That describes the escalation procedure of SPEWS, but is not at all accurate for the SBL, we do not expand listings sideways into customer space or block whole ISPs [*].
Mr. Linford's Spamhaus has recently blocked our entire ISP because of 2 entities on our network we are working to terminate (it is a bit more complicated than simply pulling the plug). In addition, we have recently requested removal of listings once we have terminated the customer in question, but received no response. We can vouch for the fact that www.spamhaus.org blocks far more than just sources of UCE. In our case, it is our entire network. -----Original Message----- From: Steve Linford [mailto:linford@spamhaus.org] Sent: Thursday, September 25, 2003 8:22 AM To: Hank Nussbacher; nanog@merit.edu Subject: Re[2]: williams spamhaus blacklist At 12:50 +0200 (GMT) 25/9/03, Hank Nussbacher wrote:
AS3339 has a zero tolerance for spamming. With just one spam complaint we block the IP in question. We have a downstream customer
that has many cybercafes in Africa that generate http and smtp spam and we block each complaint within 48 hours.
None the less, here is a recent email extract I received from someone:
"Hank, I am not a Spamhaus.org representative in any shape or form. I do not claim to speak for Spamhaus.org in any capacity. The University of xxxxxx is, however, a customer (i.e. as of this morning, we block e-mails from IP addresses listed on Spamhaus SBL).
I am just guessing what might happen if the problem is not sorted out.
I am sure you already know that the standard escalation procedure for
many blocklists is first to block the single offending IP address, then the immediate smallest block that it is contained in according to WHOIS, then the entire block of the ISP, and if that fails to stop
the spam, then the corporate MXes of the upstream ISP may be blocklisted."
That describes the escalation procedure of SPEWS, but is not at all accurate for the SBL, we do not expand listings sideways into customer space or block whole ISPs [*].
Basically, we are being told if we don't drop the customer, our corporate MXes will be blocked. I would not call this an "extreme case", but it would appear that overzealous anti-spammers are perhaps
going a bit overboard.
Luckily he claimed up-front to not be speaking for Spamhaus. I can sympathize with the level of frustration of someone being bombarded in spam, however we do not run escalations for single spammers (unless the problem is chronic, but even then we'd always contact the ISP and exhaust all other avenues). [*] Although we do not list whole U.S. or European ISPs, that's not strictly true for other areas of the net the "offshore" spammers have gravitated to. We are currently leaning on China heavily and are at this moment blocking large parts of Chinanet Shanghai (online.sh.cn) ADSL netblocks, as it's the worst of the China spam problems with 120 separate SBL listings all of US-based spammers (all the usual make-penis-fast crowd) hosted mainly on Shanghai ADSL lines. Spammers like Alan Ralsky these days pump everything out via SoBig-opened proxies with everything hosted in China, all run from Detroit using VPN. The Chinese are now understanding this but it's taken some time. That escalation should resolve itself 'any moment now' too as they say they're starting the process of tracking down and kicking off the hoard of pests they've acquired these last months. -- Steve Linford The Spamhaus Project http://www.spamhaus.org