The zen of SpamHaus

(Somewhat long but scroll to the bottom for the important parts if pressed for time)

How would you like to reduce the amount of spam coming into your mailbox by 90%?

Yes…..90%.

It can be done, and it can be done very easily, but for many the price might be too high. See, the fight against spam is kind of a catch-22. There is no solution out there that, even if it works great, won’t aggravate some users. For web hosts this is particularly painful. A host’s client base often demands less spam but in my experience they are unwilling to pay the price. This is why most hosts just let the email flow and give their clients end-user tools with which to fight spam – and on the whole it works well. By using SpamAssassin and some filters I generally don’t see much spam in my inbox. On average maybe 5-10 per day. The rest gets tagged and filtered. I can certainly live with that – but some people can’t.

So what other options are available to us as a web hosting provider? The most popular option is to use blacklists. These are lists generated and maintained by external providers. We can set our servers to check incoming mail against these lists and reject it if the sender is listed. The most popular list is SpamCop, which I’m sure almost everyone has heard of. There are literally hundreds of lists out there. Some are public, some are private, some are good and some are terrible. With some lists, once you are listed you simply can’t get removed, or you have to pay to be removed. These are the bad ones. Lists like SpamCop are good because you can delist, and on some the entry delists automatically if your server doesn’t send any more spam. SpamCop works like this and it works well, but it is far from perfect. Even with SpamCop your server can accept a lot of spam.

Another great Blacklist is SpamHaus and we have this deployed on all servers. However, there are different levels of spam protection that are offered by SpamHaus:

1) The Spamhaus Block List – sbl.spamhaus.org.

In their own words:

The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.

2) The Exploits Block List – xbl.spamhaus.org.

To quote:

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

It’s basically a list that incorporates two other RBLs – cbl.abuseat.org and www.njabl.org.

We use both of these as standard and query SpamHaus using sbl-xbl.spamhaus.org.

3) The Policy Block List – pbl.spamhaus.org.

This is what sets SpamHaus apart from all the other RBLs. To quote their site:

The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer’s use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

Using all 3 blacklists together is what zen.spamhaus.org does. We put zen.spamhaus.org on some servers a few weeks ago but right away we got complaints from users who couldn’t send mail because their ISP was listed in pbl.spamhaus.org. Remember that most spam on the net doesn’t come from servers like the ones we run; it comes from viruses on people’s computers that send spam via Outlook unbeknownst to the infected user. So yes, many ISP IPs are listed and for good reason – 95% of all spam originates from sources like this.
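To tell whether a zen.spamhaus.org hit comes from the PBL (the case behind the complaints above) or from SBL/XBL, the DNS answer can be decoded. This is an added example, not code from the original post: the mapping follows Spamhaus's published return codes, `verdict`, `check` and the stub resolver are hypothetical names, and the sample answers are constructed for documentation addresses.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookup name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Map the A records returned by ZEN to the component list(s) that matched."""
    lists = set()
    for a in answers:
        if a.startswith("127.255.255."):
            # Error range (e.g. query sent via a public resolver), not a listing.
            lists.add("ERROR")
        elif a.startswith("127.0.0."):
            last = int(a.rsplit(".", 1)[1])
            if last in (2, 3, 9):
                lists.add("SBL")
            elif 4 <= last <= 7:
                lists.add("XBL")
            elif last in (10, 11):
                lists.add("PBL")
    return sorted(lists)

def verdict(lists):
    """Hypothetical policy helper: which of the two setups in the post rejects."""
    if "ERROR" in lists:
        return "lookup error: do not treat as listed"
    if "SBL" in lists or "XBL" in lists:
        return "rejected by sbl-xbl and by zen"
    if "PBL" in lists:
        return "rejected by zen only (PBL)"
    return "accepted"

def system_resolver(name):
    """Live lookup; any resolution failure (including NXDOMAIN) yields no answers."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check(ip, resolver=system_resolver):
    return verdict(classify(resolver(dnsbl_query_name(ip))))

if __name__ == "__main__":
    # Constructed answers for documentation addresses; no network needed.
    sample = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.10"],
              "7.100.51.198.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]}
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", check(ip, lambda n: sample.get(n, [])))
```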

So we removed zen.spamhaus.org and kept sbl-xbl.spamhaus.org. I thought it best that all users at HostNexus get involved and we have a community discussion before implementing it again. But remember, even if you find you can’t send mail due to being listed by zen all you need do is follow the link in the bounced mail failure and delist your IP – it is really simple. To quote SpamHaus again:

IP Address Self-Service Removal Mechanism

A feature of the PBL is the elimination of ‘false positives’ with a server-identifying and automatic removal mechanism for single IP addresses. This allows end users with static IP addresses within a larger dynamic pool, and legitimate mail server operators, to assert that in their opinion their IP addresses are a trustworthy source of email and to automatically remove (suppress) their IP addresses from the PBL database. Safeguards are built in to prevent abuse of this facility by spammers (and particularly by automated bots).

I fully tested zen.spamhaus.org on our server and these are the results, averaged over 3 mail accounts in a 24 hour period:

  • No SpamHaus (only SpamCop): 165 spam tagged/10 spam untagged
  • With sbl-xbl.spamhaus.org: 105 spam tagged/7 spam untagged
  • (drumroll)

  • With zen.spamhaus.org: 10 spam tagged/1 spam untagged

You have to admit, that is pretty awesome. 😀

But let’s recap the downsides if we implement Zen:

1) Some people might have issues sending you mail. If they are savvy enough they can click the link in the bounced mail and delist quickly but a lot of people are not going to do that. Some might contact their host or ISP to get it resolved. Some just might not send that email.

2) You (or your users) might not be able to send mail. The upside of this downside is that you are all web savvy and know to delist.

I have posted a discussion thread with poll on our forum. Please comment here or in that thread and vote on that poll. This would be a great thing to implement but everyone needs to be aware of it before we do and know how to resolve any issues if they experience them.

Thanks for your time. 🙂

About the author

Laurence

Hi, my name is Laurence and I’m a web hosting aficionado. When I'm not cracking the whip at HN I can be found at the gym where I'm chasing that 500lb deadlift and kickboxing with guys half my age and still giving as good as I get. Yep, a rare breed of tech nerd mixed in with meathead.

    2 comments

    1. Jimbo

      If the service works like you say then it’s just FREAKIN AWESOME. By the way, heard that Microsoft with federals killed spam “monster” RUSTOCK, it was responsible for 39 percent of the world’s spam.
      Thanks, it’s always a pleasure to read your blog

      1. Laurence (aka NexDog)
        Post author

        Jimbo,

        It certainly is very good. We have it on a few servers where spam complaints were high and I’d love to implement on all servers. We have it running on our HostNexus server and it cuts out about 90% of the spam.
