RBL Frustration

Don't get me wrong here, I hate SPAM. It costs money to deal with it, from spam filters, to the time of both my staff and I. I would far prefer to spend my dollars on other things.

A couple of years ago, we signed up for a service at work which filters Spam. It scans both my inbound and outbound emails with four different anti-virus scanners, and also checks both inbound and outbound emails for Spam content. Naturally, it filters out attachments, suspect HTML and a few other things. It costs our company (about 50 email accounts) close to $125 CDN per month for this service, and I feel that it's a bargain when compared to the amount of staff time it would take to sort through and kill all the spam messages we get per month. Our email now goes from our server to a relay server (we'll call it MXR), to the destination.
Imagine my surprise when we start having issues with outbound email...

I've been here before, once, when we were flagged as spammers, and email did not get to our head office. It was a pain to get cleared, but we did it. That was about a year ago, and I had help from head office to get cleared on that. At the time, we were being picked up because our email server did not have reverse DNS lookup specified or something. (I can't quite remember.)

This time, though, email was not getting through to one company (our engineering firm) from us. The rest of our emails seemed to be going just fine. So they called their ISP, who claimed that we were tagged as spammers. To be really helpful, they sent me an email with a link to Spamcop so that I could get myself removed. Very helpful of them, only...

I went to Spamcop... and we're not listed. Neither by IP address, nor by domain name. So far as I can see, we've never been listed, so now what?

Finally, after wasting a ton of time, it's brought to my attention that we've been tagged by Spews... only it wasn't just me. It was my ISP's entire subnet that was flagged. Great. So now I phone up my ISP and ask what they are doing about it, and what they are doing to ensure that I don't have my email blocked. I had some long discussions with the tech there, and they sound pretty frustrated. Spews has about two suggestions on how to fix what they see as the ISP's disregard of spam. My ISP swears that they did this a year ago, but they keep getting listed weekly. Further, Spews will not return email to the ISP so that they can deal with the current issue. I appreciate the blacklist, but these idiots need to realize that there are legitimate businesses running on these ISPs, and that ignoring their requests does not cut it. I'd like to think that they have a good reason to blanket block an entire ISP's subnet, but they got their attention. Answer them and fix it! Once you've got the ISP excited, talk to them and tell them what you want to do to deal with the issue. Playing games to punish the ISP at that point is NOT cool. This is not a game, and is costing legitimate companies money. At any rate, the ISP tech tells me that they are doing what they can, but it's pretty much a waiting game.

So the next thing I do is call the firm's ISP. (Go figure, but we need to get emails to them.)

Ken: "I know this sounds strange, but I was wondering if I could get you to make an exception to your policies. Could you whitelist my domain so that I can get emails to one of your clients? My ISP has been tagged as spammers by Spews."

ISP: "Oh yeah. They get on that list weekly. We white-listed their entire subnet a couple of years ago."

"Oh great", I think, "this is getting better and better, isn't it?" So the issue isn't my ISP after all. Now what?

As it turns out, there are two issues. The firm's ISP is having an issue receiving email from MXR. In addition, MXR has also recently decreed that our email server's outbound address (pointing to them) be changed. We knew about the last, but when we'd made the change before, email was only getting through to other MXR customers. We changed the setting back to what was working at the time.

At this point, we find out that several of our suppliers and customers in the area use this other ISP to get their email. So now it's not only our engineering firm that isn't getting their email. We sell real estate, and some of the agents can't receive theirs. (This is really not good now.) Our printing services are another...

Trying to do what we can to get this resolved, we changed our outbound mail server setting to the newly defined (approved) outbound mail address. Our entire mail server, which also hosts our directory services, abends. (Grabs its chest, gurgles about and falls to the floor writhing in agony.) Further, every time we try to make the change, the same thing happens. We appear to be locked in to a mail server that is pointing outbound mail to an address that isn't working correctly.

After a bit more sleuthing, I get one of my tech support guys to edit the config files themselves, and we bring everything back up. Email finally starts getting through to all destinations. Yay!

So then, for whatever reason, I decide to head back to DNSStuff one last time to check if we're on any spam blacklists. To my horror, while Spews is gone, I've been picked up by CBL, and about 30 minutes later, this replicated to both DNSBLNETAUT1 and Spamhaus. Argghhh!

One thing I will say about CBL is that they are really effective. You can ask for manual removal immediately, which is fantastic. They also have several suggestions to look at as to why you were listed in the first place, and what you should look at to ensure that you won't be listed again. One of those things, which we did this afternoon, was ensure that no outbound email can be sent from our network via port 25 (SMTP) unless it goes directly to MXR. CBL's suspicion is that we have a virus or a spam bot within our network flooding spam out the door. I do not believe that, but locking down the outbound email will tell us for sure.
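What the port 25 lockdown looks like on a Linux gateway, as an added example that is not part of the original post or of CBL's own advice: SMTP out of the LAN is allowed only from the mail server to the relay, and every other attempt is logged and then rejected. The log lines are the useful part: if some other internal host keeps hitting port 25 after the rule is in, that host is the bot the CBL is seeing. The mail server address (10.0.0.5), the MXR address (198.51.100.25) and the LAN interface name are placeholders, and the sample log lines are constructed for the summary function.

```shell
#!/bin/sh
# Added example (not from the original post): egress filtering for TCP/25 on a
# Linux router running iptables, with a FORWARD chain between LAN and Internet.
# Assumptions: placeholder addresses (10.0.0.5 = internal mail server,
# 198.51.100.25 = MXR relay, both non-routable/documentation space), LAN on eth1.

# Print the iptables commands for a given mail server and relay address.
# Usage: smtp_egress_rules <mail-server-ip> <mxr-ip> [lan-interface]
smtp_egress_rules() {
  mailsrv="$1"; mxr="$2"; lan_if="${3:-eth1}"
  cat <<EOF
# Our mail server may talk SMTP only to the relay.
iptables -A FORWARD -i $lan_if -p tcp --dport 25 -s $mailsrv -d $mxr -j ACCEPT
# Everything else on port 25 is logged (rate-limited so a bot cannot flood syslog) ...
iptables -A FORWARD -i $lan_if -p tcp --dport 25 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "SMTP-EGRESS-BLOCK " --log-level 4
# ... and rejected with a TCP reset so the sender fails fast instead of timing out.
iptables -A FORWARD -i $lan_if -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Summarise the kernel LOG entries by internal source address, busiest first,
# so an infected host shows up as the top talker. Reads syslog lines on stdin.
# Usage: grep SMTP-EGRESS-BLOCK /var/log/messages | smtp_block_summary
smtp_block_summary() {
  grep -o 'SRC=[0-9.]*' | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG rule produces (not real traffic):
# two hits from 10.0.0.77 and one from 10.0.0.8, so 10.0.0.77 is the suspect.
SAMPLE_LOG='kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=203.0.113.9 PROTO=TCP DPT=25
kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=203.0.113.10 PROTO=TCP DPT=25
kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=10.0.0.8 DST=203.0.113.9 PROTO=TCP DPT=25'

# Only emit (or apply) rules when explicitly asked, e.g.:
#   MAILSRV=10.0.0.5 MXR=198.51.100.25 sh smtp-egress.sh | sudo sh
if [ -n "${MAILSRV:-}" ] && [ -n "${MXR:-}" ]; then
  smtp_egress_rules "$MAILSRV" "$MXR" "${LAN_IF:-eth1}"
fi
```

Ports 587 (submission) and 465 are deliberately left alone: authenticated client submission to an outside provider is not what a spam bot uses, and blocking it breaks laptops that send through a home ISP. Also keep in mind that a listing is keyed to the public address the receiving side sees, so if the LAN is NATed behind one address, one infected desktop gets the whole company listed.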

Through all of this, we're in the middle of a month end, down one of my staff members due to a car accident. (She's recovering, but off work for a few weeks.) So I'm trying to do my job, co-ordinate and fill in her job, and also fool around with this stuff.

My biggest frustration in all of this is that we are a legitimate business that does not spam. We've purchased a system to ensure outbound mail is filtered. We are really trying. I see a huge problem with how the RBLs function though... if I'm suspected, my emails just start being black-holed. They simply disappear. I have no idea it's even happening until someone starts complaining that they are not getting their email.

So the big question of this post is: why is there no way to deal with this for legit companies? We have a requirement to have specific email addresses in place for other things (abuse@ for example), so why can't we do the same with this? If we are suspected, email spam@domain.com requesting a reply within 48 hours. If we don't give it, and a reasonable explanation as to what we're doing to fix the issue, THEN tag us. At least this would give us a chance to deal with it.

For those of you who do look after email, if you don't know about DNSStuff, you need to. Just go there, scroll down the page, and drop your IP address into their Spam Database Lookup tool. It's the only site that I know of that checks all RBL servers. Lord knows that if you tried to hunt them down on your own, you'd be hunting a long time. There's a ton of other tools there as well, that just may be of interest to you. One word of advice on the Spam tool though... look yourself up by domain and by IP. They return different results.
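For the record, a lookup tool like the one described above is doing nothing more than DNS queries, and you can script the same check yourself so it runs from cron and warns you before a customer does. The following is an added example and not code from the original post or from DNSStuff: an IP-based DNSBL is queried by reversing the IPv4 octets and appending the list's zone, an A record answer means "listed", and no answer means "not listed". For Spamhaus ZEN the answer's last octet also tells you which sub-list caught you (SBL, XBL/CBL, PBL). The zone names are the public Spamhaus, SpamCop and CBL zones; 192.0.2.10 is a documentation address; and `dig` is assumed for live lookups only.

```shell
#!/bin/sh
# Added example (not from the original post): query an IP against DNS-based
# blocklists the way DNSStuff-style lookup tools do it under the hood.
# Assumptions: 'dig' is installed when a live lookup is requested; the zones
# are public DNSBL zones; 192.0.2.10 is an RFC 5737 documentation address.

# 192.0.2.10 -> 10.2.0.192 (DNSBLs are indexed by the reversed address)
reverse_ip() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# Build the query name: <reversed-ip>.<zone>
dnsbl_query_name() {
  printf '%s.%s\n' "$(reverse_ip "$1")" "$2"
}

# Spamhaus ZEN answers encode *why* an IP is listed in the last octet.
zen_meaning() {
  case "$1" in
    127.0.0.2)              echo "SBL: Spamhaus Block List (direct spam source)" ;;
    127.0.0.3)              echo "SBL CSS: low-reputation / snowshoe range" ;;
    127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7)
                            echo "XBL: exploited host (CBL data: bot, open proxy, worm)" ;;
    127.0.0.9)              echo "SBL DROP: hijacked or criminal netblock" ;;
    127.0.0.10|127.0.0.11)  echo "PBL: policy listing (dynamic / end-user space)" ;;
    127.255.255.*)          echo "error: query refused (public resolver or rate limit), not a listing" ;;
    *)                      echo "unknown return code $1" ;;
  esac
}

# Live lookup of one IP against one zone. Prints one line per listing code;
# empty output means "not listed". Needs dig and network access.
check_dnsbl() {
  ip="$1"; zone="$2"
  name="$(dnsbl_query_name "$ip" "$zone")"
  dig +short +time=2 +tries=1 "$name" A | while read -r code; do
    [ -n "$code" ] || continue
    if [ "$zone" = "zen.spamhaus.org" ]; then
      printf '%s listed in %s: %s (%s)\n' "$ip" "$zone" "$code" "$(zen_meaning "$code")"
    else
      printf '%s listed in %s: %s\n' "$ip" "$zone" "$code"
    fi
  done
}

# Live lookups only run when an IP is supplied, so the functions above can be
# sourced or tested offline. 127.0.0.2 is the conventional "always listed"
# test address, handy for checking that the query path itself works:
#   DNSBL_IP=127.0.0.2 sh dnsbl.sh
if [ -n "${DNSBL_IP:-}" ]; then
  if command -v dig >/dev/null 2>&1; then
    for zone in zen.spamhaus.org bl.spamcop.net cbl.abuseat.org; do
      check_dnsbl "$DNSBL_IP" "$zone"
    done
  else
    echo "dig not found; install bind-utils/dnsutils for live lookups" >&2
  fi
fi
```

Two practical notes. Look up the address the rest of the world actually sees, which in the setup described in this post is the relay's address rather than the in-house server's, since that is what the receiving side checks. And the "domain versus IP give different results" observation is expected: domain-based lists (Spamhaus DBL, for example) are queried with the domain name itself, not a reversed IP, and list domains that appear in spam rather than hosts that send it, so the two lookups answer different questions.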

All in all, this has taken me three days to sort through. I'm hoping that I've seen the back of this issue for a while.

2 thoughts on “RBL Frustration”

  1. Hi Ken,

    I have the exact same issue. When I'm on the road I use a GSM based DSL connection. If I send my mail through them, it appears to be sent from a blacklisted (CBL at Spamhaus.org) IP address.

    Spamhaus also shows me that several attempts have been made to remove this IP from their list (which I haven't!!). To me, this indicates that just checking from which IP a message stems is useless, because obviously spammers are able to spoof those.

    So far I haven't seen too many bounces (just one), but I'm keeping an eye out...

  2. Totally agree, Jan Karel.

    I think I understand why they tag based on IP, after reading CBL's explanation, but I see a need for a multi part test to determine if the email should be filtered. If mail servers were able to flag emails in the header as having been sent from a securely authenticated site, for example, then they could check both the IP and that flag. Sure, it fails the IP test, but it was authenticated, so let it through. At that point, check the relay domain. If it's a known spammer, THEN tag it.
