ISPs cop customer angst over outbound emails

By Ry Crozier on Oct 8, 2010 2:49 PM
Filed under Telco/ISP

Anti-spam blacklist bombs.

Email users Australia-wide spent the past 24 hours receiving bounce-back notices after anti-spam blacklist operator SORBS mistakenly listed vast IP address ranges as spammers.

Customers of ISPs including Internode, Adam Internet and Telstra have reported problems with sending emails since 10am yesterday.

The problems were not caused by any of the ISPs.

Instead, emails from these customers were blocked by any email recipient (or their provider) that chose to use the SORBS blacklist to weed out spam.

SORBS' mistake caused legitimate incoming emails to be labelled as spam, resulting in a large volume of messages being returned to senders as undeliverable.

"We have received reports that Adam Internet IP address ranges are incorrectly appearing in SORBS blacklist RBL's [real-time blacklists]," an Adam Internet advisory said.

"This may impact the delivery of email to select destinations that make use of these blacklists."

A Telstra spokesman confirmed the carrier's platforms weren't affected.

"Some of our customers might have reported an impact if mail they had sent to an affected recipient bounced back," he said.

Internode managing director Simon Hackett told iTnews the SORBS malfunction meant the blacklist had "started painting something close to everyone as being bad.

"The trouble with the way these blacklists work is that they are designed to generate messages that blame the messenger (a customer's local ISP) for a decision by the server at a remote ISP (or corporate) to reject perfectly legitimate email for flawed reasons," Hackett told iTnews.

"Customers often seem to believe these unfair diagnostic messages rather than believing the human beings at their local ISP's helpdesk.

"The ISP who is trusting SORBS has no idea, initially, that there is a problem because they don't get the incoming email - and their customers take a long time to figure out that they've stopped receiving email from people because the absence of new email is less obvious for a while than the experience of the senders (getting reject messages)."

Globally, IP address ranges used by Google's Gmail, Rackspace and Amazon were also mistakenly blacklisted, according to reports by uTest, but a SORBS spokesman disputed the reports in UK publication The Register.

SORBS creator Michelle Sullivan said the problem was caused by a migration between versions of the blacklist application, which corrupted a database containing millions of IP address records.

Flags "that were used to indicate that a listing was historical were deleted, causing the addresses to be considered current", according to a post-mortem published by The Register.

SORBS was unreachable following the database corruption error after the site allegedly succumbed to an unrelated distributed denial-of-service (DDoS) attack.

The problems seemed to have been largely resolved.

Adam technicians reported improvements in outbound email traffic at 3am, while Internode technicians listed the issue as resolved at 9.30am.

A "bad, bad idea"

Hackett was critical of the "blame the sender/messenger approach" taken by blacklist operators like SORBS, which resulted in ISPs bearing the brunt of customer anger, despite being blameless.

He said it created "huge angst, unfairly, for all legitimate and diligent ISPs".

Hackett was also critical of businesses and service providers that relied only on lists like SORBS to filter out spam.

"The reality is that the use of these externally run, often sole-trader operated listing services can mean your entire ability to receive email is entrusted to them," he said.

"It's a really bad idea to trust an entity like SORBS in isolation to let you stop your customers getting email, but some surprisingly large ISPs still do that.

"The era of trusting a single third party blacklist to do anti-spam work is past. It's not unreasonable to use them to add some bias toward spam determination, but allowing them to have so much weighting in anti-spam systems that they can single-handedly wreck incoming email flow is a bad, bad idea."

Hackett said Internode ran "high quality spam and virus filtering using a cluster of high end Cisco IronPort appliances, which work with a number of sophisticated anti-spam mechanisms including a very well developed reputational database called SenderBase.

"Those systems detect and clamp down on any compromised customer systems that send spam - all automatically," he said.

He urged businesses that did not use "professional grade solutions" to consider using anti-spam systems hosted by ISPs.

"Internode can, and does, offer this to business customers, for instance - we have an available 'Email protection' service that vectors incoming email to a customer domain via our IronPort cluster," he said.

"This cluster already protects our free customer mailboxes, of course - and generates a level of spam in peoples mailboxes that is a tiny fraction of the total that is flying around out on the Internet.

"Blocking legitimate email is much worse that letting the odd spam message in."

Optus, it was alleged in the Whirlpool broadband forums and on Twitter, was one of several Australian companies to filter incoming email using SORBS, resulting in emails bouncing. An Optus spokesman has been contacted for comment.

ISPs cop customer angst over outbound emails

6 comments in this discussion

"@Res- Your missing the point mate. SORBS (or any DNSBL for that matter) DO NOT block or mark messages as spam, period. They never have. It's the configuration of the receiving server that makes ..."

By realitybites

Tags

isps, internode, optus, adam, telstra, outbound, emails, sorbs, spam, list, error, database, corruption

Test shows anti-spam products less effective

Telstra, ISPs hit by Warrnambool exchange fire

Govt warns ACCC against NBN price tinkering

Telstra, Optus, TPG buy $2bn of mobile spectrum

Breaking Stories

Alacer Gold turns ERP refit project to Australia

NSW Govt bids for self-service analytics

NSW Police take aim at 3D-printable guns

Google faces new federal antitrust probe

US ISP to rip out Huawei equipment

Comments: 6

rodzilla666 Oct 8, 2010 4:05 PM	Over the years, "professional" and "hobbyist" anti-spammers have caused more disruption to legitimate email than the spammers from whom they claim they're "protecting" us!
realitybites Oct 8, 2010 6:15 PM	The problem here is that ISP's / email providers block mail based on the results of these blacklists. This is very very bad for the following reasons: 1. It's a very grey area from a legal perspective. Is anyone able to point out just one case tested in a court of law by a disgruntled email customer concerning blocking of mail? 2. Blocking email is basically censorship. The number of people both on this forum and whirlpool that raged about the Internet filter, willingly accept censorship of their email by ISP's that block using these blacklists. What's the difference I ask you all. The correct thing to do is use the lists as just one measure of an email's spam content and mark the message as spam. Then let it flow through to either the customers inbox or an IMAP folder which the customer can use to check if any false positives have occurred. This is something I have specialized in over the last 20 odd years and I can tell you that being a big ISP DOES NOT mean they know what they are doing when it comes to mail. I'd like a dollar for every ISP/mail provider whose mail server does not even conform to the RFC's! Don't get me wrong, I hate spam and implement numerous anti spam systems on my servers, but I DO NOT block mail if any of the systems identify a mail as spam. That's not my call to make as an email provider, it's the customers call to make. The only time my system will refuse to accept an incoming message is if the sending IP has no reverse PTR record or the SPF policy of the sending domain resolves in a fail state.
Ezy2Confuze Oct 8, 2010 6:30 PM	I must admit I love our IronPorts at work, this is the second company I've worked for that uses them, in our case we use both the Email and Web appliances. However as with any product, it is only as good as the configuration and rules you create on it. Plus as with any product, especially where csecurity is concerned, you always need to tweak it and add more rules, URL's to block/unblock etc. Security is always and will always be a continually changing field in IT, even if all the SPAMMERs disappeared tomorrow, you have the CyberCrims and the script kiddies to still deal with.
Res Oct 8, 2010 6:57 PM	Lets not let all the facts get in the way of a great story cough It was NOT marking them as spam. What happened was, these services are using previous DUL (dynamic IP) ranges used by someone else at some time, and SORBS stuff-up with the DB migration basically re-flagged them as DUL by clearing out the not-dul flag. They were never marked as spam and the block messages would clearly have stated that. The question though is why did SORBS keep em around, they should not have flagged them but removed them from the DB, had they done so this would never have occurred. I trust they will do this now, maybe Ry can follow up and ask them. I do note the mail servers I run had 719 hits in past 48 hours from gmail, not a single one was blocked. Every ISP uses a DNSBL if they give a damn about their users, only some self interest ISP's prefer to let you have all the spam you can eat unless you buy a service off them to stop it
BlastedUser Oct 9, 2010 12:01 AM	@Res, it's called a soft delete. Nothing wrong with that. Maybe they wanted to keep historical information. The issue is that someone worked on the database without knowing the business rules that go with the data.
realitybites Oct 11, 2010 12:19 PM	@Res- Your missing the point mate. SORBS (or any DNSBL for that matter) DO NOT block or mark messages as spam, period. They never have. It's the configuration of the receiving server that makes that decision, not a DNSBL. If you have told your mail server to reject messages that a DNSBL has said is spam, that's a call you make by configuring your mail server in such a fashion. "I do note the mail servers I run had 719 hits in past 48 hours from gmail, not a single one was blocked." That's more a reflection on how you have your mail servers configured, rather than an indication of the effectiveness of a DNSBL. "Every ISP uses a DNSBL if they give a damn about their users," I agree, but it's the WAY they use it that's the real issue. Personally I don't use SORBS, they have always been just that little TOO aggressive for my taste. There are other's that do a better job in my opinion.