ISPs cop customer angst over outbound emails

Email users Australia-wide spent the past 24 hours receiving bounce-back notices after anti-spam blacklist operator SORBS mistakenly listed vast IP address ranges as spammers.

Customers of ISPs including Internode, Adam Internet and Telstra have reported problems with sending emails since 10am yesterday.

The problems were not caused by any of the ISPs. 

Instead, emails from these customers were blocked by any email recipient (or their provider) that chose to use the SORBS blacklist to weed out spam.

SORBS' mistake caused legitimate incoming emails to be labelled as spam, resulting in a large volume of messages being returned to senders as undeliverable.

"We have received reports that Adam Internet IP address ranges are incorrectly appearing in SORBS blacklist RBL's [real-time blacklists]," an Adam Internet advisory said.

"This may impact the delivery of email to select destinations that make use of these blacklists."

A Telstra spokesman confirmed the carrier's platforms weren't affected.

"Some of our customers might have reported an impact if mail they had sent to an affected recipient bounced back," he said.

Internode managing director Simon Hackett told iTnews the SORBS malfunction meant the blacklist had "started painting something close to everyone as being bad.

"The trouble with the way these blacklists work is that they are designed to generate messages that blame the messenger (a customer's local ISP) for a decision by the server at a remote ISP (or corporate) to reject perfectly legitimate email for flawed reasons," Hackett told iTnews.

"Customers often seem to believe these unfair diagnostic messages rather than believing the human beings at their local ISP's helpdesk.

"The ISP who is trusting SORBS has no idea, initially, that there is a problem because they don't get the incoming email - and their customers take a long time to figure out that they've stopped receiving email from people because the absence of new email is less obvious for a while than the experience of the senders (getting reject messages)."

Globally, IP address ranges used by Google's Gmail, Rackspace and Amazon were also mistakenly blacklisted, according to reports by uTest, but a SORBS spokesman disputed the reports in UK publication The Register.

SORBS creator Michelle Sullivan said the problem was caused by a migration between versions of the blacklist application, which corrupted a database containing millions of IP address records.

Flags "that were used to indicate that a listing was historical were deleted, causing the addresses to be considered current", according to a post-mortem published by The Register.

SORBS was unreachable following the database corruption error after the site allegedly succumbed to an unrelated distributed denial-of-service (DDoS) attack.

The problems seemed to have been largely resolved.

Adam technicians reported improvements in outbound email traffic at 3am, while Internode technicians listed the issue as resolved at 9.30am.

A "bad, bad idea"

Hackett was critical of the "blame the sender/messenger approach" taken by blacklist operators like SORBS, which resulted in ISPs bearing the brunt of customer anger, despite being blameless.

He said it created "huge angst, unfairly, for all legitimate and diligent ISPs".

Hackett was also critical of businesses and service providers that relied only on lists like SORBS to filter out spam.

"The reality is that the use of these externally run, often sole-trader operated listing services can mean your entire ability to receive email is entrusted to them," he said.

"It's a really bad idea to trust an entity like SORBS in isolation to let you stop your customers getting email, but some surprisingly large ISPs still do that.

"The era of trusting a single third party blacklist to do anti-spam work is past. It's not unreasonable to use them to add some bias toward spam determination, but allowing them to have so much weighting in anti-spam systems that they can single-handedly wreck incoming email flow is a bad, bad idea."

Hackett said Internode ran "high quality spam and virus filtering using a cluster of high end Cisco IronPort appliances, which work with a number of sophisticated anti-spam mechanisms including a very well developed reputational database called SenderBase.

"Those systems detect and clamp down on any compromised customer systems that send spam - all automatically," he said.

He urged businesses that did not use "professional grade solutions" to consider using anti-spam systems hosted by ISPs.

"Internode can, and does, offer this to business customers, for instance - we have an available 'Email protection' service that vectors incoming email to a customer domain via our IronPort cluster," he said.

"This cluster already protects our free customer mailboxes, of course - and generates a level of spam in peoples mailboxes that is a tiny fraction of the total that is flying around out on the Internet.

"Blocking legitimate email is much worse that letting the odd spam message in."

Optus, it was alleged in the Whirlpool broadband forums and on Twitter, was one of several Australian companies to filter incoming email using SORBS, resulting in emails bouncing. An Optus spokesman has been contacted for comment.