The Spamhaus CSS includes more than dedicated spam ranges

April 2, 2017

When it started out, the Spamhaus CSS was primarily there to list IP addresses and address ranges used for snowshoe spamming (this was explicitly covered in the announcement of the Spamhaus CSS, and even helped give the CSS its name). However, things have changed somewhat since 2009, both with Spamhaus and perhaps with snowshoe spammers themselves. Specifically, the CSS is now described as:

The Spamhaus CSS list is an automatically produced dataset of IP addresses that are involved in sending low-reputation email. CSS mostly targets static spam emitters that are not covered in the PBL or XBL, such as snowshoe spam operations, but may also include other senders that display a risk to our users, such as compromised hosts.

(The italics are mine.)

Pragmatically, my observations say that it's not a 'may' here, it's a 'definitely does'. On my sinkhole SMTP server, most or almost all of the SBL CSS hits that I see these days are also in the CBL and/or the PBL (based on looking at recent hits). There was a day when many of the SBL CSS hits were dedicated snowshoe spam areas, but that day is evidently over. Either the snowshoe spammers are now sending their spam through compromised IPs as well as their own dedicated ranges, or the characteristics of genuine snowshoe spam and the sort of spam you get via compromised IPs are merging so that Spamhaus now has given up on telling them apart.

(I suspect that at least the first is definitely true, although it's a bit odd that careful snowshoe spammers would be willing to rent IPs that are already known as compromised, or worse are outright listed on the PBL as 'should never accept email from this IP'. You'd think that that would be asking for delivery problems and people wouldn't really want to pay for such IPs. Maybe access to them goes for really cheap.)

This isn't particularly a bad change, but it does have implications for what DNS blocklists you may want to check or how you may want to report things. Personally I'm most interested in knowing real snowshoe spam IPs and IP ranges, so I now want to check the SBL only after checking the CBL and the PBL. And if you have more elaborate reporting capabilities for DNSBL hits, you definitely want to check and report all data values returned from, say, the Spamhaus ZEN, so that you can see that a snowshoe IP was also in the PBL or the CBL or both.
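The "check and report all data values" point is easy to get wrong, because a ZEN lookup for a listed IP can return several A records at once and naive code keeps only the first. Here is an added example (mine, not code from the post) that builds the reversed-octet query name, decodes every returned record into its component list, and applies the post's ordering (CBL/XBL and PBL before the SBL/CSS verdict). The code-to-list mapping follows the documented ZEN return values as I know them; the sample results at the bottom are constructed, not real lookups, and 192.0.2.x is the documentation address range.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Documented ZEN return codes (assumption: current Spamhaus values).
# A listed IP may come back with several of these at once.
ZEN_RETURN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "CSS",
    "127.0.0.4": "XBL",   # CBL data is published through the XBL
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",  # ISP-maintained PBL entry
    "127.0.0.11": "PBL",  # Spamhaus-maintained PBL entry
}


def zen_query_name(ip: str) -> str:
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + ZEN_ZONE


def decode_zen(records) -> set:
    """Map every A record returned by ZEN to its component list name."""
    found = set()
    for rec in records:
        name = ZEN_RETURN_CODES.get(rec)
        # Keep unknown codes visible rather than silently dropping them
        # (a newer list, or a 127.255.x.x error response).
        found.add(name if name is not None else "UNKNOWN:" + rec)
    return found


def classify_hit(records) -> str:
    """Verdict in the order the post suggests: XBL/PBL first, SBL/CSS last."""
    lists = decode_zen(records)
    if not lists:
        return "not listed"
    if lists & {"XBL", "PBL"}:
        if lists & {"CSS", "SBL"}:
            return "compromised/dynamic IP also listed by SBL/CSS"
        return "compromised or dynamic IP (XBL/PBL)"
    if "CSS" in lists:
        return "dedicated snowshoe range (CSS only)"
    return "SBL only"


def lookup_zen(ip: str):
    """Live lookup returning ALL A records, so no component list is lost."""
    try:
        _, _, addrs = socket.gethostbyname_ex(zen_query_name(ip))
    except socket.gaierror:
        return []  # NXDOMAIN: not listed
    return addrs


if __name__ == "__main__":
    # Constructed sample results (hypothetical, not real ZEN answers).
    samples = {
        "192.0.2.10": ["127.0.0.3"],
        "192.0.2.11": ["127.0.0.3", "127.0.0.4", "127.0.0.11"],
    }
    for ip, recs in samples.items():
        print(ip, sorted(decode_zen(recs)), "->", classify_hit(recs))
```

`lookup_zen` uses `gethostbyname_ex` rather than `gethostbyname` precisely because the latter hands back a single address; feeding its full list into `classify_hit` is what lets you see that a CSS hit was also in the PBL or CBL.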

Also, all of this goes to show that choosing and setting up DNS blocklists is not necessarily a one-time thing. If you have anything except conservative settings, it's something that requires a certain amount of active ongoing maintenance, both to look at your results and to keep up on news about DNS blocklists.

(Just using the Spamhaus ZEN and not caring too much about why things are blocked is conservative. Spamhaus is unlikely to do anything weird and changes like this don't affect you unless you care about specifically why something is blocked.)

Written on 02 April 2017.

Last modified: Sun Apr 2 02:02:42 2017