Blacklisted servers, should Gmail be held accountable?
As an email service provider, it is our job to reduce as much spam as possible for our customers. We don’t just filter inbound messages for spam; it is also our responsibility to take appropriate measures to protect our own servers from abuse and make sure they are not being used to send outbound spam. The consequence of not protecting our servers would be landing them on blacklists, causing our customers’ outbound messages to be filtered, blocked, bounced or simply deleted upon arrival. We monitor our servers in real time and check over fifty of the most popular blacklist services to be sure that our servers are not being abused. Not only do we monitor the blacklist databases, we also take steps to prevent the abuse before it starts. The result of our efforts is that in the past six years there have been only three or four instances where one of our servers was blacklisted. Fortunately, in every case but one, it was the result of a customer sending out a newsletter: because of the volume of messages, ISPs took it for spam, not because of the content, but because of the number of messages they had received within a short time. In every instance, we had it resolved and the server removed from the blacklist database within an hour. So, what happens when our own firewalls block inbound messages because the sender’s mail server is blacklisted on one or more blacklist databases?
This past week, we received about five complaints regarding “false positives”. In every case, our firewall had queried two of the most popular blacklist databases and found the sender’s server flagged for sending spam. Not so surprisingly, in each of these cases Gmail or Google Apps provided the sender’s email service. Spammers typically target service providers that offer free email, such as Gmail, Hotmail and Yahoo, because it is easy to set up an account through one of these providers and abuse it. The moment an account is created, they start sending high volumes of spam before the account is shut down. Not many spammers want to pay for a fee-based service, so any provider offering free services is naturally going to be in the crosshairs, and the result is that their servers are often blacklisted. Keep in mind that these outbound servers handle mail for thousands, even millions, of mostly legitimate email accounts; if even 1% of the messages they process are spam, the numbers are mind-boggling, and blacklist databases are made aware of these abused servers every minute. Our firewalls query these databases for known spam senders and, if the sending server is listed, block the message and send a bounce to the sender stating that the message was rejected, why it was rejected, and the name and URL of the blacklist service.
In a couple of these cases this past week, the sender told us that they don’t have a Gmail account, so we must have been mistaken and therefore needed to fix it. What they didn’t realize is that even though they do not have an address using the gmail.com domain, their mail is still sent through the same servers that Gmail, and the other private domains hosted by Gmail or Google Apps, use for outbound messages. When such a server is flagged for sending spam, every account hosted by Gmail, whether using gmail.com or a private domain, is affected. The result is legitimate messages being blocked for no other reason than the outbound server having been abused by someone else.
So, who should be accountable for these blocked messages? Big Mountain makes a great effort to ensure our customer accounts are protected and our servers are not abused. We query blacklist databases in an effort to reduce spam; not doing so would result in a significant increase in spam and a lot of frustration for our customers. Granted, it is not an exact science and blacklist databases are not perfect. But when one of our customers is waiting for an important message that never arrives, and the sender receives a bounce notice letting them know their outbound server was blacklisted, whose responsibility is it to fix this? Sure, we can always whitelist the sender’s email address or domain, allowing their messages to pass through unfiltered, but what about the hundreds of thousands of other firewalls and spam filtering applications that also query these same blacklist databases? Should the sender pass the blame to every recipient they send a message to and make it their responsibility? Or should the sender contact their email service provider and hold them accountable? In the case of Gmail, should they be held responsible for contacting these blacklist services to resolve the listings, or should they get a free pass and be allowed to send spam messages without recourse? Perhaps if people held them responsible, they would tighten their security and make a larger effort to prevent spam abuse? If not, maybe their customers should consider switching email service providers? In our research this past week, while troubleshooting those “false positives”, we pulled up a number of Gmail servers listed in the DNS records of some of these senders and found seven out of eight servers blacklisted on one or more blacklist databases. Here are the results:
alt2.aspmx.l.google.com, 74.125.115.27 listed on 2 blacklists
aspmx.l.google.com, 74.125.65.27 listed on 2 blacklists
alt1.aspmx.l.google.com, 74.125.113.27 listed on 1 blacklist
alt3.gmail-smtp-in.l.google.com, 74.125.39.27 listed on 2 blacklists
gmail-smtp-in.l.google.com, 74.125.157.27 listed on 1 blacklist
alt2.gmail-smtp-in.l.google.com, 209.85.229.27 listed on 0 blacklists
alt1.gmail-smtp-in.l.google.com, 74.125.93.27 listed on 2 blacklists
alt4.gmail-smtp-in.l.google.com, 72.14.213.27 listed on 1 blacklist
Given the results above, we know that all week these servers were listed on at least one additional blacklist, because our firewalls blocked them and do not query the two blacklist databases they are currently listed on. Please understand that this issue is not isolated to Gmail. As stated above, all email service providers who offer free services are targeted by spammers and are subject to more abuse. Users should be aware that if their email service is hosted through one of these larger providers, their outbound messages are sent through one or more shared servers that may have been abused and listed on one or more blacklist databases. The question is, at what point do we hold the sender’s email service provider responsible? Or should Big Mountain issue a free pass to these providers and stop querying blacklist databases for known spam-sending servers?
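The firewall behaviour described above (query one or more blacklist databases for the sending server's IP, block if listed, and bounce with the list's name and URL) and the per-server listing counts in the table are both instances of a DNSBL lookup. The following is an added example written for this page; it is not Big Mountain's firewall code and not any blacklist operator's software. It assumes placeholder zone names and lookup URLs (the real zones of the lists you query go in `DNSBL_ZONES`), a constructed offline resolver standing in for DNS, and that the IP being scored is the one the remote SMTP client connects from, which is what a receiving firewall actually sees. It also carries two checks a practitioner wants: only answers inside 127.0.0.0/8 count as a listing (an expired list domain picked up by a domain parker answers every query with a public IP, which would otherwise block all inbound mail), and each zone is self-tested with the RFC 5782 addresses 127.0.0.2 (must be listed) and 127.0.0.1 (must not be) before its verdicts are trusted.

```python
"""DNSBL check for an inbound-mail firewall (added example, not the post's code).

A DNSBL is queried over DNS: the client IP is written in reverse (octets for
IPv4, hex nibbles for IPv6), the list's zone is appended, and an A record in
127.0.0.0/8 means "listed" (RFC 5782). Zone names below are placeholders.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# name -> A records, or None when the name does not exist (NXDOMAIN)
Resolver = Callable[[str], Optional[List[str]]]

# Placeholder zones and the lookup URL quoted in the bounce; replace with real ones.
DNSBL_ZONES: Dict[str, str] = {
    "bl.example-list-one.test": "http://lookup.example-list-one.test/",
    "bl.example-list-two.test": "http://lookup.example-list-two.test/",
}
_LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name to query: reversed IPv4 octets (or IPv6 nibbles) plus zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def live_resolve(name: str) -> Optional[List[str]]:
    """Real resolver for production use: A records, or None if the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def check_dnsbl(ip: str, zones: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Return {zone: return_code} for every list on which the IP is listed.

    Answers outside 127.0.0.0/8 are ignored: a dead list whose domain now
    wildcards to a parking address must not turn into "block everything".
    """
    hits: Dict[str, str] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone)) or []
        codes = [a for a in answers if ipaddress.ip_address(a) in _LISTED_RANGE]
        if codes:
            hits[zone] = codes[0]
    return hits


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    positive = check_dnsbl("127.0.0.2", [zone], resolve)
    negative = check_dnsbl("127.0.0.1", [zone], resolve)
    return bool(positive) and not negative


def smtp_reject_reply(ip: str, hits: Dict[str, str], zones: Dict[str, str]) -> Optional[str]:
    """550 reply naming the list and its lookup URL, as the post's bounce does."""
    if not hits:
        return None
    zone = next(iter(hits))
    return f"550 5.7.1 Service unavailable; client [{ip}] blocked using {zone}; see {zones[zone]}"


def count_listings(hosts: Dict[str, str], zones: Iterable[str], resolve: Resolver) -> Dict[str, int]:
    """Number of lists each host's IP appears on, the same shape as the post's table."""
    zone_list = list(zones)
    return {host: len(check_dnsbl(ip, zone_list, resolve)) for host, ip in hosts.items()}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Constructed offline stand-in for DNS (sample data, not real list contents)."""
    if name.endswith(".bl.example-list-two.test"):
        return ["198.51.100.1"]  # parked domain: one public IP for every query
    table = {
        "27.113.0.203.bl.example-list-one.test": ["127.0.0.2"],  # listed as spam source
        "2.0.0.127.bl.example-list-one.test": ["127.0.0.2"],     # RFC 5782 test record
    }
    return table.get(name)


if __name__ == "__main__":
    usable = [z for z in DNSBL_ZONES if zone_is_sane(z, fake_resolve)]
    print("usable zones:", usable)  # only list one passes the self-test
    client_ip = "203.0.113.27"  # constructed address of a connecting SMTP client
    found = check_dnsbl(client_ip, usable, fake_resolve)
    print(smtp_reject_reply(client_ip, found, DNSBL_ZONES))
    print(count_listings({"mx.example.test": client_ip}, usable, fake_resolve))
```

In production, pass `live_resolve` instead of `fake_resolve` and run `zone_is_sane` once per zone at startup (and periodically), dropping any zone that fails before it can influence a single rejection.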
One Response to “Blacklisted Servers, Should Gmail Be Held Accountable?”
I wanted to follow up on this post a couple of days later to see if the blacklisted servers had been removed from those blacklist databases. Unfortunately, all of the servers’ blacklist statuses remain the same, except for one which is now blacklisted on two blacklist databases instead of one. Here are the results from today:
alt2.aspmx.l.google.com, 74.125.115.27 listed on 2 blacklists
aspmx.l.google.com, 74.125.65.27 listed on 2 blacklists
alt1.aspmx.l.google.com, 74.125.113.27 listed on 2 blacklists
alt3.gmail-smtp-in.l.google.com, 74.125.39.27 listed on 2 blacklists
gmail-smtp-in.l.google.com, 74.125.157.27 listed on 1 blacklist
alt2.gmail-smtp-in.l.google.com, 209.85.229.27 listed on 0 blacklists
alt1.gmail-smtp-in.l.google.com, 74.125.93.27 listed on 2 blacklists
alt4.gmail-smtp-in.l.google.com, 72.14.213.27 listed on 1 blacklist
I decided to do a little more research on the two blacklist databases which seem to be common among all of these blacklisted servers. They are ASPEWS (http://www.aspews.org) and SENDERSCORE (http://www.senderscore.org/blacklistlookup).
ASPEWS states the following on their “Why was I referred here” page:
“Many people find this website after they receive a bounced email telling them that their original email was rejected and to please visit the website of ‘Another Spam Prevention Early Warning System’ (ASPEWS) at http://www.aspews.org/. If you bothered coming to this page, you are probably an innocent email user whose email has bounced. Other people are referred to this website by friends or search engines. However you found us, bear in mind that if any network has rejected your email or other connections based on the ASPEWS list, it has deliberately chosen to do so. We do not control the network traffic on anyone else’s servers; therefore, we are not the ones rejecting your email. The mailserver you attempted to send email to generated the bounce. We simply provide a public list of ranges of Internet space (IP addresses) which we do not wish to exchange traffic with. Other networks may choose to filter traffic on their systems using our list. ASPEWS never touches any email (or other data packets) between your network and someone else’s network. Any email bouncing or packet blocking that takes place occurs at the receiving system.
Please understand our list is based on IP addresses only, not domain names, email addresses, URLs, email software, message contents, or anything else. We know that, as a user of the Internet, email and other connectivity is important to you. We also know that unsolicited bulk email (spam) is bad. We encourage you to ask your Internet Service Provider (ISP) to fix the problem which has resulted in your mail bouncing or whatever other effects of being listed in ASPEWS you may be experiencing. This is in the best interest of all parties on the Internet – except the people sending or profiting from spam. Also be aware that having an email bounced does not mean it must be spam, it just means your mailserver (or that of your ISP) was listed due to a spam related problem.
The first step in fixing the problem is to determine if the IP address your email system uses to send mail is in the ASPEWS list. There is a lookup form which will help you find out at the top of this page. If you were sent here via a link in a bounced email, there should be an ASPEWS record number already in the form’s lookup box. If your system is in the ASPEWS list, you should see a page with the reason(s) ASPEWS has listed this part of the Internet. If the form cannot find the corresponding record, then it is not in the ASPEWS list. It may be that the IP address of your mailserver is in some other blocklist and the place you were sending email to incorrectly sent you here. There is also a chance that between the time of your email bouncing and your coming here, the spam problem was corrected and your email system is no longer listed in ASPEWS. There can be up to an eight (8) hour time lag in the de-listing process.
If the lookup showed that the IP address is in ASPEWS, it is in a range of addresses that are either a spam source, or a spam support service (e.g., a webserver or nameserver). We normally publish the nature of the problem on the page that is displayed when one does a lookup. This is sometimes in the form of an evidence file. The evidence file will explain the problem. From there, actions to fix the problem will consist of reporting the information on the page. Only administrators responsible for the listed address(es) will have the authority to fix the problem. Reading the ASPEWS FAQ (Frequently Asked Questions) should be of help in this. Be aware that some networks filter all IP traffic, not just email, based on the ASPEWS list.
In other words, if you are not the administrator of the IP address(es) in the ASPEWS list, then you should contact your ISP in order to attempt to resolve the problem. When you contact your ISP, they will need a copy of the bounce message which you received and/or other evidence of the problem. Be sure to include the IP address which was rejected. Let them know that it is on the ASPEWS list and give them the URL of the lookup form.
Finally, most places listed in ASPEWS have shown a consistent pattern of spamming, giving support to spammers, or tolerating spammers on their systems. For this reason it may be difficult to get the administrators to provide a solution. You may, in the end, need another method of sending email to the growing list of networks and ISPs that use ASPEWS.”
Unfortunately, it seems that the Lookup IP link at the top of their page is not working properly, so I cannot immediately see how to request that the blacklisted server be removed. I suspect, based on other blacklist services, that once you look up the IP and confirm that it is listed, they will give you an option to request its removal via a form. However, since this link seems to be broken, I cannot confirm this.
It appears that there are no “real” ASPEWS admins to contact directly. They claim the service is completely automated and suggest contacting one of a couple of discussion forums for support. Interestingly enough, they reference Google as making it easy to contact one of these forums. In their FAQs, in #39, they state:
“Q39: How does one contact ASPEWS?
A39: One does not. ASPEWS does not receive email – it’s just an automated system and website; general blocklist related issues can be discussed in the public forums mentioned above. The newsgroups news.admin.net-abuse.blocklisting (NANABL) and news.admin.net-abuse.email (NANAE) are good choices. Google makes it quite easy to post messages via the Web in the unmoderated NANAE group. Newsreader software should be used to post to the preferred moderated NANABL group. First time newsgroup posters should read the NANAE FAQ. Note that posting messages in these newsgroups & lists will not have any effect on ASPEWS listings, only the discontinuation of spam and/or spam support will. Be aware that posting one’s email address to any publicly viewable forum or website makes it instantly available to spammers. If you’re concerned about getting spammed, change or “munge” the email address you use to post with.”
They do state that once a request has been made to remove the blacklisted IP from their list, it may take up to eight hours to process. To be fair to Gmail and Google Apps, the lookup link (what they call the “lookup box”) does not seem to be working, and they do not provide any alternative method to remove their blacklisted IPs without first going through the lookup process.
SENDERSCORE states the following on their website:
“If the email server sending your messages has been included in the Reputation Network Blacklist due to past behavior, it may be difficult for your messages to be delivered to some recipients.
The Return Path Reputation Network Blacklist calculates the likelihood that emails from any email server may be objectionable or otherwise unwanted based on measurement of past performance. This is not a value judgment about the content of the message, but is based on whether past messages from that server were considered to be “spam” by recipients (along with other metrics.)”
SENDERSCORE makes it extremely easy to remove a server’s IP from their blacklist database. As it turns out, the only thing the admin is required to do is provide the IP address of the blacklisted server. The only thing they ask is that the admin resolve the security issue that allowed the server to be abused. According to their site, it will take only up to 2 hours to be removed from their database. This has to be one of the easiest removal systems of all the blacklist database services.
So, while I may give them a pass with regard to ASPEWS, there is absolutely no reason why they have not requested that their servers be removed from the SENDERSCORE database. This should be done at a minimum to ensure that their customers’ email messages are delivered. While our particular firewalls do not query these two blacklist database services, there are others out there that do.