Harassing people by Spamhaus no-1

Original article: https://lowendtalk.com/discussion/193980/spamhaus-refusing-to-delist-false-positives-pompous-rude-attitudes-whats-your-experience

Keeping this in ‘General’ so that it may be indexed, but hoping both providers and end-users can chime in with their experiences.

I’ll try to keep this short and stick with the facts only:

  • On 03/25/2024 we had a customer register a .online domain name. We manually screen and manually process ALL domain orders, to weed out the obvious fraud or phishing ones. This one caught our eye, but only because it appeared to be an obvious joke. Had a chuckle, and approved it. Think like, “howtoscamoldpeople” or something, along those lines. Not trying to imitate a brand or anything of that nature. A name so off the wall that it had to have been a clear joke.
  • On 03/27/2024 the customer writes in saying that their domain name isn’t loading, stating that they suspected DNS issues. I confirmed the domain wasn’t resolving, checked our DNS cluster, it appeared there, checked a few other things… After a little review found that the domain had a “serverHold” status. I check our abuse inbox in case we missed something about it, I see nothing. So I check with InternetBS to see if it was held by them, and it was not. Their support directed me to contact Radix, the registry that oversees domain names like .host, .online and some other TLDs you’ve all seen.
  • Radix states there is a Spamhaus listing for the domain for ‘phishing’. “Ah, maybe it wasn’t a joke after all” I thought…
  • So now I dig into this deeper. The domain was hosted on our shared hosting service. I was able to confirm that the domain name had sent zero emails (didn’t even have any inboxes created), was literally a single page index.html static site. No images, no sub-dirs. No sub-domains. No hosted scripts. I add the IP and domain to my hosts file for review and it’s literally a poorly made static site that reads like a 4Chan user had made it. But as the domain would suggest, the site is literally a joke. Nothing ‘phishy’ about it. At this point I’ve reviewed enough to determine with pretty much 100% certainty that the domain was listed by mistake as a false positive, that this is just some misunderstanding and if I ticket in with Spamhaus, after having already written to InternetBS and checked with Radix, that this can all be cleared up.
  • So, I open a dialogue with Spamhaus… The entire conversation up until now is shown below, with the domain name censored for customer privacy. The conversation begins at the bottom and moves upward.

The conversation with Spamhaus:


I explain to them the situation, let them know we’ve checked and there doesn’t appear to be any issues with the domain, that it’s an obvious joke domain, and explained that as a result of this Spamhaus listing it triggers an automated response by Radix to serverHold the domain, removing it from the internet completely. Figured this would result in a, “Thank you for writing in, upon review, you appear correct. We’ve removed the listing, you may need to contact Radix to get the hold lifted but it appears to have been a false positive. Thank you and have a good day.” type response. Instead, was met with a “cordial invitation” to “consider the type of customers that you have attracted and the reputation of said domains”.

Ok, cool. Yeah, the privacy stuff does attract some questionable orders from time to time but we try to price in a manner that encourages them to just try their luck anywhere else cheaper. Despite that, we still literally check all shared hosting domains against 88 well-maintained RBLs and blacklists (listed below) and Spamhaus’ own website reports “No Issue” for our shared hosting IPs, or ASN. We’re pretty strict when it comes to spam and phishing, and abusers are kicked to the curb quite promptly.


So, the issue is that the entire process is automated. Their bot detected the domain, tossed it on a list, Radix uses that list and issues a serverHold. Boom, website vanishes from the internet with no real appeal or process to get it delisted.

In continuation to that, Spamhaus, when contacted, says they can’t or won’t do anything about it, because they have concerns regarding the “quality” of our customers and the domains we host. The tools that THEY offer to the public on their own website report that there are NO issues with our network or domains, and per the ticket they can not or will not share what domains are issues even after we’ve been expressing a willingness to review and clean up any concerns. We’ve only had six emails from Spamhaus since 2022, for real issues that were resolved promptly as I recall.

Most blacklists you can just sort of shrug off if they’re overly aggressive in their listing, but what do you do when a large, commonly used resource is behaving in such a way? Does this mean anyone can easily get a domain from Radix or other registries with similar policies yeeted from the internet by complaining to Spamhaus?

This doesn’t even seem like a new issue. A friend of mine familiar with the issue linked me to this yesterday: https://old.reddit.com/r/msp/comments/1bwyhmr/beware_of_the_xyz_registry/

What other registries like Radix offer TLDs we should now consider dropping support for? For such a low margin item it’s not worth the headache to have to fight Spamhaus for delistings on their false positives and try to explain to customers that many 3rd party organizations have unchecked influence on the internet and can behave as activists if they wish to with little recourse.
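
The post above reached the “serverHold” finding only after checking DNS by hand; the check below reads the hold status from a domain's RDAP record and says who set it. It is an added example, not part of the original post: the sample responses and the placeholder domain are constructed, and fetching the live RDAP record is left out so the block runs offline.

```python
import json

# Hold statuses in EPP form (WHOIS) and RDAP form (RFC 8056), mapped to
# the party that set them. Either one removes the domain from the TLD zone.
HOLD_STATUSES = {
    "serverhold": "registry", "server hold": "registry",
    "clienthold": "registrar", "client hold": "registrar",
}

NEXT_STEP = {
    "registry": "ask the registrar to escalate to the registry and request the reason for the hold",
    "registrar": "contact the registrar that set the hold",
}

def classify_hold(rdap_domain):
    """Report whether an RDAP domain object is on hold, and who set it."""
    statuses = [s.strip().lower() for s in rdap_domain.get("status", [])]
    held_by = sorted({HOLD_STATUSES[s] for s in statuses if s in HOLD_STATUSES})
    registered = next(
        (e.get("eventDate") for e in rdap_domain.get("events", [])
         if e.get("eventAction") == "registration"),
        None,
    )
    if held_by:
        steps = [NEXT_STEP[h] for h in held_by]
    else:
        steps = ["no hold set: check delegation and the authoritative DNS servers"]
    return {
        "domain": rdap_domain.get("ldhName"),
        "held": bool(held_by),
        "held_by": held_by,
        "registered": registered,
        "next_steps": steps,
    }

# Constructed RDAP responses (not real data); the domain name is a placeholder.
SAMPLE_HELD = json.loads("""{
  "objectClassName": "domain", "ldhName": "placeholder-domain.example",
  "status": ["server hold", "client transfer prohibited"],
  "events": [{"eventAction": "registration", "eventDate": "2024-03-25T00:00:00Z"}]
}""")
SAMPLE_OK = json.loads("""{
  "objectClassName": "domain", "ldhName": "placeholder-domain.example",
  "status": ["active"], "events": []
}""")

if __name__ == "__main__":
    for sample in (SAMPLE_HELD, SAMPLE_OK):
        print(json.dumps(classify_hold(sample), indent=2))
```

Running this check before the DNS review separates a registry or registrar hold from a zone or delegation fault on the hosting side.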
