Welcome to the CozyNet Blog!
Spamhaus is kill, easy spam protection for indie mail will get harder
Time to take out the spam
So I run my own email service like any based internet Chad out there, of course. It’s primarily for coms between the fam and such, but it’s used for accounts and stuff and interfaces with other sites and services too. Hey, I don’t care about Netflix and shid, but some of them do so it’s gotta work; especially for billing receipts and payment confirmations!
So there I was booking a hotel room for an upcoming Loonix Fest conference in New California (aka Austin Texas) and I wasn’t receiving an email or anything from them! I printed off the receipt and order-number from the hotels website, as one always should, because you never know what kind of shenanigans they’ll try to pull. I will not, and refuse to install hotel phone apps and parking passes (even it I could, see “ITT: stuff nobody asked for - Discontinuing of 3G cellular networks”) so sometimes they like to play stupid if you don’t install their spyware onto your mobile skinnerbox; I’ve got papers!
Anyways, I started noticing that I haven’t received an email since the 16’th of March (this now being March the 28’th) which is very sus. So I switch to one of my Protonmail accounts and send an email to my personal mail and got the following bounce back.
Subject: Undelivered Mail Returned to Sender
This is the mail system at Proton Mail.
Your email could not be delivered to one or more recipients. See below for the delivery error and email.
The most common reasons for undelivered email are wrong recipient address or wrong configuration on the recipient mail server.
Learn more about delivery errors in our knowledge base: https://proton.me/support/smtp-errors
<xxxx@xxxx.net>: host x[123.123.123.123] said: 554 5.7.1 Service
unavailable; Helo command [mail-4322.protonmail.ch] blocked using
dbl.spamhaus.org; Error: open resolver;
https://check.spamhaus.org/returnc/pub/321.321.321.321/ (in reply to RCPT TO command)
The error “open resolver” is what my mail server sent to Proton Mail. An open resolver has to do with DNS, which I thought was an odd response that didn’t make much sense. My first thought was PM screwed something up on their side that was triggering the spam filter, but I did a little investigation and found that it was neither PM or my mail servers fault!
No no, it was coming from spamhaus which I use for spam protection! I had to do some looking around and came across this site with a post from October 19’th, 2021:
Be careful: Using Spamhaus with open resolvers is bad news
Do you use any of the Spamhaus blocking lists (DNSBLs) to protect yourself from inbound spam and email threats? If so, you're not alone. The Spamhaus data is quite popular and used by many ISPs as a front door gatekeeper for IP (and domain) reputation.
If you do use any of Spamhaus's DNSBLs, though, make sure you're not doing it via a public DNS resolver or via any DNS server that is attempting a high volume of queries against Spamhaus without being registered with them. If you do, you risk the queries triggering blocks simply due to the sheer volume of DNS traffic Spamhaus is receiving. Meaning you'll end up blocking mail that wasn't spam and that you probably didn't mean to block.
The guy in the post goes on to say that he strongly recommends against using public DNS servers to query Spamhaus, which is a kick in nuts because that would mean I either have to find a private DNS provider or run my own DNS server instead of just using what’s out there freely available.
But it gets a little more tricky than that. I found this on the Spamhaus resource center:
Successfully accessing Spamhaus’ free blocklists using a public DNS
--
3: The network originating the DNS Query must be identifiable. This means you must query the Spamhaus DNSBL Public Mirrors from a recursive resolver run on your own network or from a public resolver that supports ECS
I’m not familiar with ECS so looked it up and found this on wiki: “ EDNS Client Subnet (ECS) is an option in the Extension Mechanisms for DNS that allows a recursive DNS resolver to specify the subnetwork for the host or client on whose behalf it is making a DNS query” - “Because ECS provides client network information to upstream resolver, the extension reveals some information about the client's location that the resolver would not otherwise be able to deduce. Security researchers have suggested that ECS could be used to conduct internet surveillance. ECS may also be exploited to perform selective DNS cache poisoning attacks intended to only re-route specific clients to a poisoned DNS record”
Bery interdasting! Apparently this is enabled by default in /etc/resolve.conf on modern Linux operating systems. I didn’t even know that; thanks glowies!
options edns0 trust-ad
Then Spamhause continues on to the next point...
4: Queries originating from large shared hosting environments are not accepted. As a workaround, please apply for a free Datafeed Query Key from Spamhaus Technology.”
So rip in piss VPS email Chad’s. They make it sound as if this DQK and DQS is free, but what they meant to say is “free* 30 day trial.” After that you have to pay a $250 annual subscription. So it’s either pay for a key to access the DQS, or pay for a private resolver that supports ECS to continue in accessing the original public mirrors.
IMO, $250 ain't that bad, but I'm already spending quite a lot out of pocket here running my services so yeah I'm going to pass on this one bros.
There are free public resolvers that support ECS out there, such as NextDNS, but I don’t think the implementation of EDNS on Debian actually works? I’m using an old version of Debian though. I couldn’t really tell if it was working because NextDNS’s resolver isn’t yet black listed by Spamhaus, so it just worked without the EDNS settings regardless. I couldn't see any evidence of ECS when inspecting the DNS query packets from Postfix with tshark so yeah, idfk. I suspect I have to install their nextDNS client to get access to that feature.
One of Spamhause’s resources aimed at Cuckflare users has the following Q&A:
What if I don’t want to use the free DQS?
1: Use DNS resolvers with attributable DNS to continue being protected by Spamhaus’s IP and domain reputation.
2: If you no longer wish for your mail stream to be protected for free by Spamhaus’ blocklists, remove all associated configurations from your email infrastructure.
I don’t use Cloudflare for anything, but despite them supporting “attributable DNS” (ECS), I guess Spamhause are just going to force CF users to the DQS anyhow? That’s rude. It wouldn’t surprise me if they clamp down on self-hosted recursive DNS setups too, regardless of you being a good boy and following all of the rules. It’s only a matter of time and the deal will be altered, so don’t expect that method to last.
I’m just going to stop using their services altogether and not even bother with it anymore because it’ll turn into yet another time wasting endeavor keeping up with some pukes bureaucratic games; I’m already having to deal with enough of this at work.
Conclusion:
This has all been a gradual and slow effort of theirs dating back to 2018, which I didn’t even know about. Spamhaus says this is for the benefit of “small independent businesses and non-profit organizations to filter their email safely at no cost” by effectively cutting out abusers of the service, which I can understand that, but it’s just the same old song and dance routine as yet another once useful free service clamps down on more effective monetizing. I mean, isn’t this how it usually happens though? Make something that’s free and useful to attain widespread adoption, then later flip the tables and harvest the crop.
Now I’m not saying this was some long term master plan of theirs from the beginning, but I’m guessing there’s been a change in staff and attitude over the recent years, meaning the free ride is over because the very people these policy changes will effect the most are the small independent businesses and non-profit organizations. It’s not going to even phase the big email providers and abusers they say they’re after, since those guys are already paying for considerably more robust spam protection services than just simply some piss-ants “free” block list.
Unfortunately pretending they don’t exist won’t be enough to escape from the racket, because this isn’t my first run in with Spamhause gangsters.
About three years ago they black listed the block of addresses, including others owned by DigitalOcean, which my VPS was running on without any way to dispute it. I spent a lot of time working with Microsoft, Gmail, and Yahoo to keep off their spam filters only for these thugs to put an end to it; I have to now use an MTA proxy relay (AuthSMTP) to send emails so that my messages aren’t directed to the recipients spam folder since every major email provider also uses Spamhause filters (which is usually bundled in whatever spam protection service they’re running.) Fortunately the proxy is affordable, but it’s very irritating that I have to rely on it in order to send email.
So, I can’t send emails without a proxy thanks to Spamhause black listing my IP block, and then on top of that I can no longer utilize Spamhause for spam protection unless I pay for a private resolver that supports ECS. Remember, “Queries originating from large shared hosting environments are not accepted,” so hosting my own DNS isn’t going to work here, or work for very long if it did, given the nature of the environment I’m working in.
At this point, there are likely better paid for spam protection services out there than Spamhause so I might look into one of those. Maybe if someone were particularly smart, they could make an anti-spam AI in a container for anyone to slap on top of their MTA, putting an end to this black listing business.
Thanks for reading my blog!
Back to top!
Comments:
-
Mar 31, 2024
Permalink
Reply
-
Mar 30, 2024
Permalink
Reply
-
Mar 30, 2024
Permalink
Reply
-
Mar 30, 2024
Permalink
Reply