Abusive blocking from SpamRats

Discussion in 'Technical' started by JohnEdward, Jan 26, 2023.

  1. JohnEdward

    JohnEdward New Member HowtoForge Supporter

    Hi. (My apologies for my bad English; it is not my native language.)
    I need your advice and your guidance on how to approach the situation and how to proceed further.
    I have two separate servers, with Debian 11 and ISPConfig 3.1
    Recently, a few days ago, a user sent an email to a new customer, and I instantly received a rejection email.
    That email was a reply, after the customer placed a commercial order on our website.

    "[email protected] dot ro>: host mail.customer dot ro[77.81.xx.xx] said: 554 5.7.1 Service
    unavailable; Client host [11.22.33.44] blocked using spam.spamrats dot com;
    SPAMRATS IP Addresses See: www.spamrats dot com/bl?11.22.33.44 (in
    reply to RCPT TO command)"

    I checked the logs, checked the blacklists and found that everything is fine except for SpamRats, which did not necessarily block our e-mail servers but the entire IP class of our ISP.

    I had a discussion with our ISP and he told me, after the checks, that everything is clean. No attack, no abuse, no infection on that class of ips.

    I have checked my IP in SpamRATS and the result is the following:

    Standards Compliance:

    Does IP Address resolve to a reverse hostname... Passed!

    Does IP Address comply with reverse hostname naming convention...Passed!

    List Status:

    RATS-Dyna - On the list. Worst Offender Alert

    RATS-NoPtr - Not on the list

    RATS-Spam - Not on the list


    No delisting method works on the SpamRats website. I wrote to them on the contact page and they did not reply. I sent them an email from Gmail to [email protected] dot com and they didn't reply.

    Some reviews on the Internet about SpamRats look like this:
    "SpamRats is a very unreliable blacklist. They basically ignore everyone including ISPs, so there are always a good number of innocent sites listed by their system.

    Ignore or remove Spamrats and use the more reliable lists like Spamhaus, SpamCop, Truncate, UCEprotect."

    "SpamRats is a cheating "company" that is adding whole IP ranges and after that they try to sell you commercial services provided by their official companies ... if you write them an email demanding that they stop the illegal discrediting of the good name of your company or you will sue them, they will remove it within an hour ... personal experience"

    OK until this step. I don't use SpamRats in SpamAssassin.

    In Postfix main.cf I have this (one entry per line, Postfix continuation style; the dots in the DNSBL hostnames had been stripped by the forum):
    smtpd_client_restrictions =
        check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf,
        permit_inet_interfaces,
        permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access regexp:/etc/postfix/rbl_override,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client xbl.spamhaus.org,
        reject_rbl_client rbl.abuse.ro,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client psbl.surriel.com,
        reject_rbl_client dnsbl-1.uceprotect.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dnsbl.justspam.org,
        reject_rbl_client bl.mailspike.net,
        reject_rbl_client spam.dnsbl.anonmails.de,
        reject_rbl_client ix.dnsbl.manitu.net,
        reject_rbl_client truncate.gbudb.net,
        reject_rbl_client bl.blocklist.de,
        reject_rhsbl_client hostkarma.junkemailfilter.com=127.0.0.2,
        reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2,
        reject_unauth_pipelining,
        permit

    Our mail servers meet all the technical conditions of operation, in terms of national and international regulations.
    Our email servers have DNS PTR records, SpamAssassin filters, mail antivirus, a valid SPF DNS record, DKIM and a DMARC record.
    We use our mail servers only for communication inside the organization and for communication with our clients on a 1:1 basis.
    We do not run mass-email campaigns, nor do we advertise by email.

    Even if I have the e-mail server and the DNS server configured correctly, I can expect that the first mail sent to a new customer may end up in spam.
    Possibly..., even if it hasn't been the case so far.
    But in this situation it was like a trap. First attempt, first shot and that's it. We are on the blacklist.
    Why? What is the clear reason? Evidence of spam?
    We can ignore SpamRats, but what do we do about communicating with our future clients who use SpamRats on their email servers?
    We believe that this will affect the smooth running of the business we own.
    We had e-mail services at Google for one domain; other domains we had at other hosting providers with cPanel, but we did not have clear control over e-mail whitelisting of customers, and we were not receiving some e-mails from customers. That's why we chose to host our server ourselves.

    Since SpamRats services are hosted in Canada, we would like to file a complaint with the appropriate authorities in Canada:
    ised-isde.canada dot ca/site/competition-bureau-canada/en/restrictive-trade-practices

    I would still like to hear your opinion. There may be a simpler solution.
     
  2. pyte

    pyte Active Member HowtoForge Supporter

    There is most likely a good reason why the subnet your server's IP belongs to got blacklisted. They don't do this just because they feel like it.

    As your IP got listed on the RATS-dyna list you may want to read what they say about the removal from that list:
    Where are your servers located? Are these hosted servers in a datacenter or locally? And if they are locally, is this a normal ISP Internet Connection that connects them to the internet?
     
  3. JohnEdward

    JohnEdward New Member HowtoForge Supporter

    Do you know them well? Are you ready to give their actions a boost of confidence?
    I think they are abusing. They are not a regulatory or certification authority, but they pretend to be and want to cheat users.
    They have not presented a clear reason for this blocking and refuse to communicate.

    I already wrote when opening this thread:
    "..
    Does IP Address resolve to a reverse hostname... Passed!
    Does IP Address comply with reverse hostname naming convention...Passed!
    Our mail servers meets all the technical conditions of operation, in terms of national and international regulations.
    Our email server, have DNS PTR registration, SpamAssassin filters, Mail Antivirus, SPF valid DNS registration, DKIM and dmarc record."

    Our mail servers are hosted inside our company.
    I am responsible for two IP classes: one /29 and one /28, which the ISP provided to us under a business subscription.
    Is this a normal ISP Internet Connection?
    I am editing/correcting a question I wrote above:
    We can ignore SpamRats, but what do we do about communicating with our future clients who use SpamRats on their email servers?
     
  4. pyte

    pyte Active Member HowtoForge Supporter

    They have been on the scene for over 15 years and are sponsored by some reputable organisations. I don't think they just "abuse" anyone because they feel like it; that's absurd.

    So checking the reverse DNS entries for the IPs results in the hostnames of your mailserver?

    Who owns the /29 and /28? Who is listed in the RIPE DB, your company or your ISP?
    Did you acquire these subnets just recently?
     
  5. JohnEdward

    JohnEdward New Member HowtoForge Supporter

    "Reputable" organizations are reputable, until proven otherwise.
    And anyone can apply a fake portfolio on the website page.
    They are not a regulatory or certification authority.
    Their actions, this labeling, cause us damages and losses in our businesses.

    So checking the reverse DNS entries for our IPs results in the hostnames of our mail servers: mail.ourdomain1.tld1 and mail.ourdomain2.tld2
    I don't own those /29 and /28 IP classes. These are allocated by the ISP to us, to use as we wish. So I am responsible for their use.
    Could you please stop trolling this thread? I would like to know everyone's opinion, especially the experts here, not just yours. You only have an opinion, I understand it, but I have my opinion.
    If we assume that spam is sent from our servers, why are we green/clean at all providers but not at SpamRats?
    Is SpamRats more valid and famous than the Barracuda Reputation Block List or Blocklist.de or SpamCop or Spamhaus?? I do not believe that!
    I have no evidence to prove that you are guilty, but I declare you guilty, and you have to provide evidence that you are not. But I don't allow you to contact me and defend yourself, unless you activate a paid subscription from our website.
    What is this called? Scam? I see it as a scam
     
  6. JohnEdward

    JohnEdward New Member HowtoForge Supporter

    Now it appears differently when checking on the SpamRats site:
    Standards Compliance
    Does IP Address resolve to a reverse hostname... Passed!

    Does IP Address comply with reverse hostname naming convention... Passed!

    List Status
    RATS-Dyna - Not on the list.

    RATS-NoPtr - Not on the list.

    RATS-Spam - On the list. Worst Offender Alert.

    RATS-Auth - Not on the list.
     
  7. pyte

    pyte Active Member HowtoForge Supporter

    I was trying to help and understand your environment better, to maybe find the reason or a possibility why SpamRats marked this subnet. All BL services work like this, and just because you are on one list doesn't mean you have to be on another... In most cases my servers are reported by UCEPROTECT from time to time.
    And just because you are listed on one of these lists doesn't mean that all your valid mails get rejected instantly. No one in their sane mind would configure their spam filter to reject mails because the sender is listed on one list.

    But yeah, good luck, I'm out. Your attitude is bothering me.
     
    Last edited: Jan 26, 2023
  8. JohnEdward

    JohnEdward New Member HowtoForge Supporter

    My email servers are not reported by UCEPROTECT. They were never reported.
    You can check above which providers I use in Postfix.
    But I had an email blocked on 18 August 2022 by mail.de, which asked for a paid subscription
    to include me in a "Tested Data Protection" whitelist, which included the famous Adobe company. Blah blah..
    I refused to pay for something like that. Somehow this association of SpamRats and mail.de seems dubious.
    (It is on the official website of SpamRats in the portfolio.)
     
  9. pyte

    pyte Active Member HowtoForge Supporter

    spamrats blocks whole /24 subnets. They check the whole subnet for valid rdns records. Make sure your subnets have rDNS for all IPs and request a delist.

    It may not be good practice, but it is what it is. Like I said, I can't imagine anyone rejecting a mail based only on the fact that the IP is listed on one blacklist.
    You can't do anything about this other than comply with their requirements and request a delisting, or change your IP.
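    The point made above, that a sane receiver should not hard-reject on a single list, maps to Postfix's postscreen(8) scoring mode. Here is an added configuration example (not from the thread, and not ISPConfig's generated config): each DNSBL carries a weight, a DNS whitelist carries a negative weight, and a client is rejected only when the sum reaches the threshold. The weights and the threshold are illustrative values that must be tuned per site; the zone names are the public ones already quoted in this thread plus list.dnswl.org.

```conf
# main.cf -- added example: weighted DNSBL scoring with postscreen instead of
# one reject_rbl_client per list.  Weights are illustrative, tune per site.
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.spamcop.net*2
    psbl.surriel.com*1
    dnsbl-1.uceprotect.net*1
    spam.spamrats.com*1
    # DNS whitelist: trusted senders subtract points (dnswl trust levels 1..3)
    list.dnswl.org=127.[0..255].[0..255].[1..3]*-3
# reject only when the combined score reaches the threshold
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
# local exceptions (your own networks, known partners) bypass postscreen entirely;
# /etc/postfix/postscreen_access.cidr is an assumed file name
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr

# master.cf -- port 25 is handled by postscreen, which hands clean clients to smtpd;
# the submission service (port 587, SASL) is unchanged and never goes through postscreen
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
```

    With this in place a listing on one low-weight zone (weight 1) never rejects on its own; it takes a Spamhaus ZEN hit, or several minor lists together, and a dnswl-listed sender can offset one hit. postscreen only affects port 25, so the existing smtpd_client_restrictions with permit_sasl_authenticated still govern authenticated users on the submission port. Run postfix check after editing and watch mail.log for "DNSBL rank" lines to calibrate the weights before switching postscreen_dnsbl_action from ignore to enforce.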
     
  10. JohnEdward

    JohnEdward New Member HowtoForge Supporter

    I would like to know how many of you can access this registration link at mail.de (I tried from Vodafone, Orange and MyISP):
    https://registrierung.mail.de/de/

    Every time, from any network, I get the same message (in German; translated here):
    "Network blocked!
    Access from the network you are using is currently blocked.

    Since the spam rate from the network you use is above average,
    your access to our site has been blocked. We ask for your understanding."

    It seems that something is wrong with the SpamRats they are affiliated with. This is how this blacklist is explained.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Just tested it, works fine from here. But I connected from a german network provider, so maybe this makes the difference.
     
  12. JohnEdward

    JohnEdward New Member HowtoForge Supporter

    As a German mail provider, it is your right to offer your services only to German citizens.
    But on their website, they do not specify this, but more than that, they formulate an abusive and baseless accusation:
    "Since the spam rate from the network you use is above average,
    your access to our site has been blocked. We ask for your understanding."

    What spam rate? When? How? Can you prove? Where can it be checked?
    And again: Are you an authority for certification and regulation of internet services? In Europe, IP class abuses are reported to RIPE.
    How dare you think you are RIPE?

    I personally use fail2ban, and I report attacks from various IPs to blocklist.de and AbuseIPDB, with clear logs: date, time and reason for blocking.
    The user of the accused IP can check the reason for the act.

    This is not the way to go. It is a clear abuse when you block classes of ips or countries, presumptively,
    assuming the reason that you will probably do this or that, but you haven't done it yet and even more so that you probably won't.

    By the way, I am ethnically German, although my grandparents and parents were not part of a larger community, that's why I didn't study/learn German.
    I specify this so that it is not understood that I have something against the Germans.
     
  13. MaxT

    MaxT Member

    Some time ago I was forced to delete the SpamRats RBL, although not because of their fault. Some legitimate senders in my country are using a very big hosting company which allows websites with commercial marketing activity to be mixed with ordinary customers in the same network segments. I wonder if this could be your case.

    Your problem is a bad thing. Although the critique is difficult, because for example I do the same on my own with many marketing companies like Mailchimp which frequently are not covered by the RBL lists (strange? o_O). Periodically I run a routine to detect IPs from marketing messages and I block the whole network segment belonging to one IP. I have an accumulated list with nearly 1400 CIDR segments blocked in a preventive way, and no problem receiving legitimate messages.

    Maybe you can consider searching for another hosting company. Many offer some days to return the money. In that time you can build an easy RBL routine to find out whether your new IP has blacklisted neighbors in the same segment.
     
  14. JohnEdward

    JohnEdward New Member HowtoForge Supporter

    I also use lists with malicious/attackers IPs, which I import and insert into the firewall. Nothing wrong with this.
    The problem, in essence, is with the rbl provider, which does not allow communication with it,
    which does not allow the right to add small exceptions.
    Do the innocent customers who want to use their blacklists know that the lists are abusively exaggerated?

    We host our own servers and services under our own banner, inside our company.
    We do not use third party hosting companies.
    We had, we tried and they did not satisfy our requirements. More precisely at the email services/server.
    We chose to build/host/manage our own servers with Debian 11 and ISPConfig. Everything has been almost perfect so far.

    The small pool of /28 IPs that was allocated to us for use by the ISP is part of a /23 pool.
    If we divide that /23 range of IPs into two /24s:
    the first /24 pool contains IPs with problems at RBL providers;
    the second /24 pool, which also includes our subnet, is clean. I did not find any IP with problems in a BulkBlackList check.
    So there is a pool/IP range eligible for a whitelist.
    When we started using the server with ISPConfig, in July 2022, we had a presumptive blacklist at Microsoft Office 365 AntiSpam.
    We opened a dispute, we communicated with them, and they inserted our IPs into the whitelist.

    I think that, as an RBL provider, in this case SpamRats, if you sell services for money, you ask for that money for the RBL filters, for their use.
    I don't think it's ethical to ask for money as a ransom/redemption.
    Especially if you are not guilty of anything. I see this as a method of being allowed to spam for a fee.

    There is a clean network segment that we belong to, a network segment that can be entered as an exception in the white list(That pool /24).
    Only Goodwill and communication with the RBL providers should be. But that is missing in this case.
     
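    Posts #9, #13 and #14 all come down to the same procedure: look at a whole block the way a list operator does, confirm that every address has a PTR that resolves back to itself (forward-confirmed rDNS), and see whether any neighbor is already listed. The script below is an added example, not code from the thread, from ISPConfig or from SpamRats. It builds the reversed-octet DNSBL query names, checks PTR and forward confirmation for every address in a CIDR block, and reports per-host listings. Resolution is done through two injectable callables so it can be exercised offline against constructed data; the defaults use the system resolver. The subnet 192.0.2.8/29, the hostnames, and the RATS return-code names are assumptions made for the demo, not the poster's real block or a verified SpamRats code table.

```python
"""Audit a mail-sending IP block: forward-confirmed rDNS plus DNSBL listings.

Added example (not from the thread, ISPConfig or SpamRats). The two resolver
callables are injectable so the logic runs offline against constructed data.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Zones to query. The return-code names for spam.spamrats.com are an
# ASSUMPTION made for this example; verify against the operator's documentation.
DNSBLS = ["zen.spamhaus.org", "bl.spamcop.net", "spam.spamrats.com"]
ASSUMED_SPAMRATS_CODES = {"127.0.0.36": "RATS-Dyna", "127.0.0.37": "RATS-NoPtr",
                          "127.0.0.38": "RATS-Spam", "127.0.0.43": "RATS-Auth"}

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None if absent
ALookup = Callable[[str], List[str]]         # name -> IPv4 A records, [] on NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 11.22.33.44 -> 44.33.22.11.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror / gaierror are OSError subclasses
        return None


def system_a(name: str) -> List[str]:
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []


@dataclass
class HostReport:
    ip: str
    ptr: Optional[str]
    fcrdns: bool                                                 # PTR exists and resolves back to ip
    listings: Dict[str, List[str]] = field(default_factory=dict)  # zone -> return codes

    @property
    def clean(self) -> bool:
        return self.fcrdns and not self.listings


def audit_subnet(cidr: str, zones: List[str] = DNSBLS,
                 ptr: PtrLookup = system_ptr, a: ALookup = system_a) -> List[HostReport]:
    """Audit every address in the block (network and broadcast included, as an operator would)."""
    reports: List[HostReport] = []
    for addr in ipaddress.ip_network(cidr, strict=False):
        ip = str(addr)
        name = ptr(ip)
        fcrdns = name is not None and ip in a(name)
        listings: Dict[str, List[str]] = {}
        for zone in zones:
            # A DNSBL answers with a 127.0.0.0/8 address when listed, NXDOMAIN otherwise.
            hits = [h for h in a(dnsbl_query_name(ip, zone)) if h.startswith("127.")]
            if hits:
                listings[zone] = [ASSUMED_SPAMRATS_CODES.get(h, h) if zone == "spam.spamrats.com" else h
                                  for h in hits]
        reports.append(HostReport(ip, name, fcrdns, listings))
    return reports


def summarize(reports: List[HostReport]) -> Dict[str, int]:
    return {
        "hosts": len(reports),
        "missing_ptr": sum(r.ptr is None for r in reports),
        "fcrdns_fail": sum(not r.fcrdns for r in reports),
        "listed": sum(bool(r.listings) for r in reports),
    }


# Constructed offline data for a hypothetical /29 in TEST-NET-1 (not the poster's block).
DEMO_PTR = {"192.0.2.8": "host-8.isp.example", "192.0.2.9": "mail.example.net",
            "192.0.2.10": "mx2.example.net", "192.0.2.12": "host-12.isp.example",
            "192.0.2.13": "host-13.isp.example", "192.0.2.14": "host-14.isp.example",
            "192.0.2.15": "host-15.isp.example"}            # .11 has no PTR at all
DEMO_A = {"mail.example.net": ["192.0.2.9"],
          "mx2.example.net": ["192.0.2.99"],                # PTR name does not resolve back
          "9.2.0.192.spam.spamrats.com": ["127.0.0.36"]}    # .9 listed; code name assumed
for _ip, _name in DEMO_PTR.items():
    DEMO_A.setdefault(_name, [_ip])


def demo() -> List[HostReport]:
    """Run the audit against the constructed data instead of the live resolver."""
    return audit_subnet("192.0.2.8/29", ptr=DEMO_PTR.get, a=lambda n: DEMO_A.get(n, []))


if __name__ == "__main__":
    for r in demo():
        print(r.ip, r.ptr, "fcrdns" if r.fcrdns else "NO-FCRDNS", r.listings or "")
    print(summarize(demo()))
```

    For a live check call audit_subnet("11.22.33.0/24") with the defaults; it walks all 256 addresses and queries each zone once per address, so expect a few seconds and mind DNSBL query limits. A /24 with several missing PTRs or non-forward-confirmed names is exactly the pattern a list that scores whole /24s reacts to, regardless of whether your own two /28 and /29 hosts are in order, which is the point pyte was making in post #9.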
