Hello Urs,
From my long-term experience with e-mail (I think I got my first internet email address around 1988, when nobody thought of spam yet) I can tell you the following:
Fighting spam is honorable and it's good that some people take it seriously. However....
Things like SPF etc. can help to block routes coming from the wrong IP and they are used technically. Correcting an SPF however should immediately fix the delivery. If that's not the case, then the DNS cache can delay it. That's just how the technology works. The only annoying guys I run into who always require special "treatment" are Google and Microsoft. Luckily most of my business partners stay away from US mail providers but some have not understood the danger there yet. Now SPF is domain based. So if SPF triggers, then mails from that IP for that domain must be blocked. Nothing else.
If there is a blacklist involved, in your case, then it's clearly a very aggressive one. I have seen some "companies" who blame themselves to be the good guys, playing the cyberpolice and who are deciding for millions of mailservers what's good and what's bad. But they overblock and take the ISP hostage. I once had to go the legal path because of such a stupid overblocking. And our friends at Swisscom were using them at the time so if this happens, you are disconnected from a lot of people from one minute to the next. This just to show you the huge power these "companies" have and how little due diligence there is. You already have problems talking to them to start with.
What I'm trying to say here is that blacklist providers are not perfect by far. They fight their own private wars and they can be abused for cyberwar or revenge attacks as well. So from the view of a mailserver operator, you should choose well whom you trust to decide who can send you emails and who doesn't. As far as UCEProtect goes (which I have never seen before), I see serious legal issues. You don't know whom you are trusting. There's no names, no legal entity, no contact information on their webpage. They hide, which is never a good sign. And if you look at their delisting policy, you see immediately what their real goal is. If an ISP asks for delisting, it can take up to 7 days. However if you PAY them, you can be immediately removed. This means, they have a direct financial interest to have as many hosts listed as it generates sales. (it's "only" 89 CHF per IP). So they would definitely not be my heroes fighting the nasty spam...
Spam is reality and everybody hates it. However spam should not be fought primarily by simply throwing emails away or blocking. It should be fought primarily by taking actions against the spammers themselves, which makes them stop their odd behaviour. Because otherwise they continue to overload the internet and annoy everyone and make e-mail become useless.
I give you an example:
I run a company in Iceland which has a datacenter. For some reason its sales@.. email address got added into a list of mailing addresses. Since a couple of years I got tons of spams in French advertising stuff from France which I have absolutely no relation with. For example it was promoting to change my home electricity to another provider which is even impossible unless you live in France. Blocking these emails is not really possible on technical means without lots of collateral damage because they came from valid mailservers and valid companies. Unsubscribe buttons usually did work and reduced the volume already quite a bit. Replying to these people with something like this:
Thank you for your query. Given I have never given you an opt-in to send me spam, I would like to remind you that the law on unfair competition act, especially article 23 together with article 333 and 34 of the criminal code defines the maximum penalty for spamming as 1'080'000 CHF or up to 3 years in prison. So please think again before sending the next spam.
and also asking through GDPR to show them the opt-in or where they got the email address from, makes these companies quickly remove that email address and think again if it was a good idea to buy this "email addresses for cause X..." list from some shady seller. These measures have reduced the "French" spam I am getting to very very few. So this was much more effective than blindly trusting a 3rd party to just block everything. Sure >90% of the blocked stuff is spam but there might be a few mails which get deleted which are important for your business. And if it's in your spam folder on your computer, you can at least find it if needed. If it's deleted before even hitting your machine, you are dead and you don't even yet know it.
The technical things help for mailservers going nuts, anonymous viagra spams etc. But these don't stay for long. If an IP doesn't work anymore, these folks have a million other mailservers to try and just move on.
So to answer your question: someone putting an IP onto a blacklist just because of a mismatch on an SPF is definitely wrong because it affects all emails going through that IP address where the SPF is correct. And if some automated blocks are put in place, for God's sake, make it clear why what was blocked and how things can be corrected. And don't outsource that decision to a 3rd party just because you're too lazy. It could fire back one day and that could ruin your business.
PS: maybe we should start a blacklist of blacklist providers.. ;-)
On 7 Oct 2020, at 17:42, Mueller Urs SBB CFF FFS urs.bf.mueller@sbb.ch wrote:
Hello list
I am writing on behalf of a colleague who is operating a small hosting business, mainly focused on the setup of the cms and consulting. He is not on the list and asked me to put his words into it. He had the following dispute with an ISP, but I will let him speak (translation via deepl reviewed by me).
We run a small hosting business on three managed servers, which we rent from a well-known Swiss ISP and host our customers (SMEs and individuals) there. We have had the misfortune three times that the IP of one of our servers got on the blacklist "UCEprotect" through no fault of our own: http://www.uceprotect.net
In each of these cases a Zurich-based ISP was at fault, who apparently is involved in this blacklist - he didn't want to tell us how exactly, but in the first case he still apologized and he was able to remove the IP from the blacklist at short notice without any problems. Therefore we assume that he has a great influence there. The first times the IP was blacklisted because there was a chaos with a telephone system (short: bounces on non-existent addresses). Last week the IP came back on UCEprotect because a customer had edited his SPF entry incorrectly (he forgot to enter the IP of the server) - a single mail from our customer to a customer of the mentioned Zurich provider was already enough for an entry on the RBL. There was neither a spam dispatch nor a spamtrap; the wrong SPF automatically led to a blacklisting of the whole IP with more than 200 hosting customers, who then of course got mail problems.
It would be normal and justifiable for a mail to be classified as spam because of a wrong SPF record. However, we find it very questionable that a whole IP is "dragged into the abyss" because of this. Especially since we have been fighting against spam for almost 25 years, keeping our servers clean and thus "fighting on the same side", it is all the more irritating to have such obstacles put in the way by this provider. The fact that customers can adjust the DNS entries and thus the SPF record themselves is normal for many providers. A single hosting customer's mistake should not also affect his provider and dozens of other customers.
The methods used for an automatic entry on the blacklist UCEprotect seem at least questionable. I would like to show the provider that he means well, but that it can easily hit the wrong people - and would be grateful for input. After the first case still said "sorry, you've been good to me", there are no more answers to the question whether he really considers these methods to be useful. What do you think can be done here? I don't have time and money for a legal dispute, and blocking any traffic to his IPs to prevent damage to our IPs would probably not be clean either.
So, what is your opinion on the behavior of this ISP? Me, Urs, I am with my colleague and I think, it's not acceptable to block a whole IP just while receiving one or a small number of mail without a correct SPF.
Thank you for your thoughts, I will collect them and send them to my colleague.
Urs Müller Schweizerische Bundesbahnen SBB Senior Architekt / Product Owner Informatik Operations-Management / CYBER Poststrasse 6 - Ostermundigen, 3000 Bern 65 urs.bf.mueller@sbb.ch / www.sbb.ch
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
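The point argued in this thread, that an SPF result belongs to one (sending IP, sender domain) pair and a wrong record for one hosted domain says nothing about the other domains on the same shared IP, shown as an added example that is not part of the original messages. The domains, IP addresses and records are constructed, and only the `ip4`, `ip6` and `all` mechanisms are evaluated so the check runs without DNS.

```python
import ipaddress

# Constructed sample SPF records (documentation IP ranges, made-up domains).
# 192.0.2.10 stands for the shared hosting server's outbound IP.
RECORDS = {
    "customer-a.example": "v=spf1 ip4:192.0.2.10 -all",
    "customer-b.example": "v=spf1 ip4:198.51.100.0/24 -all",  # server IP forgotten
}

# SPF qualifier prefix -> RFC 7208 result name
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, records=RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of the domain's record for sender_ip.

    Returns an RFC 7208 result name. Mechanisms that need DNS lookups
    (a, mx, include, ...) are outside this offline example and are skipped.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def verdicts_for_ip(sender_ip, domains):
    """Per-domain verdicts for one sending IP: the unit an SPF result applies to."""
    return {d: check_spf(sender_ip, d) for d in domains}


if __name__ == "__main__":
    print(verdicts_for_ip("192.0.2.10", ["customer-a.example", "customer-b.example"]))
```

The same server IP passes for the domain whose record lists it and fails only for the domain whose record omits it, which is the scope a receiver can act on from SPF alone.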