I work at Yahoo! and we've been blacklisted as well by Spamhaus. I wouldn't say it's entirely inappropriate because of the sheer volume of email that can pass through our (or in this case Gmail's) system.
Personally, I've tried to reach out to Google regarding security issues on blogspot which were affecting our property. There was an XSS vulnerability and we were getting thousands of posts on our blog linking to blogspot which would in turn redirect the user to some pharma site.
It's been months and they haven't really made any progress other than put me in contact with various people who don't respond to email.
If that's how they deal with an open XSS I can only imagine how fast they move to deal with spam like this.
Disclaimer: This isn't a post bashing Google and praising Yahoo - just the only experiences I've had to contribute to this post :).
True. I agree that it's a really clumsy "solution" - if you even want to call it that. I know for us it expedites our efforts to remedy our part of the problem.
Not the right motivation and perhaps more harm than good but I'm not 100% sure.
As of June 2009, the latest stat I found, Gmail has 5.51% share of email users, 1/3 of either hotmail or yahoo mail. Definitely not "tens of percentage points."
I know the google fanboys will hate this, but the problem is letting just anyone or just any machine create an account and use your service. It's google's responsibility to can the spam coming from their domain. Google doesn't care though. If they make it harder to get a gmail account, then they make it harder to spam their "legitimate" users with advertisements and why would they want to do that?
If you are a company that provides spamming capabilities to anyone and everyone, then it is exactly valid to add them to a spam list.
You could say, "Plenty of legitimate users use gmail." Fine, maybe so, but if you are someone who uses gmail, you are surrounded by a cadre of spammers and should understand your credibility is instantly devalued.
Birds of a feather flock together. The solution is to stop using gmail.com.
A VERY VERY high percentage of spam in my inbox comes from gmail accounts. If tens of percentage points of spam is sent from a domain, then it's valid to add them to the list of spamming domains.
> Fine, maybe so, but if you are someone who uses gmail, you are surrounded by a cadre of spammers and should understand your credibility is instantly devalued.
"My credibility"? When I send my mom an email, I expect her to get it. When she sends me one, I expect to get it.
>Birds of a feather flock together.
Yes, because I am a spammer.</sarcasm>
If gmail has a lot of spammers using their service, they should address this. But the suggestion that those caught in the crossfire should know better is one of the more frustrating things about black-listers.
Perhaps, instead, you should try using a better spam blocking system. Gmail's system works quite well.
I personally wouldn't touch Spamhaus with a ten foot pole. From everything I hear, they seem seriously biased towards incorrectly blacklisting IPs rather than letting a few bad ones through; more highly favouring false positives than false negatives in terms of identifying malice, in other words. Thing is, I believe most reasonable people prefer the reverse trade-off; they would rather get a little more spam than risk losing email.
I'm guessing it's not the "google fanboys" who hate this sentiment, so much as it is the people who expect to be able to use email instead of sacrificing chickens to the sysadmin/net-abuse gods.
"expect to be able to use email" This just summarizes the problem. People "expect" to use a free email system and still be treated equally to those who pay good money for a legitimate SMTP host that cares about the quality of service they provide to their customers.
Legitimate email providers take measures to ensure their customers aren't spammers, and those who don't end up on the spammer lists, and this is exactly the way it should be.
Until Google takes a stand against the spammers who use their systems, they should be on the list just like all the others.
TLDR; It's a tough problem to which I have no suggestions.
It's not just Google. Trust me when I say that combating spam is a full time ongoing job that never ever ends and you never ever win.
I do agree that it's the responsibility of the email provider to mitigate spam but it's an incredibly difficult task to accomplish with near zero false positives.
Perhaps Google could do a better job but restricting the "open" nature of signing up for and using email is not the solution. If Google does that then someone else will offer it unrestricted.
It's simply too cheap for spammers to send emails. Identifying usage patterns and rate limiting or gasp charging based on them would be a step in the right direction. But that means losing users which in itself has tremendous cost.
In this case Spamhaus accidentally blocked gmail because they used the entire IP block of the original email's images.
It seems that spammers were using docs.google.com to post some documents, which are stored in the same /24 as gmail. Spamhaus decided to blacklist the whole subnet.
I interpreted that sentence to mean that the decision was not accidental but purposeful on Spamhaus' part; if it's accidental then it's slightly different (actually it makes me think somewhat less of Spamhaus, because it's sloppy).
Either way I'm not sure that the outcome is going to be good. I'd like it if there were a way to pressure Google into being more responsive about spam issues, but they have little incentive to, beyond keeping it from clogging up their own systems.
I know this isn't the right place for a Yahoo! bug report, but they don't reply to me elsewhere.
I keep getting spam from Yahoo! in the form of people signing me up for some group, just today someone signed me up for the "vjth group" with the group description "iqdjgpwo62r683fs".
There's a link in the E-Mail saying "You may also change your email preferences to prevent group owners from adding you to their groups.". But when I follow it and change my E-Mail preferences I get:
Groups error
We're Sorry...
There was a problem with your request.
The page you've requested returned this error:
If you continue to receive this error for more than 48 hours, please contact our Customer Care team. We apologize for this inconvenience.
I've been getting this error for the last 6 months or so. Stop spamming me Yahoo!.
I guess that depends on definition. At yahoo the ability to use a product for spam is a vulnerability. If a spammer can email a link to yahoo.com/something/random which redirects them to mypharamasite.com then it's a vulnerability because the site allowing the redirects helps trick the end user into buying vicodin :).
I can't imagine why javascript redirects add much value in a blog post. But everyone picks a different spot between features and security - and that's okay by me.
>I can't imagine why javascript redirects add much value in a blog post. But everyone picks a different spot between features and security - and that's okay by me
There are a lot of people that have used blogspot as their host for a long time, but then decide to get their own domain and don't want to lose their readers. That's the motivation I've heard for allowing redirects in the past, though I don't know what the current policy is.
Blogspot is a lot more like a hosting service than an application in terms of what it allows, probably because it's one of the oldest.
Spamhaus is the most rabid group of extreme anti-spammer teenagers out there (or at least they act like teenagers).
I've had various SMTP servers (for various companies) blocked by them, usually for very questionable reasons. You used to have to argue with them on their forum (and take a beating from all of the kids on that site) before they'd remove you.
The result is that SMTP admins get it from both sides: Spammers make your life hard, rabid blackhole lists combatting spammers make your life even harder.
I can't send email to gmail addresses -- well sometimes I can and sometimes I can't -- because Google (sometimes) says of my server:
Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
This is complete bullshit. We have SPFs in DNS. We don't relay, and have had this independently tested.
We send tiny amounts (3 or 4 a week) of mainly personal email to gmail addresses.
Who do I contact to sort this? Who knows? Google has no point of contact.
So I'm happy for Google to have a taste of their own medicine. And my opinion of them is a rabid group of extreme anti-spammer teenagers.
I doubt that Google is tasting this at all. Probably only the unlucky companies who use Spamhaus and now have the unenviable task of going through and making sure they missed no emails from customers or partners.
> Spamhaus is the most rabid group of extreme anti-spammer teenagers out there
I see you've never met SORBS. Or even NANAE (news.admin.net-abuse.email).
Blacklists are a pretty powerful tool to get ISPs and the like to do something about their spam. And Spamhaus is usually right. And yes, I've been on SORBS (due to some other account in the same /24 spamming at some point in the past...)
Paul Vixie has proposed an extension to the DNS that would have relay cache servers (the servers you ask for generic name lookups) store blacklists of evil domains. Anything blacklisted would, in effect, disappear from the Internet (for normal users).
Use an alternative DNS that doesn't blacklist. Alternative DNS servers already exist, I'm sure there'll be someone who won't blacklist if they do implement this.
Seems like it might be biting off a bit more than they can chew.
Given the choice between the service Spamhaus' list provides, and being able to receive mail from what's undoubtedly one of the largest webmail providers in the world (the biggest?), a lot of people are going to can Spamhaus.
I'd hope that Google will react by doing something about the spam, but they could much more easily do nothing, put out some recommendation that people stop using Spamhaus, and a lot of people will be forced to do just that (or Spamhaus will blink and un-blacklist Google). They're the 800-pound gorilla in this particular match; Spamhaus isn't a lightweight but I wouldn't put any money on them in that fight.
Google isn't even close to the biggest email provider (by some sources both Yahoo and Microsoft are more than twice their size)... but your point stands :)
Just a little anecdote about how good spamhaus really is. I used to co-locate in Toronto, right next door to a bunch of heavy duty spammers. It so happened that there was a class C split into three subsections, two of them belonged to the spammer and a tiny 16 host range in the middle that belonged to us.
Spamhaus figured this all out by themselves and took great care not to cause any collateral damage while going after the spammers. Pretty impressive, especially since that would have been very hard to figure out from the outside.
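An added illustration of the contrast this thread keeps returning to, listing a whole /24 versus carving out a 16-host range inside it (not part of the original comment and not Spamhaus's own tooling). The 192.0.2.0/24 documentation range, the position of the /28 and all function names are constructed for the example.

```python
import ipaddress

def listing_without(block, protected):
    """CIDR ranges covering `block` except the `protected` sub-range."""
    block = ipaddress.ip_network(block)
    protected = ipaddress.ip_network(protected)
    if not protected.subnet_of(block):
        return [block]                      # nothing to carve out
    # address_exclude yields the minimal set of CIDR blocks that
    # cover everything in `block` outside `protected`.
    return sorted(block.address_exclude(protected))

def is_listed(ip, listing):
    """True if `ip` falls inside any listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in listing)

def collateral(listing, protected):
    """Number of protected addresses caught by a listing."""
    protected = ipaddress.ip_network(protected)
    hit = 0
    for net in listing:
        if net.overlaps(protected):
            # CIDR ranges either nest or are disjoint, so the overlap
            # is always the smaller of the two ranges.
            hit += min(net.num_addresses, protected.num_addresses)
    return hit

# Constructed sample: a /24 whose middle /28 (16 hosts) belongs to a
# legitimate tenant, as in the anecdote above.
BLOCK = "192.0.2.0/24"
TENANT = "192.0.2.112/28"

naive = [ipaddress.ip_network(BLOCK)]       # list the whole subnet
precise = listing_without(BLOCK, TENANT)    # list around the tenant

if __name__ == "__main__":
    print("naive listing catches", collateral(naive, TENANT), "tenant hosts")
    print("precise listing:", ", ".join(str(n) for n in precise))
    print("precise listing catches", collateral(precise, TENANT), "tenant hosts")
```

The precise listing needs four entries instead of one, which is the bookkeeping cost of avoiding the collateral damage.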
We've switched once already this month - our new office was assigned an IP by C&W business that is in the same block as thousands of Virgin home cable-modems, so we got blacklisted by Spamhaus and others. Management got quite twitchy so I moved all the outgoing email to go via our Postini account which was previously only filtering incoming. Don't fancy having to find a third option now.
Because of the existence of false positives? Please let me know of a spam filtering system which doesn't have them. Really. I'd like to add it to my filtering setup...