Spamhaus is Silencing Internet Researchers and I'm Tired of It

Spamhaus has started a nasty campaign against Internet researchers, and until now it has gone mostly unnoticed outside the port scanning communities. As the operator of a VPS provider which has been trying to hold out as long as possible in allowing port scanning activity, I've come to a point where I can no longer remain cordially quiet about the aggressive campaign Spamhaus is operating, as they are directly harming my business as a result of their negligence.

Port scanning is a crucial activity for Internet researchers. Port scanning allows researchers to know what services are running on the Internet, and in its simplest case a port scanning probe is a single TCP SYN packet. Market researchers port scan to calculate the market share of various products. Engineers at large companies port scan to calculate the global impact of changes to their networks. Security researchers port scan both to find vulnerable devices attackers are hacking, and to find the servers which control those hacked devices.

Spamhaus is an incredibly influential company. They have gained popularity with enough large tech companies that being listed by Spamhaus is a death sentence. Spamhaus will automatically upgrade listings to include whole subnets, and then the subnets of their providers, to force action down the chain. This is a reasonable policy when directly attacking spam bots and those who enable them, but by attacking innocent researchers it is causing a chilling effect throughout the port scanning communities.

Several (LOTS of) Internet researchers have been complaining that their port scanning activities have been silenced:

(pretend I put a bunch of tweets here)

The Spamhaus Block List (SBL) has historically been used to list IP addresses that send spam, attempt to hack into servers, or host botnet controllers and infrastructure.
Unlike with these activities, there is no way to prove that port scanning actually originates from a given IP address, meaning malicious actors are able to spoof port scanning traffic and inflict a sort of "blacklist attack" by causing innocent IP addresses to be listed. Spamhaus is listing all port scanning traffic without verifying that the traffic comes from where it says. Instead of checking for e.g. banner scans, which require a TCP handshake or two-way UDP interaction, Spamhaus' honeypot servers are blacklisting all TCP SYNs they see.

My friend in the security community and I have demonstrated that Spamhaus is vulnerable to this attack by causing a provably-innocent IP address to be blacklisted. Any IP address can currently be blacklisted on Spamhaus in 2-12 hours by spoofing the source IP address with the following command:

    masscan --src-ip -p 23 0.0.0.0/0 --rate=80000

Both my friend and I have been subject to abuse from Spamhaus over the last month, which sparked our interest in exactly how Spamhaus was listing this traffic. I agreed to let him attack a server of mine, and I logged all traffic to prove no traffic was being originated. Spamhaus listed the IP address for "vulnerability scanning", despite no traffic ever being sent from this server.

What do Spamhaus' abuses look like?

I am happy to share with you what I have been putting up with over the last month. Our port scanning customers were blacklisted immediately as Spamhaus started their new policy, which quickly escalated to a network listing, meaning none of my customers have been able to reliably send mail for the last month.
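The distinction drawn above, a bare SYN versus a completed handshake, is exactly what a listing honeypot would need to check before attributing traffic to a source. As an added example (not code from the original post, and not Spamhaus' own logic), here is a small Python classifier over a constructed packet capture that marks a source as verified only once it has echoed back the honeypot's ISN+1, which an off-path spoofer cannot know; the addresses, ports and sequence numbers are made-up values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed packet records, as a honeypot capture might summarise them.
# flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK (only the handshake matters here).
@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    seq: int
    ack: int

HONEYPOT = "192.0.2.1"  # constructed honeypot address (RFC 5737 range)

def classify_sources(pkts: List[Pkt], honeypot: str) -> Dict[str, str]:
    """Attribute scan traffic to a source only once it proves it received
    the honeypot's SYN-ACK, i.e. it acks ISN+1. An off-path spoofer never
    sees that SYN-ACK, so its forged SYNs stay 'syn-only'.
    Assumes the honeypot picks unpredictable ISNs (as any modern stack does)."""
    pending: Dict[Tuple[str, int], int] = {}  # (client, client port) -> our ISN
    verdict: Dict[str, str] = {}
    for p in pkts:
        if p.dst == honeypot and p.flags == "S":
            verdict.setdefault(p.src, "syn-only")
        elif p.src == honeypot and p.flags == "SA":
            pending[(p.dst, p.dport)] = p.seq
        elif p.dst == honeypot and p.flags == "A":
            isn = pending.get((p.src, p.sport))
            if isn is not None and p.ack == isn + 1:
                verdict[p.src] = "handshake-verified"
    return verdict

def listable(verdict: Dict[str, str]) -> List[str]:
    """Only handshake-verified sources are safe to put on a blocklist."""
    return sorted(ip for ip, v in verdict.items() if v == "handshake-verified")

# Constructed capture: 203.0.113.10 really scans port 23 and completes the
# handshake; 198.51.100.7 appears only as the forged source of a SYN, and the
# one ACK "from" it carries a guessed ack number, so it never verifies.
SAMPLE = [
    Pkt("203.0.113.10", HONEYPOT, 40001, 23, "S", 1000, 0),
    Pkt(HONEYPOT, "203.0.113.10", 23, 40001, "SA", 777777, 1001),
    Pkt("203.0.113.10", HONEYPOT, 40001, 23, "A", 1001, 777778),
    Pkt("198.51.100.7", HONEYPOT, 51234, 23, "S", 5000, 0),
    Pkt(HONEYPOT, "198.51.100.7", 23, 51234, "SA", 888888, 5001),
    Pkt("198.51.100.7", HONEYPOT, 51234, 23, "A", 5001, 123456),
]
```

Running classify_sources(SAMPLE, HONEYPOT) yields handshake-verified for 203.0.113.10 and syn-only for 198.51.100.7, so only the former is listable.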
Here's the timeline:

03/01: Spamhaus lists first port scanning customer
03/01: We appeal, list our PTR policy, describe our AUP, ask for this class of listings not to escalate to a network listing
03/02: Spamhaus removes the listing
03/03: Spamhaus sends an afterword saying our PTR (rDNS) should point to a website describing intentions and contact info
03/05: Spamhaus starts listing port scanners again over the next few days, causing our entire network to be blacklisted
03/11: OvO enacts Spamhaus' policy directive, launches https://port-scanning-customer.ovo.sc/ and requires all port scanning servers to use this or their own PTR
03/12: We respond to the listing, cite our new PTR policy, invite any further policy changes Spamhaus wants, and appeal the innocence of our customers on this subnet
03/13: Spamhaus sends an ambiguous message ("Please ask this organization to contact us directly.")
03/13: I email Spamhaus clarifying that I am representing the organization, and asking whether they mean for every customer to contact them, or for someone representing the company. I also appeal the innocence of our customers, cite our flawless record in complying with Spamhaus in the past, and detail the impact the listing is having on my customers who use this network for personal/business email.
03/15: I follow up, asking for a hopeful response so we can take action over the weekend
03/18: Spamhaus responds to one of our customers who uses the network for mail, calling us criminals (see below)
03/20: I become aware of this email
03/20: I email them again, cite how "no Spamhaus listings" has been AUP #1 since day 1, and demand that they explain their accusation and respond to my emails
03/20: Spamhaus finally tells me they want every listed customer to contact them, and that they will only remove the subnet listing when all IP address listings are removed
03/20: We give every listed customer 72 hours to contact Spamhaus to identify their traffic to them
03/23: We appeal each listing
03/24: Spamhaus delists each listing
03/24: We appeal the subnet listing, demand they describe their allegations above
03/24: Spamhaus lists one port scanning customer
03/24: Spamhaus denies the subnet delisting ("There are still open listings")
03/25: We suspend the server (sorry customer)
03/25: We request delisting for the 1 port scanning customer
03/25: We request delisting for the subnet again
03/25: Spamhaus delists the 1 port scanning customer
03/25: Spamhaus lists 1 server engaged in actual illegal activity
03/25: We suspend the server (not sorry)
03/25: We request delisting for this IP
03/27: Spamhaus delists, cites 3 IP addresses that are still port scanning, and gives a list of requirements for port scanning customers (website, opt-out process, contact info, etc.)
03/27: Spamhaus lists one of those 3, which is the SAME IP ADDRESS THAT WAS DELISTED ON 03/02
03/27: We give all customers 72 hours to comply with Spamhaus' requirements and contact Spamhaus with their details
03/29: One more of the 3 is listed
03/30: One customer contacts them, another doesn't want to and requests a refund, and one does not respond
03/30: All listed and unlisted port scanning customers are suspended after their contact falls through
03/30: We appeal both IP address listings
03/30: We appeal the subnet listing again
04/03: I follow up on both IP listings and the subnet listing
04/03: They decline to delist the 2 IP addresses because they need more information
04/03: I point out the information that was already in the delist request
04/03: They delist both IP addresses, yet they still have not responded to the subnet delist request

Wait a second, Spamhaus told our customer what?!

    Hello,

    You will need to contact your hosting service. You may want to rethink your hosting choice, since this block is hosting all sorts of illegal activities that may lead to your server ending up in the back of a Law Enforcement truck when they impound everything.

    Thank you,
    Spamhaus SBL Support Team

Spamhaus, don't fucking talk to my customers that way when you are purposefully ignoring my repeated emails to you. We have been nothing but immediate and professional with you, and you are ignoring us and talking shit behind our back. OvO is a professional group of sysadmins and programmers; is Spamhaus full of school children? We have bent over backwards to comply with your policies, even if it meant becoming complicit in your silencing of good-intentioned researchers. Our datacenter requires that we comply with Spamhaus policies, but their requirements predate your predatory and unprofessional policies.
We don't know why Spamhaus has decided to cause so much of an issue for our company in particular, but it is very clear from their actions that they are delaying the delisting as long as possible.

But Spamhaus' new aggression against researchers extends far beyond our company. Spamhaus' new policies are harming any legitimate hosting provider who either wants to or is forced to comply. As a result, the number of hosting providers which allow port scanning has significantly dwindled over the last month. Malicious actors have plenty of hosting providers to choose from who are outside of Spamhaus' reach. If hackers can still scan for vulnerable devices, but security researchers and anti-malware companies can't, then we have lost the ability to find out what's worth panicking about.

I hope you will share this story amongst your friends and coworkers, and encourage them to share their Spamhaus story. Only through speaking out will we be able to grasp the global impact of Spamhaus' aggression.