This document describes policies for the Abusive Hosts Blocking List.
All correspondence with the AHBL and its staff members is considered a matter of record. We do not consider any correspondence to be confidential unless there is mutual agreement to conduct confidential communications.
We reserve the right to archive, publicly display, publish, and/or repost any correspondence or communication with us or with any staff member, including, but not limited to:
It is our policy that messages and other communications of a threatening nature are to be publicly posted.
This is a draft policy, and while it reflects our longstanding practice, it remains a draft and not official policy.
Open Relay (Response: 127.0.0.2)
This IP address is listed because it is an open SMTP relay - either a single relay, or a multi-stage relay. An open SMTP relay means that a third party can send e-mail through the server on that IP address without authorization (to spam, for example).
Open Proxy (Response: 127.0.0.3)
This IP address is listed because it is an open proxy (SOCKS4/5, HTTP-Connect, and others). An open proxy means that a third party can access the server and hide their true identity and masquerade as the server they connected to. The most common use for open proxies is to spam while hiding where the spam is actually coming from.
Spam Source (Response: 127.0.0.4)
This IP address is listed because it is either sending spam, 419 scams, or other illegal content, or is on a netblock that is infested with spammers (and the provider refuses to deal with the customer in question). While we do have single IP addresses listed, we more commonly list /24 netblocks and larger.
Provisional Spam Source Listing Block (Response: 127.0.0.5)
This IP address is listed because it was seen sending spam, 419 scams, viruses/trojans (which could be used to spam), or other illegal content, and investigation is in progress. If the abusive activity stops, the listing will be removed. However, once the investigation is complete, the IP will be moved to another category.
Formmail Spam (Response: 127.0.0.6)
This IP address is listed because the web server is running an insecure script on one of its websites. This insecure script is allowing spam, 419 scams, or other illegal content to be sent through the server unrestricted.
Spam Support (Response: 127.0.0.7)
This IP address is listed because the provider, which owns the netblock, is either acting as a front for spammers (e.g., WholeSaleBandwidth), completely ignoring spam/abuse reports, providing support services for the spammers (DNS, websites, etc.), or has a contract to not terminate the spammer for their actions.
Spam Support Indirect (Response: 127.0.0.8)
This is the same as the Spam Support category, but is for situations where an upstream provider refuses to deal with a customer whose customer is spamming.
End User (Response: 127.0.0.9)
This IP address is an end user system which should not be sending e-mail. This is not a DUL type list, but rather for providers who wish to have their dynamic IP space or end user IP space that should not be sending spam listed to prevent spam/abuse.
Shoot On Sight (Response: 127.0.0.10)
This IP address is listed for one of several reasons. The provider, individual, or company did one of the following:
* Cart00ney threats made towards the AHBL, SOSDG, other blacklists, and spam fighters.
* Attempted and unsuccessful legal attacks against the AHBL, SOSDG, other blacklists, and spam fighters.
* Promotes, supports, or incites attacks against the AHBL, SOSDG, other blacklists, spam fighters, and others on the Internet.
The SOS listings are also known as the 'cart00ney listings'. Once a provider is in the SOS listings, there is normally no way to have the IP space delisted. However, we do make exceptions to this policy under certain situations.
Please note that SOS listings are considered 'sticky', meaning that they will follow the person/individual/company/ISP being listed no matter where they go, or if they change IP space.
Non-RFC Compliant - No abuse or postmaster (Response: 127.0.0.11)
This IP address is listed because the server does not have a proper abuse@ or postmaster@ contact for their mail system.
Does not properly handle 5xx errors (Response: 127.0.0.12)
This IP address is listed because the mail server on it does not properly handle 5xx errors (i.e., GO AWAY/permanent errors). This means that the mail server keeps trying to blast many e-mails in a short amount of time to non-existent addresses or to accounts which have this host blocked, even after being told it is not getting through or the user does not exist.
Other Non-RFC Compliant (Response: 127.0.0.13)
This IP address is listed because the mail server on it does not follow accepted standards set forth in RFCs. This is a generic listing that covers anything not covered in the other non-RFC compliant listings.
Compromised System (Response: 127.0.0.14-127.0.0.18)
These are various categories that cover systems infected by DDoS drones, trojans, viruses, or malware/ratware that is used for spamming.
Other (Response: 127.0.0.127)
This IP address is listed for reasons other than those stated above.
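The response codes listed above, as a mail filter would consume them. This is an added example, not AHBL code: the zone name is a placeholder because the page does not give one, and the function names are illustrative. Only the documented codes count as a listing, so an unexpected answer is logged rather than used to reject mail.

```python
import ipaddress
import socket

# Last octet of the 127.0.0.x response -> category, as listed on this page.
CATEGORIES = {
    2: "Open Relay", 3: "Open Proxy", 4: "Spam Source",
    5: "Provisional Spam Source Listing Block", 6: "Formmail Spam",
    7: "Spam Support", 8: "Spam Support Indirect", 9: "End User",
    10: "Shoot On Sight", 11: "Non-RFC Compliant - No abuse or postmaster",
    12: "Does not properly handle 5xx errors",
    13: "Other Non-RFC Compliant", 127: "Other",
}
CATEGORIES.update({n: "Compromised System" for n in range(14, 19)})

ZONE = "dnsbl.example.invalid"  # placeholder: the page does not name the zone
CODE_NET = ipaddress.ip_network("127.0.0.0/24")

def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone (standard DNSBL form)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Split A-record answers into (categories, unrecognised answers)."""
    listed, unknown = [], []
    for answer in answers:
        try:
            addr = ipaddress.IPv4Address(answer)
        except ValueError:
            unknown.append(answer)
            continue
        code = int(addr) & 0xFF
        # Anything outside the documented codes (a public address from a
        # parked zone, an unknown 127.0.0.x value) is not a listing.
        if addr in CODE_NET and code in CATEGORIES:
            listed.append(CATEGORIES[code])
        else:
            unknown.append(answer)
    return listed, unknown

def lookup(ip, zone=ZONE):
    """Live query (needs DNS); a failed resolution means 'not listed'."""
    try:
        answers = socket.gethostbyname_ex(query_name(ip, zone))[2]
    except (socket.gaierror, socket.herror):
        return [], []
    return classify(answers)
```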
How To Get Removed From The AHBL
How Not To Get Removed From The AHBL
When dealing with the SOSDG and AHBL, there are various ways to get things done, and various ways to make the situation worse. Here are some ways in which you can make the listing situation worse for yourself.
Legal Threats
Legal threats don't impress us, and rarely help your situation. We call these cart00nies. If you look to the navigation bar, you'll see a section of our website where we archive all of our cart00nies and other amusing e-mails. We also send copies of cart00nies to the NANAE usenet group for archival by various people (including Google Groups).
Demands
Demands don't help your case either. At best, we tend to ignore requests that state a demand, rather than a request. At worst, we will escalate listings where someone demands rather than requests removal, particularly if they are rude, obnoxious, or threatening.
Blocking The Tester
If you have an open proxy, open relay, open formmail script, or infected host, blocking our testing software will NOT get you removed. We test from various sources including dynamic IP dialups. If we determine that you are trying to tamper with the results of testing your server, the block will stay until we feel you have properly dealt with the problem.
Outright Lies
We aren't stupid. Don't lie to us about having terminated a spammer when in reality you moved them to another IP address or netblock. We monitor various usenet groups, SpamCop, and get information on known spammers and their supporters through the other DNSbl maintainers.
If we find out you are doing something like this, not only will we keep the existing block in place, but we will also list the new IP address and expand the listings to include other netblocks on your network as a measure to ensure that the abuse does not get through.
Calling The AHBL/SOSDG Administrators
This is perhaps the worst thing you can do. If you are being blocked, use our online form to request delisting. DO NOT CALL ANYONE UNLESS YOU HAVE PERMISSION FROM THEM DIRECTLY AHEAD OF TIME.
If you call, you will most likely either be hung up on or on the receiving end of a nasty response. Don't say we didn't warn you.
Unsolicited phone calls may be recorded and publicly archived.
Contacting Our Upstream Providers
Our upstream providers are not interested in hearing you complain to them about the fact we list your domain name or IP addresses in our DNSbl. The only thing you will accomplish is annoying them and making a fool out of yourself.
How removals are handled
Proxy removals are handled by an automated testing service that runs at random intervals of between 5 and 72 hours, and from different hosts.
All other removals are handled by an AHBL administrator, who will review the facts of the removal request and make a decision. As we are volunteers with limited time, removals can take several days, particularly if extensive investigation is required. Once a decision is made, you'll be notified via email.
Due to their nature, Shoot-on-sight listings are a special case, and have extensive requirements for removal, including minimum time frames and public apologies. Removals of shoot-on-sight listings may be vetoed by any AHBL administrator.