The issue of email service provider (ESP) customer domains being listed on Spamhaus, particularly tracking domains, is a common deliverability challenge. It often stems from the nature of how CNAMEs function in tracking and the potential for abuse, rather than a direct problem with the CNAME itself. When a customer's tracking domain, which is CNAME'd to an ESP's domain, gets blocklisted, it indicates underlying issues with the content or redirection practices associated with that domain. This can lead to significant email deliverability problems for the affected customers and, if widespread, can also impact the ESP's overall reputation.
Key findings
Nature of listing: Spamhaus listings for customer domains (e.g., in the DBL - Domain Blocklist) often occur when the landing pages behind tracking URLs are flagged for malicious activity like phishing or malware, even if the root domain itself appears blank.
Open redirections: A common cause for multiple customer domains getting listed is if the ESP's tracking system allows open redirections, where malicious actors can exploit the tracking domain to redirect to harmful external sites.
CNAME vs. redirection: While CNAMEs are used for tracking domains, the issue isn't the CNAME itself. The problem lies with the content or behavior of the ultimate destination URL that the tracking link resolves to. Spamhaus blocks the domain (or subdomain) that is facilitating access to problematic content.
Broad impact: If many customer domains across different industries and geographies are being listed, it strongly suggests a systemic problem within the ESP's platform, such as a vulnerability to abuse, rather than isolated sender issues.
New domain risk: Spamhaus's DBL is particularly sensitive to newly registered domains that exhibit suspicious activity, leading to quicker blocklisting for emerging threats.
Compromised sites: Phishing destinations often reside on compromised websites, such as vulnerable WordPress installations, not necessarily on blank root domains.
Key considerations
Investigate landing pages: ESPs and their customers must thoroughly check all landing page URLs linked via tracking domains, not just the root domain, to identify the malicious content. Spamhaus's checker provides reasons for listing, which can offer clues.
Secure redirections: ESPs should implement strict security measures to prevent open redirections and ensure that tracking domains are not exploitable for illicit purposes. This is a critical step for preventing widespread blocklisting of customer domains.
Proactive monitoring: Regular blocklist monitoring for both ESP and customer domains is essential to detect and remediate listings quickly. Tools can help identify which specific domains are affected.
Communication with Spamhaus: Once the underlying issue is resolved (e.g., removing malicious content or patching vulnerabilities), the ESP or domain owner can initiate a delisting request with Spamhaus. Providing detailed information on the remediation steps is crucial.
ESP responsibility: ESPs must take responsibility for securing their tracking infrastructure to prevent abuse. This includes vetting customer content, monitoring for phishing, and ensuring their systems don't inadvertently facilitate malicious activity, which can lead to widespread Spamhaus blocklistings for their clients.
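One way to close the open redirect described under "Secure redirections" is to have the tracking endpoint honour only destinations the platform itself signed at send time. The sketch below is an added example, not code from any ESP; the key, the hostname click.customer.example and the parameter names c, u and s are assumptions.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: key, hostname and parameter names are assumptions.
SIGNING_KEY = b"constructed-demo-key"
TRACKING_HOST = "click.customer.example"


def sign(customer_id: str, dest: str) -> str:
    """MAC over customer and destination so neither can be swapped later."""
    msg = f"{customer_id}\n{dest}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def build_tracking_link(customer_id: str, dest: str) -> str:
    """Minted at send time, after the destination has passed content vetting."""
    query = urlencode({"c": customer_id, "u": dest, "s": sign(customer_id, dest)})
    return f"https://{TRACKING_HOST}/r?{query}"


def resolve_open(link: str) -> str:
    """Weak form: redirects to whatever 'u' contains (an open redirect)."""
    return parse_qs(urlsplit(link).query)["u"][0]


def resolve_signed(link: str) -> Optional[str]:
    """Hardened form: redirect only for links this platform minted."""
    q = parse_qs(urlsplit(link).query)
    try:
        customer_id, dest, sig = q["c"][0], q["u"][0], q["s"][0]
    except KeyError:
        return None  # missing parameter: show an error page, never redirect
    expected = sign(customer_id, dest)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # destination or customer changed after the link was minted
    target = urlsplit(dest)
    if target.scheme not in ("http", "https") or not target.hostname:
        return None  # refuse javascript:, data: and scheme-less targets
    return dest
```

With the signed form, a link whose destination was edited after sending no longer redirects, so the customer's tracking domain stops vouching for URLs the platform never vetted.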
Email marketers often find themselves caught in the crossfire when their ESP's tracking domains or their own CNAME'd domains get listed on blocklists like Spamhaus. This can be particularly frustrating because the issue might not stem from their direct email sending practices but from vulnerabilities in the ESP's infrastructure or the exploitation of tracking mechanisms. Marketers typically focus on understanding the root cause, distinguishing between their own content issues and broader ESP-related problems, and seeking solutions that ensure their campaigns reach the inbox without interruption.
Key opinions
Confusion over CNAME function: Many marketers initially misunderstand that a CNAME itself isn't a redirection. The real problem often lies with the destination URL or landing page that the tracking domain points to, especially if exploited by phishers.
Impact on deliverability: A Spamhaus blocklist (or blacklist) can severely impact email deliverability, causing emails to be blocked or sent to spam folders, even if the sending content is legitimate. This is a significant concern for campaign performance.
Systemic vs. individual issues: If multiple customer domains of an ESP are listed, regardless of their industry or geography, marketers suspect a systemic issue with the ESP's platform, such as open redirect vulnerabilities, rather than individual spamming behavior.
ESP responsibility: There's a strong sentiment that ESPs, given their expertise and control over the tracking infrastructure, should be proactive in preventing and resolving these blocklisting issues, including securing against open redirections.
Key considerations
Thorough investigation: Marketers need to investigate beyond the CNAME to identify the actual URL causing the blocklist. Even blank root domains can be listed if sub-paths are hosting malicious content.
Collaborate with ESP: Engaging with the ESP is crucial. Most ESPs have experience with Spamhaus and can guide customers through the delisting process, or take direct action if the issue is with their shared infrastructure. This often involves steps detailed in blocklist removal guides.
Monitor domain reputation: Continuously monitoring the reputation of their sending domains and tracking domains is vital. Tools that provide domain reputation metrics can offer early warnings.
Preventing future issues: If the problem is an open redirect vulnerability, marketers should push their ESP to close this loophole. This proactive measure prevents future blocklistings for themselves and other customers. Mailgun's blog suggests steps for getting off and staying off blocklists.
Marketer view
Marketer from Email Geeks explains that when their customer domains are listed on Spamhaus, even when CNAMEd to their ESP's domain, it points to a deeper issue beyond simple email content.
10 Dec 2021 - Email Geeks
Marketer view
Marketer from Email Geeks suggests that a CNAME is not a redirection, and the actual landing page linked by the tracking URL is likely the one being blocklisted.
10 Dec 2021 - Email Geeks
What the experts say
Experts in email deliverability recognize that blocklistings of ESP customer domains by Spamhaus are often symptomatic of deeper technical or policy issues within the ESP's infrastructure. These issues frequently revolve around the management of tracking domains, redirects, and the prevention of phishing or other forms of abuse. The consensus among experts is that while CNAMEs are a standard mechanism, their implementation needs rigorous security to prevent them from becoming vectors for spam and malicious activity. Resolution requires a multi-faceted approach, combining technical remediation with proactive monitoring and adherence to best practices.
Key opinions
Redirection vulnerability: The primary concern isn't the CNAME itself, but rather the potential for open redirection vulnerabilities on the ESP's platform, which allow malicious actors to point tracking domains to spam or phishing sites.
Content, not just domain: Blocklists like Spamhaus DBL target the actual content or behavior found at the resolved URL of the tracking link, not merely the CNAME record. This often includes content deeply nested within a domain's path.
Systemic risk for ESPs: If many customer tracking domains are listed, it signifies a systemic issue (e.g., poor abuse prevention, compromised platform) that the ESP needs to urgently address to protect its overall reputation and that of its clients.
New domain sensitivity: Spamhaus (and other blocklists) are often very quick to list new domains if they are involved in suspicious activity, making it harder for spammers to quickly pivot to fresh domains.
Key considerations
Proactive security measures: ESPs must implement robust security practices to prevent their tracking infrastructure from being exploited for phishing or spam. This includes continuous scanning of linked content and closing open redirect vulnerabilities.
Domain and IP reputation management: ESPs should actively monitor their own IP and domain reputation, as well as their customers' tracking domains, using services that provide detailed blocklist information to identify issues promptly. See our guide on what happens when your domain is blocklisted.
Remediation and delisting: Once malicious content or vulnerabilities are addressed, initiating the delisting process with Spamhaus is critical. This requires clear communication of the steps taken to resolve the issue.
Customer education: ESPs should educate their customers on best practices to avoid linking to malicious content or compromised websites, ensuring that all linked URLs are safe and legitimate.
Expert view
Expert from Email Geeks suggests that the core problem with customer domains being listed on Spamhaus isn't the CNAME itself, but rather the underlying landing page or URL that the CNAME redirects to, which is likely compromised or malicious.
10 Dec 2021 - Email Geeks
Expert view
Expert from Email Geeks highlights that open redirection vulnerabilities within an ESP's tracking setup are a significant cause of domain blocklistings, as they allow phishers to exploit legitimate tracking URLs.
10 Dec 2021 - Email Geeks
What the documentation says
Official documentation and research on blocklists like Spamhaus consistently detail the criteria and mechanisms for listing domains and IPs. They emphasize that listings are based on evidence of spamming, phishing, malware hosting, or other abusive activities. For domains, especially tracking domains used by ESPs, the focus is often on the reputation of the content resolved through those domains rather than the CNAME record itself. Documentation highlights the importance of timely detection, thorough investigation, and proper remediation steps to achieve delisting and prevent future occurrences.
Key findings
Domain Blocklist (DBL) focus: Spamhaus's DBL specifically lists domain names that appear in spam or are associated with spamming activities, including those used in phishing or malware distribution.
Evidence-based listing: Listings are typically triggered by direct evidence of abuse, such as spam trap hits, reports from network operators, or automated detection of malicious content or redirects.
ZEN combined blocklist: Spamhaus ZEN is a combined blocklist that includes various sub-lists (like SBL, XBL, PBL, DBL), offering a comprehensive protection mechanism that covers both IP addresses and domains associated with threats.
Delisting requirements: Delisting from Spamhaus requires proving that the source of the problematic activity has been identified and completely remediated, with a commitment to preventing future recurrences.
Key considerations
Direct communication channels: Spamhaus provides a checker tool (check.spamhaus.org) to verify listings and often directs users to their network or hosting provider for remediation, as those providers are typically responsible for the IP addresses and underlying infrastructure. More detail can be found in the guide on how to get delisted.
Understanding listing reasons: When a domain is listed, it is crucial to understand the specific reason provided by Spamhaus. This diagnostic information is key to identifying the precise issue, whether it's related to spam traps, phishing, or other abuse types. Our guide on Spamhaus listings and spam traps offers further insight.
Prevention via policy: To avoid future listings, entities (especially ESPs) must enforce strict acceptable use policies and deploy technical measures to detect and prevent spam, phishing, and malware originating from or redirecting through their systems.
Ongoing vigilance: The nature of online threats means that prevention and monitoring must be continuous. Listings can recur if underlying vulnerabilities are not permanently addressed.
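For the monitoring and "listing reasons" points above, the DBL can also be queried over DNS, and the return code says why a domain is listed. The sketch below is an added example, not part of the original page or of any Spamhaus tool; the customer hostnames and sample answers are constructed, and the code descriptions paraphrase Spamhaus's published DBL return codes.

```python
import socket
from typing import Callable, Dict, Iterable, Optional

DBL_ZONE = "dbl.spamhaus.org"
# DBL return codes as published by Spamhaus (descriptions paraphrased).
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phishing domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legitimate domain: spam",
    "127.0.1.103": "abused redirector domain",
    "127.0.1.104": "abused legitimate domain: phishing",
    "127.0.1.105": "abused legitimate domain: malware",
    "127.0.1.106": "abused legitimate domain: botnet C&C",
}


def dns_lookup(name: str) -> Optional[str]:
    """Live lookup; NXDOMAIN and resolution failures come back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dbl(domain: str, resolve: Callable[[str], Optional[str]] = dns_lookup) -> str:
    """Classify one tracking domain from its DBL answer."""
    answer = resolve(f"{domain.rstrip('.').lower()}.{DBL_ZONE}")
    if answer is None:
        return "not listed"
    if answer.startswith("127.255.255."):
        # Error range (e.g. query sent through a public resolver), not a listing.
        return "query error, not a listing"
    return DBL_CODES.get(answer, f"listed (unrecognised code {answer})")


def sweep(domains: Iterable[str], resolve=dns_lookup) -> Dict[str, str]:
    """Return only the domains that need attention, with the reason."""
    results = {d: check_dbl(d, resolve) for d in domains}
    return {d: r for d, r in results.items() if r != "not listed"}


# Constructed answers standing in for DNS, so the example runs offline.
SAMPLE_ANSWERS = {
    "track.customer-a.example.dbl.spamhaus.org": "127.0.1.4",
    "links.customer-b.example.dbl.spamhaus.org": "127.0.1.103",
    "click.customer-c.example.dbl.spamhaus.org": "127.255.255.254",
}
```

Passing `SAMPLE_ANSWERS.get` as `resolve` runs the sweep without network access. An answer in the 127.255.255.x range must be handled as a failed query, otherwise a monitoring job behind a public resolver reports every customer domain as listed.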
Technical article
Documentation from Email on Acid details that getting listed on Spamhaus's SBL (Spamhaus Blocklist) requires a request from your Internet Service Provider (ISP) or the organization that owns the IP address in question for remediation.
12 Dec 2022 - Email on Acid
Technical article
The Email on Acid documentation clarifies that Spamhaus lists domains based on identified abuse. This means if a tracking domain leads to a problematic landing page, the domain itself becomes the target of the blocklist, regardless of the ESP's root domain.