Why would Spamhaus continue to add an IP to the CSS when that IP hasn't sent email recently?

Solution 1:

Warning ahead for people experiencing similar issues: NEVER just request unblocking at any spam block list before you figure out what's going on. Those spam blocklists are almost always clever enough to not randomly block you. They may even tell you that additional unblock requests will incur a fee or not be possible at all if you unblock and then get listed again.

There are a number of rules about the CSS blocklist that are not published - intentionally - they do not want the spammers to avoid getting blocked by working around the rules.

One thing that is well known and published, however, is that the list contains at least /64 blocks for IPv6. That means they never block single /128 addresses; they always hit a full block at once. That, in turn, means that spam being sent by people in the same /64 block as you is getting you blocked as well.

If it was listing smaller blocks, the list would be

  • tremendously large (imagine the number of possible IPv6 addresses to keep track of) and
  • very easily circumvented by spammers (they could just use a fresh IP every time they were blocked).

The choice of using /64 blocks is roughly tracking what is common in the industry nowadays - one /64 usually is one customer. That equation was far from always the case 5 years ago - but afaik is the industry standard by now.

For a more detailed and weighed discussion of that decision, there is a lengthy statement about it on the Spamhaus site: the "Spamhaus IPv6 Blocklists Strategy Statement".

Possible solutions for your case:

a) Ask your hosting provider

Your hosting provider may or may not effortlessly offer to assign you a larger (at least /64) block (Linode FAQs mention adding IPs), as the assignment of your (smaller) block might very well have historic reasons only - the (so far, still only rough) consensus on using /64 per customer is only 2 years old and before that, many hosting providers just assigned whatever they deemed appropriate - with wildly differing outcomes. My experience: many hosting providers offered that change of prefix size to me without me even asking (couple years ago).

b) Change your hosting provider

If your hosting provider is unable to follow industry standards - and additionally unable to justify doing so (I don't assume there is a good explanation, IPv6 address space is not exactly scarce), question their motives. If the hosting provider intentionally assigns small IPv6 blocks - e.g. to make sure that legitimate and spam mail gets mixed up (that is what the Spamhaus folks are concerned with when they use terms like "snowshoe operations") - it's time to run.
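To check whether the /64 granularity described in the answer affects a given assignment, the following sketch (an added example, not part of the original answer) maps addresses to their /64 and reports which other senders fall in the same block. The prefix and sender addresses are constructed from the 2001:db8::/32 documentation range, and the function names are hypothetical.

```python
import ipaddress

LISTING_PREFIXLEN = 64  # listing granularity for IPv6 as stated in the answer


def listing_block(address):
    """Return the /64 network that a single IPv6 address falls into."""
    return ipaddress.ip_network(f"{address}/{LISTING_PREFIXLEN}", strict=False)


def assignment_is_exclusive(assigned_prefix):
    """True if the assignment covers whole /64s, so no other customer shares one."""
    return ipaddress.IPv6Network(assigned_prefix).prefixlen <= LISTING_PREFIXLEN


def neighbours_sharing_listing(assigned_prefix, observed_senders):
    """List observed senders outside the assignment but inside its /64.

    Mail sent from any of these would land in the same listed block.
    """
    assigned = ipaddress.IPv6Network(assigned_prefix)
    if assigned.prefixlen <= LISTING_PREFIXLEN:
        return []  # the whole /64 (or more) belongs to this customer
    block = assigned.supernet(new_prefix=LISTING_PREFIXLEN)
    hits = sorted(
        ip
        for ip in map(ipaddress.IPv6Address, observed_senders)
        if ip in block and ip not in assigned
    )
    return [str(ip) for ip in hits]


# Constructed sample data: a provider handing out a /124 inside a shared /64.
ASSIGNED = "2001:db8:1234:5678::a0/124"
OBSERVED = [
    "2001:db8:1234:5678::a5",      # inside the assignment
    "2001:db8:1234:5678::b1",      # another customer, same /64
    "2001:db8:1234:5678:ffff::1",  # another customer, same /64
    "2001:db8:1234:5679::1",       # different /64, unaffected
]

if __name__ == "__main__":
    print("listing block:", listing_block("2001:db8:1234:5678::a5"))
    print("exclusive /64:", assignment_is_exclusive(ASSIGNED))
    for ip in neighbours_sharing_listing(ASSIGNED, OBSERVED):
        print("shares listing with:", ip)
```

If `assignment_is_exclusive` returns False for the prefix your provider gave you, options a) and b) above are the ones that apply.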