
About The Solid Clues Blacklist: Q&A

The Solid Clues Blacklist is published solely to disclose Solid Clues Consulting policy which may impede mail to Solid Clues Consulting addresses. There is no publicly disclosed DNS zone carrying this data and it would be extremely unwise for any other site to attempt to use this blacklist as it is. As a work generated by Solid Clues Consulting for internal use from proprietary data, this list is proprietary intellectual property and may not be copied or used without an explicit license. There is no standard licensing policy in place and there are no existing licensees.

Ramblings about the blacklist.

Note that freeform text covering the following issues used to be on the main list page, and I moved it here 9/6/03 to declutter that page. I have been editing it into a cleaner Q&A style over time...

Calling this a 'FAQ' would be a lie, since in fact none of the questions have been asked 'frequently' and some have never been asked at all, but are only being answered to save people from the trouble of asking. If you want to know more about the list that is not covered here or want to discuss a listing with me, read on for mechanisms to get around the blacklist.

Obvious Questions (and the best answers I have for them)

What does the listing of an address say about that address?

Very little.

The list is a statement of my opinion about a set of IP addresses based on both facts and subjective analysis. It says that in my opinion, the chance of there being legitimate email offered to a Solid Clues mail server from that IP address is low enough (usually infinitesimal) and the chance of it offering illegitimate mail (notably any unsolicited bulk email, including that sent by Windows worms) is high enough that prudence requires me to reject email from it which does not carry very strong signs of being desirable.

Who uses the Solid Clues Blacklist to control mail delivery and how?

As far as I know, it is in use only on Solid Clues mail servers to control inbound mail delivery. They are configured to reject all mail from listed addresses unless the mail is in some other way identifiable as desirable. To the best of my knowledge, no one whose mail is not handled by those mail servers uses the list in any automated way.

Who SHOULD use the Solid Clues Blacklist?

No one not mentioned in the prior question. The list is published to allow people whose mail is rejected as a result of a listing to figure out for themselves why their mail is rejected and perhaps provide clues on how to resolve the problem. It may also be used as a reference by people who have an interest in tracking email deliverability and spam control issues. It is NOT released to the public domain or published for general use as a blacklist. Any other site using it as a blacklist, even in a weighted score manner, is making a huge mistake. In addition, anyone running a mail server who attempts to pass responsibility for their blocking decisions onto me because they've decided to put in the work to misuse this list for their own server is acting irresponsibly and incompetently. Any mail systems issuing rejection messages pointing here are issuing lies and I can do nothing to modify their behavior. I offer no ready means of using the blacklist to the general public and anyone using the blacklist as source material for their own uses may be behaving illegally as well as stupidly.

Who is the "I" referred to in this document?

Hi, I'm Bill Cole. To the extent that it is run, I run Solid Clues Consulting. I've been fighting spam since 1993, before it was widely referred to as spam. I maintain the blacklist and everything associated with it. I have a lot of spam aimed at my addresses and at other scconsult.com addresses, so I take drastic measures to stop it. This list is a drastic measure.

What is Solid Clues Consulting?

See the home page.

What is the structure of the blacklist?

The blacklist is made up of entries. Each entry consists of an address range and sometimes a comment, with ; as the comment delimiter. Some comments include timestamps, typically of the form which one gets from the standard (ISO/IEC 9899:1990) date formatting string %Y%m%d%H%M%S. The timestamps generally reflect the moment of addition to the list. Some entries lack comments, some comments lack timestamps. In most cases the address range of an entry is intended to represent addresses under the control of one entity who has or should have the power to make the spam from those addresses stop.

SPECIAL CASES:

  1. 24/8 has been listed in its entirety here because the 67 individual entries for entities like AT&T, Comcast, Rogers, the late @Home, Armstrong Cable, Charter, RoadRunner, Cablevision/Optimum Online, Shaw, Eastlink, Fibertel, GCI, Adelphia, and so on were together covering the majority of 24/8, whose original purpose was to cover cable modems. In most cases, cable modem users should be sending their mail through their provider's mail servers. If you are a cable modem user and find your address here in the 24/8 block, it is not necessarily the case that your provider's network has been a source of spam aimed here, but the odds are pretty good: I've had spam arrive here from provider networks accounting for over 60% of 24/8, not counting the instances where other blacklists (notably the PDL, OPM, and CBL) have caught the spam. If you need an exception to a 24/8 listing, you can get one in exactly the same way as any other delisting.
  2. Much of APNIC space (202/7, 218/7, 220/7) is listed with APNIC as the sole unifying element. I am absolutely aware of the fact that APNIC can't stop the spam and that there are a lot of innocents in there. Just as with 24/8, the reality is that being in APNIC space is a very strong predictor for a machine sending no legitimate mail here. Using an IP on this list does not mean I think you are evil, rather that I doubt any legitimate mail will be coming here from your IP address. I'm open to evidence to the contrary.
  3. The same goes for much of LACNIC space, 200/7.
  4. Malware sources (mostly Swen from 2003-09 through 2004-04) are NOT a special case except as being especially problematic. The addresses listed as such have passed at least one and often MANY copies of some Microsoft garbageware worm to Solid Clues machines. I could not care less why they did so, but the fact that they did so indicates that the party responsible for the machine is grossly irresponsible. If you allow your mail servers to be used by people capable of sending such crap, it is YOUR responsibility to filter it. Malware source addresses will only be de-listed on the same terms as any others, including that they have to appear unlikely sources of future junk email. This means that if you allow users of Microsoft garbageware to pass mail through your machines, you should be filtering that mail for the sorts of malware common to MS systems.
  5. Virus bouncers/notifiers are, like worm sources, special in the sense that they are likely to have a tougher time qualifying for delisting. Machines listed as virus bouncers or notifiers appear to be mail systems with anti-viral software which either bounces infected messages to a sender address potentially invented by the malware they detect or sends a notice to would-be recipients of infected messages in lieu of the infected message. In both cases, there is no reason for this behavior other than to advertise AV software. Such machines will only be delisted if the administrators certify that they are no longer de facto spam sources and that any AV software on them either rejects mail with a reasonable code in SMTP or simply drops it after acceptance and scanning. In other words: no more AV messages will ever be sent to Solid Clues addresses under any circumstances. I tolerate my cats bringing me 'presents' because of their limited cerebral facilities, but I do not tolerate mail servers configured to do the same.
  6. There are various entries listing ranges that should never appear on the public Internet or on the Solid Clues local network. These are mostly marked as 'bogon' entries. They are nowhere near comprehensive, but rather reflect (mostly) tests of the list management software.
  7. A few addresses or ranges are listed because of the misbehavior or simply demonstrated anti-social nature of one person believed to be in de facto control of that address or range.
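The entry structure described above (an address range, an optional `;`-delimited comment, an optional `%Y%m%d%H%M%S` timestamp) can be read mechanically by someone checking why their own address is listed. The following is an added example, not the list's management software: the sample entries are constructed, and the short-prefix range syntax (`24/8`) is assumed from the notation used in the special cases, since the page does not show the list's exact range syntax.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample entries (not taken from the real list). The short-prefix
# CIDR form ("24/8") is an assumption based on the notation in the text above.
SAMPLE = """\
24/8 ; cable modem space 20030906121500
202/7 ; APNIC
192.0.2.0/24
198.51.100.7/32 ; worm source, no timestamp
"""

STAMP = re.compile(r"(?<!\d)(\d{14})(?!\d)")  # %Y%m%d%H%M%S is exactly 14 digits


def parse_entry(line):
    """Return (network, comment, added) for one entry, or None if no range."""
    range_part, _, comment = line.partition(";")  # ';' is the comment delimiter
    range_part, comment = range_part.strip(), comment.strip()
    if not range_part:
        return None
    addr, _, bits = range_part.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))  # "24" -> "24.0.0.0"
    network = ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)
    added = None
    match = STAMP.search(comment)
    if match:
        try:
            added = datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
        except ValueError:
            added = None  # 14 digits that do not form a valid date
    return network, comment or None, added


def lookup(ip, text=SAMPLE):
    """Return the most specific entry covering ip, or None if it is unlisted."""
    address = ipaddress.ip_address(ip)
    entries = filter(None, (parse_entry(line) for line in text.splitlines()))
    hits = [entry for entry in entries if address in entry[0]]
    return max(hits, key=lambda entry: entry[0].prefixlen, default=None)
```
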

Why are addresses added to the list?

Every address belongs to an entry. Every entry has some reason for inclusion in the list. Each entry's comment may hint at that reason or may simply be an expression of exasperation and disdain. Generally speaking, the reasons for entries all are some subset of one simple statement: I have been convinced by events that the listed addresses are far more likely to be sources of spam than to be sources of legitimate mail directed to Solid Clues addresses.

How can an address be removed from the list?

I remove addresses from the list if I conclude that they are highly unlikely to be sources of spam and are somewhat likely to be legitimate sources of mail for Solid Clues users. Note that this is not quite the perfect reverse of the listing basis. There are 2 issues involved: likelihood of addresses offering spam and likelihood of them offering legitimate mail. I have an open mind and will listen to arguments that an address sends legitimate mail to someplace, but unless it is clear to me that there is no reason to expect spam from that address and that legitimate mail may indeed be aimed here, I will not remove the address. Note that this is highly subjective, and in practice means pretty much that if you had legitimate mail bounced and the relevant address is not itself detectably a spam source, I'll delist it. You can send mail to me despite using a listed IP address by using this link, or if your mail is in a range that cannot even speak to my mail server, you can use this form.

I see datestamps over a decade old on entries! Don't entries ever expire?

There is NO automatic expiry process. From time to time I clean up the list by whatever criteria satisfy my current whims, on no particular schedule. The latest and largest cleanup, removing over 90% of all entries, was done 2017-05-17. Every entry surviving that purge has stopped spam here at some time since 2015. There is no plan for scheduling this sort of purge.

What about mixed-mail addresses?

Addresses which have been listed and which continue to offer spam or seem very likely to do so will not be delisted even if they are also sending legitimate mail. Users whose mail goes through such addresses can be given other means of getting around the listing by any Solid Clues user with whom they wish to exchange email.

How can a listing be appealed?

Any appeal for removal of address space from this list can be sent via postal mail or via email from some address that is not listed. Commercial senders of bulk mail may be required to pay for and assist with a policies and practices audit to have a listing appeal considered. Commercial mailers will need to be sending 100% fully verified opt-in mail for such an appeal to succeed.

How can someone appeal a listing if they can only mail through a listed address?

All domains using Solid Clues mail servers have complete and accurate domain registrations. The telephone numbers and postal addresses there are quite real and can be used to contact relevant and empowered parties. The contact email addresses for all of our domains are exempted from the blacklist. In addition, there are many freemail services from which mail is generally accepted here, although I cannot guarantee that such will always be true. There is also a sort of halfway application of the blacklist to the postmaster account: mail is accepted from listed addresses but goes to a special dump which is dredged through only on an irregular basis. There are also many exempt addresses including the one you get with this link. If your mail is in a range that cannot even speak to my mail server, you can use this form.

Why can't some addresses even see your mail server at all?

Particularly obnoxious networks that continue to attempt to send mail here despite blacklisting may be added to the access rules on our network devices which prevent those networks from contacting the mail server here. Single-address exemptions from those rules ARE NOT MADE and those rules are only removed where there is evidence that they are no longer needed. If you are on one of these networks (including much of Korea, China, Italy, and occasionally residential broadband networks in various places) your best bet in getting email to Solid Clues addresses is to find mail service on a competently managed network, although you can also use this form.

Why is the list more conservative about US ranges than non-US ranges?

This has been claimed by a couple of European correspondents. It seems to be open to debate objectively. However, I admit to an intent of greater specificity in US listings than in non-US listings for a very simple reason: Solid Clues receives very little legitimate mail from non-US sites. This is one of the reasons that this list is NOT licensed for general use at other sites. When spam is reported here from a non-US address I make an effort to include the LARGEST clearly common address space unless there is a record of legitimate mail here from that space. For US addresses, listings usually include the smallest SWIP'ed range for most providers and sometimes just a /24 or /32 if there's no SWIP record.

Will you delist a network whose operator is prevented by local law from making the spam from his network stop?

No.

Will you delist a network whose operator is prevented by a valid contract from making the spam from his network stop?

No.

Will you delist a network whose operator is prevented by corporate politics from making the spam from his network stop?

No.

Will you delist a network whose operator is prevented by criminal threats or extortion from making the spam from his network stop?

No.

Why are the previous 4 answers such absolute No's?

The list is not a statement about the intentions, ethics, legality, or personal courage of the users, operators, or owners of any network, but rather a statement of my opinion about the likelihood of various networks to send wanted or unwanted mail to Solid Clues addresses. The fact that a network operator cannot make the spam from his network stop is a good indication that the network belongs on this list.

Can a delisting be bought?

In theory, yes. No asking price has been set, but I believe that in theory I have a price for a delisting. That price would certainly not be a good deal for the listee, as it would have to be high enough to underwrite at least my immediate retirement, my daughter's future college tuition, and my disabled son's many long-term needs. Anyone seeking to buy a delisting should feel free to send me an offer, but should not bother to do so without planning to meet that baseline. Note that it is probably cheaper to create a situation where I will be eager to delist your address for free.

How can people not affiliated with Solid Clues use the list?

I'd rather you not.

If you insist, then there is little I can easily do to prevent it even though I DO NOT waive any right to try to stop you through both legal and technical means if I discover that you are using the list in some way that I deem worth stopping. As of 2005-08-04 the only way for anyone outside of the Solid Clues network to get a copy of the list is the web page. If you wish to avoid being seen as an attacker on my webserver as you work to keep a current copy of the list, you may wish to try to persuade me ahead of time that your use of the list is not evil or idiotic.