Blocked on SPFBL by spammers
SPFBL is a remote blacklist designed to store information about known spammers and distribute this information to its customers via DNS.
Interestingly, it appears that spammers are also using SPFBL against legitimate mail servers.
In our case, spammers operating from vinhedo.nuvemidc.com (client=vinhedo.nuvemidc.com[179.127.30.78]) attempted to send us spam email from the address contato@goomarketing.com.br.
Some investigation:
$ dig MX goomarketing.com.br +short
0 _dc-mx.910d187fe7de.goomarketing.com.br.
$ dig _dc-mx.910d187fe7de.goomarketing.com.br. +short
179.127.30.78
$ dig -x 179.127.30.78 +short
vinhedo.nuvemidc.com.
Ironically, when they failed to deliver their spam via our mail server (thanks to greylisting), they blocked the IP address of our mail server on SPFBL. While SPFBL allowed us to unblock/delist it (SPFBL delist), it’s concerning that they let obvious spammers block our clearly legitimate server.
The domain of the spamming mail server is registered via the privacy-focused registrar DomainsByProxy. While domain privacy is very important for people like journalists, whistleblowers etc., it seems less acceptable for mail servers.
$ whois nuvemidc.com | grep Registrant | grep Proxy
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Although it’s evident that the IP address 179.127.30.78 and the domains nuvemidc.com and goomarketing.com.br should be blacklisted, this alone might not be sufficient. It seems that it might be a good idea to ban every domain registered via Domains By Proxy. While it’s not practical to run a whois query every time someone tries to send us an email, we can do this retroactively by maintaining our own RBL.
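One way to build such an RBL retroactively from mail logs, as an added example that is not from the original post: it extracts the client=host[ip] pairs, runs one whois lookup per domain, and emits DNSBL A records for hosts whose registrant is Domains By Proxy. The zone name rbl.example.org, the sample log lines and the canned WHOIS replies are constructed, and the two-label suffix set is a simplification.

```python
import re
import subprocess

# Postfix-style "client=host[ip]" token, as quoted in the post.
CLIENT_RE = re.compile(r"client=([A-Za-z0-9._-]+)\[(\d{1,3}(?:\.\d{1,3}){3})\]")
TWO_LABEL_SUFFIXES = {"com.br"}  # simplification; use the Public Suffix List in practice
# Constructed sample input: log lines and canned WHOIS replies for an offline run.
SAMPLE_LOG = [
    "postfix/smtpd[101]: 4A1B2C: client=vinhedo.nuvemidc.com[179.127.30.78]",
    "postfix/smtpd[102]: 4A1B2D: client=vinhedo.nuvemidc.com[179.127.30.78]",
    "postfix/smtpd[103]: 4A1B2E: client=mail.example.org[192.0.2.10]",
    "postfix/smtpd[104]: 4A1B2F: client=unknown[198.51.100.7]",
]
SAMPLE_WHOIS = {"nuvemidc.com": "Registrant Organization: Domains By Proxy, LLC\n",
                "example.org": "Registrant Organization: Example Org\n"}

def registrable_domain(host):
    """Reduce a client hostname to the domain to ask whois about (None if too short)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:]) if len(labels) >= n else None

def run_whois(domain):
    """Live lookup through the system whois client, the tool used in the post."""
    return subprocess.run(["whois", domain], capture_output=True, text=True, timeout=30).stdout

def is_proxy_registered(whois_text):
    """True if a Registrant line names Domains By Proxy."""
    return any(l.strip().lower().startswith("registrant") and "domains by proxy" in l.lower()
               for l in whois_text.splitlines())

def build_rbl(log_lines, zone, whois=run_whois):
    """Return DNSBL A records for client IPs whose domain is proxy-registered."""
    verdicts, listed = {}, set()  # verdicts caches one whois answer per domain
    for line in log_lines:
        m = CLIENT_RE.search(line)
        domain = registrable_domain(m.group(1)) if m else None
        if domain is None:
            continue  # no client token, or no usable hostname such as "unknown"
        if domain not in verdicts:
            verdicts[domain] = is_proxy_registered(whois(domain))
        if verdicts[domain]:
            listed.add(m.group(2))
    return [f"{'.'.join(reversed(ip.split('.')))}.{zone}. IN A 127.0.0.2" for ip in sorted(listed)]

if __name__ == "__main__":
    # rbl.example.org is a placeholder zone name.
    print("\n".join(build_rbl(SAMPLE_LOG, "rbl.example.org", whois=SAMPLE_WHOIS.__getitem__)))
```

Calling build_rbl without the whois argument performs live lookups through the system whois client, one per distinct domain seen in the log.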