Description
This article is part of the series on undesired email (spam, phishing, viruses, etc.). The material covers the Poisons and the Remedies.
Anti-SPAM Techniques: Black Listing (RBL)
By Stas Bekman.
Another approach to filtering undesired email is to use blacklists, known as RBLs (Realtime Blackhole Lists). An RBL is maintained by system administrators who, using various spam detection tools, report badly behaving IP addresses (e.g. open relays, hosts that were detected sending undesired email, hosts with no registered DNS record, etc.). This information goes into a central database, which is then shared with those who want to use it. So rather than trying to filter each email separately, all email coming from a blacklisted IP is rejected as soon as the connection is established.
There are many RBLs available. Some are more aggressive (blocking whole net blocks), whereas others are more flexible. One way to deal with false positives here is to query several RBLs and then make a decision based on whether they all agree or not.
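The lookup and the agreement rule described above, as an added example that is not part of the original article: a DNSBL is queried by reversing the connecting IPv4 address's octets under the list's DNS zone, an A record in 127.0.0.0/8 means "listed", and the connection is refused only when enough lists concur. The zone names are placeholders and the DNS answers are constructed samples so the code runs offline; swap in system_resolver for live lookups.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Placeholder zones: substitute the DNSBL zones you are entitled to query.
ZONES = ("rbl-a.example.net", "rbl-b.example.net", "rbl-c.example.net")
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBL "listed" answers live here

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Lookup name = the client's IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name: str) -> Optional[str]:
    """Live lookup with the stock resolver; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(answer: Optional[str]) -> bool:
    """Only an A record inside 127.0.0.0/8 is a listing; a public address here
    usually means a resolver that wildcards NXDOMAIN, so count it as not listed."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ipaddress.AddressValueError:
        return False

def check_ip(ip: str, zones: Iterable[str],
             resolve: Callable[[str], Optional[str]] = system_resolver) -> Dict[str, bool]:
    """Query each zone once for the connecting IP and return {zone: listed}.
    Private, loopback and other non-global addresses are never sent to a DNSBL."""
    if not ipaddress.IPv4Address(ip).is_global:
        return {}
    return {zone: is_listed(resolve(dnsbl_query_name(ip, zone))) for zone in zones}

def should_reject(hits: Dict[str, bool], min_agreeing: int = 2) -> bool:
    """The article's agreement rule: refuse the connection only when at least
    min_agreeing lists concur, so one list's false positive cannot block alone."""
    return sum(hits.values()) >= min_agreeing

# Constructed sample answers standing in for live DNS, so the example runs offline.
SAMPLE_ANSWERS = {
    "4.3.2.1.rbl-a.example.net": "127.0.0.2",  # 1.2.3.4: listed by two lists
    "4.3.2.1.rbl-b.example.net": "127.0.0.4",
    "9.8.7.6.rbl-a.example.net": "127.0.0.2",  # 6.7.8.9: one list only -> accept
}
sample_resolver = SAMPLE_ANSWERS.get  # drop-in for system_resolver when testing
```

A real deployment would also cache answers per client IP, since repeated lookups of the same address are what triggers the query throttling mentioned below.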
Most RBLs are free for moderate usage; however, if you issue too many queries in a short period of time you may get throttled by the service provider. If you pay them, they will provide you unlimited access.
IMHO
This is a very good approach, as it requires almost no resources from the receiving system, since the rejection happens before any data is received. The main problem is that sometimes a legitimate IP is reported and legitimate traffic can't make it through. Usually the reason for this is that someone has sent SPAM mail from that IP, hurting all the other users who also use that domain.
Blacklisting Providers
Here are some vendors providing Black Lists (including open-source solutions):
- Spam and Open Relay Blocking System (SORBS) (http://www.us.sorbs.net/) (Free) tracks dynamically assigned and spamming IPs (separately).
- rfc-ignorant.org (http://www.rfc-ignorant.org/) (Free) is the clearinghouse for sites who think that the rules of the internet don't apply to them.
- Spam Prevention Early Warning System (SPEWS) (http://www.spews.org/) (Free) maintains a list of known spam sources and spam-friendly hosts so that e-mail can be rejected from these problem sites.
- ORDB (http://www.ordb.org/), the Open Relay DataBase.
- MAPS Relay Spam Stopper (RSS) (http://www.mail-abuse.com/) (Free and Commercial) (now owned by Trend Micro (http://www.trendmicro.com/)).
- Spamhaus (http://www.spamhaus.org/) (Commercial) tracks the Internet's spammers, spam gangs and spam services, provides dependable realtime anti-spam protection for Internet networks, and works with law enforcement to identify and pursue spammers worldwide. It also provides a list of known SPAM operators.
- The SpamCop Blocking List (SCBL) (http://www.spamcop.net/) (Free) lists IP addresses which have transmitted reported email to SpamCop users. SpamCop, service providers and individual users then use the SCBL to block and filter unwanted email. The SCBL is a fast and automatic list of sites sending reported mail, fueled by a number of sources, including automated reports and SpamCop user submissions. The SCBL is time-based, resulting in quick and automatic delisting of these sites when reports stop.
- NJABL.ORG, Not Just Another Bogus List (http://www.njabl.org/) (Free), maintains a list of known and potential spam sources (open relays, open proxies, open form-to-mail HTTP gateways, dynamic IP pools, and direct spammers) for the purpose of being able to tag or refuse email and prevent at least some spam.
- Composite Blocking List (CBL) (http://cbl.abuseat.org/) (Free) takes its source data from very large spamtraps, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc.) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, without doing open proxy tests of any kind. The CBL does not list open SMTP relays.
Please notify me if you know of others.
Vendors
Here are some vendors providing support for Black Lists (including open-source solutions):
- Kaspersky Internet Security (http://www.kaspersky.com) (Commercial) and its other products.
- SpamAssassin (http://spamassassin.apache.org/) (OSS) is a mail filter which attempts to identify spam using a variety of mechanisms including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.
- MailChannels' TrafficControl (Commercial) supports black lists.
- SpamPal (http://spampal.org/) (Free) is a mail classification program that can help separate your spam from the mail you really want to read. It runs only on Windows.
- CipherTrust (http://www.ciphertrust.com/) (Commercial) inbound/outbound protection.
Please notify me if you know of others.
Related Links
And here are some pointers for additional information on the subject:
- Are you on an Email Blacklist? (http://multirbl.valli.org/) A free multiple DNSBL (DNS BlackList aka RBL) lookup and FCrDNS (Forward Confirmed reverse DNS) check tool.
- Blacklists Compared (http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html) The conclusion is that one shouldn't use the survey to decide which one is better, hmmm...
- Dotcomeon.com (http://www.dotcomeon.com/) An argument against using MAPS, encouraging ISPs to individually control spam instead of relying on central services.
- Spam blocking on DNS blacklist criteria alone (http://www.info-world.com/spam.diagnosis/) Blocking emails relying on a single DNS blacklist criterion alone is not recommended by blacklist operators, as it leads to errors and chaos in email communication.
- Can DNS-Based Blacklists Keep Up with Bots? (http://www.cc.gatech.edu/~avr/publications/ceas2006.pdf) This paper (pdf) presents a preliminary evaluation of the responsiveness of blacklists for a specific set of spamming IP addresses that are known to come from a spamming botnet that spreads via the "Bobax" vulnerability.
Continue reading about other Remedies or jump to the email-related Poisons section.