previous page: Anti-SPAM Techniques: Collaborative Content Filtering
page up: Anti-SPAM, Anti-Phishing and Anti-Viruses Techniques
next page: Anti-SPAM Techniques: Grey Listing

Anti-SPAM Techniques: Black Listing (RBL)


This article is a part of the series on undesired email (spam, phishing, viruses, etc.). The material covers the Poisons and the Remedies.

Anti-SPAM Techniques: Black Listing (RBL)

By Stas Bekman.

Another approach to undesired email filtering is to use black listings, known as RBL (Realtime Blackhole List). It's maintained by system administrators who, using various spam detection tools, report bad-behaving IP addresses (e.g. open relays or hosts that were detected to spend undesired email, have no registered DNS record, etc.). This information goes into a central database, and is then shared by those who want to use it. So rather than trying to filter each email separately, here all email coming from a blacklisted IP is rejected as soon as the connection is established.

There are many RBLs available. Some are more aggressive (blocking whole net blocks), whereas others are more flexible. One way to deal with false-positives here is to try to query several RBLs and then make a decision based on whether they all agree or not.

Most RBLs are free for moderate usage, however if you issue too many queries in a short period of time you may get throttled by the service provider. If you pay them, they will provide you an unlimited access.


This is a very good approach, as it requires almost no resources from the receiving system, since the rejection happens before any data is received. The main problem is that sometimes a legitimate IP is reported and legitimate traffic can't make it through. Usually the reason for this is that someone has sent SPAM mail from that IP hurting all other users who also use that domain.

BlackListing Providers

Here are some vendors providing Black Lists (including open-source solutions):


Spam and Open Relay Blocking System (SORBS) (http://www.us.sorbs.net/)
(Free) tracks dynamically assigned and spamming IPs (separately)

rfc-ignorant.org (http://www.rfc-ignorant.org/)
(Free) is the clearinghouse for sites who think that the rules of the internet don't apply to them.

Spam Prevention Early Warning System (SPEWS) (http://www.spews.org/)
(Free) maintains a list of known spam sources and spam friendly hosts so that e-mail can be rejected from these problem sites.

ORDB (http://www.ordb.org/)
the Open Relay DataBase

MAPS Relay Spam Stopper (RSS) (http://www.mail-abuse.com/)
(Free and Commercial) (now owned by Trend Micro (http://www.trendmicro.com/))

Spamhaus (http://www.spamhaus.org/)
(Commercial) tracks the Internet's Spammers, Spam Gangs and Spam Services, provides dependable realtime anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide. It also provides a list of known SPAM operators.

The SpamCop Blocking List (SCBL) (http://www.spamcop.net/)
(Free) lists IP addresses which have transmitted reported email to SpamCop users. SpamCop, service providers and individual users then use the SCBL to block and filter unwanted email. The SCBL is a fast and automatic list of sites sending reported mail, fueled by a number of sources, including automated reports and SpamCop user submissions. The SCBL is time-based, resulting in quick and automatic delisting of these sites when reports stop.

NJABL.ORG is Not Just Another Bogus List (http://www.njabl.org/)
(Free) maintains a list of known and potential spam sources (open relays, open proxies, open form to mail HTTP gateways, dynamic IP pools, and direct spammers) for the purpose of being able to tag or refuse email and prevent at least some spam.

Composite Blocking List (CBL) (http://cbl.abuseat.org/)
(Free) takes its source data from very large spamtraps, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, without doing open proxy tests of any kind. The CBL does not list open SMTP relays.



Please notify me if you know of others.


Here are some vendors providing support for Black Lists (including open-source solutions):

Kaspersky Internet Security (http://www.kaspersky.com)
(Commercial) and its other products.

SpamAssassin (http://spamassassin.apache.org/)
(OSS) - is a mail filter which attempts to identify spam using a variety of mechanisms including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

MailChannels' TrafficControl
(Commercial) supports black lists.

SpamPal (http://spampal.org/)
(Free) is a mail classification program that can help separate your spam from the mail you really want to read. It runs only on Windows.


CipherTrust (http://www.ciphertrust.com/)
(Commercial) inbound/outbound protection



Please notify me if you know of others.

Related Links

And here are some pointers for additional information on the subject:


Are you on an Email Blacklist? (http://multirbl.valli.org/)
A free multiple DNSBL (DNS BlackList aka RBL) lookup and FCrDNS (Forward Confirmed reverse DNS) check tool.

Blacklists Compared (http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html)
The conclusion is that one shouldn't use the survey to decide which one is better, hmmm...

Dotcomeon.com (http://www.dotcomeon.com/)
An argument against using MAPS, encouraging ISPs to individually control spam instead of relying on central services.

Spam blocking on DNS blacklist criteria alone (http://www.info-world.com/spam.diagnosis/)
Blocking emails relying on single DNS blacklist criteria alone is not recommended by blacklist operators, leading to errors and chaos in email communication.

Can DNS-Based Blacklists Keep Up with Bots? (http://www.cc.gatech.edu/~avr/publications/ceas2006.pdf)
This paper (pdf) presents a preliminary evaluation of the responsiveness of blacklists for a specific set of spamming IP addresses that are known to come from a spamming botnet that spreads via the "Bobax" vulnerability.



Continue reading about other Remedies or jump to the email-related Poisons section.

previous page: Anti-SPAM Techniques: Collaborative Content Filtering
page up: Anti-SPAM, Anti-Phishing and Anti-Viruses Techniques
next page: Anti-SPAM Techniques: Grey Listing