Server-side spam protection using RBLs (Realtime Blackhole Lists)

One of the most effective ways to keep spam out of your users’ inboxes is to reject, from the start, all email sent by compromised SMTP servers or known open relays. This is done by checking the sender’s IP / domain against RBLs (Realtime Blackhole Lists).

In this post I will present some of the most popular RBL / DNSBL services (free and commercial) as well as things to consider when using an RBL service.

Spam and Open Relay Blocking System (SORBS)
The SORBS DNSBL was born in November 2002. It was felt that by publicising a list of compromised hosts, the ever-increasing flow of spam through those hosts could be stopped. On January 6, 2003, the SORBS DNSBL was officially launched to the public. SORBS provides detailed configuration tutorials for the most common mailservers.

MAPS Relay Spam Stopper (RSS), acquired by TrendMicro and rebranded as Email Reputation Services.

The Spamhaus Block List
The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.
The Spamhaus Block List ("SBL") can be used by almost all modern mail servers, by setting your mail server’s anti-spam DNSBL feature (sometimes called "Blacklist DNS Servers" or "RBL servers") to query sbl.spamhaus.org.

NJABL
njabl.org maintains a list of known and potential spam sources (open relays, open proxies, open form to mail HTTP gateways, dynamic IP pools, and direct spammers) for the purpose of being able to tag or refuse email and prevent at least some spam. Here are the details on how to use njabl’s service for free.

RFC-Ignorant
rfc-ignorant.org is the clearinghouse for sites who think that the rules of the internet don’t apply to them. They maintain a number of lists (at present "dsn", "abuse", "postmaster", "bogusmx", and "whois") which contain domains or IP networks whose administrators choose not to obey the RFCs, the building block "rules" of the net. The site offers detailed config notes for the major mailservers.

Distributed Sender Blackhole List (DSBL)
The DSBL lists contain the IP addresses of servers which have relayed special test messages to listme@listme.dsbl.org; this can happen if the server is an open relay, an open proxy or has another vulnerability that allows anybody to deliver email to anywhere, through that server. The site offers help on how to use DSBL.

SpamCop Blocking List (SCBL)
The SpamCop Blocking List lists IP addresses which have transmitted reported email to SpamCop users. SpamCop, service providers and individual users then use the SCBL to block and filter unwanted email. The SCBL is a fast and automatic list of sites sending reported mail, fueled by a number of sources, including automated reports and SpamCop user submissions. The SCBL is time-based, resulting in quick and automatic delisting of these sites when reports stop. The site offers details on how to use SCBL service.

Composite Blocking List (CBL)
The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.

In other words, the CBL only lists IPs that have attempted email connections to one of our servers in such a way as to indicate that the sending IP is infected. The CBL can be queried in the usual way for DNS-based blocking lists, under the name cbl.abuseat.org.

There are a couple more things to consider when you intend to block emails using RBLs. The most important side effect of using RBLs is that you might block legitimate email by accident. Since blocking can be performed by IP, sometimes whole domains get included in RBLs because one subdomain turned out to be an open relay at one time.

In case you find yourself listed on a blacklist, contact the RBL provider as soon as possible, because only a few servers will accept email originating from your network. You’re considered a spam relay and nobody wants to have anything to do with spambots.
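
The following added example (not code from the original post or from any list operator) shows the lookup the SBL and CBL sections refer to: reverse the sender's address, append the list zone, and count only answers inside 127.0.0.0/8 as a listing. The `parked.example` zone, the sample resolver data and the `threshold` policy for limiting accidental blocks are assumptions made for illustration.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here

def dnsbl_query_name(ip, zone):
    """Reverse the address and append the list zone, e.g. 2.0.0.127.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                  # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """A records for name; [] on NXDOMAIN or lookup failure (fails open)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(answers):
    """'clean' if no answer, 'listed' if all in 127.0.0.0/8, else 'invalid'."""
    if not answers:
        return "clean"
    if all(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
        return "listed"
    return "invalid"  # e.g. a parked or wildcarded zone answering every query

def check_sender(ip, zones, resolve=system_resolver, threshold=1):
    """Return (reject, per-zone verdicts); reject needs `threshold` listings."""
    verdicts = {z: classify(resolve(dnsbl_query_name(ip, z))) for z in zones}
    hits = sum(1 for v in verdicts.values() if v == "listed")
    return hits >= threshold, verdicts

# Constructed sample data so the example runs offline. 127.0.0.2 is the
# conventional DNSBL test entry; parked.example is a hypothetical dead zone.
SAMPLE_DNS = {
    "2.0.0.127.sbl.spamhaus.org": ["127.0.0.2"],
    "2.0.0.127.cbl.abuseat.org": ["127.0.0.2"],
    "10.2.0.192.parked.example": ["203.0.113.7"],
}

def sample_resolver(name):
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    zones = ["sbl.spamhaus.org", "cbl.abuseat.org", "parked.example"]
    for ip in ("127.0.0.2", "192.0.2.10"):
        print(ip, check_sender(ip, zones, sample_resolver, threshold=2))
```

Leaving out the `resolve` argument makes `check_sender` perform live lookups through `system_resolver` instead of the sample data.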


