HOME

TheInfoList



OR:

A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of
mail server Within the Internet email system, a message transfer agent (MTA), or mail transfer agent, or mail relay is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host ...
s to perform a check via a
Domain Name System The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...
(DNS) query whether a sending host's
IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...
is blacklisted for
email spam Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoida ...
. Most mail server software can be configured to check such lists, typically rejecting or flagging messages from such sites. A DNSBL is a software mechanism, rather than a specific list or policy. Dozens of DNSBLs exist. They use a wide array of criteria for listing and delisting addresses. These may include listing the addresses of
zombie computer In computing, a zombie is a computer connected to the Internet that has been compromised by a hacker via a computer virus, computer worm, or trojan horse program and can be used to perform malicious tasks under the remote direction of the hac ...
s or other machines being used to send spam, Internet service providers (ISPs) who willingly host spammers, or those which have sent spam to a honeypot system. Since the creation of the first DNSBL in 1998, the operation and policies of these lists have frequently been controversial, both in Internet
advocacy Advocacy is an Action (philosophy), activity by an individual or advocacy group, group that aims to influence decision making, decisions within political, economic, and social institutions. Advocacy includes activities and publications to infl ...
circles and occasionally in lawsuits. Many email systems operators and users consider DNSBLs a valuable tool to share information about sources of spam, but others including some prominent Internet activists have objected to them as a form of
censorship Censorship is the suppression of speech, public communication, or other information. This may be done on the basis that such material is considered objectionable, harmful, sensitive, or "inconvenient". Censorship can be conducted by governments ...
. In addition, a small number of DNSBL operators have been the target of lawsuits filed by spammers seeking to have the lists shut down.


History

The first DNSBL was the Real-time Blackhole List (RBL), created in 1997, at first as a
Border Gateway Protocol Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. BGP is classified as a path-vector routing protocol, and it makes ...
(BGP) feed by
Paul Vixie Paul Vixie is an American computer scientist whose technical contributions include Domain Name System (DNS) protocol design and procedure, mechanisms to achieve operational robustness of DNS implementations, and significant contributions to open ...
, and then as a DNSBL by Eric Ziegast as part of Vixie's
Mail Abuse Prevention System The Mail Abuse Prevention System (MAPS) is an organization that provides anti-spam support by maintaining a DNSBL. They provide five black lists, categorising why an address or an IP block is listed: * Real-time Blackhole List (RBL), the one for wh ...
(MAPS); Dave Rand at Abovenet was its first subscriber. The very first version of the RBL was not published as a DNSBL, but rather a list of networks transmitted via BGP to routers owned by subscribers so that network operators could drop all
TCP/IP The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suit ...
traffic for machines used to send spam or host spam supporting services, such as a website. The inventor of the technique later commonly called a DNSBL was Eric Ziegast while employed at Vixie Enterprises. The term "blackhole" refers to a networking black hole, an expression for a link on a network that drops incoming traffic instead of forwarding it normally. The intent of the RBL was that sites using it would refuse traffic from sites which supported spam — whether by actively sending spam, or in other ways. Before an address would be listed on the RBL, volunteers and MAPS staff would attempt repeatedly to contact the persons responsible for it and get its problems corrected. Such effort was considered very important before black-holing all network traffic, but it also meant that spammers and spam supporting ISPs could delay being put on the RBL for long periods while such discussions went on. Later, the RBL was also released in a DNSBL form and Paul Vixie encouraged the authors of
sendmail Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet. A descendant of the ...
and other mail software to implement RBL support in their clients. These allowed the mail software to query the RBL and reject mail from listed sites on a per-mail-server basis instead of black-holing all traffic. Soon after the advent of the RBL, others started developing their own lists with different policies. One of the first was Alan Brown's
Open Relay Behavior-modification System Open Relay Behavior-modification System (ORBS), created and run by Alan Brown in New Zealand, was one of the first DNS-based Blackhole Lists (DNSBL), a means by which an internet domain may publish a list of IP addresses, in a database which can ...
(ORBS). This used automated testing to discover and list mail servers running as
open mail relay An open mail relay is a Simple Mail Transfer Protocol (SMTP) server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This used to be the default con ...
s—exploitable by
spammers This is a list of individuals and organizations noteworthy for engaging in bulk electronic spamming, either on their own behalf or on behalf of others. It is not a list of all spammers, only those whose actions have attracted substantial independen ...
to carry their spam. ORBS was controversial at the time because many people felt running an open relay was acceptable, and that scanning the Internet for open mail servers could be abusive. In 2003, a number of DNSBLs came under
denial-of-service attack In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connect ...
s (DOS). Since no party has admitted to these attacks nor been discovered responsible, their purpose is a matter of speculation. However, many observers believe the attacks are perpetrated by spammers in order to interfere with the DNSBLs' operation or hound them into shutting down. In August 2003, the firm
Osirusoft The Spam Prevention Early Warning System (SPEWS) was an anonymous service that maintained a list of IP address ranges belonging to internet service providers (ISPs) that host spammers and show little action to prevent their abuse of other network ...
, an operator of several DNSBLs including one based on the
SPEWS The Spam Prevention Early Warning System (SPEWS) was an anonymous service that maintained a list of IP address ranges belonging to internet service providers (ISPs) that host spammers and show little action to prevent their abuse of other network ...
data set, shut down its lists after suffering weeks of near-continuous attack. Technical specifications for DNSBLs came relatively late in RFC5782.


URI DNSBLs

A
Uniform Resource Identifier A Uniform Resource Identifier (URI) is a unique sequence of characters that identifies a logical or physical resource used by web technologies. URIs may be used to identify anything, including real-world objects, such as people and places, conc ...
(URI) DNSBL is a DNSBL that lists the domain names and sometimes also IP addresses which are found in the "clickable" links contained in the body of spams, but generally not found inside legitimate messages. URI DNSBLs were created when it was determined that much spam made it past spam filters during that short time frame between the first use of a spam-sending IP address and the point where that sending IP address was first listed on major sending-IP-based DNSBLs. In many cases, such elusive spams contain in their links domain names or IP addresses (collectively referred to as a URIs) where that URI was ''already'' spotted in previously caught spam and where that URI is not found in non-spam e-mail. Therefore, when a spam filter extracts all URIs from a message and checks them against a URI DNSBL, then the spam can be blocked even if the sending IP for that spam has not yet been listed on any sending IP DNSBL. Of the three major URI DNSBLs, the oldest and most popular is
SURBL SURBL (previously stood for Spam URI RBL) is a collection of URI DNSBL lists of Uniform Resource Identifier (URI) hosts, typically web site domains, that appear in unsolicited messages. SURBL can be used to search incoming e-mail message bodies fo ...
. After SURBL was created, some of the volunteers for SURBL started the second major URI DNSBL, URIBL. In 2008, another long-time SURBL volunteer started another URI DNSBL, ivmURI.
The Spamhaus Project The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to track email spammers and spam-related activity. The name ''spamhaus'', a pseudo-German expression, was coined by Lin ...
provides the Spamhaus Domain Block List (DBL) which they describe as domains "found in spam messages". The DBL is intended as both a URIBL and RHSBL, to be checked against both domains in a message's envelope and headers and domains in URLs in message bodies. Unlike other URIBLs, the DBL only lists domain names, not IP addresses, since Spamhaus provides other lists of IP addresses. URI DNSBLs are often confused with RHSBLs (Right Hand Side BLs). But they are different. A URI DNSBL lists domain names and IPs found in the body of the message. An RHSBL lists the domain names used in the "from" or "reply-to" e-mail address. RHSBLs are of debatable effectiveness since many spams either use forged "from" addresses or use "from" addresses containing popular freemail domain names, such as @gmail.com, @yahoo.com, or @hotmail.com URI DNSBLs are more widely used than RHSBLs, are very effective, and are used by the majority of spam filters.


Principle

To operate a DNSBL requires three things: a domain to host it under, a nameserver for that domain, and a list of addresses to publish. It is possible to serve a DNSBL using any general-purpose DNS server software. However this is typically inefficient for zones containing large numbers of addresses, particularly DNSBLs which list entire Classless Inter-Domain Routing netblocks. For the large resource consumption when using software designed as the role of a Domain Name Server, there are role-specific software applications designed specifically for servers with a role of a DNS blacklist. The hard part of operating a DNSBL is populating it with addresses. DNSBLs intended for public use usually have specific, published policies as to what a listing means, and must be operated accordingly to attain or sustain public confidence.


DNSBL queries

When a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let's say, ''dnsbl.example.net''), it does more or less the following: # Take the client's IP address—say, ''192.168.42.23''—and reverse the order of octets, yielding ''23.42.168.192''. # Append the DNSBL's domain name: ''23.42.168.192.dnsbl.example.net''. # Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an "NXDOMAIN" ("No such domain") code, indicating that the client is not. # Optionally, if the client is listed, look up the name as a text record ("TXT" record). Most DNSBLs publish information about why a client is listed as TXT records. Looking up an address in a DNSBL is thus similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the "A" rather than "PTR" record type, and uses a forward domain (such as ''dnsbl.example.net'' above) rather than the special reverse domain ''in-addr.arpa''. There is an informal protocol for the addresses returned by DNSBL queries which match. Most DNSBLs return an address in the 127.0.0.0/8 IP
loopback Loopback (also written loop-back) is the routing of electronic signals or digital data streams back to their source without intentional processing or modification. It is primarily a means of testing the communications infrastructure. There are m ...
network. The address 127.0.0.2 indicates a generic listing. Other addresses in this block may indicate something specific about the listing—that it indicates an open relay, proxy, spammer-owned host, etc. For details see RFC 5782.


URI DNSBL

A URI DNSBL query (and an RHSBL query) is fairly straightforward. The domain name to query is prepended to the DNS list host as follows: example.net.dnslist.example.com where ''dnslist.example.com'' is the DNS list host and ''example.net'' is the queried domain. Generally if an A record is returned the name is listed.


DNSBL policies

Different DNSBLs have different policies. DNSBL policies differ from one another on three fronts: * Goals. What does the DNSBL ''seek'' to list? Is it a list of open-relay mail servers or open proxies—or of IP addresses known to send spam—or perhaps of IP addresses belonging to ISPs that harbor spammers? * Nomination. How does the DNSBL ''discover'' addresses to list? Does it use nominations submitted by users? Spam-trap addresses or honeypots? * Listing lifetime. How long does a listing ''last''? Are they automatically expired, or only removed manually? What can the operator of a listed host do to have it delisted?


Types

In addition to the different types of listed entities (IP addresses for traditional DNSBLs, host and domain names for RHSBLs, URIs for URIBLs) there is a wide range of semantic variations between lists as to what a listing means. List maintainers themselves have been divided on the issues of whether their listings should be seen as statements of objective fact or subjective opinion and on how their lists should best be used. As a result, there is no definitive taxonomy for DNSBLs. Some names defined here (e.g. "Yellow" and "NoBL") are varieties that are not in widespread use and so the names themselves are not in widespread use, but should be recognized by many spam control specialists. ; White List / Allow List : A listing is an affirmative indication of essentially absolute trust ; Black List / Block LIst : A listing is a negative indication of essentially absolute distrust ; Grey List : Most frequently seen as one word (greylist or greylisting) not involving DNSBLs directly, but using temporary deferral of mail from unfamiliar sources to allow for the development of a public reputation (such as DNSBL listings) or to discourage speed-focused spamming. Occasionally used to refer to actual DNSBLs on which listings denote distinct non-absolute levels and forms of trust or distrust. ; Yellow List : A listing indicates that the source is known to produce a mixture of spam and non-spam to a degree that makes checking other DNSBLs of any sort useless. ; NoBL List : A listing indicates that the source is believed to send no spam and should not be subjected to blacklist testing, but is not quite as trusted as a whitelisted source.


Usage

* Most
message transfer agent Within the Internet email system, a message transfer agent (MTA), or mail transfer agent, or mail relay is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host ...
s (MTA)As of July 2016, 30 out of 41 MTAs listed in Comparison of mail servers#Antispam features are known to support DNSBL, 1 doesn't, and the remaining 10 are not known. can be configured to absolutely block or (less commonly) to accept email based on a DNSBL listing. This is the oldest usage form of DNSBLs. Depending on the specific MTA, there can be subtle distinctions in configuration that make list types such as Yellow and NoBL useful or pointless because of how the MTA handles multiple DNSBLs. A drawback of using the direct DNSBL support in most MTAs is that sources not on any list require checking all of the DNSBLs being used with relatively little utility to caching the negative results. In some cases this can cause a significant slowdown in mail delivery. Using White, Yellow, and NoBL lists to avoid some lookups can be used to alleviate this in some MTAs. * DNSBLs can be used in rule based spam analysis software like
Spamassassin Apache SpamAssassin is a computer program used for anti-spam techniques, e-mail spam filtering. It uses a variety of spam-detection techniques, including Domain Name System, DNS and fuzzy checksum techniques, Bayesian spam filtering, Bayesian filt ...
where each DNSBL has its own rule. Each rule has a specific positive or negative weight which is combined with other types of rules to score each message. This allows for the use of rules that act (by whatever criteria are available in the specific software) to "whitelist" mail that would otherwise be rejected due to a DNSBL listing or due to other rules. This can also have the problem of heavy DNS lookup load for no useful results, but it may not delay mail as much because scoring makes it possible for lookups to be done in parallel and asynchronously while the filter is checking the message against the other rules. * It is possible with some toolsets to blend the binary testing and weighted rule approaches. One way to do this is to first check white lists and accept the message if the source is on a white list, bypassing all other testing mechanisms. A technique developed by Junk Email Filter uses Yellow Lists and NoBL lists to mitigate the false positives that occur routinely when using black lists that are not carefully maintained to avoid them. * Some DNSBLs have been created for uses other than filtering email for spam, but rather for demonstration, informational, rhetorical, and testing control purposes. Examples include the "No False Negatives List," "Lucky Sevens List," "Fibonacci's List," various lists encoding GeoIP information, and random selection lists scaled to match coverage of another list, useful as a control for determining whether that list's effects are distinguishable from random rejections.


Criticism

Some end-users and organizations have concerns regarding the concept of DNSBLs or the specifics of how they are created and used. Some of the criticisms include: * Legitimate emails blocked along with spam from shared mailservers. When an ISP's shared mailserver has one or more compromised machines sending spam, it can become listed on a DNSBL. End-users assigned to that same shared mailserver may find their emails blocked by receiving mailservers using such a DNSBL. In May 2016, the SORBS system was blocking the SMTP servers of Telstra Australia, Australia's largest internet service provider. This is no surprise as at any one time, there would be thousands of computers connected to this mail server infected by zombie type viruses sending spam. The effect is to cut off all the legitimate emails from the users of the Telstra Australia system. * Lists of dynamic IP addresses. This type of DNSBL lists IP addresses submitted by ISPs as dynamic and therefore presumably unsuitable to send email directly; the end-user is supposed to use the ISP's mailserver for all sending of email. But these lists can also accidentally include static addresses, which may be legitimately used by small-business owners or other end-users to host small email servers. * Lists that include "spam-support operations", such as MAPS RBL. A spam-support operation is a site that may not directly send spam, but provides commercial services for spammers, such as hosting of Web sites that are advertised in spam. Refusal to accept mail from spam-support operations is intended as a
boycott A boycott is an act of nonviolent, voluntary abstention from a product, person, organization, or country as an expression of protest. It is usually for moral, social, political, or environmental reasons. The purpose of a boycott is to inflict som ...
to encourage such sites to cease doing business with spammers, at the expense of inconveniencing non-spammers who use the same site as spammers. * Some lists have unclear listing criteria and delisting may not happen automatically nor quickly. A few DNSBL operators will request payment (e.g. uceprotect.net) or donation (e.g.
SORBS Sorbs ( hsb, Serbja, dsb, Serby, german: Sorben; also known as Lusatians, Lusatian Serbs and Wends) are a indigenous West Slavic ethnic group predominantly inhabiting the parts of Lusatia located in the German states of Saxony and Brandenbu ...
). Some of the many listing/delisting policies can be found in the
Comparison of DNS blacklists __NOTOC__ The following table lists technical information for assumed reputable DNS blacklists used for blocking spam. Notes "Collateral listings"—Deliberately listing non-offending IP addresses, in order to coerce ISPs to take action agains ...
article. * Because lists have varying methods for adding IP addresses and/or URIs, it can be difficult for senders to configure their systems appropriately to avoid becoming listed on a DNSBL. For example, the UCEProtect DNSBL seems to list IP addresses merely once they have validated a recipient address or established a TCP connection, even if no spam message is ever delivered. Despite the criticisms, few people object to the principle that mail-receiving sites should be able to reject undesired mail systematically. One person who does is
John Gilmore John Gilmore may refer to: * John Gilmore (activist) (born 1955), co-founder of the Electronic Frontier Foundation and Cygnus Solutions * John Gilmore (musician) (1931–1995), American jazz saxophonist * John Gilmore (representative) (1780–1845), ...
, who deliberately operates an
open mail relay An open mail relay is a Simple Mail Transfer Protocol (SMTP) server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This used to be the default con ...
. Gilmore accuses DNSBL operators of violating
antitrust Competition law is the field of law that promotes or seeks to maintain market competition by regulating anti-competitive conduct by companies. Competition law is implemented through public and private enforcement. It is also known as antitrust l ...
law. A number of parties, such as the
Electronic Frontier Foundation The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in San Francisco, California. The foundation was formed on 10 July 1990 by John Gilmore, John Perry Barlow and Mitch Kapor to promote Internet ci ...
and
Peacefire Peacefire is a U.S.-based website, with a registered address in Bellevue, Washington, dedicated to "preserving First Amendment rights for Internet users, particularly those younger than 18". It was founded in August 1996 by Bennett Haselton, ...
, have raised concerns about some use of DNSBLs by
ISP An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...
s. One joint statement issued by a group including EFF and Peacefire addressed "stealth blocking", in which ISPs use DNSBLs or other spam-blocking techniques without informing their clients.


Lawsuits

Spammers have pursued lawsuits against DNSBL operators on similar grounds: * In 2003, EMarketersAmerica.org filed a lawsuit against a number of DNSBL operators in a Florida court. Backed by spammer
Eddy Marin Eddie or Eddy may refer to: Science and technology *Eddy (fluid dynamics), the swirling of a fluid and the reverse current created when the fluid flows past an obstacle *Eddie (text editor), a text editor originally for BeOS and now ported to Linu ...
, the company claimed to be a trade organization for email marketers and that DNSBL operators
Spamhaus The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to track email spammers and spam-related activity. The name ''spamhaus'', a pseudo-German expression, was coined by Linf ...
and SPEWS were engaged in
restraint of trade Restraints of trade is a common law doctrine relating to the enforceability of contractual restrictions on freedom to conduct business. It is a precursor of modern competition law. In an old leading case of '' Mitchel v Reynolds'' (1711) Lord S ...
. The suit was eventually dismissed for lack of
standing Standing, also referred to as orthostasis, is a position in which the body is held in an ''erect'' ("orthostatic") position and supported only by the feet. Although seemingly static, the body rocks slightly back and forth from the ankle in the s ...
. * In 2006, a U.S. court ordered Spamhaus to pay $11.7 million in damages to the spammer e360 Insight LLC. The order was a
default judgment Default judgment is a binding judgment in favor of either party based on some failure to take action by the other party. Most often, it is a judgment in favor of a plaintiff when the defendant has not responded to a summons or has failed to appear ...
, as Spamhaus, which is based in the UK, had refused to recognize the court's
jurisdiction Jurisdiction (from Latin 'law' + 'declaration') is the legal term for the legal authority granted to a legal entity to enact justice. In federations like the United States, areas of jurisdiction apply to local, state, and federal levels. Jur ...
and did not defend itself in the e360 lawsuit. In 2011, his decision was overturned by the
United States Court of Appeals for the Seventh Circuit The United States Court of Appeals for the Seventh Circuit (in case citations, 7th Cir.) is the U.S. federal court with appellate jurisdiction over the courts in the following districts: * Central District of Illinois * Northern District of Il ...
.


See also

*
Comparison of DNS blacklists __NOTOC__ The following table lists technical information for assumed reputable DNS blacklists used for blocking spam. Notes "Collateral listings"—Deliberately listing non-offending IP addresses, in order to coerce ISPs to take action agains ...
*
DNSWL A DNSWL (" DNS-based whitelist") is a "whitelist" of semi-trusted locations on the Internet. The locations consist of IP addresses which may be reputed with no or low occurrences of spamming. Generic need for whitelisting Natural language under ...
*
Email spam Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoida ...


Notes


References


External links

*
Blacklist Monitor
- Weekly statistics of success and failure rates for specific blacklists

- Tutorial on how to create a DNSBL (DNS Black List) {{DEFAULTSORT:Dnsbl Spamming Spam filtering Internet terminology