Home Page


Email & Spam

Security Terminology

Security Topics

VPN & Cryptography



Email Security and Spam Terminology

Zero Day Window


Bayesian Algorithm

Content and Connection control

Directory Harvesting Attacks

Email Encryption

Email Archiving

File attachments

Image scanning

Email Load balancing

Port forwarding and MX records

Reputation filters

Encrypted attachments

Grey Listing

Email Monitoring

Internal Email Security

Open Relay

Outbound email filtering

Per user quarantine area

Reverse DNS lookup & SPF

RFC Compliant emails


Spoofed email

Stopping spam for Networks guide

Email Throttling

What is Spam

Which Spam filter

Whitelists and Blacklists


Security Products Guide

Which Anti-Virus Software?

Which Firewall?

Which Spam Filter?

Which Internet Security Suite?


What is Guide

What is a Firewall?

What is a Virus?

What is Spam?


Essential Security Guides

Securing Windows XP Guide

Securing Windows Vista Guide

A Guide to Wireless Security



Top 8 Internet Security Tips

Why both, Firewall and Anti Virus?

Free or purchased security - Which one?





URL Blocklists, Whitelists and Blacklists - Email Security


URL Blocklists

DNSBLs that list domain names are known as URIBLs, in which the content of the email message is checked for any URL’s registered with a URL database. If the URL of an email message from where the email message has come from including any URL’s within the subject or body are found and the URL exists within a URIBL database, then the email message is classified as spam, or suspected spam. URL databases such as SURBL are a list of website domains that have appeared in spam email messages. http://www.surbl.org/. SURBL differs from other DNSBLs because SURBL looks at URI’s, DNSBL’s look at IP addresses.


DNS Blacklists (DNSBL)

Domain Name System (DNS) blacklists help in stopping spam, and is commonly used by spam filter software and spam firewalls. A DNS blacklist is a database of IP addresses of known spam sources. This way a spam filter can use this tool to query if an e-mail is on a blacklist, which it would block if the source is listed. Occasionally legitimate mail servers get placed on these blacklists and of course run into major problems sending e-mail. They would then have to request to be taken off the blacklist.

External blacklists, also called DNSBLs or RBLs, are lists of internet addresses from which potential or known spam originates. Spam proxy firewalls use such lists to verify the authenticity of the messages received. If a proxy server querying an external blacklist receives a message from a sender on a queried blacklist, the message is usually blocked or quarantined.

Zen.spamhoause.org is an example of a well known IP blacklist service. Databases such as this one use a number of techniques in finding spam sources. An example would be running their own e-mail servers, publishing e-mail addresses in various places on the internet and then monitoring e-mails received for spam.

Some third party RBL services require a subscription and IP address registration to use their web based database RBL service. Before specifying third party RBL's in your proxy, check their website for terms and conditions.

Using blacklists is an effective initial point of defence. Querying response time is typically in milliseconds, so delays are very minimal. Some spam firewalls query blacklist services in which the query is cached on local DNS for a period of time, making further queries even quicker. The only downside is blacklists can also generate false-positives (legitimate email messages that are blocked), although this is minimal.


Domain or IP Address on a Blacklist

If your domain or IP address happens to be on a blacklist then first you need to determine why you’re on a blacklist. Possible reasons could be;


* Your email server has been hijacked by a spammer, and used to send out spam.

* You email server could be an open relay which would mean anyone can use your   email server to send emails to anyone in the world.

* Spammers use your domain’s identity as the sender when sending out spam email messages to recipients.


Removing IP or domain name from a Blacklist provider

You will need to first resolve the initial problem, and then contact the blacklist service provider directly and request to be taken off the blacklist.


Common Blacklist Services

sbl.spamhaus.org - The Spamhaus service looks for internet spammers, spam gangs and spam services which provide real-time spam protection.  Spamhaus works with law enforcement agencies to help in identifying spammers.

xbl.spamhaus.org - This list is a real-time DNS based database of IP addresses of illegal third-party exploits, including open proxies, hijacked PC’s, worms and viruses with built in spam engines.

bl.spamcop.net - SpamCop is a more aggressive spam service. Email servers can operate with blacklists in a tag-only mode, which may be more suitable when using SpamCop.

SURBL (Spam URI Real-time Blocklists) – Lists website domains unlike the others which list IP addresses.


Whitelisting and Blacklisting on the Appliance itself

Whitelists and blacklists of IP addresses, email addresses or complete domain names can help minimise false positives as well as false negatives. They provide guaranteed bypass of the spam firewall if using a whitelist or guaranteed blocking at the spam firewall if using a blacklist, assuming email is coming from the source specified. For example there is no point in scanning emails for spam from a trusted partner company you deal with everyday. If your partner company was sending your company 500 emails a day and a few of them are getting classified as spam on a daily bases, your administrator will have to release these emails on constant bases. However by Whitelisting your partner domain from scanning for spam emails will avoid this issue. With whitelisting, you must remember to only whitelist against spam, and not viruses. Your spam firewall should be granular enough to make this type of change.

Further Reading

Wikipedia's guide to Blacklist Whitelist