URL Blocklists, Whitelists and Blacklists - Email Security


URL Blocklists

DNS-based lists that contain domain names rather than IP addresses are known as URI Blacklists (URIBLs). A URIBL is used as follows: the URLs associated with an email message (the domain the message came from, together with any URLs in the subject or body) are looked up in the URIBL database, and if one of them is listed, the message is classified as spam or suspected spam. URL databases such as SURBL are lists of website domains that have appeared in email messages classified as spam. SURBL differs from other DNSBLs in that it looks at URIs, whereas DNSBLs analyse IP addresses.

DNS Blacklists (DNSBL)

Domain Name System (DNS) blacklists help in stopping spam, and are commonly used by anti-spam filter software and spam firewalls. A DNS blacklist is a database of IP addresses of known spam sources. Anti-spam filters query the blacklist for the source of each e-mail and block the message if the source is listed. Occasionally legitimate email servers get placed on these blacklists and, of course, run into major problems sending e-mail. They then have to request removal from the blacklist.

External blacklists, also called DNSBLs or RBLs, are lists of internet addresses from which potential or known spam originates. Anti-spam proxy firewalls use such lists to verify the authenticity of the messages received. If a proxy server querying an external blacklist receives a message from a sender that is on the queried blacklist, the message is usually blocked or quarantined.

zen.spamhaus.org is an example of a well-known IP blacklist service. Databases such as this one use a number of techniques to find spam sources. One common technique is to run their own e-mail services in order to capture spam: they publish e-mail addresses in various places on the internet and then monitor the e-mails those addresses receive from spammers.

Some third-party RBL services require a subscription and IP address registration to use their web-based RBL database services. You can use RBL services with your anti-spam solution, but before specifying third-party RBLs in your anti-spam device, you should check their website for terms and conditions.

Using blacklists is an effective initial point of defence. Query response time is typically in milliseconds, so delays are minimal. Some anti-spam firewalls cache the blacklist query response on a local DNS server for a period of time, making further queries even quicker. The only downside is that blacklists can also generate false positives (legitimate email messages that are blocked), although this tends to be minimal.

Domain or IP Address on a Blacklist Service

If your domain or IP address happens to be on a blacklist, you would first need to determine why you are on it. Possible reasons for being blacklisted include:

- Your email server has been hijacked by a spammer, and used to send out spam messages

- Your email server could be an open relay which would mean anyone can use your email server to send emails to anyone in the world.

- Spammers use your domain’s identity as their source address when sending out spam email messages to recipients.


Removing IP or domain names from a Blacklist provider

You will need to resolve the underlying problem first, and then contact the blacklist service provider directly and request to be taken off the blacklist.

Common Blacklist Services

The following is a list of common blacklist services.

sbl.spamhaus.org - The Spamhaus Block List tracks internet spammers, spam gangs and spam services, providing real-time spam protection. Spamhaus works with law enforcement agencies to help identify spammers.

xbl.spamhaus.org - This list is a real-time DNS-based database of IP addresses of illegal third-party exploits, including open proxies, hijacked PCs, and worms and viruses with built-in spam engines.

bl.spamcop.net - SpamCop is a more aggressive blacklist service. Email servers can operate blacklists in a tag-only mode, which may be more suitable when using SpamCop.

SURBL (Spam URI Real-time Blocklists) - SURBL lists website domains, unlike the other services above, which list IP addresses.

Whitelisting and Blacklisting Email Addresses on the local Appliance

Whitelists and blacklists of IP addresses, email addresses or complete domain names can help minimise false positives and false negatives. Whitelisting an email address bypasses some of the security checks in an anti-spam firewall; conversely, blacklisting an email address blocks mail from that address without the need to scan it.
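The filtering order described on this page (local whitelist and blacklist first, then a DNSBL lookup on the connecting IP address, then a URIBL lookup on every URL host in the message body) as one added example. This is not code from the page or from Spamhaus, SpamCop or SURBL. The resolver callable, the stub zone answers, the sample addresses and the sample body are constructed for the example; the query-name construction (reversed octets under the zone name) and the zen.spamhaus.org answer codes are the documented real ones.

```python
"""Minimal anti-spam decision pipeline: local lists, then DNSBL, then URIBL.
Added example, not the page's own code.  DNS lookups go through an injected
resolver callable so the module runs offline against a constructed stub; in
production you would pass a function that performs a real A-record query
against your own recursive resolver."""
import ipaddress
import re
from typing import Callable, Optional, Tuple

# Resolver: DNS name -> A-record string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

# Listing codes published by Spamhaus for the zen zone (documented values):
# SBL 127.0.0.2-3, XBL 127.0.0.4-7, PBL 127.0.0.10-11.
ZEN_CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets (or IPv6 nibbles) reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + "." + zone
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


def registrable_domain(host: str) -> str:
    """Reduce a URL host to the domain a URIBL lists.  Simplification: keeps the
    last two labels; a real client consults a public suffix list so that a host
    under a two-level TLD such as example.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def uribl_query_name(host: str, zone: str) -> str:
    return registrable_domain(host) + "." + zone


def extract_url_hosts(text: str) -> list:
    return sorted({m.group(1) for m in URL_HOST_RE.finditer(text)})


def interpret_answer(answer: Optional[str], codes=ZEN_CODES) -> Tuple[str, str]:
    """Map a DNSBL answer to ('listed' | 'unlisted' | 'error', detail).
    Spamhaus answers in 127.255.255.0/24 signal a query problem (for example an
    open resolver or over-usage) rather than a listing, so they must not block."""
    if answer is None:
        return "unlisted", "NXDOMAIN"
    octets = [int(o) for o in answer.split(".")]
    if octets[:3] == [127, 255, 255]:
        return "error", answer
    if octets[:3] == [127, 0, 0]:
        return "listed", codes.get(octets[3], answer)
    return "error", answer  # anything outside 127/8 is not a valid DNSBL reply


def _matches(sender: str, client_ip: str, entries) -> bool:
    """A local list entry may be a full address, a sender domain, or an IP address."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    return any(e.lower() in (sender, domain, client_ip) for e in entries)


def filter_message(sender: str, client_ip: str, body: str, resolver: Resolver,
                   whitelist=(), blacklist=(),
                   dnsbl_zone="zen.spamhaus.org", uribl_zone="multi.surbl.org"):
    """Return (verdict, reason).  Whitelist hits bypass the list checks, blacklist
    hits block without scanning, a DNSBL hit on the sending IP blocks, and a
    URIBL hit on a URL in the body quarantines the message as suspected spam."""
    if _matches(sender, client_ip, whitelist):
        return "accept", "local whitelist: DNSBL/URIBL checks bypassed"
    if _matches(sender, client_ip, blacklist):
        return "reject", "local blacklist: blocked without scanning"
    notes = []
    state, detail = interpret_answer(resolver(dnsbl_query_name(client_ip, dnsbl_zone)))
    if state == "listed":
        return "reject", f"{client_ip} listed in {dnsbl_zone} ({detail})"
    if state == "error":
        notes.append(f"{dnsbl_zone} query error {detail}, not treated as a listing")
    for host in extract_url_hosts(body):
        state, detail = interpret_answer(resolver(uribl_query_name(host, uribl_zone)), codes={})
        if state == "listed":
            return "quarantine", f"URL host {host} listed in {uribl_zone} ({detail})"
    return "accept", "; ".join(["no list hits"] + notes)


# Constructed stub zone data standing in for real DNS answers (no network access).
STUB_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",           # an SBL-style listing
    "9.8.7.6.zen.spamhaus.org": "127.255.255.254",       # Spamhaus "open resolver" error code
    "spam-links.example.multi.surbl.org": "127.0.0.8",   # a URIBL listing
}


def stub_resolver(name: str) -> Optional[str]:
    return STUB_ANSWERS.get(name)


# Constructed sample body with one listed and one unlisted URL host.
SAMPLE_BODY = "Click https://www.spam-links.example/offer now or read https://docs.python.org/3/"

if __name__ == "__main__":
    print(filter_message("x@y.example", "127.0.0.2", "", stub_resolver))
    print(filter_message("x@y.example", "10.0.0.1", SAMPLE_BODY, stub_resolver))
```

Two design points matter in practice. Queries should go to your own recursive resolver rather than a public open resolver: the caching the page mentions then happens on that resolver for the record's TTL, and Spamhaus answers queries from open resolvers with a 127.255.255.x error code, which `interpret_answer` deliberately keeps from becoming a false positive. `registrable_domain` is a stand-in; a deployed URIBL client uses a public suffix list so the right domain label is queried.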

Further Reading

Wikipedia's guide to Blacklist Whitelist