Random Stuff
Tools & Documents:
  Email Address Validator

DNS based IP Blocklists

These blocklists contain lists of IP addresses of hosts that are associated with sending spam. They are normally used by the system administrators of mail servers: most modern mailserver software includes the option to check that the sending host is not in one of these lists before deciding to accept the email.

Some filtering software, such as spamassassin, can query these lists in order to help decide if email is spam. Carrying out the check in the mailserver is preferable though, since at that stage fewer resources have been involved in receiving and processing the email. One of the main advantages of this type of blocklist is that they can easily and reliably be checked by mail servers before receiving the email.

The disadvantage is that rejecting all email from a given server might be regarded as 'heavy-handed', especially if that server is shared between the spammer and legitimate users. For this reason it's important that anyone rejecting email based on a blocklist on this page understands exactly what email they'll be rejecting - and how likely it is to reject legitimate email.

Here are brief descriptions, along with a bit of (my) opinion, of a few of the more popular blocklists.

SBL http://www.spamhaus.org/sbl/

The SBL is run by spamhaus.org, who provide ROKSO (Register Of Known Spam Operations). The rationale is simple, they believe that 90% of spam is produced by a couple of hundred well known spammers. By listing all IPs registered to these spammers they hope that people using the list will be able to block a significant amount of spam while minimising the amount of legitimate email caught. Unfortunately spammers often abuse open relays (and other types of open proxy) in order to send their spam via other people's IP addresses, so don't expect using the SBL alone to block 90% of your spam.

If you are going to reject email based on any of the blocklists on this page I'd recommend that this is the first one that you consider: it will carry only a relatively small risk of blocking legitimate email, and will show the major spammers that the majority of the internet does not want to talk to them. In combination with a good open relay blocklist the SBL has the potential to stop a significant amount of spam.

ORDB ordb.org

ORDB (Open Relay Database) is a list of open SMTP relays. Anyone can request ORDB check a host, through a simple of form on their website. They will then run their own suite of tests against the host - and list it if it is found to be an open relay. Spammers are increasinly exploiting open proxies instead of SMTP relays, for reasons I describe here - so for a more thorough solution you might want to consider a block list that includes these (for example the DSBL) as well as (or instead of) ORDB.

It is important to remember that people running open relays do not, generally, do so deliberately - they are often simply badly configured or out of date email servers run by ordinary companies or individuals. Rejecting their email may well be a good way to persuade them to get their act in gear and fix their server, but doing so will mean it's very likely that from time to time you'll reject legitimate email.

SPEWS http://spews.org

One of the most well known, and also one of the most controversial, block lists. Part of this controversy is caused by the anonymity of the administrators of the list. SPEWS primarily lists IPs belonging to known spammers or spam support organisations, however if an ISP hosts a spammer and refuses (or simply fails) to remove the spammer from their network SPEWS will start regarding the ISP as a spam supporter - and will start increasing the number of IPs listed to include other IPs owned by the ISP. While this is an effective technique in trying to persuade ISPs that it's in their interests to terminate spammers it means that SPEWS will often include IPs used by people who do not (and have never) sent spam. SPEWS regard these IPs as 'collateral damage', but it's important to remember that blocking email based on the SPEWS (while blocking a relatively large amount of spam) will almost invariably block some legitimate emails.

DSBL http://dsbl.org/

The DSBL blocks open relays, open proxies and any other server which spammers could abuse to send out their spam. The rationale is simple: if a server can be made to send an email containing a unique cookie to listme@listme.dsbl.org then it must be bad, so any such email received by that address automatically gets the sending host listed in the blocklist. Clearly this is open to abuse, since (for example) any hotmail user could legitimately use the hotmail servers to email this address - and thus get all of hotmail listed. To prevent this type of abuse only cookies given to people trusted by DSBL cause servers to be listed in the main list (list.dsbl.org). If you wish to check the complete (untrusted) list you can do so using unconfirmed.dsbl.org - however it would be very unwise to reject email based on this list. It may be appropriate for use in a scoring system (such as spamassassin).

Blocking by country http://countries.nerd.dk/

Rejecting emails based on the country the sending host's IP address belongs to is a surprisingly common practise. It's clearly not an appropriate strategy for ISPs, but for some small companies it does make some sense. Like it or not, a lot of spam currently comes from (or via open relays in) a few countries that they have no intention of selling to, or dealing with in any way - so why not simply block all email from them. The favourites include China (cn.countries.nerd.dk) and Brazil (br.countries.nerd.dk) - a quick check of your mailserver logs will show up other possible candidates.

This site is best viewed with any browser Valid HTML 4.01! © Copyright 2011, Stephen White