Mail Spam Blacklists

From LinuxReviews

E-mail spam has been a huge problem for as long as e-mail has been around, since the cost of sending millions of spam messages is so close to zero. Using blacklists to filter out known spam sources is one measure which helps. Most of the e-mail spammer blacklist providers have a DNS service which responds to queries in a standardized way. This means that they can be used with any MTA which supports DNS blacklist lookups (Postfix, qmail, etc.). Here's a quick rundown of how the various blacklist providers compare.

Introduction

This is what linuxreviews actually uses in the smtpd_recipient_restrictions = setting of our Postfix main.cf file as of 2019-06:

  reject_rbl_client bl.spamcop.net,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client psbl.surriel.com,
  reject_rbl_client truncate.gbudb.net,
  reject_rbl_client db.wpbl.info,
  reject_rbl_client spam.spamrats.com,
  reject_rbl_client dnsbl.dronebl.org,
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client dnsbl.inps.de,
  reject_rbl_client bl.blocklist.de,
  reject_rbl_client zen.spamhaus.org,
  reject_rhsbl_sender bogusmx.rfc-ignorant.org,
  reject_rhsbl_sender dsn.rfc-ignorant.org,

You can copy this list as it is, but you shouldn't do that without understanding the implications. You will obviously have to change the format if you're not using Postfix; other MTAs have different ways of listing DNSBL entries.

You will find a detailed description of every entry on the above list below, along with some lists we do not use. It is wise to get an idea of what these services are before blindly copy-pasting them into your configuration.

Quick Configuration Tip: Use your own DNS server(s)

Many of the DNS blacklists are only free for low-volume personal use. The checks the providers use to stop large mail providers from sending query volumes that only they would generate typically also deny queries from public DNS servers, because everyone using such a resolver shares its query volume. This means that some services may work fine if you query them through your own DNS server and not work at all if you query them through a public resolver like 1.1.1.1. Do run and use your own DNS server when you use DNS blacklists in your e-mail server's configuration.
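The lookup itself is simple enough to show in full. The block below is an added example written for this page, not LinuxReviews' own code: it builds the query name the way every MTA does (reversed address, then the list's zone), asks for an A record, and interprets the answer. It also handles the failure mode the tip above is about: Spamhaus answers 127.255.255.x when it refuses a query (for instance one arriving via a public resolver or over the free-use volume), and a client that treats every 127.x answer as "listed" would start rejecting all mail the moment its resolver is cut off. The zone names are the ones used on this page; the `refused.test` zone in the usage note is constructed.

```python
"""DNSBL lookup the way an MTA does it.

Added example for the LinuxReviews page, not the site's own code.
A client reverses the IP's octets, appends the list's zone and asks for
an A record.  NXDOMAIN means "not listed"; an answer in 127.0.0.0/8 means
"listed", with the last octet carrying a list-specific reason code.
Spamhaus additionally answers 127.255.255.x when it refuses the query
(e.g. it came via a public resolver or exceeded the free-use volume),
so a client that treats every 127.x answer as a listing would start
rejecting all mail once its resolver is cut off.
"""
import ipaddress
import socket
from typing import Callable, Optional

# A resolver maps a query name to the A record it got, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name for ip in zone (RFC 5782 convention).

    192.0.2.10 in zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org.
    IPv6 addresses use the nibble-reversed form the IPv6-capable lists use.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the host's configured DNS; NXDOMAIN/failure -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(ip: str, zone: str, resolve: Resolver = system_resolver) -> dict:
    """Query one list and interpret the answer.

    Returns {"listed": bool, "code": answer or None, "error": str or None}.
    Only a 127.0.0.0/8 answer outside 127.255.255.0/24 counts as a listing.
    """
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return {"listed": False, "code": None, "error": None}
    if not answer.startswith("127."):
        # Not a DNSBL answer at all: typically a wildcard record on a zone
        # whose domain has lapsed or changed hands.  Never treat it as a listing.
        return {"listed": False, "code": answer, "error": "non-loopback answer"}
    if answer.startswith("127.255.255."):
        # Spamhaus-style "query refused" signal; the IP's status is unknown.
        return {"listed": False, "code": answer, "error": "query refused by list"}
    return {"listed": True, "code": answer, "error": None}


if __name__ == "__main__":
    # Live check against the host's resolver; 127.0.0.2 is the RFC 5782
    # test address that every DNSBL is supposed to list.
    print(dnsbl_check("127.0.0.2", "zen.spamhaus.org"))
```

Run it on a host that uses its own resolver and the test address comes back listed with code 127.0.0.2; run it behind a public resolver and the same query returns a 127.255.255.x error instead, which is exactly the situation the tip above warns about. Postfix can apply the same filtering itself: `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]` only rejects on the documented listing codes and ignores the error range.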

The Blacklists

Composite Blocking List (abuseat)

CBL (Composite Blocking List) is a list which only blocks based on traps. Their story is this:

"The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, without doing open proxy tests of any kind.

In other words, the CBL only lists IPs that have attempted to send email to one of our servers in such a way as to indicate that the sending IP is infected."[1]

The CBL is a really nice list to use. It quickly adds compromised, zombie and malware-infected hosts. It has a zero false positive rate, since you have to send them spam to get on the list, and they only add single hosts; they do not block IP ranges.

  • DNSBL configuration: cbl.abuseat.org

DroneBL

DroneBL is a general blacklist which can be used as an e-mail filter. It's made by volunteers who report bad IPs. It works well.

Potential downside: DroneBL will have entries on it which are unrelated to e-mail. A host can get on this general list if it is functioning as an open HTTP proxy (due to Apache misconfiguration or an exploit) that people can abuse to send spam via HTTP POST requests on port 80. That's obviously bad, but it doesn't mean the host is able to send any e-mail spam messages. Its e-mail system may be fine.

  • DNSBL configuration: dnsbl.dronebl.org

GBUdb (Good, Bad, Ugly)

GBUdb is a database made by ARM Research Labs, LLC (ARM)[2]. They have a network of e-mail servers which is checked for bad content using their own software. The rules for being listed as "bad" by their software are fairly strict. It is a software-automated service, so there is no way to submit IPs to this list.

GBUdb is free to use, it works very well, and it's restrictive enough to make false positives a non-issue.

  • DNSBL configuration: truncate.gbudb.net

SpamCop

The SpamCop Blocking List's (SCBL) story is that "The SCBL is a list of IP addresses which have transmitted reported email to SpamCop users, which in turn is used to block and filter unwanted email."[3] This should, in theory, prevent false positives from automatically entering their list.

SpamCop is free and it is a great service which does prevent a lot of spam, but it does not catch everything. SpamCop is based on manual human labor (SpamCop users submitting e-mails). This makes the false positive rate very low, as good as zero. You will not miss out on any legitimate e-mails using this list.

  • DNSBL configuration: bl.spamcop.net

Spamhaus

Spamhaus is a really old and really good service with blacklists for e-mail as well as quite a lot of other things. For the purpose of this comparison we'll only consider their e-mail filter. This filter really is very good and if we were forced to use just one - not a whole list of filters - then we would probably pick Spamhaus.

The downside to using Spamhaus: Spamhaus is a commercial service. It is NOT free. You are allowed to use their list as long as your e-mail server has fewer than 100 users. Queries against this list will simply stop working if they decide your host is sending too many queries. A trick to prevent Spamhaus from banning your mail server is to use their service as one of the last services queried, so only messages that have slipped through the other filters are checked against Spamhaus.

  • DNSBL configuration: zen.spamhaus.org

SpamRATS

SpamRATS is an old service which is free to use[4]. It offers quite a few lists. The "spam" list is absolutely worth using. Their other lists... not so much. For example, RATS-Dyna will simply tell you if an e-mail is sent from a server with a PTR record for that domain. That marks all vmail services as "spam", and that's just foolish. Their "spam" list is the only one of their lists which makes sense, and it's worth using. The others basically rule out anyone who's not a big e-mail provider like Microsoft or Google.

  • DNSBL configuration: spam.spamrats.com

SORBS

SORBS (Spam and Open Relay Blocking System) is a spam fighting service in Australia[5]. Their list is very broad and therefore either really effective or overly aggressive depending on how you look at it.

There are two main reasons why you should carefully consider if you really want to use SORBS:

  1. They have a long history of banning large IP ranges. One bad IP on a /24 appears to be enough to get the entire /24 blacklisted.
  2. They have a history of banning machines running various known services they do not like even though those services cannot be used to send e-mail at all. One example is their banning of Tor relays. A Tor exit node can send connections to websites using http/https but cannot send e-mail. A Tor relay can't even do that. Blacklisting machines based on them being Tor relays makes zero sense.

SORBS's blocking policy appears to be: When in doubt, block it and everything near it.

You will get less spam by using SORBS's list. But you will also block a lot of legitimate e-mail by using it.

  • DNSBL configuration: dnsbl.sorbs.net[6].

surriel's Passive Spam Block List

This is a very simple anti-spam blacklist which you should NOT use for high-volume corporate e-mail servers. Do use it for your personal e-mail server.

The PSBL is essentially just some guy who runs his own e-mail server and blacklists everyone who sends him spam[7].

The reason we advise against corporate use of this list is that some guy running some e-mail server is likely not prepared for millions upon millions of queries.

  • DNSBL configuration: psbl.surriel.com

WPBL - Weighted Private Block List

WPBL has been around for a very long time. It's a good list with very few false positives. Only single hosts are added and all entries are temporary: you have to keep on sending spam to stay on this list. It's a good list worth using.

  • DNSBL configuration: db.wpbl.info

manitu.net, inps.de and blocklist.de

These services appear to work. Their websites are all in something called German. Very little is known about these services beyond the fact that they are based in Europe and have German websites.

DNSBL configuration:

  • ix.dnsbl.manitu.net
  • dnsbl.inps.de
  • bl.blocklist.de

Dead services

  • relays.ordb.org: The Open Relay Database (ORDB.org) is now dead. It's over, they are not coming back. Remove relays.ordb.org from any mail configuration file where it's present.
  • rbl.orbitrbl.com: Bankrupt and finished. Service no longer operational.
  • dnsbl.proxybl.org: Proxybl.org is GONE and dnsbl.proxybl.org should, when seen in mail server configuration files, be eradicated.
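Both the advice in the introduction (understand a list before pasting it into main.cf) and the dead-services list above come down to one check you can automate. RFC 5782 requires every DNSBL to list the test address 127.0.0.2 and to never list 127.0.0.1. A dead zone fails the first test, and every delivery then waits on a DNS timeout for it; a zone whose domain has lapsed or changed hands often fails the second, answering "listed" for every address and rejecting all your inbound mail. The block below is an added example, not LinuxReviews' code: it pulls the `reject_rbl_client` zones out of a main.cf fragment and classifies each one from those two test points. The fragment is constructed from the zones on this page plus the dead relays.ordb.org entry, and the resolver is injectable so the audit can run offline against a constructed answer table.

```python
"""Audit the DNSBL zones in a Postfix restriction list.

Added example for the LinuxReviews page, not the site's code.
RFC 5782 requires every DNSBL to list 127.0.0.2 and to not list 127.0.0.1.
A zone that fails the first test is dead (each delivery then waits for a
DNS timeout); one that fails the second answers "listed" for every address
and will reject all inbound mail.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a query name to the A record it got, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed sample fragment of a Postfix main.cf (zones from the page,
# plus the dead relays.ordb.org entry the page says to remove).
MAIN_CF_FRAGMENT = """
smtpd_recipient_restrictions =
  permit_mynetworks,
  reject_unauth_destination,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
  reject_rbl_client relays.ordb.org,
  reject_rhsbl_sender dsn.rfc-ignorant.org,
"""

# Matches "reject_rbl_client <zone>[=<result filter>]," lines.
RBL_LINE = re.compile(
    r"^\s*reject_rbl_client\s+([A-Za-z0-9.-]+)(?:=\S+)?\s*,?\s*$", re.MULTILINE
)


def rbl_zones(main_cf: str) -> List[str]:
    """Zones queried by client IP.  RHSBLs (reject_rhsbl_*) are skipped:
    they are keyed on domain names, so the 127.0.0.2 test point does not apply."""
    return RBL_LINE.findall(main_cf)


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the host's configured DNS; NXDOMAIN/failure -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def zone_health(zone: str, resolve: Resolver = system_resolver) -> str:
    """Classify one zone from its answers for the two RFC 5782 test points."""
    zone = zone.rstrip(".")
    must_list = resolve(f"2.0.0.127.{zone}.")   # 127.0.0.2 must be listed
    must_not = resolve(f"1.0.0.127.{zone}.")    # 127.0.0.1 must not be listed
    if must_not is not None:
        if must_not.startswith("127.255.255."):
            return "query-refused"    # Spamhaus-style error code on every query
        return "lists-everything"     # lapsed/hijacked zone or broken list
    if must_list is None:
        return "dead"                 # no answer for the mandatory test point
    return "ok"


def audit(main_cf: str, resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Health of every reject_rbl_client zone in a main.cf fragment."""
    return {zone: zone_health(zone, resolve) for zone in rbl_zones(main_cf)}


if __name__ == "__main__":
    # Live run against the host's resolver; feed it your real main.cf.
    for zone, status in audit(MAIN_CF_FRAGMENT).items():
        print(f"{zone:28} {status}")
```

Anything other than "ok" is a zone to remove or investigate before it costs you mail: "dead" adds latency to every connection, "lists-everything" rejects everyone, and "query-refused" means the list is blocking your resolver, which is the symptom the "use your own DNS server" tip addresses.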

One last tip: Blacklists are best used for one-way filtering

It's generally a good idea to make sure that your users can still send mail to services they can't receive mail from because those services happen to be on a blacklist. There is such a thing as false positives, especially if you're using SORBS or DSBL's "unconfirmed" list.

Notes

  1. CBL - Composite Blocking List
  2. About ARM Research Labs, LLC
  3. What is the SpamCop Blocking List (SCBL)?
  4. SpamRATS: About
  5. SORBS (Spam and Open-Relay Blocking System)
  6. SORBS: Using SORBS
  7. Passive Spam Block List: The idea is that 99% of the hosts that send me spam never send me legitimate email, but that people whose mail server was used by spammers should still be able to send me email.
