DNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service (DNS) either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.

DNSBL is a software mechanism, rather than a specific list or policy. There are dozens of DNSBLs in existence, which use a wide array of criteria for listing and delisting of addresses. These may include listing the addresses of zombie computers or other machines being used to send spam, listing the addresses of ISPs who willingly host spammers, or listing addresses which have sent spam to a honeypot system.

Since the creation of the first DNSBL in 1997, the operation and policies of these lists have been frequently controversial, both in Internet advocacy and occasionally in lawsuits. Many email systems operators and users consider DNSBLs a valuable tool to share information about sources of spam, but others including some prominent Internet activists have objected to them as a form of censorship. In addition, a small number of DNSBL operators have been the target of lawsuits filed by spammers seeking to have the lists shut down.

History of DNSBLs

The first DNSBL was the Real-time Blackhole List (RBL), created in 1997, at first as a BGP feed by Paul Vixie, and then as a DNSBL by Eric Ziegast as part of Vixie's Mail Abuse Prevention System (MAPS); Dave Rand at Abovenet was its first subscriber. The very first version of the RBL was not published as a DNSBL, but rather a list of networks transmitted via BGP to routers owned by subscribers so that network operators could drop all TCP/IP traffic for machines used to send spam or host spam supporting services, such as a website. The inventor of the technique later commonly called a DNSBL was Eric Ziegast while employed at Vixie Enterprises.

The term "blackhole" refers to a networking black hole, an expression for a link on a network that drops incoming traffic instead of forwarding it normally. The intent of the RBL was that sites using it would refuse traffic from sites which supported spam — whether by actively sending spam, or in other ways. Before an address would be listed on the RBL, volunteers and MAPS staff would attempt repeatedly to contact the persons responsible for it and get its problems corrected. Such effort was considered very important before blackholing all network traffic, but it also meant that spammers and spam supporting ISPs could delay being put on the RBL for long periods while such discussions went on.

Later, the RBL was also released in a DNSBL form and Paul Vixie encouraged the authors of sendmail and other mail software to implement RBL support in their clients. These allowed the mail software to query the RBL and reject mail from listed sites on a per-mail-server basis instead of blackholing all traffic.

Soon after the advent of the RBL, others started developing their own lists with different policies. One of the first was Alan Brown's Open Relay Behavior-modification System (ORBS). This used automated testing to discover and list mail servers running as open mail relays—exploitable by spammers to carry their spam. ORBS was controversial at the time because many people felt running an open relay was acceptable, and that scanning the Internet for open mail servers could be abusive.

In 2003, a number of DNSBLs came under denial-of-service attacks. Since no party has admitted to these attacks nor been discovered responsible, their purpose is a matter of speculation. However, many observers believe the attacks are perpetrated by spammers in order to interfere with the DNSBLs' operation or hound them into shutting down. In August 2003, the firm Osirusoft, an operator of several DNSBLs including one based on the SPEWS data set, shut down its lists after suffering weeks of near-continuous attack.

URI DNSBLs

A URI DNSBL is a DNSBL that lists the domain names and IP addresses which are found in the "clickable" links contained in the body of spams, but generally not found inside legitimate messages.

URI DNSBLs were created when it was determined that much spam made it past spam filters during that short time frame between the first use of a spam-sending IP address and the point where that sending IP address was first listed on major sending-IP-based DNSBLs.

In many cases, such elusive spams contain in their links domain names or IP addresses (collectively referred to as URIs) where that URI was already spotted in previously caught spam and where that URI is not found in non-spam e-mail.

Therefore, when a spam filter extracts all URIs from a message and checks them against a URI DNSBL, then the spam can be blocked even if the sending IP for that spam has not yet been listed on any sending IP DNSBL.

Of the three major URI DNSBLs, the oldest and most popular is SURBL, created and operated primarily by Jeff Chan. After SURBL was created, some of the administrators and contributors to SURBL started the second major URI DNSBL, URIBL. More recently, another current and long-time SURBL administrator, Rob McEwen, started the third major URI DNSBL, ivmURI.

URI DNSBLs are often confused with RHSBLs (Right Hand Side BLs). But they are different. A URI DNSBL lists domain names and IPs found in the body of the message. An RHSBL lists the domain names used in the "from" or "reply-to" e-mail address. RHSBLs are not very effective because most spams either use forged "from" addresses or use "from" addresses containing popular freemail domain names, such as @gmail.com, @yahoo.com, or @hotmail.com addresses. In contrast to marginally effective and not-often-used RHSBLs, URI DNSBLs are very effective and are used by the majority of spam filters.

How a DNSBL works

To operate a DNSBL requires three things: a domain to host it under, a nameserver for that domain, and a list of addresses to publish.

It is possible to serve a DNSBL using any general-purpose DNS server software. However, this is typically inefficient for zones containing large numbers of addresses, particularly DNSBLs which list entire Classless Inter-Domain Routing netblocks. Because general-purpose DNS server software consumes substantial resources in this role, there are software applications designed specifically for serving DNS blacklists.

The hard part of operating a DNSBL is populating it with addresses. DNSBLs intended for public use usually have specific, published policies as to what a listing means, and must be operated accordingly to attain or sustain public confidence.

DNSBL queries

When a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let's say, dnsbl.example.net), it does more or less the following:
  1. Take the client's IP address—say, 192.168.42.23—and reverse the order of octets, yielding 23.42.168.192.
  2. Append the DNSBL's domain name: 23.42.168.192.dnsbl.example.net.
  3. Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an "NXDOMAIN" ("No such domain") code, indicating that the client is not.
  4. Optionally, if the client is listed, look up the name as a text record ("TXT" record). Most DNSBLs publish information about why a client is listed as TXT records.


Looking up an address in a DNSBL is thus similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the "A" rather than "PTR" record type, and uses a forward domain (such as dnsbl.example.net above) rather than the special reverse domain in-addr.arpa.

There is an informal protocol for the addresses returned by DNSBL queries which match. Most DNSBLs return an address in the 127.0.0.0/8 IP loopback network. The address 127.0.0.2 indicates a generic listing. Other addresses in this block may indicate something specific about the listing—that it indicates an open relay, proxy, spammer-owned host, etc. For details see RFC 5782.

URI DNSBL

A URI DNSBL query (and an RHSBL query) is fairly straightforward. The domain name to query is prepended to the DNS list host as follows:

example.net.dnslist.example.com

where dnslist.example.com is the DNS list host and example.net is the queried domain. Generally if an A record is returned the name is listed.
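
The query steps under "DNSBL queries" and the URI DNSBL form above, as an added Python example (not code from the original article). It goes beyond the text by also building IPv6 query names in the reversed-nibble form of RFC 5782 and by refusing to count answers outside 127.0.0.0/8 as listings; the records in `SAMPLE_RECORDS` and the addresses in 203.0.113.0/24 are constructed sample data, and the function names are this example's own.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def ip_query_name(ip, zone):
    """Steps 1-2: reverse the address labels and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                  # one label per octet
    else:
        labels = list(addr.exploded.replace(":", ""))  # one label per hex nibble
    return ".".join(reversed(labels)) + "." + zone.strip(".")


def domain_query_name(domain, zone):
    """URI DNSBL / RHSBL form: the domain is prepended to the list host."""
    return domain.strip(".").lower() + "." + zone.strip(".")


def system_resolver(name):
    """A-record lookup through the OS resolver.

    The standard library cannot tell NXDOMAIN from a timeout or SERVFAIL,
    so every failure is returned as "no records" (the check fails open).
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def lookup(name, resolve=system_resolver):
    """Step 3: query the name as an A record and interpret the answer."""
    answers = [ipaddress.ip_address(a) for a in resolve(name)]
    codes = sorted(str(a) for a in answers if a in LOOPBACK)
    other = sorted(str(a) for a in answers if a not in LOOPBACK)
    if other:
        # Outside 127.0.0.0/8: not a DNSBL return code (for example a
        # wildcarded or parked zone), so it is not counted as a listing.
        return {"name": name, "status": "invalid", "codes": other}
    if codes:
        return {"name": name, "status": "listed", "codes": codes}
    return {"name": name, "status": "not listed", "codes": []}


# Constructed sample records standing in for live DNS.
SAMPLE_RECORDS = {
    "23.42.168.192.dnsbl.example.net": ["127.0.0.2"],
    "7.113.0.203.dnsbl.example.net": ["198.51.100.10"],
    "example.net.dnslist.example.com": ["127.0.0.2"],
}


def sample_resolver(name):
    return SAMPLE_RECORDS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.168.42.23", "203.0.113.9", "203.0.113.7"):
        print(lookup(ip_query_name(ip, "dnsbl.example.net"), sample_resolver))
    print(lookup(domain_query_name("example.net", "dnslist.example.com"),
                 sample_resolver))
```

A mail server that needs to tell "not listed" apart from "list unreachable" has to use a resolver that exposes the DNS response code, which `socket` does not.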

DNSBL policies

Different DNSBLs have different policies. DNSBL policies differ from one another on three fronts:
  • Goals. What does the DNSBL seek to list? Is it a list of open-relay mail servers or open proxies—or of IP addresses known to send spam—or perhaps of IP addresses belonging to ISPs that harbor spammers?
  • Nomination. How does the DNSBL discover addresses to list? Does it use nominations submitted by users? Spam-trap addresses or honeypots?
  • Listing lifetime. How long does a listing last? Are they automatically expired, or only removed manually? What can the operator of a listed host do to have it delisted?

Uses of DNSBLs

DNSBLs can be used in rule-based spam blocking software like SpamAssassin, where different black lists are given point scores that can be mitigated by white rules to reduce false positives. They can also be used by MTAs like Exim, Sendmail and Postfix to outright block email if the sender's IP address or host name is listed in a DNSBL.

One way to do this is to first check white lists and pass the email if the server is on a white list. A technique developed by Junk Email Filter uses Yellow Lists and NoBL lists to mitigate the false positives that often occur when using multiple black lists. Yellow lists are host names and IP addresses of servers that are known to be a source of mixed spam and non-spam. Examples would be Yahoo, Hotmail, and Gmail. If the forward-confirmed reverse DNS (FCrDNS) resolves to one of these hosts, then the IP address contains no information about whether the message is or isn't spam. Thus other DNSBL tests should not occur, because the IP carries no useful information.

Here's a list of different kinds of DNS lists:
  • White List - IP is a trusted email source.
  • Black List - 100% spam. Message should be rejected.
  • Yellow List - Message comes from a mixed source and IP should not be tested further.
  • NoBL list - IP is not a spam source but may be a ham source.

Messages should first be checked for yellow listing. If listed, then no further checking is needed. Then the message should be white list tested. If it is found listed in a white list, the message should be accepted as good. Then the NoBL lists should be tested. If listed then black list tests should be bypassed. Finally the black list testing should apply. The message is rejected if it is found in a black list. To be safe one might score the blacklists and reject if listed on multiple lists.
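
The checking order just described, as an added Python example (not code from Junk Email Filter or from the original article). The zone names, the verdict strings, the `is_listed` callback and the sample data are assumptions of this example; it also records which zones were queried, to show that black lists are never consulted once an earlier list matches.

```python
def classify_sender(ip, zones, is_listed, reject_threshold=1):
    """Apply the list types in the order yellow, white, NoBL, black.

    zones maps "yellow", "white", "nobl" and "black" to lists of zone names.
    is_listed(zone, ip) performs one lookup and returns True or False.
    Returns (verdict, zones_queried).
    """
    queried = []

    def hits(kind):
        found = []
        for zone in zones.get(kind, []):
            queried.append(zone)
            if is_listed(zone, ip):
                found.append(zone)
        return found

    if hits("yellow"):
        return "no-verdict", queried       # mixed source: the IP says nothing
    if hits("white"):
        return "accept", queried           # trusted source
    if hits("nobl"):
        return "skip-blacklists", queried  # not a spam source: bypass black lists
    if len(hits("black")) >= reject_threshold:
        return "reject", queried
    return "no-verdict", queried           # leave the decision to other tests


# Hypothetical zone names and constructed listings.
ZONES = {
    "yellow": ["yellow.example.net"],
    "white": ["white.example.net"],
    "nobl": ["nobl.example.net"],
    "black": ["bl1.example.net", "bl2.example.net"],
}
LISTINGS = {
    ("yellow.example.net", "203.0.113.10"),
    ("bl1.example.net", "203.0.113.10"),   # also black-listed, never reached
    ("white.example.net", "203.0.113.20"),
    ("nobl.example.net", "203.0.113.30"),
    ("bl1.example.net", "203.0.113.40"),
    ("bl1.example.net", "203.0.113.50"),
    ("bl2.example.net", "203.0.113.50"),
}


def sample_is_listed(zone, ip):
    return (zone, ip) in LISTINGS


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30",
               "203.0.113.40", "203.0.113.50"):
        print(ip, classify_sender(ip, ZONES, sample_is_listed, reject_threshold=2))
```

With `reject_threshold=2` a single black list hit is not enough to reject, which is the "score the blacklists" safeguard from the paragraph above.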

Criticisms

Email users who find their messages blocked from mail servers that use DNSBLs may object, sometimes to the extent of attacking the existence of the lists themselves. The following listing practices are controversial:
  • Lists of dynamic or dial-up IP addresses. These lists most often also include "static" ADSL addresses, thus "end-user IP addresses" might have been a better description. Some mail sites choose not to accept messages from such addresses, since they are often home computers exploited by spammer viruses.
    This can seriously inconvenience SOHO users who wish to run their own mail servers on residential ISP connections or local MTAs on laptops, for example. Forcing users to relay their outbound email through their ISP's mail server often yields unsatisfactory results. For example, many ISP-provided mail servers reject "foreign" "From" email addresses, i.e., those outside the ISP's domain, and this may prevent the perfectly legitimate use of personal and/or company domain names. Some ISPs' outbound mail servers are chronically overloaded or unreliable (perhaps because they're swamped by spam from other users that has been forced through them). Without administrative access to the server, users have no way to determine if their mail has been successfully delivered, is still pending delivery, or has been lost and will never be delivered. Even when the ISP's outbound mail server is fast and reliable, the same problem arises when the destination mail server is overloaded or unreliable. Running one's own outbound mail server, to which one presumably has administrative access, is the only practical solution to these problems.

  • Lists that include "spam-support operations", such as MAPS RBL. A spam-support operation is a site that may not directly send spam, but provides commercial services for spammers, such as hosting of Web sites that are advertised in spam. Refusal to accept mail from spam-support operations is intended as a boycott to encourage such sites to cease doing business with spammers, at the expense of inconveniencing non-spammers who use the same site as spammers.
  • Predictive ("early warning") lists, notably SPEWS. SPEWS listed addresses belonging to spam-support operations, under the hypothesis that such addresses were more likely to send spam in the future. SPEWS "escalated" listings, increasing the size of the netblock listed, as a site continued to support spam.
  • Some lists have unclear listing criteria and delisting may not happen automatically nor quickly. A few DNSBL operators will request payment (e.g. uceprotect.net) or donation (e.g. SORBS). Some of the many listing/delisting policies can be found in the Comparison of DNS blacklists article.
  • Because lists have varying methods for adding IP addresses and/or URIs, it can be difficult for senders to configure their systems appropriately to avoid becoming listed on a DNSBL. For example, the UCEProtect DNSBL seems to list IP addresses merely once they have validated a recipient address or established a TCP connection, even if no spam message is ever delivered.


Although many have voiced objections to specific DNSBLs, few people object to the principle that mail-receiving sites should be able to reject undesired mail systematically. One who does is John Gilmore, who deliberately operates an open mail relay. Gilmore accuses DNSBL operators of violating antitrust law.
For Joe Blow to refuse emails is legal (though it's bad policy, akin to "shooting the messenger"). But if Joe and ten million friends all gang up to make a blacklist, they are exercising illegal monopoly power.


A number of parties, such as the Electronic Frontier Foundation and Peacefire, have raised concerns about some use of DNSBLs by ISPs. One joint statement issued by a group including EFF and Peacefire addressed "stealth blocking", in which ISPs use DNSBLs or other spam-blocking techniques without informing their clients.

Spammers have pursued lawsuits against DNSBL operators on similar grounds:
  • In 2003, a newly formed corporation calling itself "EmarketersAmerica" filed suit against a number of DNSBL operators in Florida court. Backed by spammer Eddy Marin, the company claimed to be a trade organization of "email marketers" and that DNSBL operators Spamhaus and SPEWS were engaged in restraint of trade. The suit was eventually dismissed for lack of standing.
  • In 2006, a US court ordered Spamhaus to pay $11,715,000 in damages to the spammer "e360 Insight LLC". The order was a default judgment, as Spamhaus (which is a UK operation, outside the court's jurisdiction) did not defend itself. See e360 Lawsuit. This decision was later overturned by an appeals court.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 