Kill Spam With Real-Time DNS Blacklists


A great Open Source project for gaining understanding about e-mail systems, including an in-depth look at SMTP and POP3, is the Java-based Apache JAMES Project.  Although JAMES has the unfortunate shortcoming of being built around the now defunct and unsupported Apache Avalon Framework, it’s still a fantastic learning tool for understanding email protocols, mail delivery, and spam filtering.  Not only that, it’s a fully functional, enterprise-ready mail server that can be up and running with minimal configuration.

One technology implemented by JAMES for spam filtering is real-time DNS blacklists.  DNSBLs identify the IP addresses of potential spam sources and machines known to be delivering spam (as determined by the sometimes controversial policies of the list owner).  Spam blacklists date back to 1996 with Paul Vixie’s Mail Abuse Prevention System, and are now used by ISPs and corporate mail systems around the world.  Countless organizations maintain blacklists, and Web sites like MX Toolbox permit ad hoc queries of IP addresses against dozens of published lists.

How It Works

Built around the UDP-based DNS protocol, a DNSBL is an efficient and lightweight mechanism for checking the IP addresses of incoming messages against a list of email senders a mail server may wish to avoid.  This is much like the concept of today’s Service Oriented Architectures – providing an uncoupled, standards-based interface consumed by arbitrary clients – except years ahead of its time when created.

Querying an IP address is as simple as reversing the octets of the address and appending the domain name of the list publisher.  Perform a DNS lookup of the “A record” for this string.  If a record is returned, the IP address is on the blacklist (some DNSBLs also return the reason for the listing in the TXT record).  If no record is found, the address isn’t listed.

Java, C#, and most other high-level programming languages provide a means for performing a DNS lookup.  A simple way to try it out, however, is from a DOS prompt.  Suppose you want to check the IP address 213.199.154.22 against the list maintained by 510 Software Group at blackholes.five-ten-sg.com.  You could use the nslookup command like this:

nslookup 22.154.199.213.blackholes.five-ten-sg.com

This should reply with “Non-existent domain”.  In other words, the address is “clean”.
To look up the same address on the SpamCop blacklist at bl.spamcop.net, you would use this command:

nslookup 22.154.199.213.bl.spamcop.net

SpamCop also has a mechanism for simulating a positive response.  Technically, 127.0.0.2 is a local (loopback) address.  But SpamCop will provide a record for it:

nslookup 2.0.0.127.bl.spamcop.net

Try it out.  You’ll get back a valid “A record” indicating the address is listed – simulating the response you’d get for a blacklisted host.
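The lookup procedure above (reverse the octets, append the list's zone, resolve the A record, treat "Non-existent domain" as clean) as an added Python example; this is illustrative code, not part of the original article or of JAMES. It assumes only the standard library, uses the zone names the article mentions, and adds one check a practitioner wants: a listing answer is expected in 127.0.0.0/8, so an answer outside that range (a wildcard or decommissioned list) is not treated as a hit.

```python
import ipaddress
import socket

# Zone names quoted in the article above.
SPAMCOP_ZONE = "bl.spamcop.net"
FIVETEN_ZONE = "blackholes.five-ten-sg.com"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets + list zone.

    213.199.154.22 + bl.spamcop.net -> 22.154.199.213.bl.spamcop.net
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("classic DNSBL lookups are defined for IPv4 addresses")
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def check_dnsbl(ip: str, zone: str, resolve=socket.gethostbyname):
    """Return the A record string if ip is listed in zone, otherwise None.

    `resolve` is injectable so the logic can be exercised offline; the
    default, socket.gethostbyname, raises socket.gaierror (an OSError
    subclass) on NXDOMAIN, which is the "Non-existent domain" case.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except OSError:
        return None  # no record: the address is not listed
    # By convention a listing resolves inside 127.0.0.0/8. Anything else
    # (e.g. a parked domain answering every query) is not a real listing.
    if not ipaddress.ip_address(answer).is_loopback:
        return None
    return answer


if __name__ == "__main__":
    # 127.0.0.2 is SpamCop's documented always-listed test address.
    print(check_dnsbl("127.0.0.2", SPAMCOP_ZONE))
```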

How Addresses Get Listed

IP addresses get added to blacklists based on the policies selected by the list owners.  This is important to understand before blindly adding all available blacklists to your mail server.  Some lists are more aggressive than others, and the more aggressive a policy is the more likely you are to have legitimate email filtered out of your inbox.

Some spammers are identified by trusted sources forwarding spam messages to list managers.  The mail headers will identify the IP address of the sender.  Other spammers are identified when list owners plant honeypots – bogus email addresses posted online in order to identify spammers harvesting email addresses from Web pages.

Some blacklists contain the IP addresses allocated to residential Internet subscribers regardless of whether they’ve been definitively identified as a spam source.  The rationale is that residential Internet users will use their ISP’s mail server to send and receive email.  Any email coming directly from a subscriber’s computer is either a deliberate spam campaign attempting to circumvent the ISP’s safeguards, or it’s a message generated by a zombie – a computer compromised by a virus and controlled by a hacker for the purpose of delivering spam.

Another category of blacklisted IP addresses belongs to open relays – mail servers that don’t require authentication and thus provide a “hop” for spam messages to freely pass through.  Open relays allow spammers to hide the true origin of their messages (because the originating IP address might already be blacklisted).  This abuse of the open mail server often occurs without the knowledge of the server owner.

All of these policies carry with them a bit of controversy.  A single spammer on a large network might cause thousands of innocent users on the same network to have their outbound email blocked.  Open relay owners are also regarded more as victims than active participants in spamming (although they should be summarily reprimanded for not applying the most basic of security measures to their mail exchange: SMTP authentication).  Also, when blacklists are used by ISPs, customers might unknowingly fail to receive wanted messages that were filtered out based on someone else’s definition of spam.

Available DNS Blacklists

DNSBLs are intended for use by mail service providers – not individual email system users.  If you administer a mail server, a comparison of available blacklists you may consider configuring can be found at the DNSBL Resource Stats Center.
