How do Blacklists work?
MAPS RSS
MAPS RSS is carefully maintained and only contains IP addresses that are known to have relayed spam via an open relay. All listings are investigated and confirmed to be an insecure server after notification. MAPS maintains samples of the spam that was sent via each open relay as well as the results of the testing performed after the spam is received. When an IP address is added to this list, an effort is made to contact the owner of the server and alert them that they have an open relay that is being abused, allowing them to correct the problem.
SPEWS
SPEWS is a list of areas on the Internet from which several system administrators, ISP postmasters, and other service providers have decided to deny email and, in some cases, all network traffic.
SPEWS identifies known spammers and spam operations, listing them as soon as they start, sometimes even before they start spamming. SPEWS does not run a request- or nomination-based list; entries in the list come from the knowledge and experience of the people who set up and use the SPEWS lists.
Any mail server using the SPEWS list to filter can be configured to do several things with incoming mail from SPEWS-listed IP addresses. The recommended method is to bounce the message back to the sender with a link to the SPEWS "Why was I referred to this website?" page.
SPAMHAUS BLOCK LIST (SBL)
The Spamhaus Block List ("SBL") is a database of IP addresses of direct spam sources: spammers, spam gangs and spam support services (but not open proxies or open relays), queryable in real time by mail systems throughout the Internet for the purpose of refusing mail from known spam senders.
All SBL entries are backed up with evidence which has fully satisfied the Spamhaus Project team that the IP is under the control of a spammer, spam operation or spam support service and that the IP or netblock represents an unwanted nuisance or threat to mail systems using the SBL.
SBL listings are immediate and, in the case of known spam gangs, are preemptive. The SBL does not require warnings or have a 'grace period' and does not require physical evidence of spam received from any specific IP to qualify a listing (in the case of known spam gangs, any IPs under their control are listed on sight). Warnings are, however, sent to block owners before listing large netblocks, and for listings greater than single /32s the ISP and block owner (or upstream) is advised wherever possible of the listing.
Listing Criteria
The criteria for listing IPs in the SBL are:
- Spam Sources: spammers sending bulk email verified to be unsolicited (spam) directly from static IPs under the spammer's control.
- Spam Gangs: spam gangs listed in ROKSO, including preemptively listing new netblocks each time known spammers move to new hosts.
- Spam Services: spammers' mail servers, web servers, DNS and other servers used in spamming.
- Spam Support Services: services providing 'bullet-proof' hosting for spam service purposes, serving 'spamware' sites, or knowingly providing services for spam service purposes.
SORBS (Spam and Open Relay Blocking System)
SORBS scans a host when it attempts to send mail to one of the 'feeder' servers. This means two things:
- First, if you are a spammer and never send mail to a domain using SORBS, you will never get blocked.
- Second, SORBS considers unsolicited scanning for vulnerable hosts to be abuse. Scanning a host upon connection is not considered abuse by SORBS, because the tested host is requesting a connection; the test is the terms of that connection.
SORBS automatically tests servers attempting to send mail to one of the 'feeder' servers. By sending mail to these servers the sender is requesting a cooperative connection. The administrators/owners of these sites will allow the cooperative connection on the basis that you allow the return connections of the SORBS servers to test your server.
SPAMCOP
Instead of trying to test, categorize and block the plethora of different systems at risk for Supposed Unsolicited Bulk Mail (SUBE), SpamCop blocks whichever systems the SUBE actually comes from, regardless of their technical merits. As a result, sites which have no technical problems but send a lot of SUBE will be listed. On the other hand, sites which fail some critical technical test but which remain SUBE-free will not be listed.
This list contains IP addresses which have been reported to SpamCop as carriers of SUBE, whether directly or indirectly. Some of these reports come from 'spamtraps' (email addresses used strictly to receive spam). The reports about SUBE from a given system are weighted against a sampling of the total amount of mail from the same system to determine a ratio. Some systems which send SUBE may not be listed because they also send a lot of legitimate mail.
Legitimate mail is estimated by monitoring the use of the SpamCop blocklist by third-party sites. Whenever certain third parties (picked manually as representative) check the blocklist for any given IP address, that host is given a non-SUBE point.
The majority of systems are either mostly SUBE or mostly legitimate mail. The trick is in deciding what to do with the ones in the middle. These are often the systems which send the most mail overall. In the end, an arbitrary line must be drawn.
The system currently operates based on these rules:
- Systems with a large number of SUBE reports relative to non-SUBE points will be blocked. The threshold is balanced manually in an effort to allow most legitimate systems and block most SUBE.
- SUBE is weighted by freshness: the most recently reported SUBE sites are counted 4:1. Reports 48 hours and older are counted 1:1, with a linear sliding scale between now and 48 hours past. Reports older than one week are ignored.
- Non-SUBE statistics above 1000 are counted at 1/2 their normal weighting. For instance, a host with a non-SUBE metric of 2000 would only be judged as a host with a rating of 1500 (see AOL example above).
- Spamtrap reports (mail sent to non-existent email addresses set up by SpamCop) are used to weight total reports. For spamtrap scores less than 6, the quantity of spamtrap reports is multiplied by 5 and added to the SUBE score. For larger spamtrap scores, the quantity is squared. For example, if a host has 2 spamtrap reports and 3 manual SUBE reports against it, its weighted SUBE score will be 13: 3 + (2 * 5) = 13. If a host has 7 spamtrap reports and 3 manual SUBE reports, its weighted SUBE score will be 52: 3 + (7 * 7) = 52.
- SUBE reports regarding website and email-address spamvertisement ARE NOT counted at all, i.e. websites or email addresses used to receive replies from SUBE are not blocked, unless they are also the senders of the SUBE.
- If a system has received reports regarding relaying spam while listed by an open-relay tracking service AND the same service now lists it as clean, an option is given for public-access manual delisting. If this option is utilized and no SUBE reports are received regarding more recent SUBE incidents, the host will be delisted.
- If a host has only 1 SUBE report against it, it will not be listed.
- If a server has only 2 SUBE reports against it and it has some detectable mail traffic older than 24 hours, it will not be listed.
- If a server has not been reported as sending SUBE within 48 hours, it will not be listed.
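The SpamCop weighting rules above, carried through as an added worked example (this is illustrative code written for this page, not SpamCop's own implementation). It assumes a report is a (age in hours, came-from-spamtrap) pair, that spamtrap hits count toward the "only 1 / only 2 reports" rules, that the SUBE-to-non-SUBE ratio divides by at least 1 to avoid dividing by zero, and that the manually balanced threshold is a caller-supplied value; the sample hosts are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

WEEK_H = 168.0  # reports older than one week are ignored


@dataclass
class Host:
    reports: List[Tuple[float, bool]]  # (age in hours, True if a spamtrap hit)
    non_sube_points: float             # raw third-party blocklist lookups
    old_traffic: bool = False          # detectable mail traffic older than 24h


def freshness_weight(age_h: float) -> float:
    """4:1 for a brand-new report, sliding linearly to 1:1 at 48h,
    1:1 until one week old, then ignored."""
    if age_h > WEEK_H:
        return 0.0
    if age_h >= 48.0:
        return 1.0
    return 4.0 - 3.0 * (age_h / 48.0)


def spamtrap_weight(n: int) -> int:
    """Fewer than 6 spamtrap hits count 5 each; 6 or more are squared."""
    return n * 5 if n < 6 else n * n


def weighted_sube(host: Host) -> float:
    """Manual reports weighted by freshness plus the spamtrap contribution."""
    manual = sum(freshness_weight(a) for a, trap in host.reports if not trap)
    traps = sum(1 for a, trap in host.reports if trap and a <= WEEK_H)
    return manual + spamtrap_weight(traps)


def adjusted_non_sube(points: float) -> float:
    """Non-SUBE points above 1000 count at half weight (2000 -> 1500)."""
    return points if points <= 1000 else 1000 + (points - 1000) / 2.0


def is_listed(host: Host, threshold: float = 0.01) -> bool:
    """Apply the page's listing rules; `threshold` is an assumed value
    standing in for the ratio SpamCop balances by hand."""
    live = [(a, t) for a, t in host.reports if a <= WEEK_H]
    if not any(a <= 48.0 for a, _ in live):
        return False  # nothing reported within the last 48 hours
    if len(live) <= 1:
        return False  # a single report never lists a host
    if len(live) == 2 and host.old_traffic:
        return False  # two reports plus established mail traffic
    ratio = weighted_sube(host) / max(adjusted_non_sube(host.non_sube_points), 1.0)
    return ratio > threshold
```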