May 2005

Dynamic Blacklists Demystified

Learn how to leverage these hit lists for spam

Spam and Open Relay Blocking System (SORBS—http://www.dnsbl.us.sorbs.net) lists approximately 3 million open relays, open proxies, dynamic IP address space, and otherwise compromised host systems that spammers use. Listing dynamic IP address space is controversial and a highly suspect practice. The justification for such listing is that legitimate mail servers should have a fixed IP address. However, many people prefer to use their own mail servers for outbound mail and to do so must use dynamically assigned IP addresses. Placing dynamic IP address space in its blacklist database is damaging to innocent individuals and reflects a dangerously low tolerance at SORBS for the selective needs of law-abiding individuals. I caution against using SORBS for anything other than spam-probability weighting; otherwise, you're bound to lose legitimate email. You can query the SORBS blacklists by using dnsbl.sorbs.net as the domain suffix for your queries.

Composite Blocking List (CBL—http://cbl.abuseat.org) uses spam traps set around the Internet to identify IP addresses that run suspected open proxies (whether via HTTP, SOCKS, AnalogX, Wingate, or other protocols) that are known to have been used to send spam or malicious code. If you use Spamhaus, then the CBL blacklist will be included in your queries, and in that case, using CBL as a separate blacklist service will be redundant. However, if you choose not to use Spamhaus, you can use the CBL on its own. You can query the CBL blacklists by using cbl.abuseat.org as the domain suffix for your queries.

Blitzed Open Proxy Monitor List is also included in queries to Spamhaus but can be used as a separate service. The service lists open proxies of various types that are known to have been used to send spam. The service detects open proxies by using spam email information and by performing checks against machines that connect to Internet Relay Chat (IRC) systems. You can query the Blitzed Open Proxy Monitor List blacklists by using opm.blitzed.org as the domain suffix for your queries.

Dnsbl.net.au (http://www.dnsbl.net.au/) has no formal name other than its domain name. The service provides a very large aggregate blacklist compiled from many sources and, as a result, produces a lot of positive results for queried IP addresses. The service tracks open proxies, open mail relays, and lots of other data that you can view on the site's Status page. This service also lists a lot of dynamic IP address space. You can query the aggregate blacklist by using t1.dnsbl.net.au as the domain suffix for your queries. You can also selectively query more than 20 categorized blacklists, the DNS addresses of which are listed on the Status page.

510 Software Group (http://www.five-ten-sg.com/blackhole.php) is less well known than the other blacklist service providers I've described. The service provides query results for spam sources, bulk mailing services that don't use opt-in policies, open relays, the end points of multistage open relay networks, Web sites that run mailing scripts prone to abuse by spammers, and sources of malicious code. The service also lists dynamic IP address space as well as network addresses of ISPs who allegedly refuse to remove spammers from their networks. You can query the 510 Software Group blacklists by using blackholes.five-ten-sg.com as the domain suffix for your queries.

SURBL—Spam URI Realtime Blocklists (http://www.surbl.org) is unique in that it lets you check domain names, rather than IP addresses. You can harvest domain names from URLs in the headers and body of a message and check to see whether SURBL lists them. If it does, the chances are good that the message is from a known spammer. To query SURBL, you must extract the domain name from a URL or message header and remove any host names. Then, you structure a query with surbl.org as the suffix, and query for an A record: for example, domain.tld.multi.surbl.org, where domain.tld is the domain name in question. If you receive a response with an address in the 127.0.0.x range, then the message is likely from a known spammer.
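The following is an added example, not code from the article or from any of the blacklist services it describes. It builds the query names for the IP-based lists above (using the standard DNSBL convention of reversing the IPv4 octets before appending the service's suffix), builds a SURBL query from a URL by stripping host labels down to domain.tld, treats an A record in 127.0.0.0/8 as a listing, and combines the results into a spam-probability score in which SORBS contributes only a low weight, as the article recommends. The DNS resolver is injected and backed by a constructed lookup table so the example runs offline; the weights, the 1.0 block threshold, and the two-label domain approximation are assumptions for illustration, and the IP addresses and domain are made up.

```python
"""Added example: building DNSBL and SURBL queries and scoring a message.
Not code from the Windows IT Pro article; lookups run against a
constructed table instead of live DNS."""
import ipaddress
from urllib.parse import urlsplit

# Query suffixes named in the article. Weights are assumed for illustration:
# SORBS is weighted low because the article recommends using it only for
# spam-probability weighting, never as a hard block, since it lists
# dynamic IP address space.
IP_LISTS = {
    "dnsbl.sorbs.net": 0.3,
    "cbl.abuseat.org": 1.0,
    "opm.blitzed.org": 1.0,
    "t1.dnsbl.net.au": 0.6,
    "blackholes.five-ten-sg.com": 0.6,
}
URI_LIST = "multi.surbl.org"   # domain-based list from the article
URI_WEIGHT = 1.0               # assumed
BLOCK_THRESHOLD = 1.0          # assumed: at or above this, reject

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip, suffix):
    """Standard DNSBL convention: reverse the IPv4 octets, append the suffix.
    1.2.3.4 queried against dnsbl.sorbs.net -> 4.3.2.1.dnsbl.sorbs.net"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + suffix


def surbl_name(url, suffix=URI_LIST):
    """Extract the domain from a URL and drop host names, as the article
    describes. Two-label approximation of domain.tld; real SURBL clients
    consult a public-suffix list for names such as example.co.uk."""
    host = (urlsplit(url).hostname or "").lower().strip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) + "." + suffix


def is_listed(answers):
    """A hit is an A record in 127.0.0.0/8 (the article's 127.0.0.x);
    an empty answer (NXDOMAIN) or any other address is a miss."""
    return any(ipaddress.IPv4Address(a) in LISTED_RANGE for a in answers)


def score_message(sender_ip, urls, resolve):
    """resolve(name) -> list of A-record strings ([] for NXDOMAIN).
    Returns (score, names_that_hit)."""
    score, hits = 0.0, []
    for suffix, weight in IP_LISTS.items():
        name = dnsbl_name(sender_ip, suffix)
        if is_listed(resolve(name)):
            score += weight
            hits.append(name)
    for url in urls:
        name = surbl_name(url)
        if is_listed(resolve(name)):
            score += URI_WEIGHT
            hits.append(name)
    return score, hits


def verdict(score):
    return "reject" if score >= BLOCK_THRESHOLD else "accept"


# Constructed lookup table standing in for live DNS; none of these are
# real listings. 1.2.3.4 appears only in SORBS (dynamic-space listing),
# 6.7.8.9 is in two proxy lists, and the domain is in SURBL.
FAKE_DNS = {
    "4.3.2.1.dnsbl.sorbs.net": ["127.0.0.10"],
    "9.8.7.6.cbl.abuseat.org": ["127.0.0.2"],
    "9.8.7.6.opm.blitzed.org": ["127.0.0.2"],
    "spam-example.test.multi.surbl.org": ["127.0.0.8"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip, urls in [("1.2.3.4", []),
                     ("6.7.8.9", ["http://www.spam-example.test/buy?x=1"])]:
        score, hits = score_message(ip, urls, fake_resolve)
        print(ip, score, verdict(score), hits)
```

A sender listed only in SORBS stays below the threshold and is accepted, which is the behaviour the article argues for; a sender that two proxy lists agree on, or whose message carries a SURBL-listed domain, is rejected. Swapping `fake_resolve` for a function that performs a real A-record lookup is the only change needed to run this against the live services.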

Evaluating Blacklist Service Provider Performance
If you search the Internet, you'll find dozens of blacklist service providers. Evaluating providers is difficult to do without reading lots of reports that are posted on the Internet by various users, and doing so is well worth your time. Fortunately, the task of gauging the effectiveness of the results that particular service providers offer is much easier. Jeff Makey maintains a Web site at http://www.sdsc.edu/~jeff/spam that offers helpful information. In particular, Makey publishes the results of his weekly surveys of various blacklist services. He bases his survey queries on the connecting IP addresses that deliver mail to his network, and he queries blacklist services to determine whether they list particular IP addresses. The survey results show which services offer the most accurate reports according to his particular queries. Obviously, query results will vary; nevertheless, Makey's reports are helpful as a gauge of how useful a given service might be for individual users.

Keep in mind that any blacklist provider listed in Makey's surveys might or might not suit your needs today, and how well a particular provider works for you can change depending on the type of spam you receive. Spammers tend to be moving targets, particularly when they use hijacked systems to create robot mailer networks. You also need to consider the influence of false positives, which can cause you to lose legitimate email depending on how your particular mail-filtering solution uses blacklist data. I can't stress enough the importance of thoroughly testing any service you use to determine whether it satisfies your needs.

The blacklist service providers that garner top results in Makey's reports are worth trying as part of your own mail-filtering solution. The service providers that I've listed above are among the top performers from his survey results of November 2004. If you already use or intend to use blacklist services, be sure to check out Makey's reports and bookmark his site for periodic review—it's an excellent resource.

The Lowdown
Querying dynamic blacklists increases an email message's processing overhead, and DNS-lookup lag times can slow down mail delivery, especially on networks that receive huge amounts of mail. Some blacklist service providers offer zone transfer service as a feature. If your network receives tens of thousands of messages or more on a daily basis, consider using DNS zone transfers to download a particular service provider's blacklists to your network. Zone transfers let you perform DNS queries locally, which dramatically increases mail-processing speed and significantly reduces your network traffic.

Using dynamic blacklist services can be controversial; in particular, many users complain that some services will blacklist IP addresses without much, if any, investigation. In my experience, blacklist service providers such as the ones I've listed here work fairly well, even if they are occasionally stubborn in their policies about which networks they list or remove from their lists. As with all types of services, users need to exercise due diligence and choose service providers wisely.

Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc. All rights reserved.