Responsible Use of E-mail Blacklists

Introduction

One of the methods most commonly employed for reducing the amount of junk mail reaching inboxes is the use of Black Lists. Black Lists generally contain IP addresses from which spam has been sent. Given that if spam has been sent from an IP address at some point, it is likely to happen again in the future, it is common practice to reject all mail sent from IP addresses which are included in the Black List.

There are various types of Black Lists. If we classify them according to who can consult them, there are private lists for exclusive use by an organisation or company, others which security firms offer their clients for a fee and lastly, lists that can generally be freely consulted and which are by far the most widely used. In this document the latter are analysed because even those who use private or paid-for lists also tend to consult the public Black Lists. For this reason good use of these lists - selecting those which are reliable and avoiding those which are not recommended - is of great importance for the smooth running of email on the internet.

Purpose

As with the other measures used to combat junk mail, the Black Lists are a palliative remedy which has secondary effects that can be minimised through suitable and appropriate use. The purpose of this document is to help ensure responsible use of email Black Lists. To do this the most popular Black Lists are evaluated in accordance with a set of characteristics, enabling each Black List to be classified as either reliable or not recommended. The ABUSES Forum wishes to highlight that responsible use of Black Lists should prevent consultation of those lists which are not recommended, both for the benefit of those who use these lists and for the rest of the network.

Black List characteristics assessed

The characteristics a Black List has to have in order to be reliable, based on the data provided by the members of the ABUSES forum, are as follows:

  1. It should not request money or other donations for removing an IP address from its black list. This would lead to a protection tax and a loss of confidence in one of the weapons in the fight against SPAM.
  2. It should not list full ranges of IP addresses, but rather individual addresses that send spam or are infected by trojans, etc., (except DUL lists). Every effort should be made to ensure that IP addresses that send legitimate mail are not affected by the Black List.
  3. There must be clear mechanisms in place, both automatic and manual, for removing the address once the junk mail problem has been resolved. This gives great credibility to the corresponding Black List.
  4. There must be a fast, clear form of contact for communicating with the list's administrators. An IP address should not be listed for longer than necessary.
  5. Seriousness and accuracy should be observed when deciding to include an IP address on the list. The criteria employed for including an IP address on the list should be fair and known.
  6. Notification of the SPAM received. This would give the service provider the chance to act before the IP address is included in the list. If the provider's client claims not to know why they are on the Black List, the provider will be able to tell them the reason and provide the corresponding evidence.
  7. Access to the e-mail or e-mails which led to inclusion on the list. If it is not possible for the provider to receive reports of the abuses committed, they should at least be able to inform the client of where to find the evidence that the SPAM has been sent.

Classification of a Black List

The lists are classified by points in reverse order to the previously established order. Thus characteristic number 1 adds 7 points to the list and condition 7 adds 1 point to said rating.

Lists that do not meet conditions 1, 2 and 3 should be classified as not recommended and they are given 0 points to show that their use is not advised.

The ABUSES Forum has assessed the seven characteristics of the most popular public access Black Lists. A list is considered to be NOT RECOMMENDED when it scores less than 10 points. According to this criterion, the ABUSES Forum considers the following Black Lists to be not recommended for use: APEWS, FIVE-TEN, MAPS-RBL, SORBS SPAM DATABASE and UCEPROTECT. The Black Lists marked as RELIABLE have scored more than the aforementioned limit (10 points), but each agent is responsible for their use and should be aware of the conditions and consequences of using each one.

Name                 P1  P2  P3  P4  P5  P6  P7  Total
APEWS                 0   0   0   0   0   0   0      0
CBL                   7   6   5   4   3   0   0     25
FIVE-TEN              0   0   0   0   0   0   0      0
MAPS-DUL              7   0   0   0   0   0   0      7
MAPS-RBL              7   0   0   0   0   0   0      7
NJABL                 7   6   5   0   3   0   1     22
PSBL                  7   6   5   0   3   0   1     22
SORBS SPAM DATABASE   0   0   0   0   0   0   0      0
SORBS-DUL             7   0   5   0   3   0   0     15
SPAMCOP               7   6   5   4   3   2   0     27
SPAMHAUS-PBL          7   0   5   0   0   0   0     12
SPAMHAUS-XBL          7   6   5   4   3   0   0     25
SPAMCANNIBAL          0   0   0   0   0   0   0      0
UCEPROTECT            0   0   0   0   0   0   0      0
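
The point scheme and threshold described above can be checked mechanically against the table. The following is an added example, not code from the ABUSES Forum; the function names are hypothetical, and the reading of the zero-point rule and the handling of a total of exactly 10 are assumptions marked in the comments.

```python
# Added example: recompute the table from the point scheme described above.
WEIGHTS = [7, 6, 5, 4, 3, 2, 1]  # characteristic n earns 8 - n points
THRESHOLD = 10                   # a total below this is NOT RECOMMENDED

# name: (P1..P7, Total), copied from the page's table
TABLE = {
    "APEWS":               ([0, 0, 0, 0, 0, 0, 0], 0),
    "CBL":                 ([7, 6, 5, 4, 3, 0, 0], 25),
    "FIVE-TEN":            ([0, 0, 0, 0, 0, 0, 0], 0),
    "MAPS-DUL":            ([7, 0, 0, 0, 0, 0, 0], 7),
    "MAPS-RBL":            ([7, 0, 0, 0, 0, 0, 0], 7),
    "NJABL":               ([7, 6, 5, 0, 3, 0, 1], 22),
    "PSBL":                ([7, 6, 5, 0, 3, 0, 1], 22),
    "SORBS SPAM DATABASE": ([0, 0, 0, 0, 0, 0, 0], 0),
    "SORBS-DUL":           ([7, 0, 5, 0, 3, 0, 0], 15),
    "SPAMCOP":             ([7, 6, 5, 4, 3, 2, 0], 27),
    "SPAMHAUS-PBL":        ([7, 0, 5, 0, 0, 0, 0], 12),
    "SPAMHAUS-XBL":        ([7, 6, 5, 4, 3, 0, 0], 25),
    "SPAMCANNIBAL":        ([0, 0, 0, 0, 0, 0, 0], 0),
    "UCEPROTECT":          ([0, 0, 0, 0, 0, 0, 0], 0),
}

def characteristics_met(points):
    """Map a row's points back to the characteristic numbers it was credited with."""
    for n, (p, w) in enumerate(zip(points, WEIGHTS), start=1):
        if p not in (0, w):
            raise ValueError(f"P{n}={p}: expected 0 or {w}")
    return [n for n, p in enumerate(points, start=1) if p]

def score(met):
    """Total for the characteristics met. Assumption: the zero-point rule
    ('do not meet conditions 1, 2 and 3') is read as failing all three."""
    if not {1, 2, 3} & set(met):
        return 0
    return sum(WEIGHTS[n - 1] for n in met)

def classify(total):
    # The page leaves a total of exactly 10 undefined; treated as reliable here (assumption).
    return "NOT RECOMMENDED" if total < THRESHOLD else "RELIABLE"

def evaluate(table=TABLE):
    """Return {name: (total, verdict)}; raise if a printed Total disagrees."""
    results = {}
    for name, (points, printed) in table.items():
        total = score(characteristics_met(points))
        if total != printed:
            raise ValueError(f"{name}: recomputed {total}, table says {printed}")
        results[name] = (total, classify(total))
    return results
```

Calling `evaluate()` returns each list's recomputed total and verdict, and raises if a row's cells do not add up to its printed total.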

UCEPROTECT: They request money to remove you from the lists and try to make a profit, which is reason enough for the list to be considered unreliable. They also indiscriminately include complete ASNs. NOT RECOMMENDED.

SORBS SPAM DATABASE: They ask for money to remove you from the list, which is reason enough for them to be considered unreliable. NOT RECOMMENDED.

MAPS-DUL (TRENDMICRO): This list works fairly well, although interacting with them is not easy; it is not an automatic process and you have to try a number of times. NOT RECOMMENDED.

MAPS-RBL (TRENDMICRO): It does not have a good system for removing IP addresses from the list, they are not easy to communicate with and they do not listen to reason; consequently it is not a very reliable list. NOT RECOMMENDED.

FIVE-TEN: Their policy is not to accept any IP address whose reverse DNS resolves to a generic name. NOT RECOMMENDED.

APEWS: This is a list created by an organisation for its own use with local criteria and is made available to the general public. It allows for the incorporation of parts of the internet from which you do not wish to receive mail. It is among the most restrictive and does not have an e-mail address for requesting the removal of an IP address from its list. NOT RECOMMENDED.

SPAMCANNIBAL: This is a black list that allows complete ranges of IP addresses to be included simply because the names associated with those addresses seem to be generated by a particular script (for example, we are provider X and we call our servers server1.x.com, server2.x.com, serverN.x.com). They do not provide any automated mechanism for removing addresses from the list and even well-reasoned requests are rejected. NOT RECOMMENDED.

SORBS-DUL: This is not really a Black List. It is a list of dynamic ranges and works fairly well. It tells you which ISP ranges use dynamic addressing and should therefore not attempt to connect directly to your MTA; hosts in those ranges that do so tend to be spam bots. If for any reason a non-dynamic range is added to the list, you can contact them and ask them to remove it, and they tend to do so fairly promptly. RELIABLE

CBL: This list works fairly well. If an IP is included in this list it is because it has actually been sending spam. It is highly dynamic, fast and easy to manage. Removing an IP from the list only takes a minute. This means that there are no false positives and that the information is really reliable, as there will be no IPs on the list from which spam was sent a long time ago, only those from which spam is currently being sent. RELIABLE

SPAMHAUS PBL: Their website does not allow whole ranges to be managed, only individual IP addresses, and they do not provide any support contact. If by mistake they list a whole range from a given ISP, it takes a lot of work to rectify the mistake. RELIABLE

SPAMHAUS XBL: This list is actually based on CBL.abuseat.org, which means that if you are listed on CBL you will also be listed on Spamhaus XBL. RELIABLE

SPAMCOP: This is similar to CBL Abuseat and Spamhaus XBL with the added value of informing the client's ISP that they are committing abuses and sending them evidence of this fact. They also fulfil all the other characteristics described. RELIABLE

PSBL: Easy to request the removal of an IP address and it also keeps a history of evidence for each IP listed. RELIABLE

NJABL: Like the previous example, you can view the messages that have led to the IP address being included in the list and it is easy to remove an IP address from said list. RELIABLE