Blacklist Patrol
Did you just get blacklisted?
Get notified so you can take action.
Blacklist Patrol proactively monitors major anti-spam blacklists to see if your email server has been listed on any of them.
You're notified daily by email of any blacklists your server is found on.
What's the CBL's Real Inclusion Policy?
As has been explained a dozen times before on this site, a DNSBL (DNS-based Blacklist or Blocklist) is a list of networks or IP addresses that someone thinks are associated with spam, unwanted network activity, or whatever other arbitrary criteria the list operator has chosen. The list is published as a DNS zone, and a mail server consults it by looking up the sending IP under that zone at the moment a connection arrives.
There are many, many different DNSBL lists compiled and hosted by numerous organizations.
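As an added illustration (this is example code written for this edit, not code from the article or from any DNSBL operator), here is the lookup a mail server or a nightly monitoring job actually performs: the IPv4 address is written with its octets reversed, that name is queried under the list's zone, and an A record in 127.0.0.0/8 means "listed". The resolver is a constructed in-memory stand-in so the example runs offline; `cbl.abuseat.org` is the CBL's real zone name, but the listed address (192.0.2.10) and the answers are made up. The sanity check follows RFC 5782, which requires every live list to list 127.0.0.2 and never list 127.0.0.1; it catches the classic failure of a list that has been shut down and now answers for every query, which would otherwise block all of your inbound mail.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed stand-in for DNS: query name -> A record. Real zone name, made-up listing.
FAKE_ZONE: Dict[str, str] = {
    "10.2.0.192.cbl.abuseat.org": "127.0.0.2",  # constructed: 192.0.2.10 is "listed"
    "2.0.0.127.cbl.abuseat.org": "127.0.0.2",   # RFC 5782 test entry every live list carries
}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for a DNS A lookup; None plays the role of NXDOMAIN."""
    return FAKE_ZONE.get(name)


def dns_resolve(name: str) -> Optional[str]:
    """Real lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_resolve(name: str) -> Optional[str]:
    """Constructed: a dead list whose zone has been wildcarded to answer for everything."""
    return "127.0.0.2"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the list zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for IPv6 or junk input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_dnsbl(ip: str, zone: str, resolve: Resolver = fake_resolve) -> Optional[str]:
    """Return the list's answer code (e.g. '127.0.0.2') if ip is listed, else None."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    # DNSBL answers live in 127.0.0.0/8; anything else (captive DNS, a hijacked or
    # expired zone) must not be treated as a listing.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise RuntimeError(f"{zone} returned {answer}; DNSBL answers live in 127.0.0.0/8")
    return answer


def zone_is_sane(zone: str, resolve: Resolver = fake_resolve) -> bool:
    """RFC 5782 section 5: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (check_dnsbl("127.0.0.2", zone, resolve) is not None
            and check_dnsbl("127.0.0.1", zone, resolve) is None)


def daily_report(my_ips: List[str], zones: List[str],
                 resolve: Resolver = fake_resolve) -> Dict[str, List[str]]:
    """What a nightly monitoring job would produce: {ip: [zones it is listed on]}.
    Zones that fail the sanity check are skipped rather than reported as listings."""
    report: Dict[str, List[str]] = {}
    for ip in my_ips:
        report[ip] = [z for z in zones
                      if zone_is_sane(z, resolve) and check_dnsbl(ip, z, resolve)]
    return report


if __name__ == "__main__":
    print(daily_report(["192.0.2.10", "192.0.2.11"], ["cbl.abuseat.org"]))
```

To run it against real DNS, pass `dns_resolve` as the resolver; the rest of the code is unchanged. Checking `zone_is_sane` before trusting any answer is the one habit that prevents a decommissioned list from silently turning into a block-everything rule.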
To determine whether a given blacklist should be used in your server-side or client-side mail filtering, you need to answer a few questions.
This article covers the last item.
Any of the following items can get an IP or network listed in various blacklists:
The short of it is that server operators need to look at the inclusion policy of any blacklist they're considering for use.
And that's the gotcha. Most popular blacklists publish some criteria for how IP addresses get added and removed. Unfortunately, not all of those criteria are entirely clear or internally consistent, and what actually triggers a listing can be broader than the headline policy suggests.
One of the most popular, and possibly most effective blacklists is the CBL.
Let's look at an excerpt from the CBL's homepage:
The CBL only lists IPs that have sent one of our servers email that appears to indicate that the IP is infected.
The CBL operates in an entirely automated way designed to avoid listings of spamtrap hits due to bounces of forged spam, virus bounces, and "real" mail servers emitting the occasional spam. It tries very hard to avoid listing legitimate mail sources. It does not attempt to list every possible spam source.
Presumably by "infected" they mean compromised by spammers. This might mean a server is being exploited because it is an open relay or hosts an unsecured web-to-email form; it could also refer to a workstation that has been recruited into a botnet.
You wouldn't think the CBL would list an IP address just for having a common server configuration problem unless that problem gave good evidence that the IP was actually being abused by spammers, right?
A few months ago, I was helping figure out why a museum's Linux email server was having delivery problems. It turned out they were in the CBL.
The server passed all the open-relay tests we could find. We scoured the server logs and never found any evidence the system was relaying or otherwise sending spam. Nothing indicated anything suspicious about the box.
Upon entering their IP into this form, I was redirected to this page containing the following:
You have been directed here because there is a possibility that your IP may have been listed as result of misconfiguration or broken mailer software.
(...)
There are two basic types of detections that land an IP in this page. RFC2821 section 4.1.1.1 says that there are only two legal types of HELO/EHLO a mail server can issue - either a fully qualified domain name (eg: "mail.example.com") or an "IP literal" (eg: "[1.2.3.4]").
No question, the server had a configuration problem. Specifically, it had a very common hostname/DNS configuration problem: the server didn't know its own fully qualified name, so the HELO/EHLO it announced was neither an FQDN nor a bracketed IP literal. By itself this doesn't make a server an open relay or otherwise prone to sending spam. It's just a little sloppy IT work.
In fact, on this page - the CBL acknowledges:
"Due to idiosyncrasies in Linux install procedures, Linux machines are often a bit confused as to what their name is."
It's painfully easy to set up a new Linux installation and end up in this situation. Some of the newer distributions are better about this, but I don't think I ever deployed Red Hat and didn't find myself manually having to edit files under /etc to make things happy.
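To make concrete what the CBL's HELO/EHLO test quoted above is checking, here is an added classifier for the argument an SMTP client sends in HELO/EHLO. This is example code written for this edit, not the CBL's detection logic and not code from the article. It implements the two legal forms from RFC 2821 §4.1.1.1, a fully qualified domain name or a bracketed address literal (the `[IPv6:...]` form comes from RFC 2821 §4.1.3), and rejects the usual mailer mistakes: a bare unqualified hostname, an IP address without brackets, and labels that violate hostname syntax. The `suspect` class for names like `localhost.localdomain` is this example's own heuristic: such a name is syntactically a domain name but cannot resolve in public DNS, which is exactly what a box that "doesn't know its own name" ends up announcing. The sample HELO values are constructed.

```python
import ipaddress
import re
from typing import Tuple

# One DNS label per RFC 1123 host syntax: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Suffixes that look like domains but never resolve in public DNS. Flagging them as
# "suspect" is this example's heuristic (assumption), not a rule taken from the CBL.
_LOCAL_SUFFIXES = {"localdomain", "localhost", "local", "lan", "internal"}


def classify_helo(arg: str) -> Tuple[str, str]:
    """Classify a HELO/EHLO argument as ('fqdn'|'ip-literal'|'suspect'|'invalid', reason)."""
    arg = arg.strip()
    if not arg:
        return ("invalid", "empty HELO argument")

    # Address literal: RFC 2821 4.1.1.1 / 4.1.3 require the surrounding brackets.
    if arg[0] == "[" and arg[-1] == "]":
        inner = arg[1:-1]
        if inner.startswith("IPv6:"):
            try:
                ipaddress.IPv6Address(inner[5:])
                return ("ip-literal", "IPv6 address literal")
            except ValueError:
                return ("invalid", "malformed IPv6 address literal")
        try:
            ipaddress.IPv4Address(inner)
            return ("ip-literal", "IPv4 address literal")
        except ValueError:
            return ("invalid", "malformed IPv4 address literal")

    # A bare address without brackets is a common mailer bug, not a legal literal.
    try:
        ipaddress.ip_address(arg)
        return ("invalid", "bare IP address; address literals must be in [brackets]")
    except ValueError:
        pass

    labels = arg.split(".")
    if len(labels) < 2:
        return ("invalid", "single-label (unqualified) hostname")
    if not all(_LABEL.match(label) for label in labels):
        return ("invalid", "label violates hostname syntax")
    if labels[-1].isdigit():
        return ("invalid", "top-level label cannot be all digits")
    if labels[-1].lower() in _LOCAL_SUFFIXES:
        return ("suspect", f"'{arg}' cannot resolve in public DNS (typical unconfigured Linux host)")
    return ("fqdn", "fully qualified domain name")


# Constructed sample of HELO arguments as seen from a mix of clients.
SAMPLE_HELOS = ["mail.example.com", "[192.0.2.10]", "[IPv6:2001:db8::1]",
                "192.0.2.10", "mail", "localhost.localdomain", "-bad-.example.com"]

if __name__ == "__main__":
    for helo in SAMPLE_HELOS:
        kind, why = classify_helo(helo)
        print(f"{helo:28} {kind:10} {why}")
```

On your own server the value to check is whatever the MTA announces, not what you think the hostname is: `hostname -f` should print the FQDN, and on Postfix `postconf myhostname` (which is also the default for `smtp_helo_name`) should agree with it. If either answer is `localhost.localdomain` or a bare single-label name, fix /etc/hostname and /etc/hosts first; no amount of open-relay testing will find that problem.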
We fixed the problem, and were removed from the list. We were never re-listed.
I still think blacklists (including the CBL) can be valuable tools to help minimize spam. I'd hesitate, however, before blocking mail from blacklisted IP addresses unless there was other additional information suggesting the message was really spam.
It's possible to configure the SpamButcher anti-spam email program to use a blacklist to aid in blocking spam. However, when doing so - the user's "known good senders" list is still obeyed - and messages that the content filter thinks look completely normal are still delivered.
On a side note, Paul Graham encountered similar apparent inconsistencies regarding the inclusion policy of the Spamhaus DNSBL.