SANS ISC: Spam blocking by RBL, when is a good thing too much? SANS ISC InfoSec Forums

Spam blocking by RBL, when is a good thing too much?
I was involved in a recent discussion that was interesting regarding a startup company that got a new (to it) IP address assignment from its ISP. As soon as they lit up their mail server, emails started to get blocked by spam filters. It turned out that a previous owner of that IP block got themselves on several spam black hole lists.

It is a long-standing issue with the various RBLs that it is easy to get blocklisted, and tough to get unlisted. Needless to say, the company in question requested a new address assignment from the ISP and resolved the problem that way, leaving that address for the next poor victim to deal with.

I have seen this situation personally a few times in the last year. I have started to suggest that anyone working with an ISP to get a new address assignment check the address block with various RBLs before accepting and putting the addresses into production. I also recommend that they request the ISP perform this check prior to making the assignment; some are more cooperative than others. Sorry, I will not mention any names of ISPs. They know who they are, and if you ask them you will know too.

dan /at/ MADJiC /./ net

Reader Yakov Shafranovich wrote:
"A while back when I co-chaired the ASRG, we wrote up a document which addresses RBL issues:

Specifically section 2.5 would be relevant here."

Thanks for the hard work and interesting read! It seems to me that temporary blocking would best serve the community. Of course, defining temporary could keep some attorneys very busy, I suppose.

Another reader, Melvin, suggests that the following article should be required reading for small and medium-size businesses deploying mail services in limited address space. The article describes routing mail through an ISP's smarthost so as not to be filtered by RBLs.
I agree this is a great method to bypass this problem. In my opinion, the "openness" of the Internet suffers when we are forced to take these kinds of measures. There is obviously a trade-off involved here.

It seems that this is a sore spot for many folks. Another writer, who asked to remain anonymous, wrote in that "he could spend much of his day chasing stale RBL entries," that it would serve his customer base, but that it is a waste of time based on what his team is supposed to be doing. He also mentions that a new trend towards reputation-based blocking has a whole new potential danger.
He advocates for individuals building local RBLs for local use. I would add that anyone using a product for spam filtering should be aware of what they are blocking with that tool and feed back to the producer if they see erroneous messages in the filters. One more thing for admins to chase.

May 4th 2006
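
The pre-acceptance check recommended above, as an added example that is not part of the original diary: it builds the reversed-octet DNSBL query name for every host address in a candidate block and looks it up in each zone. The zone list, the `192.0.2.0/29` block and all function names are assumptions chosen for illustration.

```python
import ipaddress
import socket

# Assumed zones for illustration; use the lists your recipients filter on.
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")
# RFC 5782: a listing is answered with an A record inside 127.0.0.0/8.
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers from 127.255.255.0/24 to signal a query error (for
# example a lookup sent through a public resolver); that is not a listing.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_name(ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN and other lookup failures
        return []


def listed_codes(answers):
    """Keep only answers that are genuine listing return codes."""
    codes = []
    for answer in answers:
        addr = ipaddress.ip_address(answer)
        if addr in LISTING_NET and addr not in ERROR_NET:
            codes.append(answer)
    return codes


def check_block(cidr, zones=DEFAULT_ZONES, resolve=system_resolver):
    """Map each listed host address in cidr to {zone: [return codes]}."""
    report = {}
    for ip in ipaddress.ip_network(cidr).hosts():
        for zone in zones:
            codes = listed_codes(resolve(dnsbl_name(ip, zone)))
            if codes:
                report.setdefault(str(ip), {})[zone] = codes
    return report


if __name__ == "__main__":
    # 192.0.2.0/29 is a documentation block standing in for the offered range.
    for ip, hits in check_block("192.0.2.0/29").items():
        print(ip, hits)
```

An empty report only means none of the queried zones list the block at that moment; run the lookups through your own recursive resolver, since some list operators refuse queries arriving from large public resolvers.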