Monday, 1 December 2014

How to: Understand DNS Black-listing


One of our associate workers (Claire) got in touch this morning saying that email from her regular address, which she uses for consulting work, was being bounced back because the sending server was on a black-list:

SMTP error from remote server after RCPT command:
host: remote.dartington.org
5.7.1 Your message was rejected because the IP address of the server sending your message is in the block list of the SORBS service.


SORBS is an acronym for "Spam and Open Relay Blocking System", one of many anti-spam services in the real-time block-list (RBL) business to which you can subscribe. SORBS also lists Open Proxy servers and machines that appear to be hacked sources of spam.


The party line from our central IT department goes like this:
"To reduce the amount of (malicious) spam we are receiving, our email servers check with a couple of lists of known (or suspected) spammers; this is the SORBS service referred to in the 'reject' email. Only about 8-15% of the emails sent to us are legitimate and checking with these lists has hugely reduced the amount of spam (and virus/threat alerts that we receive). Sometimes these services block individual accounts, sometimes they block whole servers or domains shown to be sending large amounts of spam or malicious emails and 'clean' accounts can be caught up in this. We (the Trust) had similar problems a while ago when (instead of using mailchimp or a similar service) individual users were sending huge volumes of mail from our accounts and got us black-listed!"

So the first question - why is SORBS blocking Claire's email? - is actually the wrong question! SORBS does not block email, web sites, networks or the Internet. The SORBS Domain Name System Black List (DNSbl) is nothing more than a list of hostnames in the SORBS.NET domain, each corresponding to an IP address that has been reported as generating volumes of spam email, published worldwide through the Internet Domain Name System (DNS). It is the receiving mail server that chooses to consult that list and reject on a match.

It's not illegal, since it does not identify an individual and therefore does not breach data protection law. It is, however, something of a blunt instrument, as it works against IP addresses, which can cover whole servers and clusters of servers.

SORBS builds its black-list by taking automated nominations from 'feeder' servers; the general public cannot submit sites for testing. SORBS is not the only player in the real-time block-list business - see http://multirbl.valli.org/dnsbl-lookup/82.132.130.151.html. You might be more familiar with Spamcop, for example, a system that does take submissions from the public.

Because of the way that SORBS real-time black-listing works, based on confirmed volumes of spam traffic, none of us can white-list the IP address that is having problems; the spam traffic has to be proven to cease before the black-list is updated.

So Claire's address is not on the block-list; no individual email address is ever on the block-list. The IP address through which her mail goes out is on a block-list, and that is probably because its owner has not been proactive in kicking off abusers.

The solution is for the owner of the account to talk to the company that provides her email and get them to investigate the block; it isn't something that we can do for her.

In the case of SORBS, however, it is difficult to determine who to talk to, since essential information is missing from the rejection message. A properly-formed rejection message SHOULD contain the IP address of the rejected sending server: something like

Email rejected because 173.203.116.233 is listed by SORBS

In this case, Claire is an innocent bystander, but without the IP address we can't give the server owner a prompt to kick off the spammers.
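To make the two points above concrete (the DNSbl is a set of DNS names keyed by IP address, so a mailbox can never be "on" it, and a rejection that omits the IP cannot be chased up), here is a Python walk-through. It is an added example, not code from the original post or from SORBS. The zone name dnsbl.sorbs.net and the meaning of the 127.0.0.x answer codes are assumptions from memory of the SORBS documentation and should be verified against the current SORBS listing codes; the two sample bounce texts are constructed from the messages quoted above, and the offline resolver is a stand-in for real DNS.

```python
# Added DNSBL example; zone name and answer codes are ASSUMPTIONS to verify.
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SORBS_ZONE = "dnsbl.sorbs.net"  # assumed aggregate zone; check SORBS docs

# Assumed meaning of the A-record answers (verify before relying on them).
SORBS_CODES: Dict[str, str] = {
    "127.0.0.2": "open HTTP proxy",
    "127.0.0.3": "open SOCKS proxy",
    "127.0.0.4": "other open proxy",
    "127.0.0.5": "open SMTP relay",
    "127.0.0.6": "confirmed spam source",
    "127.0.0.7": "web-form / vulnerable script spam vector",
    "127.0.0.9": "zombie / hijacked host",
    "127.0.0.10": "dynamic (dial-up / DSL) address space",
}

# A resolver maps a DNS name to its A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Ask the OS resolver; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str = SORBS_ZONE) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>.

    This is the whole mechanism: the block-list is a set of names under the
    zone, so only an IP address (never a mailbox) can be looked up.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


@dataclass
class Listing:
    ip: str
    query: str
    answer: Optional[str]  # A record returned, or None when not listed

    @property
    def listed(self) -> bool:
        return self.answer is not None

    @property
    def reason(self) -> Optional[str]:
        if self.answer is None:
            return None
        return SORBS_CODES.get(self.answer, "listed, unrecognised code")


def check_ip(ip: str, resolve: Resolver = system_resolver,
             zone: str = SORBS_ZONE) -> Listing:
    """The lookup a receiving mail server performs at RCPT time."""
    name = dnsbl_query_name(ip, zone)
    return Listing(ip=ip, query=name, answer=resolve(name))


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ips_in_rejection(text: str) -> List[str]:
    """Pull candidate sending-server IPs out of a bounce message.

    A well-formed rejection names the IP; the SORBS-style one quoted in the
    post does not, which is why the block could not be chased up.
    """
    found: List[str] = []
    for m in IPV4.findall(text):
        try:
            ipaddress.IPv4Address(m)  # drops things like 999.1.1.1
        except ValueError:
            continue
        if m not in found:
            found.append(m)
    return found


def triage_bounce(text: str, resolve: Resolver = system_resolver) -> str:
    """Tell the helpdesk what to do next with a rejection message."""
    ips = ips_in_rejection(text)
    if not ips:
        return ("no sending IP in rejection: ask the sender's mail provider "
                "which server relayed the mail")
    listed = [r for r in (check_ip(ip, resolve) for ip in ips) if r.listed]
    if not listed:
        return "sending IP(s) not currently listed; receiver may use a stale copy"
    return "; ".join(f"{r.ip} listed ({r.reason})" for r in listed)


# Constructed samples, built from the two messages quoted in the post.
BOUNCE_WITHOUT_IP = ("SMTP error from remote server after RCPT command:\n"
                     "host: remote.dartington.org\n"
                     "5.7.1 Your message was rejected because the IP address "
                     "of the server sending your message is in the block "
                     "list of the SORBS service.")
BOUNCE_WITH_IP = "Email rejected because 173.203.116.233 is listed by SORBS"


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for DNS: constructed data, not a real lookup."""
    return {"233.116.203.173." + SORBS_ZONE: "127.0.0.6"}.get(name)


if __name__ == "__main__":
    print(triage_bounce(BOUNCE_WITHOUT_IP, fake_resolver))
    print(triage_bounce(BOUNCE_WITH_IP, fake_resolver))
```

Swap fake_resolver for the default system_resolver to run a live query; an NXDOMAIN answer is the normal "not listed" result, and a 127.0.0.x answer tells you which SORBS category the server's owner needs to clear.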

In the case of a large Internet Service Provider, with clusters of large mail-servers, you will be sharing a sending IP address with tens of thousands (at least) of other customers, so it's all too easy to get blocked owing to one rogue account on a server.

SORBS and SpamCop are very quick to de-list once the spam stops, so the rejections should stop, unless the subscribing servers are using out-of-date lists. Spamcop might well react to a number of reported abuses, but with SORBS it is the proportion of spam to genuine mail that triggers listing or de-listing.

So for a large-volume server (Yahoo, Gmail or the like) Spamcop needs more complaints or spam-trap hits than for a low-volume server (spam-trap hits carry more weight, because those addresses have never sent mail to anyone, so anything they receive is unsolicited). Working in real time on traffic stats, the black-listing services can often spot a good spam eruption, since it can increase email from a server by a factor of 10 or more (90% or more spam, as we found above).

How does so much spam get generated? That's the fault of the spammers who take over accounts and sometimes whole machines (zombies); Microsoft is always on the back foot with security, and it would help if their operating systems weren't so easily hacked. Finally, there are ISPs who don't take quick action to keep the spammers off their servers. RC
