What is a DNS blacklist?
A DNS Blacklist (DNSBL) is a mechanism for publishing a list of IP addresses that some people may want to avoid and in a format which can be easily queried by computer programs on the Internet. The technology is built on top of the Internet Domain Name System, or DNS. DNSBLs are chiefly used to publish lists of addresses known to be involved in spam activities. All the modern mail transport agents (mail servers) can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.
DNSBLs are a medium and not a specific list or policy. There has been a good deal of controversy over the past several years over the operation of specific lists, such as the MAPS RBL and SPEWS
The following list defines most of the closely related terms that you may find over the Internet or in literature:
- RBL is an abbreviation for “Real-time Blackhole List”. As mentioned below, “RBL” was the name of the first system to use this technology. However, since “RBL” is a trademark for the proprietary MAPS DNSBL, using it as a generic term causes trademark dilution. Some pieces of mail software have configuration parameters that use “RBLs” or “RBL domains” when any DNSBLs can be used, not just the MAPS RBL.
- DNSBL is an abbreviation that usually stands for “DNS blacklist”, although different DNSBL operators define the term in various ways. The use of the word “blacklist” is somewhat controversial. Instead, some people have suggested that DNSBL should stand for “DNS blocklist” even though DNSBLs are not always used for direct blocking, or “DNS blackhole list” even though that may still infringe on MAPS’s trademark and isn’t a true blackhole. The term “rejectlist” has also been used from almost the beginning.
- DNSWL is an abbreviation for “DNS whitelist”. It is a list of IP addresses that some people may want to treat more favorably.
- RHSBL is an abbreviation for “Right Hand Side Blacklist”. This is similar to a DNSBL only it lists domain names rather than IP addresses. The term comes from the “right-hand side” of an email address, the part after the @ sign, which clients look up in the RHSBL.
- URIBL is an abbreviation for “Uniform Resource Identifier Blacklist”. It is similar to a DNSBL only it lists domain names rather than IP addresses. Contrary to RHSBL it lists domain names used in URIs instead of in e-mail addresses.
Some History Notes
The first DNSBL was the Real-time Blackhole List (RBL), created in 1997 by Paul Vixie and Dave Rand as part of the Mail Abuse Prevention System (MAPS). Initially, the RBL did not actually emerge as a DNSBL, but rather as a list of commands that could be used to program routers for the purpose of blocking all TCP/IP traffic for machines used to send spam or host spam tolerating services. Vixie, being a respected programmer, network administrator and CTO of AboveNet, was able to install these blackhole routes in key routers so that many people across the Internet would not be able to connect to these machines.
The purpose of the RBL was not simply to block spam. The main purpose was to educate Internet service providers and other Internet sites about spam and related problems, such as open SMTP relays, spamvertising, etc. Prior to listing an address within the RBL, volunteers and MAPS staff attempted repeatedly to contact the persons responsible for it and get its problems corrected. These efforts were considered very important before blackholing all network traffic, but it also meant that spammers and spam supporting ISPs could delay being put on the RBL for long periods while such discussions went on.
Later on, the RBL was released in a DNSBL form and Paul Vixie encouraged the authors of sendmail and other mail software to implement RBL clients. The latter allowed the mail software to query the RBL and reject mail from listed sites on SMTP level instead of blackholing all traffic.
Shortly after the advent of the RBL, other entities started developing their own lists with different policies. One of the first was Alan Brown’s Open Relay Behavior-modification System (ORBS). It used automated testing to discover and list mail servers running as open mail relays. ORBS was controversial at the time because many people felt running an open relay was acceptable, and that scanning the Internet for open mail servers could be abusive.
Subsequently, a number of DNSBLs came under heavy denial-of-service attacks. Since no party has admitted to these attacks nor been discovered responsible, their purpose is a matter of speculation. However, many observers believe the attacks are perpetrated by spammers in order to interfere with the DNSBLs’ operation or hound them into shutting down. In August 2003, the firm Osirusoft, an operator of several DNSBLs including one based on the SPEWS data set, shut down its lists after suffering weeks of near-continuous attack.
The various DNSBLs have different policies. DNSBL policies differ by the following three major points:
- Goals. What does the DNSBL seek to list? Is it a list of open-relay mail servers or open proxies – or of IP addresses known to send spam – or perhaps of IP addresses belonging to ISPs that harbor spammers?
- Nomination. How does the DNSBL discover addresses to list? Does it use nominations submitted by users? Spam-trap addresses or honeypots?
- Listing lifetime. How long does a listing last? Are they automatically expired, or only removed manually? What can the operator of a listed host do to have it delisted?