Understanding how RBLs work
By Peter M. Abraham
August 2003


Dynamic Net started using Real Time Black Hole Lists (RBL) on July 7th to prevent SPAM from known SPAM sources.

We make use of the following eight RBL providers:

  • spamhaus.org -- mainly lists the very large spam companies.
  • spamcop.net -- lists spam companies.
  • ordb.org -- lists those companies whose mail servers are configured in a way that they can be hijacked by spam providers and companies.
  • dnsbl.njabl.org -- lists those companies whose mail servers are configured in a way that they can be hijacked by spam providers and companies.
  • opm.blitzed.org -- lists those companies whose mail servers are configured in a way that they can be hijacked by spam providers and companies.
  • rfc-ignorant.org -- lists those organizations that did not correctly register their mail server domain name (a tactic most commonly used by spam companies and providers).
  • dsbl.org -- lists those companies whose mail servers are configured in a way that they can be hijacked by spam providers and companies.
  • relays.visi.com -- lists those companies whose mail servers are configured in a way that they can be hijacked by spam providers and companies.

One of the most common fears when we tell customers we are blocking SPAM is the fear that valid email is being lost.

Zero email is lost with the use of RBL providers.  Let me repeat that there is zero loss of email when using RBL providers.

Why did we go the RBL route?

While SPAM has been a growing problem for Dynamic Net, our resellers, and our customers, starting earlier this year it just got out of control.

SPAM companies were trying to hack into our mail servers daily.  SPAM companies were trying to leech off of our mail servers daily.  SPAM companies were altering the from address of every single message they sent out, so you could not effectively block them by email address based on the number of messages sent in a short period of time.

We were adding 100 to 200 IP addresses to our firewalls every single week.  It didn't take long to get close to 1,000 IP addresses of known SPAM providers blocked in our firewalls.

And each time we added a block of IP addresses, the possibility existed we were adding one or more blocks of IP addresses belonging to highly portable Cable and DSL providers.  One day they are a SPAM sender, and the next day the IP address belongs to one of your customers.

While we were moving all of our clients including our resellers to our relatively brand new (purchased late last year) servers, several of our older mail servers were dying.

Those of you on the Linux10173 server can probably remember sometimes daily emails to support asking why mail delivery is being delayed.

We would log into the server to find it inundated with emails.  A normal mail server queue (messages waiting for delivery -- to be forwarded or to be placed in a POP3 account) is under 100.  We would often find up to 28,000 messages on Linux10173.  Do the math.  What % was SPAM?  It should make you sick.

Since we instituted RBL with our mail servers, every server is at peak performance.  Linux10173, which went into operation in late 2000, operates as if it were brand new.

We knew that even if we were to hire additional staff, we would not be able to keep up with the hefty increase in SPAM.

How much SPAM are you blocking by using these RBL providers?

We are blocking approximately 200,000 SPAM messages per day out of approximately 350,000 email messages processed per day.  Yes, that means approximately 60% of the email going through our email servers is SPAM.

Now, what does all of this mean to you as our customer, prospective customer, or partner?

RBL Providers, and there are literally hundreds of them on the Net, came into existence as a means to help providers like Dynamic Net battle the increasing costs of SPAM.

SPAM is a theft of our services, and a theft of your services.  In the United States alone the estimated cost of SPAM in 2003 is $10,000,000,000 ($10 billion).

Tell me about the different RBL providers.  How do mail servers get listed?

How does one get listed in spamhaus.org and spamcop.net?

spamhaus.org typically deals with the very large SPAM providers who have been identified through various means as to sending SPAM.  It is uncommon to be listed in spamhaus.org if you are not a major provider of SPAM.

spamcop.net lists organizations and individuals who have been reported as sending SPAM.  They do research their findings, and do a math computation based on how much email is going out of a mail server, and how much of that email is reported to be SPAM.  Like spamhaus.org, it is uncommon to be listed in spamcop.net if you are not a SPAM sender.

How does one get listed in ordb.org, dnsbl.njabl.org, opm.blitzed.org, dsbl.org, or relays.visi.com and what is an open relay?

An "open relay" mail server is one that can be used to relay mail openly by anyone.

These RBL providers list organizations and individuals whose mail servers are configured in such a way they can be used by anyone who is not their direct customer.

How does one get listed in rfc-ignorant.org?

The Internet works because as a world-wide community, we have all agreed to rules of conduct.  Most of these rules, their implementation, and their compliance is transparent to us.

They are mostly invisible because someone else takes care of it, or technology handles it for us.

One of the rules that mail server administrators are responsible for is ensuring their mail server domain name was properly registered with a valid telephone number and email address for the administrative and technical contact.  That rule is RFC 2142.

If you operate a mail server on the Internet, you agree to comply completely and fully with this rule.  There are no exceptions.

If an organization or individual is listed in rfc-ignorant.org, it is because whoever registered the mail server domain name either purposely falsified information (a common tactic by SPAM organizations), or made severe typos (they did not review their work prior to submitting it), or made internal changes and did not notify their domain name registrar.

Why do you use eight RBL providers?

We picked a combination of providers that would yield the most accurate and best results for preventing SPAM.

We provide email hosting services to over 1,000 domains.  We process approximately 350,000 email messages per day.

With that stated, we have had 6 clients with 8 domains impacted negatively by the use of RBL providers.  The impact was accurate in that there were valid reasons for the ISPs of the 6 clients and 8 domains being listed.

The most common reason was that the ISP / mail server provider involved did not comply with RFC 2142, which is a global, worldwide rule of conduct on the Internet.

What happens when a person trying to send me email has their ISP in an RBL provider's database?

The sender will receive an error message; they will not be able to send their email message. 

What the sender is told will depend on which real time black hole list (RBL) their mail server is on:

Those in Spamhaus.org may receive something like http://www.spamhaus.org/SBL/sbl.lasso?query=SBL9700

Those in SpamCop.net may receive something like http://spamcop.net/bl.shtml?203.192.10.7

Those in dnsbl.njabl.org and opm.blitzed.org and the other open relay RBL providers' databases will receive either "open proxy" or "relay proxy" as the error message.

Those in rfc-ignorant.org would receive an error message as to how their mail server is not compliant with RFC standards.
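
An added example (not Dynamic Net's own code) of the check a mail server makes against the IP-based lists above: it reverses the connecting IP's octets, looks that name up under each list's zone, and refuses the message with the list's reason text so the sender gets an error instead of a silent drop. The three zone names are the ones the article gives in full; the `resolve` callback and the 192.0.2.25 sample records are constructed so the example runs offline.

```python
import ipaddress

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here
ZONES = ["dnsbl.njabl.org", "opm.blitzed.org", "relays.visi.com"]  # named in the article

def dnsbl_name(client_ip, zone):
    """Build the DNS name to query: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_sender(client_ip, zones, resolve):
    """Return (smtp_code, text) for a connecting client.

    resolve(name, rtype) returns a list of strings ([] if the name does not
    exist). It is an assumed callback; a real server would call its DNS library.
    """
    for zone in zones:
        name = dnsbl_name(client_ip, zone)
        try:
            answers = resolve(name, "A")
        except TimeoutError:
            continue  # list unreachable: accept rather than lose mail
        # Only an answer inside 127.0.0.0/8 means "listed"; anything else
        # (for example a parked domain answering every query) is ignored.
        if not any(ipaddress.ip_address(a) in LISTED_NET for a in answers):
            continue
        try:
            reason = " ".join(resolve(name, "TXT")) or "listed"
        except TimeoutError:
            reason = "listed"
        return 550, f"rejected: {client_ip} listed in {zone}: {reason}"
    return 250, "ok"

# Constructed stand-in for DNS; 192.0.2.0/24 is a documentation-only range.
SAMPLE_DNS = {
    ("25.2.0.192.opm.blitzed.org", "A"): ["127.0.0.2"],
    ("25.2.0.192.opm.blitzed.org", "TXT"): ["open proxy"],
}

def sample_resolve(name, rtype):
    return SAMPLE_DNS.get((name, rtype), [])

if __name__ == "__main__":
    print(check_sender("192.0.2.25", ZONES, sample_resolve))
    print(check_sender("192.0.2.26", ZONES, sample_resolve))
```

Because the refusal happens while the sending server is still connected, that server keeps the message and reports the error text back to its user.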

How does an ISP or other form of mail server provider get out of an RBL provider's database?

First they must fix the problem or verify the problem that got them listed no longer exists.

Then, they must follow the rules of the RBL provider to get unlisted.  For instance, to get unlisted from rfc-ignorant.org, you would email the administrator of rfc-ignorant.org.

We purposely picked RBL providers that are easy to work with in terms of response time as well as being accurate for who is listed in their databases.

How can you help me if I think one of our customers, partners, family members, or friends has an ISP or mail server provider that is listed in an RBL?

If you believe a customer, partner, vendor, family member, friend, or otherwise legitimate person or company is receiving an error message, please let us know the following information:

  • Complete email address of the sender.

  • The name of the sender's ISP or mail service provider.

  • The exact error message (if possible).

This information will allow us to verify whether or not our systems are causing a block, to immediately remove any bad blocks, or to work with the RBL providers to get the mail server provider unlisted from the RBL.

Please contact our support department if you have any questions.

 
 
