Spam definitely does not need an introduction. Anyone with an e-mail account knows how frustrating all of the offers of pills from virtual pharmacists, financial propositions from princes and pictures for fetish sites that shouldn't even exist are.
Public Email Blacklists
Public Email Blacklists are databases of IP addresses and domains known (reported) as sources of spam. These blacklists are available to the public, often as a free service and sometimes for a fee. There are a lot of well-known public blacklists, and their impact can cause serious problems for businesses by creating a negative experience for their customers through undelivered emails.
There are two types of blacklists: IP address-based and domain-based.
Real-time Black Lists (RBL) and Domain Name Server Black Lists (DNSBL) are lists of IP addresses whose spam status changes in real-time.
Mailbox providers check these blacklists to see if the sending server is managed by a sender who allows others to connect and send from their system (open-relays). They also check for known spammers or mailbox providers that allow legitimate spammers to use their infrastructure.
Here are a few popular RBLs:
Now we know that blacklists are publicly available, and we can go to the RBL's website and check whether a specific IP address or domain is known for sending spam.
Maybe this information will be more than enough for a regular user, BUT we are technicians and we need to understand how it actually works…
If you are still reading this, congratulations: you are a curious person, and your curiosity is moving you forward to gain more information and knowledge.
How does it work?
Blacklists are accessible to the public via DNS lookups. So basically you can use the nslookup tool and perform a DNS lookup of a specific IP address (written in reverse) against a specific blacklist provider's zone.
For example, let's take the DNS name of the 0spam DNSBL:
And let's take some public IP address of Gmail. If you want to know how I got this IP, click here.
As we need to do the reverse DNS lookup, we need to reverse this IP. Basically, just write its four octets in reverse order (last octet first):
Now we need to combine the provider’s DNS name and reversed IP address:
Further on we will use the nslookup tool to perform the query:
This reply means that the IP address we were checking is not listed in the 0spam DNSBL database.
For our next example let’s take the IP address which is known for sending spam.
To get this info I went to the blacklist provider's website and got the latest findings.
If the IP is listed in the database, there are two types of result codes:
- Listed with Data result 127.0.0.#
- Listed with Data result 127.0.#.0
The codes are as follows (e.g. general spam for a single IP gives the result 127.0.0.1):
- 1 – General spam: sending spam to the blacklist's spam traps.
- 2 – Removal request made but missing required information; please make a new request and be sure to complete the form properly.
- 3 – Does not follow valid CAN-SPAM rules for newsletters / lists.
- 4 – Not RFC compliant: server errors or improper configuration.
- 5 – Repeat offenders: these are IPs that have been removed and listed again three (3) or more times in a short period of time.
- 6 – Bouncing email to the wrong server; non-RFC-compliant configurations.
- 7 – Relay or open relay with reports of spam.
- 8 – Bouncing spoofed emails; you need to disable bouncing of spoofed emails in order to get delisted.
- 9 – Fraud/scam emails, malware or illegal/abusive content.
Most listings are single-IP listings (127.0.0.#); however, when spam from a class C IP range hits a certain threshold, a full class C block occurs (127.0.#.0).
In our case we received: 127.0.0.1
This means that spam emails from this IP address have been sent to a spam trap.
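The whole procedure from above (reverse the octets, append the provider's zone, look the name up, then read the 127.0.0.# or 127.0.#.0 answer against the code table) can be scripted. The following is an added example, not code from the original post or from any blacklist provider. The zone name `dnsbl.example` is a placeholder for the provider's real DNSBL zone, the IP addresses in the test values are constructed from documentation ranges, and the live `check_ip` helper needs network access; everything else runs offline.

```python
"""Build DNSBL query names and decode 0spam-style listing codes.

Added example for the post above. DNSBL_ZONE is a placeholder, not a
real provider's zone; replace it with the zone from the provider's site.
"""
import ipaddress
import socket

# Placeholder zone (assumption): substitute the blacklist provider's real DNSBL zone.
DNSBL_ZONE = "dnsbl.example"

# Listing reasons as given in the post's code table (last octet of 127.0.0.#,
# or third octet of 127.0.#.0 for a class C block).
CODES = {
    1: "general spam (sending to the blacklist's spam traps)",
    2: "removal request made but missing required information",
    3: "does not follow CAN-SPAM rules for newsletters / lists",
    4: "not RFC compliant, server errors or improper configuration",
    5: "repeat offender (removed and relisted 3 or more times)",
    6: "bouncing email to the wrong server, non-RFC-compliant configuration",
    7: "relay or open relay with reports of spam",
    8: "bouncing spoofed emails",
    9: "fraud/scam emails, malware or illegal/abusive content",
}


def reverse_ip(ip: str) -> str:
    """Return the four octets of an IPv4 address in reverse order.

    "192.0.2.10" -> "10.2.0.192". Validation goes through ipaddress so a
    malformed or IPv6 input raises ValueError instead of producing a bogus name.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Combine the reversed IP with the provider's zone, e.g. 10.2.0.192.dnsbl.example."""
    return f"{reverse_ip(ip)}.{zone}"


def decode_result(answer: str) -> dict:
    """Interpret a DNSBL A-record answer.

    127.0.0.#  -> single-IP listing, code in the last octet
    127.0.#.0  -> class C block listing, code in the third octet
    Anything outside 127.0.x.x is rejected rather than guessed at.
    """
    a, b, c, d = (int(x) for x in answer.split("."))
    if (a, b) != (127, 0):
        raise ValueError(f"not a recognised DNSBL result code: {answer}")
    if d != 0:
        scope, code = "single IP", d
    elif c != 0:
        scope, code = "class C block", c
    else:
        raise ValueError(f"answer carries no listing code: {answer}")
    return {"scope": scope, "code": code, "reason": CODES.get(code, "unknown code")}


def check_ip(ip: str, zone: str = DNSBL_ZONE):
    """Live lookup (needs DNS access). Returns None when the name does not
    resolve, which is how a DNSBL reports 'not listed'; otherwise the decoded answer."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    return decode_result(answer)


if __name__ == "__main__":
    print(dnsbl_query_name("198.51.100.7"))
    print(decode_result("127.0.0.1"))
    print(decode_result("127.0.5.0"))
```

`check_ip` treats a resolution failure as "not listed", which matches the nslookup behaviour shown in the post, but a resolver outage looks the same, so a monitoring script should log the exception type rather than silently report a clean result.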
Thanks a lot for reading.
If you have any questions, please leave them in the comment section below.