Sunday, May 07, 2006

SANS on the Blocking of Non-Spam E-Mail by Realtime Blacklists

SANS - Internet Storm Center: Spam blocking by RBL, when is a good thing too much?

Real-time blacklists (RBLs) are the common tools of the trade of spam blocking. The idea is simple. Put the sending addresses, domain names, and IP addresses of people who are sending spam on a list, so others can use it as a directory for blocking spam.

But it isn't always that easy:
It is a long-standing issue with the various RBLs that it is easy to get blacklisted, and tough to get unlisted. Needless to say, the company in question requested a new address assignment from the ISP and resolved the problem that way, leaving that address for the next poor victim to deal with.

I have seen this situation personally a few times in the last year. I have started to suggest that anyone working with an ISP to get a new address assignment check the address block with various RBLs before accepting and putting the addresses into production. I also recommend that they request the ISP perform this check prior to making the assignment; some are more cooperative than others. Sorry, I will not mention any names of ISPs.
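The pre-check suggested above, as an added example that is not part of the SANS diary or this post: each address in a newly assigned block is turned into the reversed-octet name a DNSBL expects and looked up against each list, and only an answer inside 127.0.0.0/8 counts as a listing. The zone names are hypothetical placeholders, and a constructed stub resolver stands in for real DNS so the script runs offline; swap in `dns_resolve` and the lists you actually trust for a live check.

```python
import ipaddress
import socket

# Hypothetical DNSBL zone names for illustration only; substitute the lists you actually trust.
DNSBL_ZONES = ["bl.example-dnsbl.test", "rbl.example-dnsbl.test"]
DNSBL_VERDICTS = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the lookup name a DNSBL expects: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_resolve(name):
    """Real resolver: a listed IP answers with an A record (conventionally 127.0.0.x)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_block(cidr, zones, resolve=dns_resolve):
    """Return {ip: [zones listing it]} for every host in the block that some list flags."""
    listed = {}
    for host in ipaddress.IPv4Network(cidr, strict=False).hosts():
        hits = []
        for zone in zones:
            answer = resolve(dnsbl_query_name(str(host), zone))
            # Only answers inside 127.0.0.0/8 are DNSBL verdicts; anything else
            # (wildcard DNS, a dead list) must not be treated as a listing.
            if answer and ipaddress.IPv4Address(answer) in DNSBL_VERDICTS:
                hits.append(zone)
        if hits:
            listed[str(host)] = hits
    return listed

# Constructed stub standing in for DNS so the example runs offline: it pretends
# 192.0.2.5 is listed on one zone, 192.0.2.6 on both, and 192.0.2.4 gets a bogus answer.
STUB_ANSWERS = {
    "5.2.0.192.bl.example-dnsbl.test": "127.0.0.2",
    "6.2.0.192.bl.example-dnsbl.test": "127.0.0.2",
    "6.2.0.192.rbl.example-dnsbl.test": "127.0.0.4",
    "4.2.0.192.rbl.example-dnsbl.test": "10.0.0.1",
}

def stub_resolve(name):
    return STUB_ANSWERS.get(name)

if __name__ == "__main__":
    for ip, zones in check_block("192.0.2.0/29", DNSBL_ZONES, stub_resolve).items():
        print(ip, "listed on", ", ".join(zones))
```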

An anonymous user wrote to SANS as a follow-up advocating that individuals build local RBLs for local use. This sort of system won't work for those of us using an out-of-the-box solution such as Symantec's Anti-Spam/Anti-Virus products on our SMTP gateways. The less labor-intensive strategy is to keep a local whitelist.

There is further reading listed by SANS:
Why don't spam blocking lists block only the spammers?
Remember that the system administrators who use blocking lists use them because they trust that using the list will eliminate a maximum of spam while blocking a minimum of wanted e-mail. Admins who find that a blocking list is not working that way will stop using it. Most likely the list in question affects very little non-spam e-mail.

As I've said before, the practice of some blacklists blocking legitimate email in a law firm environment is a nightmare. For now all we can do is keep a small local whitelist and hope those who have been blacklisted will seek to be removed.



Blogger p226 said...

We ran into one "legitimate" blacklist which would charge you money for the research to remove you. It was akin to blackmail.

Blacklists scare me a bit, but we've found some of them useful. RBLs have resulted in several million pieces of UCE being blocked for us over the past couple of months alone. We've had few false positives. Right now, we're sitting at roughly 16 million blocked UCE since March. I'd say about half of those are based on RBLs.

5:55 PM  
