DNSBL
A DNS-based Blackhole List, or DNSBL, is a means by which an Internet site may publish a list of IP addresses, in a format which can be easily queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS or Domain Name System. DNSBLs are chiefly used to publish lists of addresses linked to spamming. Most mail transport agent (mail server) software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.
DNSBL names a medium, not any specific list or policy. There has been a good deal of controversy over the past several years over the operation of specific lists, such as the MAPS RBL, ORBS, and SPEWS.
History of DNSBLs
The first DNSBL was the Real-time Blackhole List (RBL), created in 1997 by Paul Vixie as part of his Mail Abuse Prevention System (MAPS). Vixie, an influential Internet programmer and administrator, encouraged the authors of sendmail and other mail software to implement RBL clients. These allowed the mail software to query the RBL and reject mail from listed sites. However, the purpose of the RBL was not simply to block spam—it was to educate Internet service providers and other Internet sites about spam and related problems, such as open SMTP relays. Before an address would be listed on the RBL, volunteers and MAPS staff would attempt repeatedly to contact the persons responsible for it and get its problems corrected.
Soon after the advent of the RBL, others started developing their own lists with different policies. One of the first was Alan Brown's Open Relay Behavior-modification System (ORBS). This used automated testing to discover and list mail servers running as open mail relays—exploitable by spammers to carry their spam. ORBS was controversial at the time because many people felt running an open relay was acceptable, and that scanning the Internet for open mail servers could be abusive.
In 2003, a number of DNSBLs came under denial-of-service attacks. Since no party has admitted to these attacks nor been discovered responsible, their purpose is a matter of speculation. However, many observers believe the attacks are perpetrated by spammers in order to interfere with the DNSBLs' operation or hound them into shutting down. In August 2003, the firm Osirusoft, an operator of several DNSBLs including one based on the SPEWS data set, shut down its lists after suffering weeks of near-continuous attack.
A number of parties, such as the Electronic Frontier Foundation and Peacefire, have raised concerns about some use of DNSBLs by ISPs. One joint statement issued by a group including EFF and Peacefire addressed "stealth blocking", in which ISPs use DNSBLs or other spam-blocking techniques without informing their clients. [1] (http://www.peacefire.org/stealth/group-statement.5-17-2001.html)
Major events: ORBS controversy, lawsuits, RBL commercialization, ORBS breakup, ORBZ, SBL, SPEWS, RHSBLs
DNSBL Operation
To operate a DNSBL requires three things: a domain to host it under, a nameserver for that domain, and a list of addresses to publish.
It is possible to serve a DNSBL using BIND, the popular DNS software. However, BIND is inefficient for zones containing large numbers of addresses, particularly DNSBLs which list entire CIDR netblocks. DNSBL-specific software—such as Michael J. Tokarev's rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html) or Daniel J. Bernstein's rbldns (http://cr.yp.to/djbdns.html)—is faster, uses less memory, and is easier to configure than the general-purpose BIND.
The hard part of operating a DNSBL is populating it with addresses. DNSBLs intended for public use usually have specific, published policies as to what a listing means, and must be operated accordingly to attain or keep public confidence.
DNSBL Queries
When a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let's say, spammers.example.net), it does more or less the following:
- Take the client's IP address—say, 192.168.42.23—and reverse the bytes, yielding 23.42.168.192.
- Append the DNSBL's domain name: 23.42.168.192.spammers.example.net.
- Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an "NXDOMAIN" ("No such domain") code, indicating that the client is not.
- Optionally, if the client is listed, look up the name as a text record ("TXT" record). Most DNSBLs publish information about why a client is listed as TXT records.
Looking up an address in a DNSBL is thus similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the "A" rather than "PTR" record type, and uses a forward domain (such as spammers.example.net above) rather than the special reverse domain in-addr.arpa.
There is an informal protocol for the addresses returned by DNSBL queries which match. Most DNSBLs return an address in the 127.0.0.0/8 IP loopback network. The address 127.0.0.2 indicates a generic listing. Other addresses in this block may indicate something specific about the listing—that it indicates an open relay, proxy, spammer-owned host, etc. [2] (http://www.dnsbl.us.sorbs.net/using.shtml)
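As an added illustration (not code from the original article), the lookup steps above and the 127.0.0.0/8 return-code convention in Python. The zone spammers.example.net and its listing data are constructed placeholders served by a stub resolver so the example runs offline; a live A-record lookup via the system resolver is included for use against a real zone.

```python
import ipaddress
import socket

ZONE = "spammers.example.net"  # placeholder zone from the article, not a real DNSBL

# Constructed sample zone data standing in for live DNS answers, so the
# example runs offline; names follow the reversed-octet convention.
FAKE_ZONE = {
    "23.42.168.192.spammers.example.net": ("127.0.0.2", "generic listing (constructed)"),
    "7.0.0.10.spammers.example.net": ("127.0.0.4", "open proxy (constructed)"),
}

def dnsbl_query_name(client_ip, zone):
    """Reverse the four octets of client_ip and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(client_ip)  # rejects malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def fake_resolve_a(name):
    """Stub A lookup against FAKE_ZONE; None plays the role of NXDOMAIN."""
    entry = FAKE_ZONE.get(name)
    return entry[0] if entry else None

def fake_resolve_txt(name):
    """Stub TXT lookup returning the listing reason, if any."""
    entry = FAKE_ZONE.get(name)
    return entry[1] if entry else None

def live_resolve_a(name):
    """Real A lookup via the system resolver (pass as resolve_a to check_client)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN or other failure: treat as not listed

def check_client(client_ip, zone=ZONE, resolve_a=fake_resolve_a, resolve_txt=fake_resolve_txt):
    """Describe whether client_ip is listed in zone, following the steps in the text."""
    name = dnsbl_query_name(client_ip, zone)
    answer = resolve_a(name)
    if answer is None:
        return {"query": name, "listed": False}
    # A well-behaved DNSBL answers from 127.0.0.0/8; any other address usually
    # means the zone is gone or wildcarded, so do not treat it as a listing.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return {"query": name, "listed": False, "warning": f"unexpected answer {answer}"}
    return {"query": name, "listed": True, "code": answer, "reason": resolve_txt(name)}

if __name__ == "__main__":
    for ip in ("192.168.42.23", "10.0.0.7", "203.0.113.9"):
        print(check_client(ip))
```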
DNSBL Policies
Different DNSBLs have different policies. DNSBL policies differ from one another on three fronts:
- Goals. What does the DNSBL seek to list? Is it a list of open-relay mail servers or open proxies—or of IP addresses known to send spam—or perhaps of IP addresses belonging to ISPs that harbor spammers?
- Nomination. How does the DNSBL discover addresses to list? Does it use nominations submitted by users? Spam-trap addresses or honeypots?
- Listing lifetime. How long does a listing last? Are they automatically expired, or only removed manually? What can the operator of a listed host do to have it delisted?
Terminology
The proprietary term RBL is sometimes erroneously used in place of the generic DNSBL. RBL is a service mark of MAPS LLC. Some pieces of mail software have configuration parameters for the use of "RBLs" or "RBL domains", used to set the DNSBLs that the software should use. This may be trademark dilution.
An RHSBL or Right-Hand-Side Blackhole List is a DNSBL which lists domain names rather than IP addresses. The term comes from the "right-hand side" of an email address -- the part after the @ sign -- which clients look up in the RHSBL.