Why I hate RBLs

Anti-spam real-time block lists become a royal pain when it comes to getting innocent servers off the list

I hate real-time block lists (RBLs). I really do. I don’t think there is an administrator or a PC technician that hasn’t cussed them out at one time or another.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

RBLs are a crude but simple tool invented to help reduce e-mail spam. Essentially, an RBL is a roster of DNS domains, fully qualified host names, or IP addresses that have been known to send large quantities of spam. RBL-enabled defense tools can implement RBLs and use them to reject e-mail from any computer or sender on the list.

Historically, RBLs are e-mail and DNS extensions of early online malware lists, such as Eric Newhouse’s Dirty Dozen list from the late 1980s. The first anti-spam RBL I personally know of was started by DNS BIND inventor Paul Vixie and David Rand in 1997. Anyone finding an SMTP server that allowed unauthorized e-mail relaying (called an "open relay") could report the offender to the DRBL (DNS Real-Time Blackhole List). Administrators could then configure their routers to deny traffic from entries listed on the DRBL.

Eventually, several (now several dozen) people created huge, global RBLs that could be downloaded and automated. Most anti-spam software programs and appliances allow links to one or more online RBL centers. Spamhaus is one of my long-term favorites; it contains some of the best information on spam senders and maintains three separate RBLs. The SBL (Spamhaus Block List) is a traditional online RBL, while the XBL (Spamhaus Exploits Block List) is a real-time, online database of IP addresses of illegal exploits, open proxies (HTTP, socks, and so on), spam-sending malware, and other types of Trojans. The XBL pulls additional data from the Composite Block List (CBL) and Not Just Another Bogus List Open Proxy’s list. Spamhaus’ PBL (Policy Block List) is an additional list of end-user IP addresses that should not be sending e-mail to any e-mail servers other than their primary, allowed ISP SMTP server. You can also download combined lists, such as sbl-xbl.spamhaus.org, to simplify administration.

Don’t get me wrong; RBLs have their purpose. It’s just that they have always been too easy to get on and way too hard to get off of. For most of their useful life, a single, solitary report to an RBL was all it took to get your company’s e-mail server put on notice. There was no authentication of the sender (and there still isn’t) and no check to see if the reported e-mail server was actually in violation. The RBL simply put the offender on the list and didn’t care enough to see if innocent servers were being wrongfully accused by malicious reporters. 

Today, most RBLs implement a single e-mail check, which, if confirmed, results in the verified offender being placed on the RBL. Many minor RBLs pull their information from the larger RBLs, such as Spamhaus, so being placed on one list results in the offender’s e-mail server (or domain or IP address) being placed on dozens of RBLs.

In either case, real offender or not, proactive notification to the e-mail administrator — which is listed in the mail server’s MX record — is never done. Companies normally don’t find out that they’ve been placed on an RBL until days or weeks later when they try to troubleshoot why an e-mail isn’t reaching a particular customer. It takes 10 seconds to get on a list, and 10 days to get off — if you’re lucky.

I’m working for a customer right now that was incorrectly placed on AT&T’s RBL, the second one this year. This customer was never an open relay, and their firewall doesn’t allow spam-sending worms and bots to succeed. Maybe their ISP updated their IP address and they got assigned some past owner’s RBL-blocked IP address? (Lesson to learn: Make sure to ask before you get assigned a new IP address.) 

Regardless of how they ended up there, trying to find AT&T’s instructions for getting my customer off the RBL is like searching for a needle in a haystack. There's a page with instructions, but it isn’t easy to reach. You’re much more likely to find people on the Internet complaining about how they can’t locate the instructions and how they, too, can’t get off AT&T’s RBL. 

I was lucky: I’ve contacted AT&T before, so I had the correct abuse address. I followed the instructions and sent the removal request. In both cases this year, AT&T responded to me, saying that my client has been removed from the RBL.

But in both cases, the client wasn’t actually removed.

Additional pleading, begging e-mails to the abuse address just results in the same “You will be removed soon” auto-reply, but the action never takes place. Good luck in finding a real person to talk to on the phone and get a resolution. In both of my cases, these customers simply can no longer use their company’s e-mail system to contact AT&T e-mail customers. It’s a shame — and AT&T should be ashamed.

Is it too much to ask that RBL maintainers place easy-to-find removal instructions on their sites and actually follow through on the e-mails sent to them? I dare to dream.

Send me an e-mail or post a comment if you’ve had similar problems with AT&T's RBL. Maybe with enough collected evidence we can force the company to improve its process.