That said, the most popular DNS blacklists have been honing their service over the past few years and offer significantly more accurate results than previous incarnations. In fact, services such as spamhaus.org and sorbs.net offer freely available lists that don’t just blacklist known spammer netblocks, but also list known dynamic IP netblocks used by carriers for home broadband connections, hosts running open proxies, buggy Web code that can be co-opted to send spam, and lists of hosts that have been identified as zombies and are spamming at the whim of a botnet controller.
How popular are these DNS blacklists? Steve Linford at spamhaus.org estimates that the spamhaus network receives between 80,000 and 100,000 queries per second, and that doesn’t count the many large entities that don’t use the public servers but instead have arrangements to pull the DNS blacklist databases to local servers on a scheduled basis, which significantly reduces the number of queries reaching the public servers.
The cry of the wrongly accused
But what about false positives? “Funny you should ask,” says John Shearer, Network Manager at Northfield Mount Hermon School. “Until last night we’d stayed away from DNS blacklists due to fear of false positives. In the past few months, however, we’ve seen a significant increase in our spam volume, and I finally implemented the njabl.org DNS blacklist in our mail filter. It’s stopped over 3,100 connections in the past 15 hours.”
Given the prevalence of DNS blacklists, false positives are always a threat, but the ever-growing spam problem is overriding those fears, as the benefits largely outweigh the negatives.
When a server is blacklisted, the site admins generally don’t know until rejected e-mails start bouncing back to users. In most cases, the bounced messages contain information on why the e-mail was blocked, and by whom. A URL is usually included in the warning message to instruct admins on how to request removal from the blacklist. Linford estimates that spamhaus.org’s turnover is 500,000 entries a day.
Each DNS blacklist uses its own method of collecting and maintaining its database. Many run honeynets that exist solely to catalog automated attacks from zombie networks, adding the source IP addresses to the database when they’re seen. Dead-end SMTP servers are also used. They don’t have actual mailboxes but simply absorb e-mail addressed to nonexistent users to identify spamming networks and systems.
Although the threat of open relays on the Internet isn’t nearly what it used to be, some still exist, and several DNS blacklists actively scan for open relays, blacklisting them when they’re discovered. It wasn’t long ago that many commercial SMTP servers shipped as open relays in their default settings. Today, that’s not an option. Nevertheless, John Gilmore, the fifth employee at Sun Microsystems, a founder of the EFF and Cygnus Solutions, and the father of Usenet’s alt.* hierarchy, continues to run a restricted open relay. For him, it’s a free speech issue. For the rest of us, it’s simply bad practice and will render e-mail basically useless.
Floating in the grey area
Greylisting cleverly stymies the stupid bots responsible for most spam. The mechanism is an SMTP error code returned to the sending server, telling it to wait a few minutes and then redeliver the e-mail it just tried to deliver.
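The retry-later behaviour described above, as an added example (not code from the article): a minimal greylisting policy that tracks (client IP, sender, recipient) triplets, answers a 450 temporary failure on first contact, and accepts only a retry that arrives after the delay. The 5-minute delay, 4-hour retry window and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

DELAY_SECONDS = 5 * 60            # assumption: how long the sender must wait before retrying
RETRY_WINDOW_SECONDS = 4 * 3600   # assumption: a retry later than this starts over


@dataclass
class Greylist:
    """Tracks (client IP, sender, recipient) triplets and returns an SMTP reply code."""
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: set = field(default_factory=set)         # triplets that retried correctly

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> tuple[int, str]:
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:
            return 250, "OK"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > RETRY_WINDOW_SECONDS:
            # First contact (or the window expired): record it and ask for a retry.
            self.first_seen[triplet] = now
            return 450, "Greylisted, please try again later"
        if now - seen < DELAY_SECONDS:
            # Retried too soon: a bot that simply hammers the server is still refused.
            return 450, "Greylisted, please try again later"
        # A retry after the delay and within the window is how a real MTA queue behaves.
        self.passed.add(triplet)
        del self.first_seen[triplet]
        return 250, "OK"


def simulate() -> dict:
    """Constructed scenario: a bot that never retries versus an MTA that queues and retries."""
    g = Greylist()
    t0 = 1_000_000.0
    bot = g.check("203.0.113.7", "spam@example.net", "user@example.org", t0)[0]
    mta_args = ("198.51.100.25", "alice@example.com", "user@example.org")
    mta = [
        g.check(*mta_args, t0)[0],          # first contact: 450
        g.check(*mta_args, t0 + 60)[0],     # retried after one minute: still 450
        g.check(*mta_args, t0 + 600)[0],    # retried after ten minutes: 250
        g.check(*mta_args, t0 + 86400)[0],  # a day later the triplet is remembered: 250
    ]
    return {"bot": bot, "mta": mta}


if __name__ == "__main__":
    print(simulate())
```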