Why I hate RBLs

I hate real-time block lists (RBLs). I really do. I don’t think there is an administrator or a PC technician that hasn’t cussed them out at one time or another.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

RBLs are a crude but simple tool invented to help reduce e-mail spam. Essentially, an RBL is a roster of DNS domains, fully qualified host names, or IP addresses that have been known to send large quantities of spam. RBL-enabled defense tools can implement RBLs and use them to reject e-mail from any computer or sender on the list.

Historically, RBLs are e-mail and DNS extensions of early online malware lists, such as Eric Newhouse’s Dirty Dozen list from the late 1980s. The first anti-spam RBL I personally know of was started by DNS BIND inventor Paul Vixie and David Rand in 1997. Anyone finding an SMTP server that allowed unauthorized e-mail relaying (called an "open relay") could report the offender to the DRBL (DNS Real-Time Blackhole List). Administrators could then configure their routers to deny traffic from entries listed on the DRBL.

Eventually, several (now several dozen) people created huge, global RBLs that could be downloaded and automated. Most anti-spam software programs and appliances allow links to one or more online RBL centers. Spamhaus is one of my long-term favorites; it contains some of the best information on spam senders and maintains three separate RBLs. The SBL (Spamhaus Block List) is a traditional online RBL, while the XBL (Spamhaus Exploits Block List) is a real-time, online database of IP addresses of illegal exploits, open proxies (HTTP, socks, and so on), spam-sending malware, and other types of Trojans. The XBL pulls additional data from the Composite Block List (CBL) and Not Just Another Bogus List Open Proxy’s list. Spamhaus’ PBL (Policy Block List) is an additional list of end-user IP addresses that should not be sending e-mail to any e-mail servers other than their primary, allowed ISP SMTP server. You can also download combined lists, such as sbl-xbl.spamhaus.org, to simplify administration.

Don’t get me wrong; RBLs have their purpose. It’s just that they have always been too easy to get on and way too hard to get off of. For most of their useful life, a single, solitary report to an RBL was all it took to get your company’s e-mail server put on notice. There was no authentication of the sender (and there still isn’t) and no check to see if the reported e-mail server was actually in violation. The RBL simply put the offender on the list and didn’t care enough to see if innocent servers were being wrongfully accused by malicious reporters. 

Today, most RBLs implement a single e-mail check, which, if confirmed, results in the verified offender being placed on the RBL. Many minor RBLs pull their information from the larger RBLs, such as Spamhaus, so being placed on one list results in the offender’s e-mail server (or domain or IP address) being placed on dozens of RBLs.