online advertising

online advertising

DNSBL

A DNS-based Blackhole List (DNSBL, Real-time Blackhole List or RBL), is a means by which an Internet site may publish a list of IP addresses, in a format which can be easily queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS or Domain Name System. DNSBLs are chiefly used to publish lists of addresses linked to spamming. Most mail transport agent (mail server) software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.

DNSBL names a medium, not any specific list or policy. There has been a good deal of controversy over the past several years over the operation of specific lists, such as the MAPS RBL, ORBS, and SPEWS.

History of DNSBLs

The first DNSBL was the Real-time Blackhole List (RBL), created in 1997 by Paul Vixie as part of his Mail Abuse Prevention System (MAPS). Vixie, an influential Internet programmer and administrator, encouraged the authors of sendmail and other mail software to implement RBL clients. These allowed the mail software to query the RBL and reject mail from listed sites. However, the purpose of the RBL was not simply to block spam—it was to educate Internet service providers and other Internet sites about spam and related problems, such as open SMTP relays. Before an address would be listed on the RBL, volunteers and MAPS staff would attempt repeatedly to contact the persons responsible for it and get its problems corrected.

Soon after the advent of the RBL, others started developing their own lists with different policies. One of the first was Alan Brown's Open Relay Behavior-modification System (ORBS). This used automated testing to discover and list mail servers running as open mail relays—exploitable by spammers to carry their spam. ORBS was controversial at the time because many people felt running an open relay was acceptable, and that scanning the Internet for open mail servers could be abusive.

In recent events (2003), a number of DNSBLs have come under denial-of-service attacks. Since no party has admitted to these attacks nor been discovered responsible, their purpose is a matter of speculation. However, many observers believe the attacks are perpetrated by spammers in order to interfere with the DNSBLs’ operation or hound them into shutting down. In August 2003, the firm Osirusoft, an operator of several DNSBLs including one based on the SPEWS data set, shut down its lists after suffering weeks of near-continuous attack.

A number of parties, such as the Electronic Frontier Foundation and Peacefire, have raised concerns about some use of DNSBLs by ISPs. One joint statement issued by a group including EFF and Peacefire addressed "stealth blocking", in which ISPs use DNSBLs or other spam-blocking techniques without informing their clients. [1]

DNSBL Operation

To operate a DNSBL requires three things: a domain to host it under, a nameserver for that domain, and a list of addresses to publish.

It is possible to serve a DNSBL using BIND, the popular DNS software. However, BIND is inefficient for zones containing large numbers of addresses, particularly DNSBLs which list entire Classless Inter-Domain Routing netblocks. DNSBL-specific software—such as Michael J. Tokarev's rbldnsd or Daniel J. Bernstein's rbldns—is faster, uses less memory, and is easier to configure than the general-purpose BIND. Alternatively, Simplicita Software offers a commercial DNSBL server that provides additional benefits such as point-in-time auditing and 24/7 IP address monitoring.

The hard part of operating a DNSBL is populating it with addresses. DNSBLs intended for public use usually have specific, published policies as to what a listing means, and must be operated accordingly to attain or keep public confidence.

DNSBL Queries

When a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let's say, spammers.example.net), it does more or less the following:

1. Take the client's IP address—say, 192.168.42.23—and reverse the bytes, yielding 23.42.168.192.
2. Append the DNSBL's domain name: 23.42.168.192.spammers.example.net.
3. Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an "NXDOMAIN" ("No such domain") code, indicating that the client is not.
4. Optionally, if the client is listed, look up the name as a text record ("TXT" record). Most DNSBLs publish information about why a client is listed as TXT records.

Looking up an address in a DNSBL is thus similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the "A" rather than "PTR" record type, and uses a forward domain (such as spammers.example.net above) rather than the special reverse domain in-addr.arpa.

There is an informal protocol for the addresses returned by DNSBL queries which match. Most DNSBLs return an address in the 127.0.0.0/8 IP loopback network. The address 127.0.0.2 indicates a generic listing. Other addresses in this block may indicate something specific about the listing—that it indicates an open relay, proxy, spammer-owned host, etc. [2]

DNSBL Policies

Different DNSBLs have different policies. DNSBL policies differ from one another on three fronts:

• Goals. What does the DNSBL seek to list? Is it a list of open-relay mail servers or open proxies—or of IP addresses known to send spam—or perhaps of IP addresses belonging to ISPs that harbor spammers?
• Nomination. How does the DNSBL discover addresses to list? Does it use nominations submitted by users? Spam-trap addresses or honeypots?
• Listing lifetime. How long does a listing last? Are they automatically expired, or only removed manually? What can the operator of a listed host do to have it delisted?

Terminology

The proprietary term RBL is sometimes erroneously used in place of the generic DNSBL. RBL is a service mark of MAPS LLC. Some pieces of mail software have configuration parameters for the use of "RBLs" or "RBL domains", used to set the DNSBLs that the software should use. This may be trademark dilution.

Note: Trend Micro bought MAPS LLC in June 2005.

An RHSBL or Right-Hand-Side Blackhole List is a DNSBL which lists domain names rather than IP addresses. The term comes from the "right-hand side" of an email address -- the part after the @ sign -- which clients look up in the RHSBL.

Criticisms

Email users who find their messages blocked from mail servers that use DNSBLs often object vociferously, sometimes to the extent of attacking the existence of the lists themselves. The following lists are controversial:

• Lists of dynamic and dial-up IP addresses. Some mail sites choose not to accept messages from dynamic addresses, since they are often home computers exploited by spammer viruses. This can inconvenience users who wish to run their own mail servers on residential ISP connections or local MTAs on laptops for example.
• Lists that include "spam-support operations", such as MAPS RBL. A spam-support operation is a site that may not directly send spam, but provides commercial services for spammers, such as hosting of Web sites that are advertised in spam. Refusal to accept mail from spam-support operations is intended as a boycott to encourage such sites to cease doing business with spammers, at the expense of inconveniencing non-spammers who use the same site as spammers.
• Predictive ("early warning") lists, notably SPEWS. SPEWS lists addresses belonging to spam-support operations, under the hypothesis that such addresses are more likely to send spam in the future. SPEWS "escalates" listings, increasing the size of the netblock listed, as a site continues to support spam.

Although many have voiced objections to specific DNSBLs, few people object to the principle that mail-receiving sites should be able to reject undesired mail systematically. One who does is John Gilmore, who deliberately operates an open mail relay. Gilmore accuses DNSBL operators of violating antitrust law.

For Joe Blow to refuse emails is legal (though it's bad policy, akin to "shooting the messenger"). But if Joe and ten million friends all gang up to make a blacklist, they are exercising illegal monopoly power. [3]

Spammers have pursued lawsuits against DNSBL operators on similar grounds. In 2003, a newly-formed corporation calling itself "EmarketersAmerica" filed suit against a number of DNSBL operators in Florida court. Backed by spammer Eddy Marin, the company claimed to be a trade organization of "email marketers" and that DNSBL operators Spamhaus and SPEWS were engaged in restraint of trade. The suit was eventually dismissed for lack of standing. [4]

External links

• rbls.org — checks the status of an IP on several DNSBLs
• Spamhaus Block List
• Sorbs DNSBL
• Distributed Sender Boycott List
• spam filtering daemon, that use DNSBL
• Black-Hole DNS List for blocking Malware and Spyware
• linux.ie: What is a DNS Blacklist?
• Declude's list of known DNS-Based spam databases
• Jørgen Mash's list of DNSBL Databases

---

Back | Home | Up | Next

By MultiMedia | Licensed under the GNU Free Documentation License, material from the Wikipedia. | Design by uli sobers