Rbl
From Qmail Info Wiki
RBL is an abbreviation for Realtime Blackhole List. An RBL is a list of IP addresses which share some common trait, usually that they belong to, or have been used by, spammers.
There are organizations such as Spamcop (http://www.spamcop.net/), NJABL (http://dnsbl.njabl.org/), ORDB (http://www.ordb.org/), and Spamhaus (http://www.spamhaus.org/) which keep track of spammers, and publish lists of the IP addresses they use. The mechanism for publishing this information is through DNS.
Using an RBL
Each RBL is identified by a "zone", or domain name. To check whether or not a given IP address is listed in that RBL, you look up the REVERSED IP (the octets in reverse order) as a name within the associated zone.
For example, to check whether or not the IP address 1.2.3.4 is listed in the rbl.domain.xyz zone, you would do a DNS query for the name "4.3.2.1.rbl.domain.xyz". If the query returns "record not found", the IP address is not listed. Otherwise, depending on the list, the values returned may give information about why the IP is listed. If there is a TXT record as part of the results, the value of the TXT record will usually be a human-readable string, suitable for presentation to the client. It is common for RBLs to return an A record pointing to 127.0.0.2 to indicate that the IP address is listed.
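The lookup described above, as an added example that is not part of the original wiki page or of rblsmtpd. The function names and the constructed resolver table are hypothetical, only A records are checked, and the rule of ignoring answers outside 127.0.0.0/8 is an added defensive assumption rather than something the page states.

```python
import ipaddress
import socket

# Assumption: listing answers live in 127.0.0.0/8 (the page mentions 127.0.0.2).
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def rbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_a_lookup(name):
    """A records for name from the system resolver, or [] if the lookup fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        # "Not found" and resolver errors look the same here, so a DNS
        # outage makes every client appear unlisted (the check fails open).
        return []

def check_rbl(ip, zone, a_lookup=system_a_lookup):
    """Return (listed, codes). a_lookup is injectable so the check can run offline."""
    answers = a_lookup(rbl_query_name(ip, zone))
    # Added defensive check: an answer outside 127.0.0.0/8 is not a listing.
    # It usually means a resolver rewrote "not found" into a real address.
    codes = [a for a in answers if ipaddress.IPv4Address(a) in LISTED_RANGE]
    return (bool(codes), codes)

# Constructed data standing in for DNS; rbl.domain.xyz is the page's example zone.
FAKE_DNS = {
    "4.3.2.1.rbl.domain.xyz": ["127.0.0.2"],     # listed
    "9.9.9.9.rbl.domain.xyz": ["203.0.113.10"],  # rewritten "not found" answer
}

def fake_lookup(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("1.2.3.4", "9.9.9.9", "5.6.7.8"):
        print(ip, check_rbl(ip, "rbl.domain.xyz", fake_lookup))
```

Calling check_rbl without the third argument uses the system resolver; a mail server that should defer mail during a DNS outage needs a resolver that distinguishes "not found" from a lookup error.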
Links
Home page for the ucspi-tcp package (http://cr.yp.to/ucspi-tcp.html)
Home page for the rblsmtpd program (http://cr.yp.to/ucspi-tcp/rblsmtpd.html)
Spamcop (http://www.spamcop.net/) is a service which allows normal users to forward any spam they receive to them. Their system analyzes the headers and automatically figures out which IP address it came from, and forwards a report to the ISP who owns that IP address. They also publish an RBL of the IP addresses which are currently being used as spam sources (this includes a lot of "zombie" Windows PCs which have been taken over by spammers).
ORDB (http://www.ordb.org/) is the Open Relay DataBase. They maintain a list of IP addresses which are known to be "open relays", meaning that they will accept email FROM any IP address, and forward that mail to the rest of the Internet. These machines, when they pop up, are almost immediately exploited by spammers who actively scan the Internet looking for them.
NJABL (http://dnsbl.njabl.org/) is Not Just Another Black List (or "Not Just Another Bogus List", as they now call themselves). This is a group of guys whose "day job" is running the mail servers for a large ISP here in Florida; in fact, I know one of them personally. Their blacklist system is one of the best ones out there, and is one of the few that I trust for filtering the mail on my own server.
SpamHaus (http://www.spamhaus.org/) keeps track of the world's largest spammers. Not only do they publish several blacklists, but their web site lets you look up information about the spammers themselves. For example, the single largest spammer on the planet lives in Michigan, while the area with the largest concentration of spammers is southern Florida.
DNSstuff (http://www.dnsstuff.com/) has a set of tools relating to DNS, one of which is a tool to check an IP address against over two hundred known RBLs.
Multi-RBL Check (http://rbls.org/) is a web page which will check an IP address against many public RBLs.
John Simpson 2005-09-17

