As we know, spam can be more than annoying marketing campaigns; spam are vectors for phishing attempts and counterfeit messaging. That’s why Realtime Blackhole Lists (RBL) exist to serve the public interest and help Internet users mitigate cybersecurity risks.
You may know Realtime BlockLists (RBL) as blocklists or blacklists; they are also often referred to as Domain Name System-based Black Lists (DNSBLs). There are dozens of RBLs in existence using different criteria to check and list IP addresses. But the primary purpose of an RBL is to identify and block known spam origins and spam-supporting ISPs, by establishing certain IPs or Domains as bad or as suspicious.
As we know, spam is a general definition that can be more than annoying marketing campaigns; spam is a route for malware, phishing attempts, and counterfeit messaging. Every intelligent information that users and systems can use to prevent attacks is valuable.
Typically, RBL operators are commercial service providers or researchers serving the public interest and helping Internet users mitigate cybersecurity risks. Most of the lists are free to consult, and there isn't a single email system (security gateways, firewalls, email servers) that does not consult one or more of these lists to decide what to do with incoming email traffic.
How does RBL work?
RBL or DNSBL mechanisms are used in mail systems to complement content filters. Internet mail servers can query RBL databases in real-time to obtain their opinion on an incoming email’s origin. And depending on the email server’s specific criteria, it can decide what to do with such information.
Every list has a certain reputation of its own. Systems find it more reliable to use the most notorious (such as Spamhaus, Mailspike, Abusix, and Spamcop) in favour of others. The usual process is to weight the response of several lists to reach a conclusion.
With that conclusion, an email system may automatically decide to trash all incoming emails from IP addresses listed in the RBL or, instead, accept the messages and have them passed through other filters, such as Anti Virus, or content analysis.
Some lists are more sophisticated and classify IPs and Domains in different ways. Some of the lists also keep lists of recently created IPs and Domains (where there is no history of activity)
These lists usually allow for manual removal of an IP from the list. Obviously, because this verification is mostly automatic, removing an IP that is infected will only delay the re-listing, as soon as the list updates. As for automatic removal, this usual happens over a period of good email or no email being seen coming from a certain origin.
Why is it important?
This lists are really prevalent in the email security world. If your IP of Domain is blacklist in one or some of the most notorious lists you should expect being unable to deliver your email everywhere, as all the major email providers, such as Google and Microsoft, also use lists as part of their assessment. But not just Email Providers. Infrastructure Services such as Amazon AWS or Oracle Cloud will use lists to assess if a system in their platform can send email, and even web traffic. Many cases of clients expelled from these services due to "bad behaviour" have been reported.
What can you do about it?
Apart from the obvious (avoid becoming infected with spam sending bots), users and organizations should be careful in where to host their email infrastructure. Because IPs are usually shared among several customers, you may find it difficult to send emails just because of other's misbehaviours.
Email administrators can also contribute to RBLs by submitting IP addresses they believe are attempting to abuse their systems. Some signs of abuse may include suspicious sending patterns. A good website to search for your domains is Multirbl.valli.org. It is a free multiple RBL lookup.
* Note that we at AnubisNetworks offer Mailspike.org, a free IP Blocklist service, used globally, and included by default in spamassassin systems.