IP Blocklist and Blocklist Removal
By Lee Howard
June 23, 2020
Everyone hates spam. Even worse is malware—something that infects your computer and sends spam out to you and others or tries to hack into systems. In response to these problems, many people began to maintain lists recording who generates spam and malware. An “IP blocklist” is used by most mail servers and some firewalls as a step in deciding whether to accept emails, mark as “Junk,” or just drop traffic altogether.
IP Blocklist Listings
Different blocklists have different ways of collecting addresses. Some mail servers collect data from users clicking “This is spam” and report this to blocklist maintainers, while other blocklist operators have “honeypots.” Honeypots are systems designed to attract spam, so they can blocklist any IP address from which they receive spam.
A significant amount of spam comes from home computers and other devices that have been infected with malware, making them part of a “botnet.” Some operators even actively scan the Internet, looking for devices with certain vulnerabilities that they know have been exploited by botnets. Residential users and cell phones generally don’t run mail servers, so any indication that an IP address is part of a pool used for those may put an address range on a blocklist.
Problems with Blocklists
The main problem with blocklists is collateral damage – traffic blocked that shouldn’t be. A few blocklists intentionally do this, to force large IPv4 block holders to take action in preventing spam from reaching their customers. In some cases, a device got blocklisted for spam, but was later patched and the spam stopped. Many blocklists have an “aging” policy, where if no further problems are seen or reported over a period of time, an IP address will be removed from the list. If it’s reported again, it may take longer to age out next time.
Often, IPv4 addresses for sale will include some that have been blocklisted. Companies looking to buy, should always conduct some diligence. But it is important to remember that IP addresses can be listed (or de-listed) at any time, so a blocklist check two weeks ago may have no correlation with one today.
Most blocklists offer a web page where you can check whether an IP address has been listed. That’s not going to work if you want to check 65,536 IPv4 addresses. A few blocklists allow you to download their list to search locally (or sync with github). For two major operators, SORBS and Spamhaus, you’ll need to script a test.
Both SORBS and Spamhaus operate DNSBLs, for Domain Name Service Block-Lists. They allow queries over DNS and return a code that tells you which list an address is on.
For instance, if I want to find out about 192.0.2.43, I can run the Unix command:
$ dig 220.127.116.11.in-addr.arpa @dnsbl.sorbs.net +short
I may get a response like “127.0.0.6,” which SORBS tells me means it’s on their spam list. The equivalent command in Windows command line console is:
> nslookup -email@example.com 18.104.22.168.in-addr.arpa
To query an entire block, you’ll need a script that queries every address in that block. IPv4.Global is able and happy to run such a check for our customers.
IP Blocklist Removal
Every blocklist maintainer has their own mechanism for getting addresses removed that often requires some demonstration that the original cause of the listing has been removed. For several SORBS lists, you have to request a retest:
- Log into a machine using the blocklisted IP address, browse to their support page, and click “Request Key.”
- You then email the key to SORBS and they retest;
If the test passes, SORBS will flag the address to be removed. If you don’t have access to that machine, or it doesn’t have a browser, you can try to open a support ticket.
Spamhaus similarly provides a web interface, which tells you which list you’re on with links to clean up.
Fortunately, most blocklist operators recognize that spam doesn’t come from unrouted IP addresses, so simply taking the network offline, as you would in preparation to sell, provides a good reason why you can’t retest and why they should reconsider. Similarly, showing the record of when an IPv4 address block was transferred is often acceptable documentation: the old management may have been lacs, but you, the IP address buyer, are not responsible for their actions.
As with so many parts of buying and selling IP addresses, you can do it yourself, but the help of an experienced broker like IPv4.Global can make your life a whole lot easier. Reach out to us today for all of your IPv4 needs.
We use the term “blocklist” here instead of “blacklist” because that’s how the services refer to themselves. Spamhaus has its DNS Block List (DNSBL) and Spamhaus BlockList, as well as other BlockLists. SORBS stands for Spam and Open Relay Blocking System. We note that historically, a “blacklist” is a list of people who are prohibited from employment or other activity by an authority (such as a government or cartel). The Reputation Block Lists (RBLs) described here take pains to point out that they are not an authority and do not block services themselves; we therefore eschew the use of “blacklist” as inaccurate.