IP Address Blocklists – The Guardians of Reputation

by Leo Vegoda

There are two basic kinds of businesses that use IP addresses and domain names. One kind provides the content of the internet, hosting and delivering it – normally in the form of a website. The other sort of internet business serves the eyeballs that consume that content. That is, it provides users with access – usually an ISP (internet service provider).

The send-and-receive relationship surrounding websites is different from that of email. In the case of email, users generate content for one another and rely on email services to transmit it. But in both cases, content good and bad needs some point of entry into the internet from which it is dispatched.

Bad actors appeared on the internet stage quite early in its development, and in the 1990s various proposals were offered to curb or eliminate the delivery of their content. The primary target was email, especially spam and other objectionable material. The best of these proposals sought to identify the senders and to disseminate information about them so that others could block what they sent.

Content IP Address Blocklisting

Computer scientist Paul Vixie created MAPS, the first real-time blocklist (the Realtime Blackhole List, or RBL), in 1997. Its goal was to identify the IP addresses that sent bad material, so that those who provide access to users could block mail from those addresses. The core idea was to publish the IP addresses of bad actors as a list that anyone could query, so they could be blocked from successfully delivering their content.

Today, reputation lists evaluate domain names as well as IP addresses. Their goal is to give engineering teams the information they need to decide whether to accept a message, or other data traffic. They are important in helping companies filter out security threats, like phishing and botnet traffic, as well as mundane spam.

Mail and other messaging services are mostly operated by a few centralized providers, and in many outreach efforts even marketing messages are tailored to each recipient. Because no two messages look alike, content-based filters catch only part of the problem, so knowing whether a sender generally sends messages that people want to read is a very useful complement.

Some reputation list managers, like Spamhaus, are nonprofit. Others are commercial businesses. What they have in common is that they provide datasets of IP addresses and their characteristics. Users can query the list dynamically, normally with a DNS lookup, or arrange for a regularly updated local copy.

The factors to check for when evaluating lists include:

  • Do they make the listing and delisting criteria easily available?
  • Do they maintain an audit trail?
  • Do they document how aggressive they are – for example, do they list individual addresses, CIDR networks, or whole ASNs, and when?

The right blocklist providers will depend on your business needs. These are worth evaluating.

Spamhaus

  • Multiple lists, including content blocklists
  • Highly regarded
  • Industry veterans

Spamcop

Barracuda Reputation Block List

  • Free service
  • Provided by a network security company

Abusix

  • Free service
  • Local mirror available

These blocklists are often used alongside allow lists, which ensure that a temporary listing does not stop legitimate mail from being sent and received.

Getting listed and delisted

DNS blocklist operators run spam traps and honeypots – addresses that exist only to detect spam – and list the servers that send mail to them. But an operator rarely has just one list. Typically, there will be several, including:

  • IP addresses that should not be sending mail directly, like residential subscriber addresses (a policy list)
  • IP addresses that sent mail to spam traps
  • IP addresses that appear to be compromised
  • IP addresses that are VPNs, proxies and Tor exit nodes
  • Newly registered domain names
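How a mail server actually consults these lists, as an added example (not code from the article or from any list operator): the address is reversed, octet by octet for IPv4 or nibble by nibble for IPv6, and looked up as a hostname under the list's DNS zone; an answer in 127.0.0.0/8 means "listed", and the last octet says which of the operator's lists the address is on, while NXDOMAIN means "not listed". The answer-code table below is Spamhaus's published ZEN codes at the time of writing and should be checked against their current documentation; the zone `dnsbl.example` and every address and answer in `FAKE_ANSWERS` are constructed so the example runs offline.

```python
"""DNSBL lookups from the mail-server side.

Added example, not code from the original article. It builds the query name
for an IPv4 or IPv6 address (RFC 5782 layout), decodes the 127.0.0.x answers,
applies a local allow list, and runs the RFC 5782 self-test that confirms a
zone is really answering before its verdicts are trusted.
"""
import ipaddress
import socket

# Spamhaus ZEN answer codes as documented by Spamhaus at the time of writing.
# Verify against current documentation; other zones use other codes.
ZEN_CODES = {
    "127.0.0.2": "SBL: Spamhaus-maintained spam source",
    "127.0.0.3": "SBL CSS: snowshoe or compromised-account spam",
    "127.0.0.4": "XBL: exploited or compromised host",
    "127.0.0.5": "XBL: exploited or compromised host",
    "127.0.0.6": "XBL: exploited or compromised host",
    "127.0.0.7": "XBL: exploited or compromised host",
    "127.0.0.10": "PBL: ISP policy says this address should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus policy says this address should not send mail directly",
}
# Answers in 127.255.255.0/24 report a problem with the query, not a listing.
ERROR_CODES = {
    "127.255.255.252": "typing error in the query name",
    "127.255.255.254": "query refused: sent through a public or open resolver",
    "127.255.255.255": "query refused: free-use query limit exceeded",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Query name for ip in zone: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".")


def system_resolve(name):
    """A records for name from the system resolver; [] on NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(ip, zone, resolve=system_resolve, codes=ZEN_CODES):
    """Query one zone. Returns {'listed': bool, 'reasons': [...], 'error': str or None}."""
    answers = resolve(dnsbl_query_name(ip, zone))
    # A dead zone whose domain was parked answers every name with a public
    # address; treat anything outside 127/8 as an error, never as a listing.
    if any(ipaddress.ip_address(a) not in LOOPBACK for a in answers):
        return {"listed": False, "reasons": [], "error": "answer outside 127.0.0.0/8 (dead or hijacked zone)"}
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if errors:
        return {"listed": False, "reasons": [], "error": "; ".join(errors)}
    reasons = [codes.get(a, "unknown answer code " + a) for a in answers]
    return {"listed": bool(reasons), "reasons": reasons, "error": None}


def self_test(zone, resolve=system_resolve):
    """RFC 5782 check: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    positive = lookup("127.0.0.2", zone, resolve)
    negative = lookup("127.0.0.1", zone, resolve)
    return positive["listed"] and not negative["listed"] and negative["error"] is None


def decide(ip, zone, allow_list=(), resolve=system_resolve):
    """Return 'accept', 'reject' or 'defer'. Allow-listed networks are never
    blocked, so a temporary listing cannot bounce legitimate mail, and a broken
    lookup defers (temporary failure) instead of rejecting."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in allow_list):
        return "accept"
    result = lookup(ip, zone, resolve)
    if result["error"]:
        return "defer"
    return "reject" if result["listed"] else "accept"


# Constructed offline stand-in for DNS: a hypothetical zone and its answers.
FAKE_ZONE = "dnsbl.example"
FAKE_ANSWERS = {
    dnsbl_query_name("127.0.0.2", FAKE_ZONE): ["127.0.0.2"],         # RFC 5782 test entry
    dnsbl_query_name("192.0.2.10", FAKE_ZONE): ["127.0.0.4"],        # constructed XBL hit
    dnsbl_query_name("192.0.2.20", FAKE_ZONE): ["127.0.0.10"],       # constructed PBL hit
    dnsbl_query_name("192.0.2.30", FAKE_ZONE): ["127.255.255.254"],  # constructed query error
    dnsbl_query_name("2001:db8::1", FAKE_ZONE): ["127.0.0.2"],       # constructed IPv6 hit
}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    print("self-test:", self_test(FAKE_ZONE, fake_resolve))
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99", "2001:db8::1"]:
        verdict = decide(ip, FAKE_ZONE, allow_list=["192.0.2.16/28"], resolve=fake_resolve)
        print(ip, verdict, lookup(ip, FAKE_ZONE, fake_resolve))
```

Two details matter in production: run the self-test at startup and periodically, because a zone that has gone dark returns NXDOMAIN for everything and silently stops filtering, and treat the 127.255.255.x codes (and any answer outside 127/8) as a lookup failure rather than as "clean" or "listed".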

If your IP address is listed, then fixing the problem should result in an automatic delisting. If it does not, the blocklist owner should provide an explanation of why an address was listed. They should also provide a way to request removal from the list.

Charging fees to the subscribers who use a list is considered fine; in the words of RFC 6471, the IETF's overview of DNSBL operational best practice, that is “the definition of a commercial DNSBL.” But charging the listed party to achieve or expedite removal steers perilously close to extortion, blackmail, or a ‘protection racket’, and internet engineers recommend that lists imposing such fees not be used.

Location is part of IP Address reputation

Reputation is about more than just spam and malware. Banks, retailers, and content networks all use GeoIP location data when deciding how they will serve their customers: banks and retailers as part of their risk management, content networks to comply with contractual obligations.

Banking websites know where you normally do business from. If you change location they can use that as an input to their overall risk management: the greater the change, the greater the risk. A bank might decide to limit payment orders made from a higher-risk location. Similarly, retailers use GeoIP data in their automated fraud-risk evaluation of sales. They don't want to deliver goods or services bought with a stolen card.

Content networks can be a bit more relaxed. They obviously want to localize the user interface and advertising based on location: a United States based account holder in France will see a French user interface, along with local advertising.

But content is often licensed per territory, so streaming services need GeoIP data to limit access from outside the permitted territories. Research into content-unblocking VPNs has shown that this is a highly dynamic set of services, with the unblockers and the blockers constantly adapting to each other: evolution in action. Rights to sports content sell for the highest rates, so enforcement around sports content is the strongest.

What can you do to clean your IP addresses?

Reputation-based DNS blocklists, like those Spamhaus runs, only list your IP addresses if they see spam from them and you don't resolve the issue. Keeping your addresses clean is mostly a matter of hygiene:

  • List addresses that should never be used to send mail on lists like Spamhaus’ Policy Block List
  • Make sure your abuse contact address works
  • Respond to the automated contact address checks run by the RIRs (regional internet registries), which periodically verify that registered abuse contacts still work
  • Resolve abuse reports in hours, not days or weeks
  • Publish a geofeed (RFC 8805) for your IP addresses, so geolocation services can provide the services your users expect
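What a geofeed looks like and how to check one before publishing it, as an added example (not code from the article or from any registry): RFC 8805 defines a CSV file with one prefix per line and the fields prefix, ISO 3166-1 alpha-2 country, ISO 3166-2 region, city and postal code, with `#` comment lines allowed. The validator below applies the checks a consumer of the feed would apply, and the sample feed is constructed from the documentation address ranges; it describes no real network.

```python
"""Validate an RFC 8805 geofeed before publishing it.

Added example, not code from the original article. Fields per line:
prefix, ISO 3166-1 alpha-2 country, ISO 3166-2 region, city, postal code.
"""
import csv
import ipaddress
import re

COUNTRY_RE = re.compile(r"^[A-Z]{2}$")                # ISO 3166-1 alpha-2, upper case
REGION_RE = re.compile(r"^[A-Z]{2}-[A-Z0-9]{1,3}$")   # ISO 3166-2, e.g. US-CA, DE-BE


def validate_geofeed(text):
    """Return (entries, errors, warnings).

    entries: dicts for lines that passed every check, in file order.
    errors: problems that make a line unusable to a consumer.
    warnings: things worth a second look before the file goes public."""
    entries, errors, warnings = [], [], []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = next(csv.reader([line]))
        if len(fields) != 5:
            errors.append(f"line {lineno}: expected 5 fields, got {len(fields)}")
            continue
        prefix, country, region, city, postal = (f.strip() for f in fields)
        problems = []
        net = None
        try:
            # strict=True rejects host bits, e.g. 203.0.113.7/24
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            problems.append(f"bad prefix {prefix!r}: {exc}")
        if country and not COUNTRY_RE.match(country):
            problems.append(f"country {country!r} is not an upper-case ISO 3166-1 alpha-2 code")
        if region:
            if not REGION_RE.match(region):
                problems.append(f"region {region!r} is not an ISO 3166-2 code")
            elif COUNTRY_RE.match(country or "") and region[:2] != country:
                problems.append(f"region {region!r} belongs to {region[:2]}, not {country}")
        if net is not None and net in seen:
            problems.append(f"duplicate prefix {prefix}")
        if problems:
            errors.extend(f"line {lineno}: {p}" for p in problems)
            continue
        if postal:
            # A postal code locates users far more precisely than most operators intend.
            warnings.append(f"line {lineno}: postal code {postal!r} published for {prefix}")
        seen.add(net)
        entries.append({"prefix": str(net), "country": country, "region": region,
                        "city": city, "postal": postal})
    return entries, errors, warnings


# Constructed sample feed. 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and
# 2001:db8::/32 are documentation ranges, not real networks.
SAMPLE_GEOFEED = """\
# constructed sample geofeed
192.0.2.0/24,NL,NL-NH,Amsterdam,
192.0.2.128/25,NL,NL-ZH,Rotterdam,
2001:db8::/32,DE,DE-BE,Berlin,
198.51.100.0/25,US,US-CA,Mountain View,94043
198.51.100.128/25,US,FR-IDF,,
203.0.113.7/24,GB,,,
203.0.113.0/24,gb,GB-LND,London,
192.0.2.0/24,NL,,,
203.0.113.0/24,GB,GB-LND,London
"""

if __name__ == "__main__":
    good, bad, warn = validate_geofeed(SAMPLE_GEOFEED)
    print(f"{len(good)} usable entries, {len(bad)} errors, {len(warn)} warnings")
    for msg in bad + warn:
        print(" ", msg)
```

A more specific prefix inside an already listed one (192.0.2.128/25 under 192.0.2.0/24 above) is deliberately allowed, because that is how a feed expresses that part of a block sits somewhere else; an exact repeat of a prefix is flagged as a duplicate. Once the file validates, publish it over HTTPS and reference it from your address registration so geolocation providers can find it (RFC 9092 describes how).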

If you are new to managing network abuse issues, take the RIPE NCC’s free webinar.