blog.anta.net

Because of spam and other forms of network abuse, access to network services — such as mail exchangers — is restricted more and more often. This document suggests a procedural framework for administrators whose networks or servers have been “blacklisted”.

The basics

You cannot bully people into accepting your traffic

The Internet consists of a large number of individual networks. Most of these networks are privately owned. Whenever a network someone else pays for agrees to receive traffic that you send, it is extending hospitality to you and may revoke this hospitality without notice. In most cases, you will have no means to force a network to accept email or any other traffic from yours.

(A pointy-haired person once commented, in disbelief, “But that would be anarchy!” — Not far from the head of the nail, although “oligarchy” probably would be an even better description of the distributed nature of Internet governance.)

Issuing demands when blocked is probably the worst thing you can do to your own connectivity. Distributed block lists are protected through freedom of speech, and their operators are often highly regarded by the Internet community they serve. In addition, administrators have a duty to protect their resources, so they are usually very serious about their right to restrict access. Picking a fight with block list operators — especially issuing any threat of legal action — over your listing is therefore likely to swiftly place your networks in an indefinite number of static access lists all over the globe (yes, that is a lot of jurisdictions) for a long time.

Natural selection applies to block lists. If using a list does not produce good results, not many people will use it. Conversely, the lists that survive are likely to be both effective and esteemed.

Understanding block lists

• Local lists are typically static access list files used on one site or within one organization.
• Distributed lists, such as SBL and SORBS, are available to the public (perhaps for a fee), usually through the DNS. Mail servers typically query distributed lists dynamically rather than store a local copy of the entire list.

If you are dealing with a distributed block list, be sure to understand the difference between these roles:

• the list operator who has added you to their list
• the party who is using the list on their networks and/or servers

Adding a network to a distributed list is merely an informational service that by itself does not affect the listee’s traffic. Any decision to actually block or otherwise influence traffic to a site is up to an administrator at that site. In other words, the block list operator only runs a list — whether and how to use that list is up to individual network administrators.

Being blacklisted does not necessarily mean that anyone thinks someone using your network or domain has committed abuse. As an example, mail server administrators often use block lists to deny dial-up and DSL users SMTP access, encouraging those users to send their mail through their providers’ smarthosts instead. Some lists also define abuse in a debatable fashion, including therein RFC 821/5321 non-delivery messages and other automatic responses (since an erroneous return address would cause so-called outscatter to third, unrelated parties). Still others seek to list all networks assigned to certain countries, so that a provider can enforce a policy of not accepting mail sent from or through those countries.

(Although the terms “block list” and “blacklisting” are established de facto and therefore used in this document, they are technically incorrect. Administrators may also use distributed lists for other purposes than actually blocking traffic; spam filters often use them merely to tag email Subject: lines and they could, at least theoretically, even be used to favour listees.)

Things you can do to help prevent being listed

• Do not allow anyone or anything to send spam from your networks.
• Do not host any kind of spam support services, such as
  • directly or indirectly “spamvertised” web sites
  • “drop boxes” for replies to spam
  • DNS service for spammers
  • payment processing services for “spamvertised” products
  • spam tools, such as web pages marketing “millions of email addresses”
• Make sure all your hosts are secure. No “spam bots”, open SMTP relays, open proxy servers or similar abuse intermediaries may exist.
• Implement abuse and postmaster addresses.
• Make sure adequate contact information (most importantly, organization and person names, email addresses and telephone as well as fax numbers) for all your domains and networks is available on the relevant whois service.
• Publish an adequate, detailed and binding AUP. Focus on preventing abuse from occurring in the first place.
• Should your preventative anti-abuse measures fail: act upon legitimate problem reports, and consider publishing your actions.
• Make sure all your mail exchangers accept empty return path (MAIL From: <>) delivery status notifications.
• Avoid bad neighbourhoods. If your providers are ignorant or downright abuse-friendly, their reputation is likely to “trickle down” to you.

Steps to take if you find yourself listed

As discussed above, never threaten legal action over blacklisting issues.

1. Find out how you are being blocked

   There is no single universal Internet block list. Pay attention to the error messages you have received. If there are references to a distributed block list, note them.

   You can also try looking up your domains and networks on major block lists. Some blacklisting web sites allow you to query many lists at once. Note that you might be on several different lists, maybe even for several different reasons.

   You can usually query distributed lists by using a DNS resolver and prepending the lookup key (in the case of an IP address, in reverse order) to the zone name. The existence of any A record indicates a positive result. For example, if the IP address 192.0.2.2 were listed on relays.dnsbl.example, the query dig 2.2.0.192.relays.dnsbl.example might yield 2.2.0.192.relays.dnsbl.example. 300 IN A 127.0.0.2. In order to differentiate between reasons for listing, the list might also use 127.0.0.3, 127.0.0.4 and so on. An NXDOMAIN reply would instead indicate that 192.0.2.2 was not listed.

   If you do not find yourself listed on any of the distributed block lists, you will have to assume for now that a local access list is blocking your traffic. Most of this document still applies.

2. Find out why you are being blocked

   Sometimes an error message (or, in the case of distributed lists, a TXT record) will state the reason for the block. Distributed block lists often run informative web sites providing answers to frequently asked questions. Even if you have been blocked only locally, the organisation blocking your traffic might have a web page explaining their policy, possibly even displaying their current block lists.

   If you cannot find any clue as to why you are being blocked, you may have to contact the blocking site at this stage already.

3. Remove the problem, if possible

   Fixing the problem that has earned you a listing may be as easy as pulling the plug on a spam relay, or as complicated as implementing and enforcing new terms of service. Be as thorough as possible; do your best to make sure the problem is gone and cannot resurface.

   In some cases, you might conclude that the reason for the listing is impossible to remove. For example, you might be unable to relocate to a different country in order to evade a country-based listing. You might find it useful to contact (e.g. phone or fax) the party who is blocking you, and ask them to “whitelist” you. Think very carefully before attempting to circumvent a listing; if a recipient does not want your traffic, they are also likely to block any alternative routes you might find.

4. Request removal, if appropriate

   Many block lists have automated interfaces, such as web forms, for requesting removal of list entries. Always try to comply with the procedures set out by the list operator. If you need to phrase your request, make it polite. Most operators are eager to keep their lists up to date, but it is human to prioritize attractively written requests over hate mail.

   Whenever you contact someone — whether in public or in private — over a listing, please be specific. Someone who does not know which list and which networks or domains you mean would find phrases such as “please remove me” or “why am I blocked?” quite meaningless. Something like “the open relay at 192.0.2.2 has now been repaired, please consider removing 2.2.0.192.relays.dnsbl.example” would be much better.

   Please note that if your entire provider — or, indeed, one of their providers — is being blocked, removal is likely to require efforts by them. Therefore, in such a case, avoid bothering the list operator; instead direct your efforts at your own provider.

5. If unsuccessful, contact the recipient

   You might find your removal request denied (in fact, some lists do not allow for removal requests at all). If so, the senders should contact their intended recipients, for example by telephone or fax, to request a so-called whitelisting, in other words an exception that will allow certain mail through irrespective of any block list entries. After all, if the recipients do want mail from your users, blocking it makes no sense.

6. If you feel that you need professional advice, seek it (added on 30 December 2008)

   The editor of this blog may be able to assist other ICT pros individually, on a commercial basis.

7. Additionally, you might want to discuss the issue in a suitable public medium — such as here (free of charge, of course)! Please leave your comments!