Realtime Black Lists (RBLs)

The Double-Edged Sword of Using RBLs for Spam Filtering: The UCEPROTECT Scam


By Christopher Robison
2020-06-06




Introduction

In the ceaseless battle against spam, Realtime Black Lists (RBLs) have emerged as a potent weapon. An RBL contains lists of email servers, domain names, and IP addresses that are associated with hosting, producing, forwarding or otherwise contributing to spam. Email servers can reference these lists to determine whether an email comes from a “spammer” host and then flag or deny the message.

Gathering Intel

The RBL services use a number of methods to compile lists of IP addresses reputed to send spam, mostly honeypots. Honeypots are basically email servers set up to accept mail to “poison” email addresses that have been seeded in the wild by various means; it doesn’t take much more than listing an email address on a web page for the spam to start flowing. If a honeypot receives any message to a “poisoned” address, that sender is a spammer and is added to the RBL. Other ways to get added to the RBL include being reported or having an insecure or improperly configured server (open relays, etc.).

How RBLs Work

RBLs leverage the DNS service, normally known for looking up IP addresses for domain names. A suspected spamming domain is added to the RBL’s DNS as a host entry. This makes it incredibly simple to check if a domain or IP address is in the RBL using a normal DNS lookup; if a record is returned, they are a spammer and you can “blackhole” or otherwise handle the message as having a high probability of being spam. https://www.dnsbl.info/ has a good short explanation and history of the technology.
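The lookup described above, as an added Python example that is not part of the original post. It assumes the common DNSBL conventions documented in RFC 5782 (reversed-octet query names, return codes inside 127.0.0.0/8, and the 127.0.0.2 / 127.0.0.1 test entries); the zone names and DNS answers are constructed placeholders so it runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets (or IPv6 nibbles) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolve(name):
    """Return the A records for name via the system resolver, or [] on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN or resolver error: no usable answer
        return []

def lookup(ip, zone, resolve=system_resolve):
    """Return the list's return codes for ip; answers outside 127.0.0.0/8 are ignored."""
    answers = resolve(query_name(ip, zone))
    return [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]

def zone_is_sane(zone, resolve=system_resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    return bool(lookup("127.0.0.2", zone, resolve)) and not lookup("127.0.0.1", zone, resolve)

def score(ip, weighted_zones, resolve=system_resolve):
    """Sum the weights of sane zones that list ip; the caller picks the threshold."""
    return sum(weight for zone, weight in weighted_zones.items()
               if zone_is_sane(zone, resolve) and lookup(ip, zone, resolve))

# Constructed DNS data for offline use; every zone name here is a placeholder.
FAKE_DNS = {
    "2.0.0.127.good.dnsbl.example": ["127.0.0.2"],  # mandatory test entry
    "7.2.0.192.good.dnsbl.example": ["127.0.0.4"],  # 192.0.2.7 is listed
}

def fake_resolve(name):
    if name.endswith(".wildcard.dnsbl.example"):  # zone that "lists" everything
        return ["127.0.0.2"]
    if name.endswith(".parked.dnsbl.example"):    # dead zone answering with a web host
        return ["203.0.113.10"]
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    print(score("192.0.2.7", {"good.dnsbl.example": 2, "wildcard.dnsbl.example": 5}, fake_resolve))
```

The sanity check matters because a list that has been shut down, parked, or is refusing your resolver can start answering every query, which would otherwise look like every sender being listed.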

But like any tool, RBLs come with their own set of pros and cons, so let’s dive into why they’re both a blessing and a curse and what happens when a once-trusted RBL turns bad.

The Benefits

Here’s a quick rundown of the benefits of using an RBL:

  1. Efficient Filtering

    The most obvious benefit of RBLs is their ability to efficiently filter out spam. By cross-referencing incoming emails with a list of known spam IPs, email servers can quickly identify and block unwanted messages.

  2. Resource Savings

    Spam filtering can be resource-intensive. RBLs help to alleviate this by providing a quick way to reject spam before it even enters the system, saving both computational power and storage space.

  3. Community-Driven

    Many RBLs are maintained by communities of volunteers or organizations dedicated to internet security. This collective effort often results in highly accurate and up-to-date lists.

  4. Flexible

    RBLs can be customized to suit the specific needs of an organization. You can choose to implement multiple lists, or even create your own based on the spam you encounter.

The Drawbacks

There are always two sides to every coin, so let’s take a look at some of the drawbacks of RBLs:

  1. False Positives

    The most glaring issue with RBLs is the potential for false positives. Legitimate emails can sometimes be flagged and blocked, which can lead to missed opportunities or strained relationships.

  2. Lack of Due Process

    Once an IP is blacklisted, it can be challenging to get it removed, especially if the RBL is not well-maintained. This can be particularly problematic for dynamic IPs, which may be reassigned to innocent users.

  3. Potential for Abuse

    RBLs can be weaponized to block competitors or dissenting voices. Even worse is when an RBL goes bad, as I discuss a bit later. While neither of these is common, the potential for abuse exists.

Renegade RBL Providers: The UCEPROTECT Case

While RBLs generally aim to make the digital world a safer place, not all providers play by the same rules. Some, like UCEPROTECT, have garnered controversy for their aggressive tactics. The following are some of the tactics UCEPROTECT uses to extort money from innocent service providers:

  1. Broad Strokes: Blocking Entire Subnets

    UCEPROTECT is known for blocking entire subnets instead of individual IPs, a practice that can cause significant collateral damage. This “guilty by association” approach can result in the blocking of numerous innocent users who happen to share a subnet with a spam source.

  2. Pay-to-Play: The Delisting Dilemma

    What sets UCEPROTECT apart from most other RBLs is their requirement for payment to expedite delisting. This has led to accusations of operating more like a “ransom” service than a legitimate security tool. While they argue that the fee is a deterrent against spammers, critics claim it’s a revenue-generating scheme that exploits those desperate to restore their online reputation.

  3. Ethical Concerns

    Such practices raise ethical questions about the role and governance of RBL providers. Should they be allowed to hold such sway over online communications, especially when their actions can affect innocent parties? And should delisting ever be a paid service, or should it be based solely on the merit of the case?

Final Thoughts

The case of UCEPROTECT serves as a cautionary tale in the use of RBLs. While these lists can be incredibly useful, it’s crucial to consider the source and their practices. Always do your due diligence when choosing an RBL provider, and be aware that some may come with ethical and practical complications that could do more harm than good.

Realtime Black Lists offer a powerful means of filtering out spam, saving resources, and leveraging community knowledge for better security. However, they are not without their flaws, such as the potential for false positives and abuse. Like any tool, the key to using RBLs effectively lies in understanding their limitations and remembering that not all RBLs are created equal. Choose wisely, and keep an eye out for those that might be playing fast and loose with your online security.

