
What is a dot-zero listing?

[Image: HITRON MH-65C fires warning shots]

Some email blacklists focus solely on allowing their users to block mail from problematic sources. Others aim to reduce the amount of bad mail sent and prefer that senders clean up their practices, rather than just blocking them wholesale. The Spamhaus SBL is one of the second type, using listings both to block mail permanently from irredeemable spammers and as short-term encouragement for a sender to fix their practices.

All of a blacklist’s infrastructure – and the infrastructure of related companies, such as reputation monitoring services – is based on identifying senders by their IP addresses and recording their misbehaviour as records associated with those IP addresses. For example, one test entry for the SBL is the IP address 192.203.178.107, and the associated record is SBL230. Because of that, blacklists tend not to have a good way to deal with entities that aren’t associated with an IP address range.

Sometimes a blacklist operator would like to put a sender on notice that the mail they’re emitting is a problem, and that they should take steps to fix it, but doesn’t want to actually block that sender’s mail immediately. How can that be done within the constraints of IP-address-based blacklist infrastructure?

IP addresses are assigned to users in contiguous blocks, and there are always a few wasted, as you can’t use the first or last address in the range (for technical and historical reasons). Our main network consists of 128 IP addresses, 184.105.179.128 to 184.105.179.255, but we can’t put servers on 184.105.179.128 (as it’s our router) or 184.105.179.255 (as it’s the “broadcast address” for our subnet).

So if Spamhaus wanted to warn us that we were in danger of having our mail blocked, they could fire a shot across our bow without risk of blocking any mail right now by listing the first address in our subnet – 184.105.179.128 – knowing that we don’t have a server running on that address.

For any organization with more than 128 IP addresses – which includes pretty much all ISPs and ESPs – IP addresses are assigned such that the first IP address in the range ends in a zero, so the warning listing will be for an address “x.y.z.0” – hence, a dot-zero listing.
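As an added example (not code from the original post), the following Python applies the addressing rules above to decide what a single-IP listing means for the owner of a block: whether it is a harmless dot-zero warning or actually blocks a host. The 184.105.179.128/25 block is the one described in the post; the 10.0.0.0 blocks are constructed test values.

```python
from ipaddress import ip_address, ip_network

# The post's own block: 128 addresses, 184.105.179.128 to .255, i.e. a /25.
OUR_NETWORK = "184.105.179.128/25"

def unusable_addresses(cidr):
    """Return the (network, broadcast) addresses of a block as strings.

    Neither can host a mail server, which is what makes listing the first
    one a warning rather than a block.  A /31 or /32 has no such addresses
    (every address in it is usable), so an empty tuple is returned.
    """
    net = ip_network(cidr, strict=True)  # raises ValueError if host bits are set
    if net.prefixlen >= 31:
        return ()
    return (str(net.network_address), str(net.broadcast_address))

def classify_listing(listed_ip, cidr):
    """Say what a single-IP listing means for the owner of `cidr`.

    'dot-zero'  : the block's network address; nothing runs there, so no
                  mail is blocked (the shot across the bow from the post)
    'broadcast' : the block's last address, likewise unusable
    'host'      : a usable address; mail from it really is blocked
    'outside'   : the listed address is not in this block at all
    """
    ip = ip_address(listed_ip)
    net = ip_network(cidr, strict=True)
    if ip not in net:
        return "outside"
    unusable = unusable_addresses(cidr)
    if unusable and str(ip) == unusable[0]:
        return "dot-zero"
    if unusable and str(ip) == unusable[1]:
        return "broadcast"
    return "host"

def ends_in_dot_zero(cidr):
    """True when the block's first address literally ends in '.0', which the
    post notes is the case for any allocation of 256 addresses (/24) or more."""
    net = ip_network(cidr, strict=True)
    return str(net.network_address).endswith(".0")

if __name__ == "__main__":
    for ip in ("184.105.179.128", "184.105.179.255", "184.105.179.130"):
        print(ip, "->", classify_listing(ip, OUR_NETWORK))
```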

9 comments

  1. Tom says

    Does Spamhaus actually provide these kinds of warnings or are you just saying they could do this?

  2. steve says

    Spamhaus do use this sort of listing, usually to provide an SBL record for an issue at a reasonably respected ESP or ISP without actually blocking mail. I don’t have a current example handy because, well, those respected ESPs and ISPs tend to resolve the issues and get them delisted fairly quickly.

  3. Catherine Jefferson says

    Spamhaus definitely provides dot-zero warnings, Tom. Here is one that’s live now:

    http://www.spamhaus.org/sbl/query/SBL187554

    I noticed this particular SBL because I used ZoneAlarm in the 1990s and gave Zonelabs an email address when registering my copy. That email address had become unusable by the early 2000s because of the amount of spam that it received, and I closed it in 2002. Checkpoint, who at some point bought ZoneLabs, is still mailing that email address.

  4. Larry Sheldon says

    Interesting. All of the networks I have ever administered have the default gateway (“the router”) on one less than the broadcast – w.x.y.254 in the example case.

  5. Al Iverson says

    Interesting, ZA/ZL was a client of mine back in my Minnesota days. I can’t remember if they used our confirmed opt-in signup server, though.

    Spamhaus does indeed provide these kinds of warnings. They will also move an active listing to a “dot zero” listing as a probationary measure after mitigation has begun and while perhaps waiting to watch for a positive outcome.

  6. steve says

    @Larry. Yes, the default gateway can be anywhere in the range, and one below the top (.254) is nearly as common as one above the bottom (.1), I think. The first address in the range (.0) is used to identify the subnet itself (for anything bigger than a /31, anyway).

    (There’s actually a second reason not to use any .0 address, even if it’s in the middle of /23 or bigger CIDR block – there are still machines out there that have remnants of pre-CIDR logic and won’t communicate successfully with another machine that has a .0 address.)

  7. Tom says

    I’d never heard of this before. Spamhaus should do this for all IP ranges, not just for respected ESPs/ISPs. Is there any reason not to give all mailers a warning and an opportunity to clean up what they’re doing?

  8. Huey says

    I’m gonna guess that it’s because there’s no point in giving warnings to people who won’t heed them, therefore ‘respected’.

  9. Johan Haagsma says

    Another reason for listing .0/32 addresses on the SBL can be to notify an upstream provider if a network asset is found to be hijacked, for example. In such cases, a ‘network pointer record’ is created to send off an SBL notification to the upstream provider in question. The IP of the last network hop prior to entering the network asset is then listed; see http://www.spamhaus.org/sbl/query/SBL179085 for example.

    Some network owners actually have .0 addresses in their IP pool, OVH is one example that springs to mind.

