AHBL Wildcards the Internet

AHBL (Abusive Hosts Blocking List) is a DNSBL (DNS-based Blocklist) that has been in operation since 2003 and is used by mail administrators to crowd-source the addresses of spam sources, open proxies, and open relays. By collecting that data into a single DNS zone, a mail system can look up each sender and decide whether a message should be accepted or rejected. AHBL is run by The Summit Open Source Development Group, which has decided, after 11 years, that it no longer wishes to maintain the list.
A DNSBL works like this: for every inbound email the mail server takes the sender's IP address, reverses its octets, appends the list's zone name, and performs an ordinary DNS lookup. The list answers either "yes" (an address in 127.0.0.0/8 comes back, meaning the IP is listed) or "no" (the name does not exist). If an address is found on the list, the mail administrator, according to the policies configured on their server, can take a number of actions: reject the message, quarantine it, or raise its spam score.
The administrators of AHBL have chosen to list the world as their shutdown strategy: the DNSBL now answers "yes" to every query. The theory is that users of the list will discover that all of their mail is being blocked, notice, and stop querying the list that is causing it. In principle this should work. In practice it largely does not, because many of the systems querying the list are not using it for a pass/fail delivery decision. Many lists are consulted as one input to a scoring system, where a single listing only nudges the score and nobody notices.
Maintaining a DNSBL is a lot of work, and after years of providing a valuable service you are thanked with the difficulty of decommissioning it. Popular DNSBLs like AHBL are used by thousands of administrators, and getting all of them to stop is a tough task. RFC 6471 has a number of recommendations, such as increasing the delay before a query is answered, but this does not stop people from using the list. You could change the page on the website to advise people that the list is no longer valid, but unlike a person surfing the web who hits a 404 page, a computer does not mind checking the same 404 page over and over.
Many mail servers, particularly those serving only a small number of users, are running spam filters in fire-and-forget mode: unmaintained, unmonitored, and seldom upgraded until the hardware they run on dies and is replaced. Unless they do proper liveness detection on the blocklists they use (and they basically never do), they will keep querying a list forever, unless it breaks something so spectacularly that the admin notices. The check itself is cheap: every DNSBL is required to list the test address 127.0.0.2 and to not list 127.0.0.1 (RFC 5782, section 5), so a list that answers "yes" for 127.0.0.1, or "no" for 127.0.0.2, is dead and should be dropped from the configuration.
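How a lookup is formed and read, and the liveness check a filter should run before trusting a list, as an added example that is not code from the original post or from AHBL. The zone name dnsbl.example, the three resolvers, and the sample addresses are constructed for the demonstration; the 127.0.0.2 / 127.0.0.1 test entries are the ones RFC 5782 requires of every DNSBL. Resolution is injected as a callable so the code runs offline and the same logic can be wrapped around a real DNS client.

```python
"""Added example, not code from the original post or from AHBL.

It shows how a DNSBL lookup is formed and read, and the liveness test
(RFC 5782 section 5, recommended by RFC 6471) that catches a list which
has been wildcarded to answer 'listed' for everything, as AHBL now does.
DNS resolution is injected as a callable so the example runs offline;
the resolvers at the bottom are constructed stand-ins, not real traffic.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver takes a query name and returns its A-record answers, or None
# for NXDOMAIN.  In production this would wrap a real DNS client.
Resolver = Callable[[str], Optional[List[str]]]

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on bad input
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """True only if the list returns a 127.0.0.0/8 answer for the address.

    Any other answer is treated as 'not listed': a zone whose domain has
    lapsed and been parked with a wildcard pointing at a web server must
    not be read as a listing of every sender on the Internet.
    """
    answers = resolve(dnsbl_query_name(ip, zone)) or []
    return any(ipaddress.IPv4Address(a) in LISTED_RANGE for a in answers)


def dnsbl_is_healthy(zone: str, resolve: Resolver) -> bool:
    """Liveness test: 127.0.0.2 must be listed and 127.0.0.1 must not be.

    A list that was shut down by wildcarding lists 127.0.0.1 too; a list
    whose zone has vanished lists neither.  Both fail this check.
    Run it periodically (e.g. from cron), not on every inbound message.
    """
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))


def check_sender(ip: str, zone: str, resolve: Resolver) -> str:
    """Consult the list only when it is usable; otherwise say so loudly."""
    if not dnsbl_is_healthy(zone, resolve):
        return "list-unusable"   # log this and drop the list from config
    return "listed" if is_listed(ip, zone, resolve) else "not-listed"


# --- constructed resolvers for an offline demonstration -----------------
ZONE = "dnsbl.example"  # hypothetical zone, standing in for dnsbl.ahbl.org

_HEALTHY_DATA: Dict[str, List[str]] = {
    dnsbl_query_name("127.0.0.2", ZONE): ["127.0.0.2"],  # mandatory test entry
    dnsbl_query_name("192.0.2.1", ZONE): ["127.0.0.2"],  # one listed host
}


def healthy_resolver(name: str) -> Optional[List[str]]:
    """A maintained list: only the entries above exist; all else is NXDOMAIN."""
    return _HEALTHY_DATA.get(name)


def wildcarded_resolver(name: str) -> Optional[List[str]]:
    """A list shut down the AHBL way: every name under the zone is listed."""
    return ["127.0.0.2"] if name.endswith("." + ZONE) else None


def parked_resolver(name: str) -> Optional[List[str]]:
    """A lapsed domain with a wildcard A record pointing at a web host."""
    return ["203.0.113.10"] if name.endswith("." + ZONE) else None


if __name__ == "__main__":
    for label, resolver in (("healthy", healthy_resolver),
                            ("wildcarded", wildcarded_resolver),
                            ("parked", parked_resolver)):
        print(label, check_sender("198.51.100.7", ZONE, resolver))
```

Note that `is_listed` deliberately ignores answers outside 127.0.0.0/8: the scoring-system case the post describes is bad enough with a wildcarded list, and it gets worse when a retired zone's domain is later registered by someone else and wildcarded to a web server, so a filter that treats "any A record" as "listed" would then reject all mail.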
So spread the word:

If you are using dnsbl.ahbl.org, ircbl.ahbl.org, or rhsbl.ahbl.org, you should remove them from your mail filter configuration immediately.

AHBL has published a list of the IP addresses and ASNs that are still querying the blacklist.

11 comments

  • Remember when Osirusoft did the same thing, they were maintaining the SPEWS.org list?
    They were sued because some people thought they were somehow blocking mail.
    But it was those that were querying them that were doing the blocking, and they asked those people to stop querying.
    But as the story mentioned, so many mail admins are not paying attention, not reading their logs, not fixing errors. It just goes on all the time, day after day. Carelessness.
    I never thought they were so powerful as to be able to block other people’s mail. Heh.

  • We can just send postmaster@ for these hosts an email. After all, these are well-maintained servers, so it is guaranteed that someone will answer.
    It is also certain that they are following best practices by not activating spam filtering on postmaster aliases.
    Myself, I am going to analyze the list for any moderately important ISPs and see if we can contact them somehow. I will report here if I find anyone large enough to warrant interest.

  • I wish there was a better solution to shutting down the list – I tried to warn people ahead of time, but as pointed out, doesn’t make much of a difference…
    People ask, why can’t we just remove the name servers? Well, the public DNSbl lists are not the only services on that domain. We have private DNSbl lists and other services that run off of the same domain.
    I’ll be updating the list of networks/hosts still querying over the next few days. I’ve thought about trying to automatically e-mail the whois contacts, but based on past experiences, it will either result in an awful lot of bounces, or people making threats/accusations.
    :-/

  • Brielle: I would have whitelisted the internet. While there is a chance that people use additional RBLs or anti-spam mechanisms, the corollary is not as likely; that is, you are more likely to hurt innocent postmasters.
    Then again, I would also start returning obvious garbage, so errors might register in logs. Everything goes: CNAMEs to random hosts, SRV records, TXT records, unsupported record types, anything that might register in logs, because a blacklist won't go there. Maybe even EICAR as part of the TXT record to alert IDS systems (too risky perhaps...).

  • Brielle,
    I’ve gone through this sort of thing before. You’ll probably still be getting a ton of traffic years from now.
    When you really want to be rid of it, move the domain to new name servers registered to RFC 1918 addresses, and just put up A records for those name servers with very long TTLs. In theory then at least only the client machines and their local resolvers should be much affected by the resulting lack of responses.

  • I would very much appreciate it if someone would explain to me in simpleton terms I can understand why whitelisting the entire Internet, or setting the DNSBL to answer 'no' to every query, was not an option.

  • Ken, where's the fun in that? After all, postmasters are a bored bunch; they wouldn't mind some spice now, would they?
    Now if you don't mind, I am preparing a submission to Amazon to purge parts of their global suppression list.

  • Ken, because that doesn't work. The blacklist will continue to get queries *forever*. (Listing the entire Internet doesn't work well either, but it's a little better.)
    As an example of how long it can last, I am still receiving queries for typos of CBL queries that I set to list the entire Internet seven years ago.
    And as to how big a problem that is, a long time ago I had abuseat.com pointing at a commercial DNS provider I was evaluating. One user decided that the hostname for the CBL was cbl.abuseat.com, not cbl.abuseat.org. That caused me to be charged something like $7000 in traffic overage fees in the couple of weeks before I mitigated it. A slightly extreme example, but it gives some idea of how much traffic a DNSBL handles.

  • Thanks, Steve:
    Brielle also gave me a long and detailed answer, which I published along with links to your blog.
    I found this whole business very interesting and educational.

  • I analyzed a client that uses the blacklist from SORBS and was blocking emails based on it. Some good messages weren't delivered because SORBS reported the senders' IP addresses as listed, but when I researched more deeply I figured out that the problem was in AHBL... SORBS must fix it ASAP.

  • G B: I did return garbage data for several months. Rather than fix their servers, they whined and bitched at me through e-mail about how my garbage data was causing them issues.
    People querying my list, even though it is shut down, costs time and money. Most of these people have never even asked if they could use my service in the first place. As much as I would have loved to pretend that their queries didn't impact me, they did.
    Alan Hodgson: I am getting many fewer queries now than I was before, so mission partly accomplished. Part of the problem is that even with high TTLs, some resolvers seem to ignore TTL settings and hammer constantly on the name servers.
    We actually had a rather good discussion on MailOps about why some of the ideas people had to mitigate the traffic weren't working, or wouldn't work.

By josh
