List the world!

L

We often say that a blacklist has “listed the world” when it shuts down ungracefully. What exactly does that mean, and why does it happen?
Blacklists are queried by sending a DNS lookup for an A record, just the same as you’d find the address of a domain for opening a webpage there. The IP address or domain name that’s being queried is encoded in the hostname that’s looked up.
For example, if you wanted to see whether the IP address 82.165.36.226 was listed on the SpamHaus SBL you’d ask DNS for an A record for the hostname 226.36.165.82.sbl.spamhaus.org. If that returns an answer, the IP address is listed. If it doesn’t, it isn’t.
If a blacklist returns an answer for any IP address (or domain) you ask it about it’s “listing the world” or “listing the internet”, saying that everyone you ask about is listed.
Sometimes this is done intentionally as an attempt to get people to stop using a blacklist. If it blocks all your mail, you’ll stop using it. Unfortunately, that never works. Most blacklists aren’t used to block mail, they’re used as part of a scoring based spam filter. And a blacklist that’s poorly run or unmaintained enough that it shuts down ungracefully probably wasn’t trusted much, so added a very small spamminess value to a spam filters score … so nobody notices when they start listing every address.
More often it’s done when a blacklist is abandoned, leaving it’s base domain name to expire.
When a domain expires it reverts to the control of the registrar and eventually is resold, typically to a domain squatter. (A domain squatter is someone who buys up domains when they become available and hopes to sell them on at vastly inflated prices).
Both the registrar and the squatter really want to resell the domain, for a lot of money. But while they control the domain they might as well make tiny amounts of money from it. The way they do that is to run advertising on the site, typically with low end banner or text ads (cheap to serve, low standards as to where they can be run) along with a link to “Buy This Domain For A Lot Of Money!”.
Every bit of traffic that went to websites in the expired domain is valuable to them – every misdirected open from someone looking for the expired content is now an advertising view. They don’t know what hostnames in the domain were actually in use. www.example.com and example.com are a safe bet, but there may also have been forums.example.com, webmail.example.com, chat.example.com and so on …
They don’t know, or care, what hostnames were in use. They just want as many page views as possible to inflate the tiny amount of money they’re getting from their text ads.
So they set up wildcard DNS for the domain, pointing it at a webserver that’s configured to show a domain-specific advertising page for any hostname pointed at it.
*.example.com -> 192.0.2.25
That means that forums.example.com will resolve to 192.0.2.25, as will www.example.com.
And so will 226.36.165.82.nfn.example.com – so anyone using nfn.example.com as a blacklist will get a valid A record response for any IP address the look up. It “listed the world”.

About the author

3 comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • I just don’t have a problem with doing that to get people to wake up and stop querying that domain. It’s not for that anymore.
    When osirusoft did that, a lot of people got upset. Well, start paying attention. Ya don’t put stuff in your mailserver and then forget it. If you do it’s at your peril.
    Too darned bad.

  • Postfix 2.1+ allows you to check the DNSBL return codes. So if you know your BL of choice responds 127.0.0.2 if listed and nothing otherwise,
    reject_rbl_client BLZONENAME=127.0.0.2
    When you start getting response that are something else (such as the IP address of a website for the abovementioned purpose), no problem.
    For blocklists that use multiple return codes, there is a feature in Postfix 2.8+
    “Each “d” is a number, or a pattern inside “[]” that contains one or more “;”-separated numbers or number..number ranges (Postfix version 2.8 and later).”

  • As often pointed out, if you use DNSBLs you need to test them periodically to see if they’re still live. The test is easy — on a live list 127.0.0.2 will return an answer, while 127.0.0.1 will not. If you get two answers or no answers, don’t use the list.
    See RFC 5782.

By steve

Recent Posts

Archives

Follow Us