By Deane Barker | July 8, 2004 | 2 Comments
My business mail server got blacklisted the other day. We started getting consistent bounces from a couple of clients that referenced some odd site. A little poking around revealed that our mail server had been inexplicably identified as an open relay and was on a spam blacklist that the clients of this ISP subscribed to.
This, then, is a primer on open relays and spam blacklists for those that don’t know what they are, and who may fall prey to the same problem we did.
What is an Open Relay?
An open relay is a mail server that will accept a message from anyone and deliver it to anyone, including recipients in domains the server is not responsible for. Contrast this with a properly configured server, which accepts inbound mail only for its own domains and relays outbound mail only for users it has authorized (by network address or by authentication).
Open relay mail servers are a lot like mailboxes on street corners — it doesn’t so much matter which one you drop your mail into, because they all get into the same system and end up at their destination. This being the case, it doesn’t really matter which server I use to send outgoing mail. I could connect to a server in China to send an email to my next-door neighbor, if I wanted to, just as I could fly to China to send myself a letter.
Whether or not a mail server is an open relay is purely a matter of configuration. Any Internet-connected mail server becomes an open relay the moment its relay restrictions are missing or too loose; "accept for local domains, relay only for authorized clients" is the rule that closes it.
Why are open relays bad?
They weren’t at first. But, like a lot of things, the spammers ruined it.
Back when the Web was young (up until 1995 or 1996), lots of people maintained an open relay that anyone could connect to and send email through. The spirit of the Internet back then was openness and cooperation, even with people you didn't know.
Then came spam. To explain why spammers ruined this, we have to digress for a second to discuss how spammers operate.
A spammer's business depends on his being able to send email through a mail server. At the same time, people don't like spam and they tend to complain about it. When an ISP gets enough complaints, it looks at where the spam is coming from (which mail server), and can usually arrange (with the help of the ISP through which that server is connected to the Internet) to have the server "kicked off" the Internet, that is, to have its access shut off so it can't send any more mail.
Thus, spammers have to “spam and run” — use an email server to send millions of emails an hour until the server gets noticed and neutralized, then find another one. They can’t afford the time or expense of setting up server accounts at various hosting providers over and over, so they find new mail servers to abuse in one of two ways:
Thus, open relays quickly became a bad thing. Maintaining an open relay gives spammers a potential tool to send millions of emails until your server gets enough complaints or gets noticed by your ISP (millions of outgoing emails an hour are kind of hard to miss), and kicked off the Net.
What are blacklists?
Right about the time spammers started abusing open relays, system administrators started keeping blacklists. If a network started getting a lot of spam, and the sysadmin noticed it was coming from the same server, he just configured his own mail server to throw away or return any email coming from that server.
As the number of spam servers grew, so did the list. Inevitably, a sysadmin shared this list with his friends, the lists became public, and they got formalized with organizations growing up around them.
But ingenious sysadmins took the lists a step further. If an email server was an open relay, it made sense that email coming from it had a higher than normal chance of being spam, so why not blacklist that server as well? Let’s pre-emptively block it because there’s a chance it will start spewing spam at any moment.
To this end, scripts were created that wandered around the Internet, found mail servers, and tried to connect to each one and relay a message through it to an outside address. If the server accepted the message, it was an open relay, and its IP address went on the blacklist.
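The probe those scripts ran is a plain SMTP envelope test, shown here as an added example (this is not code from the original post). It issues EHLO, MAIL FROM and RCPT TO with a sender and a recipient that both belong to domains the target is not responsible for, and classifies the server by its answer to RCPT TO: a 2xx means it will relay for anyone, a 5xx means relaying is refused. The function only needs the `ehlo`/`mail`/`rcpt`/`rset`/`quit` methods that `smtplib.SMTP` provides, so the same code runs against a live server you are authorized to test and against the scripted stand-in below; the probe addresses and both canned servers are constructed for the demonstration.

```python
"""Open-relay probe of the kind the blacklist scanners ran.

Added example, not code from the original post.  It walks the SMTP
envelope up to RCPT TO and stops there: no message body is ever sent.
"""
import smtplib

# Probe envelope: neither address belongs to the server under test, so a
# correctly configured server has no reason to accept the recipient.
# Both addresses are assumptions using reserved example domains.
PROBE_SENDER = "relay-probe@example.net"
PROBE_RECIPIENT = "relay-probe@example.org"


def _text(msg):
    """smtplib returns response text as bytes; make it printable."""
    return msg.decode("ascii", "replace") if isinstance(msg, bytes) else str(msg)


def probe_open_relay(smtp, sender=PROBE_SENDER, recipient=PROBE_RECIPIENT):
    """Return (verdict, code, message) for one SMTP session.

    verdict is "open" if the server accepts an envelope recipient it is
    not responsible for, "closed" if it rejects it with a 5xx, and
    "unknown" if the conversation never reached RCPT TO or the server
    answered with a 4xx (greylisting or a temporary failure).
    """
    try:
        code, msg = smtp.ehlo()
        if code // 100 != 2:
            return "unknown", code, _text(msg)
        code, msg = smtp.mail(sender)
        if code // 100 != 2:
            return "unknown", code, _text(msg)
        code, msg = smtp.rcpt(recipient)
        if code // 100 == 2:
            verdict = "open"
        elif code // 100 == 5:
            verdict = "closed"
        else:
            verdict = "unknown"
        smtp.rset()  # abort the transaction; never hand over a message
        return verdict, code, _text(msg)
    finally:
        try:
            smtp.quit()
        except Exception:  # connection may already be gone; nothing to do
            pass


def probe_host(host, port=25, timeout=10):
    """Probe a live server.  Only use this on servers you are allowed to test."""
    return probe_open_relay(smtplib.SMTP(host, port, timeout=timeout))


class ScriptedSMTP:
    """Offline stand-in for smtplib.SMTP with canned responses (constructed)."""

    def __init__(self, rcpt_response):
        self.rcpt_response = rcpt_response
        self.transcript = []

    def ehlo(self):
        self.transcript.append("EHLO probe.example.net")
        return 250, b"mail.example.com Hello probe.example.net"

    def mail(self, sender):
        self.transcript.append(f"MAIL FROM:<{sender}>")
        return 250, b"2.1.0 Ok"

    def rcpt(self, recipient):
        self.transcript.append(f"RCPT TO:<{recipient}>")
        return self.rcpt_response

    def rset(self):
        self.transcript.append("RSET")
        return 250, b"2.0.0 Ok"

    def quit(self):
        self.transcript.append("QUIT")
        return 221, b"2.0.0 Bye"


def open_relay_server():
    """Constructed server that relays for anyone."""
    return ScriptedSMTP((250, b"2.1.5 Ok"))


def closed_relay_server():
    """Constructed server with relay restrictions in place."""
    return ScriptedSMTP((554, b"5.7.1 <relay-probe@example.org>: Relay access denied"))


if __name__ == "__main__":
    for name, factory in (("open", open_relay_server), ("closed", closed_relay_server)):
        verdict, code, msg = probe_open_relay(factory())
        print(f"{name:6s} -> {verdict:7s} ({code} {msg})")
```

Two caveats a real scanner has to handle: some servers accept every RCPT TO and only reject at DATA or after the message is queued, so a thorough test goes on to DATA with a message addressed back to the tester and watches whether it arrives; and a 4xx at RCPT TO is not a clean bill of health, just an inconclusive run. Probing servers you do not own is exactly the behaviour the blacklist operators were accused of, so keep it to your own hosts.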
The purpose of the lists is twofold, then:
- To enable sysadmins to throw away (or bounce) email from compromised or open servers, and
- To prompt sysadmins to secure their servers — if a lot of their outbound email doesn’t get through because they’re on a blacklist due to having an open relay, then they’ll usually snap-to and tighten up their server so they can get off the list. (Besides, having your server on a blacklist is kind of embarrassing.)
What are the big blacklists?
There are dozens. The one which a given sysadmin subscribes to is a matter of preference. Some of the big ones:
- Spamhaus (http://www.spamhaus.org/rokso/)
- SpamCop (http://spamcop.net/bl.shtml)
- Open Relay Database (http://www.ordb.org/)
How do I know if I’m on a blacklist?
Your first clue will be that email either (1) simply vanishes en route to certain recipients, or (2) starts bouncing. If you get bounces, read the bounce message: when mail is rejected because of a blacklist, the returned message usually names the list (and often the IP address it found listed).
How does a server get removed from a blacklist?
Different lists have different procedures, but it usually involves entering your IP address in a Web form. The list will re-test the server to see whether it still relays, and if it doesn't, it will remove the IP from the list. Make sure the relay is actually closed before you ask, or the re-test will simply confirm the listing. (And that is the theory, of course; you're entirely at the mercy of the list to make sure you're actually removed.)
Again, specific procedures vary. All blacklists have Web sites, so visit the site to find out what their procedure is.
Can I get blacklisted by mistake?
Yup, usually in two ways —
This is rare, but the event that prompted me to write this was that my mail server got blacklisted. We suddenly started getting odd bounces (the only emails that would bounce were emails to domains that subscribed to this particular list).
The problem was that the IP address they had listed had been locked away behind a firewall for the last 18 months. It won't even accept inbound connections. (On top of this, it was secured. Not an open relay by any means.)
As near as we can tell, we got blacklisted by this organization about two weeks ago. We still have no idea why, and multiple attempts to get removed have been ignored.
By inheriting a bad IP
If you get a new IP from your hosting provider, it may have previously belonged to a blacklisted machine.
When you take possession of a new machine at a hosting provider, check the IP immediately against all the blacklists. If it comes up listed, notify the hosting company so they can get it removed, and request a new IP so you don’t have to deal with a problem you didn’t create.
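The check behind "how do I know if I'm on a blacklist?" and "check the IP immediately against all the blacklists" is a DNS lookup, shown here as an added example (not code from the original post). Most blacklists are published as DNS zones: to ask whether an address is listed you reverse its octets, append the list's zone, and look up an A record. An answer (conventionally in 127.0.0.0/8) means listed; no answer means not listed. The zone names are assumptions taken from the lists named above and should be confirmed on each list's site; the resolver is injectable, so the offline demonstration uses a constructed DNS table and a constructed bounce line in the format Postfix uses for blacklist rejections (other mail servers word theirs differently).

```python
"""DNSBL lookup: the mechanism behind blacklist checks and bounces.

Added example, not code from the original post.  check_ip() builds the
reversed-octet query name for each zone and resolves it; listed_in()
reduces that to the zones that answered.  blacklist_from_bounce() pulls
the listed IP and the zone out of a bounce diagnostic line.
"""
import ipaddress
import re
import socket

# Zones for the lists named in the post.  These names are assumptions:
# confirm them on each list's own site before relying on them.
ZONES = ("bl.spamcop.net", "sbl.spamhaus.org")


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for ip under zone: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolve(name: str):
    """Resolve with the system resolver; None means no answer (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones=ZONES, resolve=live_resolve) -> dict:
    """Return {zone: answer-or-None} for every zone queried."""
    return {zone: resolve(dnsbl_name(ip, zone)) for zone in zones}


def listed_in(ip: str, zones=ZONES, resolve=live_resolve) -> list:
    """Just the zones that returned a listing, in query order."""
    return [zone for zone, answer in check_ip(ip, zones, resolve).items() if answer]


# Bounce diagnostic in the form Postfix emits for a blacklist rejection
# (assumed format: "... Client host [a.b.c.d] blocked using <zone>; ...").
_BLOCKED_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\] blocked using (\S+?)(?:[;\s]|$)")


def blacklist_from_bounce(diagnostic: str):
    """Extract (ip, zone) from a bounce diagnostic line, or None if absent."""
    m = _BLOCKED_RE.search(diagnostic)
    return (m.group(1), m.group(2)) if m else None


# --- constructed data for the offline demonstration ---------------------
FAKE_DNS = {
    # 203.0.113.5 is listed on one of the two zones; 203.0.113.6 on none.
    "5.113.0.203.bl.spamcop.net": "127.0.0.2",
}


def fake_resolve(name: str):
    """Stand-in resolver backed by the constructed table above."""
    return FAKE_DNS.get(name)


BOUNCE = ("550 5.7.1 Service unavailable; Client host [203.0.113.5] "
          "blocked using bl.spamcop.net; Blocked - see "
          "http://spamcop.net/bl.shtml")


if __name__ == "__main__":
    print("bounce names:", blacklist_from_bounce(BOUNCE))
    for ip in ("203.0.113.5", "203.0.113.6"):
        print(ip, "listed in", listed_in(ip, resolve=fake_resolve) or "nothing")
```

Two practical points. First, the address to check is the one the rest of the Internet sees your outbound mail coming from; behind a firewall or NAT that is the public address of the gateway, not the server's own interface address. Second, some lists encode the reason for a listing in the low byte of the answer (127.0.0.2 versus 127.0.0.3, and so on), so keep the raw answer from `check_ip()` rather than just the yes/no when you go to ask for removal.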
So, there you have it — a primer on open relays and spam blacklists. If anyone has anything to add, comments are open.