Open Relays and Spam Blacklists

By Deane Barker on July 8, 2004

My business mail server got blacklisted the other day. We started getting consistent bounces from a couple of clients that referenced some odd site. A little poking around revealed that our mail server had been inexplicably identified as an open relay and was on a spam blacklist that the clients of this ISP subscribed to.

This, then, is a primer on open relays and spam blacklists for those that don’t know what they are, and who may fall prey to the same problem we did.

What is an Open Relay?
An open relay is a mail server that will allow anyone to connect and send an email to anyone else. Contrast this to a server that will only allow authorized users to send email through it.

Open relay mail servers are a lot like mailboxes on street corners — it doesn’t so much matter which one you drop your mail into, because they all get into the same system and end up at their destination. This being the case, it doesn’t really matter which server I use to send outgoing mail. I could connect to a server in China to send an email to my next-door neighbor, if I wanted to, just as I could fly to China to send myself a letter.

Whether or not an email server is an open relay is just a matter of configuration — any Internet-connected mail server can be an open relay if it’s not configured with access control.

Why are open relays bad?
They weren’t at first. But, like a lot of things, the spammers ruined it.

Back when the Web was young (up until 1995 or 1996), lots of people maintained an open relay to which other people could connect and send email through. The spirit of the Internet back then was openness and cooperation, even with people you didn’t know.

Then came spam. To explain why spammers ruined this, we have to disgress a second to discuss how spammers operate.

A spammer’s business depends on him being able to send email through an email server. At the same time, people don’t like spam and they tend to complain about it. When an ISP gets enough complaints, they look at where the spam is coming from (what mail server), and they can usually arrange (with the help of the ISP through which the server is connected to the Internet) to have that server “kicked off” the Internet — shut off its access so it can’t send anymore mail.

Thus, spammers have to “spam and run” — use an email server to send millions of emails an hour until the server gets noticed and neutralized, then find another one. They can’t afford the time or expense of setting up server accounts at various hosting providers over and over, so they find new mail servers to abuse in one of two ways:

  1. They hack into one (see this post and this post), or
  2. They find an open relay

Thus, open relays quickly became a bad thing. Maintaining an open relay gives spammers a potential tool to send millions of emails until your server gets enough complaints or gets noticed by your ISP (millions of outgoing emails an hour are kind of hard to miss), and kicked off the Net.

What are blacklists?
Right about the time spammers started abusing open relays, system administrators starting keeping blacklists. If a network started getting a lot of spam, and the sysadmin noticed it was coming from the same server, he just configured his email server to throw away or return any email coming from that server.

As the number of spam servers grew, so did the list. Inevitably, a sysadmin shared this list with his friends, the lists became public, and they got formalized with organizations growing up around them.

But ingenious sysadmins took the lists a step further. If an email server was an open relay, it made sense that email coming from it had a higher than normal chance of being spam, so why not blacklist that server as well? Let’s pre-emptively block it because there’s a chance it will start spewing spam at any moment.

To this end, scripts were created that wandered around the Internet, found mail servers, and tried to connect and send mail through them. If they succeeded, then this was an open relay, and they added it to the blacklist.

The purpose of the lists are two-fold, then:

  1. To enable sysadmins to throw away (or bounce) email from compromised or open servers, and
  2. To prompt sysadmins to secure their servers — if a lot of their outbound email doesn’t get through because they’re on a blacklist due to having an open relay, then they’ll usually snap-to and tighten up their server so they can get off the list. (Besides, having your server on a blacklist is kind of embarrassing.)

What are the big black lists?
There are dozens. The one which a given sysadmin subscribes to is a matter of preference. Some of the big ones:

How do I know if I’m on a blacklist?
Your first clue will be that email either (1) just vanishes enroute to certain recipients, or (2) starts bouncing. If you start getting bounces, examine the bounce email. If it bounced because of a blacklist, the returned email usually have reference to the blacklist.

How does a server get removed from a blacklist?
Different lists have different procedures, but it usually involves entering your IP address in a Web form. The list will re-test the server to see if it can send mail through it, and if it can’t, it will remove the IP from the list. (Theoretically, of course — you’re entirely at the mercy of the list to make sure you’re actually removed.)

Again, specific procedures vary. All blacklists have Web sites, so visit the site to find out what their procedure is.

Can I get blacklisted by mistake?
Yup, usually in two ways —

  1. By mistake
    This is rare, but the event that prompted me to write this was that my mail server got blacklisted. We suddenly started getting odd bounces (the only emails that would bounce were emails to domains that subscribed to this particular list).

    The problem was that the IP address they had listed has been locked away behind a firewall for the last 18 months. It won’t even accept inbound connections. (On top of this — it was secured. Not an open relay by any means.)

    As near as we can tell, we got blacklisted by this organization about two weeks ago. We still have no idea why, and multiple attempts to get removed have been ignored.

  2. By inheriting a bad IP
    If you get a new IP from your hosting provider, it may have previously belonged to a blacklisted machine.

    When you take possession of a new machine at a hosting provider, check the IP immediately against all the blacklists. If it comes up listed, notify the hosting company so they can get it removed, and request a new IP so you don’t have to deal with a problem you didn’t create.

So, there you have it — a primer on open relays and spam blacklists. If anyone has anything to add, comments are open.

Gadgetopia

Comments

  1. I had the unfortunate opportunity to experience the consequences of an open relay on a mail server I administer. It didn’t get blacklisted, but the server was unusable for several hours while I was trying to plug the holes back up.

    As near as I can figure, the settings on the mail server that kept it from relaying mail got blasted after an extended power outage took the server down, and I didn’t catch it for a few days. By that time spammers were shoving tens of thousands of messages through it every hour — the thing slowed to a crawl.

    The thing that got me is that while it was open the bozo spammers hammered it so hard it nearly froze. If it weren’t for that I probably wouldn’t have noticed for a while. So their own frenzied abuse of my server brought the problem to my attention, and I shut them down. Not the sharpest knives in the drawer I guess.

  2. I run the site iMillionaires.com – a free business information and help site and this looks like a good angle for a story on protecting your business site.

    Another problem we run into with our sites is spammers using our email address as a return address. This often causes bouncing of email since spammers will spam to any email address, weather its valid or not, and then the email bounces, and then your mail server will normally send back a reply if it’s an invalid address.

    We see about 20,000 bounced spam emails a day to one of our domain names alone.

    I’m not sure if replying to these bounced spams can get you blacklisted.

    Another problem we are concerned about is a site that we allow free classified ads to be posted. We send out an email to the poster (who often will use a fake email address) with their password to manage their ad.

    This has gotten our server blacklisted with AOL and when we called them about it they could not tell us any details but they did unblacklist it. It turns out, many people were using fake AOL return addresses that must have been real AOL users. According to AOL, the users probably reported the posting acknowledgement emails as spam.

    I think the problem is that people are pissed off about spam and are quick to pull the trigger on anyone and it’s possible that your business or website could get reported in their hast.

    Like I said, I see another good story here. I will probably reference this page and will give you guys credit.

Comments are closed. If you have something you really want to say, email editors@gadgetopia.com and we‘ll get it added for you.