
SPF handles registering and distributing the list of IP addresses that are allowed to send e-mail on behalf of a particular domain. Today, however, spam filtering usually works the opposite way: lists of IP addresses that are sources of spam and should be blocked are recorded and distributed. Most SMTP servers support such blacklists. They can either be defined by the server administrator, who then has to maintain and update them manually, or the SMTP server can consult blacklist servers, which are maintained either by volunteers or, where the list of spammer IP addresses is provided as a service, on a commercial basis.

The main question is how to distribute such lists of blocked IP addresses. Either the SMTP server downloads the entire list, uses it locally and updates it periodically (this is mostly how commercial blacklists work), or the SMTP server queries a blacklist for a specific IP address only when it needs to (when accepting an SMTP connection).

We will discuss the latter option. The most common technology used for it is DNSBL (DNS-based Blackhole List). As the name suggests, the presence of an IP address in the blacklist is verified using DNS. Many servers offer this service free and publicly: you send a specially formulated DNS query to find out whether the IP address is recorded. For example, we have the IP address and we use the DNSBL server zen.spamhaus.org. The DNS name to ask for is formed by writing the octets of the IP address in reverse order and appending the name of the DNSBL server. We then ask DNS for the A record of this name.

If the IP address is recorded, we get one or more A records. We can be content with the mere existence of these A records, or we can analyze their values further to find out why the IP address is blacklisted. The values are special loopback addresses of the form 127.0.0.X. Their meaning is not standardized; each DNSBL operator can define it differently.

Here is an example of a query for an IP address that is blocked because it belongs to an ADSL range:

; IN A

On www.spamhaus.org you can find that their database called PBL (Policy Block List) contains the IP addresses of end users who should not be able to send e-mail anywhere without authorization, and that it corresponds precisely to the „return value“

In theory a DNSBL can be operated with any DNS software by creating zones that contain names corresponding to the blocked IP addresses. This is not a good solution, because whole large ranges of IP addresses are often banned, which leads to very large zone files that are hard to maintain. Therefore special software is used that keeps track of IP addresses more efficiently but behaves as a DNS server from the outside. A DNSBL of course benefits from the many advantages that DNS brings: you can easily split the load, delegate part of the address space to other groups of DNS servers, and so on. But the most important advantage is that requests to DNSBL servers are cached just like any other DNS requests. So if our mail server keeps asking about the same sender, it should get the answer from a local cache. This also means, however, that if we get our IP address removed from the blacklist, we will have to wait until the TTL of those A records expires. For example, spamhaus.org uses a TTL of 30 minutes.
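The following is an added example (not code from the original article or from any DNSBL operator) that demonstrates the query procedure described above: it builds the reversed-octet query name for a DNSBL zone, interprets the 127.0.0.X answers, and then puts a small TTL cache in front of the resolver to show why a delisted address keeps being reported as blocked until the cached record expires. The zone name dnsbl.example, the return-code table and the answers in FAKE_ZONE are constructed placeholders; a real operator's published return-code table must be consulted for real meanings. It goes slightly beyond the text by also handling IPv6 addresses, which DNSBLs query as reversed hex nibbles (RFC 5782).

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Illustrative return-code table (constructed placeholder, not any operator's
# real table): every DNSBL operator defines its own meaning for 127.0.0.X.
EXAMPLE_RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "listed: direct spam source",
    "127.0.0.10": "listed: end-user range, should relay via ISP gateway",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name to look up: reversed address, then the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(addr.exploded.split(".")))
    else:
        # IPv6 (RFC 5782): all 32 hex nibbles, reversed, one label each.
        nibbles = addr.exploded.replace(":", "")
        reversed_part = ".".join(reversed(nibbles))
    return f"{reversed_part}.{zone.rstrip('.')}"


def classify(answers: List[str]) -> List[str]:
    """Map returned A records to reasons; anything outside 127.0.0.0/8 is suspicious
    (RFC 5782 requires DNSBL answers to be in that range), so it is flagged."""
    reasons = []
    for a in answers:
        if not a.startswith("127.0.0."):
            reasons.append(f"unexpected answer {a}: not a 127.0.0.X code, treat as error")
        else:
            reasons.append(EXAMPLE_RETURN_CODES.get(a, f"listed with unknown code {a}"))
    return reasons


def check_ip(ip: str, zone: str, resolve: Callable[[str], List[str]]) -> Dict[str, object]:
    """Query one DNSBL zone for one address. An empty answer (NXDOMAIN) means not listed."""
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    return {"query": name, "listed": bool(answers), "reasons": classify(answers)}


def live_resolve(name: str) -> List[str]:
    """Real A lookup through the system resolver; NXDOMAIN becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed offline stand-in for a DNSBL server's zone, so the example runs
# without network access. 127.0.0.2 is the test entry every DNSBL must list.
FAKE_ZONE: Dict[str, List[str]] = {
    "5.113.0.203.dnsbl.example": ["127.0.0.10"],
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


class CachingResolver:
    """Minimal TTL cache in front of a resolver, mimicking the local DNS cache a
    mail server sits behind. Simplification: negative answers get the same TTL
    (real DNS derives negative TTLs from the zone's SOA record)."""

    def __init__(self, upstream: Callable[[str], List[str]], ttl_seconds: int,
                 clock: Callable[[], float]):
        self.upstream = upstream
        self.ttl = ttl_seconds
        self.clock = clock
        self._cache: Dict[str, Tuple[List[str], float]] = {}

    def __call__(self, name: str) -> List[str]:
        now = self.clock()
        hit = self._cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]  # served from cache, upstream change not yet visible
        answers = self.upstream(name)
        self._cache[name] = (answers, now + self.ttl)
        return answers


if __name__ == "__main__":
    for ip in ("203.0.113.5", "127.0.0.2", "198.51.100.9"):
        print(check_ip(ip, "dnsbl.example", fake_resolve))
    print(dnsbl_query_name("2001:db8::1", "dnsbl.example"))
```

Pass live_resolve instead of fake_resolve to query a real DNSBL zone; wrap it in CachingResolver with the zone's TTL to reproduce the delisting delay described above.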

The biggest problem of DNSBL systems is the reliability of the lists of recorded IP addresses. If somebody is truly spamming, they will undoubtedly soon appear on one or more DNSBL servers. But an IP address that is in fact not a source of spam may also appear there by mistake. Some DNSBL servers operate on a voluntary basis, where spammer IP addresses can be reported even anonymously. Others perform a detailed investigation before placing an IP address on the list.

Another method of obtaining the identity of spammers and attackers is so-called honeypots[12], which are generally computers or systems that look real and are purposely left unprotected or otherwise open to abuse. In fact they are baits that legitimate users never use, but attackers fall into the trap. In our case it may be a mail server for a domain that has never been used for any real e-mail address. If an e-mail is nevertheless delivered, it means that either someone made a mistake or a spammer is trying to deliver spam to every possible recipient. There are usually several such honeypots, and only after a message arrives from a single source at several of these nodes is the sender declared a source of spam.

Some DNSBLs preventively record whole ranges of IP addresses from which no spam has been delivered, for example ranges used for dynamic allocation of IP addresses to ADSL customers, where it is assumed that they will never send e-mail directly but will use the official SMTP gateway of their ISP. A fundamental problem arises, however, when someone wants to run their own SMTP server over ADSL and finds out that the server is blocked everywhere. If an address is blocked, each DNSBL server has its own process for unblocking; an IP address is usually not deleted automatically, but its removal must be requested.