RBL – Realtime Blackhole List, good or bad?

13th September 2016

As someone who has been in the hosting industry for many years, I have had my fair share of ‘blacklisting’ and the associated headaches that come with it. This blog post is more a rant about how it affects us as a host than about the protection it does offer. Webopedia.com describes an RBL far better than I could:

Short for Realtime Blackhole List, a list of IP addresses whose owners refuse to stop the proliferation of spam. The RBL usually lists server IP addresses from ISPs whose customers are responsible for the spam and from ISPs whose servers are hijacked for spam relay.

As subscribers to the RBL, ISPs and companies will know from which IP addresses to block traffic. Most traffic blocking occurs during the SMTP connection phase. The receiving end will check the RBL for the connecting IP address. If the IP address matches one on the list, then the connection gets dropped before accepting any traffic from the spammer. Some ISPs, though, will choose to blackhole (or ignore) IP packets at their routers. The goal here is to block all IP traffic.

It is important to note that all e-mail and packet blocking is done by the recipient, not the RBL administrator, which is only responsible for bouncing spam that is directed at its servers.

The RBL was created by Mail Abuse Prevention System (MAPS) LLC., but there are other entities that keep RBLs aside from MAPS.

Sounds great so far – the end to all our inbox-filling SPAM woes… unless you are a web host! As a host, ValueVPS does actually make use of RBLs to stop most spam in its tracks. This has the benefit of reducing load on our servers, bandwidth and storage, and reduces the amount of junk our end customer has to deal with – in essence it’s a great idea that does work.

Conversely, ValueVPS has also been on the wrong side of the RBL, finding that a server IP address has ended up on one of the lists (or even multiple!) through no fault of our own. This usually happens when a customer is running old and outdated scripts or their password is compromised and the spammers use their account to send thousands of unsolicited emails. The negatives in this situation are huge. Often the first sign that we are on an RBL is that emails any of our clients send from the blacklisted IP start bouncing. This is a major headache for our support staff as they have to find where the spam is coming from by looking through server logs and then, once found, convincing the client that they have caused a problem (90% of the time a client refuses to believe that their WordPress version 1.2 is the culprit), resolving the problem, and finally, cleaning up the mess left behind – usually many hundreds of thousands of emails sitting in the mail queue waiting to send and the associated ‘bounce’ messages for each of them. Once that is done it’s then a matter of us contacting each of the RBL maintainers and asking for a ‘delist’ – a process where we must show what evidence we found, how we resolved it, show that it is no longer happening and promise that we will not do it again – resulting in removal from the list *if* the powers that be agree to it. Some RBL maintainers will remove instantly, others will wait a period of time (sometimes up to a month) before automatic removal – and the worst ones will remove the listing for a fee or you wait the allotted period of time. Meanwhile, ValueVPS support staff are busy answering many clients who all want to know why their email is bouncing and ‘when will it be fixed’. It’s very frustrating for all of us, more so the lack of control placed in our hands.
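The check a receiving server makes against an RBL is, for DNS-based lists, an ordinary DNS lookup (RFC 5782): reverse the connecting IP, append the list's zone, and treat an A record in 127.0.0.0/8 as "listed". A host can run the same lookup against its own sending IPs on a schedule instead of learning about a listing from bounces. The sketch below is an added example, not code from this post; the zone names and the sample records are constructed placeholders.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNS name a receiver looks up for `ip` in a DNS-based list (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # 192.0.2.5 -> 5.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # IPv6: reversed hex nibbles
    return ".".join(labels) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for `name`; [] when there is no such name.

    A resolver failure also ends up as [], so treat "not listed" from this
    helper as "no listing seen", not as proof of a clean IP.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_listing(ip, zones, resolve=system_resolver):
    """Map each zone to the return codes it gives for `ip` ([] = not listed)."""
    results = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Listing codes live in 127.0.0.0/8; any other answer is not a listing.
        results[zone] = [a for a in answers if a.startswith("127.")]
    return results


def listed_zones(ip, zones, resolve=system_resolver):
    """Zones that currently list `ip`, for alerting before customers see bounces."""
    return sorted(z for z, codes in check_listing(ip, zones, resolve).items() if codes)


# Constructed sample data: hypothetical zones and answers, so the demo runs offline.
ZONES = ["rbl-a.example", "rbl-b.example", "rbl-c.example"]
SAMPLE_RECORDS = {
    "5.2.0.192.rbl-a.example": ["127.0.0.2"],    # listed
    "5.2.0.192.rbl-c.example": ["203.0.113.9"],  # non-127 answer, ignored
}

def sample_resolver(name):
    return SAMPLE_RECORDS.get(name, [])

if __name__ == "__main__":
    print(listed_zones("192.0.2.5", ZONES, sample_resolver))
```

To check real lists, pass the zones you care about and leave `resolve` at its default; many list operators rate-limit or refuse queries that arrive through large public resolvers, so run it from your own resolver.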

But wait… it gets worse! Only 2 weeks ago one of our servers was listed in three RBLs. After sorting the mess out we applied for delisting and all but one of them complied. The final one, Protected Sky, seemed to be ignoring our many requests. Their website did eventually, after many days, have a message stating that delisting was not available due to maintenance. This caused many, many hours of wasted time for us – after all, our clients were still finding that mail to anything@google was still bouncing and looked to us to fix it, yet it was 100% out of our hands. I have seen today that we were obviously not the only hosts affected by this, as a number of other sites are reporting on it, including MxToolbox:

Protected Sky Delisting

Recently, we’ve received a number of enquiries about delisting with Protected Sky.  For the last week or so, Protected Sky has had a maintenance notice reminding users that delisting is not available.  Over the weekend, they added another announcement:

Automatic removal will occur for IPs that are seen to be clean

MxToolbox Support is currently trying to contact Protected Sky for clarification, but we have an operating theory.  Currently, we believe this to mean that they have a system in place to automatically delist an IP address if it is not captured in one of their spam traps or reported by one of their customers as spam.

Once we have confirmation or update from Protected Sky, we will update this post with more information.

It really is a shame that the protection we are using, which works very well, is also biting us back!