The Spamhaus Project

The Spamhaus Policy Block List now covers One Billion IP addresses

by The Spamhaus Team | March 18, 2014 | 7 minutes reading time

Introduction

As we always try to keep tabs on what spammers do, we couldn't help but overhear this at an Evil Botnet Spam Gang's headquarters:

Dr. Evil image (c) Warner Bros. Entertainment Inc. Usage here is claiming no rights. The usage in a report and/or parody falls under Fair dealing (Fair use).

EBSG Boss: Uh-oh, I believe the Spamhaus PBL now lists One Million IP addresses!

EBSG Number 2: No. Don't you think the PBL would list more than a million IP addresses? A million IP addresses isn't exactly a lot of space these days.

EBSG Boss: Okay, the PBL now lists… One…Hundred…Billion… IP addresses?!

EBSG Number 2: Uh, no, sorry, that is more than the total available in IPv4 address space.

EBSG Boss: Oh, how I hate doing Evil Maths! So, then, tell me: how many addresses does it have?!?

Perhaps we can help these EBSG fellows, and anyone else who may be curious. This month, the Spamhaus Policy Block List (PBL) surpassed one billion listed IP addresses.

Due to the ever-expanding reach of the Internet around the world, more and more people are getting online via wired and now wireless connections. Internet Service Providers (ISPs) are provisioning ever greater IPv4 IP address space to provide connectivity to these users.

What is the Spamhaus PBL?

What the PBL is not: a list of spamming or exploited IP addresses. If an IP address is in the PBL zone, it does not mean there is anything wrong with it.

What the PBL is: a database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any mail server, except those provided specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP address ranges.

Those who use the PBL can configure their inbound email systems to block, filter/score, or tag traffic, depending on their own wishes and needs. Due to the massive number of compromised machines in the PBL-covered ranges, using just this one Spamhaus zone can prevent a large number of spam, phishing, and malware attacks via email. Most users query it via the DNSBL method. Larger users transfer updates to the IP address zone to their servers every few minutes.

A short history of Port 25 management

For nearly a decade, many ISPs have blocked or managed the use of personal/residential IP addresses from directly connecting to mail servers other than their own. In fact, back in 2005, the world's largest ISP organization, M3AAWG, put out a "best practices" document ("Managing Port 25 for Residential or Dynamic IP Space Benefits of Adoption and Risks of Inaction" [.pdf]) that outlined the reasons and benefits of this policy. Sadly, even now - in 2014 - a lot of ISPs still do not manage the outbound port 25 connections (SMTP email) on end user IP address space.

Since the PBL started, even as ISPs deployed port 25 management, many ISPs have submitted their dynamic IP address ranges to the Spamhaus PBL as a way to tell the world that these IP addresses should never be making direct connections to SMTP servers. As most botnet spam originates from end-users' computers after they have been infected with a spam virus or trojan, the wide use of the PBL around the world has a two-fold benefit for ISPs who submitted their ranges. Firstly, it prevents billions, and in some cases, trillions of spam emails from being delivered from their network to worldwide mailservers, helping the ISP's online image and reputation. Secondly, it greatly lowers the load on the ISP's abuse handling department, as less spam delivered means fewer reports and complaints. This was - and is - a free service which Spamhaus offers to ISPs around the globe. To check on one's eligibility, please read the PBL FAQ.

Generating the Spamhaus PBL data

PBL IP address ranges are added and maintained by each network participating in the PBL project, working in conjunction with the Spamhaus PBL team, to help apply their outbound email policies. This possibility is open to any ISP, but is especially important for those without port 25 blocking that still wish to tell a large part of the world's email receivers that, by policy, emails should not be accepted directly from specified ranges.

In addition to ranges submitted by ISPs, Spamhaus uses the knowledge gained by tracking worldwide spam & email delivery to map out new IP address ranges that are candidates for the PBL.

Using PBL alongside the Spamhaus data

The PBL is just one of several data sets that Spamhaus builds and offers to the world's internet users. For inbound email management, there is ZEN. ZEN is the combination of all the Spamhaus IP address-based DNSBL zones into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the PBL, as well as the SBL, SBLCSS, and XBL blocklists. Using ZEN can drastically reduce the amount of spam and malicious emails flowing into one's mail systems.
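The DNSBL query method and the ZEN combination described above can be sketched as follows. This is an added example, not Spamhaus code: the zone name `zen.spamhaus.org` and the return codes are Spamhaus's published values rather than anything stated on this page, while the function names, the accept/reject policy and the sample answers are constructed for illustration.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
# ZEN answer -> data set. 127.0.0.10 = PBL range maintained by the ISP,
# 127.0.0.11 = PBL range maintained by Spamhaus.
CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBLCSS", "127.0.0.4": "XBL",
         "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
         "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone (the DNSBL method)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on IPv6 or garbage
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Live lookup; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []  # caveat: this also hides temporary DNS failures

def lookup(ip, resolve=system_resolver):
    answers = resolve(query_name(ip))
    # 127.255.255.x answers are error signals (e.g. query refused),
    # never listings; treating them as hits would block all mail.
    if any(a.startswith("127.255.255.") for a in answers):
        raise RuntimeError("DNSBL error response: %s" % answers)
    return {CODES[a] for a in answers if a in CODES}

def smtp_decision(ip, authenticated, resolve=system_resolver):
    """Assumed local policy, for illustration only."""
    lists = lookup(ip, resolve)
    if lists - {"PBL"}:
        return "reject-listed"   # SBL / SBLCSS / XBL hit
    if "PBL" in lists and not authenticated:
        return "reject-policy"   # end-user range going direct-to-MX
    return "accept"              # unlisted, or PBL range using SMTP AUTH

# Constructed answers for documentation addresses (not real listings).
SAMPLE = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.10"],
          "7.100.51.198.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
          "5.113.0.203.zen.spamhaus.org": ["127.255.255.254"]}

def sample_resolver(name):
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    for ip, auth in [("192.0.2.10", False), ("192.0.2.10", True)]:
        print(ip, auth, smtp_decision(ip, auth, sample_resolver))
```

A PBL-only answer is a policy signal about the address range, not evidence of abuse, which is why the sketch separates it from the other ZEN data sets.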

To work alongside these IP address-based DNSBL zones in one's email filters, Spamhaus built our Domain based Block List, the DBL. It contains a list of current spammed domains that we update nearly in realtime as we see and identify domains used in spam and malicious emails.

To further protect one's network, Spamhaus has specialized feeds such as our Botnet C&C List. This is a zone built for use in firewalls and routing equipment to prevent the most damaging areas of the internet from reaching your network. The Botnet C&C List zone is offered via Spamhaus Technology's BGP. This Spamhaus data zone can also be used with a Response Policy Zone (RPZ) DNS firewalling system. One can read more about the Spamhaus RPZ data here.

The PBL and the future: IPv6

The PBL, and all of the IP address-based versions of the zones, will also be available for IPv6 since we now see some spammers moving into abusing these newer areas of the internet.

As the Evil Botnet Spam Gang's "Number 2" noted above, a hundred billion is a very large number of IP addresses, yet someday soon, the PBL will very likely also contain that many, and many more! IPv6 address space is already widely deployed, and the number of v6 IP addresses is truly enormous. Many of those IP addresses will be used for dynamic assignments such as mobile and wifi networks, as well as broadband and many "smart" devices, and since none of those need to make "direct-to-MX" SMTP connections, they will be a good match for the PBL. PBLv6 is not yet deployed, but it is currently under development. As that zone is built and populated, the total number of IP addresses will dwarf the IPv4 numbers.

We'll check back in with that Evil Botnet Spam Gang as we get up to around a hundred billion.
