The Spamhaus Project

The Policy Blocklist: what is it, and why should you be on it?

It’s not always "bad" to be listed on one of Spamhaus' DNS Blocklists. Despite what you may think, there is one list you may want to be on: the Policy Blocklist (PBL). Want to know more? Let's dive into the PBL, what it is, how it works, and how it affects users. Whether you're an Internet Service Provider (ISP) or an end user, find out everything you need to know.

by The Spamhaus Team | June 11, 2024 | 5 minutes reading time

When was the Policy Blocklist introduced?

The Policy Blocklist (PBL) was created at the beginning of 2007 to address the problem of end-user abuse (typically spam).

What is the Policy Blocklist?

The Policy Blocklist contains IP address ranges from which email should never be sent directly to the final destination. Even static IP addresses that do not send email are listed in the PBL. However, the IPs in PBL are not necessarily “bad” - they simply should never send email in the first place. In fact, any IP space that should not send email directly to the Internet should be listed in PBL.

The PBL consists of two categories: IP ranges managed by ISPs themselves and zones generated by Spamhaus:

ISP PBL Zones: These zones are created by the ISP that owns these networks to declare that “these networks should not be sending email directly but rather should be using their ISP's smart hosts.”

Spamhaus PBL Zones: These zones are generated both automatically and manually, for networks where no email traffic is seen for long periods of time, and the DNS is either absent or generic.

PBL for providers.

The PBL is intended to be used proactively. Providers and other IP address owners can claim their own IP space, and then declare parts of this space assigned to dynamic end users who should not be sending email outside their network. Providers that claim their IP space and are approved to manage their networks can set their own policy.

How PBL works for providers

First, providers need to create an ISP account to declare IP ranges that they own. These are called “master ranges.” Within these master ranges, providers can create a “PBL zone” with a policy for IP addresses that are dynamic and/or should not be sending email. This policy contains the published rules for the zone. Once the account is set up, providers can manage their own bulk additions and removals.

What type of networks should have a PBL Zone?

End customer networks where accountability is entirely opaque are the best candidates for having a PBL zone. Examples of these include (but are not limited to):

  • CGNAT pools
  • Large proxy pools (Mentioning no names, of course!)
  • Cloud
  • Wireless networks
  • DSL
  • Dialup (for those who remember)

The key here is that the IP addresses within are dynamically assigned to customers or were never meant to send emails in the first place. They are not statically assigned to a specific corporate user.

What type of networks should not have a PBL Zone?

Networks that can easily determine accountability should not have PBL zones under normal circumstances. Typically, this may include:

  • Commercial customers with static IP addresses from the ISP
  • The ISP's own infrastructure and servers

For example, a pool of IP addresses assigned to an arena's wifi hotspots would be a good PBL candidate, but the arena's own web servers would not.

How should providers use the PBL data?

It is important to understand that a provider’s PBL zones should NEVER be used against its own users. This happens far more often than it should. The PBL is intended only to be used on mail servers, as part of the Spamhaus Zen zone, during SMTP sessions on port 25, because those sessions are effectively anonymous and trivially abused. It is not intended to be used with SMTP authentication on port 587 (RFC 2554), where the server knows who the email sender is.

The Grey Zone.

Certain types of networks have other issues that may or may not be appropriate for a PBL Zone. The most common problem is shared hosting farms, where a large number of sites share a single IP address. These should not be allowed to email directly. All it takes is one person with malicious PHP to get the IP listed in one of the Spamhaus zones, and make all the other users on that host very unhappy.

How incorrect use of the PBL can negatively affect end users

For almost all Internet users, the PBL shouldn't affect their daily lives. But, unsurprisingly, there are some edge cases.

  1. The most likely scenario is sending unauthenticated email outside their provider's own network. If the recipient uses the PBL, the email will be rejected with an error.

  2. The second most likely scenario is online forums incorrectly using Spamhaus data to block connecting IP addresses. In the cases we have seen, this usually means that users are unable to post to their favourite forum. As we cannot control how our data is used, this is outside our remit. To resolve the issue, you would need to contact the forum directly.

There is more detailed information on the above two scenarios in our FAQs.

Inappropriate use of the PBL.

Spamhaus’ blocklists (SBL, DBL, CSS, PBL, XBL, and the unified ZEN) are intended to filter email. While they can be used in other ways, such as blocking service signups from listed IPs, these uses are not officially condoned. Where non-email-related applications are required for reputation data, we’d recommend users reach out to Spamhaus Technology to discuss their needs. After all, just because gardening shears are good for trimming a hedge, doesn’t mean that you’d use them to trim your beard!

If you find yourself on the wrong side of the PBL, i.e. being blocked by uses it wasn’t intended for, your best recourse is to find another way to contact the service provider, e.g. the online forum.

Help! I’m on the PBL!

If you have received a rejection error message in reply to an attempt to send an email that mentions “Spamhaus,” then the Spamhaus IP and Domain Reputation checker can provide more information about the reason for being blocked, as it may not be the PBL: PBL listings are often a red herring that distracts from the real problem!
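The following Python sketch is an added example, not Spamhaus code. It ties together the port 25 rule from "How should providers use the PBL data?" and the point above that a PBL listing may not be the real reason for a block. The return-code table comes from Spamhaus' public ZEN documentation rather than this article, the function names are hypothetical, skipping the whole lookup on authenticated sessions is this example's simplification, and the sample answers are constructed so it runs without DNS.

```python
import ipaddress

ZEN = "zen.spamhaus.org"  # the unified zone the article refers to

# ZEN return codes per Spamhaus' public documentation (not given in the article).
CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "CSS", "127.0.0.9": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

def zen_query_name(ip):
    """Reverse the IPv4 octets and append the zone, as DNSBL lookups require."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZEN

def classify(answers):
    """Turn the A records answered for a ZEN query into a verdict."""
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:  # resolver or query problem, not a listing: never block on it
        return {"listed": False, "lists": [], "pbl_only": False, "error": errors[0]}
    lists = sorted({CODES.get(a, "unknown:" + a) for a in answers})
    pbl_only = bool(lists) and all(name.startswith("PBL") for name in lists)
    return {"listed": bool(lists), "lists": lists, "pbl_only": pbl_only, "error": None}

def smtp_decision(port, authenticated, answers):
    """Apply the article's rule: the PBL counts only on anonymous port-25 sessions."""
    if port != 25 or authenticated:
        # Assumption of this example: skip the whole ZEN result for such sessions.
        return "skip: PBL not applied to authenticated submission"
    verdict = classify(answers)
    if not verdict["listed"]:
        return "accept"
    if verdict["pbl_only"]:
        return "reject: policy listing (PBL), sender should relay via its provider"
    others = [n for n in verdict["lists"] if not n.startswith("PBL")]
    return "reject: reputation listing " + ", ".join(others)

if __name__ == "__main__":
    # Constructed samples: a documentation address and hand-written DNS answers.
    print(zen_query_name("192.0.2.10"))
    for port, auth, ans in [(25, False, ["127.0.0.11"]), (587, True, ["127.0.0.10"]),
                            (25, False, ["127.0.0.10", "127.0.0.4"]),
                            (25, False, ["127.255.255.254"])]:
        print(port, auth, ans, "->", smtp_decision(port, auth, ans))
```

The third sample is the "red herring" case: the address is in the PBL, but the XBL listing is what needs fixing.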

Do you want to know more?

For more information on PBL there is a detailed FAQ here. If you are an Internet Service Provider, sign up for an account to gain control of your network's IP space.