
What is the SBL?

The Spam IP Blacklist (SBL) is a realtime database provided by the Internet Defence team. It is an advisory database listing every IP address that has sent email identified as spam. That identification is a fully automated process: no user preferences are involved in deciding whether an email is spam or not.

How the SBL works

In order for an IP address to find its way into the SBL, it must:

  • Have been caught sending spam by one of a variety of heuristic methods
  • Have been confirmed as sending spam by a different set of heuristic methods
  • Have sent spam more than once (typically five times)
  • Never have sent an innocent (non-spam) email

The SBL is an aged list. If no spam is received from an IP for, typically, three days, then that IP is automatically dropped. Both this time and the number of “hits” required for each address are varied from time to time to ensure that the accuracy and integrity of the list are maintained.

Heuristic Methods

A number of heuristic methods are used including:

  • Spam Trap addresses
  • Statistical Content Analysis
  • Other “trusted” sources
  • URL Checks on the spam
  • Sender Authority checks

What sort of spammer gets listed?

The list doesn’t differentiate between different types of spam - it contains the lot! Phishing, pharming, products, stock, scams and other frauds.

Using sbl.internetdefence.net

The SBL is used in the conventional DNSBL way, with the octets of the IP address reversed: to check the IP address 1.2.3.4 you would query 4.3.2.1.sbl.internetdefence.net. If the IP is in the SBL, a DNS lookup of the A record returns 127.0.0.2; otherwise “Not Found” (NXDOMAIN) is returned. A descriptive TXT record is also available. Instructions for using your particular system with Realtime Blacklists are readily available, either in the documentation that comes with your package or on the internet.
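To make the lookup concrete, here is an added Python example (not code from Internet Defence) that builds the reversed query name and interprets the A-record answer as described above using only the standard library; the resolver is pluggable so the verdict logic can be exercised offline against a constructed DNS table.

```python
import ipaddress
import socket
from typing import Callable, Optional

SBL_ZONE = "sbl.internetdefence.net"
LISTED_CODE = "127.0.0.2"  # A record the SBL returns for a listed address

def sbl_query_name(ip: str, zone: str = SBL_ZONE) -> Optional[str]:
    """Build the DNSBL query name: octets reversed, list zone appended.

    Returns None for anything that should not be looked up: malformed input,
    IPv6 (the SBL lists IPv4 senders) and private/loopback space, which is
    never in a public list and would only leak internal addresses to the
    resolver.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if addr.version != 4 or addr.is_private:
        return None
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def resolve_a(name: str) -> Optional[str]:
    """Resolve an A record with the system resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def interpret(answer: Optional[str]) -> str:
    """Map the DNSBL answer to a verdict usable by mail-filter policy."""
    if answer is None:
        return "not-listed"
    if answer == LISTED_CODE:
        return "listed"
    # Anything else (for example a non-127/8 address) means the zone has
    # changed or been wildcarded; treat it as an error, never as "listed".
    return "unexpected"

def check_ip(ip: str, resolver: Callable[[str], Optional[str]] = resolve_a) -> str:
    """Return 'listed', 'not-listed', 'unexpected' or 'skipped' for an IP."""
    name = sbl_query_name(ip)
    if name is None:
        return "skipped"
    return interpret(resolver(name))

if __name__ == "__main__":
    # Constructed resolver standing in for DNS so the script runs offline.
    fake_dns = {"4.3.2.1.sbl.internetdefence.net": "127.0.0.2"}
    for ip in ("1.2.3.4", "1.2.3.5", "10.0.0.1"):
        print(ip, check_ip(ip, fake_dns.get))
```

Replace `fake_dns.get` with the default `resolve_a` to query the live list; the TXT record is not fetched because the standard library has no TXT lookup.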

Thresholds

Because blacklists evolve quickly, IP addresses from which no spam has been received in three days are removed from the list. The database is updated every ten minutes, twenty-four/seven.

Sensitivity thresholds are implemented to further increase the accuracy of the database.

An innocence threshold also exists: if an innocent (non-spam) email is received from a listed IP address, that IP address is removed.
