The Spamhaus Project


A misuse of Spamhaus blocklists: PART 1 - blocking outbound email

One issue our folks handling tickets from blocked users regularly see is messages like: "Help! My IP is listed by Spamhaus and now I can't send emails! My provider is rejecting all my emails!" You may be asking, "Is this not exactly what is supposed to happen in case of a listing?" Surprisingly, the answer is "No, it is not!" This is a misuse of our blocklists.

by The Spamhaus Team, August 21, 2024. 4 minutes reading time


Introduction

While it is estimated that there are several billion devices on the internet, email is not sent or received directly by end user devices. Spamhaus data, and in particular the IP blocklists Policy Blocklist (PBL) and Exploits Blocklist (XBL), are designed to be deployed at the MX server, in defense of the receiving/inbound side, not at the outbound SMTP server, where the sending side accepts email submissions from its users. Why is that so?

PBL can not be applied at mail submission/outbound

PBL sits apart from the rest of our datasets as it is not designed to indicate "badness". There is in fact no value judgement involved with an IP listed in PBL. It is our goal to list in PBL all the IP ranges that are not supposed to host mail servers. This includes residential connections (interestingly, this is where the vast majority of the billions of infected devices sit).

Quite commonly, users in these ranges have a dynamic IP, which changes frequently. In some cases they are CGNAT IPs, where many users may simultaneously be sharing the same IP. The important thing here is that mail servers are not listed in PBL. This means the IPs of end user devices will typically be in PBL (together with the majority of IPs on the internet), while those of the servers will not.

The receiver that applies PBL at the MX server will continue receiving email from other mail servers, but will also block generic end user devices attempting to send emails to their users by means of “direct to MX” SMTP connections.

End user devices are not expected to send emails to destinations directly, without using the ISP’s mail servers to send it. ISPs directly help Spamhaus maintain PBL by creating and maintaining PBL accounts that specify their end user ranges that by policy (that’s the “P” in PBL) are not allowed or expected to run mail services.

Blocking inbound emails directly coming from end user devices has enormous advantages: the criminal gangs who - thanks to malware - are in control of those devices, can no longer send emails bypassing the mail submission stage. They MUST follow the normal route, which gives the administrator of the sending mail servers a chance to intercept and suppress abusive traffic.

PBL can not be applied at the egress point! Doing so would block your own users from sending fully legitimate emails! Again, an IP being present in PBL does not mean anything is wrong: it exists to prevent IPs from sending emails that bypass the use of a mail server, but this can ONLY be checked on the inbound side.

XBL can not be applied at mail submission/outbound

In contrast with PBL, XBL does indicate badness. The IPs it lists have been observed to be infected, possibly carrying malware and performing nefarious activities.

An IP listed in XBL is very likely to be in PBL as well, and this indeed happens in about 85% of the cases. The remaining 15% are mostly located in ranges that should have been in PBL but are not (hey, the internet is large and it changes quickly, we do our best but perfection is impossible!). In a sense, you can see XBL as a “PBL boost” that is automatically driven by our abuse sensors detecting activity.

Therefore, an IP listed by XBL has actually been observed to be an abuse source, but blocking it at the outbound mail server carries a very high risk of blocking legitimate emails. Furthermore, an IP listed by XBL does not necessarily mean that the device connecting from that IP at a particular moment is infected. In dynamic ranges, the same IP is often reassigned to a different user, and in CGNAT ranges the same IP may be simultaneously used by different users, only one of whom has an infected device.

So again: you cannot apply XBL at the Mail Submission Agent because you risk blocking your own users from sending fully legitimate emails!
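The following Python example is added here to make the PBL and XBL sections concrete; it is not Spamhaus code. It builds the reversed-octet DNSBL query name for the zen.spamhaus.org zone, maps the ZEN return codes that Spamhaus publishes (127.0.0.2/3/9 SBL, 127.0.0.4 to 127.0.0.7 XBL, 127.0.0.10/11 PBL) to dataset names, and then shows the policy the post describes: consult PBL/XBL for connections arriving at the inbound MX, and never consult them for authenticated submission, where a PBL or XBL hit would only block your own users. The resolver is injectable so the code runs offline against a constructed sample zone; the IPs in that sample are documentation addresses, not real listings.

```python
"""Added example (not Spamhaus code): PBL/XBL belong on the inbound MX, not on submission."""
import ipaddress
import socket
from typing import Callable, Dict, List, Set, Tuple

ZEN_ZONE = "zen.spamhaus.org"  # combined zone that returns SBL, XBL and PBL codes

# ZEN return codes as published by Spamhaus; codes not in this table
# (including Spamhaus's error-signalling codes) are not treated as listings.
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",   # CSS
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL",   # DROP
    "127.0.0.10": "PBL",  # ISP-maintained PBL entry
    "127.0.0.11": "PBL",  # Spamhaus-maintained PBL entry
}

# Address space that must never be sent to a public DNSBL (RFC 1918, loopback, link-local).
_NEVER_QUERY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets and append the zone: 198.51.100.7 -> 7.100.51.198.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Real A-record lookup through the system resolver; NXDOMAIN (not listed) becomes []."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def zen_listings(ip: str, resolver: Resolver = system_resolver) -> Set[str]:
    """Return the set of Spamhaus datasets (SBL/XBL/PBL) that list this IP."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _NEVER_QUERY):
        return set()
    return {RETURN_CODES[a] for a in resolver(dnsbl_query_name(ip)) if a in RETURN_CODES}


def smtp_policy(client_ip: str, submission: bool,
                resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Decide on a connecting client. `submission` is True for the authenticated
    submission service (port 587/465), False for the inbound MX (port 25)."""
    if submission:
        # The post's point: a PBL or XBL hit here says nothing about the authenticated
        # user, so the blocklists are not consulted at all on the egress side.
        return ("OK", "submission: PBL/XBL not consulted; rely on authentication and rate limits")
    listings = zen_listings(client_ip, resolver)
    if "PBL" in listings:
        return ("REJECT", "PBL: end-user range, direct-to-MX delivery not expected")
    if "XBL" in listings:
        return ("REJECT", "XBL: host observed as an abuse source")
    if "SBL" in listings:
        return ("REJECT", "SBL: listed spam source")
    return ("OK", "not listed")


# Constructed sample zone for offline use (documentation addresses, not real listings).
SAMPLE_ZONE: Dict[str, List[str]] = {
    dnsbl_query_name("198.51.100.7"): ["127.0.0.11"],              # home user, PBL only
    dnsbl_query_name("198.51.100.8"): ["127.0.0.4", "127.0.0.10"],  # infected home PC: XBL + PBL
    dnsbl_query_name("198.51.100.9"): [],                            # a mail server, unlisted
}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        print(ip, "inbound MX ->", smtp_policy(ip, submission=False, resolver=sample_resolver))
        print(ip, "submission ->", smtp_policy(ip, submission=True, resolver=sample_resolver))
```

Run against the sample zone, the infected home PC (XBL and PBL) is rejected when it tries direct-to-MX delivery, yet the same address is accepted on the submission service, which is exactly the split the post argues for: the blocklist does its job at the MX, and the submission server relies on authentication and its own abuse controls instead.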

If I want to limit my outbound spam, what should I do?

This is a very good question. But first of all, thank you! Not everybody worries about this. People like you make the world a better place, and we support your endeavour.

In order to understand how to limit outbound spam without blocking users' legitimate emails, we recommend reading part two in this series: 'A misuse of Spamhaus Blocklists'.