A blacklist is simply a list of IP addresses or domain names that an organization has decided to block for one reason or another. Blacklists started as a means to combat email spam. Early on, it was just a list of IP addresses or domain names that were sending junk email. These lists were manually managed with IPs added and removed based upon human interactions between a few systems administrators. As the Internet evolved these individual lists became larger, more centralized and list curators developed unique tools, spam traps and service models to make the lists more widely available, and more accurate.
There are a few different types of Blacklists that you need to be aware of to fully understand the market.
Public Blacklists are shared publicly via the web or, more traditionally, via DNS. A public blacklist can be referenced by anyone online to check individual IP addresses. Checking more than one list or more than one IP requires development of tools, like MxToolbox that can programmatically check these lists. Often a subscription to the full list can be purchased for use internally, or commercially in appliances or software. Examples of public blacklist are SORBS and Spamhaus Zen.
Private Blacklists have been setup by a company for their own security usage and are not made available externally. Often, these are considered proprietary or trade secrets because proprietary methods of data collection are used in the curation of the list. Examples of these include your ISP’s blacklist, Microsoft’s blacklist and those used by security companies.
IP Blacklists contain a list of IP addresses that are suspect. Typically, each IP blacklist has a different method of generating suspect email or web traffic and therefore different reason for listing the IP address. Typical reasons for listing are:
- Spam has been received from this IP in a honey trap, directly by the organization or has been reported by subscribers to the list.
- Malware or viruses were sent from this IP address.
- Open relays or other configuration issues allow for bad actors to exploit the server at this IP address for spam or malware distribution.
- This IP address has been marked as dynamic (DHCP) by the owner and leased out to their customers. Since it is dynamic, no servers should be on these IPs and you cannot trust the ones that are.
Note: If you are on a dynamic IP address, you will automatically be blacklisted by most blacklists. This is normal. If you’re not sure if you are on a static IP, then you’re probably not on a static IP.
Domain Blacklists simply list domains that have been found in spam email or are known to be sources of malware infections. There are only a handful of domain blacklists or blacklists that list domains alongside IP addresses. While a Domain Blacklist is a useful tool to alert you to reputation issues, they do not contain comprehensive domain reputation information. In general, checking your website’s IP address against an IP blacklist is also necessary to protect the reputation of your website and checking the IP addresses of your email servers is necessary for protecting your email reputation.
You can find the full list of blacklists checked by MxToolbox here.