
The Economics of Blacklists

Blacklists have been around for over two decades, meaning that blacklists (blocklists or deny lists) existed before most humans were on the Internet. The goal of blacklists is to remove spam email from the Internet; however, the implementations and algorithms vary dramatically. A few examples:

  • Spamhaus ZEN CBL reports the IP address of sources of email that have been infected with Viruses or Malware. Even if your email was not used for spam, your computer could be.
  • NoSolicitado reports sources of Spanish language spam. There are many other language-based blocklists.
  • CASA CBL reports sources of spam received by the China Anti-Spam Alliance.
  • FABELSOURCES reports entire networks that are the source of spam. There are several similar lists, including UCEPROTECTL2 and L3.
  • Open-Relays Verifying Engine Database List (ORVEDB) lists the IP addresses of hosts that the Open-Relays Verifying Engine (ORVE) has verified to be open relays. Open relays are basically a purposeful or accidental email server misconfiguration that promotes spamming.
  • The Abusix Domain Blacklist contains domain names that have been identified as being used in spam, phishing, or malware. Note: There are very few actual domain blacklists, so the MxToolbox SuperTool also checks the IP address in the A record for the domain to see if the server has been compromised.

The Topic of Coin – How do Blacklists Make Money?

Early on, blocklists were free subscriptions for anyone to use to help reduce spam email to their servers. Since the lists were small, they were set up to be shared via FTP and then, as the lists grew bigger, via real-time DNS. Many smaller blacklists are still free to query.

Eventually, security companies started to develop their own proprietary blocklists or deny lists and integrate these into network appliances like firewalls, routers or email gateways. The primary economic model for blacklists is to sell their data to security-focused companies and automatically maintain the lists through remote syncing data feeds. Security services then update their hardware and software email filtering to include these lists, often weighing each blacklist differently but sometimes using them as a binary filter: if the sending IP is listed, deny the email.

Do blacklists charge for delisting?

MxToolbox recommends that you never, ever pay to be delisted. All legitimate blocklists have a method of delisting that, while sometimes slow, is free. Fix the problem that caused you to be listed and wait it out. Delisting usually takes a week or so depending on the blocklist.

There are both for-profit and non-profit blacklists. For-profit blacklists make money by selling their lists to security companies or security-minded companies for use in their products. For example, MxToolbox purchases subscriptions to some blacklists to enable our customers to look up their blacklist status in the SuperTool.

Non-profit blacklists offer the option to donate to support them. This should never be conditional on the delisting of the IP address.

Some blacklists may offer an expedited delisting option for a fee. Sometimes this might seem like an enticing option, but remember, MxToolbox does not recommend paying for delisting. It is your decision to pay; however, we have a few considerations:

  • Have you fixed the issue causing you to be classed as spam? If you have not fixed the issue causing you to be listed, you will be re-listed almost immediately. Paying doesn’t fix your systems or cause you to be whitelisted.
  • Do you own the network? If you don’t own the entire network, in the case of a network or ASN listing, then you can’t stop your network or ASN neighbors from getting the entire network re-listed. It’s best to contact the network owner, ISP, datacenter provider, etc.
  • Has being blacklisted affected your email deliverability? If not, then you can wait it out. If so, then how many emails were affected? Is a small email delivery problem worth the expense?
  • Are you ready to be treated like a spammer? Blocklists with expedited pay setups sometimes assume that anyone willing to pay is a spammer. Spammers make all their money from email, so a block is potentially fatal. Legitimate businesses have other methods of customer communication. Paying could get you additional scrutiny in the future.
  • Is your IP address on multiple blacklists? If you are listed on multiple blacklists, do you want to pay multiple times or wait it out? Can you even pay to delist from all of the blocklists? Multiple listings mean a serious problem, so we recommend taking care of the issue and waiting for delisting.

How do you prevent being blacklisted?

There is no one simple way to prevent blacklisting. Owning your own email servers requires constant adjustment and maintenance to prevent your systems from being used for spam or perceived as spam. Outbound email filters can help, but many companies, large and small, are abandoning the idea of hosting their own email and adopting 3rd party email senders to improve email delivery. Google Workspace, Microsoft Office365, Yahoo!, Mailgun, Constant Contact, Mailchimp, etc. all offer reduced risk of blacklisting by spreading email out over a large network of sending IP addresses and providing outbound email filtering.

New Technologies – DMARC, DKIM, SPF

Email delivery technologies are rapidly changing and the key to good email deliverability is actively managing your online reputation. Blacklisting is just one piece of the puzzle. SPF, DKIM and DMARC are now the most important factors in getting your email to the inbox. These technologies help identify you as the owner of the email and enable you to elicit feedback from Inbox Providers about problems with your email.

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities and reduce the risk of Phishing and Fraud using your domain.
  • Manage the on-going requirements of maintaining high levels of email deliverability.

The Awesomeness of Plus Addressing

Microsoft recently announced their plan to support plus addressing in Office365 accounts, so we thought we would discuss how useful this technology is. Hotmail and Gmail have had this feature for several years, but with the addition to Office365, the majority of business inbox providers now support it.

What is Plus Addressing?

Plus addressing is a way to leverage your existing email inbox to create multiple email addresses that point back to your email box. For example, if your email is “me@example.com”, then email to “me+a@example.com” or “me+b@example.com” will also go to your inbox. “a” or “b” are considered a +tag.

How can I use it?

Plus tag addressing is highly useful, especially to those of us in highly technical environments. A few things you can do with it:

  • Create a +tag for your test accounts and segregate each day’s testing by the date
  • Create a +tag for different newsletters and filter based on the tag
  • Create a +tag for registrations and follow the distribution/sale of this tag to different “associated” websites

The permutations of +tags are truly infinite, allowing you greater control over your inbox and emails you receive.
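The third use above, sketched as an added example that is not part of the original post: split the +tag off the recipient address and flag mail whose sender domain does not match the site the tag was given to. The addresses, the tag names and the `REGISTERED_TAGS` mapping are made up for illustration.

```python
from email.utils import parseaddr

# Hypothetical record of which +tag was handed to which site at sign-up.
REGISTERED_TAGS = {
    "shop": "shop.example",
    "news": "newsletter.example",
}


def split_plus_address(address):
    """Return (mailbox, tag, domain); tag is None when there is no +tag.

    Only the first '+' in the local part starts the tag, so
    'me+a+b@example.com' has the tag 'a+b'.
    """
    _, addr = parseaddr(address)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    mailbox, plus, tag = local.partition("+")
    return mailbox, (tag if plus and tag else None), domain.lower()


def sender_matches(sender_domain, expected):
    """True when the sender is the registered site or one of its subdomains."""
    sender_domain = sender_domain.lower()
    return sender_domain == expected or sender_domain.endswith("." + expected)


def classify(recipient, sender):
    """Label one message: 'untagged', 'unknown-tag', 'expected' or 'leaked'.

    `sender` is the From address; where available, compare against a domain
    that passed DKIM or SPF instead, since a bare From header can be forged.
    """
    _, tag, _ = split_plus_address(recipient)
    if tag is None:
        return "untagged"
    expected = REGISTERED_TAGS.get(tag)
    if expected is None:
        return "unknown-tag"
    _, _, sender_domain = split_plus_address(sender)
    return "expected" if sender_matches(sender_domain, expected) else "leaked"


if __name__ == "__main__":
    # Constructed messages: (recipient, sender)
    for rcpt, frm in [("me+shop@example.com", "Shop <deals@mail.shop.example>"),
                      ("me+shop@example.com", "promo@other.example")]:
        print(rcpt, "<-", frm, "=>", classify(rcpt, frm))
```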

Follow our Blog for more useful email delivery tips.

Email Delivery’s On-going Maintenance

You configured all your email senders.  SPF, DKIM and DMARC seem to be well-tuned.  Email compliance appears to be good.  Email is being delivered and most email appears to make it to your customers’ inboxes.  Open rates look reasonable.  You’re done, right?

Steps to a “Complete” Email Delivery posture

To get to an optimal email delivery posture, you need to finely tune the components of your email senders.

  1. Identify all your email senders.  Who is sending email on behalf of your domain? This may sound trivial, but it’s not.  IT set up your main outbound servers, but is Marketing using Marketing Automation, Sales using a CRM, or Order Management a separate Invoicing and Order Fulfillment system?
  2. Include all your senders in your SPF.  If not, most inbox providers will automatically deny your email.  Google, Office365, Yahoo! and many other inbox providers automatically refuse email if the sending domain’s SPF record does not include the sending servers.
  3. Set up DKIM on all your email senders.  DKIM allows you to cryptographically sign your emails so recipients know they are from you.
  4. Set up a DMARC record and direct RUA and RUF to a service, like MxToolbox’s Delivery Center, that can analyze and provide feedback on DMARC compliance.
  5. Monitor DMARC compliance across your senders.  This may mean revisiting steps 1, 2, 3 & 4 as you discover new senders or the configurations need updating.
  6. Gradually change your DMARC policy from None to Quarantine to Reject.  Stricter policies will help prevent fraud and phishing using your domain which will improve your overall email deliverability.
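Steps 4 to 6 in practice, as an added example (not MxToolbox code): the aggregate (RUA) reports that inbox providers send are XML, and a short script turns one into per-sender compliance rates and a go/no-go check before tightening the policy. The report, the IP addresses, the list of known senders and the 98% threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (RUA) report, trimmed to the fields used here.
# The IPs are documentation addresses; nothing comes from a real report.
ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<dkim>{}</dkim><spf>{}</spf></policy_evaluated></row></record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + ROW.format("192.0.2.10", 120, "pass", "pass")    # main outbound server
    + ROW.format("198.51.100.7", 90, "pass", "fail")   # CRM: signed, not in SPF
    + ROW.format("198.51.100.7", 10, "fail", "fail")   # CRM: unsigned messages
    + ROW.format("203.0.113.5", 50, "fail", "fail")    # a source nobody listed
    + "</feedback>"
)


def compliance_by_source(report_xml):
    """Return {source_ip: {"total", "compliant", "rate"}} for one report.

    A message counts as DMARC compliant when the DKIM or the SPF result
    under <policy_evaluated> (the aligned results) is "pass".
    """
    # Reports arrive from third parties: in production parse them with a
    # hardened XML parser (for example defusedxml) instead of plain ElementTree.
    stats = defaultdict(lambda: {"total": 0, "compliant": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", default="0"))
        results = (row.findtext("policy_evaluated/dkim", default="fail"),
                   row.findtext("policy_evaluated/spf", default="fail"))
        stats[ip]["total"] += count
        if "pass" in results:
            stats[ip]["compliant"] += count
    for entry in stats.values():
        entry["rate"] = entry["compliant"] / entry["total"] if entry["total"] else 0.0
    return dict(stats)


def ready_for_stricter_policy(stats, known_senders, threshold=0.98):
    """Gate for step 6. `threshold` is an assumed value, not the article's.

    Returns (ready, lagging_known_senders, unknown_sources). Unknown sources
    are either senders missed in step 1 or someone spoofing the domain.
    """
    lagging = sorted(ip for ip in known_senders
                     if ip in stats and stats[ip]["rate"] < threshold)
    unknown = sorted(ip for ip in stats if ip not in known_senders)
    return (not lagging), lagging, unknown


if __name__ == "__main__":
    report = compliance_by_source(SAMPLE_REPORT)
    for ip, s in sorted(report.items()):
        print(f"{ip}: {s['compliant']}/{s['total']} compliant ({s['rate']:.0%})")
    print(ready_for_stricter_policy(report, {"192.0.2.10", "198.51.100.7"}))
```

In the sample, the CRM at 198.51.100.7 holds the domain back at 90% until its unsigned messages are fixed, and 203.0.113.5 needs a decision: add it as a sender or let a stricter policy block it.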

I’m at a Strict DMARC Policy, I’m done.  Right?

Nope!  Strict policies will help prevent fraud and phishing using your domain, but this can also deny legitimate email from new or misconfigured sources.

You need to have an on-going maintenance plan.

MxToolbox recommends:

  • Regular monitoring of SPF, DKIM and DMARC configurations.  If your senders change their configurations, it can cause issues with your email delivery.
  • Regular monitoring of your senders’ blacklist status.  If you or your senders are blacklisted, then your email will be blocked before ever reaching an inbox.
  • Regular monitoring of SPF, DKIM and DMARC compliance rates.  A low compliance rate means that legitimate email may be blocked.
  • Adoption of new technologies as they arise.  For example, BIMI, ARC or VMC are beginning to be adopted by inbox providers and email senders.
  • Regular monitoring for new email senders.  Some of these may be emerging threats to your brand while others may be legitimate senders adopted by other departments without your knowledge.

MxToolbox Delivery Center provides everything you need to manage the on-going maintenance of email delivery.  Learn more about Delivery Center and how we can help you with email deliverability!

What is Spear Phishing?

Phishing attacks have become an unfortunately common occurrence.  A relatively new wrinkle is called spear phishing where the phishing email targets a specific individual, business, or organization.  Spear phishing is used for two main purposes:

  1. Steal data for malicious purposes
  2. Install malware on the target’s computer for use against another organization

Regardless of intention, if executed properly, a spear phishing ploy is bad news for your company.

How Are Spear Phishing Attacks Performed?

Here’s a general rundown of how spear phishing scams work:

  • An email arrives in a colleague’s inbox, seemingly from a trustworthy source like a supplier, vendor or even your own corporate website. To get the victim’s attention, spear phishing emails often use clever tactics like matching logos, verbiage and even URLs that look similar to those you would consider normal.
  • The message leads the unsuspecting recipient to a well-designed bogus website either with a login portal or with a hidden cache of malware that they attempt to download and install.
  • Hackers will then sell the login credentials or malware networks to governments, private entities or other hackers for further exploitation.

Cybercriminals use tailored approaches that leverage social engineering techniques to personalize the messages and websites used in their scams and to encourage victims to act before they think. According to a March report on spear phishing from cybersecurity firm Barracuda Networks, these attacks are frequently researched in advance and intended to capture data, such as login credentials or other highly sensitive information. Analyzing 360,000 emails that involved spear phishing over a three-month period, the company’s researchers found that 83% of these attacks involve brand impersonation of companies users know and trust. [1]

Moreover, to increase success rates, spear phishing messages often contain urgent explanations on why sensitive information is needed. The combination of realistic branding and urgent need to act pushes users to act before they think.  This kind of social manipulation is “becoming the key ‘attack vector’ in cybersecurity attacks.” [2]  Victims are usually asked to open a malicious attachment or click on a link that takes them to a spoofed website where active passwords, account numbers, PINs, or access codes are requested.

How to Fight Spear Phishing

Since spear phishing attacks are becoming more difficult to detect, protecting your business email is even more important. Traditional security can stop some of these scams but not all because of the clever customization. A single mistake enables fraudsters to gain access to commercially sensitive intel, forever damaging your company’s brand. In addition, spear phishing attacks can deploy malware to hijack computers, organizing them into enormous networks (botnets) that can be used for denial of service attacks.

To fight spear phishing scams, employees need to be aware of the threats, such as the possibility of bogus messages landing in their inbox. It’s a simple answer, but informed employees are the first line of defense in combatting malicious online attacks. Besides education, technology that focuses on email security is necessary.

In addition, it is important for email senders to protect their brands from use in spear phishing attempts.  Big brands like American Express, Amazon.com and PayPal were once often leveraged by fraudsters because of their wide usage, credibility and access to financial and personal information.  Now, large corporations are deploying technologies to prevent use of their brands so fraudsters are forced to use smaller, less protected brands.

Protecting Your Brand – MxToolbox Delivery Center

To protect your brand from use in phishing and fraud emails, you need to deploy new technologies like SPF, DKIM and DMARC, and actively manage the information you receive from inbox providers about your email delivery status.  MxToolbox’s Delivery Center provides your business with the email deliverability insight you need.  Our Experts combine best practices on email delivery with new technologies and our own experiences to give you best-in-class insight into the deliverability of your known email senders and early warning on emerging email threats like spear phishing.  We can even manage your email delivery with our Managed Services program.

[1], [2] Gizmodo, Privacy and Security. https://gizmodo.com/spear-phishing-attacks-are-on-the-rise-security-firm-s-1833455812

Can DMARC stop spam?

Yes, yes it can.  But, how?

DMARC, by itself, does not stop a spammer from sending email.  To be effective at reducing spam, everyone needs to implement DMARC and follow up by improving the compliance rates of their outbound emails.  As your legitimate email becomes more DMARC compliant, you can begin to tell recipients to ignore email that isn’t compliant.  This spam will bounce and foil the spammers trying to use your brand!

Learn More about how MxToolbox can help you.

Improving DMARC Compliance

DMARC is not a set-and-forget type of technology.  It changes as your company adopts new email senders, and as fraud and phishing threats emerge.  Your legitimate email should be as compliant as possible in order to reach your audience.  Insight from MxToolbox Experts can help you improve DMARC compliance.

INPS_DE Blacklist Offline

The INPS_DE blacklist, operated out of Germany, recently decided to shut down its blacklist service due to changes in regulations. As such, we have temporarily removed it from our blacklist monitoring services. If the operator decides to reinstate the blacklist database, we will re-evaluate its inclusion in our monitoring.

Notice of blacklist database termination from the blacklist operator:

For more than 10 years I, Christian Jung, have been working with passion and enthusiasm on the inps.de DNSBL and the inps.de DNSWL. With these projects, which have been very well received, I wanted to make the internet a little bit better and also to be a small part of it.

The protection of data has always played a significant role in development. The entry into force of the basic data protection regulation DSGVO on 25.05.2018 has, however, caused massive insecurity, and with the means available to me I simply cannot afford, at the present time, legal advice that would provide the necessary clarity.

For this reason, I have decided, with a heavy heart, to put the inps.de DNSBL “on ice” for the time being and to offer it to the public only when there is clarity in this respect. An empty zone will be delivered from my DNS servers, so that all previously entered IP addresses are no longer registered to the outside. I thank from the bottom of my heart all those who have supported my projects so energetically in the past years. Without this support the hit rate would be far from being so good.

Sectoor Exitnodes shutting down

Update: We have shut down blacklist monitoring on Sectoor Exitnodes as this blacklist is in fact currently offline.

If you have received blacklist alerts regarding this list, the alerts and monitor status will be automatically corrected by our monitoring system during the next check. There is no action you need to take at this time.


Earlier today we detected abnormal behavior from the blacklist Sectoor Exitnodes. Its domain registration expired recently and their blacklist database is now showing signs it may be going offline.

We are monitoring this situation and will update this post once more details are available.

Abuse System Update

On May 9th we updated our abuse system to shut down unauthorized and excessive access to our site and improve service to our free and paying customers.  During the update of the abuse management system all access to the site was shut down for approximately 10 minutes instead of the shorter planned outage.

As of Noon Central US time all access has been restored.  We apologize for the inconvenience.

NoSolicitado False Positives

Blacklists operate using the DNS system, where a blacklist publishes a set of IP addresses that are blacklisted. We query these lists in real-time to give you a consolidated report of the blacklist reputation of an IP address. Sometimes a DNS server at a blacklist operator may get out of sync with the entire pool or the pool may get out of sync with the database. Regardless of the root cause, we always display what we receive when we query the blacklist providers’ DNS servers.

On Friday, we noticed some issues where the blacklist NoSolicitado is showing some IP addresses as blacklisted and then quickly delisting them. These bounces are affecting customers with blacklist monitors and those searching IP addresses. We will update when there is more information.

Update:  NoSolicitado has updated their DNS and we are no longer showing false positives of listing/delisting bounces.  If you are on NoSolicitado, it is a legitimate listing.
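The DNS lookup described above, with a guard against the listing/delisting bounces from this incident, as an added example (not MxToolbox's implementation): the IPv4 octets are reversed and prepended to the blacklist's zone, an answer inside 127.0.0.0/8 means listed, and no answer means not listed. The zone `dnsbl.example`, the injectable `resolve` callable and the three-check confirmation window are assumptions for illustration.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """203.0.113.7 checked against dnsbl.example -> 7.113.0.203.dnsbl.example"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def system_resolve(name):
    """A records via the OS resolver; [] on NXDOMAIN or any resolver error."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_listed(ip, zone, resolve=system_resolve):
    """Listed only if the zone answers inside 127.0.0.0/8.

    Answers outside that range, such as a parked domain's wildcard record,
    are not treated as listings.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)


class DampedMonitor:
    """Change the reported status only after `confirm` identical checks in a row,
    so one out-of-sync DNS server does not trigger a listed/delisted alert pair."""

    def __init__(self, confirm=3):
        self.confirm = confirm
        self.status = False   # last confirmed state: not listed
        self._streak = 0      # consecutive checks that disagree with status

    def observe(self, listed_now):
        if listed_now == self.status:
            self._streak = 0
        else:
            self._streak += 1
            if self._streak >= self.confirm:
                self.status, self._streak = listed_now, 0
        return self.status


if __name__ == "__main__":
    # Constructed answers standing in for a blacklist's DNS servers.
    fake_zone = {"7.113.0.203.dnsbl.example": ["127.0.0.2"]}
    print(is_listed("203.0.113.7", "dnsbl.example", lambda n: fake_zone.get(n, [])))
    monitor = DampedMonitor()
    print([monitor.observe(x) for x in [True, False, True, True, True, True]])
```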