Friday, February 20, 2015

iOS Security Tools - RBL Status

RBL Status - $1.99

Developer: Pavel Ahafonau

One of the other hats I wear is as a web application developer predominately in the PHP / MySQL realm, and I generally build, harden and deploy the web servers to run those applications on. Sometimes those servers also include a Mail Transfer Agent (MTA) / mail server depending upon the business need.

Whether you're troubleshooting an email issue, verifying that your mail form code is secure, or confirming that your mail server is properly hardened and not configured as an open relay, Real-time Blackhole Lists (RBLs) can help you determine whether your server is listed as a source of spam.

The efficacy of RBLs, also referred to as DNS blacklists or DNSBLs, is debatable for a couple of reasons. One of the biggest problems they present is the collateral damage that ensues when a single domain on a shared host is exploited to send spam. Because RBLs are IP-based, an insecure mail form on a website sharing the same IP as you could cause the IP to be blacklisted. This is an extremely frustrating situation to be in because until they fix the problem you'll be punished right alongside them.

A similar situation can occur if you're running a server on a dynamic IP and you happen to one day pick up an IP that has been blacklisted.

To further complicate the matter, there are a number of RBL services, and to troubleshoot effectively you have to track down which one is being used by the mail server denying your emails. Getting your IP delisted can sometimes be difficult, and each RBL service has its own policies for automated or manual delisting.

If you'd like to learn more, take a look at Wikipedia's Comparison of DNS blacklists.

The RBL Status app is an easy and quick tool to determine whether your IP address has been blacklisted. Currently it supports thirteen of the most popular RBLs, with seven selected by default for checking when you install the app. Based on your needs, you can select or deselect the RBLs that are most appropriate for you.
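For comparison, here is the DNS lookup behind this kind of check as described in RFC 5782, written as an added example (it is not the app's code). The zone names are example lists chosen for illustration, since the post does not say which thirteen the app queries, and the `resolver` parameter is a hypothetical hook so the logic can be exercised without the network.

```python
import ipaddress
import socket

# Example zones only: an assumption, the post does not name the app's lists.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")

def query_name(ip, zone):
    """Build the DNSBL query name: reversed octets (v4) or nibbles (v6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise  # timeouts and server failures are not proof of a clean IP

def classify(answers):
    """Map one list's answers to 'clean', 'listed' or 'error'."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    if not addrs:
        return "clean"  # NXDOMAIN: the IP is not on this list
    # Spamhaus answers in 127.255.255.0/24 when it refuses a query (for
    # example one sent through a public resolver); that is not a listing.
    if any(a in ERROR_CODES for a in addrs):
        return "error"
    # Anything outside 127.0.0.0/8 suggests a wildcarded or dead zone.
    return "listed" if all(a in LOOPBACK for a in addrs) else "error"

def check(ip, zones=ZONES, resolver=system_resolver):
    """Return {zone: (status, answers)} for one IP across several lists."""
    return {z: (classify(a), a) for z in zones for a in [resolver(query_name(ip, z))]}

if __name__ == "__main__":
    # 127.0.0.2 is the test entry RFC 5782 says every DNSBL should list.
    for zone, (status, answers) in check("127.0.0.2").items():
        print(f"{zone:26} {status:7} {', '.join(answers)}")
```

An "error" result for every zone usually means the queries are going out through a shared public resolver, so run the check from the mail server's own resolver before drawing conclusions.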

As an example, I took the IP for one of the top spam senders according to McAfee's Threat Intelligence site. In the below screenshot you can see that the IP is listed in two RBLs.


There are two downsides to the RBL Status app that I see. The first is that aside from the information it displays, you cannot drill down to get more information. Based on the previous issue, the second is that the links it provides for further information where an IP is listed are not clickable, so you'll have to resort to typing the URLs in manually, or choosing the arrow button to the left of the Check button to send the info via email, where you can then copy and paste the URL into a browser.

Visiting the URL listed for SORBS in the above screenshot will bring you to the below page, where you can determine how fresh the listing is, etc.

One nice benny RBL Status has is that you can perform a whois lookup on the domain, the IP, and the reverse hostname.

So, that's it in a nutshell. Hopefully you won't be on the wrong side of an RBL listing and have to deal with the headache of delisting.
