Delisting for hosting companies.
The following text exists to inform MTA hosts/servers which may find themselves on the RBL polspam.pl blacklist. For what reason could a host domain, its IP address and its address classes or its whole ASN be found on our RBL polspam.pl blacklists? To explain it briefly, the reasons might be:
- Independent sending of spam. The operator's domain, or IP addresses belonging to the operator's domain, may send spam on their own for the purpose of self-advertising or on behalf of third parties, trademarks, third-party services, etc.
- Lack of network supervision. This includes, but isn't limited to: providing infrastructure for spam, (intentional or otherwise) helping to send out spam, owning computers infected with viruses, owning www domains with viruses (without any effort to get rid of said viruses).
- The sending of spam by a host's client(s). An operator's domain can be used as an SMTP server by any of its clients. Very often the main hosting domain also happens to be the email server for its own clients. If one client gets blacklisted, all of the email servers they use will also get blacklisted.
- Receiving e-mail responses to spam sent from third-party servers. Often, spam is sent from beyond the borders of the target country, while the victims' responses are meant to go to e-mail accounts located in the hosting operator's infrastructure. In this way, spammers hide the fact that millions of e-mails are being sent every day.
- Hosting of spam-related domains, including spam requests, but not local email services. The hosting company itself and the hosting client do not send or receive e-mails at all, but the hosting infrastructure contains spammers' websites or landing pages, collects phishing victims' data and redirects it to other websites. Once again, in this way spammers hide the fact that millions of e-mails are being sent out encouraging people to visit specific websites.
- Outsourcing of spam. This includes domains that advertise spam-related services on order, i.e. ways to send out emails en masse. These are called SMTP services.
- Use of rented address classes with BGP-level routing redirection. Sometimes spammers borrow IP address classes from third parties and, at the BGP routing level, route them into the data centers of different hosting companies. In this case, these classes, the domains within them and the ASN of the new hosting domain may be blacklisted. This is, however, a much more elaborate and advanced way of providing spamming infrastructure.
RBL polspam.pl does not ban anyone, nor does it block anyone from sending or receiving e-mails. RBL polspam.pl only informs other MTA administrators that a given address, class or ASN appears to take part in spamming. It is the MTA administrators' job to decide what to do with this information.
Alongside the spammer's domain (which is entered by hand by our volunteers), the domain's DNS records are also read. All records of type A, AAAA or MX that are found are added automatically (by the software that runs the RBL) to the blacklist for IP addresses. If an IP address is shared by many domains, all of those domains are thereby blacklisted as well, although their names may not appear on the rhsbl domain list. The domain-name blacklist and the IP blacklists are entirely separate from one another.
RBL polspam supports and lists IPv4 and IPv6 addressing.
If spam is sent from hundreds or thousands of IP addresses in conjunction with domains purchased for one-time use, it may happen that the entire ASN of the hosting operator is manually blacklisted by our volunteers. The same may occur when the operator does not spam on its own but shows a lack of care for the reputation of its service or its customers. This counts as indirectly helping to send spam.
Oftentimes, hosting providers simply do not care about their customers' actions. They are only interested in the company's profit or in other matters unrelated to fighting spam and cyber crime. In such cases one repeatedly sees attacks, attempts to log into other people's accounts, or infected computers, and nobody does anything about it. This poisons the lives of other internet users for months, whether through attempts to send out viruses, offers of miracle drugs or fake therapies.
The next section explains how to apply for deletion from the blacklists.
RBL polspam.pl does not delete operators' domains, IP addresses or ASNs unless the operators have introduced mechanisms that fight spam, nor without a justification of why the spam was being sent out or why help with sending spam was provided. Short explanations or replies will not suffice. In addition, the operator's domain must be properly configured and its website must not use sneaky tracking techniques such as canvas fingerprinting. In short, the domain should behave decently and appropriately.
Domains participating in e-mail correspondence, i.e. the sender's domain, the SMTP server's domain and the domain of the hosting itself, should all be properly configured:
- DMARC with the policy “p=reject” set up
- A working DKIM signing mechanism with a verifiable selector
- The SPF record should have the “-all” policy (a - instead of a ~)
- E-mails should be encrypted with TLS 1.2 or higher
- Individual e-mails must not include trackers or remotely loaded objects that could identify the recipient
- All websites should have an SSL certificate
Some tools for verifying one's domain configuration:
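The first three requirements on that list can be checked mechanically. The following is an added Python example (not code from RBL polspam.pl): it evaluates a domain's DMARC, SPF and DKIM TXT records, passed in as strings, against the policies required above. It assumes the caller fetches the records with a TXT lookup (for example host -t TXT _dmarc.<domain>, <domain>, and <selector>._domainkey.<domain>).

```python
from typing import Dict, Optional

def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC and DKIM syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: Optional[str]) -> str:
    """TXT record at _dmarc.<domain>; 'ok' only for p=reject (and sp=reject if sp is set)."""
    if not record:
        return "missing DMARC record"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "not a DMARC record"
    if tags.get("p", "").lower() != "reject":
        return f"DMARC policy is p={tags.get('p', 'none')}, required p=reject"
    if tags.get("sp", "reject").lower() != "reject":
        return f"subdomain policy sp={tags['sp']} is weaker than reject"
    return "ok"

def check_spf(record: Optional[str]) -> str:
    """TXT record at <domain>; 'ok' only when the record ends with the hard-fail -all."""
    if not record:
        return "missing SPF record"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "not an SPF record"
    last = terms[-1].lower()
    if last == "-all":
        return "ok"
    if last in ("~all", "?all", "+all", "all"):
        return f"SPF ends with {last}, required -all"
    if any(term.lower().startswith("redirect=") for term in terms):
        return "SPF delegates via redirect=, check the target domain"
    return "SPF record has no 'all' mechanism, required -all"

def check_dkim(record: Optional[str]) -> str:
    """TXT record at <selector>._domainkey.<domain>; 'ok' when it carries a public key."""
    if not record:
        return "DKIM selector does not resolve"
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # the v= tag is optional in DKIM
        return "not a DKIM record"
    if not tags.get("p"):
        return "DKIM key revoked (empty p=)"
    return "ok"
```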
Measures to be taken to properly fight spam.
Some of the domains in any address range can be determined via the securitytrails website. Just enter your domain or range of IP addresses in CIDR format to get a list of domains and subdomains. Unfortunately, this list is incomplete and not always up to date. Only the hosting operator knows the full list of its own domains and subdomains.
First, identify which domains are blacklisted. This is easy enough, and without it it is impossible to separate honest domains from spam domains, and therefore impossible to remove entries from the RBL polspam.pl blacklists. This is why web hosts that want to remove domains from the blacklist must actively cooperate, at least to some extent.
Prepare a text file with all the domains and their subdomains, one per line, name it something like "domains.txt" and run the script presented below.
It is a simple script that checks each domain in the "domains.txt" file to see whether it is blacklisted on the RBL server and whether the server stores any information about it. It automatically creates two files, named „white.txt” and „black.txt” respectively (the script below writes them as domains.white and domains.black). The following example uses the rhsbl.rbl.polspam.pl list. There are also other domain lists such as rhsbl-h and rhsbl-v; the remaining lists are IP address databases and are not useful for this step. Of course, you can also query other popular foreign RBL lists, but only those that store domain names.
The script does not check the rhsbl-danger list, because listing a domain there completely disqualifies it from being removed from the RBL polspam blacklists; deletion requests for domains on that list will be permanently ignored.
#!/bin/bash
# OS-dependent locations of the tools used below; adjust them for your system.
# This shell command tells you where a tool lives on your system: whereis host
export CMD_HOST="/usr/bin/host"
export CMD_ECHO="/usr/bin/echo"
export CMD_GREP="/usr/bin/grep"
# Do not change anything below this line ...
###########################################
export CUR_DIR="$(dirname "$(realpath "$0")")"
export RHSBL_POLSPAM="rhsbl.rbl.polspam.pl"
export RHSBH_POLSPAM="rhsbl-h.rbl.polspam.pl"
export COL_RED="\033[0;31m"
export COL_GRN="\033[0;32m"
export COL_YEL="\033[0;33m"
export COL_DEF="\033[0m"
# Input list (one domain per line) and the two output files
export FILE_DMNS="${CUR_DIR}/domains.txt"
export DMN_F_B="${CUR_DIR}/domains.black"
export DMN_F_W="${CUR_DIR}/domains.white"
export STAMP="$(date +'%Y.%m.%d %T')"
##########################################
if [ ! -f "${FILE_DMNS}" ]
then
    ${CMD_ECHO} -e "${COL_RED}${FILE_DMNS} does not exist.\n${COL_YEL}Create a file named ${FILE_DMNS} and save the domains to be checked in it.${COL_DEF}"
    exit 1
fi
${CMD_ECHO} "#Start ${STAMP}" > "${DMN_F_B}"
${CMD_ECHO} "#Start ${STAMP}" > "${DMN_F_W}"
while IFS= read -r DMN
do
    # Skip blank lines and comments in domains.txt
    case "$DMN" in ''|'#'*) continue ;; esac
    # Query the domain under each RBL zone; the last word of host's output
    # is the returned A record when listed, or "3(NXDOMAIN)" when not listed
    RET_RHSBL=$(${CMD_HOST} -t A "${DMN}.${RHSBL_POLSPAM}" | ${CMD_GREP} -o '[^ ]*$')
    RET_RHSBH=$(${CMD_HOST} -t A "${DMN}.${RHSBH_POLSPAM}" | ${CMD_GREP} -o '[^ ]*$')
    if [ "${RET_RHSBL}" = '127.1.1.1' ]
    then
        ${CMD_ECHO} -e "${COL_RED}${DMN} listed on ${RHSBL_POLSPAM}.${COL_DEF}"
        ${CMD_ECHO} "${DMN}" >> "${DMN_F_B}"
    else
        if [ "${RET_RHSBH}" != '127.0.0.2' ]
        then
            ${CMD_ECHO} -e "${COL_GRN}${DMN} NOT listed on ${RHSBL_POLSPAM}.${COL_DEF}"
            ${CMD_ECHO} "${DMN}" >> "${DMN_F_W}"
        else
            # Present on rhsbl-h but not (yet) on rhsbl
            ${CMD_ECHO} -e "${COL_YEL}${DMN} is a candidate for the real blacklist.${COL_DEF}"
        fi
    fi
done < "${FILE_DMNS}"
#end
This check should be performed frequently, always covering the current pool of serviced domains, with an immediate reaction to the appearance of any domain on the blacklist. All transferred-in domains should be checked against the RBL lists at the time of their transfer. Otherwise the new hosting domain may immediately get blacklisted: the process is automatic, and if a spammer moves a domain to a new hosting, it immediately "infects" the new host with a bad reputation. The new hosting and its SMTP server will be automatically added to the RBL list of IP addresses, e.g. bl.rbl.polspam.pl.
Of course, you can also query the RBL lists for IP addresses. This is done by specifying the address bytes in reverse order; for example, for the IP 1.2.3.4 the query name is:
4.3.2.1.bl.rbl.polspam.pl
You should modify the script above yourself so that it processes lists of IP addresses instead of lists of domain names.
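One way to do that IP-address variant, written here as an added Python example rather than code from RBL polspam.pl: it builds the reversed query name for both IPv4 (as shown above) and IPv6 (reversed nibbles, the standard DNSBL convention, since the page states that IPv6 is listed too) and sorts the addresses into listed and not listed. It assumes the zone name bl.rbl.polspam.pl from the text and treats any 127.0.0.0/8 answer as "listed", because the page does not state that zone's return codes.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

IP_ZONE = "bl.rbl.polspam.pl"  # IP blacklist zone named in the text

def rbl_query_name(ip: str, zone: str = IP_ZONE) -> str:
    """Build the DNSBL query name: reversed octets for IPv4 (1.2.3.4 becomes
    4.3.2.1.<zone>), reversed nibbles of the full 32-hex-digit form for IPv6."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def dns_resolver(name: str) -> Optional[str]:
    """Real lookup: the A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_ips(ips: Iterable[str], resolve: Callable[[str], Optional[str]] = dns_resolver,
              zone: str = IP_ZONE) -> Dict[str, Optional[str]]:
    """Map each address to its RBL return code (a 127.x.x.x A record) when listed,
    None when not listed, or the string 'invalid' when it is not an IP address.
    Assumption: any 127.0.0.0/8 answer means 'listed' (usual DNSBL behaviour)."""
    results: Dict[str, Optional[str]] = {}
    for ip in ips:
        ip = ip.strip()
        if not ip or ip.startswith("#"):  # blank lines and comments in the input
            continue
        try:
            name = rbl_query_name(ip, zone)
        except ValueError:
            results[ip] = "invalid"
            continue
        answer = resolve(name)
        results[ip] = answer if answer is not None and answer.startswith("127.") else None
    return results

if __name__ == "__main__":
    # Mirrors the domain script: read ips.txt, write ips.black and ips.white
    with open("ips.txt") as fh:
        found = check_ips(fh)
    with open("ips.black", "w") as black, open("ips.white", "w") as white:
        for ip, code in found.items():
            if code == "invalid":
                print(f"skipping {ip!r}: not an IP address")
            elif code:
                print(f"{ip} listed on {IP_ZONE} ({code})")
                black.write(f"{ip} {code}\n")
            else:
                white.write(ip + "\n")
```

The resolver is injectable so the classification can be exercised against a constructed answer table before pointing it at the live zone.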
Domains from the "black.txt" file should be immediately moved to a separate IP address, away from the rest of the domains, and assigned a separate SMTP server with its own domain and IP address. It is useful to set up multiple so-called „junk domains”, each with a different level of harmfulness. If these domains appear on many lists, including foreign ones, they may damage the reputation of the whole infrastructure even further, and honest domains may suffer if they share an IP address with blacklisted domains. SMTP servers, which are automatically listed together with these domains, are particularly at risk.
This is an example:
- (1.2.3.4)(spam1.pl, spam2.pl, spam3.pl) → (1.2.3.40) smtp.spammers.pl
- (2.3.4.5)(user1.xyz, user2.fun, user3.abc) → (2.3.4.50) smtp.unsure.pl
- (3.4.5.6)(good1.pl, good2.pl, good3.pl) → (3.4.5.60) smtp.honest.pl
Separate IP addresses should also be provided for so-called uncertain TLDs: xyz, space, world, moon, fun domains and the like. These are domains sold on promotions, almost given away for free, and some of them are permanently entered into the RBLs and cannot be delisted. A common-sense rule says that domains wanting to send mail should be national domains. This does not mean that some of the "stranger sounding" ones do not have good intentions; unfortunately, the truth is that it is rather difficult to find even one such domain, because most of them are used only for one-time spamming, receiving spam or as a landing page.
Esteemed domain operators, RBL polspam.pl asks that you do not submit deletion requests before reading this article in its entirety and heeding the warnings, instructions and tips within it. An address appearing on the BL list (the list of IP addresses) only means that a domain using it has caused harm, which resulted in its addition to the BL list. The hosting domain should investigate on its own to find the root of the issue.
The domain that causes a listing on the BL does not have to be on its own hosting server. It is enough for it to have permission to send e-mails and an MX record pointing to a server of a different hosting. If the hosting domain itself or its ASN is on the RBL list, it means that it was unable to fight the successively appearing, newly registered domains, and it was necessary to warn RBL users of this fact.
In truth, a single spammer can completely ruin the reputation of an entire IP address (and thereby all of its domains). Unfortunately, such a spammer can also make their victims' lives immensely worse. It is the hosting domain's job to care for the reputation of its customers, not ours.