12 Questions to choose the right Blocklist for your Network

When looking at your mail server configuration, or at blocklist lookup tools like mxtoolbox.com and multirbl.valli.org, you may notice the large number of blocklists (email blacklists) that exist.

Some you may recognize as commercial vendors, but others, such as free projects or specialized lists, you may never have heard of before.

So you may ask yourself:

Why use a commercial vendor like Abusix’s Mail Intelligence rather than one of the free or specialized lists?

What do email blocklists block?

Blocklists are anti-spam solutions designed to block email-borne threats.

These are most often developed for a specific purpose, to fill a particular gap.

Such gaps often appear when internet infrastructure or standards change, or when cybercriminals exploit a new vulnerability.


New blocklist solutions also often emerge from academic and special-use settings, and have included blocking of things like:

  • Specialized spam or phishing techniques
  • Website URLs or IP addresses that host malware or cross-site infections
  • IP addresses used for smishing (SMS phishing) or vishing (voice phishing)
  • ASNs of network operators who don’t take down abusive or compromised hosts within their networks
  • Malware files, like those sent by botnets to recruit other bots
  • IP addresses geolocated to countries the operator considers high-risk
  • New IP addresses or domains with zero reputation when they first appear, thereby strengthening zero-day security
  • Compromised accounts and malicious or infected hosts
  • Unauthenticated email from hosts that are not mail servers

So, while all these problems need to be addressed, specialized blocklists are not comprehensive.

This is because it takes a well-funded commercial operation to tackle all these different attack vectors.

Also, the malicious actors a specialized list identifies are usually already present in the comprehensive commercial blocklists, blocked by their IP addresses, domains, and other identifiers.

Who develops Blocklists?

Often these are programmers who feel a moral obligation to address a specific wrong.

They are usually selective and sometimes, but not always, zealous.

The zealous blocklist developer may take punitive blocklisting measures to get a sender or a network provider to notice and stop certain behaviors. Punitive measures would include blocking neighboring IP addresses, ranges, or even full ASN ranges. 

While a network or mail operator will certainly notice punitive blocking, this approach does not always help that operator’s network security operations center.

This is especially true when the blocked range hosts many third-party services, hosting customers, or users, all of whom lose service because of one offender.

We do not recommend punitive blocking as it creates too many false positives and collateral damage.

Why was the Abusix Mail Intelligence Blocklist developed?


1. We had pre-existing expertise in Spam Threat Intelligence

Abusix, largely unknown to the public over the years, has been the largest provider of raw spam threat intelligence to security providers around the globe.

Given this unique position, we developed expertise in deploying honeypots and a trap network that processes tens of billions of spam and malicious entity data points each day.

We are now developing a comprehensive commercial blocklist from our commercial threat intelligence service, reaching a broader marketplace. 

2. We address the new Email Abuse Threats

We also looked at what was in the market, which focused only on IP and domain listings, and at the new threats that have emerged.

Short URLs, file-sharing and drive service URLs, cryptocurrency wallet addresses, and email addresses are now actively used in spam and phishing.

Traditional spam filters are not designed to match such dynamic strings; the best way to address them is through a blocklist like ours.

It’s simple; no one was solving the problem at the time, so we did.

Imitation is the sincerest form of flattery, and Abusix has been copied.

3. We combine our Blocklist with a Network Abuse Management Software

As we looked at the blocklist marketplace, we also noted that Abusix Mail Intelligence sits adjacent to our other solution, AbuseHQ.

AbuseHQ is an abuse management automation solution for network providers like telecommunications providers, internet service providers, VPN companies, and cloud hosting providers, helping them keep their networks free from abuse.

We saw a need for a comprehensive blocklist complementary to AbuseHQ, for customers addressing abuse and compromised systems in their networks.

Thus, we decided to enter the mitigation market (Abusix Mail Intelligence, blacklist/blocklist) and continue improving our remediation market services (AbuseHQ, abuse desk).

4. We offer a Comprehensive Transparent Commercial Blocklist and Service

We saw that the world had shifted. It was no longer rooted in the same paradigms in which some blocklists were developed 20 years ago.

In the past, spam was often sent by spam gangs, and while malicious and criminal, it was often sent from a set of known IP addresses and domains.

Today is a different world.

The highest proportion of spam, phishing, malware, and the like is sent from compromised, constantly changing bots, organized into real-time networks known as botnets.

Yes, criminals known as bot herders manage them at their core; but the problem being addressed is different.

Spam and phishing are the product, but the underlying problem is that users and their machines are being infected.

It’s important not to be punitive but accurate, so the blocked entity knows its problem to solve it.

How do you choose a Blocklist for your mail platform?

Here is a list of criteria (and questions) you should take into account when deciding which Blocklist (Blacklist) to choose from:

  1. Is the blocklist comprehensive in its blocking capabilities, or is it use case-specific?
  2. Is it useful for inbound and outbound mail?
  3. Does it use automated, globally distributed, fast-acting block logic?
  4. Does it have a Transparent Welcome List?
  5. Does the blocklist you are considering have a zero-day zero trust domain and IP address list?
  6. Can you check whether an IP address or domain is blocklisted and find out why it is listed?
  7. Is there a way for senders to quickly find out why they are listed and delisted from the blocklist?
  8. Is the pricing model clear, and does it scale appropriately? 
  9. Do they offer good customer support?
  10. Do they invite independent 3rd party evaluations ongoing?
  11. Is the blocklist evaluated by an Independent 3rd party Benchmarking Service?
  12. Does the blocklist offer you the ability to report and mitigate the impact of compromised hosts on your network?

1. Is the list comprehensive in its blocking capabilities?

Spam is unsolicited commercial email originating

FROM infected, malicious, and misconfigured hosts,

THAT CONTAINS malicious content in the form of spamvertised domains, short URLs and file-storage URLs, and malware attachments.

Does the list you are considering address these variables and more?

Components of successful inbound email blocklists include:

  • IP address blocking
  • Domain blocking
  • Content blocking

Does the blocklist block on the IP address, domain, and URL level in content? If not, why not?

2. Is it useful for inbound and outbound mail?

Yes, your outbound is someone else’s inbound. 

Outbound email blocking includes:

  • IP address blocking at authentication time, which rejects login attempts from IP addresses identified as trying to compromise accounts
  • Domain blocking
  • Content blocking

Does the blocklist provide comprehensive outbound blocking?

3. Does it use automated, globally distributed, fast-acting block logic?

Blocklists today must be robust and fast. The botnets certainly are.

Ask yourself whether the service:

  • Is globally distributed for resiliency
  • Applies its block logic quickly (how fast does a new listing propagate to your mail servers?)
  • Is created automatically, free of manual human listings
  • Is free of false positives


When looking at a list, does it have global coverage, or is it selective?

Is it robust, redundant, and resilient? How so?

4. Does it have a transparent Welcome List?

Every good blocklist starts with a great welcome list (or allowlist) as there are many IPs and domains that you would not want to block as doing so would cause significant false positives.

Do you know what IP addresses and domains are suppressed from the blocklist to prevent false positives? Is your supplier transparent or secretive?

5. Does the blocklist you are considering have a zero-day zero trust domain and IP address list?

Under a zero-day zero trust policy, new domains and new IP addresses that have never sent email before are treated with suspicion until their content and sending reputation can be verified.

Does the list or lists you are considering have a zero-day zero trust domain and IP address list?

6. Can you check whether an IP address or domain is blocklisted and find out why it is listed?

A helpful blocklist must be transparent about why an IP address or domain is being blocked and how to fix the problem that caused the block.

Therefore, the blocklist provider MUST have an easy-to-use interface like https://lookup.abusix.com.
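Behind any lookup page sits a DNS query: an IP-based list (DNSBL) is queried by reversing the address and appending the list’s zone, a domain-based list (RHSBL) by prepending the domain, and the answer is an A record in 127.0.0.0/8 whose last octets encode the listing reason. The helper below is an added example, not code from this page or from Abusix; the zone names and return-code meanings in it are placeholders, and it also performs the sanity check a practitioner wants before wiring a zone into a mail server (the RFC 5782 test points 127.0.0.2/TEST must be listed and 127.0.0.1/INVALID must not) and refuses to trust any answer outside 127/8, which is what a dead, wildcarded zone returns.

```python
"""DNSBL / RHSBL lookup helper with the pre-deployment sanity checks a mail
operator should run before trusting a zone.  Example code only; the zone
names and return-code meanings below are placeholders, not Abusix's."""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# ASSUMPTION: hypothetical zone names.  Substitute the zones your vendor documents.
IP_ZONE = "ip.example-dnsbl.invalid"
DOMAIN_ZONE = "domain.example-dnsbl.invalid"
# ASSUMPTION: hypothetical meanings for the 127.0.0.x answers; vendors publish their own.
RETURN_CODES = {
    "127.0.0.2": "spam source",
    "127.0.0.3": "compromised host / bot",
    "127.0.0.4": "phishing or malware URL host",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve via the OS stub resolver; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def ip_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL label: octets reversed for IPv4, nibbles reversed for IPv6."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. "4.3.2.1.in-addr.arpa"
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{zone}"


def domain_query_name(domain: str, zone: str) -> str:
    """RHSBL label: the bare domain prepended to the zone."""
    return f"{domain.strip('.').lower()}.{zone}"


def lookup(name: str, resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Query one label and decode the answer.

    Only answers inside 127.0.0.0/8 count as listings.  Anything else means the
    zone is dead and wildcarded, or its name was taken over; trusting such an
    answer would reject every sender, so it is reported and ignored."""
    answer = resolve(name)
    if answer is None:
        return {"listed": False, "answer": None, "reason": None}
    if ipaddress.ip_address(answer) not in LOOPBACK:
        return {"listed": False, "answer": answer,
                "reason": "bogus non-127/8 answer; stop using zone"}
    return {"listed": True, "answer": answer,
            "reason": RETURN_CODES.get(answer, "listed, undocumented code")}


def check_ip(ip: str, zone: str = IP_ZONE,
             resolve: Resolver = system_resolver) -> Dict[str, object]:
    return lookup(ip_query_name(ip, zone), resolve)


def check_domain(domain: str, zone: str = DOMAIN_ZONE,
                 resolve: Resolver = system_resolver) -> Dict[str, object]:
    return lookup(domain_query_name(domain, zone), resolve)


def zone_is_sane(zone: str, kind: str, resolve: Resolver = system_resolver) -> bool:
    """RFC 5782 test points: 127.0.0.2 / TEST must be listed, 127.0.0.1 / INVALID must not.
    A zone failing either check should not be wired into smtpd restrictions."""
    if kind == "ip":
        pos = check_ip("127.0.0.2", zone, resolve)
        neg = check_ip("127.0.0.1", zone, resolve)
    else:
        pos = check_domain("TEST", zone, resolve)
        neg = check_domain("INVALID", zone, resolve)
    return bool(pos["listed"]) and not neg["listed"]


# Constructed answers standing in for a live zone so the demo runs offline.
FAKE_ZONE = {
    "2.0.0.127.ip.example-dnsbl.invalid": "127.0.0.2",        # RFC 5782 test point
    "4.3.2.1.ip.example-dnsbl.invalid": "127.0.0.3",          # constructed listing for 1.2.3.4
    "test.domain.example-dnsbl.invalid": "127.0.0.2",          # RFC 5782 test point
    "bad.example.domain.example-dnsbl.invalid": "127.0.0.4",   # constructed listing
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for zone, kind in ((IP_ZONE, "ip"), (DOMAIN_ZONE, "domain")):
        print(zone, "sane:", zone_is_sane(zone, kind, fake_resolver))
    for ip in ("1.2.3.4", "10.0.0.1", "2001:db8::1"):
        print(ip, check_ip(ip, resolve=fake_resolver))
    print("bad.example", check_domain("bad.example", resolve=fake_resolver))
    print("dead zone:", lookup("anything.dead.invalid", lambda n: "93.184.216.34"))
```

To query a real list, drop the fake resolver and pass the vendor’s documented zone names; run `zone_is_sane()` from a monitoring job as well, because a list that is retired and wildcarded, or whose query limits you exceed, can silently change from “never listed” to “everything listed”.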

 


7. Is there a way for senders to quickly find out why they are listed and delisted from the blocklist?

A helpful blocklist must make service and support a priority, including the ability for blocked senders to chat with support or engineering about why they were blocked so they can resolve their issue.

If the provider doesn’t, these support questions land on you.

It should provide instant delisting rights to the sender. But also present the option to relist, in less than a second, if the problem hasn’t been fixed.

In the end, it is our goal to provide each postmaster, abuse desk, and CISO with the tools that make it easier for them to do their jobs and keep their networks, the internet, and customers safer.

8. Is the pricing model clear, and does it scale appropriately? 

Another component to look at is: does the service offer logical tiers for pricing?

  • Free for the everyday user?
  • A pro-level for commercial users who use the query service?
  • A price tier for high-volume users who need rsync zone transfers to mirror the list locally?

Is the pricing model clear, and does it scale appropriately? 

9. Do they offer good customer support?

How easy is it to ramp up, and what assistance is offered?

  • Do they send you good support emails that help you get started? 
  • Do they have a portal to manage your configuration easily and update your contact and user information, like: https://app.abusix.com 
  • Do they have both easy and ubiquitous chat everywhere on their website, documentation and application, and blocklist lookup page? 

Simply put, are they supportive and make it easy to speak with someone?

10. Do they invite independent 3rd party evaluations ongoing?


With almost two decades of experience, VB (Virus Bulletin) is one of the world leaders in security software testing.

Using their team of expert testers and testing frameworks, they evaluate many suppliers and publish quarterly public reports comparing solutions. 

Do you know how much spam your lists block, or is it a mystery? It’s important to choose a Blocklist that is already evaluated by a third party.

Today, a better service, like Abusix, will stop 99.6% of spam.

11. Is the blocklist evaluated by an Independent 3rd party Benchmarking Service?

When comparing benefits, vendors should make it easy for you to run comparisons on your own and to consult independent 3rd party evaluation services.

Abusix provides a Mail Intelligence Comparison Tool, which does precisely that.

Does the supplier you are considering make it easy for you to compare the effectiveness of their service against others?

12. Does the blocklist offer you the ability to report and mitigate the impact of compromised hosts on your network?

If you are a network operator, an ISP, a hosting provider, or a telco, it’s essential to integrate postmaster work and the handling of compromised and abusive users into your abuse operations.

Does your blocklist provider offer tools that address remediation?

If you need to report abusive hosts to another network, does your blocklist give you the ability to report them and to mitigate the impact of compromised hosts on your own network?


The final analysis

The comprehensive commercial blocklists (blacklists, RBLs) include all the components of project-based open-source and specialized email RBLs, packaged in a simple-to-use service.

Don’t get me wrong: while some free or specialized lists are good, they aren’t comprehensive in their breadth of intelligence, and over time their techniques simply don’t produce much incremental benefit over comprehensive lists.

Separately, open-source or specialized lists sometimes look artificially broad because they grow through bloat rather than through fresh, accurate listings.

Such lists have little real impact, whereas the breadth of a comprehensive list is constantly maintained and, in Abusix’s case, blocks 99.66% of spam.

A commercially maintained comprehensive list produces better results at a reasonable marginal cost.
