Blog, 08 Mar 2021

Abusix’s approach of changing the blacklist market

Steve Freegard, Sr. Product Owner Abusix Intelligence

Hello, and welcome to the first in a series of blog posts where we’ll be detailing each of our Abusix Mail Intelligence lists.  

We’ll let you know how our blacklists work, where we might behave differently to other lists, describe the typical reasons that might cause a listing on them, and what you can do to avoid this. We’ll also share some useful tips along the way.

When we started developing Abusix Mail Intelligence, we wanted it to be different from what has been done before. We also felt that the whole blacklist market lacks transparency and we want to put an end to that.  So let’s start with this very first blog post by digging deeper into our approach to changing the blacklist market. 

IPs/Domains only get blacklisted if there is clear evidence

We will never blacklist an IP address unless we have solid evidence that it sends spam, phishing, malware, viruses, or other threats. All but a small part of one of our lists are completely automated.

We care about being transparent

We will always be transparent about our listing policies and how long we maintain listings. We aim for quality over quantity at all times. Everyone has occasional issues with compromised accounts, computers, or devices. Helping the responsible people identify these as quickly as possible and get them fixed is our goal.

As this is an ongoing task, we will be providing more and more data via our online lookup services and to our platform in the coming months to provide this information immediately without the need to contact support.

We obviously have to offset this against protecting our trap infrastructure, so we always redact any unique identifiers, minutes/seconds in dates, recipients, and anything else we feel might allow someone to identify our traps or listwash recipients. 

We want problems to get resolved as quickly as possible

Our goal is to get issues fixed as soon as possible, not to inflict deliberate pain. We will never use blacklisting to apply pressure on individuals or entities.

We will always advise you on what you should do to fix any problems you might have, but if you have poor practices and keep getting listed because of this, then there is nothing we can do for you and your IP will remain blacklisted.

We don’t tolerate abuse of our services

Following on from the last point, we allow anyone to delist themselves instantly, provided we have not seen recent activity from the item being delisted (e.g., it’s been at least an hour since the last event). However, if we see further activity then the item will be instantly relisted.

We also only allow a certain number of delists of a given entity per day and month, at which point the delisting of that item is disabled and can only be taken care of by our support team. Anyone trying to abuse the delisting system will be permanently banned, and any entities delisted will be relisted immediately.

We are always cooperative

Abusix Mail Intelligence is designed to be suitable for use in ISPs and Enterprises and is designed to operate accordingly. We are not zealots, so we always apply sensible compromises to keep false-positives low and effectiveness as high as possible. Several internet entities are simply “too big to block” by IP or domain without causing significant collateral damage, so we aim to block abuse from these entities in other ways. We will always work with email service providers to provide evidence to identify issues with their customers and mailings.

We are always aiming to improve our lists and services

Our policy is one of continuous development and improvement. If we see a way to improve effectiveness or provide additional context to our customers’ filtering solutions, we will always create new lists to deliver this. Likewise, if we see a way to improve the speed at which compromises can be taken down, we will do so.


We are the only commercial Domain Name System-based Blackhole List (DNSBL) provider to supply certain datasets, for example, Newly Observed IPs, Newly Observed Domains, Short URL hashes, etc., and we’re the first to provide Attachment hashes and Cryptocurrency Wallet hashes. Here’s an overview of our current lists, which we will cover separately in the next few upcoming blog posts.

We ensure minimum latency between detection and listing

Our infrastructure is modern, highly redundant, and designed for as close to real-time as we can possibly make it. Traffic is ingested into a state-of-the-art stream processor, which extracts and enriches data and delivers it onto our message bus. From there, our detectors are implemented as microservices running inside Kubernetes and retrieve their data from that message bus. This means that a new IP hitting a trap will be blacklisted within a second, and it is always our goal to keep this latency as low as possible. This architecture also allows us to quickly develop new detectors and make improvements to the existing ones.

On top of that, Abusix provides a modern user platform that provides information and statistics for your account with more tools and features to come. As you can see, we’ve spent a lot of time planning and have lofty expectations for our blacklist service Abusix Mail Intelligence, and we’d love to have you along for the ride.

In the next blog post in this series, we’ll tell you all about our IP blacklist.

Until next time – stay safe.

Steve
