Mail Filtering - Rethinking Our Reliance on RBLs

Razvan C. Oprea — 17 Oct 2019
Keeping the channels of communication between us and the wider Internet community open has always been one of our main priorities. Just lately we received some input that caused us to rethink the way we've been doing things on this front.

Receiving Mail

Like any organisation in charge of running an email service, we have tried a mix of methods over the years to fend off spam. These have included Bayesian filtering, greylisting, various ACL checks, and external, third-party RBLs (Real-time Blackhole Lists). Although each of these methods has helped us defend against spam to an extent, we have found that the RBL service available from zen.spamhaus.org has provided a particularly high level of protection. For this reason, we have now been using Spamhaus RBL for well over a decade.

Recently, one of our members contacted us with concerns about our use of the Spamhaus RBL. And we believe that this member made a number of good points. In particular, we agree that if someone is blacklisted in error, or is in conflict with a blacklist operator, this should in no way affect their ability to contact us. As a neutral organisation committed to contributing to a stable Internet, we have a responsibility to ensure that the channels of communication between us and the rest of the community stay open.

So, shortly, we will implement the following measures:

  1. Whitelist our members by making sure that any email address subscribed to the ncc-announce _at_ ripe _dot_ net mailing list will always reach RIPE NCC support (this being the most efficient way to gather email addresses for members right now)
  2. Any other sender whose email to us is rejected because of RBL filtering will receive a link to a web form that they can use to contact us

While not a complete solution, we believe these are good first steps.
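The two measures can be read as an ordered decision at SMTP time. The sketch below is an added example, not RIPE NCC's configuration: matching on the envelope sender, the function names and the sample addresses are assumptions, and DNS is replaced by a constructed lookup table so that it runs offline.

```python
import ipaddress

RBL_ZONE = "zen.spamhaus.org"                      # zone named in the article
CONTACT_FORM = "https://www.ripe.net/contact-form"  # URL quoted in the comments


def dnsbl_query_name(ip, zone=RBL_ZONE):
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def is_listed(ip, resolve):
    """resolve(name) returns the A records for name, or [] on NXDOMAIN."""
    # Only 127.0.0.x answers are listings. Spamhaus answers 127.255.255.x to
    # signal a query error, which must not be read as "listed".
    return any(a.startswith("127.0.0.") for a in resolve(dnsbl_query_name(ip)))


def rcpt_decision(sender, client_ip, allowlist, resolve):
    """Return (smtp_code, text) for one envelope sender and client IP."""
    # Measure 1: subscribed addresses skip the RBL lookup altogether.
    if sender.strip().lower() in allowlist:
        return 250, "OK"
    # Measure 2: a rejection tells the sender where the web form is.
    if is_listed(client_ip, resolve):
        return 550, "rejected: %s is in a black list; contact us via %s" % (
            client_ip, CONTACT_FORM)
    return 250, "OK"


# Constructed sample data: one subscriber and a fake resolver (no network).
SUBSCRIBERS = {"member@example.net"}
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],           # test listing
    "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],   # error code
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(rcpt_decision("other@example.org", "127.0.0.2", SUBSCRIBERS, fake_resolve))
```

An envelope sender is easy to forge, so an address-based allowlist of this kind accepts some spam exposure in exchange for reachability.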

In the long term, the solution to all this would involve reducing our reliance on external RBLs for spam filtering. What exact steps this would involve is still to be worked out and will take some work to implement. Simply switching off RBL filtering isn’t an option at this point, especially when you consider that it helped us block 60,000 mails in August this year alone. We welcome input regarding the experiences others in the community and our members have had in their attempts to reduce reliance on third-party sources for filtering incoming emails.

Sending Mail

We also have some news on how we are sending emails. We are generally quite conservative in adopting technologies that are not mature or widely adopted enough to minimise potentially negative effects for our recipients. Here we are mainly referring to email authentication methods.

About a year ago, for instance, we introduced a Sender Policy Framework (SPF) record that allowed remote mail servers to validate that the emails received from us were sent from servers authorised to send on our behalf. Around the same time we wrote about a change in our Mailman configuration, caused by more and more subscribers having email addresses in domains that have configured Domain-based Message Authentication, Reporting and Conformance (DMARC) policies.

To ensure deliverability of emails sent to our mailing lists subscribers, we set a DMARC option in Mailman (dmarc_moderation_action) that rewrites (munges) the From: header field to include the list address and the original sender’s name “via the list”, but only for those messages with the original domain having a DMARC policy p=reject or p=quarantine. In short, this enabled us to ensure that anyone subscribed to our mailing lists would receive emails from all other subscribers.
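The conditional rewrite described above can be sketched as follows. This is an added example, not Mailman's code or RIPE NCC's configuration: the function names, the list name and address, and the DMARC records are constructed, and only the exact From: domain is looked up.

```python
from email.utils import formataddr, parseaddr

# Constructed DMARC TXT records standing in for DNS (no network access).
SAMPLE_TXT = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "_dmarc.hold.example": "v=DMARC1;p=quarantine",
    "_dmarc.monitor.example": "v=DMARC1; p=none",
    "_dmarc.other.example": "v=spf1 -all",  # a TXT record, but not DMARC
}


def lookup_txt(name):
    return SAMPLE_TXT.get(name)


def dmarc_policy(txt_record):
    """Return the p= value of a DMARC record, or None if absent or not DMARC."""
    if not txt_record:
        return None
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def outgoing_from(from_header, list_name, list_addr, lookup=lookup_txt):
    """Return the From: value the list sends out, munged only when needed."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    policy = dmarc_policy(lookup("_dmarc." + domain))
    if policy not in ("reject", "quarantine"):
        return from_header  # p=none or no DMARC record: author left untouched
    # Strict policy: list address in From:, author's name kept visible.
    return formataddr(("%s via %s" % (name or addr, list_name), list_addr))


if __name__ == "__main__":
    for author in ("Alice Example <alice@strict.example>",
                   "Carol Example <carol@monitor.example>"):
        print(outgoing_from(author, "test-list", "test-list@lists.example"))
```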

These changes will stay in place, and now it is time to take an additional step. Shortly we will also start signing our outgoing mails with a DomainKeys Identified Mail (DKIM) signature and we will be publishing a DMARC record with the policy p=none. Thus emails we send out will contain an extra DKIM signature header and the DMARC aggregate reports will offer us visibility on the SPF and DKIM alignment and produce failure reports.

Feedback

Please leave a comment if you have any questions or believe any of the issues or proposed changes described above affect you in any way.

13 Comments

john jones says:
29 Oct, 2019 05:09 AM
just going to leave this report on mail here:

https://internet.nl/mail/ripe.net/274171/

consider also implementing DANE
Razvan C. Oprea says:
04 Nov, 2019 10:38 AM
Thank you for the link, we know about the internet.nl reports. DANE is indeed something we are looking into as well.
Alex says:
29 Oct, 2019 12:54 PM
RIPE NCC should follow only official SMTP standards and RFCs. Strange private and not transparent companies like spamhaus should not be used. People, ISPs, Datacenters lot of times got delivery problems because of non transparent, not objective blacklists. There are a lot of cases in the internet showing that such blacklists should not be used.

It's a good opportunity to use only new SMTP options like TLS, DMARC, SPF specially done for that.
Third-party RBLs should not be used.
Razvan C. Oprea says:
04 Nov, 2019 10:39 AM
We are already using TLS and SPF. I mentioned above we will implement DKIM, DMARC and dial down on relying on third party RBLs.
Pavel Polyakov says:
30 Oct, 2019 03:10 PM
I hope this is fixed asap..

host mahimahi.ripe.net[193.0.19.114] said: 550-rejected: XXX.XXX.XXX.XXX is in a black list....
Razvan C. Oprea says:
04 Nov, 2019 10:41 AM
Pavel, if you are subscribed to the ncc-announce mailing list and still get this message, please contact us at https://www.ripe.net/contact-form and we'll look into it.
Yevhen Bohomol says:
30 Oct, 2019 03:21 PM
Are you serious? RIPE using SPAMHAUS? I already see topic posts in the news like "RIPE IS GENERAL SPONSOR OF CYBER TERRORISM-SPAMHAUS". It's not a good idea to use cyber terrorist tools.
Nick says:
30 Oct, 2019 03:40 PM
Why do you think that blacklists are so effective? Look at Gmail, they never used 3rd party blacklists..
So why do you provide Spamhaus the opportunity to control you and your customers?
I'm afraid that you didn't investigate their work properly, as they hide real crimes and real spam.
And btw, Spamhaus is a nonexistent organization, it's not possible to find them, check this by yourself!

I'm sure RIPE is doing a BIG mistake by using spamhaus..
Pavel says:
30 Oct, 2019 03:59 PM
Ripe must not use private RBLs.
Spamhaus is bad.
Den says:
30 Oct, 2019 04:00 PM
Guys,
please don't use this 3rd party crime service like Spamhaus, they can block a whole country, it's a crime organization! please make your own blacklists, other services, but don't trust Spamhaus!
Michael says:
30 Oct, 2019 04:02 PM
Mark says:
31 Oct, 2019 09:34 PM
Maybe you can get in touch with Peter, who is actively running the BGP powered Spam list at https://bgp-spamd.net/, where you could also contribute with the amount of Mails you receive
Razvan C. Oprea says:
04 Nov, 2019 10:43 AM
Thanks for the pointer, Mark, I'll look into it.