In my last blog post Why Is It Really So Hard to Tackle Spam I mentioned that a lot of spam originates from compromised home computers, not email servers, and that many of these computers end up on blocklists such as Spamhaus as a result. In a comment on that post our reader Donovan Hill also mentions Spamhaus.
“I found the most effective thing to preventing spam was to start by using a list like Spamhaus…”
So what exactly is Spamhaus, and how do these blocklists work? To answer this question we must first understand the problem that blocklists were created to solve.
Why Do Blocklists Exist?
Blocklists came about due to the desire by email administrators to easily block spam emails from likely spam sources. If a particular sending host is known to be a spam source, or is very likely to be a spam source, it is more cost effective to make that determination based on the IP address of the sending host rather than on the content of the email message.
This is because terminating an SMTP (the TCP/IP protocol used for sending email) connection during the initial connection phase has a lower cost than accepting the entire email message and inspecting it for spam. The “cost” in this case is bandwidth and computational resources. Server resources and network bandwidth are consumed when an email message is accepted by the receiving server and then inspected with content filtering to determine whether or not it is spam.
The more server and network resources a business needs to provide for email the more costly it will be in dollars. I examined this in more detail in my blog post Can You Afford The Hardware You Need to NOT Block Spam.
Blocklist providers such as Spamhaus fill this need for email administrators by providing a database of known and likely spam sources that email servers can check before accepting email from a sending host.
What is on a Blocklist?
A blocklist is essentially a database of IP addresses on the internet. These IP addresses will typically fall into three categories:
Known Spammers – these IP addresses belong to known spammers, spam gangs, and spam support services. An IP address will end up on the list if it is verified as a source of spam emails.
Compromised Computers – these IP addresses belong to computers on the internet that are either misconfigured (e.g. as an open relay) or have been determined as compromised by some kind of exploit (such as a virus). Typically these addresses will include computers that have been compromised and become part of a botnet.
Unlikely Email Sources – these IP addresses are usually provided by ISPs to blocklist providers to identify parts of the ISP network (e.g. blocks of IP addresses reserved for their customers) that are unlikely to be a source for legitimate email. Most email sent from home computers is sent via the ISP’s email server or via other services such as web-based email providers. Email directly sent from an ISP customer’s computer is often spam sent by malicious software that has infected their computer; hence it is reasonably safe to block these IP addresses without impeding legitimate email communication.
How do Blocklists Work?
As mentioned earlier, a blocklist provides a database of IP addresses that an email server can check to determine whether or not to accept an email from a sending host. Blocklist provider Spamhaus describes this process in this simple diagram.

Credit: Spamhaus.org
Basically the email server asks Spamhaus if the sending IP is in one of their databases, and Spamhaus replies with codes that mean Yes or No. It is then up to the email server to decide what to do with the email based on the configuration that has been set. Most email administrators will simply terminate the SMTP connection, but some will still accept the email and tag the subject line with “Spam” so that end users can decide what to do with it.
There are blocklist providers other than Spamhaus, but they all operate in largely the same manner. Most of the differences will be in how the database itself is managed, e.g. what process a person would have to go through to get their IP address removed from the database.
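In practice the ask-and-reply exchange described above is a DNS lookup: the server reverses the sending IP, appends the blocklist's zone, and reads the A records that come back. The sketch below is an added example, not code from this post or from Spamhaus; the zone name and return codes are taken from Spamhaus's public documentation rather than this page, and the sample DNS answers are constructed so it runs offline.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # Spamhaus combined zone; not named in the post
# Last octet of a 127.0.0.x answer -> list, per Spamhaus's published return codes.
LISTS = {2: "SBL", 3: "SBL", 9: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
         10: "PBL", 11: "PBL"}

def query_name(ip, zone=ZONE):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    reversed_ip = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_ip}.{zone}"

def classify(answers):
    """Turn the A records returned for a query into (verdict, details)."""
    if not answers:  # NXDOMAIN: the "No" reply
        return ("not_listed", [])
    lists = set()
    for a in answers:
        octets = a.split(".")
        # Only 127.0.0.x is a listing. 127.255.255.x means the query itself was
        # refused (e.g. sent via a public resolver or over quota), and any other
        # address is not a blocklist answer at all. Neither may block mail.
        if octets[:3] != ["127", "0", "0"] or int(octets[3]) not in LISTS:
            return ("error", [a])
        lists.add(LISTS[int(octets[3])])
    return ("listed", sorted(lists))

def system_resolve(name):
    """A-record lookup via the OS resolver; a failed lookup counts as no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check(ip, resolve=system_resolve):
    """Verdict for one connecting IP; pass a resolver to run without the network."""
    return classify(resolve(query_name(ip)))

# Constructed answers standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])
```

Treating the "error" verdict as a listing would reject all inbound mail whenever the resolver path is wrong, so a server should log it and fall back to content filtering instead.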
Do Blocklists Stop Spam?
Email administrators such as Donovan quoted earlier in this blog post will tell you that blocklists are very effective at reducing the volume of spam that an organisation needs to deal with. Any business that is struggling with a spam problem should certainly look at implementing an anti-spam solution that can utilise blocklist providers to efficiently block spam emails before they reach the email server.



August 20th, 2009 at 8:05 pm
With the ever increasing amount of emails sent each year the volume of SPAM received by businesses is getting ridiculous. You certainly cannot afford to ignore this problem, otherwise you could spend your whole day going through unwanted emails.