Some theories on why DNSBLs may be dwindling away

April 27, 2013

In yesterday's entry I mentioned that I had some theories about why anti-spam DNS blocklists might be diminishing (beyond the obvious one that running a good DNSBL is a pain in the rear and people get tired of those after a while). I don't claim to have the answer and I'm not sure that any of these theories are right, just possibly interesting. First off, I think we can rule out the idea that DNSBLs are going away because email spam itself is diminishing. Put simply, email spam isn't diminishing (and probably never will until email itself dies). The anti-spam forces may win tactical victories from time to time, but long-lasting general ones seem elusive.

But the historical evolution of spam and anti-spam efforts does make a good lead-in to two related theories about this. My first theory is that the kind of obvious bad sources that used to provoke such arguments (and get listed or not listed depending on the aggression of the DNSBL operator) have basically gone away. In the beginning, many spammers basically painted target signs on themselves by using static IP ranges (beyond 'bulletproof hosting' and various other disguises), and there were a lot of places that would give them connectivity. These days, well, not so much in most places. The overall effect is to leave little room for a new DNSBL because there really isn't much to argue about any more in potential listings. Either they're one of a small clutch of bad actors (and almost certainly already in Spamhaus) or you're detecting them based on more or less automated technical criteria, and things like the CBL and the Spamhaus CSS have that area well covered by now.

My second theory is that DNSBLs were first-generation anti-spam technology that has now been significantly supplanted. In the early days of the anti-spam fight there were very few defenses, especially easily deployed ones. DNSBLs were easy to put together, worked fairly well on first-generation spam, and DNSBL lookups and connection rejection were really easy to add to mailers, so people reached for the available solution. But that's not the case any more. Spammers got more and more sophisticated while people developed more elaborate anti-spam systems (some free, some commercial). The result is that DNSBLs are nowhere near as important as they used to be, which makes starting a new one much less interesting. If you want to make your mark on the anti-spam world today, a DNSBL is probably not the place to do it.

(This is certainly the case here. Our main anti-spam precaution is a commercial anti-spam system that's more or less a black box as far as we're concerned; our DNSBL usage is functionally a fallback measure.)

Sidebar: One remaining area that maybe could use a DNSBL

In short, so-called 'snowshoe spam'. Our stats strongly suggest that there are active ranges used by snowshoe spammers, but the Spamhaus CSS only does automated single-IP listings that expire relatively rapidly. This seems ripe for someone to watch for patterns and then start preemptively blocking active snowshoe ranges.

(It's possible that this doesn't work and that, eg, the CSS is so good at picking up new snowshoe emitter IPs in bad ranges that they get blocked before they can really spam anyone anyways.)
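As an added illustration (not code from the original post), here is a small Python sketch of the pattern-watching the sidebar proposes: it takes constructed DNSBL-rejection log lines (the log format is assumed), groups the listed source IPs by /24, and flags ranges where several distinct hosts have been listed, which is the signal that an expiring single-IP listing misses.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample mail log lines; the format is an assumption, not a real mailer's.
SAMPLE_LOG = """\
2013-04-27T00:01:02 reject from=198.51.100.17 reason=dnsbl
2013-04-27T00:03:15 reject from=198.51.100.42 reason=dnsbl
2013-04-27T00:04:40 reject from=198.51.100.42 reason=dnsbl
2013-04-27T00:07:01 reject from=198.51.100.91 reason=dnsbl
2013-04-27T00:09:12 reject from=198.51.100.130 reason=dnsbl
2013-04-27T00:11:55 reject from=203.0.113.8 reason=dnsbl
2013-04-27T00:12:20 reject from=192.0.2.55 reason=content
"""

LINE_RE = re.compile(r"reject from=(?P<ip>\d+\.\d+\.\d+\.\d+) reason=(?P<reason>\S+)")


def spam_sources(log_text, reasons=("dnsbl",)):
    """Yield the source IP of every rejection whose reason is in `reasons`."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("reason") in reasons:
            yield ipaddress.ip_address(m.group("ip"))


def snowshoe_ranges(ips, prefixlen=24, min_hosts=3):
    """Group IPs by /prefixlen network and return (network, distinct_hosts)
    for networks with at least min_hosts distinct emitters, most active first.
    One listed IP is noise; several distinct hosts in one range is the
    snowshoe pattern that a per-IP listing cannot express."""
    hosts = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hosts[net].add(ip)
    flagged = {net: len(h) for net, h in hosts.items() if len(h) >= min_hosts}
    return sorted(flagged.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for net, n in snowshoe_ranges(spam_sources(SAMPLE_LOG)):
        print(f"{net}: {n} distinct listed hosts")
```

The /24 boundary and the threshold of three hosts are illustrative knobs; a real deployment would size the window and prefix from its own stats.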

Written on 27 April 2013.

Last modified: Sat Apr 27 01:52:38 2013