Creating Effective Blacklists

Blacklists can be used in Spasm to block certain spam messages that would normally be delivered to your mailbox. Blacklisting the IP address of the sending server helps against one machine; blacklisting the whole range of addresses owned by the company behind it is often more effective, because spammers move from host to host within the space they control. In almost every case, blacklisting a sender address is futile, as spammers rarely, if ever, use the same email address twice. These instructions explain how to find the range of IP addresses used by a company, based upon a single IP address in a message header, and block the entire company in the Blacklist.

These instructions require the use of the UNIX command line, but some of the steps can be replaced with web-based tools at www.dnsstuff.com. Although the actual commands are included in these instructions, in order to use them, you must either be logged in to our shell server, or have the relevant software (aggis, rblcheck) installed locally. Since the rblcheck package requires so much tedious configuration, we recommend you use the version installed on our shell server.

Commands meant to be typed directly into your shell window are shown on a line by themselves.

Read the headers

First, check the headers of the piece of spam. There's only one header you need to worry about: the topmost Received: header, the one our server added when the remote server handed the message to us. Any Received: headers below it were written by other machines, and a spammer can forge them freely, so do not base a blacklist entry on those. The header you want will look something like this:

Received: from st9hh14.lztoo.com (st9hh14.lztoo.com [85.129.6.185]) by 
	localhost (spasm) for <username@spiritone.com>

Ignore the hostname. The names in front of the brackets are what the remote host claimed or what its address looked up as, and either can be misleading; the address in square brackets is the one our server actually received the connection from, so it is the one to act on. We'll use the IP address 85.129.6.185 as an example for the rest of these instructions.

Check the filters

Find out if any of Spasm's filters would have caught it. In your shell window, type:

rbl 85.129.6.185

This gives you:

85.129.6.185 not RBL filtered by relays.ordb.org
85.129.6.185 not RBL filtered by list.dsbl.org
85.129.6.185 not RBL filtered by ipwhois.rfc-ignorant.org
85.129.6.185 not RBL filtered by whois.rfc-ignorant.org
85.129.6.185 not RBL filtered by sbl.spamhaus.org
85.129.6.185 not RBL filtered by dnsbl.sorbs.net
85.129.6.185 not RBL filtered by bl.spamcop.net
85.129.6.185 not RBL filtered by dsn.rfc-ignorant.org
85.129.6.185 not RBL filtered by abuse.rfc-ignorant.org
85.129.6.185 not RBL filtered by postmaster.rfc-ignorant.org
85.129.6.185 not RBL filtered by korea.blackholes.us
85.129.6.185 not RBL filtered by china.blackholes.us
85.129.6.185 not RBL filtered by brazil.blackholes.us
85.129.6.185 not RBL filtered by japan.blackholes.us
85.129.6.185 not RBL filtered by taiwan.blackholes.us
85.129.6.185 not RBL filtered by verio.blackholes.us
85.129.6.185 not RBL filtered by valueweb.blackholes.us
85.129.6.185 not RBL filtered by rackspace.blackholes.us
85.129.6.185 not RBL filtered by inflow.blackholes.us
85.129.6.185 not RBL filtered by broadwing.blackholes.us
85.129.6.185 not RBL filtered by xo.blackholes.us
85.129.6.185 not RBL filtered by eli.blackholes.us
85.129.6.185 not RBL filtered by argentina.blackholes.us
85.129.6.185 not RBL filtered by nigeria.blackholes.us
85.129.6.185 not RBL filtered by russia.blackholes.us
85.129.6.185 not RBL filtered by singapore.blackholes.us
85.129.6.185 not RBL filtered by thailand.blackholes.us
85.129.6.185 not RBL filtered by ciberlynx.blackholes.us
85.129.6.185 not RBL filtered by cw.blackholes.us
85.129.6.185 not RBL filtered by epoch.blackholes.us
85.129.6.185 not RBL filtered by he.blackholes.us
85.129.6.185 not RBL filtered by internap.blackholes.us
85.129.6.185 not RBL filtered by level3.blackholes.us
85.129.6.185 not RBL filtered by rr.blackholes.us
85.129.6.185 not RBL filtered by wanadoofr.blackholes.us
85.129.6.185 not RBL filtered by skynetweb.blackholes.us

None of the filters would have caught it. If you saw that it was listed by one of those, you could enable that filter. Some of those filters, especially the blackholes.us lists, are very aggressive (they block entire countries or providers) and may be overkill to block a single spam source. Let's err on the side of caution and blacklist the sender ourselves instead. You could just enter 85.129.6.185 into your blacklist and be done with it, but in this case we'll assume that the company owning that IP address is full of spammers, and that you don't want to receive *any* mail from that company.

Find out who owns the IP address

In your shell window, type:

whois 85.129.6.185

Here's the output of that command:

NetRange:   85.0.0.0 - 85.255.255.255
NetName:    85-RIPE
NetHandle:  NET-85-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2004-04-01
Updated:    2004-04-06

Note that sometimes, the WHOIS command will return a line like this:

CIDR:       85.0.0.0/8

If you see that, just enter 85.0.0.0/8 into the blacklist and skip the next step.

Find what to enter in the Blacklist

The easy answer is 85, which will block all servers with 85. as the first number of their IP address. For the sake of making these instructions useful, we'll take the long way around and use Aggis to produce proper CIDR notation. In your shell window, type:

aggis 85.0.0.0 - 85.255.255.255

This gives you:

The range of nets from 85.0.0.0 to 85.255.255.255/32 can be represented by:

85.0.0.0/8  (  1 net:   85.0.0.0 )

And there is the CIDR notation. Enter 85.0.0.0/8 into your Blacklist, hit Update to save the changes, and you've just blocked every IP address from 85.0.0.0 to 85.255.255.255.

One caution before you do that: read the WHOIS output carefully. In this example it says the block is "Allocated to RIPE NCC" and that the addresses "have been further assigned to users", which means 85.0.0.0/8 is a registry-level allocation covering a large part of Europe, not the range of a single company. When you see that, query the registry named in the output (for RIPE, whois -h whois.ripe.net 85.129.6.185) to get the much smaller range actually assigned to the sender's network, run that range through Aggis, and blacklist that instead. A range that big will also bounce legitimate mail from everyone else inside it, so the smaller the entry that still covers the spammer, the better.
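The whole procedure above, header to blacklist entry, as an added example in Python. This is illustration code written for this page, not part of Spasm, rbl or aggis; the sample header is constructed to match the one quoted earlier, the DNSBL zone names ending in .example.test and the in-memory answer table stand in for real DNS lookups, and the hypothetical helpers show how an rbl-style check builds its query names and how aggis-style range summarisation works.

```python
"""
Worked example of the blacklist procedure (added here; not part of
Spasm, rbl or aggis).  Everything runs offline:

  1. pull the connecting IP out of the topmost Received: header,
     ignoring the hostname in front of the bracketed address;
  2. build the DNSBL query names an rbl check would resolve and
     evaluate them against a constructed, in-memory answer table;
  3. turn a whois NetRange into minimal CIDR blocks, the way aggis
     does, and test whether a sender IP falls inside them.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample header, modelled on the one quoted in the article.
SAMPLE_HEADER = (
    "Received: from st9hh14.lztoo.com (st9hh14.lztoo.com [85.129.6.185]) by\n"
    "\tlocalhost (spasm) for <username@spiritone.com>\n"
)

# Our own server's Received: line carries the peer address it saw in
# square brackets; the names before it are whatever the peer claimed
# or resolved to, so only the bracketed address is trusted here.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_ip(received_header: str) -> Optional[str]:
    """Return the bracketed IPv4 address from a Received: header, or None."""
    m = _BRACKETED_IP.search(received_header)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Address a.b.c.d checked against zone Z is looked up as d.c.b.a.Z."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


# Constructed stand-in for DNS answers (hypothetical zones).  A real
# check resolves each name: a listing answers with an address in
# 127.0.0.0/8, an unlisted IP gets NXDOMAIN (simply absent here).
FAKE_DNS: Dict[str, str] = {
    "185.6.129.85.bl.example.test": "127.0.0.2",
}


def rbl_check(ip: str, zones: List[str],
              resolver: Optional[Dict[str, str]] = None) -> Dict[str, bool]:
    """Map each zone name to True if the IP is listed in that zone."""
    answers = FAKE_DNS if resolver is None else resolver
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    result = {}
    for zone in zones:
        answer = answers.get(dnsbl_query_name(ip, zone))
        result[zone] = (answer is not None
                        and ipaddress.IPv4Address(answer) in loopback)
    return result


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks covering first..last (what aggis prints)."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]


def is_blacklisted(ip: str, entries: List[str]) -> bool:
    """True if ip falls inside any CIDR entry of the blacklist."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(e, strict=False) for e in entries)


if __name__ == "__main__":
    ip = sender_ip(SAMPLE_HEADER)
    print("sender IP:", ip)
    print("rbl:", rbl_check(ip, ["sbl.example.test", "bl.example.test"]))
    # The /8 from the article, then a range that is not on a CIDR boundary
    # and therefore needs more than one block.
    print(range_to_cidrs("85.0.0.0", "85.255.255.255"))
    print(range_to_cidrs("85.129.6.0", "85.129.7.127"))
    print("blocked:", is_blacklisted(ip, ["85.0.0.0/8"]))
```

The second range_to_cidrs call is the case aggis exists for: a whois range that does not start and end on a power-of-two boundary cannot be written as one CIDR block, and you need every block it prints in the Blacklist, not just the first.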
