Blocklists, also known as Real-time Blackhole Lists (RBL) or Domain Name System-based Blackhole Lists (DNSBL), have historically been used to reject or flag email. This is typically done by checking whether the IP address of the sending mail server is listed on the blocklist. The fact that blocklists are still widely used today is a testament to their reliability and effectiveness against spam.
With the evolving threat landscape, however, we want to illustrate how blocklists can be used to mitigate a larger class of threats than spam alone.
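As an added example (not code from the original post or from SpamRATS), here is the lookup described above in working form: the IPv4 octets (or IPv6 nibbles, per RFC 5782) are reversed, the blocklist zone is appended, and a DNS A query is made; an answer inside 127.0.0.0/8 means the address is listed, and NXDOMAIN means it is not. The zone names are placeholders under the .invalid top-level domain, not zones named on the page, and the resolver is an injectable parameter so the logic can be exercised offline.

```python
import ipaddress
import socket

# Placeholder DNSBL zones (assumptions for this example, not zones named on the page).
# Names under .invalid never resolve, so the real resolver reports "not listed".
ZONES = ("spam.example-dnsbl.invalid", "auth.example-dnsbl.invalid")

# A genuine DNSBL listing is an A record in this range; anything else (for example a
# wildcard answer from an abandoned zone) must be treated as "not listed".
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an IP.

    203.0.113.7 checked against zone Z becomes 7.113.0.203.Z (octets reversed).
    IPv6 addresses use every nibble of the expanded address, reversed, as RFC 5782 specifies.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(ip.split(".")))
    else:
        nibbles = addr.exploded.replace(":", "")
        reversed_part = ".".join(reversed(nibbles))
    return f"{reversed_part}.{zone}"


def default_resolver(name: str):
    """Resolve a name to its A record, or return None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones=ZONES, resolver=default_resolver) -> dict:
    """Return {zone: answer} for every zone that lists the IP.

    `resolver` maps a query name to an A-record string or None, so a fake resolver
    can stand in for DNS during testing.
    """
    hits = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is None:
            continue  # NXDOMAIN: not listed in this zone
        try:
            if ipaddress.ip_address(answer) in LISTED_RANGE:
                hits[zone] = answer
        except ValueError:
            pass  # malformed answer: ignore rather than trust it
    return hits


if __name__ == "__main__":
    # Offline this prints {} because the placeholder zones do not resolve.
    print(check_ip("203.0.113.7"))
```

In a mail server integration the returned `hits` dictionary drives the policy: a hit in a spam zone rejects the SMTP session, while a hit in an authentication-abuse zone can refuse AUTH on the submission ports before a password is ever checked. The `LISTED_RANGE` check is the caveat practitioners run into most often: a retired DNSBL whose domain expires may start answering every query with an unrelated address, and without that check every client would suddenly be "listed".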
Beyond the Spam
Mail server operators face more problems than just unwanted email. While it may be true that many blocklists are made for the purpose of filtering email traffic, it would be more accurate to say that blocklists are used to flag or reject incoming traffic. Traffic, in this case, does not always mean email traffic.
The Threat of Authentication Attacks
Authentication attacks are unwanted connections that attempt to log into user accounts. Strangely enough, they are not mentioned, even though the consequences can be enormous. Imagine a sales@ account (a very common authentication attack target) being compromised and used to send spam, damaging your company's reputation and even destroying partnerships. Think about the importance of your own email account: your subscriptions, your Facebook and Twitter accounts, and your bank account could all be accessed without your knowledge.
Azure, Amazon AWS and Digital Ocean being abused by Threat Actors
Cloud networks are becoming a major source of unwanted traffic. When reviewing your logs, are you seeing an uptick in volume from certain cloud networks, whether connections to port 25 to send spam, or connections to ports 587/465 with repeated attempts to authenticate? Once an account is cracked, your network will be sending phishing and malware, or worse.
Blocklists at the Firewall Level
There may be cases where you want to restrict which machines can connect to your server. For example, you may not want connections from machines on dynamic networks, or from ones that don't fully identify themselves. Then there are servers and networks so bad that you would never want your server to interact with them, period. These bad networks are a source of malicious email, malware, authentication attacks, and data exfiltration.
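An added example, not from the original post or from SpamRATS, for the log review and firewall-level blocking described in this section and the previous one: it counts failed SMTP AUTH and IMAP logins per source IP from constructed Postfix/Dovecot-style log lines, aggregates them per /24 so a surge from a single network stands out, and renders iptables rules for addresses over a threshold. The log lines, the threshold of three failures and the port list 25/465/587 are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in Postfix/Dovecot style; not taken from a real server.
SAMPLE_LOG = """\
Mar 10 02:14:01 mx postfix/submission/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 02:14:03 mx postfix/submission/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 02:14:05 mx postfix/smtps/smtpd[2214]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 10 02:14:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Mar 10 02:15:10 mx postfix/submission/smtpd[2220]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 02:16:00 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5
Mar 10 02:16:30 mx postfix/smtpd[2230]: connect from unknown[198.51.100.200]
"""

# Postfix SASL failure on the submission/smtps services.
SASL_FAIL = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")
# Dovecot disconnect line that reports how many attempts failed from rip=.
DOVECOT_FAIL = re.compile(r"auth failed, (?P<n>\d+) attempts.*?rip=(?P<ip>[0-9a-fA-F.:]+)")


def failed_auth_by_ip(log_text: str) -> Counter:
    """Count failed authentication attempts per source IP across SMTP AUTH and IMAP logins."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
            continue
        m = DOVECOT_FAIL.search(line)
        if m:
            counts[m.group("ip")] += int(m.group("n"))
    return counts


def failed_auth_by_network(counts: Counter, prefix_len: int = 24) -> Counter:
    """Roll per-IP counts up into IPv4 networks so a noisy hosting range is visible as one entry."""
    nets = Counter()
    for ip, n in counts.items():
        if ipaddress.ip_address(ip).version == 4:
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            nets[str(net)] += n
    return nets


def offenders(counts: Counter, threshold: int = 3) -> list:
    """Source IPs with at least `threshold` failed logins (threshold is an assumption)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def firewall_rules(ips, ports=(25, 465, 587)) -> list:
    """Render (but do not execute) iptables DROP rules for the mail ports, one per IP."""
    dports = ",".join(str(p) for p in ports)
    return [f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {dports} -j DROP"
            for ip in ips]


if __name__ == "__main__":
    counts = failed_auth_by_ip(SAMPLE_LOG)
    print("per IP:", dict(counts))
    print("per /24:", dict(failed_auth_by_network(counts)))
    for rule in firewall_rules(offenders(counts)):
        print(rule)
```

The successful login from 192.0.2.44 and the plain connection from 198.51.100.200 are deliberately left out of the counts, since only failed authentications are evidence of an attack. In production the output of `offenders()` would normally be fed to a blocklist lookup or an address set (for example an ipset referenced by one rule) rather than one iptables rule per address, and the per-network view is what tells you whether a whole cloud range, rather than a single host, deserves the firewall treatment.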
Blocklists — An effective multi-purpose security tool
Blocklists are a tried and true tool that everybody should use to secure their systems. Besides spam, they can be used to identify suspicious authentications and abusive networks connecting to your server. Understanding the purpose of a blocklist and implementing the best action given the data will improve the security of your server.
The Threat Research team at SpamRATS has worked diligently for years developing and refining RBL tools and technology. Reputation lists built for authentication attacks and for identifying bad networks are just some of the tools offered by SpamRATS. If you have any questions about using blocklists to secure your servers, don't hesitate to reach out to the Threat Research team!