Sunday, April 10, 2016

blackholes.five-ten-sg.com Blacklist Details


blackholes.five-ten-sg.com

Summary

Background

Information on blackholes.five-ten-sg.com is slightly sparse. According to independent research, blackholes.five-ten-sg.com has been run by the 510 Software Group since February 2001. The DNS blacklist combines 13 sub-lists, all served from the same zone, with each sub-list signalled by a different IP address return code so that a querying mail server can tell which list a sender is on.

blackholes.five-ten-sg.com is generally thought to have a high false positive rate, which makes it a viable candidate for score-based systems but a poor match for direct, outright blocking. One reason for the high rate of false positives is the maintainers' position that "bulk mailers that don't require closed loop confirmation opt-in from all their customers" are listed by default. This means there is a high chance that many thousands of senders are listed even though they have never sent a single piece of spam; they are listed because they have chosen not to mandate a double opt-in process for their mailing lists and marketing mailers.

The policies of any DNS-based blacklist are entirely up to the maintainer of that blacklist. blackholes.five-ten-sg.com should be treated with caution if it is to be used on a commercial or public email server where delivery of legitimate email is of high importance. For a personal server, where you are at liberty to control only your own mail, blackholes.five-ten-sg.com may be a more appropriate match.

Listing criteria

Specific listing criteria are defined by the nature of each sub-list that blackholes.five-ten-sg.com operates. While some are obvious, others could be considered ambiguous. Regardless of whether you choose to act on one or many of the possible IP address return codes, it is advisable to run each in a logging-only or test mode before using blackholes.five-ten-sg.com in production.

Zones

blackholes.five-ten-sg.com

blackholes.five-ten-sg.com is a single zone that is queried in the standard reversed-octet lookup format (the octets of the sender's IPv4 address are reversed and the zone name is appended). The IP address returned is of the form 127.0.0.x, where x identifies which sub-list the sender is on. The possible return codes are as follows:

unused - This return code is currently not in use.

spam - Sources of spam that have sent email to blackholes.five-ten-sg.com. Also listed here are IPs that have been determined to be spammers from discussions on the news.admin.net-abuse.email Usenet group. Often, being listed in "spam" is simply the result of inheriting someone else's IP space that blackholes.five-ten-sg.com at one time deemed dirty.

dialup - Previously a list of dialup-based IP addresses. As with almost all other dialup lists, or DULs as they are sometimes called, this list has been discontinued, the stated reason being too much administrative work for too little actual spam prevention.

bulk - blackholes.five-ten-sg.com describes a bulk mailer as anyone who does not require closed-loop confirmed opt-in from all users. Closed-loop confirmed opt-in is also known throughout the bulk mail industry as double opt-in. In the past, a user would ask to receive emails and, with no further action, would be subscribed to the mailing list. To pass a closed-loop, or double opt-in, process you must not only ask for a subscription but must specifically confirm it a second time.

The closed loop system provides assurance that the person asking to be subscribed to a mailing list did so on their own behalf. It also affords the maintainer of the system the ability to keep detailed records such as the date, time, and IP of when the requester first attempted membership.

multistage - A multistage open relay or proxy is a system of multiple machines working together to send spam. Usually it involves one front-line SMTP server that is under the control of a spammer group. That SMTP server then passes all of its outbound mail through an open relay or open proxy that has been left unsecured. In this case it is the output hop, the exploited open relay or proxy, whose IP address is listed.

singlestage - A single-stage open relay or proxy is simply an unsecured host on a network. Any arbitrary spammer can connect directly to it and use it as a means to anonymously send large volumes of email through another network. "singlestage" lists the IP addresses of open relays and proxies that have been seen spamming.

spam-support - "spam-support" lists any network that supports a spammer in any form. blackholes.five-ten-sg.com appears to be extremely aggressive in this category: any IP that is known to be part of an operation that supports spam will be listed. Providers that cater to spammers, whether with basic connectivity, DNS, email, sales, or general service and support, will be listed here. IP addresses generally do not leave the "spam-support" category; aside from an organization-wide policy change, changing service providers is generally the only effective way to escape this listing.

webform - "webform" lists web servers running vulnerable versions of formmail.pl or other abusable web-to-mail gateways. This can also include smarthosts that play a role in delivering mail for the exploited web forms.

misc - The "misc" category lists IP ranges as /24 CIDR blocks, so a single listing affects every address in the block, not just the offending host. A listing is caused by one or more of the following:

  • Missing reverse DNS
  • Falsified reverse DNS
  • Domains with no attached web server
  • Domains with boilerplate content served from their web server
  • Suspect servers that are part of multistage open relays that could not be entirely confirmed for listing in "multistage"

klez - Most spammers forge the return address of the emails they send and set a custom "reply-to" address. If one of these forged messages hits a server with anti-virus software installed, there is a chance the anti-virus software delivers an alert to the forged address or, worse, to the reply-to address. This is not technically spam but rather a misconfiguration or a broken anti-virus tool; "klez" lists servers that exhibit this behavior.

tcpa - The TCPA, or Telephone Consumer Protection Act, was passed by the US Congress in 1991. It is the legal basis for the US Do Not Call rules and for many of the newer regulations that telephone marketers must follow. The "tcpa" list of blackholes.five-ten-sg.com contains the IP addresses of organizations that have violated any of the TCPA provisions.

free - The blackholes.five-ten-sg.com "free" list contains the IP addresses of all large and well-known free email providers. This includes common services such as Gmail, Hotmail, Yahoo, AOL, and many others.

cr - A challenge-response system is a method some end users choose to combat spam. When someone sends you an email for the first time, they are sent a challenge by email; if they choose to solve it, usually by clicking a link, the original email is then delivered. Most people have learned that senders are not willing to put up with a challenge-response system and no longer deploy them. Those who still use one will have their IP address listed in the "cr" category.
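The following is an added example, not code from the blacklist's operators or from this page, showing how a client builds the reversed-octet query name described above, decodes the 127.0.0.x answers into the category names listed here, and applies the score-based, log-only policy the page recommends instead of outright blocking. The page does not give the numeric value of each code, so the mapping from x to category name below simply follows the page's order starting at 127.0.0.1 and is an assumption to be checked against the zone's own documentation; the per-category weights and the 127.0.0.2 / 127.0.0.1 sanity check (the RFC 5782 convention for DNSBL test entries) are likewise assumptions of this example, and the sample lookup results are constructed, not real answers.

```python
"""DNSBL lookup, return-code decoding and score-based policy for
blackholes.five-ten-sg.com. Added example; not the blacklist's own code."""
import ipaddress
import socket
import sys

ZONE = "blackholes.five-ten-sg.com"

# The page names 13 sub-lists in this order but gives no numeric codes.
# ASSUMPTION: the codes run 127.0.0.1 .. 127.0.0.13 in that order. Verify
# against the zone's own documentation before relying on any specific value.
CATEGORIES = {
    1: "unused", 2: "spam", 3: "dialup", 4: "bulk", 5: "multistage",
    6: "singlestage", 7: "spam-support", 8: "webform", 9: "misc",
    10: "klez", 11: "tcpa", 12: "free", 13: "cr",
}

# Illustrative weights for a score-based policy (chosen for this example, not
# the blacklist's guidance). Open relays and proxies score high; policy-driven
# listings such as "bulk", "free" and "cr" score low because they are the
# main source of false positives.
WEIGHTS = {
    "singlestage": 4.0, "multistage": 4.0, "webform": 3.0, "spam": 3.0,
    "spam-support": 2.0, "misc": 1.0, "klez": 1.0, "tcpa": 1.0,
    "bulk": 0.5, "cr": 0.5, "free": 0.0, "dialup": 0.0, "unused": 0.0,
}


def dnsbl_name(ip, zone=ZONE):
    """Build the reversed-octet query name: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode(answers):
    """Map A-record answers of the form 127.0.0.x to category names.
    Answers outside 127.0.0.0/24 are ignored (a sign of a wildcarded or
    hijacked zone); unknown x values are reported rather than dropped."""
    categories = []
    for a in answers:
        packed = ipaddress.IPv4Address(a).packed
        if packed[:3] != b"\x7f\x00\x00":
            continue
        categories.append(CATEGORIES.get(packed[3], f"unknown-{packed[3]}"))
    return categories


def score(categories, weights=WEIGHTS):
    return sum(weights.get(c, 0.0) for c in categories)


def evaluate(ip, answers, threshold=4.0, enforce=False):
    """Turn a lookup result into a decision. With enforce=False (the default)
    the result is only logged, which is the test mode the page recommends."""
    categories = decode(answers)
    total = score(categories)
    action = "reject" if enforce and total >= threshold else "log"
    return {"ip": ip, "query": dnsbl_name(ip), "categories": categories,
            "score": total, "action": action}


def resolve_name(name):
    """Live A-record query via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(ip, zone=ZONE):
    return resolve_name(dnsbl_name(ip, zone))


def zone_is_sane(resolve, zone=ZONE):
    """RFC 5782 convention (assumed, not documented by this zone): 127.0.0.2
    should be listed and 127.0.0.1 should not. A zone answering for both is
    wildcarding and would list every sender."""
    listed = resolve(dnsbl_name("127.0.0.2", zone))
    unlisted = resolve(dnsbl_name("127.0.0.1", zone))
    return bool(listed) and not unlisted


if __name__ == "__main__":
    # Constructed sample answers (no network): an open relay, and a bulk
    # mailer sending from a free provider's address space.
    samples = {"192.0.2.10": ["127.0.0.6"], "192.0.2.11": ["127.0.0.4", "127.0.0.12"]}
    for sample_ip, sample_answers in samples.items():
        print(evaluate(sample_ip, sample_answers))
    if len(sys.argv) > 1:  # optional live check: python dnsbl_check.py 192.0.2.10
        print("zone sane:", zone_is_sane(resolve_name))
        print(evaluate(sys.argv[1], lookup(sys.argv[1])))
```

Run it with no arguments to see the constructed samples scored; pass an IP address to query the live zone. Keep enforce=False and review the logged categories and scores for a while before raising any category's weight to the reject threshold, and check zone_is_sane periodically, since a DNSBL that goes dark and starts wildcarding will otherwise list every sender.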

Removal Process

The blackholes.five-ten-sg.com website does not publish any information on the removal process for a listed IP address.
