The Learning Center

Not Just Another Bogus List

Summary

Status: Offline as of 3/1/2013
Terms: Free with no charge mailing list membership.
Zones: 4
Website: www.njabl.org [Offline]
Lookup: www.njabl.org/lookup.html [Offline]
Removal: www.njabl.org/remove.html [Offline]
Contact: www.njabl.org/faq.html [Offline]

Background

NJABL, or Not Just Another Bogus List, is a DNS-based blacklist. NJABL.org started out of frustration with the amount of spam coming into the networks now maintained by NJABL, and out of general dissatisfaction with the quality and ethics of other DNS blacklist providers. NJABL.org maintains DNS zones of known and potential spam sources such as open relays, open proxies, insecure form-to-mail gateways, dynamic IP pools, and direct spammers. The goal of NJABL.org is to provide a stable and effective DNS blacklist with clearly stated and strictly adhered to listing criteria.

NJABL.org also gathers listing information from third-party sources, and has instructions and tools for using DNS and mail server logs to allow end users to contribute. If you would like to contribute to the NJABL.org project, their FAQ has information on how to configure your system to act as a spam data node, so that it can collect IP addresses for inclusion in one of the NJABL.org DNS blacklists.

Listing criteria

There are three ways that your host could be listed in one of the NJABL.org DNS blacklist zones. The first is by being an open relay or proxy. This means the listed server allows the sending of email without authentication of any form. Essentially, anyone can use this server for sending any amount or type of email without ever communicating with the owner of the sending server.

The second way in which a host can be listed in one of the NJABL.org DNS blacklists does not require any email to have been sent at all. NJABL.org maintains large lists of IP address ranges that are either dialup modem pools or dynamic IP address space. Dialup and dynamic IP space, in general, does not have a legitimate reason to be used for sending email. Legitimate users will make contact with a remote SMTP server and send their email from that remote server. Most ISPs expressly forbid the direct sending of email data over port 25 if you are on dynamic or dialup IP address space.

The methods that NJABL.org uses to determine if an address range is dynamic or dialup are extensive. First, it should be noted that a large ISP will often establish communication with NJABL.org and intentionally request a listing. These cases help to immediately block off some of the largest ranges of IP address space that could potentially be used for spamming. If a listing did not come from an ISP's listing request, then the host has been determined to be a dynamic or dialup address by investigation. This usually means that the reverse DNS was inspected, and a decision was made based on the name of the host. While this is not 100% accurate, it is accurate enough for the majority of cases. Because NJABL.org has a simple removal process, and incorrect listings are rare, there is little reason to be concerned about false positives. ISPs have learned over time that DNS blacklists all use similar techniques and, as a result, have named their reverse DNS records appropriately. In many cases, this simply means using the word "static" in the reverse records, or that the reverse hostname is a purely custom name, perhaps matching the MX record itself. Matching the reverse DNS record to an MX record is in no way required, though it may aid in preventing a false positive listing as it makes your intentions more obvious.

The third and final way in which you can be listed in the NJABL.org DNS blacklist is by simply being a host that allows or supports spamming in some way. This means that despite DNS blocking, SpamCop reports, and complaints and warnings sent to your abuse@ and postmaster@ email addresses, you still choose to ignore those reports and allow unsolicited commercial or bulk email to be sent through your system(s). This class of spam sender has little hope of ever being delisted from NJABL.org. However, if they did clean up their act, they would be delisted. NJABL.org does not hold long-term records for grudge keeping; the goal is to stop spam, but also to educate and help those that do not understand the huge problems they are contributing to.

It is also worth noting that the third listing method carries a chance of a false positive listing. When spam is seen coming from a source address, WHOIS lookups, DNS lookups, and other general research are done. If the owner of the IP address that is causing spam cannot be determined, then a range surrounding the source IP address will be listed. The smallest range that will be listed is a /24, or 255 total IP addresses. This means those that are on shared hosting plans could potentially be listed only because they happen to buy service from a provider that does not correctly list their IP address assignments. As a user of these services, you can ask your ISP to keep clean SWIP records, and to terminate those accounts that are sending spam on the same network block where your services reside.

Zones

dnsbl.njabl.org

The original NJABL zone (combination of the below 127.0.0.x types except for 127.0.0.6)

dynablock.njabl.org

This sub-zone has been shut down. All dynablock.njabl.org zone data continues to be contributed to The Spamhaus Project. You can use their zones, which are much larger and more accurate than the previous dynablock.njabl.org zone.

combined.njabl.org

This zone used to be a combination of dnsbl.njabl.org and dynablock.njabl.org in a single zone. As dynablock.njabl.org has been shut down, combined.njabl.org currently acts as a copy of dnsbl.njabl.org.

bhnc.njabl.org (Bad Host, No Cookie)

These hosts have done things that properly configured SMTP servers are not intended to do. bhnc.njabl.org contains misconfigured servers, spam proxies, and other hosts deemed to have no interest in stopping the pollution of the internet with spam, malware, viruses, or other nefarious activity.

Return Codes

A few DNS blacklists offer granular return codes to allow you, as an administrator, to fine-tune exactly how much, or how little, impact you want the NJABL.org system to have on your flow of email. While most DNS blacklist and whitelist systems return only one commonly used IP address, NJABL.org returns IP addresses that each have a specific meaning, as listed below. The DNS return records below are for queries against combined.njabl.org.

  • 127.0.0.2 - Open relays
  • 127.0.0.3 - Previous dial-up/dynamic IP ranges. This return type is no longer supported. For high quality dynamic and dialup IP address ranges, NJABL.org recommends that you use The Spamhaus PBL.
  • 127.0.0.4 - Spam Sources - Both commercial spammers as well as dial-up spammers and open proxies. Because it is not always possible to differentiate between these sources, all three are combined under this return code. This can also contain an entire /24 if accurate listing data could not be determined.
  • 127.0.0.5 - Multi-stage open relays - No longer supported, this return code should not be used.
  • 127.0.0.6 - Passively detected "bad hosts" - Any host that is listed in bhnc.njabl.org.
  • 127.0.0.8 - HTTP gateways - Insecure http servers deploying form to email gateways and cgi scripts.
  • 127.0.0.9 - Open proxy servers - Any server that acts as a proxy for spam, including innocent 3rd party servers that have been hijacked unbeknownst to the owner.

The returned IP address gives you finer control over which sources you block. In addition, each listing has a companion DNS TXT record with short descriptive text that indicates the reason for the listing. Some administrators configure their SMTP server to include this message in the Non Delivery Report (NDR). Before deploying any DNS blacklist, it is advisable to consult its website for any changes in policy, hostnames, and zone return codes. It is also a good idea to subscribe to the DNS blacklist provider's mailing list to keep abreast of changes that may require immediate action on your end.
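
The return-code handling described above can be sketched as follows. This is an added example, not NJABL.org code: the REJECT_ON policy, the injected resolver function, and the sample answers (documentation-range addresses) are assumptions constructed for illustration, and the query name uses the usual DNSBL convention of reversed IPv4 octets followed by the zone. Answers that are not one of the documented codes are ignored, which matters for a zone that has gone offline.

```python
import ipaddress

ZONE = "combined.njabl.org"  # zone named on the page; offline since 3/1/2013

# Return codes as documented on the page for combined.njabl.org.
RETURN_CODES = {
    "127.0.0.2": "open relay",
    "127.0.0.3": "dial-up/dynamic range (no longer supported)",
    "127.0.0.4": "spam source",
    "127.0.0.5": "multi-stage open relay (no longer supported)",
    "127.0.0.6": "passively detected bad host (bhnc)",
    "127.0.0.8": "HTTP form-to-mail gateway",
    "127.0.0.9": "open proxy",
}
# Hypothetical local policy: which codes justify rejecting at SMTP time.
REJECT_ON = {"127.0.0.2", "127.0.0.4", "127.0.0.9"}


def query_name(client_ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(client_ip, resolve_a):
    """resolve_a(name) -> list of A-record strings, [] on NXDOMAIN.

    Returns (action, reasons). Answers outside the documented codes are
    ignored, so a parked or wildcarded zone cannot cause mail to be rejected.
    """
    answers = resolve_a(query_name(client_ip))
    known = [a for a in answers if a in RETURN_CODES]
    reasons = [RETURN_CODES[a] for a in known]
    if any(a in REJECT_ON for a in known):
        return "reject", reasons
    return ("tag", reasons) if known else ("accept", reasons)


# Constructed sample answers (documentation-range IPs), standing in for DNS.
SAMPLE_ZONE = {
    "10.2.0.192.combined.njabl.org": ["127.0.0.9"],
    "20.2.0.192.combined.njabl.org": ["127.0.0.6"],
    "30.2.0.192.combined.njabl.org": ["203.0.113.80"],  # wildcard-style answer
}


def fake_resolver(name):
    return SAMPLE_ZONE.get(name, [])
```

In a mail server, resolve_a would be backed by a real resolver with a short timeout, and the reasons list could be replaced by the listing's TXT record text when building the rejection message.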

Removal Process

An IP address that has been listed with NJABL.org for violation of any of the three above criteria can be delisted by fixing the problem. If you were inadvertently running an open SMTP relay, then by closing your security issues and requesting a retest, you should be delisted within a few hours at most. In the same regard, if you are somehow part of a multi-stage HTTP-to-SMTP relay, clean the source of the spam and request a delisting. Whatever the reason you are listed, as long as you follow the instructions for contacting NJABL.org, or use their delisting tools, no payment is needed, and expedient delisting will happen. Even a mixup in which your IP address falls within a spammer's IP address range can be resolved as easily as providing proof to NJABL.org that it is not a source of pollution. NJABL.org also maintains a "current queue" so you can see the progress of de-listings.

Effective 3/1/2013 NJABL is offline.
