Distributed Sender Blackhole List - Methodology

Methodology

DSBL lists IP addresses of hosts that are demonstrated to be insecure. DSBL defines an insecure host as one that allows e-mail to be sent from anyone to anyone else. Normal servers only send mail from their own users to anyone else. Insecure servers are commonly abused by spammers, although DSBL does not claim that the hosts have sent spam or have been abused by spammers; only that they could be.

DSBL builds its lists by receiving specially-formatted "listme" e-mails triggered by testers. DSBL itself does not test hosts for security vulnerabilities. The testers use software that causes insecure servers to send a message to an e-mail address monitored by DSBL. The message includes a time-sensitive cryptographically secure cookie to prevent servers from being listed by mistake. When a valid listme message is received DSBL adds the IP address of the server that delivered the message to one of its lists.

For these messages to reach DSBL the insecure server must have allowed anyone (a DSBL tester) to send mail to anyone (DSBL's monitored address). This proof-of-vulnerability is kept on file at DSBL's web site.

In addition to open mail relays, DSBL lists hosts that were vulnerable to abuse due to formmail bugs, open proxies, and other problems. Because the testers can use any available method to trigger the listme messages, they can adapt to newly-discovered vulnerabilities as spammers do.

The testers normally perform tests on hosts that have sent spam to them. Thus many of the IP addresses listed by DSBL are the addresses of servers that have been abused by spammers.