A typical server receives a great deal of traffic every day. Even small- to medium-sized ones are bombarded with e-mails, login attempts, regular visitors, and more. One of the main jobs of a server administrator is to ensure that only “clean” traffic is processed; that is, we want to avoid undesirable activity such as spam and intrusion attempts. One way, of course, is to harden your server so that such activity is thwarted. Better still is to deny that traffic in advance.
But how do we know beforehand whether a particular request is likely to be malicious? The answer is community. Organizations large and small all over the world track bad behavior by particular IP addresses and publish that information on their own servers for anyone to look up. These lists are called RBLs (Realtime Blackhole Lists); they are also called DNSBLs (DNS-based Blackhole Lists).
The idea is simple. Whenever an incoming mail request arrives or a comment is posted on your site, you send a quick and cheap query to one of the many RBL servers around the world. If the server responds positively, it recognizes that IP address from past bad behavior. You can then decide to reject the (likely malicious) request or process it anyway.
This way, the community shares knowledge about bad IP addresses and protects itself.
Having your own IP address on a DNS blacklist can be a huge problem. Your server might have its e-mail deliveries rejected, and you might not be able to make browser requests or post comments. If your business depends on targeted marketing, bounced e-mails can be a serious blow to your organization. No business can afford to have its IP address blacklisted.
Your IP address might be shared with others on the same server, and if they get blacklisted, you’re affected as well. Dynamic IP addresses change all the time and you might be stuck with one that has a bad reputation. In such cases, removing the IP from the list involves the following:
The easiest way to check if an IP address is blacklisted is to use the form at the top of this page. However, you might want to test an IP address against a remote blacklist not listed here. Here’s a quick way to do this manually:
Step 1: Select an RBL Service
There are many DNSBLs; Wikipedia maintains a partial list. Some are very well known, such as Spamhaus, whose servers provide information on e-mail spam sources, hacked and exploited hosts, and suspicious IP addresses that are not supposed to be sending mail in the first place.
For this example, I’ll use Spamhaus.
Step 2: Identify your IP Address and REVERSE it
If you don’t know the IP address of your local PC, you can find it via this Google query; otherwise, your hosting control panel will tell you what it is. Once you have it, reverse the order of the blocks (octets) while keeping the digits within each block intact.
For example, if your IP address is 123.456.789.101, reversing it gives: 101.789.456.123
Step 3: Identify the RBL Service Zone
In the Wikipedia RBL list linked above, there is a column for “zone”. Each RBL purpose has a separate zone. For example, to check for e-mail spammers, the zone is sbl.spamhaus.org. To check for exploited hosts, the zone is xbl.spamhaus.org. To check both at once, the zone is sbl-xbl.spamhaus.org.
Step 4: Add the Zone to the Reverse IP Address Separated by a “.”
Merging steps 2 and 3, put your reversed IP address in front of the zone. For example, if my reversed IP is 101.789.456.123 and the zone I want to check is sbl-xbl.spamhaus.org, joining the two gives me: 101.789.456.123.sbl-xbl.spamhaus.org
Step 5: Query via the Command Line
If you’re on Windows, open a command prompt and use the NSLOOKUP command with the name you built in step 4. The command looks like this:
On Linux, you can use the “host” command instead, like this:
Step 6: Analyze the Output
Here’s an example of the above command run with an IP address:
If, as in the screenshot above, you get the message “Non-existent domain”, it means you’re clean, at least for that particular zone. Repeat the check with multiple zones and see whether you get the same response. If the name isn’t found in any of them, you’re clean for that particular RBL or DNSBL!
If, however, the server returns a response, your IP address is blacklisted, and you need to work on removing it as soon as possible!
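The whole procedure (steps 2 through 6) as an added Python example, not code from the original post: it builds the query name, performs the lookup through the system resolver, and interprets the answer. The meanings of the 127.0.0.x answer codes and the 127.255.255.0/24 error range are the ones Spamhaus documents for its zones; the address 192.0.2.10 in the test and the error handling around a failed resolver are this example's own assumptions.

```python
import ipaddress
import socket

# Meanings of the answer codes Spamhaus documents for its zones.
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: low-reputation spam source",
    "127.0.0.10": "PBL: ISP policy says this range should not send mail",
    "127.0.0.11": "PBL: Spamhaus policy says this range should not send mail",
}
SPAMHAUS_CODES.update({f"127.0.0.{n}": "XBL: exploited or compromised host" for n in range(4, 8)})
# Answers in 127.255.255.0/24 are error codes (e.g. the query came through an
# open public resolver or exceeded the volume limit), not listings.
ERROR_PREFIX = "127.255.255."

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Steps 2-4: reverse the octets and put them in front of the zone.
    IPv4Address() rejects malformed input (an octet above 255, wrong length),
    so a typo cannot silently become a lookup for some other address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def interpret(answers: list) -> dict:
    """Step 6: classify the A records returned for the query name."""
    errors = [a for a in answers if a.startswith(ERROR_PREFIX)]
    hits = [f"{a}: {SPAMHAUS_CODES.get(a, 'unknown listing code')}"
            for a in answers if a not in errors]
    return {"listed": bool(hits), "hits": hits, "errors": errors}

def lookup(ip: str, zone: str) -> dict:
    """Step 5 through the system resolver. NXDOMAIN means 'not listed';
    a timeout or SERVFAIL is a failed lookup and must not be read as clean."""
    name = dnsbl_query_name(ip, zone)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:  # "Non-existent domain"
            return {"query": name, **interpret([])}
        raise  # resolver problem, not an answer about the address
    return {"query": name, **interpret(sorted({i[4][0] for i in infos}))}

if __name__ == "__main__":
    # 127.0.0.2 is the conventional test address that DNSBLs deliberately list.
    print(lookup("127.0.0.2", "sbl-xbl.spamhaus.org"))
```

Running the script performs one live query for the test address 127.0.0.2; note that a placeholder such as 123.456.789.101 is rejected by dnsbl_query_name, since an octet cannot exceed 255.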