Reputation Block Lists

Revision as of 17:03, 4 February 2022 by Jessica

Reputation Block Lists, or RBLs, are lists of domain names, Uniform Resource Locators (URLs), and/or Internet Protocol (IP) addresses that have been identified as posing security threats.[1] DNS reputation systems can detect malicious domains either at registration time (as PREDATOR does) or during the domain's activity phase (as EXPOSURE does). They classify domains as either malicious or benign; they do not account for compromised domains. The blocklists represent activity such as spam, malware distribution, command-and-control, phishing, and/or intellectual property rights infringement. Intermediaries, such as internet service providers, use them to block malicious communications.

Overview

Commercial service providers, researchers, and non-profit organizations operate the most prominent RBLs that detect or receive notifications of security threats.

  • Cisco's Talos has an email reputation system.
  • The Anti-Phishing Working Group's RBL contains phishing URLs submitted by accredited users through the eCrime Exchange platform. The URLs are accompanied by metadata, including the confidence level and the target brand name; this RBL makes no distinction between malicious domains and compromised websites.
  • Google Safe Browsing.
  • SURBL's feed is composed of domain names found in unsolicited email messages and in external blacklists, categorized into lists of phishing, malware, or spam activity.[2]
  • ThreatStop.
  • OpenPhish's feed contains phishing URLs and the targeted brands.
  • PhishTank is a community-based phishing verification system. Phishing URLs are submitted and verified manually by its contributors and carry metadata such as the target brand name, but the list does not distinguish between malicious and compromised domains.
  • Abuse.ch is an anti-malware non-profit organization working with ISPs and network operators. It runs URLhaus, which focuses on maliciously registered domains, and ThreatFox, which focuses on compromised websites.
  • Spamhaus's blocklist provides malicious domains obtained from URLs enumerated in spam email payloads, spammers, phishing, malware-related websites, and suspicious domain names that share patterns with domains involved in technical or content abuse.[3]

History

With the advent of email, email administrators began creating and sharing blocklists. These produced some false positives, which led administrators to maintain a list of exceptions, known as allowlists.[4] In the early days, and in some circles still today, these lists were called blacklists and whitelists, but the racial implications of those terms, among other objections, have led people to switch to block/allow.[5]

Then, in 1997, Paul Rand and Paul Vixie used the DNS protocol to access a blocklist and check whether a sending IP address had recently sent spam, and trademarked "Real-time Blackhole List" to refer to the blocklist. ISPs followed suit, which led to finer-grained descriptions of the legitimacy of an IP address.[6]

In 2010, the Internet Research Task Force released Request for Comments 5782 in acknowledgment that network managers worldwide were using DNSxLs (DNS block or allow lists) to filter traffic. The document gives those managers a common understanding of the structure and usage of DNSxLs and of the protocol used to query them.[7]
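The DNSxL query protocol that RFC 5782 standardizes, as an added example in Python that is not part of the original page or of any listed provider's code: it builds the reversed-address query name, keeps only the conventional 127.0.0.0/8 return codes, and runs the RFC's section 5 self-test against a constructed in-memory zone that stands in for DNS. The zone names (dnsbl.example, dbl.example, lapsed.example), the listed entries, and the return codes are all invented for the example.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(entry: str, zone: str) -> str:
    """Build the RFC 5782 query name: reversed IPv4 octets, reversed IPv6
    nibbles (32 labels), or a bare domain name, each followed by the zone."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:                       # not an IP: domain-name DNSBL
        return f"{entry.rstrip('.').lower()}.{zone}"
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def lookup(entry, zone, resolve):
    """Return the 127/8 return codes for entry, or [] if it is not listed.
    Answers outside 127/8 are ignored: a lapsed DNSBL domain that has become
    a wildcard would otherwise 'list' every address queried."""
    answers = resolve(dnsbl_name(entry, zone))
    codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
    return sorted(codes, key=ipaddress.ip_address)

def zone_is_sane(zone, resolve, name_based=False):
    """RFC 5782 section 5 self-test: 127.0.0.2 (or TEST) must be listed and
    127.0.0.1 (or INVALID) must not; otherwise the zone should not be used."""
    listed, unlisted = ("test", "invalid") if name_based else ("127.0.0.2", "127.0.0.1")
    return bool(lookup(listed, zone, resolve)) and not lookup(unlisted, zone, resolve)

# Constructed stand-in for DNS so the example runs offline; zone names,
# listed entries and return codes are all invented for this example.
FAKE_ZONE = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],              # mandatory test entry
    "10.2.0.192.dnsbl.example": ["127.0.0.2", "127.0.0.4"], # listed on two sublists
    "test.dbl.example": ["127.0.1.2"],                     # name-based test entry
    "phish.example.dbl.example": ["127.0.1.4"],
}

def fake_resolve(qname):
    if qname.endswith(".lapsed.example"):   # expired zone turned wildcard
        return ["203.0.113.9"]
    return FAKE_ZONE.get(qname, [])

if __name__ == "__main__":
    print(lookup("192.0.2.10", "dnsbl.example", fake_resolve))
    print(lookup("phish.example", "dbl.example", fake_resolve))
    print(zone_is_sane("lapsed.example", fake_resolve))
```

To query a real list, replace fake_resolve with a function that returns the A records for the name; the self-test should run before the zone is trusted in a mail filter.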

As of April 2021, Intra2net's Blacklist Monitor ranked the Distributed Checksum Clearinghouse (DCC) as having the highest accuracy in filtering spam.[8]

References