Previous month:
June 2017
Next month:
February 2018

November 2017

How Far Will Email Operators Take Blocklisting to Prevent Spam?

Security administrators use firewalls, web proxies, or antispam gateways to block traffic sources that exhibit suspicious or known attack pattern behaviors. Blocking individual IP addresses has been a staple defensive measure for years. Security system administrators have also blocked entire IP network allocations to mitigate attacks and on rare occasions, they have blocked all of the addresses that have been allocated to an ISP. Are enterprise and ISP email operators poised to apply similarly sweeping security measures to protect their organizations against perceived or reported domain name abuse by blocking TLDs to manage spam?

Image by Waxy Dan

The Roles of Blocklists

Administrators of private networks, public networks, or mail exchange services use reputation block lists and community (threat) intelligence to mitigate security threats; for example, email operators often create filters to prevent delivery of spam or phishing email originating from blocklisted IP addresses or domain names; similarly, security administrators will use blocklists in web application proxies to prevent users from visiting web sites known to host malware.  

The SURBL Most Abused TLDs list is one of several reports from reputation service providers that call attention to Internet address space, hyperlink, or domain name abuse. SURBL reports hourly on the number of domain names it has block listed, by top-level domain. Others that report on the most abused TLDs include Domain Tools and the Spamhaus Project. These and other blocklists serve as trust or confidence indicators for individual domain names or IP addresses, Internet Service Providers, hosting providers, and increasingly, for Top-level Domains.

Spam Is A Singularly Worrisome Security Threat

Spam is a widely employed delivery mechanism for phishing or malware site hyperlinks or malicious attachments, and for delivering advanced email threats such as business email compromise or ransomware as well. Because spam is so diversely used, preventing delivery of spam is a priority concern for email administrators.  

Domain names, hyperlinks and IP addresses are commonly encountered in email message headers or bodies. Spam mitigation measures accept or deny email based on rules that may include any or all of these identifiers. Do organizations that employ these mitigation measures have Top-level Domains in their crosshairs?

Community Forums: Discussion Sites for Spam Mitigation Policy Enforcement

Community forums offer a source for understanding evolving sentiments among participating email administrators towards Internet Identifier abuse. Email administrators discuss measures they take to detect or block potential spam as openly as developers share programs or scripts in community forums such as Stack Overflow or github. Email services or email security product vendors moderate certain of these sites: others are open communities for acquiring knowledge, sharing abuse intelligence, or discussing practices.

Discussion threads in Barracuda Forums, Vamsoft Community, SpamTitan Spiceworks Community, HowtoForge, Slipstick Exchange Server Community, SpamAssassin and forums reveal a common and important operating principle:

Email administrators weigh risk against reward when they make decisions regarding how to mitigate spam. They think first or exclusively about the security of their organization, their users, or their customers.

Email administrators are willing and by their own accounts do apply filtering rules to block delivery of email from entire TLDs. Blocking at the TLD level is a practice that has been and continues to be applied to ccTLDs. One administrator justifies this practice saying, “some countries have no laws against spam, and providers are happy to take money from spammers and allow them to send millions of emails.”

Administrators have blocked entire TLDs in the past, using event logs or “most abused lists” as the basis for blocklisting. Several strategies regarding new TLDs appear in discussion threads:

  • Administrators in several email communities have discussed the merits of implementing a policy to block abused TLDs or all new TLDs and have shared policy configurations because they believe that this action will reduce their organizational or subscribers’ risk.
  • Some administrators comment that they use their passive DNS replication data to block all newly registered domains in new TLDs in order to catch abuse domain names that have not yet been added to URI blocklists.
  • Some administrators are willing to tolerate false positives to mitigate spam if they believe that this action will effectively block abuse domains used in spam attacks. Administrators who appear more familiar with domain registration services claim to create filtering rules that block email based on the name server names that are associated with registrars that have poor reputations, again demonstrating a willingness to accept false positives until the registrar’s reputation improves.
  • Email administrators admit to blocking entire new TLDs to mitigate spam when their organizations conclude that there is little likelihood that it will receive legitimate business correspondence from any but a few recognized legacy TLDs.

Small or medium business administrators across several email communities have suggested that policies of these kinds are reasonable because the implementation, while severe, is simple to deploy and the risk associated with such policies are perceived to be low relative to their organization sizes. One administrator comments that, “a fortune 500 company has a lot more to lose by whacking those [new TLDs], but someone with 100 users is probably ok blocking anything”.

Reputation Matters

Review sites such as Yelp!, TripAdvisor and consumer product ratings at emerchant sites have made reputation an integral part of consumer choice. The amplification factor from social media further empowers consumers to express dissatisfaction or fear of harm. Wittingly or not, our societies are becoming accustomed to assessing risk through reputation. It’s worth noting that these ratings do not have the same accuracy, reliability, accountability characteristics of reputation blocklists yet they still shape decision making.

Email community forums are neither trade nor industry policy associations. They are, however, influential; in particular, administrators from small and medium businesses greatly value sharing opportunities with administrators who are employed at larger organizations. The informal discussions in such forums, however anecdotal, illustrate that abuse reputation matters. The ICANN community may find it beneficial to consider the attitudes within email communities regarding TLDs and consider, too, the policies and attitudes that email administrators have shared during discussions about spam or other abuse filtering.

Registry operators may also wish to consider the importance of earning the confidence of the administrator communities to ensure that their TLDs and possibly all domain names registered in their TLDs are not preemptively blocked from email delivery or access via other client (e.g., web) connections. Consider engaging with these communities. Some registries already participate: in one thread, the co-founder of .Club Domains LLC offers to set up a "feedback loop with your company  so that any club URLs determined to be spam etc can be forwarded to us, investigated and shut down." This kind of outreach encourages dialog and cooperation and other operators should consider the benefit to demonstrating that Top-level Domain reputation does indeed matter.


Spam: The Security Threat You Easily Forget

About this time last year, I spoke at a Cybersecurity conference in Krakow. I was asked during a video interview to identify security threats that I believed were most pressing. (Ignore the suit...)

Yes, I said spam.

Not DDoS? Not ransomware? Not breach of personal data? Not IoT? Are you daft, Dave?


My thinking has not changed a full year later.

Spam is a criminal infrastructure enabler

Spam may have been merely annoying, unsolicited messages in your inbox at one time, but that was a millennia ago. The average spam volume reported to the Cisco Talos Email and Web Reputation Center for September 2017 was 367 billion. To date in October, volume is up fifteen percent. Due to the near ubiquitous adoption of reputation block lists, you see very few of these. Be thankful that most spam is not delivered, because spam is the preferred delivery infrastructure for phishing, ransomware or malware, and many other threats.

Spam is also more pervasive today than ever, affecting not only your email experience but texting and social media as well. Social spam infrastructures are now allegedly used to influence or control political expression.

You've perhaps been lulled into complacency about spam because you don't see it. The ubiquity of reputation block lists is the reason average every user isn't inundated with spam, and the reason why security professionals don't spend all of their waking hours remediating infected devices of co-workers, friends or family.

The Strategic Asset Value of Spam Networks

Today, spam infrastructures are as important a weapon in the cyber attacker arsenal as nuclear submarines are to warfare. Spam infrastructures have similar operational properties to submarine fleets:

Operational stealth is "the ability to operate in a medium generally unfavourable to counter-detecting sensors". Spam networks operate below the "sea surface" as a highly geographically distributed armada of compromised devices and servers that can be engaged in cyber attacks through a command infrastructure.  A spam network is also like a submarine force in the respect that it can operate in a location- and numbers-independent fashion: the bots that use fast flux techniques to provide the underlay network for a spam infrastructure such as Avalanche exhibit this uncertainty of presence.  

Operational Survivability is the ability to operate in hostile environments. Infected devices (bots) that support spam infrastructures operate malware that may defeat, modify or remove security measures and dismantle communications between the bots and their "Force Commander" (in bot-speak, command-control or C2).

Operational Endurance is the ability to sustain operations for long periods of time without support. Spam infrastructures employ domain generation algorithms, fast flux, and persistent bot recruitment to sustain availability. They also typically infect devices on a scale that requires global or multi-jurisdictional cooperation to contain or dismantle. 


The most frightening strategic asset value of a submarine is its ability to bring considerable lethal force to bear on targets. Increasingly, cyber attackers are employing spam infrastructures to deliver ransomware or to censor or influence political expression.  These, too, are "lethal", in the context of being extremely dangerous attacks, capable of causing serious harm or damage.

Spam is no longer unsolicited communications or content. It is a prolific threat that we must monitor, report, and learn to better mitigate.  I'm cautiously optimistic that projects like our Domain Abuse Activity Reporting at ICANN will help diverse communities to understand and respond to defang spam.