How Does The AHBL Work?

The AHBL is a real-time blocking system. This means that data is collected from various sources 24 hours a day, 7 days a week, in real time, and merged into our database.

Some of the data in our database comes from our own mail servers, some from our spam traps, and some from information exchanged with other DNSBL-type lists. Much of our data comes from our own users and our partners, who allow us to scan their mail server logs and who forward us different types of spam, which is then broken down into lists of IP addresses, From: addresses, etc.

Standard tests on a host known to be sending spam include a proxy sweep, to try to determine whether the machine is infected with one of the many Windows viruses and trojans floating around on the Internet; a relay check on the SMTP port (if open); and a check against various other sources of information, including other lists such as SpamHaus, ORDB, DSBL, SORBS, and similar.

If the open proxy tests fail (meaning the host is open to relaying via the proxy), or the SMTP port test fails (meaning it is an open SMTP relay), the host is automatically added to the list within 30 minutes and propagated to all of our mirror servers in under an hour.

Other hosts that show signs of possibly being owned by a spammer are cross-referenced with the AHBL's RHSbl system, which tracks known spammer domains (including WHOIS information, name server addresses, etc.), and with SpamHaus's ROKSO listings.

Should the host score highly enough, it is automatically queued for manual addition by an AHBL administrator. If the host does not pass enough of the automatic checks, but still shows signs of being a possible spam source, AHBL administrators will investigate the host, using various tools and websites (including the Usenet groups NANAS, NANAB, NANAE), and decide whether the host should be added.

How Are Removals Handled?
A user/provider can request the delisting of an open proxy/open relay host using our automated testing system. It takes between 1 and 5 days before a host is tested by our automated system (the timing is random), and provided that the host is no longer open, the listing will be removed.

If the listing is a Spam Source, Spam Support, or similar that was manually added by an AHBL administrator, the person/company/ISP that is being blocked must provide a reason for delisting via the online form from the lookup page. Most of the time, removals of these types require a vote by the AHBL administration (which usually takes 2-7 days). Provided the majority of the votes are Yes for delisting, the host will be removed from the database and the ticket closed.

In the case of a Shoot On Sight listing, removals are rarely if ever accepted or considered. If a SOS removal is accepted, it must pass by a unanimous Yes vote, or the host will not be removed.