What is Behavioral Blacklisting?


IP addresses known for distributing spam have been listed to reduce spam and limit the distribution of viruses or Trojan horses that debilitate systems and compromise data security. The downside to traditional blacklisting is that it is reactive. Before an IP address or domain can be blocked, it must be labelled as ‘bad’ and by that time it has usually caused harm to someone.

And while researchers are working at refining ways to blacklist spammers more proactively, the spammers are just as hard at work to outsmart blacklisting software. They use tactics like starting and stopping campaigns frequently, changing the actual machines used to send spam and using countless zombies to fire off campaigns that make blacklisting bad IP addresses rather ineffective.

Blame it on the zombies

Wikipedia defines zombies as “computers that have been compromised by a hacker, computer virus or Trojan horse and can be used to perform malicious tasks of one sort or another under remote direction.” The owner is usually unaware that their system is being used in this way and hence the comparison to zombies.

To avoid detection, zombies don’t only change their tactics frequently, but also send comparatively small amounts of spam from email addresses that also send valid messages. This practice makes it extremely difficult to differentiate between legitimate and spam traffic.

Spam is more than just an inconvenience

The relentless deluge of unsolicited and often offensive messages infringes on our right to choose the information we want to receive and share. Not to mention the time and resources wasted to manage unwanted emails.

How to curb unwanted messages

Three major techniques are used to filter spam: blacklisting, whitelisting and behavioural blacklisting.

  1. Blacklisting is used to filter messages sent from email addresses, domains or IP addresses that have been flagged as spammers. Messages from these sources generally end up in the Junk Mail folder. Blacklisting is also used to protect systems against malicious code, by blocking known malware from opening or running.
  2. Whitelisting puts the responsibility on recipients to mark senders or domains as “safe” and then accepts and receives mail from these sources but blocks all other mail. Like blacklisting, whitelisting can protect systems from malicious code by preventing executable files that are not listed as ‘safe’ programs from running.
  3. Behavioural blacklisting differs from these techniques in that it doesn't categorise senders according to their IP addresses or domains. Instead, it categorises messages as spam based on behavioural patterns and these are blocked.

Behavioural blacklisting in a nutshell

Behavioural blacklisting was popularised by the SpamTracker solution. This spam filtering technique can loosely be compared to the psychological profiling we see in TV programs like CSI.

While a serial killer may move his activities from one area to another, his modus operandi helps the CSIs to link the different crimes and identify the perpetrator based on their unique attributes. Just like serial killers leave similar traces at each of their crime scenes, spammers engage in specific sending patterns that act as the “evidence” of spamming behaviour.

SpamTracker is a spam filtering system that uses behavioural blacklisting to identify spammers based on their email sending behaviour rather than their identity, i.e. their IP address or domain. Even if spammers try to conceal their identities by using “fresh” IP addresses in the same way a killer will move to a new area, their sending patterns or modus operandi will give them away.

Behavioural blacklisting is founded on the supposition that spammers generally engage in similar, stable sending behaviour. SpamTracker collects input data about confirmed spammers that includes an initial list of spam-flagged IP addresses as well as the sending patterns for those IP addresses to build “blacklist clusters”. SpamTracker uses the behaviour of these clusters as the baseline against which to compare the sending behaviour of other senders and identify similar spamming behaviour to compute a “spam score”.

So unlike whitelisting or blacklisting, behavioural blacklisting does not rely on engagement-based spam filtering, which takes the behaviour of email recipients into account. Instead, it is based on the behaviour of the sender. This method complements traditional content-based spam filtering systems by attempting to categorise email based on network traffic patterns, rather than on the contents of messages.

Regular blacklisting vs. behavioural blacklisting

Blacklisting publicises and blocks messages from IP addresses known for sending spam. While it is effective as a reactive remedy, blacklists need to be updated constantly to know what to block or filter and must adapt to rapidly changing spam campaign methods.

Behavioural blacklisting, on the other hand, follows inductive reasoning like that of the duck test: if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck. It is based on the similar patterns of senders’ behaviour rather than IP identity and therefore assumes that if a sender looks like a spammer and acts like a spammer, it must be a spammer.

It is an effective (though not perfect) method to protect systems from email, programs and files that have not yet been classified as “good” or “bad” without waiting for them to do harm first. However, there can be limitations to the number of data collection points and benchmark domains. Another consideration is the treatment and analysis of false positives, which still require additional testing to be resolved.

Which is the best approach?

When it comes to running software in the business environment, pure whitelisting is considered the most secure solution because the typical business organisation uses a known and limited number of applications. When a file is run, it only has to be checked against the contents of the whitelist - a significantly smaller database than the typical blacklist of virus signatures.

However, when it comes to spam filtering, all three techniques have pros and cons that make them suitable for different situations. Applying a multilayer approach that combines all three provides the most comprehensive protection. It will simultaneously block email from suspicious senders and from those IP addresses that have already been flagged as spammers or “bad”. At the same time, whitelists will allow email from legitimate senders or domains even if it meets behavioural spam criteria or engagement-based spam filtering.
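The two ideas above, the "blacklist clusters" and spam score described in the behavioural blacklisting section and the layered whitelist/blacklist/behavioural policy described here, are shown together in the following added example. This is illustrative code written for this article, not SpamTracker's own implementation: it assumes a sender's "sending pattern" is the distribution of its mail across recipient domains, uses a simple greedy clustering in place of SpamTracker's spectral clustering, and runs on a small constructed log with documentation-range IP addresses and invented counts.

```python
"""Toy behavioural blacklisting in the spirit of SpamTracker (added example,
not SpamTracker's own code). A sender's "sending pattern" is taken to be how
its mail is spread over recipient domains; known spammers are clustered by
pattern, and an unknown sender's spam score is its similarity to the closest
cluster. A final layered policy combines whitelist, blacklist and the score."""
from collections import defaultdict
import math

# Constructed sample data: (sender_ip, recipient_domain, messages_sent).
# All addresses are from documentation ranges; the counts are invented.
SAMPLE_LOG = [
    ("203.0.113.10", "a.example", 50), ("203.0.113.10", "b.example", 50),
    ("203.0.113.10", "c.example", 50), ("203.0.113.10", "d.example", 50),
    ("203.0.113.11", "a.example", 40), ("203.0.113.11", "b.example", 60),
    ("203.0.113.11", "c.example", 40), ("203.0.113.11", "d.example", 60),
    ("198.51.100.7", "d.example", 200),
    ("192.0.2.5", "a.example", 5), ("192.0.2.5", "b.example", 5),
    ("192.0.2.5", "c.example", 5), ("192.0.2.5", "d.example", 5),
    ("192.0.2.9", "a.example", 100), ("192.0.2.9", "b.example", 3),
    ("192.0.2.20", "a.example", 30), ("192.0.2.20", "b.example", 30),
    ("192.0.2.20", "c.example", 30), ("192.0.2.20", "d.example", 30),
]
# Seed list of confirmed spammers (the "initial list of spam-flagged IP addresses").
KNOWN_SPAM_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}
DOMAINS = sorted({domain for _, domain, _ in SAMPLE_LOG})


def _unit(vec):
    """Scale a vector to unit length so that only its shape matters, not volume."""
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec] if norm else vec


def cosine(a, b):
    """Cosine similarity of two unit vectors (their dot product)."""
    return sum(x * y for x, y in zip(a, b))


def sending_patterns(log):
    """Map each sender IP to a unit vector of message counts over DOMAINS."""
    counts = defaultdict(lambda: defaultdict(int))
    for ip, domain, n in log:
        counts[ip][domain] += n
    return {ip: _unit([float(per_domain.get(d, 0)) for d in DOMAINS])
            for ip, per_domain in counts.items()}


def build_clusters(patterns, spam_ips, threshold=0.8):
    """Greedy clustering of known spammer patterns: join the first cluster whose
    centroid is at least `threshold` similar, otherwise start a new cluster.
    (Simplification chosen for this example; SpamTracker uses spectral clustering.)"""
    clusters = []  # each entry: {"members": [ip, ...], "centroid": unit vector}
    for ip in sorted(spam_ips):
        vec = patterns[ip]
        for c in clusters:
            if cosine(vec, c["centroid"]) >= threshold:
                c["members"].append(ip)
                mean = [sum(patterns[m][i] for m in c["members"]) / len(c["members"])
                        for i in range(len(DOMAINS))]
                c["centroid"] = _unit(mean)
                break
        else:
            clusters.append({"members": [ip], "centroid": vec})
    return clusters


def spam_score(vec, clusters):
    """Spam score in 0..1: similarity of a sending pattern to the closest blacklist cluster."""
    return max(cosine(vec, c["centroid"]) for c in clusters)


def classify(ip, patterns, clusters, whitelist, blacklist, threshold=0.8):
    """Layered policy from the article: a whitelist entry overrides everything,
    a blacklist entry blocks, otherwise the behavioural score decides.
    Returns (verdict, reason)."""
    if ip in whitelist:
        return ("accept", "whitelisted")
    if ip in blacklist:
        return ("reject", "blacklisted")
    if ip not in patterns:
        return ("accept", "no sending history to score")
    score = spam_score(patterns[ip], clusters)
    verdict = "reject" if score >= threshold else "accept"
    return (verdict, f"behavioural score {score:.2f}")


if __name__ == "__main__":
    pats = sending_patterns(SAMPLE_LOG)
    cl = build_clusters(pats, KNOWN_SPAM_IPS)
    print(f"{len(cl)} blacklist clusters: {[c['members'] for c in cl]}")
    whitelist, blacklist = {"192.0.2.20"}, KNOWN_SPAM_IPS | {"203.0.113.99"}
    for ip in ("192.0.2.5", "192.0.2.9", "192.0.2.20", "203.0.113.99"):
        print(ip, classify(ip, pats, cl, whitelist, blacklist))
```

In the constructed data, 192.0.2.5 is a "fresh" address that has never been blacklisted but spreads its mail exactly like the known spammers, so its score is close to 1 and it is rejected; 192.0.2.9 sends almost entirely to one domain, scores well below the threshold and is accepted; 192.0.2.20 has the spammer-like shape but is whitelisted, so the whitelist wins, as the article says it should; 203.0.113.99 has no sending history at all but is rejected on the blacklist alone.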