Overview
Purpose
Design
Implementation

How the EBL is Designed

The EBL was designed with lessons learned from several earlier blocklists in mind. It is robust, has an extremely low false postive rate, and catches spam that other blocklists cannot catch. It is also designed to be queried in much the same way that existing domain-based and URI blocklists are. Most of the effort required to add EBL checks to a mailserver is in extracting and preparing the email addresses for checking.

This page explains what must be done to query the EBL. Several tools exist already. We hope to encourage development of more of them. :)

Querying the EBL requires that email addresses first be extracted from email headres and message bodies, prepared (or canonicalized), and hashed. Email addresses need to be canonicalized before hashing because mailservers "see" email addresses differently than hashing algorithms do. Mailservers ignore case in email addresses, and most ignore tags. Tags are usually defined as the + character followed by any alphanumeric string, but some email services use other characters to signify the beginning of a tag. Gmail, the largest free webmail site, also ignores periods in the username, and treats @googlemail.com as equivalent to @gmail.com.

These differences in formatting and style of the what is effectively the same email address mean that hashing algorithms can easily create many different hashes of the same email address. Spammers know this, and some make use of it to evade spam blocking and filtering. Removal of formatting variations, tags, and extraneous characters, and regularizing of analogious domain names, ensures that spammers cannot evade detection on the EBL by using formatting tricks.

Canonicalizing an email address for hashing requires following the steps that the EBL's automated spam feed filters follow.

To smoothe implementation, the EBL scripts also create hashes of email addresses exactly as seen in the spam emails that they observe. However, canonicalizing an email address before hashing is the correct method for checking the EBL and will give the best results.

Once you have prepared the email address, you can use any hashing tool that creates SHA1 hashes. Make sure that you hash only the email address, without leading or trailing spaces, carriage returns or linefeeds. If your preferred hashing tool produces extraneous characters around the hash, use just the hash.

How to Use the EBL

  1. Extract the email addresses to be checked from the email.
  2. Canonicalize the email addresses as described above.
  3. Convert the email addresses into SHA1-format cryptographic hashes.
  4. Append ebl.msbl.org to the hash to form the query string, just as you would combine a domain with the zone of a domain-based blocklist.

EBL Query Details

Zone:  ebl.msbl.org
Query String:  ${hash}.ebl.msbl.org
Response Codes:  A record: 127.0.0.2
TXT record: Brief explanation of the reason the email address was listed.