Do RBLs Still Cut It?
CleanDNS Editorials: Exploring the strengths, limitations, and implications of RBLs in DNS Abuse management and online harm mitigation.
By Chris Lewis-Evans, COO | Article publication date: 06 August, 2025
One of the key conclusions from my colleague Alan’s recent article in the CleanDNS Editorial series is that, as we strive for higher standards in our fight against DNS Abuse, we must, as he aptly puts it, “abandon the illusion that ‘abuse’ can be measured by overly simplistic approaches.” I’d like to continue that thread by exploring a crucial dimension of this shift: the importance of drawing from a diverse range of sources. At CleanDNS, we believe that this is not only essential for effective abuse management, but also for grounding our policy discussions in a more nuanced and informed perspective.
Measuring abuse: do RBLs still have a place?
In the ever-evolving landscape of DNS abuse, Reputation Blocklists (RBLs) have long been a cornerstone of detection for mitigation. But as our fight against DNS abuse matures, and the complexity of tackling broader online abuses increases, scrutiny intensifies too, especially of the effectiveness of the tools we use to support our actions and to develop policy. Are RBLs enough? Or do we need to lean more heavily on evidence-based reporting sources? I will look into the strengths, limitations, and policy implications of RBLs and explore how they compare to more granular, evidence-driven approaches.
What Is an RBL?
- Block access to harmful content
- Monitor abuse trends
- Inform security device policies and enforcement decisions
RBLs can be open-source, maintained by volunteer communities, or commercial, operated by security vendors using proprietary data and analytics. Importantly, RBLs are often risk-based, meaning they may list domains not because of confirmed abuse, but because of patterns or indicators that suggest a high likelihood of abuse.
What RBLs Actually Measure
Unlike systems that rely on verified abuse reports, RBLs often operate on predictive models and heuristics. This means:
- Domains may be listed based on risk factors like hosting behaviour, registrar reputation, or historical abuse trends.
- Inclusion doesn’t always mean the domain is actively abusive; it may simply be likely to become abusive. In some cases this can result in listed domains that have not yet been delegated.
This risk-based approach is useful for preventive blocking, but it can also lead to false positives or over-enforcement, which is normally balanced by systems that allow for de-listing from the RBLs.
Blocking vs. Suspension
RBLs are designed for binary decisions: to block or not to block. They don’t require registrars or hosting providers to investigate or suspend a domain. This makes them:
- Operationally simple: Easy to integrate into firewalls, spam filters, and abuse detection systems.
- Fast-acting: Can block threats in real time without waiting for verification.
However, when RBL data is used to inform policy enforcement, such as domain suspension or registrar sanctions, the stakes are higher. In these cases, relying solely on RBLs can be problematic:
- Suspension requires stronger evidence than blocking.
- Policy decisions based on RBLs alone may lack transparency or fairness.
How Effective Are RBLs for Measuring Abuse?
RBLs offer a scalable way to track abuse across the DNS, but their effectiveness depends on several factors:
Strengths:
- High-volume coverage: RBLs can process millions of domains and IPs, offering broad visibility.
- Automation-friendly: Easily integrated into security workflows and abuse mitigation systems.
- Useful for trend analysis: Can highlight spikes in phishing, malware, or spam activity.
Limitations:
- Fragmented visibility: Different RBLs detect different types of abuse, often with little overlap.
- Blind spots: Commercial RBLs may miss abuse outside their customer networks; open-source lists may lack depth.
- Lack of context: RBLs often don’t provide detailed evidence or metadata about why a domain was listed.
- Geographic bias: Some RBLs have stronger visibility in certain regions, skewing global abuse metrics.
These limitations can lead to inconsistent abuse rankings, making it difficult to compare registrars or TLDs fairly.
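The ranking problem described above can be reproduced with a few lines of analysis. The following is an added example, not CleanDNS or ICANN code: the three blocklists, the registrars and every domain are constructed sample data with hypothetical names, chosen so that each list sees a different slice of abuse.

```python
from itertools import combinations

# Constructed sample data: domain -> sponsoring registrar (all names hypothetical).
REGISTRAR = {
    "a1.example": "RegA", "a2.example": "RegA", "a3.example": "RegA", "a4.example": "RegA",
    "b1.example": "RegB", "b2.example": "RegB", "b3.example": "RegB", "b4.example": "RegB",
    "c1.example": "RegC", "c2.example": "RegC", "c3.example": "RegC", "c4.example": "RegC",
}
# Constructed listings from three hypothetical blocklists with different visibility.
FEEDS = {
    "rbl_phish": {"a1.example", "a2.example", "a3.example", "b1.example"},
    "rbl_spam":  {"b1.example", "b2.example", "b3.example", "c1.example"},
    "rbl_risk":  {"c1.example", "c2.example", "c3.example", "c4.example", "a1.example"},
}

def jaccard(x, y):
    """Overlap of two listings: |x & y| / |x | y| (0 = disjoint, 1 = identical)."""
    union = x | y
    return len(x & y) / len(union) if union else 1.0

def pairwise_overlap(feeds):
    """Jaccard overlap for every pair of feeds, keyed by (name, name)."""
    return {(p, q): round(jaccard(feeds[p], feeds[q]), 3)
            for p, q in combinations(sorted(feeds), 2)}

def registrar_rates(listed, registrar_of):
    """Share of each registrar's domains that appear in `listed`."""
    totals, hits = {}, {}
    for domain, reg in registrar_of.items():
        totals[reg] = totals.get(reg, 0) + 1
        hits[reg] = hits.get(reg, 0) + (domain in listed)
    return {reg: hits[reg] / totals[reg] for reg in totals}

def ranking(listed, registrar_of):
    """Registrars ordered worst-first by listed share; ties broken by name."""
    rates = registrar_rates(listed, registrar_of)
    return sorted(rates, key=lambda r: (-rates[r], r))

def rankings_by_source(feeds, registrar_of):
    """Ranking under each single feed, plus the naive union of all feeds."""
    out = {name: ranking(listed, registrar_of) for name, listed in feeds.items()}
    out["union"] = ranking(set().union(*feeds.values()), registrar_of)
    return out

if __name__ == "__main__":
    for pair, score in pairwise_overlap(FEEDS).items():
        print(pair, score)
    for source, order in rankings_by_source(FEEDS, REGISTRAR).items():
        print(f"{source:10s} worst-first: {order}")
```

With this sample, each list names a different "worst" registrar, and the naive union simply reproduces the ranking of the largest, risk-based list.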
Evidence-Based Reporting
CleanDNS relies heavily on evidence-based sources, trusted verifiers, and trusted notifiers (article to follow). Unlike RBLs, evidence-based reporting sources such as URLAbuse, or one of the other 50+ evidence-based sources we use, focus on verifiable, contextual abuse reports. These systems typically:
- Include screenshots, payloads, and timestamps
- Validate abuse through machine learning or human review
- Provide actionable intelligence for registrars, registries, law enforcement, and other security professionals.
Key Differences:
Evidence-based systems are particularly valuable for policy development, as they allow stakeholders to:
- Justify enforcement actions
- Track abuse lifecycle and remediation
- Build trust with registrants and regulators
Policy Implications
When DNS abuse metrics are used to shape policy or compliance, data integrity is critical. Relying solely on RBLs can lead to:
- Misclassification of registrars or TLDs
- Over- or under-reporting of certain abuse types
- Misguided enforcement strategies
A multi-source approach, combining RBLs with evidence-based feeds, goes some of the way to offering a balanced view of abuse. ICANN’s Domain Metrica system is one example of this hybrid model, and ICANN’s latest article utilising its data, How Choice of Reputation Blocklists Affects DNS Abuse Metrics, draws some interesting conclusions. For me it also highlights that using RBLs at all is not without its own pitfalls: due to the scale and nature of RBLs, adding them to any statistical analysis quickly leads to a skew in abuse rankings that can add confusion to results.
Final Thoughts
RBLs remain valuable tools for mitigating risk, but they were never intended to serve as definitive indicators of abuse. As the landscape evolves, it’s clear we’ve reached a point where RBLs should be used in alignment with their original purpose: as part of a broader, multi-source strategy. As such it’s important that sources built on verifiable, contextual abuse reports distinguish themselves from traditional RBLs—so their indicators aren’t drowned out in the broader noise of undifferentiated signals. At CleanDNS, our approach emphasizes the integration of transparent, evidence-rich reporting to support not just operational response but also informed policy development. By grounding decisions in robust data and context, we can move toward more precise and meaningful mitigation efforts.