Being listed on DroneBL can cause concern, especially for cybersecurity teams, even if the direct impact on email deliverability is minimal compared to major email-specific blocklists. This blocklist primarily targets IP addresses associated with compromised machines, proxies, or malicious activity rather than typical email spam.
Key findings
Nature of DroneBL: DroneBL is an IP-based blocklist that focuses on compromised machines, open proxies, and other security threats. It is not exclusively or primarily an email spam blocklist, differentiating it from lists like Spamhaus.
Common Listing Reasons: Listings often occur due to activities such as dictionary attacks on honeypots, being an IRC drone, or operating as an open proxy. It can also stem from a dirty IP range, generic rDNS, or infected servers.
Impact on Security Scores: While DroneBL might not directly block your emails at major mailboxes, its listing can impact your company's security scorecard ratings. This can be a significant concern for cybersecurity teams, affecting vendor contracts or compliance.
Delisting Process: Typically, removing an IP from DroneBL is straightforward, often involving a simple request through their website.
Key considerations
Identify the Root Cause: Before requesting delisting, it is crucial to understand why your IP was listed. This might involve investigating your network for open proxies or compromised systems, or identifying issues with your mailing lists that could lead to hitting honeypots. Our guide to how blocklists work can provide more context.
Security vs. Email Impact: Recognize that the primary concern for a DroneBL listing is often security-related rather than email deliverability, though deliverability can be impacted if receiving servers use it. Your internal teams might have different priorities for delisting.
Prevent Future Listings: Implement robust security measures and maintain clean email lists to prevent future listings. Regularly review your outbound traffic and security logs. For email-related blocklists, consider using a blocklist checker.
What email marketers say
Email marketers often encounter blocklists, but DroneBL can be unfamiliar territory as its focus diverges from traditional spam. Their perspective highlights the broader implications of IP listings beyond just email blocking.
Key opinions
Unfamiliarity: Many marketers are not aware of DroneBL, primarily focusing on more common email blocklists like Spamhaus. This can lead to confusion when their IPs appear on such a list.
Security Scorecard Impact: A significant concern for marketers (and their cybersecurity teams) is how a DroneBL listing reflects on their company's security scorecard, which can affect business relationships and contracts.
Cause for Listing: Marketers often find their IPs listed due to sending to bad addresses or honeypots, especially with smaller, less managed client lists, leading to 'dictionary attack' classifications.
VPN/Proxy Misattribution: Some users reported being accused of VPN abuse when using mobile hotspots or proxies, suggesting misidentification or issues with shared IP spaces.
Key considerations
Distinguish Listing Types: Marketers should understand the difference between email-specific blocklists and security-focused ones like DroneBL. This clarity helps in prioritizing remediation efforts and communicating effectively with security teams. For deeper understanding, read our article, The difference between a blacklist and a blocklist.
Clean List Management: Even if DroneBL is not an email blocklist, practices that prevent email blocklistings (like regular list hygiene) can reduce the likelihood of being flagged for dictionary attacks, which is a common DroneBL listing reason.
Proactive Monitoring: While DroneBL might not impact email deliverability directly, monitoring all relevant blocklists (including security-focused ones) can help identify broader IP reputation issues early on, before they escalate to more critical problems. Our guide on IP blacklisting offers more insights.
Collaborate with Security: Marketers should foster open communication with their cybersecurity teams to understand their concerns regarding IP reputation beyond email deliverability, aligning efforts to protect the company's overall security posture.
Marketer view
Email marketer from Email Geeks explains they had never heard of DroneBL before their cybersecurity team raised a panic about an IP listing, indicating its lesser-known status among traditional email marketing circles.
02 Nov 2023 - Email Geeks
Marketer view
Marketer from Email Geeks highlights that their cybersecurity team's primary concern with a DroneBL listing is its appearance on their "Security Scorecard," which could impact business contracts, shifting the focus from email blocking to broader security implications.
02 Nov 2023 - Email Geeks
What the experts say
Email deliverability experts offer a critical perspective on DroneBL, emphasizing its role as a security blocklist rather than a typical email spam list. Their insights help clarify the true nature of listings and effective remediation strategies.
Key opinions
Security, Not Spam: Experts stress that a DroneBL listing is not always related to spam but is frequently due to compromised machines or open proxies. This makes it a security issue, not solely an email deliverability problem.
Compromised Machines: The list primarily identifies compromised machines, such as those involved in dictionary attacks on honeypots, making it a valid concern for security teams looking to identify system vulnerabilities. Further reading on spam traps may be useful.
Ease of Delisting: Delisting from DroneBL is generally simple, often requiring just a few clicks to request removal, provided the underlying issue has been addressed.
Principle-Driven: DroneBL is perceived as an old-school blocklist that operates on principles rather than revenue, suggesting a different philosophy compared to commercial blocklists.
Key considerations
Investigate Underlying Issues: Even if delisting is easy, experts advise a thorough investigation into the security of MTA (Mail Transfer Agent) machines to ensure they are not compromised. While unlikely for old listings, new ones warrant immediate review.
Context is Key: The appropriate response to a DroneBL listing depends heavily on whether the concern is email blockage or a broader security posture. Tailor your communication and actions accordingly.
Maintain Data Quality: For email senders, a DroneBL listing for 'dictionary attack on honeypots' indicates issues with mailing list quality. Regular list cleaning and validation are essential to prevent hitting spam traps and associated blocklists. Learn about different types of spam traps.
Expert view
Expert from Email Geeks clarifies that a DroneBL listing is not always related to spam but is often due to an open proxy, indicating that it is fundamentally a security issue rather than an email deliverability one.
02 Nov 2023 - Email Geeks
Expert view
Expert from Email Geeks states that if a DroneBL listing is due to an open proxy, then it is not an email issue, reinforcing the distinction between security-focused and email-focused blocklists.
02 Nov 2023 - Email Geeks
What the documentation says
Official documentation and technical analyses provide precise reasons for DroneBL listings and how they categorize various types of malicious network behavior. Understanding these specifics is crucial for effective diagnosis and remediation.
Key findings
Diverse Listing Categories: DroneBL lists IPs across many categories, including 'IRC Drone', 'Bottler', 'Unknown spambot or drone', 'DDOS Drone', 'SOCKS Proxy', 'HTTP Proxy', 'ProxyChain', 'Web Page Proxy', 'Open DNS Resolver', 'Brute force attackers', 'Open Wingate Proxy', 'Compromised router / gateway', 'Autorooting worms', and 'Automatically determined botnet IPs (experimental)'.
Primary Focus: While 'spam' is a minor reason, DroneBL's core mission is to identify and list IP addresses belonging to systems that are compromised and being used for malicious purposes, such as operating as open proxies or participating in botnet activities. This aligns with the understanding of DNSBLs.
Specific Listing Reasons: A common specific case is a category 13 listing, which indicates 'brute force attackers', often with a comment like 'dictionary attack on honeypots'. This points to issues with outbound connection attempts rather than email content.
Dynamic Updates: The lists are dynamic, with IPs being added and removed over time, as shown by change history charts, reflecting ongoing monitoring of threat landscapes. You can find more information on FireHOL IP Lists.
Key considerations
Interpret Listing Data: When an IP is listed, access the specific listing details on the DroneBL website to understand the exact category and associated comments. This information is crucial for pinpointing the specific security vulnerability or misuse.
Secure Systems: Documentation often implies that a listing means a machine or network segment is compromised or misconfigured. This necessitates a thorough security audit to close open proxies, fix misconfigured DNS resolvers, or clean infected servers.
Address Root Cause: Simply requesting delisting without resolving the underlying issue will likely result in a re-listing. Technical documentation often provides guidance on the behaviors that lead to listings, emphasizing that remediation requires addressing the core problem.
Long-term Monitoring: Documentation for such blocklists, as well as general security best practices, recommends continuous monitoring of IP addresses for suspicious activity to prevent future listings and maintain a clean reputation. Our guide on email domain reputation covers broader aspects.
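To make the category lookup described under 'Diverse Listing Categories' and 'Interpret Listing Data' concrete, here is an added example (not from DroneBL or from the original page) that checks one of your own IPv4 addresses over DNS and names the categories returned. It assumes the lookup zone `dnsbl.dronebl.org` and the usual DNSBL convention that the last octet of a `127.0.0.x` answer is the category number; apart from category 13, the numbers in the table are assumed from DroneBL's published class list rather than taken from this page.

```python
import ipaddress
import socket

# Assumption: DroneBL's public lookup zone; it is not stated on this page.
ZONE = "dnsbl.dronebl.org"

# Names as listed on this page. The page numbers only category 13; the other
# numbers are assumed from DroneBL's published class list.
CLASSES = {
    3: "IRC Drone", 5: "Bottler", 6: "Unknown spambot or drone",
    7: "DDOS Drone", 8: "SOCKS Proxy", 9: "HTTP Proxy", 10: "ProxyChain",
    11: "Web Page Proxy", 12: "Open DNS Resolver", 13: "Brute force attackers",
    14: "Open Wingate Proxy", 15: "Compromised router / gateway",
    16: "Autorooting worms",
    17: "Automatically determined botnet IPs (experimental)",
}

def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone (standard DNSBL form)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return all A records for name; an empty list means NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []  # no such name: the address is not listed
        raise  # a failed lookup must not be reported as a clean result
    return sorted({info[4][0] for info in infos})

def check_ip(ip, resolve=system_resolver):
    """Return sorted (number, name) pairs; an empty list means not listed."""
    hits = set()
    for answer in resolve(query_name(ip)):
        octets = answer.split(".")
        # Listings are answered from 127.0.0.0/8. Skip anything else, such as
        # a resolver that rewrites NXDOMAIN to a landing-page address.
        if len(octets) != 4 or octets[0] != "127":
            continue
        number = int(octets[3])
        hits.add((number, CLASSES.get(number, "unrecognised class")))
    return sorted(hits)

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a constructed sample.
    print(check_ip("192.0.2.10") or "not listed")
```

The category number only narrows the investigation; the comment attached to the listing on the DroneBL website still has to be read before requesting removal.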
Technical article
Documentation from DroneBL's category list indicates that an IP can be listed for being an 'IRC Drone', signifying its involvement in malicious IRC network activity, not necessarily email spam.
02 Nov 2023 - DroneBL.org
Technical article
Documentation from DroneBL's category list states that 'SOCKS Proxy' and 'HTTP Proxy' are reasons for IP listings, highlighting its focus on identifying and blocking open proxy servers that can be abused.