DNS Blocklists

Introduction

DNS Blocklists are a common form of network-accessible database used in spam detection. They're also referred to as "DNSBLs", "DNS Blacklists" and "RBLs". (The latter usage is incorrect; see RBL.)

SpamAssassin includes support for many of the bigger DNSBLs, with optimal scores (or at least, optimal as determined by the GeneticAlgorithm).

...

When using DNS Blocklists, it is strongly recommended to run your own CachingNameserver.

SpamAssassin Policy for DNSBL Inclusion

The SpamAssassin Policy for DNSBL Inclusion is available at DnsBlocklistsInclusionPolicy.

Block Lists

Support for the following DNSBLs is built-in, and shipped in the default configuration.

  • DSBL

  • net/ Mailspike has a few components. As blacklists, Mailspike has a blacklist and a zombie-list (participants in current spam waves).

  • .sorbs.net/ Note: most zones are included except the actual spam zone, due to a $50 delisting fee. You can enable it manually if desired.

  • org/ NOTE: SURBL is enabled as a "free for most" provider. See: http://www.

Policy Lists

The following DNSBLs are not specifically about spam, but instead about sites which break net policies and conventions, practices which are often associated with spammers.

  • Validity

  • NOTE: Validity is enabled as a "free for most" provider.

Reputation

The following DNS checks have diverse levels of reputation:

  • net/ Mailspike has a reputation list with 10 levels ranging from good to bad reputation. The top and bottom levels define its whitelist and blacklist.

Whitelists

The following DNS checks are actually for whitelists, i.e. sites which are certified by someone to be a reasonable sender.

  • Bonded Sender Program: Trusted sender in Bonded Sender Program
  • IADB Vouched: ISIPP Vouched for Sender
  • Habeas Accredited Senders: Habeas accredited sender

Accuracy

...

URIBLs

The following DNS checks are for URIs (e.g. http links).

  • Spamhaus http://www.spamhaus.org/dbl/ Checks for spamvertised/phishing/malware/botnet/abused-redirector sites; also checks the hosts' NS and A records.
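
How a URIBL check proceeds, as an added Python example (this is not SpamAssassin's code): hostnames are pulled out of the message's URIs, normalised and deduplicated, then looked up as-is under the dbl.spamhaus.org zone, and the 127.0.1.x value in the answer says which category matched. The return-code table follows Spamhaus's published DBL documentation as I recall it, so verify it against the current zone documentation before relying on it; the message body and the DNS answers are constructed. SpamAssassin additionally resolves the hosts' NS and A records and checks those against IP-based lists, which this example leaves out.

```python
"""URIBL lookups: from URIs in a message body to DNS query names and verdicts.

Added example, not SpamAssassin's code.  The Spamhaus DBL return-code
meanings below follow Spamhaus's published documentation as the author
recalls it; verify them against the current zone documentation.  The message
body and the DNS answers are constructed, so nothing here hits the network.
"""
import ipaddress
import re
from urllib.parse import urlsplit

DBL_ZONE = "dbl.spamhaus.org"

# DBL listings answer with 127.0.1.x A records; 127.0.1.255 is not a listing
# but the error "IP queries prohibited" (the DBL lists domains only).
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
}
DBL_ERRORS = {"127.0.1.255": "IP queries prohibited"}

URI_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)


def extract_hosts(body):
    """Distinct, normalised hostnames of the http(s) URIs in a message body.

    urlsplit().hostname lowercases and drops port and userinfo.  IP-literal
    hosts are skipped: they belong in an IP-based list, and the DBL would
    only answer them with its error code.
    """
    hosts = []
    for uri in URI_RE.findall(body):
        host = urlsplit(uri).hostname
        if not host:
            continue
        host = host.rstrip(".")
        try:
            ipaddress.ip_address(host)
            continue
        except ValueError:
            pass
        if host not in hosts:
            hosts.append(host)
    return hosts


def dbl_query_name(host, zone=DBL_ZONE):
    """Domain-based lists are queried with the name as-is, not octet-reversed."""
    return f"{host}.{zone}."


def classify(answers):
    """Split a list of A-record answers into (listing reasons, error strings)."""
    listings = sorted(DBL_CODES[a] for a in answers if a in DBL_CODES)
    errors = sorted(DBL_ERRORS[a] for a in answers if a in DBL_ERRORS)
    return listings, errors


def check_body(body, resolver):
    """Query each distinct URI host once; return {host: (listings, errors)}."""
    return {h: classify(resolver(dbl_query_name(h))) for h in extract_hosts(body)}


# Constructed sample: one redirector host is "listed" in our fake answers.
SAMPLE_BODY = """\
Great offer at http://WWW.Example.COM:8080/offer and https://redirect.example.net/?u=1
Mirror: http://192.0.2.7/offer or http://www.example.com/other
"""
SAMPLE_ANSWERS = {"redirect.example.net.dbl.spamhaus.org.": ["127.0.1.103"]}


def stub_resolver(name):
    """Offline stand-in for a DNS A lookup against the constructed answers."""
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for host, (listings, errors) in check_body(SAMPLE_BODY, stub_resolver).items():
        print(host, listings or "not listed", errors)
```

Deduplicating hosts before querying matters in practice: a message with the same link repeated ten times should cost one lookup, not ten, against a provider that rate-limits "free for some" users.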


Other Lists

Other places to find out about DNS blacklists / blocklists:

Note that it's extremely important to compare false positive rates (nonspam messages marked as spam), as well as spam hit-rates, when evaluating any anti-spam system, including DNS blocklists. (For example, a blocklist that returned a match for every single mail would 'catch all the spam', but would also mark every nonspam mail as spam too.) Some of the above pages omit this information, so take them with a pinch of salt.

news.admin.net-abuse.blocklisting (http://www.blocklisting.com/faq.html) is a newsgroup devoted to discussion of subjects related to the use, administration, and effects of blocklists in ameliorating the problem of unsolicited bulk email and other unwanted or abusive network traffic. It is also accessible through groups.google.com (http://groups.google.com/groups?group=news.admin.net-abuse.blocklisting).

Questions And Answers

Q: My queries to a DNS-blocklist were blocked. What does this mean?

A: DNS-Blocklists often run on the "free for some" model and/or they may limit the number of queries you can perform to maximize resources.

If you were directed to this link from a rule description, then you have a DNS-Blocklist that is purposefully blocking your queries.

Resolving the block might be as simple as using your own non-forwarding caching nameserver to avoid being lumped together with other users' queries; setting up your own mirror of the DNS-blocklist; or paying to use the blocklist. The choice is up to the DNS-Blocklist administrator.

SpamAssassin supports the "free for some" model since it works for the majority of SpamAssassin installations. However, we do not support methodologies that purposefully return wrong answers and those DNS-Blocklists will be disabled by default.

The following blocklist providers have implemented a Block Notification Rule with SpamAssassin:

...

Q: This documentation doesn't seem to cover how to configure DNS-Blocklists. It says "Support for these is built-in" but I can't believe that all free BLs are called each time a mail is being checked. There must be a way to configure which to use.

A: You're right. You might look at the Mail::SpamAssassin::Conf documentation page (http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html), which I admit doesn't really say how to configure which DNSBL to use, or the rules file 20_dnsbl_tests.cf (http://old.spamassassin.org/full/2.6x/dist/rules/20_dnsbl_tests.cf) for internal details, but there are no clear examples of how to configure the inclusion of various DNSBLs either. For the latest list of DNSBLs you want to be using a recent SpamAssassin version (4.1 at the time of this correction) and sa-update, for the same reason that you wouldn't use an out-of-date virus scanner, but that also doesn't really have anything to do with the question.

If you don't want any DNSBLs used, put a line like

  • skip_rbl_checks 1

in your local.cf

To eliminate the use of a particular DNSBL, set the score to zero. Put lines like

  • score RCVD_IN_RFCI 0
  • score RCVD_IN_ORBS 0
  • score RCVD_IN_DSBL 0

in your local.cf if you don't want certain DNSBLs listed with RCVD_IN_* in 50_scores.cf (under http://old.spamassassin.org/full/2.6x/dist/rules/) to be used.

Note: many of the DNSBLs that can return multiple lists with one DNS query are implemented using one unscored rule that triggers the DNS lookup and stores the result, and several scored rules that check against that stored result (e.g. zen.spamhaus.org). For these sets, if you wish to completely disable the DNS lookup, you will need to disable the trigger rule. It can be found by looking at 20_dnsbl_tests.cf and finding the rule implemented using "check_rbl" instead of "check_rbl_sub".

At present, the query trigger rule for SpamHaus looks like this:

  • header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.')

So to disable it you'd use:

  • score __RCVD_IN_ZEN 0

To disable all DNSWL rules, use:

  • score __RCVD_IN_DNSWL 0

NOTE: As of SpamAssassin version 3.4 you may disable queries for any BL by adding the following to local.cf:

dns_query_restriction deny bldomain

for example:

dns_query_restriction deny sorbs.net
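
The trigger/sub-rule split described above, as an added Python model (this is not SpamAssassin's Perl rule code): one unscored trigger rule does the DNS query and caches the answer set, the scored sub-rules match individual return codes against it, and a provider's block notification is kept apart from a real listing. The zone bl.example, its answers, its return codes and the 127.255.255.255 block code are all constructed for this illustration; a stub resolver stands in for the caching nameserver so it runs offline.

```python
"""Model of SpamAssassin-style DNSBL rules: one DNS lookup, many sub-rules.

This is an added illustration, not SpamAssassin's own code (its real rules
are Perl eval rules using check_rbl/check_rbl_sub).  A stub resolver with
constructed answers replaces real DNS, so the script runs offline.
"""
import ipaddress

# Constructed answers for a fictional zone "bl.example" (not a real DNSBL).
# Real DNSBLs answer with A records inside 127.0.0.0/8 and encode which
# sub-list matched in the low octets.  Treating 127.255.255.255 as a "your
# queries are blocked" notification is an assumption of this model; check
# each provider's documentation for its real codes.
ANSWERS = {
    "2.0.0.192.bl.example.": ["127.0.0.2", "127.0.0.10"],  # two sub-lists hit
    "3.0.0.192.bl.example.": ["127.0.0.4"],
    "4.0.0.192.bl.example.": ["127.255.255.255"],          # block notification
}
BLOCK_CODES = {"127.255.255.255"}


def dnsbl_name(ip, zone):
    """Query name for an IP: reversed octets (IPv4) or reversed hex nibbles
    (IPv6) followed by the list's zone, e.g. 1.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.rstrip(".") + "."


class StubResolver:
    """Offline stand-in for the local caching nameserver; counts queries."""

    def __init__(self, answers):
        self.answers = answers
        self.queries = 0

    def lookup(self, name):
        self.queries += 1
        return list(self.answers.get(name, []))


class DnsblRuleSet:
    """One unscored trigger rule (check_rbl) whose result several scored
    sub-rules (check_rbl_sub) test against; 'score RULE 0' disables a rule."""

    def __init__(self, zone, resolver, trigger, sub_rules):
        self.zone = zone
        self.resolver = resolver
        self.trigger = trigger
        self.sub_rules = dict(sub_rules)   # name -> (return code, score)
        self.enabled = {trigger: True, **{r: True for r in sub_rules}}

    def set_score(self, rule, score):
        """Mimic a 'score RULE N' line in local.cf; N == 0 disables RULE."""
        if rule != self.trigger:
            code, _ = self.sub_rules[rule]
            self.sub_rules[rule] = (code, score)
        self.enabled[rule] = score != 0

    def evaluate(self, ip):
        """Return {'blocked': bool, 'hits': {rule: score}} for one relay IP."""
        result = {"blocked": False, "hits": {}}
        if not self.enabled[self.trigger]:
            return result                  # no trigger, no DNS query at all
        answers = set(self.resolver.lookup(dnsbl_name(ip, self.zone)))
        if answers & BLOCK_CODES:
            result["blocked"] = True       # a refused query is not a listing
            return result
        for rule, (code, score) in self.sub_rules.items():
            if self.enabled[rule] and code in answers:
                result["hits"][rule] = score
        return result


def demo():
    """Show that zeroing a sub-rule keeps querying; zeroing the trigger stops it."""
    resolver = StubResolver(ANSWERS)
    rules = DnsblRuleSet("bl.example", resolver, "__RCVD_IN_BL", {
        "RCVD_IN_BL_SPAM": ("127.0.0.2", 2.5),
        "RCVD_IN_BL_EXPLOIT": ("127.0.0.4", 3.0),
        "RCVD_IN_BL_POLICY": ("127.0.0.10", 1.0),
    })
    first = rules.evaluate("192.0.0.2")          # SPAM and POLICY hit
    rules.set_score("RCVD_IN_BL_POLICY", 0)      # like 'score RCVD_IN_BL_POLICY 0'
    second = rules.evaluate("192.0.0.2")         # still queries, POLICY silent
    rules.set_score("__RCVD_IN_BL", 0)           # like 'score __RCVD_IN_BL 0'
    third = rules.evaluate("192.0.0.2")          # no query issued
    return resolver.queries, first, second, third


if __name__ == "__main__":
    print(demo())
```

Running demo() issues two queries, not three: zeroing RCVD_IN_BL_POLICY only silences that sub-rule, whereas zeroing __RCVD_IN_BL stops the lookup altogether, which is the difference the note above draws between a score of 0 on a sub-rule and disabling the check_rbl trigger rule. The blocked-query branch is why a block notification should be surfaced by its own rule rather than counted as a listing.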

Q: The DNS-blocklists just don't appear to be used. What is going wrong?

...

A: Third, if your email gateway is behind a firewall make sure that SpamAssassin is resolving the gateway to its external address. If SpamAssassin resolves the gateway to a private IP or can't resolve the name at all, it may mark the sending system as a trusted relay. As a result, some or all of the spammer's systems will not be checked against the DNSBL. (I'm not aware of any way to specify 'last trusted relay' in SA.)

Q: Wouldn't it be a good idea to run a local nameserver anyway, so that a caching nameserver can cache blocklist query results?

A: Yes! In fact, doing this is important to avoid false results from some DNS lists (e.g. DNSWL) if you are at a large ISP, and if you're running a busy mailserver it is essential for efficiency. See CachingNameserver.

Q: Does anybody know of a good way to use the cluecentral.net country lists (http://www.cluecentral.net/rbl/showcountries.php)? I'd like to penalize certain countries from which I get a lot of spam and almost no real mail. I can't seem to get it working with multiple countries.

A: See RelayCountryPlugin.