
DNS Blocklists

Introduction

DNS Blocklists are a common form of network-accessible database used in spam detection. They're also referred to as "DNSBLs", "DNS Blacklists" and "RBLs". (The latter usage is incorrect; see ["RBL"].)

SpamAssassin includes support for many of the bigger DNSBLs, with optimal scores (or at least, optimal as determined by the GeneticAlgorithm).

Black Lists

Support for the following DNSBLs is built-in, and shipped in the default configuration.

  • DSBL http://dsbl.org/
  • NJABL http://www.njabl.org/dynablock.html
  • RHSBL dnsbl.ahbl.org
  • SORBS http://www.sorbs.net/
  • Spamhaus SBL+XBL http://www.spamhaus.org/
  • SECURITYSAGE blackholes.securitysage.com
  • SPAMCOP http://www.spamcop.net/
  • MAPS http://www.mailabuse.org/
    If you're installing SpamAssassin for site-wide use, you must license their services; mail-abuse.org is now only free for personal use. (Note that SpamAssassin still works very well without using these services, however.)

Policy Lists

The following DNSBLs are not specifically about spam, but instead about sites which break net policies and conventions... practices which are often associated with spammers.

  • Combined Bogon IP/Hijacked IP/Invalid Whois/ http://www.completewhois.com/bogons/index.htm
  • RFC Ignorant http://www.rfc-ignorant.org/

Some people disable or score down the RFC Ignorant list because they get false positives from sites which aren't maintained well. Others prefer not to accept their mail.

Whitelists

The following DNS checks are actually for whitelists: sites which are certified by someone to be a reasonable sender.

  • Bonded Sender Program: Trusted sender in Bonded Sender Program
  • IADB Vouched: ISIPP Vouched for Sender
  • Habeas Accredited Senders: Habeas accredited sender

Accuracy

Live accuracy figures for most of the DNSBLs used in SpamAssassin, based on the Oct 2003 mail feed for one user, can be found [http://taint.org/2003/11/07/184247a_mail.html here].

Other Lists

Other places to find out about DNS blacklists / blocklists:

Note that it's extremely important to compare false positive rates (nonspam messages marked as spam), as well as spam hit-rates, when evaluating any anti-spam system, including DNS blocklists. (For example, a blocklist that returned a match for every single mail would 'catch all the spam', but would also mark every nonspam mail too.) Some of the above pages omit this information, so take them with a pinch of salt.
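The comparison described above, as an added example that is not part of the original page or of SpamAssassin: it computes the spam hit-rate and the false positive rate for each list over a labelled mail corpus and ranks the lists with false positives considered first. The corpus and the list names LIST_A, LIST_B and LIST_ALL are constructed for illustration.

```python
from collections import Counter

# Constructed corpus: (is_spam, names of the lists that matched the message).
# LIST_A, LIST_B and LIST_ALL are made-up names; LIST_ALL models the
# "matches every single mail" blocklist from the paragraph above.
CORPUS = [
    (True,  {"LIST_A", "LIST_B", "LIST_ALL"}),
    (True,  {"LIST_A", "LIST_B", "LIST_ALL"}),
    (True,  {"LIST_A", "LIST_B", "LIST_ALL"}),
    (True,  {"LIST_B", "LIST_ALL"}),
    (False, {"LIST_B", "LIST_ALL"}),
    (False, {"LIST_B", "LIST_ALL"}),
    (False, {"LIST_ALL"}),
    (False, {"LIST_ALL"}),
]

def evaluate(corpus):
    """Per list: fraction of spam it hit and fraction of nonspam it hit."""
    spam_total = sum(1 for is_spam, _ in corpus if is_spam)
    ham_total = len(corpus) - spam_total
    if spam_total == 0 or ham_total == 0:
        raise ValueError("need both spam and nonspam to compare rates")
    spam_hits, ham_hits = Counter(), Counter()
    for is_spam, lists in corpus:
        (spam_hits if is_spam else ham_hits).update(lists)
    return {
        name: {"hit_rate": spam_hits[name] / spam_total,
               "fp_rate": ham_hits[name] / ham_total}
        for name in set(spam_hits) | set(ham_hits)
    }

def rank(report):
    """Order lists by lowest false-positive rate, then highest hit rate."""
    return sorted(report, key=lambda n: (report[n]["fp_rate"],
                                         -report[n]["hit_rate"]))

if __name__ == "__main__":
    report = evaluate(CORPUS)
    for name in rank(report):
        print(f"{name:9} spam hit {report[name]['hit_rate']:.0%}  "
              f"nonspam hit {report[name]['fp_rate']:.0%}")
```

On this sample LIST_ALL and LIST_B both catch all the spam, yet they rank below LIST_A because they also hit nonspam mail.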

[http://www.blocklisting.com/faq.html news.admin.net-abuse.blocklisting] is a newsgroup devoted to discussion of subjects related to the use, administration, and effects of blocklists in ameliorating the problem of unsolicited bulk email and other unwanted or abusive network traffic. It is also accessible through [http://groups.google.com/groups?group=news.admin.net-abuse.blocklisting groups.google.com].

Questions And Answers

Q: This documentation doesn't seem to cover how to configure dns-blocklists. It says "Support for these is built-in" but I can't believe that all free BLs are called each time a mail is being checked. There must be a way to configure which to use.

A: You're right. You might look at the [http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html Mail::SpamAssassin::Conf] documentation page which I admit doesn't really say how to configure which DNSBL to use, or the rules file [http://old.spamassassin.org/full/2.6x/dist/rules/20_dnsbl_tests.cf 20_dnsbl_tests.cf], for internal details, but no clear examples of how to configure the inclusion of various DNSBLs either. For the latest list of DNSBLs you want to be using SpamAssassin version 2.63 or 3.0.0-pre2, for the same reason that you wouldn't use an out-of-date virus scanner, but that also doesn't really have anything to do with the question.

To eliminate the use of a particular DNSBL, set the score to zero. Put lines like

score RCVD_IN_RFCI 0

score RCVD_IN_ORBS 0

score RCVD_IN_DSBL 0

in your local.cf if you don't want certain DNSBLs listed with RCVD_IN_* [http://old.spamassassin.org/full/2.6x/dist/rules/20_dnsbl_tests.cf 50_scores.cf] to be used. If you don't want any DNSBLs used, put a line like

skip_rbl_checks 1

in your local.cf.

Q: The dns-blocklists just don't appear to be used. What is going wrong?

A: First, make sure Net::DNS for perl is installed. Without this the blocklists will not be used.

A: Second, do some tests with Net::DNS to make sure it is resolving names (see the Net::DNS site for examples). A common mistake for client machines (such as Mandrake 9.2) is to have 127.0.0.1 in the /etc/resolv.conf file – Net::DNS does not check multiple nameservers it appears, so you need to comment this line out for Net::DNS to work. (Anybody with a better solution, other than running a local nameserver?)

A: Third, if your email gateway is behind a firewall, make sure that SpamAssassin is resolving the gateway to its external address. If SpamAssassin resolves the gateway to a private IP or can't resolve the name at all, it may mark the sending system as a trusted relay. As a result, some or all of the spammer's systems will not be checked against the DNSBL. (I'm not aware of any way to specify 'last trusted relay' in SA.)
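A stand-alone check for the resolver points in the answers above, as an added example that is not from the original page or from SpamAssassin: it builds the name a DNSBL client looks up (IPv4 octets reversed, then the list's zone), interprets the answer, and reports whether a loopback address is the first nameserver in a resolv.conf. The sample resolv.conf is constructed, and the zone to query is an assumption supplied by the reader as the only command-line argument.

```python
import ipaddress
import socket
import sys

# Constructed resolv.conf resembling the failure described above: a loopback
# entry listed first on a client that runs no local nameserver.
SAMPLE_RESOLV_CONF = """\
# written by the installer
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

def dnsbl_query_name(ip, zone):
    """Name a DNSBL client looks up: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def interpret_answer(a_records):
    """No A record means not listed; answers inside 127.0.0.0/8 mean listed."""
    if not a_records:
        return "not listed"
    in_loopback = all(ipaddress.IPv4Address(a).is_loopback for a in a_records)
    return "listed" if in_loopback else "unexpected answer"

def nameservers(resolv_conf_text):
    """Return the nameserver addresses in the order they appear in the file."""
    found = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found

def loopback_listed_first(resolv_conf_text):
    """True when the first nameserver is a loopback address (127.0.0.1, ::1)."""
    servers = nameservers(resolv_conf_text)
    try:
        return bool(servers) and ipaddress.ip_address(servers[0]).is_loopback
    except ValueError:
        return False

if __name__ == "__main__" and len(sys.argv) == 2:
    print("loopback first:", loopback_listed_first(open("/etc/resolv.conf").read()))
    name = dnsbl_query_name("127.0.0.2", sys.argv[1])  # conventional test entry
    try:
        answers = socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        answers = []
    print(name, "->", interpret_answer(answers))
```

The live lookup goes through the system resolver rather than Net::DNS, so it confirms that DNSBL queries can be answered from this host, not that Net::DNS itself is working.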

Q. Wouldn't it be a good idea to run a local nameserver anyway? So, you can run caching-nameserver to cache blocklist query results.

A: Yes! In fact, if you're running a busy mailserver, this is essential for efficiency. See CachingNameserver.

Q: Does anybody know of a good way to use the [http://www.cluecentral.net/rbl/showcountries.php cluecentral.net country lists]? I'd like to penalize certain countries from which I get a lot of spam and almost no real mail. I can't seem to get it working with multiple countries.

A: See RelayCountryPlugin.