DNS Blocklists
Introduction
DNS Blocklists are a common form of network-accessible database used in spam detection. They're also referred to as "DNSBLs", "DNS Blacklists" and "RBLs". (The latter usage is incorrect; see "RBL".)
SpamAssassin includes support for many of the bigger DNSBLs, with optimal scores (or at least, optimal as determined by the GeneticAlgorithm).
...
Spamhaus PBL+SBL+XBL http://www.spamhaus.org/
Note that Spamhaus is NOT free for commercial or high volume use, see: http://www.spamhaus.org/organization/dnsblusage.html
SPAMCOP http://www.spamcop.net/
NJABL http://www.njabl.org/
AHBL http://www.ahbl.org/
SORBS http://www.sorbs.net/
Trend Micro http://www.mailabuse.org/
If you're installing SpamAssassin for site-wide use, you must license their services; mail-abuse.org is now only free for personal use. (Note that SpamAssassin still works very well without using these services, however.)
...
Combined Bogon IP/Hijacked IP/Invalid Whois/ http://www.completewhois.com/bogons/index.htm
RFC Ignorant http://www.rfc-ignorant.org/
Some people disable or score down the RFC Ignorant list because they get false positives from sites which aren't maintained well. Others prefer not to accept their mail.
...
DNSWL http://www.dnswl.org/
Sender Score Certified & Sender Score Safe List http://www.senderscorecertified.com/ (formerly Ironport Bonded Sender & Habeas Safelist)
IADB Vouched ISIPP Vouched for Sender http://www.isipp.com/iadb.php
Accuracy
...
Live accuracy figures for most of the DNSBLs used in SpamAssassin, based on the Oct 2003 mail feed for one user, can be found here: http://taint.org/2003/11/07/184247a_mail.html
Other Lists
Other places to find out about DNS blacklists / blocklists:
...
Note that it's extremely important to compare false positive rates (nonspam messages marked as spam), as well as spam hit-rates, when evaluating any anti-spam system, including DNS blocklists. (For example, a blocklist that returned a match for every single mail would 'catch all the spam', but would also mark every nonspam mail too.) Some of the above pages omit this information, so take them with a pinch of salt.
news.admin.net-abuse.blocklisting (http://www.blocklisting.com/faq.html) is a newsgroup devoted to discussion of subjects related to the use, administration, and effects of blocklists in ameliorating the problem of unsolicited bulk email and other unwanted or abusive network traffic. It is also accessible through groups.google.com (http://groups.google.com/groups?group=news.admin.net-abuse.blocklisting).
Questions And Answers
Q: This documentation doesn't seem to cover how to configure dns-blocklists. It says "Support for these is built-in" but I can't believe that all free BLs are called each time a mail is being checked. There must be a way to configure which to use.
A: You're right. You might look at the Mail::SpamAssassin::Conf (http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html) documentation page which I admit doesn't really say how to configure which DNSBL to use, or the rules file 20_dnsbl_tests.cf (http://spamassassin.apache.org/dist/rules/20_dnsbl_tests.cf), for internal details, but no clear examples of how to configure the inclusion of various DNSBLs either. For the latest list of DNSBLs you want to be using a recent SpamAssassin version (3.2.x at the time of this correction) and sa-update (see RuleUpdates), for the same reason that you wouldn't use an out-of-date virus scanner, but that also doesn't really have anything to do with the question.
If you don't want any DNSBLs used, put a line like
...
score RCVD_IN_ORBS 0
score RCVD_IN_DSBL 0
in your local.cf if you don't want certain DNSBLs listed with RCVD_IN_* in 50_scores.cf (http://spamassassin.apache.org/dist/rules/50_scores.cf) to be used.
Note: many of the DNSBLs that can return multiple lists with one DNS query (e.g. zen.spamhaus.org) are implemented using one unscored rule that triggers the DNS lookup and stores the result, and several scored rules that check against that stored result. For these sets, if you wish to completely disable the DNS lookup, you will need to disable the unscored rule. It can be found by looking in 20_dnsbl_tests.cf for the rule implemented using "check_rbl" instead of "check_rbl_sub".
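The lookup-rule search described in the note above, as an added example (not part of the original wiki page or of SpamAssassin): a Python script that groups rules by their check_rbl set name and emits "score NAME 0" lines in the form shown earlier. The sample rules are constructed in the style of 20_dnsbl_tests.cf; the function names and the RCVD_IN_EXAMPLE / dnsbl.example.org entry are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the style of 20_dnsbl_tests.cf (not copied from the real file).
SAMPLE_RULES = """\
header __RCVD_IN_ZEN   eval:check_rbl('zen', 'zen.spamhaus.org.')
header RCVD_IN_SBL     eval:check_rbl_sub('zen', '127.0.0.2')
header RCVD_IN_XBL     eval:check_rbl_sub('zen', '127.0.0.[45678]')
header RCVD_IN_PBL     eval:check_rbl_sub('zen', '127.0.0.1[01]')
# hypothetical single-list zone: one rule does the lookup itself
header RCVD_IN_EXAMPLE eval:check_rbl('example', 'dnsbl.example.org.')
"""

# header NAME eval:check_rbl('set', 'zone.')  or  eval:check_rbl_sub('set', 'result')
RULE_RE = re.compile(
    r"^\s*header\s+(?P<name>\S+)\s+eval:(?P<func>check_rbl(?:_sub)?)\(\s*"
    r"'(?P<set>[^']+)'\s*,\s*'(?P<arg>[^']+)'")

def parse_dnsbl_sets(text):
    """Group rules by set name: the check_rbl rule that does the DNS lookup,
    plus the check_rbl_sub rules that only read its stored result."""
    sets = defaultdict(lambda: {"lookup": None, "zone": None, "subs": {}})
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, other rule types
        entry = sets[m["set"]]
        if m["func"] == "check_rbl":
            entry["lookup"], entry["zone"] = m["name"], m["arg"].rstrip(".")
        else:
            entry["subs"][m["name"]] = m["arg"]
    return dict(sets)

def local_cf_to_disable(text, zone):
    """Return local.cf 'score NAME 0' lines that stop all use of `zone`:
    the lookup rule first, then the rules that depend on its result."""
    for entry in parse_dnsbl_sets(text).values():
        if entry["zone"] == zone and entry["lookup"]:
            names = [entry["lookup"], *sorted(entry["subs"])]
            return [f"score {n} 0" for n in names]
    return []  # zone not queried by any check_rbl rule in this file

if __name__ == "__main__":
    print("\n".join(local_cf_to_disable(SAMPLE_RULES, "zen.spamhaus.org")))
```

Zeroing only the check_rbl_sub rules would leave the DNS query in place, which is why the lookup rule is listed first.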
...
- Yes! In fact, if you're running a busy mailserver, this is essential for efficiency. See CachingNameserver.
Q: Does anybody know of a good way to use the cluecentral.net country lists (http://www.cluecentral.net/rbl/showcountries.php)? I'd like to penalize certain countries from which I get a lot of spam and almost no real mail. I can't seem to get it working with multiple countries.
- See RelayCountryPlugin.