DNS Blocklists

Introduction

DNS Blocklists are a common form of network-accessible database used in spam detection. They're also referred to as "DNSBLs", "DNS Blacklists" and "RBLs". (The latter usage is incorrect; see "RBL".)

SpamAssassin includes support for many of the bigger DNSBLs, with optimal scores (or at least, optimal as determined by the GeneticAlgorithm).

...

Spamhaus PBL+SBL+XBL http://www.spamhaus.org/

Note that Spamhaus is NOT free for commercial or high volume use, see: http://www.spamhaus.org/organization/dnsblusage.html

SPAMCOP http://www.spamcop.net/

NJABL http://www.njabl.org/

AHBL http://www.ahbl.org/

SORBS http://www.sorbs.net/

Trend Micro http://www.mailabuse.org/

If you're installing SpamAssassin for site-wide use, you must license their services; mail-abuse.org is now only free for personal use. (Note that SpamAssassin still works very well without using these services, however.)

...

Combined Bogon IP/Hijacked IP/Invalid Whois/ http://www.completewhois.com/bogons/index.htm

RFC Ignorant http://www.rfc-ignorant.org/

Some people disable or score down the RFC Ignorant list because they get false positives from sites which aren't maintained well. Others prefer not to accept their mail.

...

DNSWL http://www.dnswl.org/

Sender Score Certified & Sender Score Safe List http://www.senderscorecertified.com/ (formerly Ironport Bonded Sender & Habeas Safelist)

IADB Vouched ISIPP Vouched for Sender http://www.isipp.com/iadb.php

Accuracy

...

Live accuracy figures for most of the DNSBLs used in SpamAssassin, based on the Oct 2003 mail feed for one user, can be found at http://taint.org/2003/11/07/184247a_mail.html.

Other Lists

Other places to find out about DNS blacklists / blocklists:

...

Note that it's extremely important to compare false positive rates (nonspam messages marked as spam), as well as spam hit-rates, when evaluating any anti-spam system, including DNS blocklists. (For example, a blocklist that returned a match for every single mail would 'catch all the spam', but would also mark every nonspam mail too.) Some of the above pages omit this information, so take them with a pinch of salt.

news.admin.net-abuse.blocklisting (http://www.blocklisting.com/faq.html) is a newsgroup devoted to discussion of subjects related to the use, administration, and effects of blocklists in ameliorating the problem of unsolicited bulk email and other unwanted or abusive network traffic. It is also accessible through groups.google.com (http://groups.google.com/groups?group=news.admin.net-abuse.blocklisting).

Questions And Answers

Q: This documentation doesn't seem to cover how to configure dns-blocklists. It says "Support for these is built-in" but I can't believe that all free BLs are called each time a mail is being checked. There must be a way to configure which to use.

A: You're right. You might look at the Mail::SpamAssassin::Conf documentation page (http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html), which I admit doesn't really say how to configure which DNSBL to use, or the rules file 20_dnsbl_tests.cf (http://spamassassin.apache.org/dist/rules/20_dnsbl_tests.cf), for internal details, but no clear examples of how to configure the inclusion of various DNSBLs either. For the latest list of DNSBLs you want to be using a recent SpamAssassin version (3.2.x at the time of this correction) and sa-update (see RuleUpdates), for the same reason that you wouldn't use an out-of-date virus scanner, but that also doesn't really have anything to do with the question.

If you don't want any DNSBLs used, put a line like

...

score RCVD_IN_ORBS 0

score RCVD_IN_DSBL 0

in your local.cf if you don't want certain DNSBLs listed with RCVD_IN_* in 50_scores.cf (http://spamassassin.apache.org/dist/rules/50_scores.cf) to be used.

Note: many of the DNSBLs that can return multiple lists with one DNS query (e.g. zen.spamhaus.org) are implemented using one unscored rule that triggers the DNS lookup and stores the result, and several scored rules that check against that stored result. For these sets, if you wish to completely disable the DNS lookup, you will need to disable this rule. It can be found by looking at 20_dnsbl_tests.cf and finding the rule implemented using "check_rbl" instead of "check_rbl_sub".
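The search described in the note above can be scripted. The following is an added example, not part of the original page or of SpamAssassin itself: it groups rules by DNSBL set name and reports which rule actually triggers the lookup. The sample rules text is constructed for illustration, the function names are hypothetical, and it assumes the lookup rule is disabled with the same "score <rule> 0" form shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the style of 20_dnsbl_tests.cf (not the shipped file).
SAMPLE_RULES = """\
header __RCVD_IN_ZEN   eval:check_rbl('zen', 'zen.spamhaus.org.')
tflags __RCVD_IN_ZEN   net
header RCVD_IN_SBL     eval:check_rbl_sub('zen', '127.0.0.2')
header RCVD_IN_XBL     eval:check_rbl_sub('zen', '127.0.0.4')
# header RCVD_IN_OLD   eval:check_rbl('old', 'old.example.')
header RCVD_IN_EXAMPLE eval:check_rbl('example-set', 'dnsbl.example.')
"""

# Matches only active "header" lines using check_rbl or check_rbl_sub;
# commented-out lines and other eval functions are ignored.
RULE_RE = re.compile(
    r"^\s*header\s+(?P<rule>\S+)\s+eval:(?P<func>check_rbl(?:_sub)?)"
    r"\(\s*'(?P<set>[^']+)'\s*,\s*'(?P<arg>[^']+)'"
)

def group_dnsbl_rules(cf_text):
    """Map each set name to its lookup rule, zone and dependent sub-rules."""
    sets = defaultdict(lambda: {"lookup": None, "zone": None, "subs": []})
    for line in cf_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        entry = sets[m["set"]]
        if m["func"] == "check_rbl":
            # This rule performs the DNS query for the whole set.
            entry["lookup"], entry["zone"] = m["rule"], m["arg"]
        else:
            # check_rbl_sub only inspects the stored result.
            entry["subs"].append(m["rule"])
    return dict(sets)

def lookup_rules_to_disable(cf_text, zone):
    """Return local.cf lines zeroing every lookup rule that queries `zone`."""
    wanted = zone.rstrip(".")
    lines = []
    for info in group_dnsbl_rules(cf_text).values():
        queried = (info["zone"] or "").rstrip(".")
        if info["lookup"] and (queried == wanted or queried.endswith("." + wanted)):
            lines.append(f"score {info['lookup']} 0")
    return lines

if __name__ == "__main__":
    for name, info in group_dnsbl_rules(SAMPLE_RULES).items():
        print(name, "lookup:", info["lookup"], "subs:", info["subs"])
    print("\n".join(lookup_rules_to_disable(SAMPLE_RULES, "spamhaus.org")))
```

Zeroing only the scored sub-rules stops them contributing to the score but leaves the DNS query in place, which is why the output names the lookup rule.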

...

  1. Yes! In fact, if you're running a busy mailserver, this is essential for efficiency. See CachingNameserver.

Q: Does anybody know of a good way to use the cluecentral.net country lists (http://www.cluecentral.net/rbl/showcountries.php)? I'd like to penalize certain countries from which I get a lot of spam and almost no real mail. I can't seem to get it working with multiple countries.

  1. See RelayCountryPlugin.