...
To implement DNS blocklists, it is strongly recommended to run your own CachingNameserver.
SpamAssassin Policy for DNSBL Inclusion
The SpamAssassin Policy for DNSBL Inclusion is available at DnsBlocklistsInclusionPolicy
Black Lists
Support for the following DNSBLs is built-in, and shipped in the default configuration.
- AHBL http://www.ahbl.org/
- Mailspike http://www.mailspike.net/ Mailspike has a few components: in the sense of blacklists, Mailspike has a blacklist and a zombie list (participants of current spam waves).
- DNSWL http://www.dnswl.org/ NOTE: DNSWL is enabled as a "free for most" provider. See: http://www.dnswl.org/license.
- NJABL http://www.njabl.org/
- SORBS http://www.sorbs.net/ Note: most zones are included except the actual spam zone due to a $50 delisting fee. You can enable it manually if desired.
- SpamCop http://www.spamcop.net/ SpamCop accepts (automatic) submissions and sends abuse mail on your behalf. SA has a plugin for reporting.
- Spamhaus ZEN (PBL+SBL+XBL) http://www.spamhaus.org/zen/ NOTE: Spamhaus is enabled as a "free for most" provider. See: http://www.spamhaus.org/organization/dnsblusage.html.
...
- SURBL http://www.surbl.org/ NOTE: SURBL is enabled as a "free for most" provider. See: http://www.surbl.org/usage-policy.
- Trend Micro http://www.mailabuse.org/ NOTE: Mail Abuse aka MAPS is now TrendMicro Email Reputation Services aka RBL+. This is a commercial product and is no longer enabled by default.
- URIBL http://www.uribl.com/ NOTE: URIBL is enabled as a "free for most" provider. See: http://www.uribl.com/about.shtml.
Policy Lists
The following DNSBLs are not specifically about spam, but instead about sites which break net policies and conventions... practices which are often associated with spammers.
- Combined Bogon IP/Hijacked IP/Invalid Whois http://www.completewhois.com/bogons/index.htm
- RFC Ignorant http://www.rfc-ignorant.org/ NOTE: RFC Ignorant is controversial. Some administrators may wish to disable or lower the score for the RFC Ignorant list.
Reputation
The following DNS checks have diverse levels of reputation:
- Mailspike http://www.mailspike.net/ Mailspike has a reputation list of 10 different levels between a good and bad reputation. The top and bottom define their white and blacklists.
Whitelists
The following DNS checks are actually for WHITE lists, or sites which are certified by someone to be a reasonable sender.
- DNSWL http://www.dnswl.org/ NOTE: DNSWL is enabled as a "free for most" provider. See http://www.dnswl.org/license.
- ISIPP Accreditation Database (IADB) http://www.isipp.com/email-accreditation/
- Mailspike http://www.mailspike.net/
- Sender Score Certified & Sender Score Safe List http://www.senderscorecertified.com/ (formerly Ironport Bonded Sender & Habeas Safelist)
URIBLs
The following DNS checks are for URIs (e.g. http links).
- Spamhaus http://www.spamhaus.org/dbl/ Checking for spamvertized/phishing/malware/botnet/abused redirector sites. Also checking for NS and A records.
Accuracy
Live accuracy figures for most of the DNSBLs used in SpamAssassin, based on the Oct 2003 mail feed for one user, can be found here.
...
Other Lists
Other places to find out about DNS blacklists / blocklists:
- Spamlinks http://spamlinks.net/filter-dnsbl.htm
- Wikipedia on DNSBLs http://wikipedia.org/wiki/DNSBL
- Dr. Jørgen Mash's DNS database list checker http://moensted.dk/spam/
- List of All Known DNS-based Spam Databases (blacklists) http://www.declude.com/junkmail/support/ip4r.htm
- Current Blacklist Comparison (note: no statistics for false positive rates) http://www.sdsc.edu/~jeffen/spam/cbc.html
- Weekly Blacklist Statistics (including hit rate and false positive rate) http://www.intra2net.com/support/antispam/
Note that it's extremely important to compare false positive rates (nonspam messages marked as spam), as well as spam hit-rates, when evaluating any anti-spam system, including DNS blocklists. (For example, a blocklist that returned a match for every single mail would 'catch all the spam', but would also mark every nonspam mail too.) Some of the above pages omit this information, so take them with a pinch of salt.
news.admin.net-abuse.blocklisting is a newsgroup devoted to discussion of subjects related to the use, administration, and effects of blocklists in ameliorating the problem of unsolicited bulk email and other unwanted or abusive network traffic. It is also accessible through groups.google.com.
Questions And Answers
...
Resolving the block might be as simple as using your own non-forwarding caching nameserver to avoid being lumped together with other users' queries; setting up your own mirror of the DNS-blocklist; or paying to use the blocklist. The choice is up to the DNS-Blocklist administrator.
...
- URIBL http://www.uribl.com/ (rule URIBL_BLOCKED)
- DNSWL http://www.dnswl.org/ (rule RCVD_IN_DNSWL_BLOCKED)
- Spamhaus http://www.spamhaus.org/
- SURBL http://www.surbl.org/ (rule SURBL_BLOCKED)
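What the *_BLOCKED rules above guard against, as an added example (not SpamAssassin's code): a lookup that is answered with a "query refused" sentinel must not be counted as a listing, or as a whitelist match in DNSWL's case. The zone names other than zen.spamhaus.org and all sentinel values are assumptions taken from the list operators' published return codes, and the DNS answers are constructed samples so the code runs offline.

```python
import ipaddress

# "Query refused" sentinels per zone. Assumed from the operators' published
# return codes; only zen.spamhaus.org is named on this page.
BLOCKED = {
    "multi.uribl.com": {"127.0.0.1"},
    "multi.surbl.org": {"127.0.0.1"},
    "list.dnswl.org": {"127.0.0.255"},
    "zen.spamhaus.org": {"127.255.255.254", "127.255.255.255"},
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def query_name(ip, zone):
    """Build the lookup name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")

def classify(zone, answers):
    """Turn the A records of one lookup into a verdict."""
    if not answers:
        return "not-listed"  # NXDOMAIN or empty answer
    if any(a in BLOCKED.get(zone.rstrip("."), ()) for a in answers):
        return "blocked"     # the list refused the query; carries no verdict
    if all(ipaddress.ip_address(a) in LOOPBACK for a in answers):
        return "listed"
    return "invalid"         # non-127/8 answer, e.g. a resolver rewriting NXDOMAIN

# Constructed answers standing in for a real resolver.
SAMPLE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
    "1.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
    "1.2.0.192.list.dnswl.org": ["127.0.0.255"],
}

def check(ip, zone, lookup=SAMPLE_DNS.get):
    """Look up one address in one zone and classify the result."""
    return classify(zone, lookup(query_name(ip, zone)) or [])
```

A test that treats any returned A record as a hit would score both blocked samples as real results, which is the false result a non-forwarding caching nameserver is meant to prevent.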
Q: This documentation doesn't seem to cover how to configure DNS-Blocklists. It says "Support for these is built-in" but I can't believe that all free BLs are called each time a mail is being checked. There must be a way to configure which to use.
A: You're right. You might look at the Mail::SpamAssassin::Conf documentation page which I admit doesn't really say how to configure which DNSBL to use, or the rules file 20_dnsbl_tests.cf, for internal details, but no clear examples of how to configure the inclusion of various DNSBLs either. For the latest list of DNSBLs you want to be using a recent SpamAssassin version (3.4.1 at the time of this correction) and sa-update, for the same reason that you wouldn't use an out-of-date virus scanner, but that also doesn't really have anything to do with the question.
If you don't want any DNSBLs used, put a line like
skip_rbl_checks 1
in your local.cf
To eliminate the use of a particular DNSBL, set the score to zero. Put lines like
score RCVD_IN_RFCI 0
...
score RCVD_IN_ORBS 0
...
score RCVD_IN_DSBL 0
in your local.cf if you don't want certain DNSBLs listed with RCVD_IN_* in 50_scores.cf to be used.
...
At present, the query trigger rule for SpamHaus looks like this:
header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.')
So to disable it you'd use:
score __RCVD_IN_ZEN 0
To disable all DNSWL rules, use:
score __RCVD_IN_DNSWL 0
NOTE: As of SpamAssassin version 3.4, you may disable queries for any BL by adding the following to local.cf:
dns_query_restriction deny bldomain
for example:
dns_query_restriction deny sorbs.net
Q: The dns-blocklists just don't appear to be used. What is going wrong?
...
- Yes! In fact, doing this is important to avoid false results from some DNS lists (e.g. DNSWL) if you have a large ISP and, if you're running a busy mailserver, this is essential for efficiency. See CachingNameserver.
Q: Does anybody know of a good way to use the cluecentral.net country lists? I'd like to penalize certain countries from which I get a lot of spam and almost no real mail. I can't seem to get it working with multiple countries.
...