The Spamhaus Block List -- let's start here because the SBL is without doubt the safest DNSBL to use. Just look at the listing criteria. You can be absolutely certain that any email you block as a result of a hit on the SBL is spam. Don't just think about it. Use it.
Distributed Server Boycott List (DSBL) -- in my experience, fairly safe to use and extremely effective. We have seen false positives but only where a legitimate sender has left their SMTP server open to relay and the relay has been found and exploited. In these circumstances a DSBL listing serves as a heads up to us and the remote party to close the relay and have it retested. The sheer size of the DSBL is its great strength and this stems from the distributed nature of submissions to the lists, so using the DSBL will kill a lot of spam coming at you from trojaned proxies and the like. Always consider. If you have a whitelist, always use.
There is only one Spamcop -- increasingly safe to use because providing a chain can be verified for a spam which has been through multiple routing hops, Spamcop will not usually list the IP of the host that delivers it. Where Spamcop does list the IP that delivers the mail, it is almost invariably going direct-to-MX from an IP that is not known to send a lot of good email, a pretty reliable spam indicator in my book. Spamcop's official advice is not to use for blocking, but only for tagging and statistical analysis. I think this overcautious. Can't remember the last time I saw a false positive from Spamcop. Always consider.
The Open Relay Database (ORDB) -- is beginning to look a little redundant to me. We have used it to great effect in the past but because it only lists simple relays and so much spam comes from sources other than simple relays these days, the balance of risk/reward has shifted. Consider if you have a whitelist.
SORBS -- this is a very effective list, being a composite of a number of zones with different listing criteria, but will inevitably cause some false positives for at least two reasons. Firstly, one of the SORBS subzones is populated automatically from spamtraps. If an AOL user spams a SORBS spamtrap, SORBS will list an AOL mail relay and sites that block using SORBS will start to deny AOL email. Secondly, another of the SORBS subzones is SPEWS and it is the stated policy (which I personally support) of SPEWS to cause collateral damage, thus causing non-spamming users to abandon spam-friendly ISPs. Therefore, consider if you have a whitelist. Otherwise consider using some of the SORBS subzones, particularly the dun.dnsbl.sorbs.net zone which replaces the late and very much lamented Easynet Dynablocker.
Lastly for today, The CBL (Composite Blocking List) deserves an honourable mention. Its stated listing policy is designed to operate in a way that avoids false positives while providing good coverage. It seems to achieve this, because I have never seen a false positive. The CBL probably overlaps with other DNSBLs mentioned here (DSBL, Spamcop and SORBS are the most likely) but if you can't or don't want to use all of those, the CBL is a worthy substitute. Consider using if unable to use at least two of DSBL, Spamcop and SORBS. Or, use xbl.spamhaus.org which contains largely the same data.
If you choose to use the SBL and the CBL, a better alternative is to use the combined sbl-xbl.spamhaus.org zone -- two lists for the price of one.
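How a mail server might apply these recommendations, as an added example that is not the author's configuration: the whitelist is consulted before any DNSBL, and each zone carries its own action. The zone names come from the post; the reject/tag split, the whitelist argument and the function names are assumptions made for illustration.

```python
import ipaddress
import socket

# Zone names are taken from the post; the reject/tag split is an assumption
# made for this example, not the author's configuration.
ZONES = {
    "sbl-xbl.spamhaus.org": "reject",
    "dun.dnsbl.sorbs.net": "tag",
}
LISTED = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here


def query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_a_lookup(name):
    """Default resolver: return the A record as a string, or None if absent."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None  # no record: the address is not listed in this zone


def check_sender(ip, whitelist=(), zones=ZONES, resolve=dns_a_lookup):
    """Return (action, hits); action is 'accept', 'tag' or 'reject'."""
    addr = ipaddress.IPv4Address(ip)
    # Whitelist first, so a known-good sender survives a DNSBL listing.
    if any(addr in ipaddress.ip_network(net) for net in whitelist):
        return "accept", []
    hits = []
    for zone, action in zones.items():
        answer = resolve(query_name(ip, zone))
        # Only answers inside 127.0.0.0/8 count as a listing; any other
        # address (a wildcarded or expired zone) is ignored.
        if answer and ipaddress.ip_address(answer) in LISTED:
            hits.append((zone, action, answer))
    if any(action == "reject" for _, action, _ in hits):
        return "reject", hits
    return ("tag", hits) if hits else ("accept", [])
```

Passing a different `resolve` callable lets the policy be exercised without touching live DNS.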
1. Eric Parsons 19/04/2004 16:30:23
Homepage: http://www.startingblockcomputing.com
For those of you working or considering working on your own list, I have been creating an RBL converter that converts the headers into the zone file for the DNS crew. In the next week or so, I will be putting it up as freeware to see if it has any use to others.
Chris, I understand if you nuke this post, and please accept my pardons if I'm way out of line.
2. Chris Linfoot 19/04/2004 16:57:01
Nope. Not nuking this. But curious.
What do you mean "RBL converter that converts the headers into the zone file"?
I know what a zone file is. But what headers are you converting? Is the idea that you grab IP addresses from Received headers and use those to construct an RBL zone? If so, what name servers will you support? If not...
Well, please clarify.
3. Eric Parsons 11/05/2004 04:02:17
Homepage: http://www.startingblockcomputing.com
RBL II is now available on the site. It's freeware, but like anyone, I will accept donations to keep it going.
Yes, Chris, it's a converter from raw headers. I'll post the Domino code to condense messages in an inbox to a text file that fits right into the converter.
I also have the Report Abuse agent in the mail template. Cannot take credit for that agent, it's in the Sandbox at NN. (or whatever they call it these days.)
Taking about 300-500 reported abuses in a Mail in database, creating a zone file for the DNS guys, all in less than 15 minutes. This includes Reverse DNS lookup of the ip address at a 40 second timeout. (Biggest issue to get running better.)
The other big item to add is the White listing feature. There is currently the Sacred Cow list, but that only keeps an address off the RBL. It doesn't produce the second list. Will try to get that in by Domino 7.
Any call for a sql database? Who knows.
Play with it, and let me know your thoughts.
Keep up the solid spam work.
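The idea discussed in the comments above, taking addresses from the Received headers of reported spam and emitting a DNSBL zone, shown as an added example; it is not RBL II's code or anything posted by either commenter. The MX name, the never-list ranges, the zone origin and the BIND-style record layout are assumptions, and the sample reports are constructed.

```python
import email
import ipaddress
import re

OUR_MX = "mx.example.org"  # hypothetical: the MX whose Received stamp we trust
# Hypothetical "sacred cow" ranges that must never be listed.
SACRED_COWS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "127.0.0.0/8", "198.51.100.0/24")]

# Constructed sample reports (documentation addresses, not real senders).
REPORTS = [
    # Direct-to-MX spam; the lower Received line is forged by the sender.
    "Received: from a.example (unknown [203.0.113.25])\n"
    "\tby mx.example.org; 11 May 2004\n"
    "Received: from bank.example ([198.51.100.7]) by relay.example\n"
    "Subject: offer\n\nbody\n",
    # Internal hop on top; the MX stamp below it names the real source.
    "Received: from mx.example.org ([10.0.0.5]) by store.example.org\n"
    "Received: from b.example ([192.0.2.77]) by mx.example.org\n"
    "Subject: pills\n\nbody\n",
    # Reported by mistake: delivered from a sacred-cow range.
    "Received: from partner.example ([198.51.100.9]) by mx.example.org\n"
    "Subject: invoice\n\nbody\n",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)

def delivering_ip(raw):
    """IP from the topmost Received header stamped by OUR_MX, else None."""
    for hdr in email.message_from_string(raw).get_all("Received", []):
        by, ip = BY_RE.search(hdr), IP_RE.search(hdr)
        if by and ip and by.group(1).lower().rstrip(".") == OUR_MX:
            try:
                return ipaddress.IPv4Address(ip.group(1))
            except ValueError:  # e.g. [999.1.1.1]
                return None
    return None

def build_zone(reports, origin="rbl.example.org."):
    """Return BIND-style DNSBL records for every reported, listable IP."""
    ips = {delivering_ip(r) for r in reports} - {None}
    ips = {ip for ip in ips if not any(ip in net for net in SACRED_COWS)}
    lines = ["$ORIGIN " + origin]
    for ip in sorted(ips):
        name = ".".join(reversed(str(ip).split(".")))
        lines += [f"{name} IN A 127.0.0.2",
                  f'{name} IN TXT "Reported as spam source"']
    return "\n".join(lines) + "\n"
```

Only the header stamped by the receiving MX is used, because every Received line below it was supplied by the sending side and can be forged.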