In-Depth

Using DNSBLs

How Black Lists work for blocking spam.

Just about every server-side anti-spam product offers DNS Black Lists (DNSBLs, sometimes called Real-time Black Lists or RBLs) as an option for blocking spam. You may be able to use this as an effective anti-spam tool, but you’ll need to have some basic understanding of the field first.

A DNSBL uses the DNS protocol to signal whether a particular mail server is a source of unwanted e-mail. Some such lists are free, and others are supported by subscription. Your anti-spam software makes a DNS inquiry to the DNSBL server, but the returned IP address doesn’t point to a server. Rather, it’s a code that tells you what the DNSBL server thinks of the domain in question. For example, a return code of 127.0.0.2 usually indicates a server that the DNSBL thinks you should block.

The original DNSBLs concentrated on identifying open relays. An open relay is an SMTP server that will accept mail from anyone, for anyone, regardless of domain. Open relays are often targeted by spammers, because they will happily accept mail from bogus return addresses and deliver it anywhere. If you’re running an open relay, you should almost certainly stop doing so; starting with Exchange 2000, Microsoft Exchange is not open by default.

Many of the best-known DNSBLs still concentrate on open relays. ORDB, MAPS, and OsiruSoft are probably the leaders in this class. More recently, other organizations (notably SpamHaus) have started using the DNSBL protocol to indicate servers that host known spammers, whether they’re open relays or not. By running your e-mail through such a known spammer’s relay, you can effectively block much spam e-mail before it gets to your users.

Additional Information on Spam

Outrun the Avalanche
http://mcpmag.com/features/article.asp?editorialsid=362

What's New in Exchange 2003
http://mcpmag.com/features/article.asp?editorialsid=363

Understanding Bayesian Analysis
http://mcpmag.com/features/article.asp?editorialsid=364

Two Services for the Enterprise
http://mcpmag.com/features/article.asp?editorialsid=365

A Thanks to Hormel
http://mcpmag.com/features/article.asp?editorialsid=367

Spam-Fighting Terminology
http://mcpmag.com/features/article.asp?editorialsid=368

While DNSBLs seem like an ideal way to block spam, you need to exercise considerable caution to use them effectively. First, the different DNSBLs differ in how aggressive they are. Some have been known to declare all of yahoo.com or hotmail.com as spam, based on the actions of a few users. Second, mistakes can and do happen. Over the month that I was working on this roundup, I had DNSBL mistakenly identify MCP Magazine’s own domain as a spam source. And one of my own domains spent time on the ORDB list thanks to an IP address change that they were slow to react to.

For a good list of DNSBL servers, try www.email-policy.com/Spam-black-lists.htm.

About the Author

Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.

Featured