How Black Lists work for blocking spam.
- By Mike Gunderloy
- October 01, 2003
Just about every server-side anti-spam product offers DNS Black Lists
(DNSBLs, sometimes called Real-time Black Lists or RBLs) as an option
for blocking spam. You may be able to use this as an effective anti-spam
tool, but you’ll need to have some basic understanding of the field first.
A DNSBL uses the DNS protocol to signal whether a particular mail server is a source of unwanted e-mail. Some such lists are free, and others are supported by subscription. Your anti-spam software makes a DNS inquiry to the DNSBL server, but the returned IP address doesn’t point to a server. Rather, it’s a code that tells you what the DNSBL server thinks of the domain in question. For example, a return code of 127.0.0.2 usually indicates a server that the DNSBL thinks you should block.
The original DNSBLs concentrated on identifying open relays. An open relay is an SMTP server that will accept mail from anyone, for anyone, regardless of domain. Open relays are often targeted by spammers, because they will happily accept mail from bogus return addresses and deliver it anywhere. If you’re running an open relay, you should almost certainly stop doing so; starting with Exchange 2000, Microsoft Exchange is not open by default.
Many of the best-known DNSBLs still concentrate on open relays. ORDB,
MAPS, and OsiruSoft are probably the leaders in this class. More recently,
other organizations (notably SpamHaus) have started using the DNSBL protocol
to indicate servers that host known spammers, whether they’re open relays
or not. By running your e-mail through such a known spammer’s relay, you
can effectively block much spam e-mail before it gets to your users.
While DNSBLs seem like an ideal way to block spam, you need to exercise
considerable caution to use them effectively. First, the different DNSBLs
differ in how aggressive they are. Some have been known to declare all
of yahoo.com or hotmail.com as spam, based on the actions of a few users.
Second, mistakes can and do happen. Over the month that I was working
on this roundup, I had DNSBL mistakenly identify MCP Magazine’s
own domain as a spam source. And one of my own domains spent time on the
ORDB list thanks to an IP address change that they were slow to react
For a good list of DNSBL servers, try www.email-policy.com/Spam-black-lists.htm.
Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.