DNSBL

From MattWiki

DNSBL stands for Domain Name System Block List. Most DNSBL systems list IP addresses, often those that have been observed by the list operator to be sending spam, hosting spammers, or by policy not allowed to deliver email directly to servers using that particular DNSBL. These lists are used by applications to decrease the delivery of spam email. Some DNSBLs have other listing criteria, for example geographic lists of IPs by country, or other categories, too, and they may be used for a variety of purposes.

DNSBLs which list domain names rather than IP addresses are called URIBLs when the domains are taken from URIs in message bodies, or RHSBLs (right-hand-side block lists, such as rhsbl.sorbs.net below) when they are keyed on the domain part of an address.

It is important to note that a DNSBL cannot stop anyone from sending mail; it only prevents delivery at the receiving end, and only because the receiver chose to consult the list. DNSBLs are strictly defensive tools; they cannot mount an attack such as a denial of service.

zen.spamhaus.org

ZEN combines all of the Spamhaus IP-based DNSBLs into a single zone, so that one query covers them all. It contains the SBL[1], the XBL[2] and the PBL[3] blocklists.

In most cases, zen.spamhaus.org replaces sbl-xbl.spamhaus.org. If you are currently using sbl-xbl.spamhaus.org you should now replace 'sbl-xbl.spamhaus.org' with 'zen.spamhaus.org'.

zen.spamhaus.org should now be the only spamhaus.org DNSBL in your configuration. You should not use ZEN together with other Spamhaus blocklists, or with blocklists already included in the Spamhaus zones (such as the CBL), or you will simply be wasting DNS queries and slowing your mail queue.

Caution: Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any ‘deep parsing’ of Received headers, or for other than checking IP addresses that hand off to your mailservers.

zen.spamhaus.org's Block Lists

SBL (Spamhaus Block List)

The Spamhaus Block List (SBL) is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.

XBL (Exploits Block List)

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

PBL (Policy Block List)

The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

PBL IP address ranges are added and maintained by each network participating in the PBL project, working in conjunction with the Spamhaus PBL team, to help apply their outbound email policies.

Additional IP address ranges are added and maintained by the Spamhaus PBL Team, particularly for networks which are not participating themselves (because the ISP/block owner does not know about the project, is proving difficult to contact, or because of language difficulties), and where the spam received from those ranges, their rDNS and their server patterns are consistent with end-user IP space, which typically contains high concentrations of "botnet zombies", a major source of spam. Once aware of them, the ISP/block owner can take over such records at any time to manage them further.

The PBL lists both dynamic and static IPs: any IP which by policy (the block owner's policy, or, in its absence, Spamhaus's interim policy) should not be sending email directly to the MX servers of third parties.

Using zen.spamhaus.org with Postfix

In /etc/postfix/main.cf add reject_rbl_client zen.spamhaus.org to the smtpd_recipient_restrictions list. Put it near the bottom of the list, since a DNSBL lookup costs a DNS round trip and so uses more resources than most other tests. In particular it belongs after permit_mynetworks and permit_sasl_authenticated (otherwise the XBL and PBL entries in ZEN can reject your own customers, which is exactly what the caution above warns about) and after reject_unauth_destination, so that relay attempts are refused before any DNS query is made. Postfix 2.8 and later also accept reject_rbl_client zen.spamhaus.org=127.0.0.[2..11], which rejects only on the documented listing codes in the table below and not on any other answer the zone might return.

smtpd_recipient_restrictions =
...
   reject_rbl_client zen.spamhaus.org
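The ordering rules above are easy to get wrong on a server whose restriction list has grown over time. The script below is an added example (not MattWiki's or Postfix's own code) that checks an smtpd_recipient_restrictions value for the two mistakes that matter with ZEN: a reject_rbl_client placed before permit_mynetworks / permit_sasl_authenticated / reject_unauth_destination, and a reject_rbl_client with no =127.0.0.[2..11] guard. The function names, the WEAK and GOOD sample values, and the assumption that the value is obtained with `postconf -h smtpd_recipient_restrictions` are all mine, not from the page.

```shell
#!/bin/sh
# Added example, not from MattWiki or Postfix. Checks the order of an
# smtpd_recipient_restrictions value as printed by
#   postconf -h smtpd_recipient_restrictions      (assumed input format)
# reject_rbl_client must follow permit_mynetworks / permit_sasl_authenticated
# (so ZEN's XBL and PBL entries never reject your own clients) and
# reject_unauth_destination (so the cheap relay check runs before any DNS query).

# Constructed sample values for demonstration; not taken from any real server.
WEAK='reject_rbl_client zen.spamhaus.org, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
GOOD='permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]'

# restriction_pos VALUE NAME: 1-based position of the first restriction whose
# first word is NAME, or 0 if it does not occur. Restrictions are comma separated;
# a restriction may carry arguments after whitespace (e.g. "reject_rbl_client zone").
restriction_pos() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { RS = ","; n = 0; found = 0 }
        {
            n++
            gsub(/^[ \t\n]+|[ \t\n]+$/, "")     # trim surrounding whitespace
            split($0, f, /[ \t]+/)
            if (f[1] == want && !found) found = n
        }
        END { print found + 0 }'
}

# check_rbl_order VALUE: print findings; return 0 only when the order is safe.
check_rbl_order() {
    v=$1 ok=0
    rbl=$(restriction_pos "$v" reject_rbl_client)
    if [ "$rbl" -eq 0 ]; then
        echo "no reject_rbl_client present"
        return 0
    fi
    for must in permit_mynetworks permit_sasl_authenticated reject_unauth_destination; do
        p=$(restriction_pos "$v" "$must")
        # only complain when the restriction is present and comes too late;
        # an MX-only host may legitimately omit permit_sasl_authenticated
        if [ "$p" -gt 0 ] && [ "$p" -gt "$rbl" ]; then
            echo "WARN: reject_rbl_client (entry $rbl) runs before $must (entry $p)"
            ok=1
        fi
    done
    case $v in
        *reject_rbl_client*=127.0.0.\[*) ;;     # guarded: rejects only on listing codes
        *) echo "NOTE: reject_rbl_client has no =127.0.0.[2..11] guard; any A record, including non-listing answers, would reject mail"
           ok=1 ;;
    esac
    [ "$ok" -eq 0 ] && echo "OK: restriction order is safe"
    return $ok
}

# Demonstration on the constructed samples.
for v in "$WEAK" "$GOOD"; do
    echo "== $v"
    check_rbl_order "$v" || echo "(unsafe)"
done
```

On a real server run `check_rbl_order "$(postconf -h smtpd_recipient_restrictions)"`; on Postfix 2.10 and later reject_unauth_destination normally lives in smtpd_relay_restrictions instead, which is why the check only complains about its position when it is present.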

zen.spamhaus.org troubleshooting

To troubleshoot an address, you need to query the Spamhaus DNS servers. So if you were troubleshooting the domain mattrude.com, first you need to find the name of the domain's mail server. (The MX is a reasonable first guess for the address the domain sends from, but what a DNSBL actually sees is the IP that connects to the receiving server; the Received: headers of a bounced or delivered message show that IP directly.)

# host mattrude.com
mattrude.com mail is handled by 10 mail.mattrude.com.

Now that we know the mail server's name, we need to find its IP address.

# host mail.mattrude.com
mail.mattrude.com has address 76.17.242.165

Now let's query Spamhaus. A DNSBL is queried by reversing the octets of the IP address and appending the zone name, so for 76.17.242.165 the name to look up is 165.242.17.76.zen.spamhaus.org. An address that is not listed returns NXDOMAIN (host prints "not found: 3(NXDOMAIN)"); a listed address returns one or more addresses in 127.0.0.0/8:

# host 165.242.17.76.zen.spamhaus.org
165.242.17.76.zen.spamhaus.org has address 127.0.0.10

As you can see from the table below, an answer of 127.0.0.10 means this address is listed in the PBL (ISP maintained). A host that is on more than one list gets one A record per list, so check every answer, not just the first.

Return Code   Source   Notes
127.0.0.2     SBL      Spamhaus maintained
127.0.0.3     ---      reserved for future use
127.0.0.4     XBL      CBL detected address
127.0.0.5     XBL      NJABL proxies (customized)
127.0.0.6     XBL      reserved for future use
127.0.0.7     XBL      reserved for future use
127.0.0.8     XBL      reserved for future use
127.0.0.9     ---      reserved for future use
127.0.0.10    PBL      ISP maintained
127.0.0.11    PBL      Spamhaus maintained
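The manual host lookups above are fine for one address; the script below is an added example (not from MattWiki or Spamhaus) that automates the same procedure: it builds the reversed-octet query name for any IP-based zone (zen.spamhaus.org, dnsbl.sorbs.net, or any other), decodes ZEN answers with the table above, and distinguishes "not listed" (NXDOMAIN) from a failed lookup, which a bare `host` or `dig +short` does not. It assumes dig(1) from BIND is installed for the live lookup and that the resolver used is one Spamhaus answers (queries via some large public resolvers are refused). All function names are mine, and the two-record answer used in the offline demonstration is constructed.

```shell
#!/bin/sh
# Added example for the ZEN troubleshooting steps above; not MattWiki or
# Spamhaus code. Assumes dig(1) for the live lookup and a resolver that
# Spamhaus accepts queries from. Answers outside the documented 127.0.0.2-11
# codes are reported as unexpected rather than treated as a listing.

# dnsbl_name IP ZONE: print the reversed-octet query name, e.g.
#   dnsbl_name 76.17.242.165 zen.spamhaus.org -> 165.242.17.76.zen.spamhaus.org
dnsbl_name() {
    ip=$1 zone=$2
    case $ip in                                  # exactly four dotted decimal octets
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) echo "dnsbl_name: bad IPv4 address: $ip" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "dnsbl_name: bad IPv4 address: $ip" >&2; return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split octets into $1..$4
    for o in "$@"; do
        [ "$o" -le 255 ] || { echo "dnsbl_name: octet out of range: $ip" >&2; return 1; }
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# zen_decode CODE: describe one ZEN answer using the return-code table above.
zen_decode() {
    case $1 in
        127.0.0.2)  echo "SBL (Spamhaus maintained)" ;;
        127.0.0.4)  echo "XBL (CBL detected address)" ;;
        127.0.0.5)  echo "XBL (NJABL proxies)" ;;
        127.0.0.10) echo "PBL (ISP maintained)" ;;
        127.0.0.11) echo "PBL (Spamhaus maintained)" ;;
        127.0.0.3|127.0.0.6|127.0.0.7|127.0.0.8|127.0.0.9) echo "reserved code $1" ;;
        *) echo "unexpected answer $1 (not a listing code; consult the Spamhaus documentation)"; return 2 ;;
    esac
}

# zen_classify: read A records (one per line) on stdin; print one line per list.
# Returns 0 if listed, 1 if no records (not listed), 2 if any record is unexpected.
zen_classify() {
    listed=0 bad=0
    while IFS= read -r a; do
        [ -n "$a" ] || continue
        if desc=$(zen_decode "$a"); then
            listed=1; echo "listed: $desc"
        else
            bad=1; echo "$desc"
        fi
    done
    if [ "$bad" -eq 1 ]; then return 2; fi
    if [ "$listed" -eq 1 ]; then return 0; fi
    echo "not listed"
    return 1
}

# zen_check IP: live lookup. Reads the response status so that SERVFAIL or a
# timeout is not mistaken for "not listed" (dig +short prints nothing for both).
zen_check() {
    name=$(dnsbl_name "$1" zen.spamhaus.org) || return 3
    out=$(dig +noall +comments +answer "$name" A) || return 3
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
    case $status in
        NOERROR|NXDOMAIN) ;;
        *) echo "lookup of $name failed (status: ${status:-none}); do not treat as not listed" >&2; return 3 ;;
    esac
    printf '%s\n' "$out" | awk '$4 == "A" { print $5 }' | zen_classify
}

# Offline demonstration on a constructed answer: a host listed in both the
# XBL and the PBL gets two A records back from ZEN.
printf '127.0.0.4\n127.0.0.10\n' | zen_classify

# Live lookup only when asked for, e.g.  DNSBL_LIVE_IP=76.17.242.165 sh zen-check.sh
if [ -n "${DNSBL_LIVE_IP:-}" ]; then
    zen_check "$DNSBL_LIVE_IP"
fi
```

The exit codes are chosen so the script can sit in a monitoring check: 0 means your outbound address is listed and needs attention, 1 means clean, and anything else means the check itself did not produce a trustworthy answer.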

dnsbl.sorbs.net

DNSBL zone   Note
dnsbl.sorbs.net Aggregate zone (contains all the following DNS zones except spam.dnsbl.sorbs.net)
http.dnsbl.sorbs.net List of Open HTTP Proxy Servers.
socks.dnsbl.sorbs.net List of Open SOCKS Proxy Servers.
misc.dnsbl.sorbs.net List of open Proxy Servers not listed in the SOCKS or HTTP lists.
smtp.dnsbl.sorbs.net List of Open SMTP relay servers.
web.dnsbl.sorbs.net List of web (WWW) servers which have spammer-abusable vulnerabilities (e.g. FormMail scripts). Note: This zone now includes non-webserver IP addresses that have abusable vulnerabilities.
new.spam.dnsbl.sorbs.net List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 48 hours.
recent.spam.dnsbl.sorbs.net List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).
old.spam.dnsbl.sorbs.net List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last year (includes recent.spam.dnsbl.sorbs.net).
spam.dnsbl.sorbs.net List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS at any time, and not subsequently resolving the matter and/or requesting a delisting (includes both old.spam.dnsbl.sorbs.net and escalations.dnsbl.sorbs.net).
escalations.dnsbl.sorbs.net This zone contains netblocks of spam-supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam causes the supporter to be added to the list.
block.dnsbl.sorbs.net List of hosts demanding that they never be tested by SORBS.
zombie.dnsbl.sorbs.net List of networks hijacked from their original owners, some of which have already been used for spamming.
dul.dnsbl.sorbs.net Dynamic IP Address ranges (NOT a Dial Up list!)
rhsbl.sorbs.net Aggregate zone (contains all RHS zones)
badconf.rhsbl.sorbs.net List of domain names where the A or MX records point to bad address space.
nomail.rhsbl.sorbs.net List of domain names where the owners have indicated no email should ever originate from these domains.