Realtime Blackhole Lists (RBL) and Domain Name System BlockList (DNSBL) are publicly available lists on the Internet, with addresses and servers that have recently been the source of malicious and unwanted or suspicious activity, such as the sending of spam or phishing e-mails.
Prevent SPAM and phishing emails
Blacklists were created to prevent the flood of unwanted emails. IP addresses of suspicious mail senders reported by spamtraps are collected on blacklists. E-mail servers compare received e-mails to see whether the sender is on a blacklist. If the classification is positive, the e-mail is moved directly to the Junk E-mail folder or not accepted at all and rejected by the server.
The widely used open-source spam filters SpamAssassin from the Apache project, and the Postfix MTA (Mail Transfer Agent) for Unix and Unix derivatives, are particularly suitable for integration. This tutorial deals with the integration of Realtime Blackhole Lists (RBL) and DNS Based Realtime Blocklists (DNSBL) using Postfix.
How to use DNS-based Blackhole List on Postfix
As the name suggests, querying a DNSBL is, from a technical point of view, a DNS query. DNS-based blackhole lists are queried in near real time. DNSBLs are added in the /etc/postfix/main.cf file, usually under smtpd_recipient_restrictions, as shown in the example.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
    warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255],
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client bl.0spam.org=127.0.0.[7..9],
    reject_unverified_recipient,
    permit
There are usually many more rules for checking the criteria; this tutorial shows how to use DNSBL queries.
A right-hand side blacklist (RHSBL) is a listing that contains the domain names of spammers, which mail servers can be programmed to reject. RHSBL functions the same way as a domain name system blacklist (DNSBL) with one important distinction: RHSBLs include domain names rather than IP addresses.
The sooner the better – the verification is done before queuing, with the restrictions placed under smtpd_client_restrictions.
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_client_restrictions =
    permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_unauth_pipelining,
    reject_unknown_sender_domain,
    reject_unknown_hostname,
    reject_unknown_client,
    reject_invalid_hostname,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
    reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit
With this check, the DNSBL query takes place before the message is written to the mail spool, and a NOQUEUE: reject: is returned. The advantage is that fewer system resources are used.
As after any change, Postfix must be reloaded.
$ postfix reload
The blacklist test record 127.0.0.2 is the loopback address in an SBL DNS zone such as “sbl.spamhaus.org” that is used for testing the SBL configuration on mail servers. It is also listed in most other DNSBL systems as the standard testing address for those zones, as recommended by RFC5782 and RFC6471.
$ dig +short ANY 2.0.0.127.zen.spamhaus.org @your_dns
"https://www.spamhaus.org/sbl/query/SBL2"
"https://www.spamhaus.org/query/ip/127.0.0.2"
127.0.0.2
127.0.0.10
127.0.0.4
Note. If you are using a free “open DNS resolver” service such as the Google Public DNS (8.8.8.8), in most cases it will return a “not listed” (NXDOMAIN) reply from Spamhaus’ public DNSBL servers. It is recommended to use your own DNS servers when doing DNSBL queries to Spamhaus.
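The following Python sketch is an added example, not part of the original tutorial or of Postfix. It models how the reversed query name is built and how the reply filters from the smtpd_recipient_restrictions example decide which DNSBL answers lead to a reject. The function names and the sample replies are constructed for illustration, no DNS lookup is performed, and the name builder also covers IPv6 nibble names, which go beyond the IPv4 case shown here.

```python
import ipaddress
import re

# Rules modelled on the page's smtpd_recipient_restrictions example:
# (action, DNSBL zone, Postfix reply filter or None for "any A record").
RULES = [
    ("reject", "zen.spamhaus.org", "127.0.0.[2..11]"),
    ("warn", "zen.spamhaus.org", "127.255.255.[1..255]"),  # warn_if_reject
    ("reject", "dnsbl-1.uceprotect.net", None),
    ("reject", "bl.0spam.org", "127.0.0.[7..9]"),
]

def dnsbl_qname(ip, zone):
    """Query name per RFC 5782: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    pointer = ipaddress.ip_address(ip).reverse_pointer  # "2.0.0.127.in-addr.arpa"
    return pointer.rsplit(".", 2)[0] + "." + zone

def _octet_ok(pattern, value):
    """Match one octet against a number or a "[a;b..c]" bracket pattern."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        low, _, high = part.partition("..")
        if int(low) <= value <= int(high or low):
            return True
    return False

def reply_matches(reply, reply_filter):
    """True if an A-record reply satisfies a filter such as 127.0.0.[2..11]."""
    if reply_filter is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", reply_filter)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 == len(octets) and all(
        _octet_ok(p, o) for p, o in zip(patterns, octets))

def decide(zone, replies):
    """First matching action for the A records returned by `zone`; an empty
    list (NXDOMAIN, not listed) yields "pass". Simplified: Postfix itself logs
    a warn_if_reject match and keeps evaluating the remaining restrictions."""
    for action, rule_zone, reply_filter in RULES:
        if rule_zone == zone and any(reply_matches(r, reply_filter) for r in replies):
            return action
    return "pass"

if __name__ == "__main__":
    # Constructed replies, not live DNS answers.
    print(dnsbl_qname("127.0.0.2", "zen.spamhaus.org"))
    print(decide("zen.spamhaus.org", ["127.0.0.2", "127.0.0.10", "127.0.0.4"]))
    print(decide("zen.spamhaus.org", ["127.255.255.254"]))
    print(decide("bl.0spam.org", ["127.0.0.2"]))
```

A reply outside the configured range, such as 127.0.0.2 for the bl.0spam.org rule, does not trigger a reject, which is why a test record can succeed with dig and still not match the Postfix rule.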
The DNSBL query for the dummy record returns 127.0.0.2 if the IP is listed as a spam source in the database. To check a domain query, for example 0spam.org, a lookup to bl.0spam.org can be used, depending on the respective DNSBL.
$ host 2.0.0.127.bl.0spam.org
The query with reverse loopback address of bl.0spam.org.
$ host -tTXT 2.0.0.127.bl.0spam.org
Querying the TXT record from 0spam.org outputs the following.
2.0.0.127.bl.0spam.org descriptive text "This listings is for RFC Compliance. See RFC 5782. For support and listing removal go to https://0spam.org Possible Values: 127.0.0.1(General Listings), 127.0.0.2(depreciated) 127.0.0.3(can-spam violators) 127.0.0.4(non RFC compliant) 127.0.0.5(repeat of" "fender) 127.0.0.6(bouncing email to the wrong server) 127.0.0.7(open relay) 127.0.0.8(bouncing spoofed emails) 127.0.0.9(fraud/scam, malware or illegal/abusive content)"
Some DNSBLs provide useful information, such as multiple loopback addresses that can be used for test queries.
$ dig +short TXT 2.0.0.127.hostkarma.junkemailfilter.com @your_dns
"Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=127.0.0.2"
"Black listed (authentication hacker) at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=127.0.0.2"
"White listed 127.0.0.2 See http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists"
"Yellow listed 127.0.0.2 See http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists"
$ dig +short ANY 2.0.0.127.multi.surbl.org
127.0.0.254
"wild.surbl.org permanent test point"
$ dig +short ANY 2.0.0.127.psbl.surriel.com
"Listed in PSBL, see http://psbl.org/listing?ip=127.0.0.2"
127.0.0.2
$ dig +short ANY 2.0.0.127.dnsbl.sorbs.net
127.0.0.10
"Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?127.0.0.2"
127.0.0.5
"Open SMTP Relay See: http://www.sorbs.net/lookup.shtml?127.0.0.2"
127.0.0.7
"Exploitable Server See: http://www.sorbs.net/lookup.shtml?127.0.0.2"
127.0.0.2
"HTTP Proxy See: http://www.sorbs.net/lookup.shtml?127.0.0.2"
127.0.0.3
"SOCKS Proxy See: http://www.sorbs.net/lookup.shtml?127.0.0.2"
$ dig +short ANY 2.0.0.127.bl.nordspam.com
"RFC5782 TEST-record."
127.0.0.2
$ dig +short ANY 2.0.0.127.truncate.gbudb.net
127.0.0.2
"Test Record"
The queries can be narrowed down, for example to only get the RBL addresses from U.S. by using usa.bl.blocklist.de
$ host -t any 2.0.0.127.usa.bl.blocklist.de
2.0.0.127.usa.bl.blocklist.de has address 127.0.0.2
2.0.0.127.usa.bl.blocklist.de descriptive text "Infected System, see http://www.blocklist.de/en/view.html?ip=127.0.0.2"
The zone bruteforcelogin.bl.blocklist.de lists IPs that attack Joomla, WordPress and other web logins via brute force, while ftp.bl.blocklist.de lists only IPs from which FTP attacks have been recorded. The individual RBL zones, with the return codes they use and their guidelines, can be found on the websites of the DNSBL providers. Whitelists such as DNSWL are also used to avoid false positives.
E-Mail Reputation Protect against false positives
Useful Frequently Asked Questions (FAQ) by Spamhaus.org
A DNS-based Blackhole List (DNSBL) does not allow more than 1,000 requests per second; if the requests exceed 1,000 per second, the rsync method should be applied.
$ rsync -z psbl-mirror.surriel.com::psbl/psbl.txt .
Postfix main configuration main.cf
Table of some DNSBLs
|List Name|Website|Blocklist Type|
Combined List (SBL, SBLCSS, XBL, PBL)
DNSBLs are generally the first line of defense against spam. The DNSBL providers each apply their own criteria and quality requirements, so their results must be evaluated in order to choose DNSBLs that meet the desired requirements and criteria. Most postmasters rely on real-time DNS-based blocklists (DNSBL). Messages from listed senders are either not accepted at all, or the information from a listing is included in the spam scoring. These methods are also technically described by the IETF: https://tools.ietf.org/html/rfc5782
- 0spam.org free DNSBL for eMail Service providers
- blocklist.de free and voluntary anti-fraud/abuse service
- spamhaus IP and domain reputation data
- Surbl reputation data provided in near real-time feeds
- dnswl.org E-Mail Reputation Protect against false positives