Realtime Blackhole Lists with Postfix


Realtime Blackhole Lists (RBL) and Domain Name System Blocklists (DNSBL) are publicly available lists on the Internet of addresses and servers that have recently been the source of malicious, unwanted or suspicious activity, such as the sending of spam or phishing e-mails.

Prevent SPAM and phishing emails

Blacklists were created to stem the flood of unwanted e-mail. IP addresses of suspicious mail senders reported by spamtraps are collected on blacklists. E-mail servers check received e-mails to see whether the sender is on a blacklist. If the check is positive, the e-mail is either moved directly to the Junk E-mail folder or not accepted at all and rejected by the server.

The widely used open-source spam filters SpamAssassin from the Apache project, and the Postfix MTA (Mail Transfer Agent) for Unix and Unix derivatives, are particularly suitable for integration. This tutorial deals with the integration of Realtime Blackhole Lists (RBL) and DNS Based Realtime Blocklists (DNSBL) using Postfix.

How to use DNS-based Blackhole List on Postfix

As the name suggests, querying a DNSBL is, from a technical point of view, a DNS query. DNS-based blackhole lists are queried in near real time. DNSBLs are added in the /etc/postfix/main.cf file, usually under smtpd_recipient_restrictions, as shown in the example.

smtpd_recipient_restrictions = permit_mynetworks,
        warn_if_reject reject_rbl_client[1..255],

There are usually many more rules checking other criteria; this tutorial only shows how to use the DNSBL query.

  A right-hand side blacklist (RHSBL) is a listing that contains the domain names of spammers, which mail servers can be programmed to reject. RHSBL functions the same way as a domain name system blacklist (DNSBL) with one important distinction: RHSBLs include domain names rather than IP addresses.

The sooner the better: the check is done before queueing when the restrictions are placed under smtpd_client_restrictions

smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_client_restrictions = permit_mynetworks,

With this check the DNSBL query takes place before the message is written to the mail spool, and a NOQUEUE: reject: response is returned. The advantage is that fewer system resources are consumed.

As after any change, Postfix must be reloaded.

$ postfix reload

SBL DNSBL Black List testing

The blacklist test record is the loopback address of the SBL DNS zone, like “”, used for testing the SBL configuration on mail servers. It is also listed in most other DNSBL systems as the standard testing address for those zones, as recommended by RFC 5782 and RFC 6471.

$ dig +short ANY @your_dns

Note. If you are using a free “open DNS resolver” service such as the Google Public DNS ( in most cases it will return a “not listed” (NXDOMAIN) reply from Spamhaus’ public DNSBL servers. It is recommended to use your own DNS servers when doing DNSBL queries to Spamhaus.

The DNSBL query for the dummy record returns if the IP is listed as a spam source in the database. To check a domain, for example, a lookup to can be used, depending on the respective DNSBL.

$ host

The query with reverse loopback address of

$ host -tTXT

Querying the TXT record from outputs the following:

descriptive text "This listings is for RFC Compliance. See RFC 5782. For support and listing removal go to Possible Values: Listings), violators) RFC compliant) of" "fender) email to the wrong server) relay) spoofed emails), malware or illegal/abusive content)"

Some DNSBLs provide useful information, such as multiple loopback test addresses whose return codes distinguish the type of listing.

$ dig +short TXT @
"Black listed at hostkarma"
"Black listed (authentication hacker) at hostkarma"
"White listed See"
"Yellow listed See"

$ dig +short ANY
" permanent test point"

$ dig +short ANY
"Listed in PSBL, see"

$ dig +short ANY
"Dynamic IP Addresses See:"
"Open SMTP Relay See:"
"Exploitable Server See:"
"HTTP Proxy See:"
"SOCKS Proxy See:"

$ dig +short ANY
"RFC5782 TEST-record."

$ dig +short ANY
"Test Record"

Queries can be narrowed down, for example to get only the RBL entries from the U.S., by using

$ host -t any has address descriptive text "Infected System, see"

The zone lists IPs that attack Joomla, WordPress and other web logins via brute force, or only IPs from which FTP attacks have been recorded. The individual RBL zones with their return codes and listing policies can be found on the websites of the DNSBL providers. Whitelists such as DNSWL are also used to avoid false positives.
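To make the mechanism behind reject_rbl_client and the RFC 5782 test records concrete, here is an added Python example (not code from the original post or from Postfix): it builds the reversed-octet query name, applies a Postfix-style return-code filter such as zone=127.0.0.[2..11], and checks a zone's test points before it is trusted in main.cf. The zone name dnsbl.example and the offline fake_resolver are constructed placeholders; system_resolver uses the host's real DNS.

```python
import ipaddress
import re
import socket
from typing import Optional

def system_resolver(name: str) -> Optional[str]:
    """Resolve with the host's configured DNS (needs network); None = NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed octets plus zone, the name reject_rbl_client looks up (2.0.0.127.<zone>)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def _answer_matches(answer: str, flt: str) -> bool:
    """Postfix-style filter: '' (any answer), 'd.d.d.d' exact, or 'd.d.d.[n..m]' range."""
    if not flt:
        return True
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)\.\.(\d+)\]", flt)
    if m:
        head, _, last = answer.rpartition(".")
        return head == m.group(1) and int(m.group(2)) <= int(last) <= int(m.group(3))
    return answer == flt

def rbl_check(ip: str, restriction: str, resolver=system_resolver) -> bool:
    """True if the client IP is listed under a reject_rbl_client argument
    such as 'zone.example' or 'zone.example=127.0.0.[2..11]'."""
    zone, _, flt = restriction.partition("=")
    answer = resolver(dnsbl_query_name(ip, zone))
    return answer is not None and _answer_matches(answer, flt)

def zone_test_points_ok(zone: str, resolver=system_resolver) -> bool:
    """RFC 5782 sanity check: 127.0.0.2 must be listed and 127.0.0.1 must not;
    a zone answering for 127.0.0.1 (e.g. a dead, wildcarded list) would reject every client."""
    return (resolver(dnsbl_query_name("127.0.0.2", zone)) is not None
            and resolver(dnsbl_query_name("127.0.0.1", zone)) is None)

# Constructed offline resolver for the placeholder zone "dnsbl.example": RFC 5782
# compliant (127.0.0.2 listed, 127.0.0.1 not) plus a made-up code 127.0.0.4.
FAKE_RECORDS = {
    "2.0.0.127.dnsbl.example": "127.0.0.2",
    "4.0.0.127.dnsbl.example": "127.0.0.4",
}

def fake_resolver(name: str) -> Optional[str]:
    return FAKE_RECORDS.get(name)
```

Running zone_test_points_ok against a real zone before adding it to smtpd_client_restrictions catches the case where a list has been shut down and answers for every name.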


E-Mail Reputation Protect against false positives

Useful Frequently Asked Questions (FAQ) by

  DNSBL operators generally do not allow more than 1,000 requests per second; if your queries exceed 1,000 per second, the rsync method should be used instead.

$ rsync -z .

GitHub Postfix main configuration

Table of some DNSBLs

List Name      Website           Blocklist Type
                                 Combined List (SBL, SBLCSS, XBL, PBL)
Mailspike      mailspike.org     Combined List


DNSBLs are generally the first line of defense against spam. Each DNSBL provider follows its own listing criteria and quality standards, so their results must be evaluated in order to choose the DNSBLs that meet the desired requirements. Most postmasters rely on real-time DNS-based blocklists (DNSBL): messages from listed sources are either not accepted at all, or the listing is included in the spam scoring. These methods are also technically described by the IETF:

  • free DNSBL for eMail Service providers
  • free and voluntary anti-fraud/abuse service
  • spamhaus IP and domain reputation data
  • Surbl reputation data provided in near real-time feeds
  • E-Mail Reputation Protect against false positives
