What you will learn from this tip: The pros and cons of using DNS blacklists for spam mitigation, including an introduction to The Open Relay Database, Spamcop and Spamhaus.
DNS blacklisting is the practice of comparing the routing addresses of incoming e-mails to a list of servers that spammers are suspected to use. If an e-mail appears to be from a blacklisted server, it is blocked, usually with a 503-type error for the recipient (assuming the recipient is contactable!).
Implementing a DNS blacklist in Exchange 2000 can be done in one of several ways. A third-party product such as GFI MailEssentials allows Exchange to work with DNS blacklist servers. Another possibility is to write an event sink in Exchange that performs a DNS lookup on incoming messages against one or more blacklist servers. However, this is not a trivial operation and requires fairly extensive programming knowledge.
Exchange 2003 natively supports the ability to use one or more DNS blacklist servers. To add a blacklist server, open the Exchange System Manager, then go to Message Delivery in Global Settings and open Message Delivery's Properties pane. Under Connection Filtering, click Add to enter a new connection filter, and supply the name, DNS suffix and a custom error message (if desired) for each blacklist server. For instance, Spamcop's DNS suffix would be bl.spamcop.net.
You should note that among the downsides to Exchange 2003's native DNS blacklist functionality is there is no easy way to track what or how much this system is blocking.
You also need to consider several other important downsides to DNS blacklisting. First, DNS blacklists can be notoriously inaccurate. One common practice with DNS blacklisting is to place everyone in a given block of addresses into a blacklist, simply because one computer in that block may be a spammer. This causes everyone in the block to suddenly be unable to send and possibly also receive e-mail, depending on which DNS blacklists their own mail hosts are subscribed to. This practice is on the wane, but is still known to happen.
Some blacklists also do not allow a user to remove himself from the blacklist through any kind of intervention. The blacklist may be maintained with a timeout, which means that the user must simply wait until his entry in the DNS is not reinforced by additional spam reports and expires on its own. In theory this is a good way to keep spammers from manipulating the system to their own ends, but it has the downside of putting other people at a serious disadvantage, especially if their only connection to the blocked server is that they were renting mail services from it. One of the major exceptions to this rule is the Composite Blocking List or CBL -- http://cbl.abuseat.org/ -- which does allow for removal but does not allow for removal "with prejudice" (i.e., it's not possible to be permanently delisted).
Blacklisting is also not useful for blocking truly virulent spammers, who may use "disposable" dial-up connections to keep changing IP addresses and avoid being associated with any one address block. This puts the maintainers of the DNS blacklist and administrators trying to stop e-mails based on address blocks at a serious disadvantage, since the effective lifespan of any one address might not be any more than a few hours at most.
On the whole, DNS blacklisting can be a useful way to augment rather than supplant an existing antispam solution. Many antispam products have native support for blacklists, and with judicious use they can be a powerful adjunct to -- but not a replacement for -- other strategies.
There are several popular DNS blacklists currently in use, but there are three that I like for their useful mechanisms and features:
- The Open Relay Database (ORDB) stores the IP addresses of machines that have been verified as open SMTP relays. Such machines are not secured against use by unverified users, who can use them to send bulk e-mail. One of the advantages of the ORDB system is that an administrator can test one of his systems with the ORDB site to determine if he is indeed running an open relay, and also use the same test to verify that a previously open relay has been closed. I think for this reason that this is one of the most useful DNS blacklists.
- Spamcop works as both a spam-reporting service and a DNS blacklist. Administrators can forward spam to the service for tagging and automated processing, where Spamcop attempts to determine the originating ISP for the spam and notify the administrator of a possible TOS violation.
- Spamhaus not only publishes a list of spammers, but also a real-time list of IP addresses of exploits such as open proxies, viruses and worms with built-in spam engines and other dangerous beasts. Spamhaus also prides itself on having as few false positives as possible, but the time-to-live on its blocking records (barring a user contacting them for removal) is six months.
- Learn best and worst practices in spam mitigation.
- Earn a CPE credit while learning more about fighting spam in an on-demand webcast.
- Take a quiz to test your knowledge of antispam techniques.
About the author
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators.
This tip originally appeared on our sister site SearchExchange.com.
This was first published in April 2005