Using DNS blacklists to prevent spam can be tricky. This tip, which originally appeared on SearchSecurity.com, provides value-added resellers (VARs) and security consultants with the pros and cons of using DNS blacklists and recommends three blacklists with useful features.
DNS blacklisting is the practice of comparing the routing addresses of incoming emails to a list of servers that spammers are suspected to use. If an email appears to be from a blacklisted server, it is blocked, usually with a 503-type error for the recipient (assuming the recipient is contactable!).
A DNS blacklist is simply a variety of DNS server kept updated through feedback from users and administrators. To poll the list and determine if a particular address is stored in it, a client sends a standard lookup request to the server. DNS blacklists have the advantage of convenience: Rather than install and possibly train a product to block spam, you can simply use a DNS blacklist to perform filtering on likely targets. Third parties have already done all of the hard work for you.
Implementing a DNS blacklist in Exchange 2000 can be done in one of several ways. A third-party product such as GFI MailEssentials allows Exchange to work with DNS blacklist servers. Another possibility is to write an event sink in Exchange that performs a DNS lookup on incoming messages against one or more blacklist servers. However, this is not a trivial operation and requires fairly extensive programming knowledge.
Exchange 2003 natively supports the ability to use one or more DNS blacklist servers. To add a blacklist server, open the Exchange System Manager, then go to Message Delivery in Global Settings and open Message Delivery's Properties pane. Under Connection Filtering, click Add to enter a new connection filter, and supply the name, DNS suffix and a custom error message (if desired) for each blacklist server. For instance, Spamcop's DNS suffix would be bl.spamcop.net.
You should note that among the downsides to Exchange 2003's native DNS blacklist functionality is there is no easy way to track what or how much this system is blocking.
You also need to consider several other important downsides to DNS blacklisting. First, DNS blacklists can be notoriously inaccurate. One common practice with DNS blacklisting is to place everyone in a given block of addresses into a blacklist, simply because one computer in that block may be a spammer. This causes everyone in the block to suddenly be unable to send and possibly also receive e-mail, depending on which DNS blacklists their own mail hosts are subscribed to. This practice is on the wane, but is still known to happen.
Some blacklists also do not allow a user to remove himself from the blacklist through any kind of intervention. The blacklist may be maintained with a timeout, which means that the user must simply wait until his entry in the DNS is not reinforced by additional spam reports and expires on its own. In theory this is a good way to keep spammers from manipulating the system to their own ends, but it has the downside of putting other people at a serious disadvantage, especially if their only connection to the blocked server is that they were renting mail services from it. One of the major exceptions to this rule is the Composite Blocking List or CBL -- http://cbl.abuseat.org/ -- which does allow for removal but does not allow for removal "with prejudice" (i.e., it's not possible to be permanently delisted).
Blacklisting is also not useful for blocking truly virulent spammers, who may use "disposable" dial-up connections to keep changing IP addresses and avoid being associated with any one address block. This puts the maintainers of the DNS blacklist and administrators trying to stop emails based on address blocks at a serious disadvantage, since the effective lifespan of any one address might not be any more than a few hours at most.
On the whole, DNS blacklisting can be a useful way to augment rather than supplant an existing antispam solution. Many antispam products have native support for blacklists, and with judicious use they can be a powerful adjunct to -- but not a replacement for -- other strategies.
There are several popular DNS blacklists currently in use, but there are three that I like for their useful mechanisms and features:
- The Open Relay Database (ORDB) stores the IP addresses of machines that have been verified as open SMTP relays. Such machines are not secured against use by unverified users, who can use them to send bulk email. One of the advantages of the ORDB system is that an administrator can test one of his systems with the ORDB site to determine if he is indeed running an open relay, and also use the same test to verify that a previously open relay has been closed. I think for this reason that this is one of the most useful DNS blacklists.
- Spamcop works as both a spam-reporting service and a DNS blacklist. Administrators can forward spam to the service for tagging and automated processing, where Spamcop attempts to determine the originating ISP for the spam and notify the administrator of a possible TOS violation.
- Spamhaus not only publishes a list of spammers, but also a real-time list of IP addresses of exploits such as open proxies, viruses and worms with built-in spam engines and other dangerous beasts. Spamhaus also prides itself on having as few false positives as possible, but the time-to-live on its blocking records (barring a user contacting them for removal) is six months.
About the author
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators.
This tip originally appeared on SearchSecurity.com.
Dig deeper on Threat management and prevention