DNSBLs - what is best?

Discussion in 'Bind / DNS / Nameserver Issues' started by jcsolutions, Aug 26, 2003.

  1. jcsolutions

    jcsolutions Well-Known Member

    Joined:
    Nov 4, 2002
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I've compiled a small list of, what seem to be, reasonably popular DNS Blacklists (DNSBL / RBL). I would like to find out the following things:

    1. What are some other good DNSBLs?
    2. Are any listed NO good?
    3. What lists do you use (whether listed here or not)?
    4. Do you use them to block or just tag the potential spam emails?

    Here is my list:

    blackholes.mail-abuse.org
    dialups.mail-abuse.org
    relays.ordb.org
    relays.mail-abuse.org
    relays.osirusoft.com - DOWN UNTIL FURTHER NOTICE
    bl.spamcop.net
    dsn.rfc-ignorant.org
    ipwhois.rfc-ignorant.org
    list.dsbl.org
    relays.visi.com
    blacklist.spambag.org
    dnsbl.njabl.org
    vox.schpider.com
    korea.services.net
    dnsbl.njabl.org
    spam.dnsrbl.net
    dnsbl.sorbs.net
    opm.blitzed.org
    blackholes.easynet.nl
    proxies.blackholes.easynet.nl
    dynablock.easynet.nl
    sbl.spamhaus.org

    Thanks for any input!

     
  2. Doctor

    Doctor Well-Known Member

    Joined:
    Apr 26, 2003
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    16
    I noticed that EXIM 4 now has this portion:

    --------------------------------------------
    # Exim contains support for the Realtime Blocking List (RBL) that is being
    # maintained as part of the DNS. See http://maps.vix.com/rbl/ for background.
    # Uncommenting the first line below will make Exim reject mail from any
    # host whose IP address is blacklisted in the RBL at maps.vix.com. Some
    # others have followed the RBL lead and have produced other lists: DUL is
    # a list of dial-up addresses, and ORBS is a list of open relay systems. The
    # second line below checks all three lists.

    rbl_domains = rbl.maps.vix.com
    --------------------------------------------

    If I want to add all your DNSBLs, should I add it like:

    rbl_domains = blackholes.mail-abuse.org: dialups.mail-abuse.org...

    OR...

    rbl_domains = blackholes.mail-abuse.org
    rbl_domains = dialups.mail-abuse.org
    .
    .
    .

     
  3. jcsolutions

    jcsolutions Well-Known Member

    Joined:
    Nov 4, 2002
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    You would add it in the ACL section of the exim.conf file. Under
    ---
    require verify = header_sender
    accept
    ---

    Add this:
    ---
    deny message = rejected because $sender_host_address is blacklisted at $dnslist_domain\n $dnslist_text
         dnslists = relays.ordb.org : list.dsbl.org : number3 : etc
    ---

     
  4. Doctor

    Doctor Well-Known Member

    Joined:
    Apr 26, 2003
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    16
  5. jcsolutions

    jcsolutions Well-Known Member

    Joined:
    Nov 4, 2002
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I believe the rbl_domains method is from Exim3. The method I described is right out of the Exim4 docs. rbl_domains is not mentioned.

    I could be wrong, but I'd say this is just the new method.

     
  6. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    rbl_domains is a leftover from the converted exim 3 config file. dnslists is the way to go, as noted.

    As far as the lists themselves go, Spamhaus is of course excellent. We'd use some of the lists from blackholes.us, like Brazil and Korea, but we have customers in those countries. Spamcop I would never use for anything but tagging, as it's prone to errant reporting by end users. The relay lists are nice, but tend to have a higher catch factor, collaterally speaking, and we only use those temporarily when someone is being mailbombed (which also results in an increased ticket count from users on the affected server who can no longer send mail through it). The *.mail-abuse items should probably be stricken from your list, as they either no longer exist or were rolled into the MAPS subscription service. The rest have their ups and downs, depending on what the admin specifically wants to do.

    Currently, we are using only the Spamhaus list and our own private list, which we developed to catch things others did not. Since Jared's osirusoft zones went down, we're now looking to also either mirror or simply pull in raw data from certain external lists/zones so that all lookups are done locally.

     
  7. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    What are the best RBLs to use? We are warning spamcop users and blocking:
    list.dsbl.org :
    flowgoaway.com :
    dialups.visi.com :
    blackholes.easynet.nl :
    opm.blitzed.org
    deny local_parts = ^.*[@%!/|]
    message = I've never seen @, %, !, /, or | in an e-mail.


    Should we go with more than this?

     
  8. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    To use more (or less) depends on what your goals are in relation to your clients and keeping them happy. At the moment, our users are distinctly unhappy with the increased spam load running through the servers, because we used three different external lists previously, two of which are now toast, and now the spam is like a wave that won't end. When in doubt, check with your clients, because they will always tell you exactly what they want. You might not be able to give them that exact thing, but you can often come close.

    Whatever lists anyone uses, they would do well to automatically whitelist themselves at a minimum, to ensure that any listing of their own servers - whether because of their own issues or their provider's - will be ignored by machines in their own network.

     
  9. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Good point. Thanks for that.

     
  10. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    That's a big list. If one of those sites goes down, do you have to remove it from your configuration file? In other words, do you have to constantly monitor those sites?

     
  11. jcsolutions

    jcsolutions Well-Known Member

    Joined:
    Nov 4, 2002
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I don't actually use all of those in the list. I just got a group together of what seemed to be more popular ones and asked who I should use.

    This is what I actually use in my current exim.conf file:

    sbl.spamhaus.org, relays.ordb.org, list.dsbl.org, blackholes.easynet.nl, nigeria.blackholes.us, russia.blackholes.us

    I also send warnings for bl.spamcop.net

     
  12. jcsolutions

    jcsolutions Well-Known Member

    Joined:
    Nov 4, 2002
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Thanks Annette. I agree with you and have thought of this, but how would we do it?

     
  13. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    accept hosts = <your own ip's here> ? :-D

     
  14. jcsolutions

    jcsolutions Well-Known Member

    Joined:
    Nov 4, 2002
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I looked at that, but I thought it meant that ONLY hosts listed here could access the server.

    Exim docs: "This condition tests that the calling host matches the host list."

    What happens if the calling host doesn't match? It's allowed access to the server unless it's found in the 'deny hosts'?

     
  15. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    For whitelisting, it is indeed the accept hosts item under the check recipient acl:

    accept hosts = 1.2.3.4 : 2.3.4.5 : a.b.c.d

    Restart exim afterwards, and mail from those IPs will be allowed through even if they would otherwise be listed in the dnslists/private deny items - further checks on those IPs will not be done because they have matched the first conditional entry. This is handy when you have a server or servers (as we did) land in SPEWS because of upstream responsibilities that were not addressed.

     
  16. jcsolutions

    jcsolutions Well-Known Member

    Joined:
    Nov 4, 2002
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I already had 'accept hosts = +relay_hosts' in my conf file. That points to /etc/relayhosts. When I open this file, there is a whole list of IPs that I didn't add and they are not my assigned IPs. There are also lines like 'adsl-65-65-208-33.dsl.rcsntx.swbell.net'. Should I be worried?

     
  17. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    There are several accept hosts entries. The one to be concerned about for whitelisting purposes is the very first one that appears under the check recipient acl - this is because once a match is found, Exim 4, unlike Exim 3, will not check any further conditions for that matched entry. This is also why it's so very important to set custom configurations in a particular order. The one you're after is here:

    ---------
    begin acl


    #!!# ACL that is used after the RCPT command
    check_recipient:
    # Exim 3 had no checking on -bs messages, so for compatibility
    # we accept if the source is local SMTP (i.e. not over TCP/IP).
    # We do this by testing for an empty sending host field.

    accept hosts = (entries here)
    ---------

    This will be just above the mailman rewrite entries on servers running current versions of cPanel.

    cPanel.net Support Ticket Number:
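
The ordering described in posts 15 and 17 (whitelist `accept hosts` first, then the `dnslists` deny, then tag-only lists), modelled as an added example that is not part of the original thread and not Exim's own code. The function names, the injected `resolve` callable and the sample addresses and listings are constructed assumptions, and a failed lookup is treated here as "not listed".

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """A DNSBL lookup reverses the IPv4 octets and appends the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve):
    """resolve(name) returns A records or raises OSError (NXDOMAIN, timeout)."""
    try:
        return bool(resolve(dnsbl_query_name(ip, zone)))
    except OSError:
        return False  # assumption: an unanswered or dead list counts as no match

def check_recipient(ip, whitelist, block_zones, tag_zones, resolve):
    """Evaluate statements in order; the first one that matches decides."""
    addr = ipaddress.ip_address(ip)
    # 1. accept hosts = ...   matched hosts skip every later check
    if any(addr in ipaddress.ip_network(net) for net in whitelist):
        return ("accept", "whitelisted")
    # 2. deny dnslists = ...  first blocking list that matches rejects
    for zone in block_zones:
        if is_listed(ip, zone, resolve):
            return ("deny", zone)
    # 3. warn dnslists = ...  tag only, the mail is still accepted
    tags = [z for z in tag_zones if is_listed(ip, z, resolve)]
    note = "tagged:" + ",".join(tags) if tags else "clean"
    return ("accept", note)

# Constructed zone data using documentation addresses, not real listings.
FAKE_DNS = {
    "7.113.0.203.sbl.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],  # our own server, listed
    "9.100.51.198.bl.spamcop.net": ["127.0.0.2"],
}

def fake_resolve(name):
    """Offline stand-in for a DNS A lookup."""
    if name not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[name]

if __name__ == "__main__":
    own, block, tag = ["192.0.2.0/28"], ["sbl.spamhaus.org"], ["bl.spamcop.net"]
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.9", "203.0.113.50"):
        print(ip, check_recipient(ip, own, block, tag, fake_resolve))
```

Calling `check_recipient` with an empty whitelist shows the case the whitelist guards against: the operator's own listed server is then rejected like any other listed host.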
     
  18. perlchild

    perlchild Well-Known Member

    Joined:
    Sep 1, 2002
    Messages:
    279
    Likes Received:
    0
    Trophy Points:
    16
    It's my understanding that antirelayd adds those automatically when users from those IPs connect by POP, and removes them after a timeout period; there should be no cause for concern.

     
  19. croakingtoad

    croakingtoad Member

    Joined:
    Dec 30, 2003
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Roanoke, VA, US
    For those of us who are still ignorant and learning, can someone post a copy of exactly what should go where if I were interested in using the spamhaus block lists and allowing any mail from my domain?

    Thanks!
     
  20. Bruce

    Bruce Well-Known Member

    Joined:
    Oct 4, 2001
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    16
    This is our list in use and is cutting spam down by 75%

    deny message = $sender_host_address is listed \
    at $dnslist_domain
    dnslists = relays.ordb.org : \
    sbl-xbl.spamhaus.org : \
    list.dsbl.org : \
    blackholes.mail-abuse.org : \
    bl.spamcop.net : \
    spam.dnsrbl.net : \
    blackholes.easynet.nl : \
    proxies.blackholes.easynet.nl : \
    cbl.abuseat.org : \
    infolink.blackholes.us : \
    korea.blackholes.us : \
    brazil.blackholes.us : \
    nigeria.blackholes.us : \
    argentina.blackholes.us : \
    malaysia.blackholes.us : \
    singapore.blackholes.us : \
    taiwan.blackholes.us : \
    turkey.blackholes.us : \
    wanadoo-fr.blackholes.us : \
    russia.blackholes.us : \
    mexico.blackholes.us : \
    above.blackholes.us : \
    he.blackholes.us : \
    interbusiness.blackholes.us : \
    china.blackholes.us : \
    opm.blitzed.org
    deny local_parts = ^.*[@%!/|]
    message = I've never seen @, %, !, /, or | in an e-mail. Neither should you.
     