DNS-based blackhole list

from Wikipedia, the free encyclopedia

DNS-based blackhole lists (DNSBLs) are blacklists that can be queried in real time and are used to classify e-mail of dubious origin as spam. The first DNSBL to become known to a broader professional public was the Real-time Blackhole List (RBL), which was part of Paul Vixie's MAPS (Mail Abuse Prevention System) and was first made available as a BGP feed and later as a DNSBL. RBL is a registered trademark of Trend Micro.


Most DNSBLs list the IP addresses of computers that have attracted attention in the past by frequently sending unwanted spam messages. Some lists also contain sources of computer viruses and other malware. Today these computers are mostly Trojanized PCs or, less often, open mail relays that have been misused by spammers.

Mail servers or spam detection software (e.g. SpamAssassin) can evaluate these lists almost in real time via the DNS protocol when a mail is received. If the result is positive, they can refuse to accept the mail, delay its acceptance (tar pit, greylisting) or mark the mail so that the recipient can filter it without much effort. Using several trustworthy DNSBLs in connection with greylisting has proven to be very efficient (status at the end of 2007).

As the name suggests, querying a DNSBL is, from a technical point of view, a DNS query. In most cases, no additional firewall rule is required.

Advantages and disadvantages

The main advantage of DNSBLs is that the query is quick and technically easy to implement.

When used appropriately, a DNSBL is very efficient and rarely produces false positives.

The main disadvantage of DNSBLs is best illustrated by an example:

If a customer sends spam via the mail server of their provider and the IP address of the mail server is listed as a result, mail from other customers using the same mail server can be classified as spam. Practically every sender of mass e-mails has similar problems, even with confirmed opt-in.

If e-mails are rejected on the basis of DNSBL entries and several DNSBLs are consulted one after another, the false positives of the individual lists add up. For this reason, only a few, well-chosen DNSBLs should be used to reject e-mail. To mitigate this problem, the results of the DNSBL queries can be weighted together with other criteria. The combined result is then used for spam classification and, if necessary, to reject the mail (as is done, for example, in SpamAssassin).
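The following Python sketch is an added example, not part of the original article. It shows the DNS query described above and the weighted evaluation of several lists. The query name (reversed address labels plus the list's zone) and the 127.0.0.0/8 answer range follow the RFC 5782 convention. The zone names, weights, thresholds and the fake resolver are constructed assumptions.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782: listings answer in 127/8

def dnsbl_query_name(ip, zone):
    """Build the DNS name to look up: reversed address labels + list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")              # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN (not listed), timeout, etc.
        return []

def is_listed(answers):
    # Only 127.0.0.0/8 answers count; anything else (e.g. a resolver that
    # rewrites NXDOMAIN to a search page) must not be read as a listing.
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)

def classify(ip, zones, resolve=system_resolver, reject_at=5.0, tag_at=2.0):
    """Sum the weights of all lists that contain ip and map the score to an action."""
    hits = [z for z in zones if is_listed(resolve(dnsbl_query_name(ip, z)))]
    score = sum(zones[z] for z in hits)
    if score >= reject_at:
        verdict = "reject"
    elif score >= tag_at:
        verdict = "tag"
    else:
        verdict = "accept"
    return verdict, score, hits

# Constructed sample data: hypothetical zones and weights, and a fake resolver
# standing in for DNS so the example runs offline.
ZONES = {"bl-a.example": 3.0, "bl-b.example": 3.0, "bl-c.example": 1.0}
FAKE_DNS = {
    "99.2.0.192.bl-a.example": ["127.0.0.2"],
    "99.2.0.192.bl-b.example": ["127.0.0.4"],
    "7.100.51.198.bl-a.example": ["127.0.0.2"],
    "7.100.51.198.bl-c.example": ["203.0.113.10"],  # not in 127/8, ignored
}
def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7", "203.0.113.5"):
        print(ip, classify(ip, ZONES, resolve=fake_resolve))
```

With these weights a single listing only tags the mail, while two independent listings are needed to reject it, so one list's false positive does not by itself cause a rejection.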

With some DNSBLs it is difficult, expensive or even impossible to have an IP address removed again (delisting). In such cases, the DNSBL does less harm to the spammers than to the owners of abused computers. The administrator of a mail server must therefore carefully consider which RBLs to use in order to avoid false positives. Some RBLs such as spamhaus.org or Spamcop automatically remove the list entries after a certain period of time.

