DNS-based blackhole list
DNS-based blackhole lists (DNSBLs) are blacklists that can be queried in real time and are used to classify e-mail of dubious origin as spam. The first DNSBL to become known to a broader professional public was the Real-time Blackhole List (RBL), which was part of Paul Vixie's MAPS (Mail Abuse Prevention System) and was first made available as a BGP feed and later as a DNSBL. RBL is a registered trademark of Trend Micro.
Function
Most DNSBLs list the IP addresses of computers that have attracted attention in the past due to frequent sending of unwanted spam messages. Some lists also contain sources of computer viruses and other malware. Today these computers are mostly Trojanized PCs or, less often, open mail relays that have been misused by spammers.
Mail servers or spam detection software (e.g. SpamAssassin) can evaluate these lists almost in real time via the DNS protocol when a mail is received and, if the result is positive, refuse to accept the mail, delay its acceptance (tar pit, greylisting) or mark the mail so that the recipient can filter it without much effort. Using several trustworthy RBLs in connection with greylisting has proven to be very efficient (status at the end of 2007).
As the name suggests, querying a DNSBL is, from a technical point of view, a DNS query. In most cases, no additional firewall rule has to be opened for it.
Advantages and disadvantages
The main advantage of DNSBLs is that the query is quick and technically easy to implement.
When used appropriately, they are very efficient and rarely produce false positives.
The main disadvantage of DNSBLs is best illustrated by an example:
If a customer sends spam via the mail server of his provider and the IP address of the mail server is therefore listed, mail from other customers using the same mail server can be classified as spam. Practically every sender of mass emails has similar problems, even with confirmed opt-in.
If e-mails are rejected due to DNSBL entries and several DNSBLs are queried one after another, the false positives of the individual lists add up. For this reason, only a few, well-chosen DNSBLs should be used to reject email. To mitigate this problem, the results of the DNSBL queries can be weighted together with other criteria. The weighted result is then used for spam classification and, if necessary, to reject the mail (as is done, for example, in SpamAssassin).
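The DNS query described under Function and the weighting described above, as an added example that is not part of the original article. It follows the RFC 5782 convention (reversed address labels prepended to the list's zone, listings answered from 127.0.0.0/8); the zone names, weights, threshold and DNS answers are constructed, and the resolver is injectable so the sample runs offline.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 answer range

def dnsbl_query_name(ip, zone):
    """Build the name to look up: reversed address labels + list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # 192.0.2.99 -> 99.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # IPv6: reversed hex nibbles
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """A-record lookup via the system resolver; a failed lookup means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolver):
    """Count only answers inside 127.0.0.0/8; any other answer is not a listing."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)

def spam_score(ip, weighted_zones, resolve=system_resolver):
    """Sum the weights of all lists that contain the address."""
    return sum(w for zone, w in weighted_zones.items() if is_listed(ip, zone, resolve))

# Constructed sample data: zones, weights and DNS answers are made up.
ZONES = {"bl-a.example": 2.5, "bl-b.example": 1.0, "dead-list.example": 3.0}
FAKE_DNS = {
    "99.2.0.192.bl-a.example": ["127.0.0.2"],
    "99.2.0.192.dead-list.example": ["203.0.113.10"],  # not in 127/8: ignored
    "7.100.51.198.bl-b.example": ["127.0.0.4"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

def verdict(ip, threshold=2.0, resolve=fake_resolve):
    """Reject only when the combined weight reaches the (assumed) threshold."""
    return "reject" if spam_score(ip, ZONES, resolve) >= threshold else "accept"
```

A hit on a single low-weight list leaves the mail below the threshold, so one list's false positive does not cause a rejection on its own.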
With some DNSBLs it is difficult, expensive or even impossible to have an IP address removed again (delisting). In such cases, the DNSBL does less harm to the spammers than to the owners of abused computers. The administrator of a mail server must therefore carefully consider which RBLs to use in order to avoid false positives. Some RBLs such as spamhaus.org or Spamcop automatically remove the list entries after a certain period of time.