Monday, October 15, 2007

DNS block list effectiveness

There has been some discussion this morning on one of the lists that I am on about the effectiveness of DNS block lists (aka realtime block lists). I have made no secret of my support for block lists over the years, but others think they are downright evil. I have had great success with RBLs / DNSBLs over the years, provided I use the right one. My favorite is the ZEN list from the Spamhaus Project. It is not too aggressive, and I find that it blocks between 70 and 80% of the connections from spammers.

Other RBLs are a bit too aggressive for me and I end up blocking legitimate traffic. Spamhaus has a number of different lists, but I use their ZEN list (which combines all of their other lists). Here is a summary of their lists, taken from the DNSBL resource site:
  • SBL (Spamhaus Block List), which aims to block verified spam sources, spam gangs, and supporters of spam. This list is manually operated, in that every listing is the result of a volunteer deciding that a given IP address or network block merits listing.
  • XBL (Exploits Block List), which aims to block infected computers, open proxies, and the like. Data for this list is supplied by (or supplemented by) outside sources, such as the CBL (Composite Blocking List), meaning that if you use the XBL to filter or reject mail, you do not need to also use the CBL.
  • PBL (Policy Block List), which aims to reject mail from machines that are not meant to be mail servers, ones that would not normally send mail. This includes end user computers on dynamic internet connections (dialup, cable modems, DSL), unassigned IP addresses, web servers, etc. The data from this list is compiled by Spamhaus based on their personal observations, and also from information provided from various internet service providers who choose to cooperate in attempts to help reduce spam delivery effectiveness.
  • ZEN (zone: zen.spamhaus.org) is a combination of all of the above lists. If you are using the ZEN list, you do not need to also use the other lists individually.

One issue that some people run into when using the CBL (Composite Blocking List) is that it includes DHCP ranges for residential providers, but every once in a while one of those IP ranges is used by a business provider.

Remember, if you use an RBL, start out by adding one at a time (if you are going to use more than one). Always implement your RBL settings on the message hygiene system that accepts mail from the Internet. If you use a managed provider, you don't need one. If you have a 3rd-party system sitting in your DMZ/perimeter network, THAT is where you implement the RBL.
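As an added example (not code from the original post), here is what a ZEN lookup looks like in Python: reverse the connecting client's IPv4 octets, query them under zen.spamhaus.org, and map the 127.0.0.x answer back to SBL/XBL/PBL so that you can enable the sub-lists one at a time, as recommended above, and never treat an error answer as a listing. The answer-code table is assumed from Spamhaus's published documentation rather than stated on this page, and the resolver table at the bottom is constructed so the example runs offline.

```python
import socket
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional, Set

ZEN_ZONE = "zen.spamhaus.org"

# ZEN answer code -> sub-list, as documented by Spamhaus (assumed from their
# published usage notes, not from the post); check current docs before relying on it.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# 127.255.255.x answers signal a query problem (limits, open resolver), not a listing.
ERROR_PREFIX = "127.255.255."

Resolver = Callable[[str], Optional[List[str]]]

def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.2.1 -> 1.2.0.192.<zone>."""
    return ".".join(reversed(str(IPv4Address(ip)).split("."))) + "." + zone

def dns_resolve(name: str) -> Optional[List[str]]:
    """Live resolver: A records mean 'listed'; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None

def zen_lookup(ip: str, resolve: Resolver = dns_resolve) -> Set[str]:
    """Return the ZEN sub-lists (SBL/XBL/PBL) covering ip, or {'ERROR'} on an error code."""
    answers = resolve(dnsbl_query_name(ip)) or []
    return {"ERROR" if a.startswith(ERROR_PREFIX) else ZEN_CODES.get(a, "UNKNOWN")
            for a in answers}

def should_reject(ip: str, enabled=("SBL", "XBL"), resolve: Resolver = dns_resolve) -> bool:
    """Reject only on sub-lists enabled so far (add them one at a time); errors never reject."""
    return bool(zen_lookup(ip, resolve) & set(enabled))

# Constructed offline answers (not real listings) so the example runs without network access.
FAKE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "2.0.0.10.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # infected host on a dynamic range
    "3.0.0.10.zen.spamhaus.org": ["127.0.0.11"],               # dynamic range only (PBL)
    "1.2.0.192.zen.spamhaus.org": None,                        # not listed
    "4.0.0.10.zen.spamhaus.org": ["127.255.255.255"],          # error: query limit exceeded
}

def fake_resolve(name: str) -> Optional[List[str]]:
    """Offline stand-in for dns_resolve, backed by the constructed table above."""
    return FAKE_ANSWERS.get(name)
```

Call `should_reject("10.0.0.3", resolve=fake_resolve)` to see a PBL-only hit accepted while PBL is not yet enabled, and pass `enabled=("SBL", "XBL", "PBL")` once you are ready to turn that list on; swap in `dns_resolve` for live lookups.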

3 Comments:

At 1:35 PM, Blogger Howie said...

Jim -

I also use zen.spamhaus.org ... in addition to:

list.dsbl.org
combined.njabl.org
bhnc.njabl.org
dnsbl.ahbl.org

I'm extremely wary of using something too aggressive, as I don't want anything potentially blocked that shouldn't be ... and I've had great success with these.

I've tried spamcop and have had some valid messages rejected so I don't use them anymore for outright rejection (but I use it in a weighing system once it gets past the first filter).

What other lists do you also use? I've found the best source for new / changing RBL settings is to ask others what they use and how they implement it.

-Howie

At 6:06 AM, Blogger robert henrichs said...

I'd be careful using Spamhaus->XBL->CBL . . . The CBL and by proxy the XBL are too aggressive, they go beyond the bounds of detecting spam operators and list sites that have even the slightest configuration problem, even with zero spam messages ever being sent, no spyware, no open proxies!
