Monday, October 15, 2007

DNS block list effectiveness

There has been some discussion this morning on one of the lists that I am on about the effectiveness of DNS block lists (aka realtime block lists). I have made no secret of my support of block lists over the years, but others think they are downright evil. I have had great success with RBLs/DNSBLs over the years, provided I have used the right one. My favorite is the ZEN list from the Spamhaus Project. It is not too aggressive, and I find that it blocks between 70 and 80% of the connections from spammers.

Other RBLs are a bit too aggressive for me, and I end up blocking legitimate traffic. Spamhaus has a number of different lists, but I use their ZEN list (which combines all of their other lists). Here is a summary of their lists, taken from the DNSBL resource site:
  • SBL (Spamhaus Block List), which aims to block verified spam sources, spam gangs, and supporters of spam. This list is manually operated, in that every listing is the result of a volunteer deciding that a given IP address or network block merits listing.
  • XBL (Exploits Block List), which aims to block infected computers, open proxies, and the like. Data for this list is supplied by (or supplemented by) outside sources, such as the CBL (Composite Blocking List), meaning that if you use the XBL to filter or reject mail, you do not need to also use the CBL.
  • PBL (Policy Block List), which aims to reject mail from machines that are not meant to be mail servers, ones that would not normally send mail. This includes end user computers on dynamic internet connections (dialup, cable modems, DSL), unassigned IP addresses, web servers, etc. The data from this list is compiled by Spamhaus based on their personal observations, and also from information provided from various internet service providers who choose to cooperate in attempts to help reduce spam delivery effectiveness.
  • ZEN (zone: zen.spamhaus.org) is a combination of all of the above lists. If you are using the ZEN list, you do not need to also use the other lists individually.
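To make the mechanics concrete, here is an added example (not from the original post and not Spamhaus's code) of how a mail gateway checks a connecting IP against a zone such as zen.spamhaus.org: the client's octets are reversed, the zone name is appended, and an A record in 127.0.0.0/8 means "listed", with the last octet telling you which sublist (SBL, XBL or PBL) produced the hit. The return-code mapping below is my reading of Spamhaus's published documentation and should be verified against the current docs; the resolver is injectable so the example runs offline with a constructed answer table, and RFC 1918/loopback addresses are never sent to the DNSBL.

```python
import ipaddress
import socket

# Sublist mapping for ZEN return codes (127.0.0.x). Assumption based on
# Spamhaus documentation as I recall it; confirm before relying on it.
ZEN_RETURN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",   # SBL CSS
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",  # ISP-maintained PBL entry
    "127.0.0.11": "PBL",  # Spamhaus-maintained PBL entry
}

# Address ranges that should never be looked up: they are not routable
# on the Internet and would only leak queries to the DNSBL operator.
LOCAL_NETWORKS = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
    ipaddress.IPv4Network("127.0.0.0/8"),
]


def build_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the IPv4 octets and append the DNSBL zone name."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_response(answer: str) -> str:
    """Map one A-record answer to the sublist that produced the listing."""
    if not answer.startswith("127.0.0."):
        # A DNSBL only ever answers inside 127.0.0.0/8; anything else means a
        # broken, expired or hijacked zone and must not be treated as a hit.
        return "UNEXPECTED"
    return ZEN_RETURN_CODES.get(answer, "UNKNOWN")


def _system_resolver(name: str) -> list:
    """Default resolver: ask the OS. NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def check_ip(ip: str, zone: str = "zen.spamhaus.org", resolver=None) -> list:
    """Return the sorted sublists that list `ip`, or [] when it is clean.

    `resolver` takes a DNS name and returns the A-record strings; it is
    injectable so that the check can be exercised without network access.
    """
    resolver = resolver or _system_resolver
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in LOCAL_NETWORKS):
        return []  # internal hosts are never listed and never queried
    answers = resolver(build_query_name(str(addr), zone))
    hits = {classify_response(a) for a in answers}
    hits.discard("UNEXPECTED")  # fail open on a broken zone, never fail closed
    return sorted(hits)


if __name__ == "__main__":
    # Constructed answer table standing in for the real zone (offline demo).
    fake_zone = {
        "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
    }
    fake_resolver = lambda name: fake_zone.get(name, [])
    for client in ("192.0.2.10", "192.0.2.11", "192.168.1.5"):
        print(client, "->", check_ip(client, resolver=fake_resolver) or "not listed")
```

A gateway using this would reject the SMTP connection when `check_ip` returns a non-empty list; logging which sublist fired is what lets you tell an outright spam source (SBL) from a dynamic range your business partner happens to be sending from (PBL) when you investigate a false positive.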

One issue that some people find when using the CBL (Composite Blocking List) is that it includes DHCP ranges for residential providers, but every once in a while one of those IP ranges is used by a business provider.

Remember, if you use an RBL, start out by adding one at a time (if you are going to use more than one). Always implement your RBL settings on the message hygiene system that accepts mail from the Internet. If you use a managed provider, you don't need one. If you have a third-party system sitting in your DMZ/perimeter network, THAT is where you implement the RBL.