Mail server spam blacklists

Fri, 2008-10-10 23:30 by admin

DNS spam blacklists are run by independent companies or small groups of private persons to help fight spam. They work like this:

  1. They find objectionable SMTP (sending mail) servers through various methods like spam traps or IP range qualifications. For example, at least one of the blacklists contains all known IP address ranges that are used for direct dial-in, so they catch spammers using hijacked computers for direct spamming, like botnets.
  2. The blacklisted IP addresses are put into a special DNS (Domain Name System) server.
  3. Receiving mail servers like mine query all of these DNS blacklists for each incoming mail.
  4. If the sending mail server bears an IP address that is in at least one of the blacklists, the mail is instantly rejected with an error message.
  5. The sending server, the one that is blacklisted, is supposed to generate a bounce mail and send it back to the original mail sender, which seems to work reliably.

I keep tuning my mail server and regularly try to find and check the available DNS blacklists (DNSBL) by reading statistics and opinions. The result is that I currently (last change: 2011-07-10) use the following blacklists to block mail without any scoring or further conditions:

  1. zen.spamhaus.org
  2. b.barracudacentral.org
  3. cbl.abuseat.org
  4. psbl.surriel.com
  5. dul.dnsbl.sorbs.net
  6. bl.spamcop.net
  7. ix.dnsbl.manitu.net
  8. v4.fullbogons.cymru.com

The lists are ordered so that the ones most likely to catch a bogus mail come first, for performance reasons.

Together these blacklists block roughly 95% of all incoming spam on my server, which is a really nice result.

Notes:

  1. I had to stop using dnsbl-1.uceprotect.net, because it led to too many rejections, mostly from African mail servers, but also from at least one American mail server. Don't even think about using dnsbl-2.uceprotect.net, because that, and even more so dnsbl-3.uceprotect.net, blacklist whole ranges of IP addresses if just one of them was caught spamming. You can use these lists only if you have a scoring mechanism in place, and then only with a low weight.
  2. The spamcop blacklist used to be over-aggressive, but this has changed recently. This list is now eminently usable even in conservative settings.
  3. At least two of the blacklists contain dynamic IP addresses, such as dial-in ports and DSL addresses. If your mail server checks mail coming from authenticated users against the blacklists (which it shouldn't do, but some do), then you cannot use these lists. Try to make all your mail users use port 587, the new mail submission port, for SMTP instead of port 25. Some mail servers do check mail arriving on port 25 against the blacklists even if the user has authenticated, while mail arriving on port 587 can only be delivered by authenticated users and should never be checked against any blacklist.
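The lookup procedure from the numbered steps above, with the ordered list and the port 587 exception from note 3, as an added Python example (not code from this page or from any of the listed blacklists). It assumes the standard DNSBL convention of reversing the IPv4 octets under the zone name and treating a 127.0.0.0/8 A record as "listed"; the stub resolver and its listings are constructed so the example runs offline.

```python
import ipaddress
import socket

# The post's blacklists in its order: most likely hits first, so check_sender
# can stop at the first listing for most spam.
BLACKLISTS = [
    "zen.spamhaus.org", "b.barracudacentral.org", "cbl.abuseat.org",
    "psbl.surriel.com", "dul.dnsbl.sorbs.net", "bl.spamcop.net",
    "ix.dnsbl.manitu.net", "v4.fullbogons.cymru.com",
]
# Loopback and RFC 1918 ranges are never looked up in a public DNSBL.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LISTED = ipaddress.ip_network("127.0.0.0/8")  # a DNSBL "listed" answer lies here (RFC 5782)

def dnsbl_query_name(ip, zone):
    """Lookup name for ip in zone: octets reversed, then the zone (5.2.0.192.zone)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def live_resolver(name):
    """Real lookup: an A record means listed; NXDOMAIN or any lookup error means not."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # failing open keeps a broken list from rejecting all mail
        return None

def check_sender(ip, submission=False, blacklists=BLACKLISTS, resolve=live_resolver):
    """Return the first zone listing ip, or None. Authenticated submission (port 587) is never checked."""
    if submission:
        return None
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in LOCAL_NETWORKS):
        return None
    for zone in blacklists:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Only a 127/8 answer counts; a stray public address (wildcarded dead
        # zone, ISP NXDOMAIN redirect) must not cause a rejection.
        if answer is not None and ipaddress.IPv4Address(answer) in LISTED:
            return zone
    return None

# Constructed stub resolver so the example runs offline; 192.0.2.0/24 is the
# RFC 5737 documentation range and these listings are made up for the demo.
STUB_ANSWERS = {
    dnsbl_query_name("192.0.2.5", "cbl.abuseat.org"): "127.0.0.2",
    dnsbl_query_name("192.0.2.5", "bl.spamcop.net"): "127.0.0.2",
    dnsbl_query_name("192.0.2.7", "zen.spamhaus.org"): "203.0.113.1",  # bogus non-127/8 answer
}
def stub_resolver(name):
    return STUB_ANSWERS.get(name)
```

With resolve left at its default, check_sender queries the live lists; the stub exists only for the offline demonstration.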

I am grateful for comments.