dnsbl

Tom Anderson tanderso at oac-design.com
Wed Nov 10 15:34:52 CET 2004


Hi all, I recently added a step to my spam-fighting process which I thought 
I'd share.  I'm sure many of you are aware already of various block lists 
for rejecting mail at SMTP time, but I didn't really bother until recently 
because I thought Bogofilter was all I needed.  However, even though 
Bogofilter has been working beautifully, my mail server has been bogged down 
processing all of the spams.  So I figured, what the hey, I'll try these 
things out and see how they work.  Well, let me tell you!  I eliminated at 
least 80% of spam being accepted for delivery!  From the user's perspective, 
the only thing it accomplishes is to reduce the number of emails to delete 
in their "spam" folder, since Bogofilter was filtering these already; but 
from the administrator's perspective, the server is spending much less time 
crunching unnecessary spams, plus it uses much less bandwidth now.  By far, 
Spamhaus has been the most active match on spammers, but SORBS and DSBL have 
shown up in the logs fairly regularly as well.  Here are all of the lines I 
added to my sendmail.mc file:

FEATURE(`dnsbl',`http.dnsbl.sorbs.net',`"554 Rejected. " $&{client_addr} " found in http.dnsbl.sorbs.net. Please correct your open proxy issue, and/or contact addressee through other means."')dnl
FEATURE(`dnsbl',`socks.dnsbl.sorbs.net',`"554 Rejected. " $&{client_addr} " found in socks.dnsbl.sorbs.net. Please correct your open proxy issue, and/or contact addressee through other means."')dnl
FEATURE(`dnsbl',`smtp.dnsbl.sorbs.net',`"554 Rejected. " $&{client_addr} " found in smtp.dnsbl.sorbs.net. Please correct your open proxy issue, and/or contact addressee through other means."')dnl
FEATURE(`dnsbl',`web.dnsbl.sorbs.net',`"554 Rejected. " $&{client_addr} " found in web.dnsbl.sorbs.net. Please correct your open proxy issue, and/or contact addressee through other means."')dnl
FEATURE(`dnsbl',`relays.visi.com',`"554 Rejected. " $&{client_addr} " found in relays.visi.com. Please correct your open relay problem, and/or contact addressee through other means."')dnl
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`"554 Rejected. " $&{client_addr} " found in sbl-xbl.spamhaus.org. Please correct your Spamhaus designation as a spammer, and/or contact addressee through other means."')dnl
FEATURE(`dnsbl',`list.dsbl.org',`"550 Refused. " $`'&{client_addr} " found in list.dsbl.org. Please correct your DSBL designation as a spammer, and/or contact addressee through other means."')dnl
FEATURE(rhsbl,`dsn.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not accept bounces. This violates RFC 821/2505/2821 - see http://www.rfc-ignorant.org/"')dnl
FEATURE(rhsbl,`postmaster.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not have a working postmaster address - see http://www.rfc-ignorant.org/"')dnl
FEATURE(rhsbl,`bogusmx.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. An MX for your domain is bogus - see http://www.rfc-ignorant.org/"')dnl
FEATURE(rhsbl,`whois.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. The WHOIS information is missing, incomplete, or incorrect - see http://www.rfc-ignorant.org/"')dnl

Note: do not use the DUL or "dynamic and dial-up" lists, as these will tend 
to reject mail from anyone on DSL, Cable, or dial-up who happens to receive 
a dynamic IP which had previously been used to spam, either consciously or 
via a worm or spyware.  This is why I don't use just "dnsbl.sorbs.net", as 
that includes the DUL list, and I ended up rejecting mail from my own home 
workstation!  The open proxy/relay, known spammer, and rfc-ignorant lists 
are objective and do not rely on user reporting which can be flawed. 
Therefore I only use these objective lists.  BTW, you need to add a special 
.m4 file from rfc-ignorant.org to use those "rhsbl" lists... the 
instructions on the site are pretty clear.  Does anyone else have favorite 
lists, preferably free as these are, that I haven't included here?

I'm thinking about writing a script which will maintain a list on my domain 
which is built from Bogofilter results.  Has anyone else done anything 
similar?

Tom
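
Added example (not part of the original post, and not sendmail's own code): a small checker for seeing which of the IP-based zones above would list a given client address before the rejections go live, for instance a home workstation's address. A DNSBL lookup reverses the IPv4 octets, appends the zone, and asks for an A record; the function names are hypothetical, and the rhsbl zones are left out because they are keyed by sender domain rather than by IP.

```python
import ipaddress
import socket

# IP-based zones taken from the sendmail.mc lines in the post above.
ZONES = ["http.dnsbl.sorbs.net", "socks.dnsbl.sorbs.net",
         "smtp.dnsbl.sorbs.net", "web.dnsbl.sorbs.net", "relays.visi.com",
         "sbl-xbl.spamhaus.org", "list.dsbl.org"]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.25 -> 25.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] on NXDOMAIN or lookup failure."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except (socket.gaierror, socket.herror):
        return []


def check(client_ip, zones=ZONES, resolve=system_resolver):
    """Map each zone that lists client_ip to the return codes it answered with.

    Only answers inside 127.0.0.0/8 count as a listing; any other answer
    (for example a wildcard record on a parked zone) is ignored.
    """
    hits = {}
    for zone in zones:
        answers = resolve(query_name(client_ip, zone))
        codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
        if codes:
            hits[zone] = codes
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python3 dnsbl_check.py <ipv4>; 127.0.0.2 is the conventional test entry.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    for zone, codes in check(target).items():
        print(f"{zone}: listed ({', '.join(codes)})")
```

Pass a different `resolve` callable to run the check against canned answers instead of live DNS.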




