Which anti-spam DNS blacklists should be used?

43,651

Solution 1

Here is my list and why I use them:

zen.spamhaus.org - Comprehensive RBL, catches a ton of spam sources, updated regularly. They have a long history and decent reputation in the spam filtering community. I have heard some negative things about them from time to time, but those are generally without real merit. Downside is that if your volume of traffic is high enough they will block access to the free list and you'll need to set up a paid account. Personal or small business mail servers usually do not have this problem.

b.barracudacentral.org - Another very good list from another major industry player. I've heard a lot of negative things about the Barracuda devices themselves, but their RBL is top-notch. Downside is that you have to register with them in order to use it. We've never had a false positive reported that was caused by this list, and it blocks a lot of traffic for us. See http://www.barracudacentral.org/rbl for details.

We've found that using these two lists alone, we see a significant reduction in spam intake on the server. The other lists that we've tried did not even come close to being as productive as either of these lists and essentially just wasted network resources and time while processing the incoming messages.

Here are some that I do not use and why (your experience may vary):

bl.spamcop.net - Too many false positives for our taste. They rely almost entirely on user submissions to power the list, and the people submitting are usually trigger happy and submit even legitimate messages as spam to their service, causing popular providers to get blocked when they probably shouldn't be. I have heard that this has been improved recently but we got burned too many times to go back and try again just yet.

dnsbl.sorbs.net - They run a comprehensive list, but there are too many options for my taste. They have a lot of coverage, and block a lot of traffic, but finding the right mix of lists that they supply requires a lot of trial and error. The removal process for their spam list requires a verifiable minimum donation to one of their approved charities. If one of my clients ends up on their list (whatever the cause) and we block their traffic, I don't want to have to tell them that they have to donate to a charity to appease a blacklist that we use. They are, of course, free to run their list however they like, but that is not the kind of news I want to deliver to my clients if they end up on the SORBS list and are unable to send me e-mail.

Solution 2

'zen.spamhaus.org' is pretty good. I recommend it.

Solution 3

You shouldn't be using DNSBLs directly. They cause too many false positives. The goal isn't necessarily to block spam, but to let all the good mail through. If you use a blacklist as an authority on what is spam, you'll have your bosses upset and nobody wants that.

Instead, use a composite approach. Tools like Spam Assassin or the various anti spam appliances use multiple sources and techniques. No one test determines if an email is spam.

Solution 4

The goal of using a DNS blacklist should not be to stop all spam -- it should be to block a good percentage of the spam, say 1/2 to maybe 2/3 of it. You're mainly doing this to reduce load on your servers.

The next step, the truly effective spam removal step, is a Bayesian filtering engine. See Paul Graham's original article. The main benefit of Bayesian filtering is that it provides an individual score for each email, based on the recipient's past email history, interests and language.

If you follow the above approach it becomes important to avoid false positives in the first line of defense. You don't really care to maximize the effectiveness of the first filter, as you'll probably catch the remaining spam with the second filter. But you don't want false positives, as they cannot be undone later.

For this reason I like the University of Alberta traplist as my first filter. It contains only entries which have a very big probability of being spammers, and entries are removed if they have not been seen spamming within the last 24 hours.

The list can be downloaded from here. It is created by first greylisting (delaying first-time mail senders) and then greytrapping (if a mail server is already greylisted & it attempts delivery to a non-publicized email address, then greytrap it).

After 24 hours a host is automatically removed from the list, and is free to send emails again. Thus if the spamming has ended (say, a trojan was found and removed), then the host is free to send emails again. And if he's still spamming, then he will most likely just end up in the greytrap again shortly.

As said, I like the University of Alberta traplist a lot, but for completeness I should also mention Spamhaus DROP. It has a more minimalistic approach than most other RBLs, and would also make a good first filter in the above setup.
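The greylist-then-greytrap mechanism with its 24-hour expiry, as described in this answer, written out as an added Python example. It is not the University of Alberta's code; the 5-minute greylist delay, the trap address and the clock origin are constructed for the demonstration.

```python
from datetime import datetime, timedelta
from typing import Dict, List

GREYLIST_DELAY = timedelta(minutes=5)   # constructed: a first-time sender must retry after this
TRAP_TTL = timedelta(hours=24)          # from the answer: trapped hosts expire after 24 hours
TRAP_ADDRESSES = {"noone@example.org"}  # constructed: addresses that were never published
T0 = datetime(2022, 9, 17, 12, 0, 0)    # constructed clock origin for the demo


def at(minutes: float) -> datetime:
    """Clock helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


class Greytrap:
    def __init__(self) -> None:
        self.first_seen: Dict[str, datetime] = {}  # ip -> first delivery attempt
        self.trapped: Dict[str, datetime] = {}     # ip -> last trap hit

    def is_trapped(self, ip: str, now: datetime) -> bool:
        last = self.trapped.get(ip)
        if last is None:
            return False
        if now - last >= TRAP_TTL:
            del self.trapped[ip]   # 24 h without a trap hit: the host may send again
            return False
        return True

    def decide(self, ip: str, rcpt: str, now: datetime) -> str:
        """Returns 'reject' (trapped), 'tempfail' (greylisted, retry later)
        or 'accept'."""
        if self.is_trapped(ip, now):
            if rcpt in TRAP_ADDRESSES:
                self.trapped[ip] = now   # still spamming: the 24 h start over
            return "reject"
        first = self.first_seen.setdefault(ip, now)
        if now - first < GREYLIST_DELAY:
            # Still greylisted. A greylisted host that delivers to an address
            # nobody was ever told about is not a real correspondent: trap it.
            if rcpt in TRAP_ADDRESSES:
                self.trapped[ip] = now
                return "reject"
            return "tempfail"
        return "accept"

    def traplist(self, now: datetime) -> List[str]:
        """The exportable list: hosts seen hitting a trap within the last 24 h."""
        return sorted(ip for ip in list(self.trapped) if self.is_trapped(ip, now))


if __name__ == "__main__":
    g = Greytrap()
    print(g.decide("192.0.2.1", "user@example.org", at(0)))        # tempfail
    print(g.decide("192.0.2.1", "user@example.org", at(10)))       # accept
    print(g.decide("198.51.100.9", "noone@example.org", at(0)))    # reject
    print(g.traplist(at(23 * 60)), g.traplist(at(48 * 60)))
```

A legitimate server retries after the temporary failure and is accepted; a host that hits a trap address while still greylisted lands on the list, stays there only while it keeps hitting traps, and drops off automatically once it has been quiet for 24 hours, which is what keeps the list usable as a low-false-positive first filter.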

Solution 5

Whichever one you use, you should not trust it.

Trusting a third party to give you more than a small amount (perhaps 10%) of your spam scores is asking for trouble. In practice these blacklists contain LOTS of false positives. It is very easy to get on to a blacklist and very hard to get off one; most people who get on accidentally never get removed (or stay on for a long time).

You should DEFINITELY NOT refuse deliveries from senders who are on a third party blacklist; you should probably not even trust your own in-house reputation system for this. Spammers' IP addresses do occasionally get taken over by non-spammers, and your users will be annoyed if they cannot receive clean mail from them.

A third party blacklist could be used to give a small amount of spam score. It could also be used to prioritise mail that is coming from "cleaner" sources - but it should definitely not be used as a completely authoritative way of determining that a particular message is spam.
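An added Python example (not code from any of the answers, nor from the list operators) covering two things raised across Solutions 1, 3 and 5: how a DNSBL lookup is actually formed, and how several lists can feed a weighted score instead of a hard reject. The zone names are the ones discussed in the answers; the weights, threshold and offline answers are constructed, and the zone dead.example is hypothetical.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a query name to its A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Zones are the ones discussed in the answers; the weights and threshold are
# constructed for illustration, not recommendations from the thread.
DNSBL_WEIGHTS: Dict[str, float] = {
    "zen.spamhaus.org": 3.0,
    "b.barracudacentral.org": 2.5,
    "bl.spamcop.net": 1.0,
}
SCORE_THRESHOLD = 4.0

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
# Some operators answer query errors (over-limit, public resolver) from
# 127.255.255.0/24 instead of NXDOMAIN; those are not listings.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 on
    zen.spamhaus.org becomes 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listed(answer: Optional[str]) -> bool:
    """A hit is an A record inside 127.0.0.0/8 that is not an error code.
    NXDOMAIN (None) means not listed; any other answer means the zone is
    broken or expired and must not count as a hit."""
    if answer is None:
        return False
    try:
        a = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return a in LISTED_RANGE and a not in ERROR_RANGE


def zone_is_healthy(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A dead zone that answers everything (or nothing) fails this and is
    dropped from scoring rather than trusted."""
    return (listed(resolve(dnsbl_query_name("127.0.0.2", zone)))
            and not listed(resolve(dnsbl_query_name("127.0.0.1", zone))))


def score_sender(ip: str, resolve: Resolver,
                 weights: Dict[str, float] = DNSBL_WEIGHTS) -> Tuple[float, List[str]]:
    """Sum the weights of every healthy list that has the sender; the caller
    feeds the score into its own filter instead of rejecting on one hit."""
    score, hits = 0.0, []
    for zone, weight in weights.items():
        if not zone_is_healthy(zone, resolve):
            continue
        if listed(resolve(dnsbl_query_name(ip, zone))):
            score += weight
            hits.append(zone)
    return score, hits


def verdict(score: float, threshold: float = SCORE_THRESHOLD) -> str:
    """'tag' hands the message on with a spam score; 'pass' leaves it
    untouched. Nothing here rejects outright."""
    return "tag" if score >= threshold else "pass"


def live_resolver(name: str) -> Optional[str]:
    """Real lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed offline answers: 192.0.2.10 is on two lists, 198.51.100.7 is
# clean, every real zone passes the RFC 5782 test points, and the
# hypothetical zone dead.example answers 127.0.0.2 for everything.
FAKE_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.b.barracudacentral.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "10.2.0.192.b.barracudacentral.org": "127.0.0.2",
}


def fake_resolver(name: str) -> Optional[str]:
    if name.endswith(".dead.example"):
        return "127.0.0.2"
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7"):
        s, h = score_sender(sender, fake_resolver)
        print(sender, s, h, verdict(s))
```

Swap `fake_resolver` for `live_resolver` to query the real zones. The health check matters in practice: a list that has shut down (the comments below name two) may start answering for every address, and without the RFC 5782 check it would silently tag all inbound mail.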

Author: coding Bott

I'm a developer, nothing more and nothing less. I prefer to code in C# or Delphi, but other languages are also welcome. Visit my Youtube channel https://www.youtube.com/channel/UCUGFh0z9maXLclwO9qA-lzA .

Updated on September 17, 2022

Comments

  • coding Bott (almost 2 years):

    I want to protect my mail server with DNS blacklists to fight spam.

    There are so many blacklists out there.

    Currently I use:

    ix.dnsbl.manitu.net
    cbl.abuseat.org
    bl.spamcop.net
    safe.dnsbl.sorbs.net
    dnsbl.njabl.org

    Should I add/remove some entries? Which are the best blacklists? Which blacklists shouldn't be used (like Spamhaus)?

    • Erik Nijland (over 14 years):
      safe.dnsbl.sorbs.net should definitely be removed until/unless GFI becomes responsible for cleaning up SORBS. They currently do not exclude addresses upon request in a timely fashion, leaving many innocent companies on the list based on overly broad blocking of address ranges.
  • coding Bott (about 15 years):
    Do you know this story of Spamhaus: attempted extortion (in German - sorry) heise.de/netze/Kommentar-Spam-Ritter-auf-der-schiefen-Bahn--/… klausnahr.wordpress.com/2007/06/20/…
  • Knox (about 15 years):
    I do not know the story, but there's not much meat to that story.
  • Gene Gotimer (about 15 years):
    Translation via Google: translate.google.com/…
  • shylent (about 15 years):
    Don't get me wrong, but it just somehow appears that 99.9% of complaints about DNS banlists come from, how should I put it politically correctly, inexperienced (really, it's asking for a stronger word here) system administrators that are unable to properly set up their misconfigured mail servers. If the mail server/DNS is in order, you will not end up in a DNS banlist such as Spamhaus, that is a fact.
  • coding Bott (about 15 years):
    Critical comments are also welcome.
  • Barry Brown (almost 15 years):
    This should be a comment attached to Gary's answer, not a separate answer.
  • cas (almost 15 years):
    @barry: you need at least 50 rep to leave comments. Shawn only has 1.
  • Sean Lynch (over 14 years):
    opm.blitzed.org is dead, please don't use that one: wiki.blitzed.org/OPM_status See Aaron's answer.
  • Mike (over 9 years):
    This is now over 5 years old. Does it need any updating?