Slashdot Mirror


Choosing a Good DNSBL

stry_cat submitted a story about selecting a good DNSBL. It talks about some of the problems with DNS blacklists and the sorts of things that you should be looking for. Things like Speed, Selection Criteria, and Goals make the list. And of course not requiring payment to be removed from the blacklist.

8 of 152 comments

  1. There is no such thing as a good DNSBL by deviator · · Score: 3, Insightful

    They all have issues; all of them create headaches for administrators of legitimate e-mail servers at one time or another.

  2. NEVER use a DNSBL as an absolute block by ebunga · · Score: 3, Insightful

    DNSBLs are subject to the whims of some of the most unreliable and whiny schmucks on the face of the planet. NEVER under any circumstances use a single DNSBL as an absolute block. Use it to increment a score along the lines of SpamAssassin that will eventually hit a threshold, preferably with a minimal content-based component. Don't even think about using multiple hits on multiple lists as a gauge of spam-worthiness. The amount of inbreeding and sharing among lists is disgustingly high. Not even the Spamhaus aggregate is trustworthy these days.

    Spammers can get around blacklists anyways. They're about as effective as locking a door made of tissue paper. The number of false positives is high. The amount of spam blocked is negligible. My suggestion is to abandon the idea altogether.
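
Added example (not part of the thread or any poster's code): one way to apply the scoring approach from the comment above, where a DNSBL listing adds to a score instead of rejecting outright and overlapping lists are not counted twice. The zone names, weights and threshold are constructed for illustration, and the resolver is passed in so the logic can be exercised offline.

```python
import ipaddress
import socket

# Hypothetical zones and weights (constructed for this example).
DNSBL_WEIGHTS = {"bl-a.example.org": 2.0, "bl-b.example.org": 1.5}
REJECT_THRESHOLD = 5.0  # assumed SpamAssassin-style threshold


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """True if the name resolves (listed); any lookup failure = not listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def dnsbl_score(ip, resolver=system_resolver, weights=DNSBL_WEIGHTS):
    """Score contribution from DNSBLs.

    Lists share data, so hits are not independent evidence: take the
    largest single weight instead of summing them.
    """
    hits = [w for zone, w in weights.items()
            if resolver(dnsbl_query_name(ip, zone))]
    return max(hits, default=0.0)


def verdict(ip, content_score, resolver=system_resolver):
    """Combine DNSBL and content scores; a listing alone never rejects."""
    total = dnsbl_score(ip, resolver) + content_score
    return ("reject" if total >= REJECT_THRESHOLD else "accept", total)
```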

    1. Re:NEVER use a DNSBL as an absolute block by Shaman · · Score: 4, Insightful

      Sounds good, except it's not true. I was just on one of our spam systems (Barracuda 400) and the stats look something like this:

      20,000,000 blocked e-mails
      480,000 tagged e-mails
      90,000 viruses found
      135,000 quarantined messages (user choice to quarantine or not)
      610,000 delivered/approved mail

      To nobody's surprise, some spam is still getting through. This is in less than two weeks, and there are two servers to handle the load, the other one is more or less as bad.

      So what were you saying about not using blacklists?

      --
      ...Steve
    2. Re:NEVER use a DNSBL as an absolute block by ion++ · · Score: 2, Insightful

      How many of your 20,000,000 blocked emails are false positives? aka legit email.

      I would so much agree that using a DNSBL as an absolute block is a bad idea. I have experienced being caught up in them, and that is annoying. Even if the mailserver is removed some days later. Later is not soon enough, I want my email to arrive now.

      I would much rather suggest running some sort of SpamAssassin while the SMTP connection is still open, and if it looks like spam I would reject it. This can be parallelized if needed.

      I would also consider rejecting any email that came with an attachment if you have not already received legit email from the same address. This tries to use the fact that spammers seldom send from the same email address and that they started sending attachments. Legit email does not usually start with an attachment in the first email (at least mine does not). So, if you previously received emails and that email address has a negative spam score, aka not being a spammer, then I would accept attachments, else I would not.

      This might be per domain, but hotmail and others are often used by spammers. This could lead to a domain spamscore, aka if you received emails before from this domain and none was spam, then accept attachments, even if it is the first time someone sends you something from the domain. This is for company uses where John sends you something and then later Jane sends you something with an attachment.

      You might want to allow certain kinds of attachments even if they are not listed before. These attachments could be .vcf files, and possibly .html, but not .pdf or .jpg.
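
Added example (not part of the thread or the poster's code): a sketch of the first-contact attachment policy described in the comment above, with the address history checked first and the domain history as a fallback. The score tables, the free-mail list and the function names are constructed; denying domain-wide trust to free-mail domains is an assumption drawn from the hotmail remark.

```python
import os

# Constructed for this example; the comment names hotmail as a domain that
# spammers also use, so free-mail domains get no domain-wide trust (assumption).
FREEMAIL_DOMAINS = {"hotmail.com"}
# Types the comment would allow from unknown senders (.pdf and .jpg are not).
FIRST_CONTACT_OK = {".vcf", ".html"}


def sender_trusted(sender, address_scores, domain_scores):
    """True if prior mail gave the address, or its domain, a negative score.

    Sign convention from the comment: negative score = not a spammer.
    """
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    if address_scores.get(sender, 0.0) < 0:
        return True
    if domain in FREEMAIL_DOMAINS:
        return False
    return domain_scores.get(domain, 0.0) < 0


def attachment_decision(sender, filenames, address_scores, domain_scores):
    """Return "accept" or "reject" for a message's attachments."""
    if not filenames:
        return "accept"
    if sender_trusted(sender, address_scores, domain_scores):
        return "accept"
    extensions = {os.path.splitext(name.lower())[1] for name in filenames}
    if extensions <= FIRST_CONTACT_OK:
        return "accept"
    return "reject"
```

The sender address and the file extension are both chosen by the sender, so a filter built on this would key the history on an authenticated identity and inspect the attachment's actual content type as well.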

    3. Re:NEVER use a DNSBL as an absolute block by Anonymous Coward · · Score: 1, Insightful

      how many of your 20,000,000 blocked emails are false positives? aka legit email.

      We publish our help desk number in the bounced message. In the 9 months we've been using them, we've been called once. So let's imagine the real rate is 100x worse than that. A false positive rate of .0005%. Which is far higher than many of our SpamAssassin rules, and far higher than the miss rate caused by spam floods tying up servers.

      Pick your DNSBL carefully and they work wonders, cutting server loads by orders of magnitude (we block 98% of incoming connections these days based on DNSBLs, so that effectively makes my server 50x more powerful). Your position on such a powerful anti-spam tech makes me think you yourself are a spammer.

  3. Speed, Selection Criteria and Goals make the list? by jsse · · Score: 1, Insightful

    No...

    It's how quickly the maintainers of this particular DNSBL respond to your request to remove your ass from the list when they choose to blacklist you.

    We have multiple MTAs for a single mail domain, because when an attacker finds some way to relay or bounce back via one of our MTAs and causes it to be blacklisted by the major DNSBLs on earth, we still have other MTAs to take up the job.

    Then we could spend the rest of the week asking for that MTA to be removed from their DNSBL, by email, or worse, by forum.

    Trust me, it's painful.

  4. Re:Requiring payment for delisting by ciscoguy01 · · Score: 2, Insightful

    SORBS require a "donation" to get your IP range off their list, and since we refused to hand over extortion money to these gangsters, there was no way for us to deal with them.
    Which stinks to high heaven. I wish Matthew Sullivan wouldn't do that.

    There are many reasons someone who is not an actual wrongdoer could become listed as a spam source. I have little doubt the parent's organization was such a spam source and did not properly address the issue. They deserved it.
    It's not what problems you have; how you handle those problems is what matters.
    As long as a site addresses the spam problem and gets results, reads their abuse mail and acts like a good net neighbor I have no problems with them. They should be delisted as soon as possible.
    There have been times when certain cable modem operators were the major source of spam in the world and they essentially ignored abuse mail. They should have been disciplined until they clean up their act. Anyone who is not addressing the problem promptly deserves to be blackholed until they solve their problems.
    There are plenty of clueless sysadmins in the world, people who are in over their head, or dominated by the company sales department so they cannot disable a circuit with deliberate spammers on it.
    That's what DNSBLs are supposed to work to change.

    --
    .
  5. Re:Requiring payment for delisting by ciscoguy01 · · Score: 2, Insightful

    If the true goal is to go after the spammers, how does a DNSBL help this?

    ISPs have customers, customers who want their mail to go through. Customers like you. If an ISP has lax abuse policies (or no abuse policies, or is a willing spam host) and you are a legitimate customer of that ISP, your mail may be blocked with the other legitimate customers of the ISP.
    You are not being listed, your ISP is.

    The DNSBL hopes you will call your ISP, and as a valuable customer demand they cure their spam problem so you will be able to send mail.

    If an ISP's customer is spamming me all I can do is complain, and they can ignore me. You are their customer, you are influential and you want your mail to go through, so you are completely within your rights to demand they get rid of their spammers that are causing you problems. Your ISP can make a choice, either deal with spammers and all their legitimate customers go elsewhere or sue them, or get rid of the spammers and have you, legitimate customers.

    It makes perfect sense, doesn't it?

    If we ever get blacklisted by SORBS or any other extortionist and they ask for money, we'll probably sue and/or file a criminal complaint.
    Criminal complaint? Nobody has to accept your email!
    If you are a spammer that's what you might do, which is why most of the DNSBLs are in countries other than the US where they are protected by the local laws from lawsuits like that.
    What you should do is sue your ISP for getting you listed along with them, or demand they cure their spam problem.
    Unless it's you that are the spammers, that is.

    --
    .