
7.2 How DNSBL Works

The acronym DNSBL stands for "Domain Name Services BlackList," where the term blacklist refers to the desire to prohibit all spam.

When sendmail accepts a connection from another site, one of the first things it does is get the IP address of that site. Once armed with that address, it can do a lookup of that address at a DNSBL site. To illustrate, we will use the mail-abuse.org site.[11] To see if the connecting site is an open relay site, sendmail first reverses the IP address. For example, the address 123.45.67.89 becomes 89.67.45.123. Then sendmail prefixes the hostname relays.mail-abuse.org with that reversed IP number and looks up the result as though it is a hostname:

[11] This is a commercial site to which your name server must subscribe to use. Visit http://www.mail-abuse.org/ to find your cost, which can range from free for hobbyists to several thousand dollars for ISPs. Other such sites have existed prior to this writing, but they are now defunct. New sites worth investigating are http://www.ordb.org/, http://spamcop.net/bl.shtml, and http://www.iki.fi/era/rbl/rbl.html.

89.67.45.123.relays.mail-abuse.org

If that hostname is found, the site is listed with mail-abuse.org as an open relay site. If that hostname is not found, the site is not listed and is treated as a good one.

Prior to V8.12, the rbl feature allowed you to use this DNSBL process. Beginning with V8.10, a new feature was added called dnsbl. As of V8.12, the rbl feature was removed. The enhdnsbl feature, an extended version of dnsbl, became available. These features are summarized in Table 7-1 and explained below.

Table 7-1. DNSBL features

Feature     Description
rbl         Deprecated, see dnsbl
dnsbl       Reject mail from hosts in a DNS-based rejection list
enhdnsbl    An enhanced version of dnsbl

7.2.1 FEATURE(dnsbl)

The dnsbl feature is used to enable the blocking of email from open relay sites, dialup sites, or known spamming sites. It does so by invoking the rbl technique discussed in the previous section. The feature is included in your mc configuration file like this:

FEATURE(dnsbl)                        simple form
FEATURE(dnsbl, `optional arguments')  declared with arguments 

In its simplest form, when mail arrives from a site, that site's IP address is reversed and prefixed to the default host blackholes.mail-abuse.org.[12] If the lookup succeeds, the host is considered bad and the following error is sent in reply to the initial connection:

[12] See http://www.mail-abuse.org/ for information about how to subscribe to this service.

550 5.7.1 Rejected: IP listed at blackholes.mail-abuse.org

If the address is not found, the connection is allowed and the mail is accepted depending on subsequent SMTP and header checks. By default, temporary failures are ignored and the connection is treated as good. If you wish temporary failures to cause the sending site to defer the message, you can supply a third argument such as this:

FEATURE(dnsbl, , ,`t')

If the third argument is a literal t character, instead of ignoring temporary errors, the following will be returned:

451 Temporary lookup failure of IP at blackholes.mail-abuse.org

A second argument can be supplied to this feature if you wish to use a lookup host other than, or in addition to, blackholes.mail-abuse.org. The canonical name of the lookup host is simply inserted following a comma after the literal dnsbl:

FEATURE(dnsbl,`dialups.mail-abuse.org')
FEATURE(dnsbl,`dialups.mail-abuse.org', ,`t')

Here, the same check and error returns are done as described earlier, but with the host you specify, dialups.mail-abuse.org, replacing the default host blackholes.mail-abuse.org. The first of the two alternatives ignores temporary errors, and the second honors temporary errors.

Multiple dnsbl features can be included in a single mc file. Each will cause the same host's IP address to be looked up at a different server. For example, the following will cause the IP address to be looked up first with blackholes.mail-abuse.org, and then with dialups.mail-abuse.org:

FEATURE(dnsbl)
FEATURE(dnsbl,`dialups.mail-abuse.org')

In addition to the name of a lookup host, you can also specify your own error message as a second argument. For example, the following looks up the IP number on the host dialups.mail-abuse.org and issues a custom error message in the second argument to the feature (note that this is one line that is wrapped):

FEATURE(dnsbl,`dialups.mail-abuse.org', `"550 Mail from dial-up site " $&{client_addr}
" refused"',`t')

Here, the value of the {client_addr} macro will contain the IP address of the offending host at the time the error is reported.

7.2.2 FEATURE(enhdnsbl)

The enhdnsbl feature (for enhanced dnsbl) is a superset of the dnsbl feature described earlier. It is used like this:

FEATURE(enhdnsbl, optional args)

The enhancement consists of additional arguments—that is, one or more literal addresses you expect returned when an address should be rejected. For example, the following rejects bad dial-up hosts and defers temporary lookup errors:

FEATURE(enhdnsbl,`dialups.mail-abuse.org',`"550 dial-up site 
refused"',`t',`127.0.0.3')
                     
				additional

The first three arguments are the same as those you saw for the dnsbl feature (Section 7.2): the lookup host, an error message, and a t character. But, unlike the dnsbl feature, an error specified in the second argument prevents temporary lookup errors from being deferred. The third argument to enhdnsbl (the t) allows temporary lookup errors to be recognized, which causes delivery to be deferred:

451 Temporary lookup failure of address at dialups.mail-abuse.org

Here, the address is the IP address of the sending host. The dialups.mail-abuse.org matches the lookup host specified in the second argument to the enhdnsbl feature. If the t were omitted, as for example:

FEATURE(enhdnsbl,`dialups.mail-abuse.org', `"550 dial-up site refused"', 
,`127.0.0.3')

temporary lookup errors will be ignored and the message will be accepted.

The fourth argument is the expected result of the lookup. For the lookup host dialups.mail-abuse.org, a successful lookup (one that means the message should be rejected) will return the address 127.0.0.3. Different lookup hosts will return different addresses on success, so you will need to visit the appropriate web site to determine the address to match. If the address is omitted from the enhdnsbl feature, any successfully returned address will cause the message to be rejected.

If more than one address can be returned, you can list up to five more following the first one. In the following, we list three possible returned addresses (the line is wrapped to fit the page):

FEATURE(enhdnsbl,`dialups.mail-abuse.org', `"550 dial-up site refused"', 
,`127.0.0.1',
`127.0.0.2', `127.0.0.3')

Here, if any of the three addresses is returned, the message will be rejected. Note that if you don't know specifically what will be returned, you can use rule LHS operators in place of specific numbers. For example, instead of the three addresses shown earlier, you can specify one like this:

FEATURE(enhdnsbl,`dialups.mail-abuse.org', `"550 dial-up site refused"', ,`127.0.0.$-')

Here, the $- will match any number in that position. If you need to restrict the range of acceptable values you can use a class, perhaps like this:

LOCAL_CONFIG
C{OneTwoThree}1 2 3
FEATURE(enhdnsbl,`dialups.mail-abuse.org', `"550 dial-up site refused"', 
,`127.0.0.$={OneTwoThree}')

Here, the $={OneTwoThree} class restricts a match to any 127.0.0. address that ends in a 1, 2, or 3. Other operators you might find useful are $+ (match one or more), and $@ (match zero tokens).
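The lookup from Section 7.2 and the enhdnsbl return-address matching described above can be modeled together. The following is an added example, not code from sendmail or from the book: it models the described behavior in Python, and the function names, the TempFail exception, the stand-in resolver, and the sample zone data are all assumptions constructed for illustration.

```python
import ipaddress

class TempFail(Exception):
    """Stand-in for a temporary DNS failure (timeout, SERVFAIL)."""

def dnsbl_name(client_ip, zone):
    # Reverse the IPv4 octets and prefix them to the lookup host.
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def token_ok(tok, got, classes):
    if tok == "$-":                                   # any single octet
        return True
    if tok.startswith("$={") and tok.endswith("}"):
        return got in classes.get(tok[3:-1], set())   # class membership
    return tok == got                                 # literal octet

def matches(returned, pattern, classes):
    got, want = returned.split("."), pattern.split(".")
    return len(got) == len(want) and all(
        token_ok(t, g, classes) for t, g in zip(want, got))

def check(client_ip, zone, resolve, expected=(), defer=False, classes=None):
    """Return 'reject', 'defer' or 'accept' for one connecting address."""
    try:
        answers = resolve(dnsbl_name(client_ip, zone))
    except TempFail:
        return "defer" if defer else "accept"         # effect of the `t' argument
    if not answers:
        return "accept"                               # name not found: not listed
    if not expected:
        return "reject"                               # no address given: any answer rejects
    hit = any(matches(a, p, classes or {}) for a in answers for p in expected)
    return "reject" if hit else "accept"

# Constructed sample zone data, not real listings.
ZONE = "dialups.mail-abuse.org"
SAMPLE = {"89.67.45.123." + ZONE: ["127.0.0.3"],      # listed
          "10.2.0.192." + ZONE: ["127.0.0.4"],        # listed, different return address
          "20.2.0.192." + ZONE: TempFail}             # lookup fails temporarily

def fake_resolve(name):
    result = SAMPLE.get(name, [])
    if result is TempFail:
        raise TempFail(name)
    return result

if __name__ == "__main__":
    for ip in ("123.45.67.89", "192.0.2.10", "192.0.2.20"):
        print(ip, check(ip, ZONE, fake_resolve, ("127.0.0.$-",), defer=True))
```

Note that a host returning 127.0.0.4 is rejected by the `$-` pattern but accepted when the match is restricted to a class containing only 1, 2, and 3.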
