Posted to commits@spamassassin.apache.org by Apache Wiki <wi...@apache.org> on 2011/12/10 20:00:43 UTC

[Spamassassin Wiki] Update of "DnsBlocklists" by JohnHardin

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Spamassassin Wiki" for change notification.

The "DnsBlocklists" page has been changed by JohnHardin:
http://wiki.apache.org/spamassassin/DnsBlocklists?action=diff&rev1=65&rev2=66

Comment:
Make local DNS server more highly recommended, fix config examples being parsed as formatting codes

  Support for the following DNSBLs is built-in, and shipped in the default configuration.
  
  '''Spamhaus PBL+SBL+XBL''' http://www.spamhaus.org/ <<BR>>
- ''Note that Spamhaus is NOT free for commercial or high volume use, see: http://www.spamhaus.org/organization/dnsblusage.html'' <<BR>>
+ ''Note that Spamhaus is NOT free for commercial or high volume use, see: http://www.spamhaus.org/organization/dnsblusage.html'' and CachingNameserver.<<BR>>
  '''SPAMCOP''' http://www.spamcop.net/ <<BR>>
  '''NJABL'''  http://www.njabl.org/ <<BR>>
  '''AHBL''' http://www.ahbl.org/ <<BR>>
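
Review bot: On the changed Spamhaus note, the added "and CachingNameserver." sits after the closing '' of the italic span and directly behind the URL, so the sentence reads "see: <URL> and CachingNameserver" with only its first half in italics and no hint of why the reader is sent to that page. Suggest making it a separate sentence inside the italics, for example "See also CachingNameserver.", and putting a space before <<BR>> as the neighbouring lines do.
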
@@ -23, +23 @@

  
  == Policy Lists ==
  
- The following DNSBLs are not specifically about spam, but instead abou't sites which break net policies and conventions... practices which are often associated with spammers.
+ The following DNSBLs are not specifically about spam, but instead about sites which break net policies and conventions... practices which are often associated with spammers.
  
  '''Combined Bogon IP/Hijacked IP/Invalid Whois/'''  http://www.completewhois.com/bogons/index.htm <<BR>>
  '''RFC Ignorant'''  http://www.rfc-ignorant.org/ <<BR>>
@@ -31, +31 @@

  
  == Whitelists ==
  
- The following dns checks are actually for WHITE lists, or sites which are certified by someone to be a reasonable sender.
+ The following DNS checks are actually for WHITE lists, or sites which are certified by someone to be a reasonable sender.
  
  '''DNSWL''' http://www.dnswl.org/ <<BR>>
+ ''WARNING: DNSWL imposes usage limits for free (unregistered) DNS lookups and will return false results leading to FPs if you are configured to forward DNS requests through a busy ISP nameserver which exceeds those limits. See CachingNameserver.'' <<BR>>
  '''Sender Score Certified & Sender Score Safe List''' http://www.senderscorecertified.com/ (formerly Ironport Bonded Sender & Habeas Safelist) <<BR>>
  '''ISIPP Accreditation Database''' (IADB) http://www.isipp.com/email-accreditation/
  
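
Review bot: The added DNSWL warning says over-limit lookups "will return false results leading to FPs", but on a whitelist it is not obvious which direction the error goes: a reader cannot tell whether mail is wrongly whitelisted or wrongly penalised. Suggest stating the effect explicitly and spelling out "FPs" on first use, since this is the only place in the section that uses the abbreviation.
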
@@ -59, +60 @@

  
  '''Q: This documentation doesn't seem to cover how to configure dns-blocklists. It says "Support for these is built-in" but I can't believe that all free BL's is called each time a mail is beeing checked. There must be a way to configure which to use.'''
  
- A: You're right.  You might look at the [[http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html|Mail::SpamAssassin::Conf]] documentation page which I admit doesn't really say how to configure which DNSBL to use, or the rules file [[http://spamassassin.apache.org/dist/rules/20_dnsbl_tests.cf|20_dnsbl_tests.cf]], for internal details, but no clear examples of how to configure the inclusion of various DNSBLs either.  For the latest list of DNSBLs you want to be using a recent SpamAssassin version (3.2.x at the time of this correction) and [[RuleUpdates| sa-update]], for the same reason that you wouldn't use an out-of-date virus scanner, but that also doesn't really have anything to do with the question. 
+ A: You're right.  You might look at the [[http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html|Mail::SpamAssassin::Conf]] documentation page which I admit doesn't really say how to configure which DNSBL to use, or the rules file [[http://spamassassin.apache.org/dist/rules/20_dnsbl_tests.cf|20_dnsbl_tests.cf]], for internal details, but no clear examples of how to configure the inclusion of various DNSBLs either.  For the latest list of DNSBLs you want to be using a recent SpamAssassin version (3.2.x at the time of this correction) and [[RuleUpdates| sa-update]], for the same reason that you wouldn't use an out-of-date virus scanner, but that also doesn't really have anything to do with the question.
  
  If you don't want ''any'' DNSBLs used, put a line like
  
-   skip_rbl_checks 1
+   {{{skip_rbl_checks  1}}}
  
  in your local.cf
  
- To eliminate the use of a particular DNSBL, set the score to zero. Put lines like  
+ To eliminate the use of a particular DNSBL, set the score to zero. Put lines like
  
-   score RCVD_IN_RFCI 0  
+   {{{score   RCVD_IN_RFCI   0}}}
  
-   score RCVD_IN_ORBS 0  
+   {{{score   RCVD_IN_ORBS   0}}}
  
-   score RCVD_IN_DSBL 0  
+   {{{score   RCVD_IN_DSBL   0}}}
  
- in your local.cf if you don't want certain DNSBLs listed with RCVD_IN_* in [[http://spamassassin.apache.org/dist/rules/50_scores.cf|50_scores.cf]] to be used.  
+ in your local.cf if you don't want certain DNSBLs listed with RCVD_IN_* in [[http://spamassassin.apache.org/dist/rules/50_scores.cf|50_scores.cf]] to be used.
  
  
- Note: many of the DNSBLs that can return multiple lists with one DNS query are implemented using one, unscored, rule that triggers the DNS lookup and stores the result, and several scored rules that check against that stored result (ie: zen.spamhaus.org). For these sets, if you wish to completely disable the DNS lookup, you will need to disable this rule. It can be found by looking at 20_dnsbl_tests.cf, and find the rule implemented using "check_rbl" instead of "check_rbl_sub". 
+ Note: many of the DNSBLs that can return multiple lists with one DNS query are implemented using one, unscored, rule that triggers the DNS lookup and stores the result, and several scored rules that check against that stored result (ie: zen.spamhaus.org). For these sets, if you wish to completely disable the DNS lookup, you will need to disable this rule. It can be found by looking at 20_dnsbl_tests.cf, and find the rule implemented using "check_rbl" instead of "check_rbl_sub".
  
  At present, the query trigger rule for SpamHaus looks like this:
  
- header __RCVD_IN_ZEN            eval:check_rbl('zen', 'zen.spamhaus.org.')
+   {{{header  __RCVD_IN_ZEN  eval:check_rbl('zen', 'zen.spamhaus.org.')}}}
  
  So to disable it you'd use:
  
- score __RCVD_IN_ZEN 0
+   {{{score   __RCVD_IN_ZEN  0}}}
  
  
  '''Q: The dns-blocklists just don't appear to be used.  What is going wrong?'''
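
Review bot: The three score examples (RCVD_IN_RFCI, RCVD_IN_ORBS, RCVD_IN_DSBL) are each wrapped in their own inline {{{ }}} span separated by blank lines, which fixes the markup parsing but leaves them as three separate fragments. Since they are meant to be pasted into local.cf together, consider one multi-line {{{ }}} block for all three. The padding inside the spans also varies between examples ("score   RCVD_IN_RFCI   0" versus "score   __RCVD_IN_ZEN  0"), so normalising it would make the examples read consistently.
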
@@ -100, +101 @@

  
  '''Q. Wouldn't it be a good idea to run a local nameserver anyway? So, you can run caching-nameserver to cache blocklist query results.'''
  
- A. Yes!  In fact, if you're running a busy mailserver, this is ''essential'' for efficiency.  See CachingNameserver.
+ A. Yes!  In fact, doing this is important to ''avoid false results from some DNS lists (e.g. DNSWL) if you have a large ISP'' and, if you're running a busy mailserver, this is ''essential'' for efficiency.  See CachingNameserver.
  
  
  '''Q: Does anybody know of a good way to use the [[http://www.cluecentral.net/rbl/showcountries.php|cluecentral.net country lists]]? I'd like to penalize certain countries from which I get a lot of spam and almost no real mail. I can't seem to get it working with multiple countries.'''
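
Review bot: In the rewritten answer, "if you have a large ISP" does not name the actual condition. The DNSWL warning added earlier in this change describes it as forwarding DNS requests through a busy ISP nameserver that exceeds the list's usage limits, and the answer should say the same thing, for example "if your DNS queries are forwarded through a busy ISP nameserver". The italic span also now covers only the middle of the sentence, which makes the emphasis hard to follow next to the existing ''essential''.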