Security Basics mailing list archives
RE: Help with SPAM blocking
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 20 Jan 2005 18:58:50 -0800
Typically, the RBL is implemented as a DNS server. When your SMTP gateway wants to know whether to accept mail from a source, it queries the RBL server using DNS. Typically, a known source of spam will be resolved by the RBL to a loopback address 127.0.0.n, where n>1 and different values of n may indicate different classes of culprit. (n=1 is the canonical loopback address, of course, even though the entire Class A 127.x.x.x block was reserved for loopback use.)

You do not want to download the RBL to your server, because it's a dynamic list that is constantly being revised as new sources are identified or as discovered relays get fixed. You want to leave it on the maintainers' server and query it only as necessary. At worst, you might cache some results for an hour or two.

I'm not sure what you get back if the source in question is not currently in the RBL. I'd expect that names not resolved by the RBL server would be forwarded to more generic DNS servers and return the normal non-loopback address, but it's possible that some RBLs just return a "no such name" response.

David Gillett
-----Original Message-----
From: Dan Lynch [mailto:dan.lynch () placer ca gov]
Sent: Wednesday, January 19, 2005 10:38 AM
To: security-basics () securityfocus com
Subject: Help with SPAM blocking

Greetings list,

I'm new to SPAM blocking and am trying to ramp up my knowledge of its mechanisms. I've done several days of research all over the net and there are still some points of confusion I can't seem to find explanations for. Anything you can help clarify for me is most appreciated. I also welcome reference to more focused mail lists I can query.

First, I'm still looking for a good technical explanation of how Realtime Blackhole Lists (RBLs) work. Many references have specific implementation details (the syntax of the sendmail config lines, etc.), but not the overview of RBL technology. The overviews I have found are too generic and mail-recipient/end-user oriented to be of much use.

Do RBLs have a standard file format? What's it look like? What I can glean from FAQs and documentation implies there are two types: SMTP based and DNS based. Is this correct? Or is DNSRBL synonymous with RBL? Some lists (like njabl.org) imply they can be used by a DNS server, but I'm not clear how that functions.

Why do so many references mention loopback addresses (see www.njabl.org/use.html, or the declude.com database)? What's the connection?

Is it best practice to use one list integrated with your DNS server, or saved as a hosts file on your mail server, and another configured at your SMTP gateway?

Also, is an RBL downloaded to your SMTP host, or is it used as a remote query? If it's remote, how can one create exceptions when needed? Is that where your SMTP gateway's white-list feature comes in?

Again, thanks for any info you can provide.

Dan Lynch, CISSP
County of Placer
Auburn, CA
dlynch at placer dot ca dot gov
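The DNS query mechanism David describes (reverse the octets of the sender's IP, append the list's zone, look up an A record, and treat a 127.0.0.n answer as a listing) as an added example; this is editor-supplied code, not code from either poster or from any real list. The zone name dnsbl.example, the return-code table and the sample answers are constructed placeholders: every real list publishes its own zone and its own meaning for each n. The example also covers the two cases David was unsure about: a "no such name" answer is treated as not listed, and an answer outside 127.0.0.0/8 (what you would get if the name fell through to ordinary DNS, or from a parked or wildcarded zone) is flagged rather than treated as a listing, so a dead list cannot silently block all mail. Results are cached for a configurable TTL, along the lines of the "hour or two" mentioned above.

```python
"""Minimal DNSBL client: build the reversed-octet query name, resolve it,
and interpret a 127.0.0.n answer as a listing.  Zone name, return codes
and sample data are illustrative placeholders, not any real list's."""
import ipaddress
import socket
import time
from typing import Callable, Dict, Optional, Tuple

# Hypothetical return-code table (assumption: real lists define their own).
RETURN_CODES = {2: "open relay", 3: "dial-up/dynamic pool", 4: "spam source"}

Resolver = Callable[[str], Optional[str]]
Result = Tuple[str, Optional[int], Optional[str]]  # (status, code, meaning)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the list zone,
    e.g. 192.0.2.10 -> 10.2.0.192.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the OS resolver; NXDOMAIN / lookup failure -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for DNS: answers from a dict, None when absent."""
    return lambda name: table.get(name)


def interpret_answer(answer: Optional[str]) -> Tuple[str, Optional[int]]:
    """Map a DNSBL A-record answer to (status, code).

    'not_listed'  -> no answer (no such name)
    'listed'      -> 127.0.0.n with n >= 2; code is n
    'unexpected'  -> anything else, including plain 127.0.0.1 and any
                     non-loopback address; never treated as a listing."""
    if answer is None:
        return ("not_listed", None)
    packed = ipaddress.IPv4Address(answer).packed
    if packed[:3] == b"\x7f\x00\x00" and packed[3] >= 2:
        return ("listed", packed[3])
    return ("unexpected", None)


class DnsblChecker:
    """Query one list zone, caching each answer for cache_ttl seconds."""

    def __init__(self, zone: str, resolve: Resolver = system_resolve,
                 cache_ttl: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.zone = zone
        self.resolve = resolve
        self.cache_ttl = cache_ttl
        self.clock = clock
        self._cache: Dict[str, Tuple[float, Result]] = {}

    def check(self, ip: str) -> Result:
        name = dnsbl_query_name(ip, self.zone)
        now = self.clock()
        hit = self._cache.get(name)
        if hit is not None and hit[0] > now:
            return hit[1]
        status, code = interpret_answer(self.resolve(name))
        meaning = RETURN_CODES.get(code) if code is not None else None
        result: Result = (status, code, meaning)
        self._cache[name] = (now + self.cache_ttl, result)
        return result


# Constructed sample zone data (not the contents of any real list).
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_TABLE = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",     # listed: open relay
    "20.2.0.192.dnsbl.example": "127.0.0.4",     # listed: spam source
    "30.2.0.192.dnsbl.example": "198.51.100.7",  # bogus non-loopback answer
}

if __name__ == "__main__":
    checker = DnsblChecker(SAMPLE_ZONE, resolve=table_resolver(SAMPLE_TABLE))
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(src, "->", checker.check(src))
```

To run it against a live list, construct the checker with the real zone and the default system_resolve; the gateway should reject only on "listed" and log "unexpected" answers for investigation.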
Current thread:
- Help with SPAM blocking Dan Lynch (Jan 20)
- RE: Help with SPAM blocking David Gillett (Jan 24)
- Re: Help with SPAM blocking Michael Gale (Jan 24)
- Re: Help with SPAM blocking Ned Fleming (Jan 24)
- RE: Help with SPAM blocking Kurt (Jan 24)
- Re: Help with SPAM blocking bernie (Jan 24)
- Re: Help with SPAM blocking Sebastian Reitenbach (Jan 24)