RE: Help with SPAM blocking

["David Gillett" <gillettdavid () fhda edu>]

  Typically, the RBL is implemented as a DNS server.  When your SMTP
gateway wants to know whether to accept mail from a source, it queries
the RBL server using DNS.  Typically, a known source of spam will be
resolved by the RBL to a loopback address 127.0.0.n, where n>1 and
different values of n may indicate different classes of culprit.  (n=1
is the canonical loopback address, of course, even though the entire
Class A 127.x.x.x block was reserved for loopback use.)
  You do not want to download the RBL to your server, because it's a
dynamic list that is constantly being revised as new sources are
identified or as discovered relays get fixed.  You want to leave it
on the maintainers' server and query it only as necessary.  At worst,
you might cache some results for an hour or two.
  I'm not sure what you get back if the source in question is not currently
in the RBL.  I'd expect that names not resolved by the RBL server would
be forwarded to more generic DNS servers and return the normal non-loopback
address, but it's possible that some RBLs just return a "no such name"
response.

David Gillett


> -----Original Message-----
> From: Dan Lynch [mailto:dan.lynch () placer ca gov]
> Sent: Wednesday, January 19, 2005 10:38 AM
> To: security-basics () securityfocus com
> Subject: Help with SPAM blocking
>
>
> Greetings list,
>
> I'm new to SPAM blocking and am trying to ramp up my knowledge of its
> mechanisms. I've done several days of research all over the net and
> there are still some points of confusion I can't seem to find
> explanations for. Anything you can help clarify for me is most
> appreciated. I also welcome reference to more focused mail lists I can
> query.
>
> First, I'm still looking for a good technical explanation of how
> Realtime Blackhole Lists (RBLs) work. Many references have specific
> implementation details (the syntax of the sendmail config lines, etc),
> but not the overview of RBL technology. The overviews I have found are
> too generic and mail-recipient/end-user oriented to be of much use.
>
> Do RBL's have a standard file format? What's it look like?
>
> What I can glean from FAQs and documentation implies there are two
> types: SMTP based and DNS based. Is this correct? Or is DNSRBL
> synonymous with RBL? Some lists (like njabl.org) imply they
> can be used
> by a DNS server, but I'm not clear how that functions. Why do so many
> references mention loopback addresses (see www.njabl.org/use.html, or
> the declude.com database). What's the connection?
>
> Is it best practice to use one list integrated with your DNS
> server, or
> saved as a hosts file on your mail server, and another configured at
> your SMTP gateway?
>
> Also, is an RBL downloaded to your SMTP host, or is it used
> as a remote
> query? If it's remote, how can one create exceptions when needed? Is
> that where your SMTP gateway's white-list feature comes in?
>
> Again, thanks for any info you can provide.
>
> Dan Lynch, CISSP
> County of Placer
> Auburn, CA
>
> dlynch at placer dot ca dot gov