For most Internet Service Providers and networks in North America, Europe or Australasia, incoming email traffic today consists of approximately 90% spam and 10% legitimate email. [1]
The main problem for mail system administrators is how to filter out the spam while not losing legitimate email, and how to keep mail queues flowing without spam-filter processes slowing the mail queue.
The main problem for ISP executives is also how to do this cost-effectively.
2-Stage Filtering
Using only the Spamhaus DNS-based Blocklists (SBL, XBL and PBL), ISPs and internet networks can very safely reject 75% of inbound mail traffic outright, rejecting the vast majority of spam at SMTP connect time, before mail servers are burdened with it or have to process or accept the messages.
Remaining spam that gets past the Spamhaus blocklist checks at SMTP connect time should then be filtered by checking the IP addresses of web sites advertised in the spam against the SBL, in a second stage called "URI SBL". [2]
Using the setup described below, UK ISP uxn.com achieves a catch rate of 299 out of every 300 spams (99.6%) with zero false positives.
1st Stage
The first stage is to install the Spamhaus ZEN blocklist on your incoming mail relay(s). ZEN, which is a combination of Spamhaus's SBL, XBL and PBL blocklists, will identify and reject 75% of a normal mail relay's incoming mail traffic.
Incoming mail from servers listed on SBL, XBL or PBL at this first stage should be rejected at the RCPT TO command, terminating the SMTP transaction before the message body is accepted, sent or received.
This is cost-effective - more than halving your incoming mail bandwidth and the subsequent mail queue - and is the safe way to handle message filtering, because in the event a legitimate sender is ever blocked in error, they are immediately notified by the reject notice of the reason why their message could not be delivered, as well as what to do and who to contact about it. [3]
2nd Stage
Over 60% of spam contains URLs of spammer web sites whose webserver IPs are listed on the Spamhaus SBL. [4] Therefore the second stage is to scan the 25% of mail which gets past first stage IP filtering, looking for URIs (web site addresses) in the message body and testing their host IPs against the SBL.
This is done by installing an application capable of scanning message bodies for URLs and checking them against the SBL.
A number of free/open source applications can do this, such as SpamAssassin and SpamBouncer, and there is also a free Sendmail milter with this feature.
If using SpamAssassin, we recommend you increase the value of SpamAssassin's SBL-check feature, URIBL_SBL, to at least 5 or 6 (by default it's set to 1, which in most cases is too low to trigger the spam flag).
For this purpose, Spamhaus lists the IPs of spammers' web servers and DNS servers in the SBL, in addition to spam sources. Spammers may find fresh sources not yet on our DNSBLs, but in most cases they need to advertise a web site hosted somewhere.
Remaining spam, which should now be reduced to less than 7% of your total incoming email traffic, is taken care of easily by SpamAssassin's other filter components, including SURBL, with the result that the total spam catch rate should now average 99.6%, or 299 in every 300 spams.
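The two stages described above, sketched as an added example (not Spamhaus code and not part of the original page). It assumes the public zone names zen.spamhaus.org and sbl.spamhaus.org, handles IPv4 only, and takes the DNS lookup as a parameter so the logic can be exercised with a stub resolver; the function names are hypothetical.

```python
import ipaddress
import re
import socket

ZEN_ZONE = "zen.spamhaus.org"   # assumed zone name: combined SBL + XBL + PBL
SBL_ZONE = "sbl.spamhaus.org"   # assumed zone name: SBL only

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def dns_a(name):
    """Default resolver: A records for name, [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def dnsbl_listed(ip, zone, resolve=dns_a):
    """True if IPv4 address `ip` is listed in DNSBL `zone`."""
    query = ".".join(reversed(ip.split("."))) + "." + zone
    # Only 127.0.0.x answers are listings; 127.255.255.x signals a query
    # error (e.g. a refused resolver) and must not be treated as a hit.
    return any(a.startswith("127.0.0.") for a in resolve(query))


def stage1_reject(client_ip, resolve=dns_a):
    """Stage 1: connecting IP against ZEN; True means reject at RCPT TO."""
    return dnsbl_listed(client_ip, ZEN_ZONE, resolve)


def stage2_uri_sbl(body, resolve=dns_a):
    """Stage 2: URL hosts in `body` whose web server IP is on the SBL."""
    hits = []
    hosts = {h.lower().rstrip(".") for h in URL_HOST.findall(body)}
    for host in sorted(hosts):
        try:  # the URL may carry a literal IP instead of a hostname
            ips = [str(ipaddress.IPv4Address(host))]
        except ValueError:
            ips = resolve(host)
        if any(dnsbl_listed(ip, SBL_ZONE, resolve) for ip in ips):
            hits.append(host)
    return hits
```

In a SpamAssassin deployment the second stage is what the URIBL_SBL rule scores; this sketch only shows the lookups involved.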