

DNSBL Usage

What is a DNSBL?
Why use a DNSBL? (DNS Block List)
How do I use a Spamhaus DNSBL?
How to use the Block Lists
What zone should my server or spam filter query?
DNSBL Queries
What do the 127.*.*.* Return Codes mean?
Your DNSBL blocks the whole Internet!
Your DNSBL blocks nothing at all!
I am getting a "This is not the DNSBL you're looking for" error, why?
Not just for connection queries...
Free Use vs Commercial Use
Data Feed: Zone Transfers (rsync) for Corporate networks & ISPs
I'm seeing bounces, but I don't find my IP address in your list... help?
Will doing a query to your DNSBL servers slow my system and delay the email?
Testing your SBL Setup
But if there is ever a delay, won't all my incoming email get backlogged?
Querying your DNSBL servers will use a lot of bandwidth, won't it?
How solid is the Spamhaus DNSBL server network?
Missing 'A' record for sbl/xbl/pbl/zen.spamhaus.org
How can I use the Spamhaus zones (ZEN or SBL, XBL, PBL) if I don't run my own mail server?
Are there any other DNSBL uses that could help?
Can I use the Spamhaus DNSBL in my own applications? How?


What is a DNSBL?

The acronym DNSBL stands for Domain Name System Block List. Understanding DNSBL Filtering explains the concept in words and diagrams.

DNSBLs list IP addresses. These IP addresses are often those that the list operator has observed sending spam, hosting the web sites of spammers, or providing other services to spammers (collectively called spam support services). The Spamhaus Policy Blocklist (PBL) lists IPs that the ISP does not (or should not) allow to send email directly to other SMTP servers, but should send email only via the ISP's designated outgoing SMTP servers. Some DNSBLs have other listing criteria, such as geographic lists of IPs by country. Those DNSBLs may be used for a variety of purposes.

DNSBLs are used by companies, ISPs, and even individual email applications to help determine whether an email is likely to be spam and, if it is, to prevent that email from being delivered to the recipient. Usually a company's or ISP's SMTP server checks the DNSBL when an email is received, and refuses that email if it is coming from a listed IP or if it contains a URL that is hosted on a listed IP.

DNSBLs are sometimes called RBLs (Realtime Blackhole Lists) after MAPS, the granddaddy of all DNSBLs. They can also be called just blocklists, blacklists, or simply BLs.

IMPORTANT: A DNSBL cannot stop anyone from sending mail. It only prevents delivery at the receiving end when the receiver specifically configures his mail server or mail software to consult it. DNSBLs are strictly defensive tools; they cannot be used to launch denial-of-service (DOS) attacks or to do any offensive damage.



Why use a DNSBL? (DNS Block List)
Doing a DNSBL lookup on a message at SMTP connect time is cheap in hardware cycles and system time. Your DNS server may even have it cached from the last time the spammer tried.

If your MTA already knows the incoming message is spam, it can reject it before having to pass it through a mail scanner (medium cost), the virus scanner (medium to expensive), Bayesian filtering (medium), or SpamAssassin network tests such as blacklists, DCC, pyzor, razor, etc. (medium to high).

Mail rejected by a DNSBL during delivery is not silently discarded into the "bit bucket". A DNSBL realtime rejection creates a delivery status notification (DSN) to the sender identifying the cause of the rejection, thereby allowing troubleshooting on the sender's end (i.e., no "lost messages").

Realtime rejection avoids the "backscatter" problem of some spam filters which accept delivery, close the connection, and then try to return the mail after it is determined to be spam. Of course, as we all know, most spam and all viruses have forged sender addresses, and so the "bounce" goes back to an innocent third party (if it is deliverable at all).

Using the SBL-XBL lists together, or the combined Spamhaus Zen zone (recommended), rejects a very large amount of spam and virus mail with very low "false positive" rejections of legitimate mail. And remember, when used in SMTP realtime, all those rejected legitimate mails are instantly reported to the sender with a DSN.


How do I use a Spamhaus DNSBL?
These answers presume you are running your own mail servers!

All modern mail servers have a 'DNSBL' feature (sometimes called 'RBL Servers' or 'Blacklist'). If you are not sure whether yours does, read its 'Help' file or ask your mail server vendor.

Depending on how much email traffic you have, you can either use Spamhaus public mirrors free by setting your mail server's 'DNSBL' feature to query zen.spamhaus.org, or - if you have high traffic - you will need a special Data Feed from us.

There is more information in our "How-to-Use" FAQ, and see the following FAQ 'What zone should my server or spam filter query?'

Remember, use your mail server to query a Spamhaus DNS zone such as zen.spamhaus.org. Do not automate queries of our website lookup form!

There are other ways to use SBL beyond just checking the connecting IP. Our Effective Spam Filtering page has suggestions for checking URIs in the spam against SBL, which is very effective at stopping spam. Nameserver IPs of connecting hosts are another check which some admins have found effective. If you decide to do such checks on your mailstream, be very careful which Spamhaus zone you select for each step. Checking against SBL is quite conservative and will have few false positives. Checking against XBL is more aggressive and, while it will catch more spam, it may also intercept more non-spam mail. Don't use URI checks against PBL unless you know exactly what you're doing; that will result in rejecting non-spam mail for most servers. Remember that the Zen zone contains SBL, XBL and PBL combined, so you will need to select the correct response based on the 127.0.0.x return code.



How to use the Block Lists
The Spamhaus Block List (SBL), Exploits Block List (XBL) and Policy Block List (PBL) can be used by all modern mail servers by setting your mail server's anti-spam DNSBL feature (sometimes called "Blacklist DNS Servers" or "RBL servers") to query our zones. All three zones can be queried in one single DNS lookup at zen.spamhaus.org.

For information on how to configure your mail server to use the Spamhaus zones, please refer to your mail server documentation or manuals, or ask your mail server developer. With so many different mail servers in use we can not offer technical help with setting up the query system.

An overview of Effective Spam Filtering strategies explains additional uses of spam block lists such as URI_SBL in SpamAssassin and SURBLs and URIBL, domain-based DNS spam blocking lists.



What zone should my server or spam filter query?
For most mail servers seeking general-purpose spam blocking, Spamhaus recommends using the combined zone zen.spamhaus.org which is a composite of all the Spamhaus IP lists, built for the most effective server-level spam blocking and long-term server configuration stability. Because ZEN includes PBL (which has many dynamic ranges), be sure to whitelist any dynamic ranges which are authorized to use your outbound relay, of course. Authenticating users via SMTP AUTH is also a good idea.

For more about specific Spamhaus zones, see their respective sections in this FAQ (sidebar left), and particularly the main pages for each zone:

There is also a zone sbl-xbl.spamhaus.org which includes both SBL and XBL, but not PBL. It may be appropriate for mail client filtering, as discussed later in this FAQ.


DNSBL Queries
We recommend you use SBL together with XBL and PBL, as the three zones block different spam sources. To save you having to query three separate DNSBL zones there is a special combined DNSBL zone called Zen which contains the complete SBL, XBL and PBL data. We recommend you use this combined DNSBL zone for checking SMTP connecting IP. To use it, simply set your mail server's DNSBL check to query zen.spamhaus.org only. (Don't query SBL, XBL or PBL and Zen!)

DNSBL   Zone to Query       Returns         Contains
SBL     sbl.spamhaus.org    127.0.0.2-3     Static UBE sources, verified spam services and ROKSO spammers
XBL     xbl.spamhaus.org    127.0.0.4-7     Illegal 3rd party exploits, including proxies, worms and trojan exploits
PBL     pbl.spamhaus.org    127.0.0.10-11   IP ranges which should not be delivering unauthenticated SMTP email
ZEN     zen.spamhaus.org    127.0.0.2-11    Combined zone (recommended); includes SBL, XBL and PBL


What do the 127.*.*.* Return Codes mean?
Return Code   Zone   Description
127.0.0.2     SBL    Spamhaus SBL Data
127.0.0.3     SBL    Spamhaus SBL CSS Data
127.0.0.4     XBL    CBL Data
127.0.0.5     XBL    Customized NJABL Data
127.0.0.10    PBL    ISP Maintained
127.0.0.11    PBL    Spamhaus Maintained

Spamhaus uses this general convention for return codes:

Return Code    Description
127.0.0.0/24   Spamhaus IP Blocklists
127.0.1.0/24   Spamhaus Domain Blocklists
127.0.2.0/24   Spamhaus Whitelists


Your DNSBL blocks the whole Internet!

There can be several reasons one would be seeing this:

When you implement Spamhaus DNSBL filtering in your mail server, you must check that the zone you have just entered is spelt properly. If you accidentally put in a wrong domain such as 'spamhous.org' or 'spamhouse.com', the DNS queries generated by your mail server will go to some entirely different and unrelated place which can answer your queries with a valid A record containing an IP address (this is often done by "typosquatters" to catch web traffic). Even if this IP is not a conventional DNSBL answer 127.0.0.x, your mail server may still interpret this answer as a "listed" answer, and act accordingly.

Another problem we've seen is where ISPs "hijack" DNS replies. This is done to monetize website traffic: rather than returning a "not found" (NXDOMAIN) answer for a name that cannot be resolved, the ISP's resolver returns a pointer to an advertising page or search page. We have heard that a US ISP, Cox Communications, has been doing this in some areas and points people to a webpage like this one. As Spamhaus's "not listed in our zone" replies are the same as a webpage-not-found reply, users behind this sort of DNS monetization will always see an IP address returned rather than the correct NXDOMAIN DNS answer. If this is the issue, contact your ISP to see if you can opt out. The above-mentioned ISP has an informational page with opt-out instructions. Or set up your own DNS resolver.

A second form of DNS hijacking has been seen, where an ISP cuts off DNS traffic to DNS servers it feels are being queried too often. This at times returns an IP value, which will cause all emails to be flagged as spam. They may even null the value of the DNSBL's name, which can cause unpredictable results. In this case, you will need to contact your ISP.



Your DNSBL blocks nothing at all!

First, check our FAQ answer for "Your DNSBL blocks the whole Internet!" and make sure you've not made a spelling mistake in your mailserver configuration.

Check what DNS resolvers you are using: If you are using a free "open DNS resolver" service such as Google Public DNS or Level3's public DNS servers to resolve your DNSBL requests, in most cases you will receive a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. Please use your own DNS servers when doing DNSBL queries to Spamhaus.



I am getting a "This is not the DNSBL you're looking for" error, why?
You have probably misspelled "spamhaus.org" as "spamhouse.org" in your mail server configuration. This is the error message defined by the people administering that domain (not us). This case belongs to the category discussed under the Your DNSBL blocks the whole Internet! question.


Not just for connection queries...
In addition to checking the IP addresses of the connecting servers against the SBL/XBL/PBL (or Zen), you can significantly boost your spam catch rate by also scanning the email body of any mails that get past this first check, looking for host names of URLs (web sites) advertised in spams, and checking the IP addresses of those hosts, and their name servers, against the SBL. This is because the SBL lists the IP addresses of spammers' websites in addition to their mail servers. This feature ("URIBL_SBL") is available in SpamAssassin 3.0 on, and code to do this is also available as a sendmail milter from here.


Free Use vs Commercial Use
Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL mirrors is free of charge for low-volume non-commercial use. To check if you qualify for free use, please see Spamhaus DNSBL Usage Criteria.

Use of the Spamhaus DNSBLs by ISPs, corporations and networks with high email traffic, or commercial spam filter companies requires a subscription to the Spamhaus dedicated Data Feed Service.


Data Feed: Zone Transfers (rsync) for Corporate networks & ISPs
For corporate networks, Internet Service Providers and spam filter companies, Spamhaus provides a dedicated Data Feed service which transfers the Spamhaus DNSBL zones to a local DNS server on your network and keeps the zones synchronised every 30 minutes. To submit an application for this service see: Data Feed Application Form.


I'm seeing bounces, but I don't find my IP address in your list... help?

The Spamhaus Blocklists are only some of many public DNSBL systems. In addition to publicly-queriable lists, many networks maintain their own private blocking lists. And DNSBLs are only one of many reasons that could cause a Delivery Status Notification (DSN).

Read the bounce ('DSN') messages carefully; they should provide clues as to why your mail was rejected. Unfortunately, some of them are not accurate or helpful; sometimes they even point to Spamhaus SBL for no reason at all. But, since each system which rejects your mail may give a different DSN, do read several of the messages and you will find some that make sense and help you track down the problem.

Locate the IP address which was rejected, generally the IP address of your outbound mail server and usually noted in the DSN message. Test it in the "IP Removal" form at www.spamhaus.org/lookup.lasso. If it does not show up with that form, the address is not listed in any Spamhaus DNSBL (that form queries all the most current Spamhaus zones).

A few sites which might help you track down DNSBL issues with other lists are:
         http://www.dnsbl.com/ (general DNSBL info)
         http://emailstuff.org/ (selection of meaningful DNSBLs)
         http://moensted.dk/spam/
         http://openrbl.org/
         http://shopping.declude.com/Articles.asp?ID=97
Remember that none of those sites is a DNSBL itself so it cannot possibly block your mail, and that they are offered on a voluntary basis, without support. Use their web services, but please don't pester them!

Some DNSBLs are simply too aggressive, unreliable or otherwise unsuited to use by more than a few hobbyist domains, places where most legitimate senders are unlikely to ever send any mail. If your IP address is in such a list, just ignore it! It's not stopping you from mailing anyone and no one who knows anything about mail cares about such lists.



Will doing a query to your DNSBL servers slow my system and delay the email?
Our servers are very fast and run software optimized specifically for speedy DNSBL replies. They are geographically distributed around the globe and connected via high-bandwidth pipes. Query response time is typically in the low milliseconds so any delays will be indiscernible, and once a query is done, it is cached at your own local DNS resolver for a period of time. That makes further queries "local" to you and extremely fast.


Testing your SBL Setup
Once you have set up your mail server to use sbl.spamhaus.org, you can test to see if the SBL blocking is working by sending an email (any email) to: nelson-sbl-test@crynwr.com (you must send the email from the mail server which you wish to test). The Crynwr system robot will answer you to tell you if your server is correctly blocking SBL-listed IPs or not.


But if there is ever a delay, won't all my incoming email get backlogged?
Modern mail-servers process separate incoming messages in parallel, so a slight pause in processing of one message will have no effect on another.


Querying your DNSBL servers will use a lot of bandwidth, won't it?
DNS is inherently very efficient, using minimal amounts of bandwidth. Using SBL-XBL or Zen will use much less bandwidth than having to accept every spam and virus email sent to your system. By rejecting them at the SMTP connection, no further data is sent thereby reducing overall bandwidth. DNS caching by your local resolver means that not every query counts towards outside bandwidth use. (And, on the hardware side, your server won't have to do post-delivery filtering and storage of spam messages.)


How solid is the Spamhaus DNSBL server network?
The Spamhaus DNSBL network currently consists of over 60 servers distributed throughout the world and located mainly in major colocation facilities with dedicated multi-megabit connections and with extensive network peering at each facility. The Spamhaus DNSBL network has been designed with complete redundancy and has never been "off the air" or unavailable since its inception in 2001.


Missing 'A' record for sbl/xbl/pbl/zen.spamhaus.org
"I can't trace zen.spamhaus.org, I get 'host not found'..."
"All your DNSBLs are down! I can't resolve any of them to an IP!"

Occasionally users inform us that our DNSBLs must be down or that our DNS may be broken because: "I can't resolve zen.spamhaus.org to an IP address" or "I can't ping zen.spamhaus.org".

Spamhaus DNSBL zones (sbl.spamhaus.org, xbl.spamhaus.org, sbl-xbl.spamhaus.org, pbl.spamhaus.org, zen.spamhaus.org) are not hosts or servers, they are DNS zones. DNS zones map specially-formatted queries (such as '2.0.0.127.zen.spamhaus.org') to DNSBL servers which in turn provide authoritative answers to the DNSBL queries. DNS zones do not normally have 'A' records, therefore you can not resolve a DNS zone to an IP address or to a specific machine.

Trying to resolve or ping a DNS zone is like trying to resolve or ping '.com' (which is also a DNS zone) and of course '.com' doesn't have an 'A' record (so you can not resolve '.com' to an IP address either).

Each of Spamhaus's DNSBL zones is load-balanced into sub-zones, served by over 60 DNSBL servers ('mirrors') located around the world. The DNSBL server IP addresses change frequently as servers are added or removed from the pool, but the DNS zone always knows where to find them.

Never set your anti-spam filter to query the IP addresses of Spamhaus zone DNS servers, as these can change at any time. Always query only the advertised zones themselves: SBL, XBL, PBL, or preferably the combined Zen zone.


How can I use the Spamhaus zones (ZEN or SBL, XBL, PBL) if I don't run my own mail server?
DNS Blocking Lists are designed to work most effectively during SMTP "realtime" transmission, enabling spam to be rejected early in the transaction before it burdens servers, disks and mail queues. Because the SMTP transmission is terminated before the spam can be transmitted, this also results in a "Delivery Status Notification" (error message) which notifies the sender's server of the rejection and provides a fail-safe in case of errors. Ideally you should ask your ISP or IT admin to use Spamhaus Zen on their mail server.

But, even if your mail isn't filtered at the server, you can still use DNSBLs, including SBL and XBL, with your Windows POP3 mail client (like Outlook, OE, Eudora, T-bird, etc.). Options include:

For Windows
- SpamPal Now: sourceforge.net/projects/spampal (freeware)
- MailWasher (free and Pro versions; be sure to disable bounces!)
- jwSpamSpy (German)
- Mailshell Anti-Spam Desktop
- Breath! Based on the popular unix open-source SpamAssassin with DNSBL support.
- K9 (freeware - Bayesian filtering based, but has a neat "Advanced feature" to use SBL/XBL as part of the Bayesian statistics)
- SmarterTools SmarterMail (free and pay versions; includes SpamAssassin ability)
- Spamihilator

For Mac
- Junkmatcher integrates with OS X Mail.app.
- Spamsweep
- Spamlinks.net has links to more spam filtering tools for Mac mail clients, and some for linux.

Setting up any one of those to work in conjunction with your mail client is fairly easy; they have instructions...you can do it! But do not configure any such software to "bounce" spam - such backscatter invariably ends up sending your spam to an innocent third party, as most "From" addresses are forged. A word of caution: the sbl-xbl.spamhaus.org zone may work better for client-level filters than zen.spamhaus.org, as explained in the PBL FAQ.

Advanced users with access to procmail on a shell server may wish to investigate the highly effective SpamBouncer, which supports Spamhaus lists, and optionally other DNSBLs.



Are there any other DNSBL uses that could help?
The data in the SBL and XBL portions of our zones can be used to prevent blog and guestbook spam and abuse. Also, some Apache webserver plugins like mod_spamhaus and this Squid DNSBL redirector can be used to ban blocklisted visitors to one's website.

Note that reading the FAQ on the XBL is a must before trying these techniques.


Can I use the Spamhaus DNSBL in my own applications? How?

You can query the SBL and XBL to prevent things such as blog-comment and guestbook spamming, click-fraud, and automated email address harvesting. You do this by programming your application(s) to query our DNS server(s) to determine whether a specific IP is on one of our blocklists. You can use such queries to stop posts from users who use IPs on the SBL or XBL to connect to your web site, or to block comment and guestbook posts that contain URIs hosted on IPs listed in the SBL or XBL.

There are open-sourced code bases available in Perl and PHP for performing DNS queries. You can find these by searching the Web. Two useful web sites that have code to perform DNS lookups are on PHP.net and The Code Cave.

If you prefer to brew your own code, below is the information you will need:

  • ZONE = zen.spamhaus.org
  • PROTOCOL & PORT = UDP/53
  • QUERY SYNTAX = <REVIP>.zen.spamhaus.org, where "<REVIP>" is the IP you are querying, reversed.
  • For example, if you want to check 192.168.25.1, you would query 1.25.168.192.zen.spamhaus.org.

  • RESPONSE CODES

Whenever possible, we encourage applications to query zen.spamhaus.org and then parse the return code(s) to determine whether to block an IP. This prevents unnecessary queries and speeds processing on your application. If your application cannot parse return codes, you can query sbl.spamhaus.org to determine whether an IP is on the SBL, and xbl.spamhaus.org to determine whether an IP is on the XBL. Either of these zones returns 127.0.0.2 if the IP is on that blocklist.

WARNING! Do not block users using IPs listed on the PBL from accessing Web-based applications. The PBL is not a list of "spamming IP addresses"; treating IPs on it as if they all belong to spammers will result in blocking large numbers of legitimate users. Consult the Spamhaus FAQ on the PBL for more information on what the PBL is and how it works.
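The following is an added example (not Spamhaus code) showing how an application can build the reversed-IP query name and interpret Zen's 127.0.0.x return codes from the tables above: SMTP use rejects on any listing, web-application use ignores PBL as the warning requires, and an answer outside 127.0.0.0/24 (the typo-squat or DNS-hijack case from "Your DNSBL blocks the whole Internet!") is reported as a configuration error rather than a listing. The sample answers in the main block are constructed so it runs offline.

```python
# Added example (not Spamhaus code): build a ZEN query name and interpret the
# 127.0.0.x return codes as the FAQ tables describe, distinguishing SMTP use
# (reject on SBL/XBL/PBL) from web-application use (never act on PBL).
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
DNSBL_ANSWERS = ipaddress.IPv4Network("127.0.0.0/24")   # Spamhaus IP blocklist codes

# Last-octet ranges from the FAQ's zone table: SBL 2-3, XBL 4-7, PBL 10-11
LIST_BY_CODE = {**{n: "SBL" for n in (2, 3)},
                **{n: "XBL" for n in range(4, 8)},
                **{n: "PBL" for n in (10, 11)}}


def query_name(ip, zone=ZONE):
    """Reverse the dotted quad and append the zone: 192.168.25.1 -> 1.25.168.192.zen.spamhaus.org"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Interpret the A records returned for a query.

    answers -- list of address strings; an empty list means NXDOMAIN (not listed).
    Returns {"status": ..., "lists": set of list names, "codes": answers}.
    Any answer outside 127.0.0.0/24 is the "blocks the whole Internet" symptom
    (misspelled zone answered by a typosquatter, or ISP DNS hijacking) and is
    reported as a configuration error, never as a listing.
    """
    if not answers:
        return {"status": "not_listed", "lists": set(), "codes": []}
    lists = set()
    for a in answers:
        if ipaddress.IPv4Address(a) not in DNSBL_ANSWERS:
            return {"status": "invalid_answer", "lists": set(), "codes": list(answers)}
        # Codes inside the block but absent from the table are kept as UNKNOWN so operators notice.
        lists.add(LIST_BY_CODE.get(int(a.split(".")[-1]), "UNKNOWN"))
    return {"status": "listed", "lists": lists, "codes": list(answers)}


def reject_smtp_connection(result):
    """Connecting-IP check: any Zen listing (SBL, XBL or PBL) is grounds for rejecting the session."""
    return result["status"] == "listed"


def reject_web_client(result):
    """Web/comment use: act on SBL and XBL only; the FAQ warns that PBL IPs are ordinary users."""
    return result["status"] == "listed" and bool(result["lists"] & {"SBL", "XBL"})


def resolve_with_system_dns(name):
    """Live lookup through the host's own resolver (not a public open resolver, per the FAQ)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:   # NXDOMAIN or similar: not listed
        return []


def lookup(ip, resolver=resolve_with_system_dns):
    """Full check: build the query name, resolve it, classify the answer."""
    return classify(resolver(query_name(ip)))


if __name__ == "__main__":
    # Constructed sample answers so this runs offline; drop the resolver argument for a live check.
    fake = {"1.25.168.192." + ZONE: ["127.0.0.4", "127.0.0.10"]}
    r = lookup("192.168.25.1", resolver=lambda n: fake.get(n, []))
    print(r, "smtp reject:", reject_smtp_connection(r), "web reject:", reject_web_client(r))
```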



© 1998-2010 The Spamhaus Project Ltd. All rights reserved.