The Spamhaus Project

Changes in Spamhaus DBL DNSBL return codes

by The Spamhaus Team, June 15, 2014 (4 minutes reading time)

Spamhaus engineers have been busy developing new data for the Spamhaus Domain Block List (DBL) during the past several months. Our efforts have produced several specialized subsets of the DBL data set which will provide Spamhaus DBL users with better protection against spam as well as against other cyber threats (bots and malware) which are targeting ordinary internet users every day. This new data makes DBL more effective and versatile yet maintains DBL's goal for near zero false positives and widespread usability in production environments.

The first addition covers domains used in relation to malware, similar to the malware IP addresses we already list in the Spamhaus Botnet Controller List (BCL), but with the focus on domain names. These domains are involved in spreading malware ("droppers") or controlling botnets ("command and control", also known as C&C or C2). Users contacting these domains may get infected, or may already be infected with malicious software. By deploying this subset of the DBL it is possible to prevent users from becoming infected, or to find users that are already infected (for example, through the use of a DNS Response Policy Zone (RPZ)).

The second new data set covers legitimate domains hosting websites that have been compromised or otherwise abused by spammers. By compromising existing websites, often through outdated versions of popular Content Management System (CMS) packages such as Joomla or WordPress, spammers try to use the good reputation of legitimate domains and IP addresses to improve the delivery of their spam and to prolong the lifespan of the spam's payload and landing sites. Once a web server or CMS is compromised, spammers place a file on that website to redirect visitors' browsers to the spammer's website. The URLs of those redirection files are then sent out in spam.

Administrators can take advantage of this new DBL data by carefully using the return codes for each distinct data set. We will be adding the new return codes to all Spamhaus DNSBL mirrors beginning on July 1st, 2014. The new return codes for DBL listings are marked "new" in the Note column of this table (they were highlighted in yellow on the original page):

Return Code    Type                                      Note
127.0.1.2      spam domain
127.0.1.3      spammed redirector / url shortener        Phased out on January 7th, 2015
127.0.1.4      phish domain
127.0.1.5      malware domain                            new
127.0.1.6      Botnet C&C domain                         new
127.0.1.102    abused legit spam                         new
127.0.1.103    abused legit redirector / url shortener   new
127.0.1.104    abused legit phish                        new
127.0.1.105    abused legit malware                      new
127.0.1.106    abused legit botnet C&C                   new
127.0.1.255    IP queries prohibited!

A complete reference of the DBL return codes can be found in the Spamhaus DBL FAQ.

If you are using Spamhaus DBL data for spam filtering or any other purpose, please ensure that your application or software handles the new return codes correctly. Many applications will not distinguish the newer codes and will simply accept and act on any return code. Other applications may be sensitive to specific return codes; check which behaviour yours has and configure it appropriately for your intended use of the new DBL data set return codes.

In particular, administrators using DBL return code data should note the replacement of 127.0.1.3 for spammed redirector / url shortener domains with 127.0.1.103. We are making this change so that people who prefer to treat the new "abused legit" listings differently from dedicated spam, malware and bot domains will have a single return code range with which to differentiate the codes easily. For instance, Postfix works with ranges; see "reject_rbl_client". While it is possible to specify a list of individual return codes, such a configuration is longer, more error-prone and more likely to require correction if new codes are released in the future. The 127.0.1.3 return code will still be available as a legacy code until January 7th, 2015. Now would be a good time to update one's checking routines.
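The range-based handling described above, as an added example that is not Spamhaus code: it builds the DBL lookup name for a domain (refusing IP literals, which DBL answers with 127.0.1.255), maps the legacy 127.0.1.3 onto its replacement 127.0.1.103, and derives a verdict from the last octet ranges rather than from individual codes. The block/tag policy and the range boundaries 2..99 and 100..199 are this example's assumptions, not something the announcement prescribes.

```python
import ipaddress

# Return codes and types copied from the table in this announcement.
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.3": "spammed redirector / url shortener (legacy)",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused legit redirector / url shortener",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
}
PROHIBITED = "127.0.1.255"             # answer to an IP-address query, which DBL forbids
LEGACY = {"127.0.1.3": "127.0.1.103"}  # old code -> replacement announced here
DEDICATED = range(2, 100)              # last octet (assumed range): dedicated threat domains
ABUSED_LEGIT = range(100, 200)         # last octet (assumed range): compromised legit domains

def dbl_query_name(name: str, zone: str = "dbl.spamhaus.org") -> str:
    """Build the lookup name, refusing IP literals (DBL answers those with 127.0.1.255)."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return f"{name.rstrip('.').lower()}.{zone}"
    raise ValueError("DBL is a domain list; querying an IP address is prohibited")

def classify(answers):
    """Turn the A records of a DBL answer into (verdict, [types]).

    Policy (assumed, not Spamhaus's): 'block' if any code is in the dedicated
    range, else 'tag' if any is in the abused-legit range, 'clean' for an empty
    answer (NXDOMAIN), and 'error' for 127.0.1.255 or codes we do not know.
    """
    if not answers:
        return "clean", []
    verdict, types = "error", []
    for code in answers:
        code = LEGACY.get(code, code)  # treat 127.0.1.3 like 127.0.1.103
        if code == PROHIBITED:
            return "error", ["IP queries prohibited"]
        if code not in DBL_CODES:
            return "error", [f"unknown code {code}"]
        types.append(DBL_CODES[code])
        last = int(code.rsplit(".", 1)[1])
        if last in DEDICATED:
            verdict = "block"
        elif last in ABUSED_LEGIT and verdict != "block":
            verdict = "tag"
    return verdict, types
```

The same split expressed in Postfix's own range notation would be two reject_rbl_client entries, one for dbl.spamhaus.org=127.0.1.[2..99] and one for dbl.spamhaus.org=127.0.1.[100..199], so that each group can get its own treatment.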

IMPORTANT: We will begin pushing the new DBL return codes (those marked "new" in the table above) to our DNSBL mirrors and datafeeds on July 1st, 2014.