Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   
Changes in Spamhaus DBL DNSBL return codes

2014-06-15 13:35:15 GMT, by The Spamhaus DBL Team
Recent News Articles

Stop spammers from exploiting your webserver!

Second arrest in response to DDoS attack on Spamhaus

New IPv6 CIDR searching tools released: grepcidrs

Changes in Spamhaus DBL DNSBL return codes

Summer Break arrives early for Malware & Botnet Gang

Spamhaus launches CERT Insight Portal

The Spamhaus Policy Block List now covers One Billion IP addresses

Resilans Incident Report


Older News Articles:
Spamhaus News INDEX

Spamhaus engineers have been busy developing new data for the Spamhaus Domain Block List (DBL) during the past several months. Our efforts have produced several specialized subsets of the DBL data set which will provide Spamhaus DBL users with better protection against spam as well as against other cyber threats (bots and malware) which are targeting ordinary internet users every day. This new data makes DBL more effective and versatile yet maintains DBL's goal for near zero false positives and widespread usability in production environments.

The first addition covers domains used in relation to malware, similar to malware IP addresses which we already list in Spamhaus Botnet Controller List (BCL) but with the focus on domain names. These domains are involved in spreading malware ("droppers") or controlling botnets ("command and control" a/k/a C&C, C2). Users contacting these domains may either get infected or may already be infected with malicious software. By deploying this subset of the DBL it is possible to prevent users from becoming infected or to find users that are already infected (for example, through the use of a DNS Response Policy Zone (RPZ)).

The second new data set covers legitimate domains hosting websites that have been compromised or otherwise abused by spammers. By compromising existing websites, often through outdated versions of popular Content Management System (CMS) packages such as Joomla or Wordpress, spammers try to use the good reputation of legitimate domains and IP addresses to improve the delivery of their spam and prolong the lifespan of the spam's payload and landing sites. Once a web server or CMS is compromised, spammers place a file on that website to redirect visitor's browsers to the spammer's website. The URL to those redirection files is then sent out in spam.

Administrators can take advantage of this new DBL data by carefully using the return codes for each distinct data set. We will be adding the new return codes to all Spamhaus DNSBL mirrors beginning on July 1st, 2014. The new return codes for DBL listings are highlighted in yellow in this table:

Return CodesTypeNote
127.0.1.2spam domain
127.0.1.3spammed redirector / url shortener(Phased out on January 7th, 2015)
127.0.1.4phish domain
127.0.1.5malware domain
127.0.1.6Botnet C&C domain
127.0.1.102abused legit spam
127.0.1.103abused legit redirector / url shortener
127.0.1.104abused legit phish
127.0.1.105abused legit malware
127.0.1.106abused legit botnet C&C
127.0.1.255IP queries prohibited!

A complete reference of the DBL return codes can be found in the Spamhaus DBL FAQ.

If you are using Spamhaus DBL data for spam filtering or any other purpose, please ensure that your application or software uses the new return codes correctly. Many applications will not care about the newer codes and will simply accept and act on any return code. Some applications may be sensitive to specific return codes and you should check that and configure your application appropriately for your usage of those new DBL data set return codes.

In particular, administrators using DBL return code data should note the replacement of 127.0.1.3 for spammed redirector / url shortener domains with 127.0.1.103. We are making this change so that people who prefer to treat the new "abused legit" listings differently than dedicated spam, malware and bot domains will have a single return code range to differentiate the codes easily. For instance, Postfix works with ranges; see "reject_rbl_client". While it is possible to specify a list of individual return codes, such a configuration is longer, more prone to errors and more prone to require correction if new codes are released in the future. The 127.0.1.3 return code will still be available as a legacy until January 7th, 2015. Now would be a good time to update ones checking routines.

IMPORTANT: We will begin pushing the new DBL return codes (yellow in the table above) to our DNSBL mirrors and datafeeds on July 1st, 2014.



Spamhaus Information

Press Office
Spamhaus News Index
Spamhaus in the media
About Spamhaus
Spamhaus Official Statements
Article Information

Permanent link to this news article:
Changes in Spamhaus DBL DNSBL return codes
http://www.spamhaus.org/news/article/713/changes-in-spamhaus-dbl-dnsbl-return-codes

Subscribe to RSS News Feed
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2014 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy