Declude email security - Call 866 332 5833
Toll Free 1.866.332.5833

        Declude
 
Blacklist Archives
Free Tools & Resources
Outbreak Monitor
Email Tools
  Declude

You take the IP address of the mail server, turn it around, and query a "DNS zone", to come up with something like "2.0.0.127.relays.example.com". If the mail server is listed in the spam database you queried, it will return an answer indicating that the mail server is listed.

Normally, your anti-spam software will handle this for you. However, if you are curious, or interesting in writing anti-spam software, or setting up your own DNS-based spam database, here's how it works.

DNS query format

This is pretty simple. You just take the IP address, reverse it, and add it to the DNS zone you are querying. For example, if you want to see if 192.168.100.1 is listed in the relays.example.com zone, you would look up the A record for 1.100.168.192.relays.example.com.

The IP address is reversed to more easily allow ranges of IP addresses to be listed. For example, reversing the IP address makes it very easy to add "192.168.x.x" to the database (by adding "*.168.192.relays.example.com" to the DNS server).

DNS answer format

This is pretty simple, too. If the IP address is not listed in the spam database, the DNS server will report that the A record is non-existent. If the IP is listed in the database, it will return an A record with a specific value, the default being 127.0.0.2. So, looking up the A record for 1.100.168.192.relays.example.com would probably return 127.0.0.2 if 192.168.100.1 was listed in the database (but, an answer of 127.0.0.3, for example, would also mean that 192.168.100.1 was listed). If you run a spam database, be sure to document what IPs you may return.

TXT Records

These are technically optional, but highly recommended, as they provide details about why the IP was listed. In addition to the A record for IP.IP.IP.IP.relays.example.com, there should be a corresponding TXT record. The anti-spam software, seeing a valid A record, will automatically look up the TXT record as well.

For example, the A record for 1.100.168.192.relays.example.com might return 127.0.0.2 (meaning that 192.168.100.1 is listed in the spam database). Then, there should also be a TXT record for 1.100.168.192.relays.example.com that might say "The IP address 192.168.100.1 is blocked; see http://example.com/results.htm?ip=192.168.100.1".

The anti-spam software can use the TXT record for many different purposes. The main two uses are in an "X-RBL-Warning: " header that can be added to the E-mail for end-user filtering, or to be be used in SMTP responses if the SMTP transaction is still in process.

Multiple databases in one zone

The ip4r lookups can have multiple types of entries, by returning different IPs. For example, some spam databases have both "inputs" (mail servers that accept E-mail that will be relayed, possibly through another server) and "outputs" (mail servers that output mail, either sent through it, or via another mail server).

One way to do this is to have two separate zones (inputs.example.com that returns 127.0.0.2 for a match, and outputs.example.com that also returns 127.0.0.2 for a match).

However, to reduce network traffic, it's usually better to combine them into one zone. To do this, different values can be returned during a query. For example, the "inputs" could be listed on relays.example.com returning 127.0.0.2, while "outputs" would be listed on relays.example.com returning 127.0.0.3.

So what happens when an IP is listed in two databases on the same zone (both "inputs" and "outputs", for example)? The proper way (at this time) for this to be handled is for the DNS server to return just one answer -- the people running the test need to determine which the more appropriate answer would be. This is the "proper" way simply because it is supported by all anti-spam programs that use DNS-based databases, and few (if any) support the alternate method.

The alternate method (and technically better, although harder to implement on the client side) is to return multiple A records. In the case of a mail server listed in the inputs and outputs databases, the server would return 2 A records: 127.0.0.2 and 127.0.0.3. This is good because it lets you know exactly which test(s) failed, but is not supported by most anti-spam programs.

Testing a DNS-based database.

To test a DNS-based database, you can look up the IP address 127.0.0.2. All DNS-based databases should have this entry listed, for testing purposes.

For example, if you aren't sure if relays.example.com is working, you can use nslookup to look up the A record for 2.0.0.127.relays.example.com, and you should get back "127.0.0.2" (or possibly another result, such as 127.0.0.3). If you don't have nslookup, you can ping the address ("ping 2.0.0.127.relays.example.com"); an answer of "Unknown host" or something similar would indicate that the spam database is not working.

It is important for DNS-based spam databases to have the 127.0.0.2 test entry, so that anti-spam software developers can easily test the software. Also, maintainers of DNS-based anti-spam databases (such as us) need to make sure that the zones are still working. Without the 127.0.0.2 test entry, it is difficult-to-impossible to determine if a spam database is working.

CNAMEs

Do NOT use these.

A spam database should not use CNAMEs. These will cause problems with many anti-spam programs.

When a CNAME is used, instead of "2.0.0.127.relays.example.com" producing a response of "127.0.0.2", the spam database will respond with two answers: One saying that "2.0.0.127.relays.example.com" is really "somethingelse.relays.example.com", and that "somethingelse.relays.example.com" has an IP of 127.0.0.2. Although it may be easier to maintain a spam database this way, it just won't work with most anti-spam programs.

Terms

  • DNSBL - "DNS BLacklist". This refers to any DNS-based spam database. It usually refers to ip4r blacklists, but can also refer to RHSBL blacklists.
  • ip4r - A term referring to reversing the 4-byte IP address to use in DNS lookups (IE looking up 127.0.0.2 at 2.0.0.127.relays.example.com).
  • RBL - "Realtime BLacklist". RBL is a service mark of MAPS. Anywhere that "RBL" is used in a context not referring to MAPS RBL, the term "DNSBL" should be used instead.
  • RHSBL - "Right-Hand Side BLacklist". This is similar to ip4r databases, except that it works by looking up the domain in the "right-hand side" of the "MAIL FROM:" address in the SMTP envelope. For example, if you receive mail from "user@example_2.com" from 127.0.0.2, using ip4r you would look up 2.0.0.127.relays.example.com, but using RHSBL you would look up example_2.com.relays.example.com.


  CONTACT | CAREERS | DIRECTIONS | PRIVACY STATEMENTS
Copyright 2009 DECLUDE Inc. All Rights Reserved
Declude a division of DNSstuff Enterprise.



To be removed from our mailing list please click here