Monday, November 23, 2009

Understanding DNSBL Filtering

SkyHi @ Monday, November 23, 2009
A DNSBL (commonly known as a "Blocklist") is a database that is queried in real time by Internet mail servers for the purpose of obtaining an opinion on the origin of incoming email. The role of a DNSBL such as Spamhaus' SBL/XBL/PBL Advisory system is to provide an opinion, to anyone who asks, on whether a particular IP Address meets Spamhaus' own policy for acceptance of inbound email.

Basic DNSBL flow (diagram not reproduced here):

The policy of the Receiver governs whether a message is blocked or not

Every Internet network that chooses to implement spam filtering is, by doing so, making a policy decision governing acceptance and handling of inbound email. The Receiver unilaterally makes the choices on whether to use DNSBLs, which DNSBLs to use, and what to do with an incoming email if the email message's originating IP Address is "listed" on the DNSBL. The DNSBL itself, like all spam filters, can only answer whether a condition has been met or not.




Points to note are:

1. The Receiver makes a policy decision to accept, tag or reject the message based on, amongst other things, whether the Sender's IP Address is listed on a Spamhaus DNSBL.

2. The Receiver is asking Spamhaus a question ("is this IP listed on a Spamhaus database?"). Spamhaus replies automatically to the Receiver's question.

3. Spamhaus has no control over how the Receiver chooses to handle incoming email from IPs which are listed on a Spamhaus database.

4. Instead of rejecting messages that do not pass the Spamhaus test, many Receivers tag such messages. Tagged messages are then either placed in a 'Junk' mailbox or are put through further, more processor-intensive spam filters (such as SpamAssassin, etc.).

5. Spamhaus does however recommend that networks using the Spamhaus DNSBLs reject (bounce) rather than simply trash incoming emails from IP Addresses listed on a Spamhaus database. The reason for this is that rejecting email (with a hard 5xx during the SMTP phase and before the email body is accepted) maintains the fundamental rule of email deliverability: if an email cannot be delivered, *always let the Sender know*.
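The query flow described under "Basic DNSBL flow" and the receiver-side policy of points 1, 4 and 5 above, as an added example; this is illustrative code written for this page, not code from Spamhaus or from the original post. It assumes the standard DNSBL lookup form (IPv4 octets reversed, list zone appended, A record queried; an answer in 127.0.0.0/8 means "listed", NXDOMAIN means "no opinion"), a constructed zone name `dnsbl.example` with a constructed in-memory resolver so it runs offline, and a return-code table (`RETURN_CODES`) that reflects the Spamhaus ZEN codes as the editor recalls them and should be checked against current Spamhaus documentation before use.

```python
"""Added example (not from the original post): how a receiving mail server
queries a DNSBL and then applies its *own* policy to the answer.

Assumptions not stated on the page:
  * standard DNSBL query form: reverse the IPv4 octets, append the zone,
    look up an A record; 127.0.0.x answer = listed, NXDOMAIN = no opinion;
  * RETURN_CODES are the Spamhaus ZEN codes as recalled by the editor;
    verify against current Spamhaus documentation.
"""
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Constructed zone name for offline use; a real deployment uses the
# list operator's published zone name.
EXAMPLE_ZONE = "dnsbl.example"

# Assumed mapping of answer address -> Spamhaus list that produced it.
RETURN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Only answers in this range are treated as listings. Some operators use
# other 127.x.y.z addresses to signal query errors (blocked resolver,
# query limit exceeded); those must not be read as "listed".
TRUSTED_ANSWERS = ipaddress.IPv4Network("127.0.0.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: 192.0.2.10 + dnsbl.example -> 10.2.0.192.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)  # reject garbage before it reaches DNS
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a(name: str) -> Optional[str]:
    """Default resolver: A lookup; NXDOMAIN / no data -> None ("no opinion")."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(ip: str, zone: str = EXAMPLE_ZONE,
           resolve: Callable[[str], Optional[str]] = resolve_a) -> Optional[str]:
    """Return the list name if the IP is listed, None if the DNSBL has no opinion.

    An answer outside TRUSTED_ANSWERS (e.g. a wildcarded or expired zone that
    answers for everything) raises instead of listing, so a broken DNSBL
    cannot silently block all inbound mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in TRUSTED_ANSWERS:
        raise RuntimeError(f"unexpected DNSBL answer {answer}; treat list as unusable")
    return RETURN_CODES.get(answer, f"listed ({answer})")


def receiver_policy(ip: str, mode: str = "reject", **kw) -> Tuple[str, Optional[str]]:
    """The Receiver's decision (points 1, 4 and 5): Spamhaus only answered a question.

    mode="reject": refuse at SMTP time with a 5xx before DATA, so the Sender is told.
    mode="tag":    accept, add a header, and let later filters or a Junk folder decide.
    Returns (action, detail) with action in {"accept", "reject", "tag"}."""
    listing = lookup(ip, **kw)
    if listing is None:
        return ("accept", None)
    if mode == "reject":
        return ("reject", f"550 5.7.1 Service unavailable; client host {ip} listed on {listing}")
    return ("tag", f"X-DNSBL-Listed: {ip} on {listing}")


# Constructed stand-in for DNS so the example runs offline.
_FAKE_ZONE_DATA = {
    "2.0.0.127." + EXAMPLE_ZONE: "127.0.0.2",   # 127.0.0.2 is the conventional "always listed" test address
    "10.2.0.192." + EXAMPLE_ZONE: "127.0.0.4",  # constructed XBL-style listing for a documentation address
}


def fake_resolve(name: str) -> Optional[str]:
    return _FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for client in ("127.0.0.2", "192.0.2.10", "198.51.100.7"):
        print(client, receiver_policy(client, mode="reject", resolve=fake_resolve))
        print(client, receiver_policy(client, mode="tag", resolve=fake_resolve))
```

The two things worth copying from this are the policy split (the DNSBL answer is an input; the 550 or the header is the Receiver's choice) and the refusal to treat an unexpected answer as a listing, which is the usual failure mode when a list goes dark or its zone starts wildcarding.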


The Rights of a Sender versus the Rights of a Receiver

The Internet is a network of private networks. Each network sets its own policy for what email it will or will not accept. In the following diagram, the end of the Sender's private network and the beginning of the Receiver's private network are marked (A) and (B). This diagram demonstrates that no 'blocking' of email occurs either on the exit from the Sender's network, the Sender's connection into the Public Internet, or even at the entrance to the Receiving network. DNSBLs are used by the Receiver's private mail server and from within the Receiver's private network.



A common misconception is that an email Sender whose IP address is listed on a DNSBL is 'blocked' from sending out email. In fact, Senders are in no way prevented by DNSBLs from sending email. The Spamhaus DNSBLs are used only by receiving mail systems on private networks, and are used voluntarily.

Spamhaus does not tell a 3rd-party mail system what to do with an item of email; the 3rd-party mail system asks Spamhaus for an opinion, and Spamhaus responds to that request with its opinion. In effect the receiving mail server asks the Spamhaus DNSBL "Does this Sender's IP Address exist on the Spamhaus database?", and the Spamhaus DNSBL simply responds with a "Yes" if present or, if not present, does not respond at all (no response means "we have no opinion on that IP Address").