
The End of DNS Blacklists


I hate to discourage the use of any technique that can stop spam, but I think DNS blacklists should no longer be used by Lotus Domino (IBM Domino) email administrators.

What are DNS blacklists?  They are usually free services that list the IP addresses of machines that have sent some amount of spam.  Generally, they are updated daily, but not always.  Getting off the list if you are a legitimate sender is difficult, and sometimes there are no clear explanations on different DNS Blacklist sites as to how to get off of them.  Adding to this problem, some enterprising RBL site managers are trying to charge a fee to get off of the list.


Here is how Wikipedia defines a DNS Blacklist:  http://en.wikipedia.org/wiki/DNSBL


The best of these is the Spamhaus project, which has the cleanest and most reliable list.  It was the only list that we ever recommended.  If you must use a list, we prefer this one, as it has the lowest incidence of false positives.


Until SpamSentinel version 6, we used these DNS Blacklists in conjunction with our spam blocking and redirected these blocks to the user quarantine, where they showed up on the daily report and could be released to the user's mailbox.  We preferred this method over the popular "do not accept the message" approach, which bounces the message back to the sender, because end users could never get those messages unless they knew there was a problem and contacted the sender, who then had to resend the email from a personal account to get it past the DNS Blacklist filter.  That caused too much pain for most corporate customers.
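To make concrete what a DNSBL lookup actually is, and how the result feeds the quarantine-versus-reject decision discussed above, here is an added example in Python. It is not SpamSentinel's code and not Spamhaus's; the zone name `zen.example.invalid`, every listed address and the resolver are constructed so the block runs offline. It follows the DNSBL convention (RFC 5782) that the query name is the reversed IPv4 octets prefixed to the zone, that listings answer with an A record in 127.0.0.0/8, and that 127.0.0.2 must always be listed while 127.0.0.1 must never be, which gives a cheap sanity check against a dead zone or one that lists the whole address space. Error codes in 127.255.255.0/24 are assumed to mean "query problem, not a listing", as Spamhaus documents for its zones.

```python
import ipaddress

# Constructed stand-in for a DNSBL zone. The zone name and every address
# below are made up for this example; they are not real Spamhaus data.
ZONE = "zen.example.invalid"
FAKE_ZONE_ANSWERS = {
    "2.0.0.127." + ZONE: ["127.0.0.2"],        # RFC 5782 test entry: 127.0.0.2 is always listed
    "4.3.2.1." + ZONE: ["127.0.0.2"],          # constructed: listed, SBL-style return code
    "8.7.6.5." + ZONE: ["127.0.0.11"],         # constructed: listed, PBL-style return code
    "1.1.1.10." + ZONE: ["127.255.255.254"],   # constructed: zone-side error code, not a listing
}

# Return-code ranges: listings live in 127.0.0.0/8, error signals in 127.255.255.0/24
LISTING_CODES = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_CODES = ipaddress.IPv4Network("127.255.255.0/24")


class ResolverUnavailable(Exception):
    """Raised when the DNSBL zone cannot be queried (timeout, SERVFAIL, ...)."""


def fake_resolve(name):
    """Offline resolver: A records for `name`, or [] to stand in for NXDOMAIN."""
    return list(FAKE_ZONE_ANSWERS.get(name, []))


def dead_resolve(name):
    """Resolver that models the 'all blacklists are down' situation."""
    raise ResolverUnavailable("timeout querying " + name)


def query_name(ip, zone):
    """Build the DNSBL query name: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, zone, resolve):
    """Return ('listed', code), ('clean', None) or ('error', reason)."""
    name = query_name(ip, zone)
    try:
        answers = resolve(name)
    except ResolverUnavailable as exc:
        return ("error", str(exc))
    # An error code means the zone could not answer properly; never treat it as a listing.
    for a in answers:
        if ipaddress.IPv4Address(a) in ERROR_CODES:
            return ("error", "zone returned " + a)
    for a in answers:
        if ipaddress.IPv4Address(a) in LISTING_CODES:
            return ("listed", a)
    return ("clean", None)


def zone_is_sane(zone, resolve):
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone failing this is either unreachable or has started listing everything,
    which is the failure mode that turns a blacklist into a mail outage."""
    return (dnsbl_lookup("127.0.0.2", zone, resolve)[0] == "listed"
            and dnsbl_lookup("127.0.0.1", zone, resolve)[0] == "clean")


def disposition(result, quarantine=True):
    """Map a lookup result to an action. Listed mail is quarantined (the
    SpamSentinel-style choice described in the post) or rejected at SMTP time;
    lookup errors fail open so a dead zone does not stop all inbound mail."""
    status, _ = result
    if status == "listed":
        return "quarantine" if quarantine else "reject"
    return "accept"


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9", "10.1.1.1"):
        r = dnsbl_lookup(ip, ZONE, fake_resolve)
        print(ip, "->", r, "->", disposition(r))
    print("zone sane:", zone_is_sane(ZONE, fake_resolve))
    print("zone sane when resolver is down:", zone_is_sane(ZONE, dead_resolve))
```

The two design choices worth noticing are that an error answer or an unreachable resolver yields "accept" rather than "reject", and that `zone_is_sane` is meant to be run periodically before a zone's verdicts are trusted: a list that suddenly lists 127.0.0.1 is exactly the "lists the whole IPv4 space" situation one of the commenters describes.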




The problem with DNS Blacklists now is that spammers are effectively using proxy servers to continuously vary the source IP address of the machine that sends the spam.  These IP proxies are most likely home computers without anti-virus software that have been compromised and are sending out giant gobs of spam to thousands of people.  Usually the owner of the computer has no idea that this is happening.  The result of this IP proxying is that the same spam message, sent to 10 internal users, could come from 10 different IP addresses.  This is the spammers' response to DNS blacklists, besides one devilish lawsuit from a company known as e360 that tried to shut down Spamhaus.



So, I would open your Domino server's Configuration document in the Name & Address Book (NAB), either the Configuration document for your specific server or the All Servers global document.  Disable the DNS Blacklist filters and save the document.  I usually restart my Domino session after this change to be sure it is disabled.

To get there: open the NAB, click on "Configurations", open the document and disable the DNS Blacklist filters.

Comments

#12 - I disagree. Spam filters can be very effective if we know how to use them. I personally suggest spamhaus.org

It is a very good DNS BL site.

#11 - I took your advice and removed my DNS Blacklist filtering. I immediately started receiving dozens of rejection notices from undeliverable mail - that I had never sent! This means that my email address is being spoofed - not unusual these days - but I don't want to delete these spurious emails all the time. My Blacklist is back on.

#10 - There are many (hundreds?) of DNS blocklists. Some are responsible, some list everyone and the kitchen sink.

Anyone who uses DNS blocklists needs to be sure they know the listing and delisting criteria for each. And keep up with information, and not use old lists that list the whole IPv4 space (i.e. like ORBS did the other day).

I am not aware of any reputable lists that charge for removal. Some charge a fee for manual/expedited removal (I think UCEPROTECT is asking for 50 euro to cover the cost for early removal), but normally you get delisted after you have taken care of the issue that caused you to be listed.

Lists like ASPEWS are not (or should not be) used outside pure hobbyist systems, if even there. But Spamhaus ZEN is a great list.

The biggest benefit with dropping the connection at the SMTP level (using a DNS blocklist) is that it will save a ton of work for the server. Most studies show (IIRC) that properly implemented DNS blocklists stop about 80-90% of the spam. Since spam is 90% of the traffic today, we are talking about a reduction in work for the Domino server/SpamSentinel software of 70-80%. So if you today receive and process 10,000 email a day, you are looking at processing (and potentially storing in a quarantine folder) about 40,000 email. Quite a difference.

@Frank Harris in #7: I am not aware of many companies being blacklisted by the big/reputable blocklists without reason. In most cases there are actually good reasons, like backscatter, zombied computers that actually do send out spam, or using a "dirty" provider.
It is also easier to get out of a handful of public blocklists than thousands of private lists, and there are tools that let you check if/where you are listed. Is there a tool that lets me check if I am blocked by SpamSentinel? Or is SpamSentinel sending back a bounce for blocked mail? That could be backscatter and cause the customer to be listed at backscatterer.org, for example.

@Jerome in #8: Which blocklists are forcing you to pay "a lot"? None that I know. I know UCEPROTECT charges 50 euro if you don't want to wait the 7 days they normally use for delisting. See that as a waiting period similar to when you buy a handgun: you have to wait for a certain number of days before you get to buy the gun, so that background checks can be performed...
Also, you say "a few people without public procedures pass judgments that are near impossible to appeal".
If the lists are bad, people will not use them. So it is a self-regulating process.
In most cases you don't need to appeal, you just fix the problem. I am (somewhat) active in nanae (news.admin.net-abuse.email) and read a lot there and in the moderated sister group nanabl (news.admin.net-abuse.blocklisting). I see very few complainers that actually have a valid point. In most cases they are hosted on bad/spam-friendly networks, and very few are actually listed in blocklists that are used.

#9 - I agree with one exception. Blacklists can produce false positives but really have a positive impact on load. Especially when our SMTP server has limited bandwidth and the ratio of rejected/accepted messages is as high as on our server (we have over 90% rejected connections). Then disabling the DNS blacklist does mean that our load on the line will be 10 times bigger, which is of course unacceptable.

Until this general problem is solved we must stick to DNS blacklists. It is not acceptable to process 90% of messages just to auto-delete them on arrival.

I would like to see any solution where the message is rejected before it is processed:

- delay a few seconds after initial HELO. Most bots won't wait and drop the line
- reject message on invalid RCPT without sending a non-delivery report
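The two mechanisms in the comment above, and the backscatter concern raised in comment #10, can be shown in a small simulated SMTP server. This is an added example in Python, not code from Domino or SpamSentinel; the greet delay, the mailbox list `LOCAL_USERS`, the host names and the scripted client sessions are all constructed. It models what a real server sees on a socket: whether the client sent anything before the banner was due, and whether an unknown recipient is refused during `RCPT TO` (so the sending server owns the failure and no NDR exists) or accepted and bounced later (which, with a forged `MAIL FROM`, becomes backscatter to an innocent third party).

```python
import re

GREET_DELAY = 2.0                                  # seconds the banner is withheld (constructed)
LOCAL_USERS = {"alice@example.com", "bob@example.com"}  # constructed local mailbox list


def _addr(arg):
    """Pull the address out of 'FROM:<x@y>' / 'TO:<x@y>' style arguments."""
    m = re.search(r"<([^>]*)>", arg)
    return (m.group(1) if m else arg.split(":", 1)[-1]).strip().lower()


def run_smtp(client_lines, reject_at_rcpt=True):
    """Simulate the server side of one SMTP session against scripted client input.

    client_lines: list of (seconds_since_connect, text) in arrival order.
    reject_at_rcpt: True = refuse unknown recipients with 550 during the session;
                    False = accept everything and generate NDRs afterwards.
    Returns a dict with the server's replies, whether a message entered the
    queue, and how many non-delivery reports the server would have to send.
    """
    replies, rcpts, bad_rcpts = [], [], []
    accepted, ndrs, in_data = False, 0, False
    for t, line in client_lines:
        if t < GREET_DELAY:
            # Client spoke before the banner. RFC 5321 clients wait for it; spam bots
            # usually blast commands immediately, so this costs legitimate mail nothing.
            replies.append("554 5.7.0 command sent before banner")
            return {"replies": replies, "accepted": False, "ndrs": 0}
        if in_data:
            if line == ".":
                in_data = False
                replies.append("250 2.0.0 queued")
                accepted = True
                ndrs += len(bad_rcpts)   # non-zero only in accept-then-bounce mode
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mx.example.com")
        elif verb == "MAIL":
            replies.append("250 2.1.0 sender ok")
        elif verb == "RCPT":
            addr = _addr(arg)
            if addr in LOCAL_USERS:
                rcpts.append(addr)
                replies.append("250 2.1.5 recipient ok")
            elif reject_at_rcpt:
                # Refused in-session: the sending MTA reports it, we never own the message.
                replies.append("550 5.1.1 no such user")
            else:
                rcpts.append(addr)
                bad_rcpts.append(addr)   # we will have to bounce this one later
                replies.append("250 2.1.5 recipient ok")
        elif verb == "DATA":
            if rcpts:
                replies.append("354 end data with <CRLF>.<CRLF>")
                in_data = True
            else:
                replies.append("503 5.5.1 no valid recipients")
        elif verb == "QUIT":
            replies.append("221 2.0.0 bye")
        else:
            replies.append("500 5.5.2 command not recognized")
    return {"replies": replies, "accepted": accepted, "ndrs": ndrs}


# Constructed sessions. Times are seconds since the TCP connection opened.
BOT_SESSION = [(0.2, "EHLO bot"), (0.3, "MAIL FROM:<x@example.org>")]
SPOOFED_SESSION = [(2.5, "EHLO relay.example.net"),
                   (2.6, "MAIL FROM:<victim@example.org>"),   # forged sender
                   (2.7, "RCPT TO:<nobody@example.com>"),     # no such mailbox
                   (2.8, "DATA"), (2.9, "Subject: junk"), (3.0, "."), (3.1, "QUIT")]
GOOD_SESSION = [(2.5, "EHLO mail.example.net"),
                (2.6, "MAIL FROM:<carol@example.net>"),
                (2.7, "RCPT TO:<alice@example.com>"),
                (2.8, "DATA"), (2.9, "Subject: hello"), (3.0, "."), (3.1, "QUIT")]

if __name__ == "__main__":
    print("bot:", run_smtp(BOT_SESSION))
    print("spoofed, reject at RCPT:", run_smtp(SPOOFED_SESSION))
    print("spoofed, accept then bounce:", run_smtp(SPOOFED_SESSION, reject_at_rcpt=False))
    print("good:", run_smtp(GOOD_SESSION))
```

Running the same spoofed session through both modes is the point: with `reject_at_rcpt=True` the server never queues the message and `ndrs` stays at 0, while the accept-then-bounce mode queues it and owes an NDR to the forged `victim@example.org`, which is what lands a site on backscatter lists. The greet-delay check is implemented on timestamps here; on a real socket it is the same test applied to whether bytes arrive before the banner is written.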


#8 - Great job Frank, thanks for all the clarification to Domino/Notes users. It is not Domino's job to do that. Plus managing a personal blacklist is really easy, but using a public blacklist can become unstable (many IP ranges can be blacklisted and you cannot take that range out of the blacklist site without paying a lot).
Also Domino is using DNSBL in such a way that if all BLs are down, you do not receive mails anymore.

#7 - As with all systems, Email filtering is in a constant state of evolution. I agree with Frank's presentation. I have had multiple clients that were Blacklisted for no definable reason, and the removal process was painful.

Email is now a critical part of any business, and failure to receive that one Email could mean the loss of an opportunity. Even more critical is the negative stigma presented to others because you are "on the list".

Good job Frank.

#6 - I am glad you stepped up and criticized black lists. Conceptually such lists make sense, but the implementation is flawed: a few people without public procedures pass judgments that are near impossible to appeal. Unlike dictatorships this is done with good intent, mind you. Alternate DNS approaches (reverse, SPF, etc.) and deeper message-based analysis is the only safe way to filter spam in my opinion.

#5 - We run all our servers with spamhaus for a DNS blacklist and reject the message. I can't imagine running a mail server today without it. Is the new version of SS rejecting connections similar to how Domino blocks connections in a DNSBL? If so maybe we should consider that. If not then we'd need to throw more hardware at it just to process all the spam! For the very few false positives we've seen, the benefits of using the DNSBL far outweigh the problems caused, in my experience.


#4 - Hi Frank, Thank You very much, but what about DNS Whitelists?

#3 - I disagree, at least partly. When using a blacklist through the Domino config, messages are dropped during the SMTP transfer. This means that your mail server will never take responsibility for the message and it's up to the sending mail server to let the sender know it didn't go through. It also cuts down on the mail you take into your system in the first place. DNS blacklists should definitely be used with caution, but rejecting mail during SMTP transfer is the way to go!

#2 - I've only used Spamhaus with your software and no problems until now.

#1 - Totally agree, using DNS blacklists will be a ticket for troubles with customers.


Frank Paolino