rfc-ignorant.org

Hosting of RFCI provided through the generosity of Sonic.Net

How to Use Domain-Based Blacklist Zones

General Concepts

If someone presents you with:

MAIL FROM: <foo@example.tld>

then you should do a lookup on example.tld.dsn.rfc-ignorant.org, and bounce or reject as you see fit.

The following is a quick reference for adding domain-based DNSBL support to popular packages (if you don't see yours, figure it out and send admin@rfc-ignorant.org a description of how to use it):

Sendmail

The standard dnsbl package in sendmail is useful for "standard" DNS-based blacklists, where you want to compare IP addresses. Unfortunately, it doesn't work at all when you want to do comparisons based on the right-hand-side of the address.

That's where rhsbl.m4 comes in. It is designed to be copied into cf/feature, and be referenced just like you would dnsbl, except that lookups will have the right-hand-side of the address attached to the lookup. (NOTE: Sendmail 8.11.x and lower will have to replace the string "dnsbl" with the string "host" in the rules, as it is designed to work with current 8.12 betas.)

For example, you might use (these lines are wrapped for readability, but that won't work in real life, you have been warned):

FEATURE(rhsbl,`dsn.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain do not accept bounces. This violates RFC 821/2505/2821 - see http://www.rfc-ignorant.org/"')

FEATURE(rhsbl,`postmaster.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not have a working postmaster address - see http://www.rfc-ignorant.org/"')

Also available is a revised dnsbl.m4 which allows for a fourth argument `h', which will toggle hostname lookups on. This is useful so that you could reject based on the hostname of the connecting machine, say, for rejecting servers where <postmaster@servername> doesn't work, or where <abuse@servers_main_domain> doesn't work. (See disclaimers about dnsbl.m4 at http://www.megacity.org/software.html.)

Essentially, since you're working with domain names in these zones, there are two potential places you care about: does the sender meet some criteria (as determined by rhsbl.m4), and does the machine connecting to you meet some criteria (as defined by the revised dnsbl.m4). Which ones you use is up to you.

Exim4

provided by Nico Erfurth <masta@perlgolf.de>

Put the following lines in your ACL (acl_smtp_rcpt is the best for this).

deny message  = $sender_address_domain is listed in $dnslist_domain ($dnslist_text)
     dnslists = dsn.rfc-ignorant.org/$sender_address_domain : \
                postmaster.rfc-ignorant.org/$sender_address_domain

You can add other RBLs too: domain-based lists should use the rbl.domain.tld/$sender_address_domain syntax; for ip4r-based blacklists, just use rbl.domain.tld.

Exim3

provided by Philip Hazel <ph10@cus.cam.ac.uk>

It is possible to make use of rfc-ignorant.org from Exim, but in the current 3.xx releases, the error message that is given when a message is rejected is

550 rejected: cannot route to sender <x@example.tld>

which, although in some sense true, is not very helpful.

QMail

provided by Ask Bjoern Hansen <ask@develooper.com>

Ask has done some experimental work with mating qmail and the domain-based DNSBLs. His work can be found at http://develooper.com/code/qpsmtpd/.

Postfix

provided by Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>

It is possible to make use of rfc-ignorant.org from Postfix. With the release of Postfix-2.0, you simply use:

smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org

For the WHOIS zone, it is also possible, if you don't want to block whole ccTLDs, to do:

reject_rhsbl_sender whois.rfc-ignorant.org=127.0.0.5

By default, such mail is rejected using the text in $default_rbl_reply:

default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

SurgeMail

provided by SurgeMail Support <SurgeMail-Support@netwinsite.com> (Requires SurgeMail 1.5c or later)

Set in surgemail.ini, for example:

g_from_bl name="dsn.rfc-ignorant.org" stamp="Domain does not accept bounces, see http://www.rfc-ignorant.org"
g_from_bl name="postmaster.rfc-ignorant.org" stamp="Domain has no working postmaster address, see http://www.rfc-ignorant.org"

Mercury/32

provided by Daniel Jungersen <danjel@jungersen.dk>

You can enter the values manually in the GUI, or you can "copy-paste" directly into "ms_spam.mer", found in the same folder as the .exe file. As always, I recommend that you shut down M/32 when changing the setup files directly.

***************** ms_spam.mer content ****************
Begin
Name: rfc_abuse
Enabled: Y
QueryType: Blacklist
QueryForm: Domain
Hostname: abuse.rfc-ignorant.org
Strictness: Range 127.0.0.4 - 127.0.0.4
Action: Reject
Parameter: Blocked - See http://rfc-ignorant.org/
End
 
Begin
Name: rfc_postmaster
Enabled: Y
QueryType: Blacklist
QueryForm: Domain
Hostname: postmaster.rfc-ignorant.org
Strictness: Range 127.0.0.3 - 127.0.0.3
Action: Reject
Parameter: Blocked - See http://rfc-ignorant.org/
End
 
Begin
Name: rfc_dsn
Enabled: Y
QueryType: Blacklist
QueryForm: Domain
Hostname: dsn.rfc-ignorant.org
Strictness: Normal
Action: Reject
Parameter: Blocked by http://rfc-ignorant.org/
End
 
Begin
Name: rfc_whois
Enabled: Y
QueryType: Blacklist
QueryForm: Domain
Hostname: whois.rfc-ignorant.org
Strictness: Range 127.0.0.5 - 127.0.0.7
Action: Reject
Parameter: Blocked - See http://rfc-ignorant.org/
End

You can of course use one, some or all of these setups, just as you like. You can also set the action and parameter as you like.
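
The lookup from General Concepts, combined with the per-zone answer ranges in the Mercury/32 entries above, as an added example (not code from rfc-ignorant.org or from any of the contributors on this page). The resolver is passed in; SAMPLE_DNS and its answers are constructed so that the example runs offline, and reading "Strictness: Normal" as "any 127.0.0.0/8 answer" is an assumption.

```python
import ipaddress
import re
import socket

# Zone -> accepted answer range, taken from the Mercury/32 entries on this page.
# "Strictness: Normal" (dsn) is assumed to mean any 127.0.0.0/8 answer.
ZONES = {
    "dsn.rfc-ignorant.org": ("127.0.0.0", "127.255.255.255"),
    "postmaster.rfc-ignorant.org": ("127.0.0.3", "127.0.0.3"),
    "abuse.rfc-ignorant.org": ("127.0.0.4", "127.0.0.4"),
    "whois.rfc-ignorant.org": ("127.0.0.5", "127.0.0.7"),
}
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

# Constructed answers standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "example.tld.dsn.rfc-ignorant.org": ["127.0.0.2"],
    "example.tld.whois.rfc-ignorant.org": ["127.0.0.5"],
    "hijacked.tld.dsn.rfc-ignorant.org": ["203.0.113.10"],  # wildcarded zone
}

def sample_resolver(name):
    return SAMPLE_DNS.get(name, [])

def system_resolver(name):
    """A-record lookup via the system resolver; a failed lookup means not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def sender_domain(line):
    """Right-hand side of the MAIL FROM address, or None for the null sender <>."""
    match = MAIL_FROM.match(line.strip())
    if match is None:
        raise ValueError("not a MAIL FROM command")
    _, at, rhs = match.group(1).rpartition("@")
    return (rhs.rstrip(".").lower() or None) if at else None

def check_sender(line, resolve=system_resolver, zones=ZONES):
    """Return [(zone, answer)] for every zone that lists the sender domain."""
    domain = sender_domain(line)
    if domain is None:  # bounces use <>; there is no domain to look up
        return []
    hits = []
    for zone, (low, high) in zones.items():
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        for answer in resolve(f"{domain}.{zone}"):
            if lo <= ipaddress.ip_address(answer) <= hi:  # ignore out-of-range answers
                hits.append((zone, answer))
                break
    return hits
```

Matching the answer against the expected range, rather than rejecting on any A record, keeps a wildcarded or repurposed zone from turning every sender into a listing.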


$Id: how_to_domain.php,v 1.19 2006/04/04 14:21:20 dredd Exp $