
KB Article #101820

Using the DNS Blackhole List (DNSBL)

Summary:

EMF can check each incoming SMTP connection against publicly available lists of open relays (servers) and refuse the connection if the connecting host is on a list. These lists are called DNS "blackhole lists" and are maintained by several subscription services on the Internet. The default service specified in the EMF webadmin is mail-abuse.org (MAPS).

In earlier versions of EMF, DNSBLs were called RBLs (Realtime Blackhole Lists); both terms refer to the same feature.

Symptom:

Your EMF server is processing a large volume of spam email. Spammers commonly send their spam through open relays, which is what these lists record.

Detailed Information:

1. How exactly does DNSBL work?

EMF performs a DNS query for a hostname formed by taking the IP address of the connecting SMTP client, reversing the order of its four octets, and appending the DNSBL domain name (the "zone"), e.g., blackholes.mail-abuse.org (MAPS).

For example, if EMF receives a connection from host 10.20.30.40 and the DNSBL check is enabled, EMF performs an A-record DNS query for the host 40.30.20.10.blackholes.mail-abuse.org against your DNS server. If an A record is returned for that name, the client is considered to be on the blackhole list; if the name does not exist, it is not.

The DNS server queried is the same one that your EMF relay service is configured to use for SMTP routing. EMF does not use a separate DNS server for DNSBL lookups.

It is your responsibility to ensure that the DNSBL information is available from that DNS server when the SMTP relay queries it. (If the information is not available, every lookup fails and no hosts will be blocked due to DNSBL membership.)
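The lookup described above, as an added example written for this article (it is not EMF code and does not reproduce EMF's implementation): the query name is built from the reversed octets plus the zone, an A record means "listed", and a DNS server that has no data for the zone answers nothing for any client, so nothing is ever blocked. The resolver is injectable; the table used at the bottom is constructed so the example runs offline, and the listed host 10.20.30.40 is the article's own illustration, not a real listing.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Conventional DNSBL test entry: every list answers for 127.0.0.2 so that
# a client can verify its lookups work (the 2.0.0.127 host in item 6).
TEST_ENTRY = "127.0.0.2"

Resolver = Callable[[str], Optional[str]]  # query name -> A record or None


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reversed octets of the client IPv4 address followed by the DNSBL zone,
    e.g. 10.20.30.40 -> 40.30.20.10.blackholes.mail-abuse.org."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        # The reversed-dotted-quad scheme in the article is IPv4-only.
        raise ValueError(f"IPv4 address required, got {client_ip}")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def system_resolver(name: str) -> Optional[str]:
    """Default resolver: an A-record lookup through the host's configured DNS
    servers (the same ones the relay would use). None means NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(client_ip: str, zone: str,
                 resolve: Resolver = system_resolver) -> Optional[str]:
    """Return the A record the list answers with (conventionally 127.0.0.x)
    when the client is listed, or None when it is not."""
    return resolve(dnsbl_query_name(client_ip, zone))


def dnsbl_self_test(zone: str, resolve: Resolver = system_resolver) -> bool:
    """True if the zone's 127.0.0.2 test entry resolves. False means the DNS
    server has no data for the zone, so no host would ever be blocked."""
    return dnsbl_lookup(TEST_ENTRY, zone, resolve) is not None


# Constructed, offline stand-in for a DNS server that holds the zone data
# (inquiry or transfer mode): query name -> A record.
ZONE = "blackholes.mail-abuse.org"
FAKE_ZONE_DATA = {
    "2.0.0.127." + ZONE: "127.0.0.2",    # the test entry
    "40.30.20.10." + ZONE: "127.0.0.2",  # constructed listing for 10.20.30.40
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)


def no_data_resolver(name: str) -> Optional[str]:
    """Stand-in for a DNS server that was never set up for the zone."""
    return None


if __name__ == "__main__":
    print(dnsbl_query_name("10.20.30.40", ZONE))
    print("self-test:", dnsbl_self_test(ZONE, fake_resolver))
    print("10.20.30.40 listed as:", dnsbl_lookup("10.20.30.40", ZONE, fake_resolver))
    print("192.0.2.1 listed as:", dnsbl_lookup("192.0.2.1", ZONE, fake_resolver))
    print("self-test, no zone data:", dnsbl_self_test(ZONE, no_data_resolver))
```

Swapping `fake_resolver` for the default `system_resolver` turns `dnsbl_self_test` into the same check as the nslookup procedure in item 6, run from the machine whose DNS configuration matches the relay's.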

There are two ways to make DNSBL information available in your DNS server from the MAPS site. These correspond to the inquiry (query) mode and transfer mode, using the terminology from the MAPS web site.

In the "inquiry mode", you configure your DNS server so that any query within the DNSBL domain (blackholes.mail-abuse.org) is forwarded to a DNS server hosted by MAPS.

In the "transfer mode", you arrange a DNS zone transfer from MAPS, so that the blackholes.mail-abuse.org zone data is held locally on your own DNS server.

Other DNSBL services have similar arrangements.

After you obtain your subscription, MAPS will provide specific instructions for setting up your DNS server for the query or transfer method.

Relevant EMF events are:

Event ID 1047 - Info / Trace - "DNSBL query"
Event ID 1048 - Warning / Normal - "Host found on the blackhole list"
Event ID 1049 - Info / Trace - "Host was not found on the blackhole list"


(NOTE: events 1048 and 1049 will include in the event details the IP being tested.)

2. Which Blackhole listings does EMF use?

The default DNSBL service is Mail Abuse Prevention System LLC (MAPS), at http://www.mail-abuse.org/, and the MAPS service EMF uses by default is RBL. Which mode you select (Query or Transfer) depends on how you wish to administer your DNS server, as discussed above.

MAPS offers at least four related services: RBL, RSS, DUL, and RBL+, which is a combination of the first three. (See the MAPS site for descriptions of these services.) Only RBL has been tested and is officially supported by Tumbleweed, but we know of customers successfully using RBL+ after making a one-line change in the EMF database (described in the next paragraph).

That said, according to MAPS all four services behave in exactly the same manner; the only difference between them is the "zone", as MAPS calls it, or service hostname (also called the "RBL Hostname"). The zone (RBL Hostname) for the RBL service is blackholes.mail-abuse.org, which is EMF's default value for the RBL Hostname. This value can be overridden by adding a row to the RelayConfigValues table in the EMFMail database with the [keyName] column set to RBL Hostname and the [ansiStringValue] column set to some.other.hostname. (EMF 5.6 added a Set Up option in the UI called Configuration Editor, which can be used to modify the RelayConfigValues table; see the EMF Admin Guide for details.)

For example, to use the RSS service from MAPS, change the value of 'RBL Hostname' to 'relays.mail-abuse.org'. See the MAPS site for the full list of RBL Hostnames.

We need to reiterate that Tumbleweed has not tested changing this value and cannot support you if you do, but we know of no reason why it would not work.

3. Do we have to subscribe to one of these services?

Yes. The subscription (e.g., to MAPS) is separate from your EMF license. To subscribe to MAPS, go to http://www.mail-abuse.org/.

4. Does DNSBL use a lot of system resources, in other words will we start seeing performance problems?

The DNSBL check is a single forward DNS (UDP/TCP port 53) A-record lookup per inbound connection, and is therefore an insignificant performance hit under normal conditions. The one case where it becomes noticeable is a slow or unreachable DNS server: each inbound connection then waits for its lookup to complete or time out before the session can proceed, so keep the DNS server used by the relay healthy and close by.

5. How do we turn the option on?

To turn on DNSBL for a specific network, go to EMF webadmin > Setup > Relays > Network Connections and set the DNSBL column to "Perform". DNSBL is performed by the Inbound Relay, for inbound connections only. So, to check external SMTP clients, enable this option on the "Default" row and possibly on other rows in the Network Connections table that correspond to networks (IP address ranges) outside your organization.

6. How do we test that it's working?

You need a valid subscription and a DNS server configured for Query or Transfer mode before you can test (in Transfer mode, the zone transfer from MAPS must also have completed so that the MAPS blackhole data is present on your own DNS server). Without these, your DNS server will not find any hosts under the query domain blackholes.mail-abuse.org.

Once the subscription and DNS setup are in place, you can test the DNSBL, using the same DNS server that your EMF relay is configured to use, by doing an nslookup for this host:

2.0.0.127.blackholes.mail-abuse.org

The address 127.0.0.2 is the conventional test entry that DNSBLs list permanently so that lookups can be verified. If this host is NOT found, you can be almost certain that no RBL hosts will be found by your DNS queries (it is not working). If you have subscribed and feel it should be working, contact MAPS.

To test, open a command line window and type in:

DOS> nslookup
> server DNS-server-used-by-EMF
> set type=A
> 2.0.0.127.blackholes.mail-abuse.org


and then see whether an A record is returned, or whether you get a "domain/host not found" message. You can use "set type=ANY" instead of "set type=A".

If your setup is not working, please contact the vendor (e.g., MAPS).

7. What do the users see when DNSBL is working?

7a. Recipient.

By default, the recipient of a DNSBL-blocked message sees nothing: the message is never accepted by EMF, so nothing is delivered to the recipient. EMF 6.0 introduced a relay configuration option in the UI called Accept messages from clients listed in RBL, which overrides the default behavior and delivers the message to the recipient. EMF 6.1.1 added support for multiple DNSBL sites specified in the relay setup, each with its own Accept or Reject option.

7b. Sender.

In EMF 6.0 and later, the inbound EMF SMTP relay returns a 554 SMTP response to the SMTP client when its IP address is found on the DNSBL (and then waits for the client to send the QUIT command). So, a 554 error is returned to the message sender.

Prior to EMF 6.0, EMF dropped the client TCP connection immediately. The original sender of a DNSBL-blocked message will probably receive a non-delivery report indicating that your EMF server refused the message. Whether and when that report is generated depends on the server in the delivery chain that was trying to connect to EMF: it is that server's job to send back the non-delivery report, perhaps after several retry attempts, and the precise behavior depends on how that SMTP server is configured.

EMF 6.0 also added a configuration parameter that restores the pre-6.0 behavior of dropping the connection. If you want the old behavior, add a row with [keyName] = Silently Close Connection On RBL Match and [intValue] = 1 to the RelayConfigValues table in the EMFMail database. To return to the new behavior, set intValue = 0. As mentioned in item (2), EMF 5.6 added a Set Up option in the UI called Configuration Editor, which can be used to modify the RelayConfigValues table; see the EMF Admin Guide for details.

7c. EMF Administrator.

The EMF administrator will see events in the event log as described in item (1) above.

NOTE that DNSBL will not work if your firewall (or any other device in front of EMF) acts as an SMTP relay or proxy instead of passing SMTP port 25 traffic straight through. In that case the connecting IP address EMF sees is always the firewall's, never the original external IP on the Internet, so the lookup can never match the real sender.

8. Can I configure EMF to use a DNSBL service other than MAPS?

Yes, in EMF 5.6 or higher, you can specify another DNSBL service under Setup/Relays.

As of EMF 6.1.1, EMF supports checking multiple DNSBLs for listed clients. Up to three servers can be entered on the Setup > Relay Settings page, each with its own action. The relay checks the servers consecutively from the top: if the IP is not found on the first server, it is checked against the second, and then the third if not found on the second. If the IP is found on one of the servers, EMF proceeds according to the action configured for that server and does not consult the remaining ones. See the online help for configuration information.
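The ordered multi-list check described here, combined with the per-match responses from item 7b (554 reply, or a silent drop when Silently Close Connection On RBL Match is set), as an added example written for this article rather than EMF's own code. The list names list-a.example and list-b.example, the action strings, the 554 reply wording and the `RecordingResolver` class are all assumptions made for the illustration; the resolver table is constructed so the example runs offline and also shows that the walk stops at the first hit and that list order decides the outcome when a client is on more than one list.

```python
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]   # query name -> A record or None
ListConfig = List[Tuple[str, str]]          # (zone, action), action in {"accept", "reject"}
MAX_LISTS = 3                               # EMF 6.1.1 allows up to three servers


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reversed octets of the client IPv4 address followed by the zone (item 1)."""
    return ".".join(reversed(client_ip.split("."))) + "." + zone.rstrip(".")


def check_lists(client_ip: str, lists: ListConfig, resolve: Resolver):
    """Query the configured lists top to bottom and stop at the first one that
    has the client. Returns (zone, action, answer) for that hit, or None."""
    if len(lists) > MAX_LISTS:
        raise ValueError(f"at most {MAX_LISTS} DNSBL servers may be configured")
    for zone, action in lists:
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action {action!r} for {zone}")
        answer = resolve(dnsbl_query_name(client_ip, zone))
        if answer is not None:
            return zone, action, answer
    return None


def connection_decision(client_ip: str, lists: ListConfig, resolve: Resolver,
                        silently_close: bool = False):
    """Map the first hit to what the inbound relay does with the connection:
    ("accept", None), ("reject", <554 reply>) or ("drop", None)."""
    hit = check_lists(client_ip, lists, resolve)
    if hit is None or hit[1] == "accept":
        return ("accept", None)            # not listed, or listed on an Accept list
    zone = hit[0]
    if silently_close:                     # pre-6.0 behaviour restored by the flag
        return ("drop", None)
    # Reply wording is assumed; the article only says a 554 response is returned.
    return ("reject", f"554 Connection refused: {client_ip} is listed in {zone}")


class RecordingResolver:
    """Constructed offline stand-in for the DNS server: answers from a table and
    records every name queried, so the walk order and early stop are visible."""

    def __init__(self, table):
        self.table = table
        self.queries = []

    def __call__(self, name: str) -> Optional[str]:
        self.queries.append(name)
        return self.table.get(name)


# Constructed zone data for two hypothetical lists (example names, not real services).
FAKE_TABLE = {
    "40.30.20.10.list-a.example": "127.0.0.2",   # 10.20.30.40 on both lists
    "40.30.20.10.list-b.example": "127.0.0.2",
    "5.2.0.192.list-b.example": "127.0.0.2",     # 192.0.2.5 only on the Accept list
}
LISTS = [("list-a.example", "reject"), ("list-b.example", "accept")]

if __name__ == "__main__":
    r = RecordingResolver(FAKE_TABLE)
    print(connection_decision("10.20.30.40", LISTS, r), r.queries)
    print(connection_decision("192.0.2.5", LISTS, RecordingResolver(FAKE_TABLE)))
    print(connection_decision("198.51.100.9", LISTS, RecordingResolver(FAKE_TABLE)))
    print(connection_decision("10.20.30.40", list(reversed(LISTS)), RecordingResolver(FAKE_TABLE)))
    print(connection_decision("10.20.30.40", LISTS, RecordingResolver(FAKE_TABLE), silently_close=True))
```

The reversed-order call is the case to watch when you configure the page: a client on both a Reject list and an Accept list gets whichever action sits higher in the table, so put the list whose verdict you trust most first.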

Resolution:

Subscribe to a DNSBL service, make its data available from the DNS server your relay uses, and then turn on DNSBL checking in the EMF Relay Setup.

Additional Info:

DNSBL has a sister technique called RDNS (Reverse DNS) lookup, also supported by EMF. For more information, see the related article Specifying RDNS in EMF.