I’ve blogged about DNSBLs before. They’re DNS-based blacklists of spammer IPs. (To see if 22.214.171.124 was listed in blacklist.example.com, you’d do a DNS lookup for 126.96.36.199.blacklist.example.com. If you get an IP, usually 127.0.0.2, back, it’s listed. If you get an NXDOMAIN, it’s not listed.) Some lists are abysmal, but I found some that are very accurate. I never loved DNSBLs, mainly because you cede way too much control to DNSBL operators — if they list an IP, your mailserver will refuse mail from them. Sometimes people running DNSBLs are vindictive, and other times they’re clueless, so it’s not at all unheard of for legitimate IPs to wind up in blacklists.
I set up policyd-weight on my new mailserver a little bit ago. The reason I’m so crazy about policyd-weight is that it queries multiple DNSBLs and computes a score based. I have it configured so that someone needs to be listed in multiple blacklists before anything happens, so one erroneous listing won’t do any harm.
Over time, I’ve been logging IPs of people emailing my spamtraps, and looking them up in various DNSBLs when they were listed. (Whenever I poked around there, I’d also look up the IPs of mailservers that recently sent me desired mail, and check those; any blacklist listing any non-spam server was summarily removed.) So I set up policyd-weight with this configuration file:
@dnsbl_score = ( # HOST, HIT SCORE, MISS SCORE, LOG NAME 'pbl.spamhaus.org', 3.25, 0, 'DYN_PBL_SPAMHAUS', 'sbl-xbl.spamhaus.org', 4.35, 0, 'SBL_XBL_SPAMHAUS', 'bl.spamcop.net', 3.75, 0, 'SPAMCOP', 'dnsbl.njabl.org', 3.25, 0, 'BL_NJABL', 'ix.dnsbl.manitu.net', 4.35, 0, 'IX_MANITU', 'psbl.surriel.com', 4.25, 0, 'PSBL_SURRIEL', 'list.dnswl.org', -100, 0, 'DNSWL_PASS', 'ubl.unsubscore.com', 3.50, 0, 'UNSUBSCORE', 'dnsbl-2.uceprotect.net', 2.00, 0, 'UCEPROTECT_2', 'b.barracudacentral.org', 4.00, 0, 'BARRACUDA', 'dnsbl.sorbs.net', 2.00, 0, 'SORBS', 'dyna.spamrats.com', 2.00, 0, 'SPAMRATS_DYNA', 'bl.spameatingmonkey.net',2.00, 0, 'SEM_BL', 'bl.mailspike.net', 3.00, 0, 'MAILSPIKE-BLACK', 'wl.mailspike.net', -100, 0, 'MAILSPIKE-WHITE' ); $MAXDNSBLHITS = 5; # If Client IP is listed in MORE # DNSBLS than this var, it gets # REJECTed immediately -- set high due to whitelists on list too $MAXDNSBLSCORE = 9; # alternatively, if the score of # DNSBLs is ABOVE this # level, reject immediately $MAXDNSBLMSG = '550 Your MTA is listed in too many DNSBLs';
It’s worth mentioning that this isn’t even a good configuration. For one, the whitelist (-100 points if you’re listed) should be up top, because policyd-weight seems to stop processing DNSBLs once the threshold (a score of 9, or listing in 5 blacklists) is hit. That would also argue that you’d put your fastest / most accurate blacklists up front. Spamhaus, SpamCop, Manitu, Surriel, and Barracuda Central are all first-rate; I’d move them to the top, right after the whitelist check.
You need 9 points to be listed. I thought this was conservative, and might match maybe a quarter of my spam. If you hit the highest-scoring DNSBLs, you’d still need to be in three DNSBLs before your mail was rejected — you need 9 points and the highest is 4.35. You’ll also note that, towards the end, I threw in some 2-pointers. These are lists that can be a little too aggressive, but they’re safe.
I pointed a couple of my less-used domains’ MX records to this setup. They’re ones that get tons of spam but are either used not at all, or ones that have mailboxes that, in practice, don’t get much mail, and that could afford to lose a few messages to a bad configuration. The results?
I’ve rejected mail from 150 different IPs today alone. And here’s the interesting thing: 100% of spam has been rejected, with zero false positives. This is much better than I expected. I made mailboxes for some spamtraps I have, and not a single one has any mail. I sent myself email from every legitimate service I can think of, and it went right through. And actually, it not only went right through, but it came in with a negative score — policyd-weight gave a “bonus” to people with good configurations, like if a DNS lookup for their HELO string actually matched the connecting IP. And mail from GMail and Apple had the -100 points from being in dnswl.org’s list, too.
My results surely aren’t typical of real-world settings. I’d expect to eventually have some spam slip through the cracks, and I’m a little uneasy about all the checks for HELO matches, etc., that are performed, if only because I haven’t taken the time to fully understand them. But based on a week’s worth of spam to my low-traffic mailserver, this configuration is batting a thousand. I’d planned to set up postfix-policyd to do greylists / spamtraps / blacklists / HELO checks, but thus far, and I’d planned to set up and tune SpamAssassin for mail that was ultimately accepted. And I still will someday. But right now, it’d be pointless. (It’s also worth mentioning that development of policyd-weight stopped two years ago.) But if you’re getting a lot of spam, give policyd-weight a look. It’s worked better than I imagined was possible.