SpamAssassin includes rule for the use of dnswl.org out of the box, as do many commercial and free products. Sometimes, the use of dnswl.org is not really visible to the users, since that filtering is applied at earlier stages.
For specific setups, you will find some hints on how to implement dnswl.org data in order to gain the most benefit from doing so.
You may use dnswl.org data to filter however you like, but our general recommendations are:
| Skip greylisting for all listed IPs (none – high) | All listed hosts are expected to pass greylisting so you are only avoiding delays, not affecting what gets blocked. |
| Skip blacklisting for all listed IPs (none – high) | All listed hosts are known to send legitimate email and should not be blacklisted. |
| Skip spam filtering for medium and high ranked IPs. | These are trusted to send spam rarely enough that they are not worth filtering. |
| Never skip virus filtering. | |
Caveat: Greylisting some freemail providers may increase the chance that bulk detectors (Razor/Pyzor/DCC etc) catch some additional spam.
Technical details on how to use dnswl.org
- Query format
- Return codes
- SpamAssassin
- Postfix
- Sendmail
- Exim
- rbldnsd
- BIND
- Spamikaze
- mutt
- SpamTestBuddy
- SurgeMail
- milter-greylist
- qpsmtpd
- Example setups
How to query DNSWL
The query must always go to the zone “list.dnswl.org” in standard DNSBL format, ie with a reversed dotted quad IP address. To query whether the IP address “1.2.3.4” is listed, the query would thus be
4.3.2.1.list.dnswl.org
The list contains the standard test entry of 127.0.0.2, which you can also test manually
matthias:~ > host 2.0.0.127.list.dnswl.org 2.0.0.127.list.dnswl.org has address 127.0.10.0
Return codes
The return codes are structured as 127.0.x.y, with “x” indicating the category of an entry and “y” indicating how trustworthy an entry has been judged.
Categories (127.0.X.y):
- 2 – Financial services
- 3 – Email Service Providers
- 4 – Organisations (both for-profit [ie companies] and non-profit)
- 5 – Service/network providers
- 6 – Personal/private servers
- 7 – Travel/leisure industry
- 8 – Public sector/governments
- 9 – Media and Tech companies
- 10 – some special cases
- 11 – Education, academic
- 12 – Healthcare
- 13 – Manufacturing/Industrial
- 14 – Retail/Wholesale/Services
- 15 – Email Marketing Providers
- 20 – Added through Self Service without specific category
Trustworthiness / Score (127.0.x.Y):
- 0 = none – only avoid outright blocking (eg large ESP mailservers, -0.1)
- 1 = low – reduce chance of false positives (-1.0)
- 2 = medium – make sure to avoid false positives but allow override for clear cases (-10.0)
- 3 = high – avoid override (-100.0).
The scores in parantheses are typical SpamAssassin scores.
Special return code 127.0.0.255
In cases where your nameserver issues more than 100’000 queries / 24 hours, you may be blocked from further queries. The return code “127.0.0.255” indicates this situation. In this situation, you have the following options:
- You are sure you are far below 100k queries – then you are likely blocked because you are using a “big” nameserver that is used by many others as well. Within DNS, we can not reliably detect individual users “behind” such a nameserver. Your best option is to set up your own local resolver (which should do full resolution, and not just forward to the same “big” nameserver).
- You are legitimately above 100k queries – you can get a subscription for dnswl.org data and run your local copy of the zone. See here for more details.
- You can turn off your queries to dnswl.org
SpamAssassin Configuration
Please note that as of version 3.2.0, the rules below are included in the SpamAssassin default package. The distribution package for 3.2.0 had a bug that prevented the rules from actually firing (the __RCVD_IN_DNSWL part was missing), but this has been fixed in subsequent versions.
header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
tflags __RCVD_IN_DNSWL nice net
header RCVD_IN_DNSWL_NONE eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.0$')
describe RCVD_IN_DNSWL_NONE Sender listed at http://www.dnswl.org/, no trust
tflags RCVD_IN_DNSWL_NONE nice net
header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.1$')
describe RCVD_IN_DNSWL_LOW Sender listed at http://www.dnswl.org/, low trust
tflags RCVD_IN_DNSWL_LOW nice net
header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.2$')
describe RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust
tflags RCVD_IN_DNSWL_MED nice net
header RCVD_IN_DNSWL_HI eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.3$')
describe RCVD_IN_DNSWL_HI Sender listed at http://www.dnswl.org/, high trust
tflags RCVD_IN_DNSWL_HI nice net
score RCVD_IN_DNSWL_LOW -1
score RCVD_IN_DNSWL_MED -10
score RCVD_IN_DNSWL_HI -100
Postfix Configuration
Versions of Postfix prior to Postfix 2.8 require a special file format in order to support whitelists. With Postfix 2.8, two new acccess methods have been implemented: permit_dnswl_client and postscreen_dnsbl_sites.
postscreen_dnsbl_sites allows to weigh black/whitelists. For weighted scores above postscreen_dnsbl_threshold, the message will be rejected. Example configuration:
postscreen_dnsbl_sites = highqualityblacklist.example.com*2 lowerqualityblacklist.example.net list.dnswl.org*-5
This example will allow all mail through if it is listed in list.dnswl.org, even if the blacklists combined give a hit. The weights can of course be adjusted and combined with numerous black/whitelsits. If you want to restrict the whitelisting to those with score “low”, “med” and “hi”, you can use the following pattern:
postscreen_dnsbl_sites = ... list.dnswl.org=127.0.[0..255].[1..3]*-5
permit_dnswl_client is used in the smtpd_recipient_restrictions with a syntax similar to postscreen_dnsbl_sites. Example to allow all whitelisted clients to connect (ie, full override of blacklisting):
smtpd_recipient_restrictions = permit_dnswl_client list.dnswl.org, reject_rbl_client someblacklist.example.com, permit_mynetworks, reject_unauth_destination
To override only for “low”, “med” and “hi”:
smtpd_recipient_restrictions = permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client someblacklist.example.com, permit_mynetworks, reject_unauth_destination
Sendmail
open-sendmail has a FEATURE(`anfi/rsdnsbl’): http://open-sendmail.sourceforge.net/.
Exim
The configuration for Exim is probably the most straightforward we have seen so far:
accept domains = +local_domains
dnslists = list.dnswl.org
logwrite = $sender_host_address is whitelisted
See http://www.immerda.ch/index.php/ServerMailSpamAntivir#Whitelisting for more details.
The following config snippet scans an email for spam unless the sending ip is a medium or high trust level in dnswl.org:
warn ! dnslists = list.dnswl.org&0.0.0.2 spam = nobody:true
rbldnsd Configuration
If you rsync the rbldnsd-format locally, you can set it up as follows (assuming you have a working rbldnsd setup):
/path/to/rbldnsd -f list.dnswl.org:ip4set:/path/to/rbldnsd-dnswl
Of course you may add more options to rbldnsd, eg specify a user to run as, chroot directory, IP address to bind to etc. – refer to the rbldnsd documentation.
BIND Configuration
Spamhaus has a good explanation on how to use rbldnsd and BIND in a combined setup here.
In order to use the rsync’ed BIND formatted file, adapt the following snippet to your needs in named.conf:
zone "list.dnswl.example.org" {
type master;
file "list.dnswl.example.org.zone";
allow-query{ (use a suitable list); };
allow-update{ none; };
};
Spamikaze
Spamikaze is an automated spam block system that can also consider whitelists to minimize the risk of false positives.
The Spamikaze website shows how to configure the system in general. In order to use dnswl.org data with Spamikaze, change your spamikaze/config file:
[Mail] ... WhitelistZones = ... list.dnswl.org
mutt
Put this in your ~/.muttrc you’ll get everything colorized by dnswl rank:
color index red default ~h^X-DNSWL:.No$ color index yellow default ~h^X-DNSWL:.none color index blue default ~h^X-DNSWL:.low color index cyan default ~h^X-DNSWL:.med color index green default ~h^X-DNSWL:.hi
This works if you use the Postfix tweaking above, but you can trigger on other tokens (eg those provided by SpamAssassin).
SpamTestBuddy
SpamTestBuddy is a simple spam-scoring tool, built to be included through procmail. As of version 0.95 (2007-09-27) SpamTestBuddy supports DNS-based whitelists, and comes with dnswl.org rules pre-configured.
SurgeMail / Netwinsite
In order to use dnswl.org data with the SurgeMail server, add the following entry to surgemail.ini:
g_orbs_list name="list.dnswl.org" action="accept" stamp="3=dnswl_high~2=dnswl_medium~1=dnswl_low~0=dnswl_none"
milter-greylist
The following config snippet will exclude all dnswl.org-listed hosts from greylisting:
dnsrbl "DNSWL" list.dnswl.org 127.0.0.0/16 racl whitelist dnsrbl "DNSWL"
The milter-greylist developers work on a possibility to exclude only certain scores (the “x” in 127.0.x.y) from greylisting. Thanks to Greg Troxel for bringing this up.
qpsmtpd
Add “list.dnswl.org” to the “whitelist_zones” config file and add a line “dns_whitelist_soft” to the plugins file.
Hanno Hecker has provided a “dnswl” plugin with a locally rsync’d DB, available athttp://svn.perl.org/qpsmtpd/contrib/vetinari/dnswl
Example setups
A combination of greylisting, SpamAssassin, SpamProbe, image spam filters, DNSWL and virus filtering built around Postfix:http://www.chaosreigns.com/spam/.