What is a DNSBL?

A Domain Name System Blacklist (DNSBL) is an effort to stop email spamming. It is a “blacklist” of locations on the Internet reputed to send email spam. The locations are IP addresses, and the lists are most often used to publish the addresses of computers or networks linked to spamming. As their name implies, the lists are based on the Internet’s Domain Name System, which converts complicated, numerical IP addresses such as 140.239.191.10 into domain names like example.net, making the lists much easier to read, use, and search. If the maintainer of a DNS Blacklist has in the past received spam of any kind from a specific domain name, that server would be “blacklisted” and all messages sent from it would be either flagged or rejected by all sites that use that specific list.

A DNSBL is a software mechanism, rather than a specific list or policy. There are dozens of DNSBLs in existence, which use a wide array of criteria for listing and delisting of addresses. These may include listing the addresses of zombie computers or other machines being used to send spam, ISPs who willingly host spammers, or those which have sent spam to a honeypot system.

Although modern DNS Blacklists are rarely used as educational tools, blocking and filtering email remains their primary purpose to this day. Many email system operators and users consider DNSBLs a valuable tool to share information about sources of spam. Most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.

DNS Blacklists can vary greatly from one to another because each populates its list according to its own standards and criteria for what a spammer is. Some are stricter than others. Some list sites only for a set amount of time from the date the maintainer last received spam, while others are manually maintained, and still others block not only IP addresses but also entire ISPs known to harbor spammers. As a result, some lists work better than others because they are maintained by services with a greater level of trustworthiness and credibility than competing lists might have.

Many MTAs like Exim, Sendmail, and Postfix can be configured to absolutely block or (less commonly) to accept email based on a DNSBL listing. This is the oldest form of DNSBL usage. Depending on the specific MTA, there can be subtle distinctions in configuration that make list types useful or pointless because of how the MTA handles multiple DNSBLs. A drawback of using the direct DNSBL support in most MTAs is that sources not on any list require checking all of the DNSBLs being used, with relatively little benefit from caching the negative results. In some cases this can cause a significant slowdown in mail delivery.

DNSBLs can be used in rule-based spam analysis software like SpamAssassin, where each DNSBL has its own rule. Each rule has a specific positive or negative weight which is combined with other types of rules to score each message. This allows for the use of rules that act (by whatever criteria are available in the specific software) to “whitelist” mail that would otherwise be rejected due to a DNSBL listing or due to other rules. This approach can also suffer from heavy DNS lookup load for no useful results, but it may not delay mail as much because scoring makes it possible for lookups to be done in parallel and asynchronously while the filter is checking the message against the other rules.
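
The lookup behind both the MTA and the scoring setups described above, as an added example (not code from this page, from any MTA, or from SpamAssassin): each list is queried by reversing the sender's address and appending the list's zone, and the answers are weighted and summed. The zone names, weights, threshold and the FAKE_DNS answers are constructed for illustration; the reversed-address query name and the 127.0.0.0/8 answer convention follow RFC 5782. Pass resolve=system_resolver to query real zones.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Hypothetical zones and rule weights, constructed for this example.
# A negative weight plays the "whitelist" role described above.
ZONES = {"bl.example.org": 3.0, "zombies.example.net": 2.0, "wl.example.com": -4.0}

# Constructed stand-in for DNS answers so the example runs offline.
FAKE_DNS = {
    "10.2.0.192.bl.example.org": "127.0.0.2",
    "10.2.0.192.zombies.example.net": "127.0.0.4",
    "20.2.0.192.bl.example.org": "127.0.0.2",
    "20.2.0.192.zombies.example.net": "127.0.0.4",
    "20.2.0.192.wl.example.com": "127.0.0.2",
}

def query_name(ip, zone):
    """Reverse the IPv4 octets (or IPv6 nibbles) and append the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """Live lookup: the A record, or None for NXDOMAIN or a resolver error."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def score(ip, zones=ZONES, resolve=FAKE_DNS.get, threshold=5.0):
    """Query all zones in parallel; sum the weights of the zones listing ip."""
    names = [query_name(ip, zone) for zone in zones]
    with ThreadPoolExecutor(max_workers=len(names)) as pool:
        answers = dict(zip(zones, pool.map(resolve, names)))
    # A listing is an A record in 127.0.0.0/8 (RFC 5782); anything else,
    # such as a wildcard answer from a lapsed zone, is not counted as a hit.
    hits = [z for z, a in answers.items() if a and a.startswith("127.")]
    total = sum(zones[z] for z in hits)
    return total, hits, total >= threshold

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, score(ip))
```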

Some DNSBLs have been created not for filtering email for spam but for demonstration, informational, rhetorical, and testing control purposes. Examples include the “No False Negatives List,” “Lucky Sevens List,” “Fibonacci’s List,” various lists encoding GeoIP information, and random selection lists scaled to match coverage of another list, useful as a control for determining whether that list’s effects are distinguishable from random rejections.

Users can decide which DNS Blacklist works best for them depending on their specific security needs. More lenient lists might allow more spam to get through, but might not block non-spam messages that would be misidentified by lists with stricter guidelines for what is listed and what is left off. To help with this choice, DNS Blacklists intended for public use will usually have a specific, published policy detailing what a listing means, and must adhere to the criteria laid out in it in order not only to attain public confidence in their services but to sustain it.


How to Remove IP Address from Blacklist