Monday, September 17, 2012

Exchange's IMF and DNSBL

MS Exchange server has a feature that lets it filter out spam email by asking DNSBL (DNS-based blacklist) services whether the sending IP is blacklisted.

Those services can be added via Exchange's GUI. In Exchange 2003 the path is: "Exchange System Manager -> Global Settings -> Message Delivery -> Properties -> Connection Filtering". The list is there.

To know which server to add

In an email client open a spam email's source and/or look at the email's headers. Locate the "Received:" header line which contains the IP of the last SMTP node that handed this email to your server (usually it's one of the top header rows).

Open http://mxtoolbox.com/blacklists.aspx in a browser and query the IP you found in the headers.

If the sender IP is listed on a DNSBL the site knows about, that will be shown.

Open the DNSBL's web site and look for its query suffix, i.e. the zone name that gets appended to the reversed IP (it can be tricky to find, but if the service is free it should be there somewhere).

For example, for the DNSBL service WPBL the suffix is db.wpbl.info

Using the Exchange GUI settings, add this suffix to the list.

Repeat those steps a few more times to add the most effective DNSBL filters to the list.

Good DNSBL servers are: PSBL (psbl.surriel.com), Barracuda (b.barracudacentral.org), Spamhaus (zen.spamhaus.org), MailSpike (bl.mailspike.net), etc.

False positives

Beware of a DNSBL that lists a legitimate SMTP service. Repeat the steps above using the IPs of some valid email senders. If one of them turns out to be listed on a DNSBL, leave that DNSBL out of the Exchange list.

These two services often cause false-positive blocking: Backscatterer (ips.backscatterer.org), Sorbs (spam.dnsbl.sorbs.net)

How to make a request manually

Say we want to check whether a sender with the IP 173.232.2.221 is blacklisted, using the DNSBL service WPBL.

First, write the IP address in PTR-like notation, i.e. reverse the order of the octets. In this case it becomes 221.2.232.173

Append the DNSBL suffix to it. Together it will be
221.2.232.173.db.wpbl.info

Issue a DNS A query, for example:
host 221.2.232.173.db.wpbl.info
If the IP is listed, the result will look like
221.2.232.173.db.wpbl.info has address 127.0.0.2

If it's not listed, the query returns a not-found error.

Some DNSBL servers also encode different meanings in the returned dummy address (i.e. the last octet of the returned IP address tells the story). Look on the server's home site for descriptions and more info.
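The manual query above, plus the false-positive sanity check from the previous section, as an added Python example (this is not code from the post; WPBL's suffix and the 173.232.2.221 address come from the text, while the 127.0.0.2 / 127.0.0.1 test entries are the RFC 5782 convention, and the offline answers in the main block are constructed):

```python
from __future__ import annotations

import ipaddress
import socket

# Test entries from the RFC 5782 convention: a working IPv4 DNSBL lists
# 127.0.0.2 and must NOT list 127.0.0.1 (a list that answers both is broken).
MUST_BE_LISTED = "127.0.0.2"
MUST_NOT_BE_LISTED = "127.0.0.1"
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets (PTR-like notation) and append the DNSBL zone suffix."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed IP
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def resolve_a(name: str):
    """Default resolver: a real A query through the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []  # not found means "not listed"
    return sorted({info[4][0] for info in infos})

def check_dnsbl(ip: str, zone: str, resolver=resolve_a) -> dict:
    """Return the query name, raw answers, and a verdict that ignores bogus answers."""
    name = dnsbl_query_name(ip, zone)
    answers = resolver(name)
    # A DNSBL only ever answers from 127.0.0.0/8; anything else (e.g. a parked
    # domain wildcarding every name) is not a listing and must not block mail.
    sane = all(ipaddress.IPv4Address(a) in LOOPBACK for a in answers)
    return {"query": name, "answers": answers, "listed": sane and bool(answers)}

def zone_is_healthy(zone: str, resolver=resolve_a) -> bool:
    """Probe the RFC 5782 test entries before trusting a list in Exchange."""
    return (check_dnsbl(MUST_BE_LISTED, zone, resolver)["listed"]
            and not check_dnsbl(MUST_NOT_BE_LISTED, zone, resolver)["listed"])

if __name__ == "__main__":
    # Constructed answers standing in for DNS, so this runs offline.
    fake = {"221.2.232.173.db.wpbl.info": ["127.0.0.2"],
            "2.0.0.127.db.wpbl.info": ["127.0.0.2"]}
    offline = lambda name: fake.get(name, [])
    print(check_dnsbl("173.232.2.221", "db.wpbl.info", offline))
    print("zone healthy:", zone_is_healthy("db.wpbl.info", offline))
```

Drop the `resolver` argument to query the real zone; run `zone_is_healthy` against every suffix before adding it to the Exchange list, since a dead list that answers for every name would block all inbound mail.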
