Brief DBL false positive


Spamhaus are rolling out a new subzone of the DBL, for domains whose webservers have been compromised and used to host spam landing pages, often via mass compromises of their management control panels. There was a brief mistake that caused all of .net to be listed in the new subzone, meaning that mail sent with URLs in it that used hostnames in .net may have been rejected or spam-foldered by early adopters or careless users of the DBL.
If you’re using one of the reputation services that wraps many different sorts of listing in a single zone, differentiating between listing reasons by return code, you should be aware of what all the subzones are and what a listing of each type means. Unless the blacklist operator has a published policy about what sort of sublists might be added in the future, you should never configure your mailservers to take action on every returned value; rather, check for the specific return values you understand and ignore any response that you don’t explicitly intend to use.
If your MTA supports it, logging unrecognized responses and alerting on them is a good idea – both so you know when a new category is added, and so you know if you’ve been blocked from accessing the blacklist, or the blacklist has been shut down and is listing the entire Internet. It’s not unusual for blacklists to see very high query volumes for months or years after they’ve been shut down, presumably from users who are using the data as part of a scoring system and who haven’t noticed that it’s no longer providing any useful data.
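As an added illustration of that policy (example code, not from the post or from Spamhaus), here is a lookup handler that acts only on an explicit table of return codes and logs everything else. The codes in the table, the domain names and the sample answers are constructed for the example; the real return codes for each subzone come from the list operator’s documentation.

```python
import ipaddress
import logging
from enum import Enum

log = logging.getLogger("dbl")


class Action(Enum):
    REJECT = "reject"
    SCORE = "score"
    IGNORE = "ignore"


# Policy table of the return codes this MTA has *chosen* to act on. The values are
# constructed for the example; take the real codes for each subzone from the list
# operator's published documentation and add a row only for listings you intend to use.
POLICY = {
    "127.0.1.2": ("spam domain", Action.REJECT),
    "127.0.1.4": ("phish domain", Action.REJECT),
    "127.0.1.102": ("abused legitimate site", Action.SCORE),
}
DNSBL_RANGE = ipaddress.ip_network("127.0.0.0/8")  # every real DNSBL answer lives here
RANK = {Action.IGNORE: 0, Action.SCORE: 1, Action.REJECT: 2}


def classify(domain, rcodes):
    """Turn the A records from a DBL lookup of `domain` into (action, reason).
    An empty list means NXDOMAIN, i.e. the domain is not listed."""
    if not rcodes:
        return Action.IGNORE, "not listed"
    best, reasons = Action.IGNORE, []
    for code in rcodes:
        if ipaddress.ip_address(code) not in DNSBL_RANGE:
            # Not a DNSBL answer at all: the zone may have expired and be parked.
            log.error("%s: non-DNSBL answer %s; list may be dead or hijacked", domain, code)
            continue
        if code not in POLICY:
            # A new subzone, a test point or an error code: record it, never act on it.
            log.warning("%s: unrecognized return code %s ignored", domain, code)
            continue
        reason, action = POLICY[code]
        reasons.append(reason)
        if RANK[action] > RANK[best]:
            best = action
    return best, "; ".join(reasons) or "only unrecognized codes"


if __name__ == "__main__":
    # Constructed sample answers, including the "new subzone" case from the post.
    for dom, answer in [("a.example", ["127.0.1.2"]), ("b.example", ["127.0.1.200"])]:
        print(dom, classify(dom, answer))
```

Wiring this to a real resolver means passing the A records from the `<domain>.<dbl zone>` query as `rcodes`; an unexpected flood of "unrecognized" or "non-DNSBL answer" log lines is the alert condition the paragraph above describes.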

1 comment

  • I also remember a while back somebody wrote a “How to shut down a DNSBL gracefully” BCP document, although I’m not sure how much that helps, since the kind of folks who would shut down a DNSBL ungracefully aren’t likely to read a BCP document.
    …and frankly, I can understand that. It seems that a lot of DNSBLs are born from anger — “I’m going to build something to fix all of this spam” — and then after some amount of time of taking abuse from listees and users alike, there’s a temptation to do a Cartman “screw YOU guys, nyeah, nyeah”.
    So, yeah, should probably still have an infrastructure monitoring piece to regularly check whether any part of your antispam solution has gone all wrong.

By steve
