Spamhaus DBL

Over the last few months I’ve gotten an increasing number of questions about the Spamhaus DBL. So it’s probably time to do a blog post about it.

Last year I wrote about the DBL:

DBL is the Domain Block List. It lists domains and not IP addresses. I’ll be honest, I don’t have as much experience with the DBL as with other lists, but I have had a few clients on the DBL.

  • DBL is tied into the CSS.
  • You can get on the DBL without the sending IP being on CSS.
  • DBL makes no judgement on the source of the mail, only the content of the mail.

With more clients being on the list, I have a little more information about it.

DBL listings are generated both by automated tools and by manual entries from the Spamhaus folks. Automated listings are the ones most closely tied to CSS listings.

From my perspective, the goal of the DBL is to block domains found in spam being sent from many IP addresses in a way that makes it difficult to address with standard IP-based blocks. I believe that the automated DBL listings are generated based on domains found in the content of the email rather than domains found in the headers. However, most of the DBL users match against any domain in the message, including those in the headers.

The automated DBL listings are usually the root domain, but it is possible some of the manual listings are more specific and list subdomains.
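As an added illustration (not code from this post or from Spamhaus), here is a sketch of how a DBL user might match every domain in a message, headers included, against `dbl.spamhaus.org`. The sample message, the `fake_resolver` stub and the two-label parent walk (a stand-in for a proper Public Suffix List lookup) are assumptions made for the example.

```python
import re
import socket
from email import message_from_string

DBL_ZONE = "dbl.spamhaus.org"
# Hostnames only: the alphabetic TLD keeps bare IP addresses out of DBL queries.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample message; every domain in it is a placeholder.
SAMPLE = """From: Offers <news@mail.sender.example>
Subject: Hello

Click http://track.esp.example/c/123 or http://cdn.bad-shop.example/x
"""

def candidate_domains(raw_message):
    """Collect every hostname in headers and body, plus its parent domains."""
    msg = message_from_string(raw_message)
    text = "\n".join(v for _, v in msg.items()) + "\n" + str(msg.get_payload())
    found = set()
    for host in HOST_RE.findall(text):
        labels = host.lower().split(".")
        # Query the full name and each parent down to two labels, because a
        # listing may be the root domain or a more specific subdomain.
        for i in range(len(labels) - 1):
            found.add(".".join(labels[i:]))
    return sorted(found)

def dns_lookup(name):
    """Default resolver: the A record as a string, or None if not found."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def fake_resolver(name):
    """Offline stub with one constructed listing (assumption for the demo)."""
    return {"bad-shop.example.dbl.spamhaus.org": "127.0.1.2"}.get(name)

def check_message(raw_message, resolve=dns_lookup):
    """Return {domain: return_code} for every candidate the DBL lists."""
    hits = {}
    for domain in candidate_domains(raw_message):
        answer = resolve(f"{domain}.{DBL_ZONE}")
        if answer and answer.startswith("127.0.1."):  # 127.0.1.x means listed
            hits[domain] = answer
    return hits

if __name__ == "__main__":
    print(check_message(SAMPLE, fake_resolver))
```

Note that the header domain and the tracking-link domain are checked alongside the body link, which is why a listing can affect mail regardless of which IP sent it.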

There is an automated delisting process, but there are limits to the number of times you can delist. Too many delistings and you need to send email and be manually delisted. This can take more than 24 hours in some cases. If you are listed on both the CSS and the DBL, you need to ask for delisting for both.

If your domain is on the DBL but your IPs are not on the CSS, then I suggest looking at the possibility that someone is putting your links in spam. It could be a web server compromise hosting phishing. Or, if you’re an ESP, maybe a customer grabbed a tracking link and is using it in mail sent through another provider.

As with all listings, identifying the underlying reason for the listing and fixing the problem is crucial to staying off the list. If you’ve not fixed the problem, the listing will come back. And, eventually, you won’t be able to delist automatically.

Related Posts

Microsoft using Spamhaus Lists

An on-the-ball reader sent me a note today showing a bounce message indicating Microsoft was rejecting mail due to a Spamhaus Blocklist Listing.
5.7.1 Client host [10.10.10.10] blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso (S3130). [VE1EUR03FT043.eop-EUR03.prod.protection.outlook.com]
The IP in question is listed on the CSS, which means at a minimum Microsoft is using the SBL. I expect they’re actually using the ZEN list. ZEN provides a single lookup for 3 different lists: the SBL, XBL and PBL. The XBL is a list of virus infected machines and the PBL is a list of IPs that the IP owners state shouldn’t be sending email. Both of these lists are generally safe to use. If MS is using the SBL, it’s very likely they’re using the other two as well.
 


What kind of mail do filters target?

All too often we think of filters as a linear scale. There’s blocking on one end, and there’s an inbox on the other. Every email falls somewhere on that line.
Makes sense, right? Bad mail is blocked, good mail goes to the inbox. The bulk folder exists for mail that’s not bad enough to block, but isn’t good enough to go to the inbox.
Once we get to that model, we can think of filters as just different tolerances for what is bad and good. Using the same model, we can see aggressive filters block more mail and send more mail to bulk, while letting less into the inbox. There are also permissive filters that block very little mail and send most mail to the inbox.
That’s a somewhat useful model, but it doesn’t really capture the full complexity of filters. There isn’t just good mail and bad mail. Mail isn’t simply solicited or unsolicited. Filters take into account any number of factors before deciding what to do with mail.


New blocklisting process

There is a new type of blocking designed to interrupt the ability of users to click and visit phishing sites.
DNS Response Policy Zones allow companies running recursive resolvers to create a zone that will not resolve specific domains. This is a second layer of filtering: if a spammer manages to get an email with a malicious link into the inbox, the ISP can still protect the user from becoming a victim of the scam. For more detailed information about RPZ, check out the helpful slides published by ISC.
Two blocklists announced this morning that they were publishing lists in RPZ format so ISPs can import the data into their DNS recursive resolver. SURBL is currently offering their list as RPZ. Spamhaus is currently running a beta for the DBL in an RPZ format. If you’re a current DBL user, talk to Spamhaus about checking out their new format.
 
 
 
