DNS-based blacklisting
This example shows how to add a DNS-based blacklist to the sendmail configuration file. In this case the SBL-XBL list provided by Spamhaus, one of the most reputable and accurate blacklists, is used for the purposes of illustration.
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`"554 Rejected " $&{client_addr} " - see http://www.spamhaus.org/ then contact " $&{postmaster_addr}')dnl
To minimize the damage done in the unlikely event of obtaining a false positive the error message that is returned to the client includes the following elements:
- A 554 error code (as described in RFC 821/RFC 2821).
- The connecting IP address found in the blacklist.
- A link to the Spamhaus website where the sender can find out what the blacklisting means, why it occurred, and how to be removed from the blacklist.
- An alternative contact address of the form postmaster@example.com that can be used to inform the server administrator, bypassing DNS-based blacklist checks.
This specification depends on a special ruleset that defines the postmaster_addr macro (see "Store postmaster address"), as well as the modification of the following line in the configuration file:
dnl FEATURE(delay_checks)dnl
This line should be changed to:
FEATURE(`delay_checks', `friend')dnl
After making these changes the Sendmail configuration should be rebuilt and the daemon restarted.
Appropriate entries should be added to the /etc/mail/access file to ensure that delivery to the postmaster and abuse addresses is not blocked by the blacklist (the key and the value are separated by a tab):
Spam:abuse@	FRIEND
Spam:postmaster@	FRIEND
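The following added example (not sendmail's code) models what the configuration above does, so the interplay between FEATURE(dnsbl) and the FRIEND exemptions can be traced offline: the client IP is reversed and looked up under the sbl-xbl.spamhaus.org zone, listed clients get the 554 reply, and recipients tagged FRIEND in the access map skip the check. The resolver and the access map are constructed stand-ins, and the postmaster address is assumed.

```python
# Added example, not sendmail's own code: a model of the dnsbl check plus the
# delay_checks 'friend' exemption described on this page.
import ipaddress

DNSBL_ZONE = "sbl-xbl.spamhaus.org"
POSTMASTER_ADDR = "postmaster@example.com"   # assumed value of ${postmaster_addr}

# Constructed stand-in for the /etc/mail/access entries shown above.
ACCESS = {
    "Spam:abuse@": "FRIEND",
    "Spam:postmaster@": "FRIEND",
}

# Constructed fake resolver: maps DNSBL query names to A records.
# A real check issues the same query name against the Spamhaus zone.
FAKE_DNS = {
    "4.2.0.192." + DNSBL_ZONE: "127.0.0.2",   # 192.0.2.4 is "listed" in this toy data
}


def dnsbl_name(client_addr: str) -> str:
    """Build the query name: IPv4 octets reversed, then the zone appended."""
    ip = ipaddress.IPv4Address(client_addr)
    return ".".join(reversed(str(ip).split("."))) + "." + DNSBL_ZONE


def is_friend(recipient: str) -> bool:
    """delay_checks 'friend': a Spam:user@ FRIEND entry exempts that recipient."""
    local_part = recipient.split("@", 1)[0].lower()
    return ACCESS.get(f"Spam:{local_part}@") == "FRIEND"


def check_rcpt(client_addr: str, recipient: str, resolve=FAKE_DNS.get):
    """Return (accepted, smtp_reply) for one RCPT TO from client_addr."""
    if is_friend(recipient):
        # Recipient is exempt, so the blacklist is never consulted.
        return True, "250 OK (blacklist check skipped for FRIEND recipient)"
    if resolve(dnsbl_name(client_addr)) is not None:
        # Listed: same shape as the FEATURE(dnsbl) reply, including the client IP.
        return False, (f"554 Rejected {client_addr} - see http://www.spamhaus.org/ "
                       f"then contact {POSTMASTER_ADDR}")
    return True, "250 OK"
```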
To test that the blacklisting works correctly, messages can be sent to nelson-sbl-test@crynwr.com and nelson-xbl-test@crynwr.com.
To test that the postmaster address is not being subjected to DNS-based blacklisting (a requirement of RFC 2821) you can connect via telnet from the server to be tested to:
telnet://ns1.crynwr.com
The telnet-based test will try sending mail to "postmaster@example.com", and the messages should be accepted for delivery.
Efficacy
During a test period of 24 hours in mid-July 2006 on the wincent.dev mail server the DNS-based blacklist described here stopped 261 connection attempts.
For other efficacy statistics see combatting spam.