Obtaining good list of DNSBL sites to subscribe to

From Notes_Wiki

To obtain a good list of DNSBL sites to subscribe to, use the following steps:

  1. (Optional) Find known-bad IPs to search for in the various blacklists:
    1. Open https://www.spamhaus.org/rokso/ and find some spam IPs: go to "Top 10 Rokso spammers" and, for any of them, click "current SBL listings". Example IP: 198.37.115.163
    2. If you already have access to a mail server that subscribes to a few blacklists, search for 'blocked using' in /var/log/maillog*
      Example lines:
      Mar 6 16:52:16 mail postfix/smtpd[8996]: NOQUEUE: reject: RCPT from unknown[185.143.223.160]: 554 5.7.1 Service unavailable; Client host [185.143.223.160] blocked using sbl-xbl.spamhaus.org; https://www.spamhaus.org/sbl/query/SBL442610 / https://www.spamhaus.org/sbl/query/SBL420772; from=<uej22j3y801ty@quadriennalediroma.org> to=<avoid@sunilsanjay.com> proto=ESMTP helo=<[185.143.223.170]>
      Feb 18 12:45:51 mail postfix/smtpd[16640]: NOQUEUE: reject: RCPT from m2.hs9.in[192.249.121.194]: 554 5.7.1 Service unavailable; Client host [192.249.121.194] blocked using ix.dnsbl.manitu.net; Your e-mail service was detected by mail.ixlab.de (NiX Spam) as spamming at Tue, 18 Feb 2020 06:51:24 +0100. Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=192.249.121.194; from=<Finance@msagarwal.com> to=<rahul@sunilsanjay.com> proto=ESMTP helo=<m2.hs9.in>
  2. (Optional) Query the appropriate blacklist for the IP (octets reversed, as in the command below) and check that the result is 127.0.0.2:
    dig 163.115.37.198.sbl-xbl.spamhaus.org
  3. Go to various blacklist lookup sites and try to find the above IP, your current ISP's IP, or another relevant IP in them.
  4. Copy all the DNSBL domain names into a text file (domains.txt).
  5. See which domain names are repeated across the various sites using:
    sed $'s/[ \t]//g' domains.txt | sort | uniq -c | sort -n
  6. Example output with sites appearing on both whatismyipaddress.com and dnsbl.info (entries prefixed with # are the ones the notes flag as causing false positives):
    #2 all.s5h.net - Blocks some useful sites
    2 b.barracudacentral.org
    2 bl.spamcop.net
    2 bogons.cymru.com
    2 cbl.abuseat.org
    #2 dnsbl-1.uceprotect.net - Commented on 2020-05-05 as blocking railtelindia.com: 'Client host [203.153.43.130] blocked using dnsbl-1.uceprotect.net; IP...3.43.130 is UCEPROTECT-Level 1 listed'
    #2 dnsbl-2.uceprotect.net - Commented on 2020-08-28 as blocking cgg, indiamart and a few other customers
    #2 dnsbl-3.uceprotect.net - Commented on 2020-04-28 as blocking cgg.gov.in: 'Client host [112.133.222.124] blocked using dnsbl-3.uceprotect.net; Your ISP RAILTEL-AS-IN RailTel Corporation of India Ltd., Internet Service Provider, New Delhi, IN/AS24186 is UCEPROTECT-Level3 listed for hosting a total of 104 abusers.'
    2 dnsbl.dronebl.org
    2 dnsbl.inps.de
    #2 dnsbl.sorbs.net - Blocks gmail
    #2 dnsbl.spfbl.net - Blocks many important contacts
    2 duinv.aupads.org
    2 dul.dnsbl.sorbs.net
    2 http.dnsbl.sorbs.net
    #2 ips.backscatterer.org - Blocks many important contacts
    2 korea.services.net
    2 misc.dnsbl.sorbs.net
    2 pbl.spamhaus.org
    2 proxy.bl.gweep.ca
    2 psbl.surriel.com
    2 relays.bl.gweep.ca
    2 relays.nether.net
    #2 sbl.spamhaus.org
    2 smtp.dnsbl.sorbs.net
    2 socks.dnsbl.sorbs.net
    #2 spam.dnsbl.sorbs.net - Blocks gmail
    2 spamsources.fabel.dk
    #2 ubl.unsubscore.com - Blocks O365
    2 web.dnsbl.sorbs.net
    #2 xbl.spamhaus.org
    2 zen.spamhaus.org
    2 zombie.dnsbl.sorbs.net
  7. Consider the following additional lists for subscription:
    • combined.rbl.msrbl.net
    • dsn.rfc-ignorant.org
    • ix.dnsbl.manitu.net
    • sbl-xbl.spamhaus.org
  8. Start by subscribing to these blacklists on the email servers.
  9. Observe the new configuration for as many hours as possible, watching for false positives using:
    tail -f /var/log/maillog | grep 'blocked using'
  10. Send many test emails from gmail, yahoo, etc. to the new servers to ensure that well-known domains are not blocked.
  11. (Optional) It makes sense to create exceptions (Postfix mynetworks) between the various email servers under the same administration, so that if users forward bounced emails they are delivered to the email administrator properly.
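As an added example (not from the wiki page), two small shell helpers for steps 2 and 9: one builds the reversed-octet query name and runs dig against a DNSBL, the other tallies 'blocked using' rejections per list from maillog text so a list that suddenly rejects many senders stands out; the sample log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the Notes_Wiki page.

# reverse_ip: turn 198.37.115.163 into 163.115.37.198, the label order a
# DNSBL expects in front of its zone name. Fails on anything but 4 octets.
reverse_ip() {
  printf '%s\n' "$1" | awk -F. 'NF==4 {print $4"."$3"."$2"."$1; ok=1} END {exit !ok}'
}

# dnsbl_query IP ZONE: ask the DNSBL; an A answer in 127.0.0.0/8 means
# "listed" (127.0.0.2 for the Spamhaus SBL example in step 2). Needs dig
# and network access, so it is only defined here, not run.
dnsbl_query() {
  rev=$(reverse_ip "$1") || return 2
  dig +short "${rev}.$2" A
}

# count_blocks: read maillog text on stdin and count rejections per DNSBL,
# keyed on the zone name that follows "blocked using" (step 9 monitoring).
count_blocks() {
  sed -n 's/.*blocked using \([^;]*\);.*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log lines in the same shape as the page's maillog
# excerpt (documentation addresses, no real hosts).
SAMPLE_LOG='Mar 6 16:52:16 mail postfix/smtpd[8996]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using sbl-xbl.spamhaus.org; https://www.spamhaus.org/sbl/query/SBL000000; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<[203.0.113.10]>
Mar 6 16:53:01 mail postfix/smtpd[8997]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 554 5.7.1 Service unavailable; Client host [203.0.113.11] blocked using sbl-xbl.spamhaus.org; https://www.spamhaus.org/sbl/query/SBL000001; from=<c@example.net> to=<b@example.org> proto=ESMTP helo=<[203.0.113.11]>
Mar 6 16:54:12 mail postfix/smtpd[8998]: NOQUEUE: reject: RCPT from m2.example.com[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using ix.dnsbl.manitu.net; Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=198.51.100.7; from=<d@example.com> to=<e@example.org> proto=ESMTP helo=<m2.example.com>
Mar 6 16:55:40 mail postfix/smtpd[8999]: 2F3A1: client=mx.example.org[192.0.2.5]'

# Stand-alone demo: the query label for the step-2 IP, then the tally.
reverse_ip 198.37.115.163
printf '%s\n' "$SAMPLE_LOG" | count_blocks
```

On a live server, `tail -n +1 /var/log/maillog | count_blocks` gives the same tally for the real log, and a list with a high count next to known-good senders is the one to comment out.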
