Obtaining good list of DNSBL sites to subscribe to
From Notes_Wiki
To obtain a good list of DNSBL sites to subscribe to, use the following steps:
- (Optional) Find some bad IPs to search for in the various blacklists using:
    - Open https://www.spamhaus.org/rokso/ and find some spam IPs. Go to "Top 10 Rokso spammers" and, for any of them, click on "current SBL listings". Example IP: 198.37.115.163
    - If you have access to a mail server that already subscribes to a few blacklists, search for 'blocked using' in /var/log/maillog*
        - Example lines:
            - Mar 6 16:52:16 mail postfix/smtpd[8996]: NOQUEUE: reject: RCPT from unknown[185.143.223.160]: 554 5.7.1 Service unavailable; Client host [185.143.223.160] blocked using sbl-xbl.spamhaus.org; https://www.spamhaus.org/sbl/query/SBL442610 / https://www.spamhaus.org/sbl/query/SBL420772; from=<uej22j3y801ty@quadriennalediroma.org> to=<avoid@sunilsanjay.com> proto=ESMTP helo=<[185.143.223.170]>
            - Feb 18 12:45:51 mail postfix/smtpd[16640]: NOQUEUE: reject: RCPT from m2.hs9.in[192.249.121.194]: 554 5.7.1 Service unavailable; Client host [192.249.121.194] blocked using ix.dnsbl.manitu.net; Your e-mail service was detected by mail.ixlab.de (NiX Spam) as spamming at Tue, 18 Feb 2020 06:51:24 +0100. Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=192.249.121.194; from=<Finance@msagarwal.com> to=<rahul@sunilsanjay.com> proto=ESMTP helo=<m2.hs9.in>
- (Optional) Query the appropriate blacklist for the IP (the octets are written in reverse order, followed by the blacklist zone) and check that the result is 127.0.0.2:
    - dig 163.115.37.198.sbl-xbl.spamhaus.org
- Go to the various blacklist-check sites and try to find the above IP, your current ISP IP, or another relevant IP in them:
    - https://whatismyipaddress.com/blacklist-check
    - https://www.dnsbl.info/dnsbl-list.php
    - https://mxtoolbox.com/blacklists.aspx (or https://mxtoolbox.com/problem/blacklist/#/blacklist and click on "blacklist" in the left panel)
- Copy all the domain names to a text file.
- See which domain names are repeated across the various sites using:
    - cat domains.txt | sed $'s/[ \t]//g' | sort | uniq -c | sort
- Example output, with the sites appearing on both whatismyipaddress.com and dnsbl.info, is:
    - #2 all.s5h.net - Blocks some useful sites
    - 2 b.barracudacentral.org
    - 2 bl.spamcop.net
    - 2 bogons.cymru.com
    - 2 cbl.abuseat.org
    - #2 dnsbl-1.uceprotect.net Commented on 2020-05-05 as blocking railtelindia.com 'Client host [203.153.43.130] blocked using dnsbl-1.uceprotect.net; IP...3.43.130 is UCEPROTECT-Level 1 listed'
    - #2 dnsbl-2.uceprotect.net Commented on 2020-08-28 as blocking cgg, indiamart and a few other customers
    - #2 dnsbl-3.uceprotect.net Commented on 2020-04-28 as blocking cgg.gov.in 'Client host [112.133.222.124] blocked using dnsbl-3.uceprotect.net; Your ISP RAILTEL-AS-IN RailTel Corporation of India Ltd., Internet Service Provider, New Delhi, IN/AS24186 is UCEPROTECT-Level3 listed for hosting a total of 104 abusers.'
    - 2 dnsbl.dronebl.org
    - 2 dnsbl.inps.de
    - #2 dnsbl.sorbs.net - Blocks gmail
    - #2 dnsbl.spfbl.net - Blocks many important contacts
    - 2 duinv.aupads.org
    - 2 dul.dnsbl.sorbs.net
    - 2 http.dnsbl.sorbs.net
    - #2 ips.backscatterer.org - Blocks many important contacts
    - 2 korea.services.net
    - 2 misc.dnsbl.sorbs.net
    - 2 pbl.spamhaus.org
    - 2 proxy.bl.gweep.ca
    - 2 psbl.surriel.com
    - 2 relays.bl.gweep.ca
    - 2 relays.nether.net
    - #2 sbl.spamhaus.org
    - 2 smtp.dnsbl.sorbs.net
    - 2 socks.dnsbl.sorbs.net
    - #2 spam.dnsbl.sorbs.net - Blocks gmail
    - 2 spamsources.fabel.dk
    - #2 ubl.unsubscore.com - Blocks O365
    - 2 web.dnsbl.sorbs.net
    - #2 xbl.spamhaus.org
    - 2 zen.spamhaus.org
    - 2 zombie.dnsbl.sorbs.net
- Consider the following additional lists for subscription:
    - combined.rbl.msrbl.net
    - dsn.rfc-ignorant.org
    - ix.dnsbl.manitu.net
    - sbl-xbl.spamhaus.org
- Start by subscribing to these blacklists on the email servers.
- Observe the new configuration for as many hours as possible, watching for false positives using:
    - tail -f /var/log/maillog | grep 'blocked using'
- Send many test emails from gmail, yahoo, etc. to the new servers to ensure that well-known domains are not blocked.
- (Optional) It makes sense to create exceptions (mynetworks) between the various email servers under the same administration, so that if users forward bounced emails they get delivered to the email administrator properly.
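The reversed-octet DNSBL lookup, the 'blocked using' log search and the uniq -c overlap count from the steps above, as an added Python example that is not part of the original wiki page. The postfix lines are constructed samples modelled on the page's own (two reuse the page's client IPs with example.* sender domains; the third uses a TEST-NET-3 address and a gmail.com sender to stand in for a legitimate message caught by an aggressive list), TRUSTED_SENDER_DOMAINS is an assumed list, and all function names are the example's own. No DNS query is sent; is_listed only interprets an answer you already obtained with dig.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample postfix reject lines modelled on the ones shown on this page
# (the first two reuse the page's client IPs; the third uses a TEST-NET-3 address
# and a gmail.com sender to stand in for a legitimate message caught by an aggressive list).
SAMPLE_MAILLOG = """\
Mar  6 16:52:16 mail postfix/smtpd[8996]: NOQUEUE: reject: RCPT from unknown[185.143.223.160]: 554 5.7.1 Service unavailable; Client host [185.143.223.160] blocked using sbl-xbl.spamhaus.org; https://www.spamhaus.org/sbl/query/SBL442610; from=<bulk@example.org> to=<user@example.net> proto=ESMTP helo=<[185.143.223.170]>
Feb 18 12:45:51 mail postfix/smtpd[16640]: NOQUEUE: reject: RCPT from m2.example.in[192.249.121.194]: 554 5.7.1 Service unavailable; Client host [192.249.121.194] blocked using ix.dnsbl.manitu.net; Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=192.249.121.194; from=<finance@example.com> to=<user@example.net> proto=ESMTP helo=<m2.example.in>
Feb 18 13:02:07 mail postfix/smtpd[16655]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using dnsbl.sorbs.net; from=<someone@gmail.com> to=<user@example.net> proto=ESMTP helo=<mail.example.net>
Feb 18 13:05:00 mail postfix/smtpd[16660]: 4B3C2D1E0F: client=relay.example.org[198.51.100.7]
"""

# Assumption: sender domains you never expect to see rejected. A hit here means the
# DNSBL that caused it deserves a second look before you keep subscribing to it.
TRUSTED_SENDER_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}

REJECT_RE = re.compile(
    r"Client host \[(?P<ip>[\d.]+)\] blocked using (?P<dnsbl>[A-Za-z0-9.-]+);"
    r".*?from=<(?P<sender>[^>]*)>"
)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name to look up for a DNSBL check: the IPv4 octets reversed, then the zone.
    198.37.115.163 against sbl-xbl.spamhaus.org -> 163.115.37.198.sbl-xbl.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input instead of querying junk
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """Interpret a dig answer: DNSBLs return an address in 127.0.0.0/8 when the IP is
    listed (127.0.0.2 in the page's example); NXDOMAIN, passed as None, means not listed."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def parse_reject(line: str) -> Optional[Dict[str, str]]:
    """Pull the client IP, the DNSBL that blocked it and the sender domain out of one
    'blocked using' line; any other maillog line yields None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    sender = m.group("sender")
    domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
    return {"ip": m.group("ip"), "dnsbl": m.group("dnsbl"), "sender_domain": domain}


def tally_dnsbls(log_text: str) -> Counter:
    """How many rejections each subscribed DNSBL produced (grep 'blocked using', counted)."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec:
            hits[rec["dnsbl"]] += 1
    return hits


def suspected_false_positives(log_text: str, trusted=TRUSTED_SENDER_DOMAINS) -> List[Tuple[str, str, str]]:
    """Rejections whose sender domain is trusted, as (dnsbl, sender domain, client IP)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec and rec["sender_domain"] in trusted:
            out.append((rec["dnsbl"], rec["sender_domain"], rec["ip"]))
    return out


def count_overlap(*sources: List[str]) -> Counter:
    """The page's sort | uniq -c step: how many source sites name each DNSBL. Each
    source is de-duplicated first, so a site listing one zone twice counts it once."""
    overlap: Counter = Counter()
    for names in sources:
        for name in {n.strip() for n in names if n.strip()}:
            overlap[name] += 1
    return overlap


if __name__ == "__main__":
    print(dnsbl_query_name("198.37.115.163", "sbl-xbl.spamhaus.org"))
    for zone, n in tally_dnsbls(SAMPLE_MAILLOG).most_common():
        print(f"{n:4d} {zone}")
    for dnsbl, domain, ip in suspected_false_positives(SAMPLE_MAILLOG):
        print(f"review {dnsbl}: rejected a {domain} sender from {ip}")
```

Feed tally_dnsbls and suspected_false_positives the output of `grep 'blocked using' /var/log/maillog*` during the observation window; a DNSBL that keeps showing up against trusted sender domains is the one to drop from the subscription list, which is how the page arrived at its own "Blocks gmail" and "Blocks O365" annotations.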
Refer:
- Blocking SPAM at MTA level in postfix
- CentOS 7.x Configure Postfix to block spam
- CentOS 7.x Configure or optimize new Zimbra installation
- https://unix.stackexchange.com/questions/145299/simple-sed-replacement-of-tabs-mysteriously-failing