Intelligent Message Filter, Content Filter, can do more...

WinDeveloper IMF Tune
WinDeveloper IMF Tune

Real-Time Block Lists in Exchange 2003

Alexander Zammit

Alexander Zammit Photo

Software Development Consultant. Involved in the development of various Enterprise software solutions. Today focused on Blockchain and DLT technologies.

  • Published: Oct 12, 2006
  • Category: Anti-Spam
  • Votes: 5.0 out of 5 - 6 Votes
Cast your Vote
Poor Excellent

Real-Time Block Lists identify hosts from which spam and other unwanted emails are distributed. Our journey will cover understanding how RBLs work, some tips on selecting the list provider, and Exchange 2003 configuration.

Exchange 2003 supports blocking spam through RBLs out of the box. Today we take a closer look at this filtering service. We see how RBLs work and how to configure these in Exchange.

In the Exchange 2003 documentation you will see RBL standing for Real-time Black List. However this acronym also stands for other similar definitions. The Mail Abuse Prevention System (MAPS) was the first providing such a service and defined RBL as Real-time Blackhole List.

Apart for RBL you may also meet other acronyms such as XBL and SBL. Different naming may indicate differing list generation processes or listing criteria. However all have a common goal, identifying hosts used for the delivery of spam and other unwanted emails.

RBL Basics

RBL providers identify hosts to be listed by proactively scanning the internet or through reporting from ISPs and users. Misconfigured machines acting as open relays or open proxies are quickly discovered by both spammers and list providers. Zombie machines are netted either through their open backdoors or on starting spam distribution. Cooperative ISPs may also contribute to RBLs. These supply their range of dynamically allocated IPs forcing such hosts to only submit emails through their servers.

Setting up an RBL is not that difficult. The challenging part is maintenance. Tracking hosts under spammer control is a continuous chase. New machines get infected, unknowingly joining the army of zombies. Misconfigured servers provide new open relays whilst other configurations are corrected. The ability to handle such a dynamic landscape is what makes all the difference between RBLs. A well maintained RBL should have a fast and reliable mechanism for verifying, adding and removing host listing.

It is worth underlining the last point. RBLs are not all the same. Trusting an RBL that is not properly managed generates false positives and loss of legitimate emails. For example RBLs that rely heavily on user reporting, without adequate verification, may be easily abused.

How RBLs Work

A good starting point for anyone interested in RBLs is the DNSstuff site. Using their Spam Database Lookup tool allows to quickly submit an IP to various RBL providers. Apart for seeing RBLs in action, we may also verify our own servers. Here is an example:

DNSstuff

The list of RBL providers is long. Some well known names include SpamHaus, SpamCop and MAPS (today part of TrendMicro).

RBLs are hosted within DNS servers. Thus an RBL lookup boils down to a DNS query. The DNS is populated with A (host) records for each IP to be blocked. Constructing a query requires combining the list provider DNS suffix with the IP to be verified as follows:
<Reversed IP>.<RBL DNS suffix>

As an example, to query SpamHaus we could use the suffix:
sbl-xbl.spamhaus.org

To verify the IP 12.34.56.78, we would then query for:
78.56.34.12.sbl-xbl.spamhaus.org

If the IP is not listed, the query fails and the email is allowed to go through, as far as RBL filtering is concerned. Otherwise the DNS server returns a result of the type:
127.0.0.x

The last digit may provide additional information on the type of RBL match. The possible values and their meaning are defined by the RBL provider. For example SpamHaus defines 127.0.0.2 to identify hosts listed on their SBL and describes this as "Direct UBE sources, verified spam services and ROKSO spammers". On the other hand 127.0.0.4 to 127.0.0.6, identify hosts on their XBL listing exploited machines.

User Comments - Page 1 of 1

shawn 7 Jun 2011 11:37
Exchange 2011 Real-time Block Lists
A real-time block list (RBL) is a method of stopping spammers from being able to send out large quantities of distasteful spam. A real-time block list is managed and maintained by an organization (company, non-profit, or volunteers) who track spam activity and create a list of known violators. Violations can include SMTP configurations to being caught sending spam. Once you are on their list, you can typically request removal. Some site will publish email addresses and all messages received to that email address is spam.
When a computer connects to your Exchange server, Exchange will query the specified real-time block list. If the address is on that list, Exchange will generate an error and refuse the message. The server that was trying to send the spam is then responsible to generate a non-delivery report and send it the sender. This will eventually lock up the sending server until their open relay is detected and resolved.
For a list of real-time block lists, please refer to the Wikipedia article:
http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
Setup
The process is the same for Exchange 2008 and Exchange 2010.
To setup a RBL, open Exchange Management Console – the GUI, and under Organization Configuration select Hub Transport. Select the Anti-Spam tab and right click IP Block List Providers selecting Properties. You can add lists and set them up here.

www.internetworkconsulting.net


Alexander Zammits 14 Aug 2009 01:27
Please always check the site of the RBL provider for configuration details.

For example changes at spamhaus today recommand the use of:
zen.spamhaus.org

Instead of:
sbl-xbl.spamhaus.org
Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation