{"id":15,"date":"2010-09-01T14:06:14","date_gmt":"2010-09-01T14:06:14","guid":{"rendered":"http:\/\/blog.danplanet.com\/wordpress\/?p=15"},"modified":"2012-02-09T16:11:46","modified_gmt":"2012-02-09T16:11:46","slug":"a-dnsbl-and-greylisting-hybrid-approach","status":"publish","type":"post","link":"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/","title":{"rendered":"A DNSBL and Greylisting Hybrid Approach"},"content":{"rendered":"<p>I have long been a critic of <a href=\"http:\/\/greylisting.org\/\">greylisting<\/a> as a method of reducing spam. I recently broke down and implemented it on my servers after a couple of back-to-back blacklisting issues. The problem with <a href=\"http:\/\/en.wikipedia.org\/wiki\/DNSBL\">DNSBL<\/a> blacklists is that even the &#8220;big boys&#8221; get their relays listed, which causes mail to bounce for some period of time while they resolve the issue. Recently, someone for whom I host mail was getting frustrated as my server continued to turn away msn.com and google.com due to their presence on a couple of blacklists. That&#8217;s just silly and really hard to explain to someone in a way that doesn&#8217;t make it sound like your fault.<\/p>\n<p>So, I nixed the blacklists and moved to using <a href=\"http:\/\/postgrey.schweikert.ch\/\">postgrey<\/a> for greylisting. This process, which is well-documented elsewhere, relies on required behavior of the SMTP protocol to turn away spammers that don&#8217;t fully implement it. The first time an unknown server tries to deliver, the greylister refuses the message with a temporary (4xx) failure, which a conforming MTA must queue and retry. If the sender does come back, its mail is accepted. Most spam engines won&#8217;t retry; they just move on to the next target. It works very well, but it introduces a delay to the delivery of valid email. Even if you only require that they try again immediately, or after a short period like five minutes, there is no way of communicating that to them: the retry interval is whatever the sending server&#8217;s queue policy says it is. As a result, many servers will wait an hour or even a day before retrying. That really destroys the usefulness of instantaneous email and I hate it.<\/p>\n<p>Recently I came across a page by a colleague of mine, Dave Hansen. He <a href=\"http:\/\/sr71.net\/scripts\/greylist\/\">suggested<\/a> a hybrid approach to the problem, using the best of both systems: first look up the remote server in a DNSBL. If it&#8217;s not listed, accept its mail; if it is, greylist it and introduce the delay. This means that most mail (from unlisted servers) flows immediately as expected, and only mail from listed machines, including incorrectly-listed ones, gets the greylist delay instead of a hard bounce. He has a hacked-up version of <a href=\"http:\/\/sr71.net\/scripts\/greylist\/greylist-0.1.pl.txt\">greylist.pl<\/a> to do this.<\/p>\n<p>In searching for a permanent way to do this, I came across <a href=\"http:\/\/postfwd.org\/\">postfwd<\/a>, the postfix firewall daemon. It allows you to delegate a lot of your policy out to another daemon (like you do with postgrey itself), but with far more control over how those rules are implemented. What I came up with is a rule set that implements the hybrid approach, but with a few extra features. The remote server is checked against seven blacklists: four IP-based lists (rbl=, keyed on the client address) and three domain-based lists (rhsbl=, keyed on the sender&#8217;s domain). If it is in two or more of them, then mail is rejected outright, on the assumption that a legitimate relay wouldn&#8217;t be erroneously listed on two at the same time. If it&#8217;s listed on exactly one of them, then the connection is greylisted (actually delegated back to postgrey itself: ask() forwards the whole policy request to postgrey on 127.0.0.1:10041 and returns its answer to postfix, which works very well). If it&#8217;s not listed at all, then the mail is accepted and everyone is happy. My postfwd config looks like this:<\/p>\n<blockquote>\n<pre>&amp;&amp;DNSBLS {\n    rbl=zen.spamhaus.org ;     \\\n    rbl=bl.spamcop.net ;       \\\n    rbl=dnsbl.sorbs.net ;      \\\n    rbl=ix.dnsbl.manitu.net ;  \\\n    rhsbl=rddn.dnsbl.net.au ;  \\\n    rhsbl=rhsbl.ahbl.org ;     \\\n    rhsbl=rhsbl.sorbs.net ;    \\\n};\n\n# DNSBL checks - lookup: query every list, count the hits and keep the text for the reject message\nid=RBL_QUERY ; &amp;&amp;DNSBLS ; rhsblcount=all ; rblcount=all ; \\\n    action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)\n\n# DNSBL checks - evaluation: two or more hits is an outright reject\nid=RBL_TOOMANY ; HIT_dnsbls&gt;=2 ; \\\n    action=554 5.7.1 blocked using $$HIT_dnsbls dnsbls, INFO: [$$DSBL_text]\n\n# Greylist: exactly one hit is handed to postgrey\nid=GREYLIST ; HIT_dnsbls&gt;=1 ; action=ask(127.0.0.1:10041)<\/pre>\n<\/blockquote>\n<p>So far, it seems to be working very well and doing exactly what I wanted. I just configure postfix to use postfwd as an external policy server (a check_policy_service restriction placed after all my normal checks have been satisfied). I may up the count of blacklists that cause mail to be rejected outright to three or more, just to be safe, but I&#8217;ll have to see how many false positives I get over the next week or so. One thing to watch with a count-based threshold is that DNSBL zones get retired, and a retired zone sometimes starts answering every query positively; a dead list in this group would put every sender one hit closer to a 554, so the lists need to be re-checked from time to time and dropped when they stop answering sanely.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have long been a critic of greylisting as a method of reducing spam. I recently broke down and implemented it on my servers after a couple of back-to-back blacklisting issues. The problem with DNSBL blacklists is that even the &hellip; <a href=\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[59,60,61],"class_list":["post-15","post","type-post","status-publish","format-standard","hentry","category-miscellaneous","tag-dnsbl","tag-greylisting","tag-postfix"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A DNSBL and Greylisting Hybrid Approach - Right Angles<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A DNSBL and Greylisting Hybrid Approach - Right Angles\" \/>\n<meta property=\"og:description\" content=\"I have long been a critic of greylisting as a method of reducing spam.\u00a0 I recently broke down and implemented it on my servers after a couple of back-to-back blacklisting issues.\u00a0 The problem with DNSBL blacklists is that even the &hellip; Continue reading &rarr;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/\" \/>\n<meta property=\"og:site_name\" content=\"Right Angles\" \/>\n<meta property=\"article:published_time\" content=\"2010-09-01T14:06:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2012-02-09T16:11:46+00:00\" \/>\n<meta name=\"author\" content=\"Dan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dan\" \/>\n\t<meta name=\"twitter:label2\" 
content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/\"},\"author\":{\"name\":\"Dan\",\"@id\":\"https:\/\/www.danplanet.com\/blog\/#\/schema\/person\/0f6920aa6d63cae437bf8b122200287c\"},\"headline\":\"A DNSBL and Greylisting Hybrid Approach\",\"datePublished\":\"2010-09-01T14:06:14+00:00\",\"dateModified\":\"2012-02-09T16:11:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/\"},\"wordCount\":585,\"publisher\":{\"@id\":\"https:\/\/www.danplanet.com\/blog\/#\/schema\/person\/0f6920aa6d63cae437bf8b122200287c\"},\"keywords\":[\"dnsbl\",\"greylisting\",\"postfix\"],\"articleSection\":[\"Miscellaneous\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/\",\"url\":\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/\",\"name\":\"A DNSBL and Greylisting Hybrid Approach - Right 
Angles\",\"isPartOf\":{\"@id\":\"https:\/\/www.danplanet.com\/blog\/#website\"},\"datePublished\":\"2010-09-01T14:06:14+00:00\",\"dateModified\":\"2012-02-09T16:11:46+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.danplanet.com\/blog\/2010\/09\/01\/a-dnsbl-and-greylisting-hybrid-approach\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.danplanet.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A DNSBL and Greylisting Hybrid Approach\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.danplanet.com\/blog\/#website\",\"url\":\"https:\/\/www.danplanet.com\/blog\/\",\"name\":\"Right Angles\",\"description\":\"If they&#039;re not right...they&#039;re 
wrong\",\"publisher\":{\"@id\":\"https:\/\/www.danplanet.com\/blog\/#\/schema\/person\/0f6920aa6d63cae437bf8b122200287c\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.danplanet.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.danplanet.com\/blog\/#\/schema\/person\/0f6920aa6d63cae437bf8b122200287c\",\"name\":\"Dan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.danplanet.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9b73782704be64dd8c030087af2d1ae0c1dc488cad69093ff0366dbaad2de673?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9b73782704be64dd8c030087af2d1ae0c1dc488cad69093ff0366dbaad2de673?s=96&d=mm&r=g\",\"caption\":\"Dan\"},\"logo\":{\"@id\":\"https:\/\/www.danplanet.com\/blog\/#\/schema\/person\/image\/\"},\"url\":\"https:\/\/www.danplanet.com\/blog\/author\/dan\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/posts\/15","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/comments?post=15"}],"version-history":[{"count":3,"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/posts\/15\/revisions"}],"predecessor-version":[{"id":218,"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/posts
\/15\/revisions\/218"}],"wp:attachment":[{"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/media?parent=15"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/categories?post=15"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.danplanet.com\/blog\/wp-json\/wp\/v2\/tags?post=15"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
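The hybrid policy the post describes (seven lists; two or more hits rejected outright, exactly one hit greylisted by handing the request to postgrey, no hits accepted), reimplemented as a small Postfix SMTPD policy service in Python. This is an added example, not the post's postfwd rule set and not code from postfwd or postgrey. It keeps the post's zone names, its threshold and its postgrey address (127.0.0.1:10041), and assumes the standard Postfix policy-delegation protocol (name=value lines ended by a blank line, answered with an action= line). The DNS answers in FAKE_DNS and the fake postgrey reply are constructed so the logic runs offline; the listening port 10045 and the handling of Spamhaus's 127.255.255.0/24 error-return range are this example's own additions.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# The post's seven lists, its postgrey listener and its "two or more hits" threshold.
RBLS = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net", "ix.dnsbl.manitu.net"]
RHSBLS = ["rddn.dnsbl.net.au", "rhsbl.ahbl.org", "rhsbl.sorbs.net"]
POSTGREY = ("127.0.0.1", 10041)
REJECT_AT = 2

def dns_a(name: str) -> Optional[str]:
    """Live resolver: first A record, or None on NXDOMAIN / lookup failure ('not listed')."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listing(answer: Optional[str]) -> bool:
    """A hit is an A record in 127.0.0.0/8. Spamhaus reports resolver problems (open resolver,
    query limit) in 127.255.255.0/24; treat those as misses so a DNS problem never becomes a 554."""
    try:
        a = ipaddress.IPv4Address(answer or "")
    except ValueError:
        return False
    return a in ipaddress.IPv4Network("127.0.0.0/8") and a not in ipaddress.IPv4Network("127.255.255.0/24")

def dnsbl_hits(client_ip: str, sender: str, resolve: Callable[[str], Optional[str]] = dns_a) -> List[str]:
    """Zones listing the client IP (rbl=) plus zones listing the sender's domain (rhsbl=)."""
    try:
        rev = ".".join(reversed(str(ipaddress.IPv4Address(client_ip)).split(".")))
    except ValueError:
        rev = None  # IPv6 or malformed address: the post's lists are IPv4-keyed, skip the rbl part
    hits = [z for z in RBLS if rev and is_listing(resolve(f"{rev}.{z}"))]
    domain = sender.rpartition("@")[2].lower()
    hits += [z for z in RHSBLS if domain and is_listing(resolve(f"{domain}.{z}"))]
    return hits

def parse_request(raw: str) -> Dict[str, str]:
    """Postfix policy request: name=value lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def read_message(sock: socket.socket) -> str:
    buf = b""  # requests and replies both end with a blank line
    while not buf.endswith(b"\n\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace")

def ask_postgrey(raw_request: str, addr=POSTGREY) -> str:
    """postfwd's ask(): forward the unchanged request to postgrey and relay its action."""
    with socket.create_connection(addr, timeout=10) as s:
        s.sendall(raw_request.encode())
        reply = read_message(s)
    actions = [l[len("action="):] for l in reply.splitlines() if l.startswith("action=")]
    return actions[0] if actions else "DUNNO"  # no usable answer: let later restrictions decide

def decide(raw_request: str, resolve: Callable[[str], Optional[str]] = dns_a, ask: Callable[[str], str] = ask_postgrey) -> str:
    """The post's policy: >= 2 hits -> 554, exactly 1 -> greylist via postgrey, 0 -> DUNNO."""
    attrs = parse_request(raw_request)
    hits = dnsbl_hits(attrs.get("client_address", ""), attrs.get("sender", ""), resolve)
    if len(hits) >= REJECT_AT:
        return f"554 5.7.1 blocked using {len(hits)} dnsbls, INFO: [{', '.join(hits)}]"
    return ask(raw_request) if hits else "DUNNO"

def policy_request(client_ip: str, sender: str) -> str:
    """A minimal request of the kind Postfix sends (constructed, for offline use)."""
    return (f"request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address={client_ip}\n"
            f"client_name=unknown\nsender={sender}\nrecipient=user@example.net\n\n")

# Constructed DNS answers (not real listings) covering the interesting cases.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",         # 192.0.2.10 listed twice -> reject
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "7.100.51.198.bl.spamcop.net": "127.0.0.2",         # 198.51.100.7 listed once -> greylist
    "9.113.0.203.zen.spamhaus.org": "127.255.255.254",  # 203.0.113.9 error code -> ignored
    "spam.example.rhsbl.sorbs.net": "127.0.0.2",        # sender domain listed -> greylist
}

def demo() -> Dict[str, str]:
    """Run the policy over the constructed cases with a fake resolver and a fake postgrey."""
    fake_ask = lambda raw: "DEFER_IF_PERMIT Greylisted"  # postgrey's answer on a first contact
    cases = {"spammer": ("192.0.2.10", "a@b.example"), "mislisted": ("198.51.100.7", "a@b.example"),
             "clean": ("203.0.113.5", "a@b.example"), "dns_error": ("203.0.113.9", "a@b.example"),
             "bad_domain": ("203.0.113.5", "bob@spam.example")}
    return {k: decide(policy_request(ip, snd), FAKE_DNS.get, fake_ask) for k, (ip, snd) in cases.items()}

def serve(host: str = "127.0.0.1", port: int = 10045) -> None:
    """Single-threaded listener; wire it up with check_policy_service inet:127.0.0.1:10045."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(f"action={decide(read_message(conn))}\n\n".encode())

if __name__ == "__main__":
    print(demo())
```

Running the file prints the decision for each constructed case; for real traffic call serve() and add check_policy_service inet:127.0.0.1:10045 after the other smtpd restrictions, with postgrey still listening on its own port for the hand-off. Each zone counts at most once, so the combined ZEN zone contributes a single hit even when it returns several codes for one address, and an answer in the Spamhaus error range is deliberately ignored rather than counted as a listing.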