Anti-Spam > Real-Time Black List Filter
The Anti-Spam > RBL Filter page only allows configuration of Real-Time Black List filtering if the Anti-Spam Service is not enabled.
Note: The RBL Filter configuration screen was previously located under Security Services in the left navigation pane. It is now found under the Anti-Spam menu group. The Anti-Spam service is an advanced superset of the standard SonicOS RBL Filtering, so when Anti-Spam is turned on, RBL Filtering is automatically disabled. If Anti-Spam is not enabled, you can configure the settings on the RBL Filter page.

SMTP Real-Time Black List (RBL) is a mechanism for publishing the IP addresses that SMTP spammers use. A number of organizations compile this information, both for free (http://www.spamhaus.org) and for profit (http://www.mail-abuse.com). A well-maintained list of RBL services and their efficacy can be found at:
http://www.sdsc.edu/~jeff/spam/cbc.html
Note: SMTP RBL is an aggressive spam filtering technique that can be prone to false positives because it is based on lists compiled from reported spam activity. The SonicOS implementation of SMTP RBL filtering provides a number of fine-tuning mechanisms to help ensure filtering accuracy.

RBL list providers publish their lists using DNS. Blacklisted IP addresses appear in the database of the list provider's DNS domain using inverted IP notation of the SMTP server in question as a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates some type of undesirability:
For example, if an SMTP server with IP address 1.2.3.4 has been blacklisted by RBL list provider sbl-xbl.spamhaus.org, then a DNS query to 4.3.2.1.sbl-xbl.spamhaus.org will provide a 127.0.0.4 response, indicating that the server is a known source of spam, and the connection will be dropped.
Note: Most spam today is known to be sent from hijacked or zombie machines running a thin SMTP server implementation. Unlike legitimate SMTP servers, these zombie machines rarely attempt to retry failed delivery attempts. Once the delivery attempt is blocked by the SonicWALL RBL filter, no subsequent delivery attempts for that same piece of spam will be made.

When Enable Real-time Black List Blocking is enabled on the Anti-Spam > RBL Filter page, inbound connections from hosts on the WAN, or outbound connections to hosts on the WAN, are checked against each enabled RBL service with a DNS request to the DNS servers configured under RBL DNS Servers.
The RBL DNS Servers menu allows you to specify the DNS servers. You can choose Inherit Settings from WAN Zone or Specify DNS Servers Manually. If you select Specify DNS Servers Manually, enter the DNS server addresses in the DNS Server fields.
The DNS responses are collected and cached. If any of the queries result in a blacklisted response, the server will be filtered. Responses are cached using TTL values, and non-blacklisted responses are assigned a cache TTL of 2 hours. If the cache fills up, then cache entries are discarded in a FIFO (first-in-first-out) fashion.
The IP address check uses the cache to determine if a connection should be dropped. Initially, IP addresses are not in the cache and a DNS request must be made. In this case the IP address is assumed innocent until proven guilty, and the check results in the allowing of the connection. A DNS request is made and results are cached in a separate task. When subsequent packets from this IP address are checked, if the IP address is blacklisted, the connection will be dropped.
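The following is an added illustration, not SonicOS code, of the RBL check as described above: the inverted-octet query name and 127.0.0.x response interpretation from the sbl-xbl.spamhaus.org example, plus the cache behaviour (TTL-based expiry, 2-hour TTL for clean answers, FIFO eviction, and "innocent until proven guilty" on first sight). The DNS answers are a constructed in-memory table, and the service tuple layout and the small cache size are assumptions for the demonstration.

```python
import ipaddress
import time
from collections import OrderedDict

# Constructed stand-in for the A-record lookup against the RBL DNS servers;
# maps query name -> (answer, TTL seconds). A missing name means NXDOMAIN.
FAKE_DNS = {"4.3.2.1.sbl-xbl.spamhaus.org": ("127.0.0.4", 300)}
CLEAN_TTL = 2 * 60 * 60          # non-blacklisted answers are cached for 2 hours
CACHE_MAX = 3                    # deliberately small so FIFO eviction is visible
cache = OrderedDict()            # ip -> (listed, expires_at)

def rbl_query_name(ip, zone):
    """1.2.3.4 checked against zone -> 4.3.2.1.zone (inverted octets)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(answer, expected=None):
    """expected=None behaves like 'Block All Responses': any 127.0.0.2-127.0.0.9."""
    if answer is None:
        return False
    if expected is not None:
        return answer in expected
    prefix, last = answer.rsplit(".", 1)
    return prefix == "127.0.0" and 2 <= int(last) <= 9

def resolve(ip, services, now):
    """Query every enabled service (zone, enabled, expected codes); any listed answer blacklists the IP."""
    listed, ttl = False, CLEAN_TTL
    for zone, enabled, expected in services:
        if not enabled:
            continue
        answer, ans_ttl = FAKE_DNS.get(rbl_query_name(ip, zone), (None, 0))
        if is_listed(answer, expected):
            listed, ttl = True, min(ttl, ans_ttl)   # blacklisted: honour the DNS TTL
    if len(cache) >= CACHE_MAX:
        cache.popitem(last=False)                   # cache full: discard oldest (FIFO)
    cache[ip] = (listed, now + ttl)

def check_connection(ip, services, now=None):
    """Return 'drop' or 'allow'. An IP not yet in the cache is allowed while the lookup runs."""
    now = time.time() if now is None else now
    entry = cache.get(ip)
    if entry is None or entry[1] <= now:
        resolve(ip, services, now)                  # on the firewall this runs as a separate task
        return "allow"                              # innocent until proven guilty
    return "drop" if entry[0] else "allow"
```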
Adding RBL Services
You can add additional RBL services in the Real-time Black List Services section.
To add an RBL service, click the Add button. In the Add RBL Domain window, you specify the RBL domain to be queried, enable it for use, and specify its expected response codes. Most RBL services list the responses they provide on their Web site, although selecting Block All Responses is generally acceptable.
Statistics are maintained for each RBL Service in the RBL Service table, and can be viewed with a mouseover of the (statistics) icon to the right on the service entry.
User-Defined SMTP Server Lists
The User Defined SMTP Server Lists section allows for Address Objects to be used to construct a white-list (explicit allow) or black-list (explicit deny) of SMTP servers. Entries in this list will bypass the RBL querying procedure. For example, to ensure that you always receive SMTP connections from a partner site's SMTP server, create an Address Object for the server using the Add button, click the edit icon in the Configure column of the RBL User White List row, and add the Address Object. The table will be updated, and that server will always be allowed to make SMTP exchanges.
The System > Diagnostics page also provides a Real-time Black List Lookup feature that allows for SMTP IP addresses (or RBL services, or DNS servers) to be specifically tested.
For a list of known spam sources to use in testing, refer to: