[RPZ] RPZ and spam

Vernon Schryver vjs at rhyolite.com
Sat Jan 12 23:22:42 UTC 2013 

A response policy zone is useful for denaturing evil URLs in spam,
but used only by a DNS server is less effective or ineffective for
rejecting, quarantining, or marking spam.  Mail from legitimate or
unknown mail systems but containing bad URLs is made safer with an
RPZ that invalidates bad domain names with "CNAME ." policies, but
the spam is still delivered to user mailboxes.

However, RPZ can be used by spam filters that can check URLs in
messages against DNSBLs.  If your spam filter can check domains
found in URLs in message bodies or SMTP envelopes and SMTP client
IP addresses, then it should be able to reject, mark, quarentine,
or otherwise filter using the RPZ as if it were a DNSBL.

My mail system is now using `dccm ... -B.,224.0.0.0,name ...` to check
all domain names found in mail with the rpz.spamhaus.org RPZ.
https://www.google.com/search?q=spamhaus+rpz

That -B argument specifies a DNSBL name lookup in the usual fashion
but as "www.example.com." instead of "www.example.com.dbl.spamhaus.org"
and to look for 224.0.0.0 instead of 127.0.0.x.  As far as dccm is
concerned, it has been told that the DNS root is a DNSBL.

I also use something like this in the BIND named.conf file

    response-policy {
        zone "rpz.spamhaus.org" policy cname bad-rpz.rhyolite.com;
    };

and this in the rhyolite.com zone file

    bad-rpz.rhyolite.com.   A 224.0.0.0

to cause the rpz.spamhaus.org RPZ to redefine all listed names to
224.0.0.0 instead of NXDOMAIN.

A final detail is that I had to modify dccm to allow a null or "."
DNSBL base.  That change is in versions 2.3.144 and 1.3.144 of the
DCC software.


I've learned something else in this exercise.  It is that RPZ cannot
replace all DNSBLs for spam filtering.  Many of the Spamhaus DNSBLs
are useful for detecting spam, but not suitable for imposing the DNS
death penalty of a response policy zone.  There are many domains that
you don't want your mail systems to listen to, but that have other
traffic that you want.


Vernon Schryver    vjs at rhyolite.com

More information about the DNSfirewalls mailing list