HOWTO: Query Spamhaus Safely

You'll recall me warning recently that using Spamhaus data to protect your mail server is a bad idea if you're using open or public DNS resolvers. TL;DR? Spamhaus is worried about too much traffic via public channels, but blocking is implemented in a way that makes it effectively intermittent and potentially confusing. You could be fine for weeks and then suddenly start bouncing all inbound mail by accident. Or you could be querying a resolver that never shows ANY bad IPs to block, costing you the spam filtering benefit you were hoping for.

Here's what to do about that.
  1. No matter how you implement DNSBL usage, check your logs periodically. In the case of Spamhaus, look for answers starting with "127.255.255". Those response codes indicate that your attempt to query Spamhaus data is being blocked, so you've got a problem, and that problem is probably interfering with the delivery of legitimate mail.
  2. Test and make sure you are getting a response proving use of Spamhaus data. If you're a unix nerd, type "host 2.0.0.127.zen.spamhaus.org [IP address of your DNS server]" from the command line on your mail server. Make sure you get responses that say 127.0.0.2, 127.0.0.4, 127.0.0.10. That shows that your DNS resolver can get through to Spamhaus (at least for test entries). If you never get any response other than NXDOMAIN, it means your resolver isn't able to get data from Spamhaus and you'll never block a single piece of spam that way. Either the DNS server is not able to connect where it needs to, or you've typo'd something in your configuration. (Google Public DNS seems to only give NXDOMAIN responses to Spamhaus query attempts, for example.)
  3. Install and run your own DNS resolver (server) locally. This used to be a bit sketch back in the day. The common DNS software "bind" was such a magnet for exploits in the past that it drove me to stop hosting my own DNS. Things are slightly better today. There's a great caching DNS resolver called Unbound that will do exactly what you need. I've had smart friends like Tim Wicinski and John Levine tell me it is safe and that it works well, and I'm happily using it myself nowadays. 
  4. Sign up for the Spamhaus Data Query service. They provide you with what amounts to an API key (a short bit of text that will be unique to your queries) and you query the DNSBL via "[key].zen.dq.spamhaus.net" instead of "zen.spamhaus.org", allowing Spamhaus to see this traffic as you and you alone, not grouped together with that of a whole ISP or all users of a public resolver. Spamhaus offers a 30 day free trial of DQS access and says that an annual subscription to the Spamhaus data for commercial use starts at $250/year. Spamhaus also clarified for me that they provide free access for lower volume non-commercial use.
The point of this is so that Spamhaus sees your query traffic as from you and not all grouped together with all the traffic from your ISP or from a public DNS resolver. This makes you less likely to hit their unpublished query traffic limits through no fault of your own. (It does not, however, provide a free license to query Spamhaus millions of times a day.)
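To turn steps 1, 2 and 4 into something you can run from cron, here is a small added example (my own script, not anything from Spamhaus or this post) that builds the reversed-IP query name, optionally against a DQS key, and interprets the answers the way the post describes: the 127.0.0.2 / 127.0.0.4 / 127.0.0.10 test answers prove the resolver reaches Spamhaus, anything in 127.255.255.x means you are being refused, and no answer at all is ambiguous. It uses the system resolver rather than the explicit server argument that `host` takes.

```python
import socket
from typing import List, Optional

# Answers the post says the 127.0.0.2 test entry must return.
TEST_ANSWERS = {"127.0.0.2", "127.0.0.4", "127.0.0.10"}
PUBLIC_ZONE = "zen.spamhaus.org"
DQS_ZONE = "zen.dq.spamhaus.net"          # queried as <key>.zen.dq.spamhaus.net


def reverse_octets(ip: str) -> str:
    """DNSBLs are queried with the IPv4 octets in reverse order."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets))


def dnsbl_name(ip: str, dqs_key: Optional[str] = None) -> str:
    """Query name against the public zone, or the keyed DQS zone if a key is given."""
    zone = f"{dqs_key}.{DQS_ZONE}" if dqs_key else PUBLIC_ZONE
    return f"{reverse_octets(ip)}.{zone}"


def classify(answers: List[str]) -> str:
    """Interpret the A records returned for one lookup."""
    if any(a.startswith("127.255.255.") for a in answers):
        return "BLOCKED"          # Spamhaus is refusing this resolver's queries
    if any(a.startswith("127.0.0.") for a in answers):
        return "LISTED"           # a real DNSBL hit
    if not answers:
        return "NOT_LISTED"       # NXDOMAIN; only meaningful if self_test() passes
    return "UNEXPECTED"           # wildcard DNS or a broken resolver


def self_test(answers: List[str]) -> bool:
    """True only if the test entry came back with all three expected codes."""
    return TEST_ANSWERS <= set(answers)


def lookup(ip: str, dqs_key: Optional[str] = None) -> List[str]:
    """Resolve the DNSBL name with the system resolver; NXDOMAIN becomes []."""
    try:
        return socket.gethostbyname_ex(dnsbl_name(ip, dqs_key))[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    got = lookup("127.0.0.2")             # the test entry from step 2
    print("self-test passed" if self_test(got) else f"self-test FAILED: {got}")
    print("test entry classified as:", classify(got))
```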

Which of these steps should you follow? All of them.
