Wednesday, January 30, 2008

My own RBL

Today I was trying to figure out how to block spammers' IPs from using my SMTP servers. Regardless of your point of view on IP blocking, I figured this was an interesting exercise, so I'm posting what I found and how I went about finding it.

Exchange 2007 has this functionality where it can check an RBL (I'm not going to spell it out because people can't agree on what it means; the neutral term is DNSBL) before accepting a message. The idea is that Exchange knows where the email is coming from (the IP that connected to Exchange's SMTP server) and can basically pass that by a list before accepting the message to see if the IP looks like a "known spammer". In Exchange 2007 this lives in the Connection Filtering agent as an "IP Block List Provider" (Add-IPBlockListProvider in the Exchange Management Shell), and all it really wants from you is the lookup domain. This gets all-kinds-of-fun because people who run mail servers for a living have all had an experience where one of their servers is flagged as a "known spammer" and they have to jump through hoops to get their server's IP off someone's list. The lists usually update frequently (most of the big ones expire an entry on their own, often within a day or so, once the IP stops being reported), so a lot of people (and a lot of people's anti-spam programs/boxes) rely on these to cut down on spam.

I thought, as someone who is rather against this practice, having had servers I run be listed on an RBL before, I would rather only block the IPs *I* choose to block and for the amount of time *I* choose to block them. I figured I would search for a program (Microsoft usually supplies me with these types of things) that would set up a list for me that my mail servers could query, and I would call it a day. I was surprised when I found vague links to Microsoft Antigen, Exchange itself and Microsoft Forefront. Antigen, as far as I can tell, has been absorbed into Forefront in its current iteration, and neither Exchange nor Forefront is what I would call "easy" to set up and configure correctly, at least not as easy as I was imagining this project. So I googled my problem and found a nifty little Linux app named rbldns. I would've just slapped that on a Linux test box, but none were handy, so I read about it instead. Turns out this program is just a lightweight DNS server... interesting.

So after much thought and a few more specific Google searches I figured out what an RBL really is! What is an RBL really? It's nothing more than a DNS zone, served by any ordinary DNS server, with a very specific naming convention for the records in it. Here's the meat and potatoes to get you going:

There's the DNS server for the RBL. That's just your own DNS server, whichever one is authoritative for the zone. Most mail servers don't even ask for it; they resolve the lookup names through their normal resolver, so all that matters is that your resolvers can reach the zone.

There's a DNS suffix. This is the zone you create your RBL records in. So if my domain were josh.com, hosting www.josh.com, etc., I would create a zone on my DNS server and call it "rbl.josh.com"; this is the DNS suffix (Exchange calls it the lookup domain).

You may see where I'm going with this by now. Your email server queries your RBL (read: DNS) before accepting a message to see whether the IP connecting to your mail server is there. If it is, the mail server says sorry with a permanent SMTP rejection (a 550-style response) whose text is normally configurable but should basically say, "you're a known spammer, if you disagree, contact me here". One thing to be careful about: the IP that gets looked up has to be the one that actually opened the TCP connection, not anything the sender put in the headers, because headers are the sender's to forge.

Here's the trick. Say I know that 10.20.0.5 is a known spammer and I want to put them on my "RBL". I put it in quotes here because it's more just a "BL" that I manually update, but that's neither here nor there. I go to my DNS server, to my "rbl.josh.com" zone from before, and create the A record (forward lookup) "5.0.20.10.rbl.josh.com" pointing at an address in 127.0.0.0/8. This is because when a mail server queries an RBL for an IP, it queries for the IP's octets in reverse order followed by the DNS suffix. If the name resolves to something in 127.0.0.0/8, the mail server treats the sender as listed and rejects; if the name doesn't exist (NXDOMAIN), it allows the sender to continue the session with the SMTP server and send their message on its merry way. Two conventions worth following: use 127.0.0.2 rather than 127.0.0.1 as the "listed" answer (127.0.0.2 is what the public lists use for a plain listing, and Exchange's block list provider can be set to match any return code or exactly that one), and only count answers inside 127.0.0.0/8 as a hit, so a fat-fingered routable address in the zone can't silently block mail. You can also add a TXT record on the same name with the reason and a contact address; most mail servers, Exchange included, will hand that text back to the sender in the rejection.

Anyway, this probably isn't so exciting for most folks, but I found it interesting, and if you need to block specific IPs, this is a really cheap way to do it. It's also really efficient if you have multiple servers that all should have the same block list and you don't trust the big RBL names. If you need me to clarify anything, please post a response and I'll do my best to get back to you. I hope this helps those of you in the situation I was in. Oh yeah, one more thing: if you want to block, say, the whole /24 (the old "class C") in the above example, just create the wildcard record "*.0.20.10.rbl.josh.com" and point it at 127.0.0.2. A couple of housekeeping notes: keep the TTL on these records short, because a listing you remove stays cached on your mail servers until the old TTL runs out, and before you trust the thing, test it from the mail server itself with nslookup on a name you know is in the zone and one you know isn't. Good luck and happy list-keeping!
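To make the reverse-octet lookup and the wildcard /24 trick above concrete, here is a small added example (my own code for this page, not anything from Exchange, rbldns or the original post). It parses a constructed BIND-style zone for the rbl.josh.com zone from the post, resolves names the way an authoritative server would (exact name first, then the wildcard one label up), and only treats answers inside 127.0.0.0/8 as a listing. The zone text, the 10.x and 192.0.0.8 addresses in it and the TXT wording are all made-up sample data; query_live() is the only part that touches real DNS and is not needed for the rest to run.

```python
"""Model of a DNS-based block list ("RBL") lookup against a small zone.

Added example for this page; the zone and addresses below are constructed
sample data for the rbl.josh.com zone described in the post.
"""
import ipaddress
import socket

ZONE_ORIGIN = "rbl.josh.com"
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed zone, BIND-style, names relative to ZONE_ORIGIN.
# The A record is the "listed" flag; the TXT record carries the reason that
# the mail server can echo back in its 550 rejection.
SAMPLE_ZONE = """
; single host 10.20.0.5
5.0.20.10      IN A    127.0.0.2
5.0.20.10      IN TXT  "Spam source, contact postmaster@josh.com to delist"
; whole 10.30.0.0/24 via a wildcard one label up
*.0.30.10      IN A    127.0.0.2
*.0.30.10      IN TXT  "Entire 10.30.0.0/24 blocked"
; deliberate mistake: a routable answer for 192.0.0.8, must NOT count as listed
8.0.0.192      IN A    192.0.2.1
"""


def parse_zone(text, origin=ZONE_ORIGIN):
    """Return {fqdn: {rtype: [rdata, ...]}} for 'name IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 3)          # name, class, type, rdata
        if len(parts) < 4 or parts[1] != "IN":
            continue
        name, _, rtype, rdata = parts
        fqdn = f"{name}.{origin}".lower()
        records.setdefault(fqdn, {}).setdefault(rtype, []).append(rdata.strip('"'))
    return records


def rbl_query_name(ip, suffix=ZONE_ORIGIN):
    """Octets reversed, then the suffix: 10.20.0.5 -> 5.0.20.10.rbl.josh.com."""
    addr = ipaddress.IPv4Address(ip)        # rejects garbage before it hits DNS
    return ".".join(reversed(str(addr).split("."))) + "." + suffix


def resolve(records, qname, rtype):
    """Answer like an authoritative server: the exact name wins; otherwise a
    wildcard directly above the name ('*.0.30.10...') covers the whole /24."""
    qname = qname.lower()
    if qname in records:
        return records[qname].get(rtype, [])
    head, _, rest = qname.partition(".")
    wild = "*." + rest
    if rest and wild in records:
        return records[wild].get(rtype, [])
    return []                               # NXDOMAIN: not listed


def check_listed(records, ip, suffix=ZONE_ORIGIN):
    """Return (listed, reason). Only 127.0.0.0/8 answers count as a hit."""
    qname = rbl_query_name(ip, suffix)
    hits = []
    for answer in resolve(records, qname, "A"):
        try:
            if ipaddress.IPv4Address(answer) in LISTED_RANGE:
                hits.append(answer)
        except ValueError:
            continue                        # malformed rdata is not a listing
    if not hits:
        return False, None
    txt = resolve(records, qname, "TXT")
    return True, (txt[0] if txt else f"listed in {suffix} as {hits[0]}")


def rejection_line(reason):
    """What the SMTP server would send back for a listed connecting IP."""
    return f"550 5.7.1 Connection refused: {reason}"


def query_live(ip, suffix):
    """Real lookup through the system resolver; NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(rbl_query_name(ip, suffix))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for test_ip in ("10.20.0.5", "10.20.0.6", "10.30.0.77", "192.0.0.8"):
        listed, reason = check_listed(zone, test_ip)
        print(test_ip, "->", rejection_line(reason) if listed else "accept")
```

The 192.0.0.8 entry is there on purpose: it resolves, but to a routable address, so check_listed() ignores it. That is the behaviour you want from the mail server side as well, since the only thing a DNSBL answer should ever mean is "listed", and 127.0.0.0/8 is the agreed-upon way of saying it.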