A word on DNS blacklists.

There seems to be some disagreement regarding use of DNS blacklists (“DNSBLs”) among some members of the Internet community (pro-DNSBL here and slightly con here, for example).

This is fine, they’re both valuable notices and opinions. What bothers me a little is the seeming lack of understanding (mostly from commenters) of how they work in practice, how they’re actually implemented on mailservers and the reasons for listing. Interestingly these arguments seem to rear up only when someone’s fave domain / service gets listed on a widely used blacklist.

Any blacklist entry is just a simple DNS A/TXT record, nothing more. It’s not going to hunt you down and eat your brain. They even go away after a while and life goes on.

But seriously…

Like any service, there will be good examples and not-so-good examples. The arguments against seem to focus on

  • “Political listings!!eleventyone!” cries (often accompanied by accusations of censorship/ulterior motive on the part of the DNSBL maintainers)

Some are indeed poorly maintained and have contained spite listings (ORBS from the old days was a frequently cited example, and SORBS is often accused of the same; I don’t necessarily agree, I think it’s just too broad and poorly maintained), but the bigger names – Spamhaus, and what was MAPS (now owned by Trend Micro?) in particular – need to be impartial and accountable as they have paying customers.

Even the other “big names” – NJABL and DSBL, to name two – need some level of openness if they’re going to be widely used and taken seriously, and in these cases I think they do. In the case of gmail.com, look at the listing and their stated processes – frankly it looks pretty clear that it’s purely a technical decision; someone at Google allowed the box to relay mail for clients it shouldn’t, which is hard to fuck up these days but still possible if you’re not paying attention.

A tester found this and submitted it, and it tested positive. Simple as that. No politics or such involved. Do folks believe Google should get a free pass on this because they’re Google? Not me – that’d be doing them (Google) a disservice. Open SMTP relaying is a security issue and it’s imperative to let folks know, especially the maintainers of the service.

  • “They’re ineffective”

So, what’s the alternative? Legislation hasn’t cut it, nor will it. Bayesian filtering is OK, but as implemented isn’t a panacea or useful on its own. Rule / regexp based filtering is too prone to false negatives as well as positives. Challenge-response mechanisms? Fsck off, they generate more noise than the spam itself. I can pull up plenty of examples with not too much effort.

DNS blacklists at least cut down on obvious junk from the “known” spam systems / networks, misconfigured proxies, botnets and zombies. Your own choices of scoring/filtering can take care of the rest. Ask any DNSBL-using provider – and there’s a lot of them (including mine as well as my own systems).
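To make concrete the two points above – that a listing is nothing more than a DNS A record under the list’s zone, and that what you do with it is your own scoring policy, not the list’s – here is an added example (my illustration, not code from any DNSBL operator). It builds the reversed-octet query name, treats only answers in 127.0.0.0/8 as a listing, and applies a local per-list weight and reject threshold. The zone names, weights and the in-memory resolver are constructed for the example so it runs offline; a real mailserver would query the list’s published zone through its resolver.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# A resolver is anything that returns the A records for a name ([] on NXDOMAIN).
# Real code would wrap dnspython or socket.gethostbyname_ex; here we inject a fake.
Resolver = Callable[[str], List[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, then the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk or IPv6 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".") + "."

def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> Optional[int]:
    """Return the low byte of the 127.0.0.x answer (the list's reason code)
    if listed, else None. Answers outside 127.0.0.0/8 are ignored: a wildcarding
    resolver or a dead zone that answers everything must not block all mail."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        try:
            code = ipaddress.IPv4Address(answer)
        except ValueError:
            continue
        if code in ipaddress.IPv4Network("127.0.0.0/8"):
            return int(code) & 0xFF
    return None

# Local policy (constructed): the list publishes a record, the operator decides
# what each list is worth and where rejection starts.
POLICY: Dict[str, float] = {"bl-a.example": 4.0, "bl-b.example": 1.5}
REJECT_AT = 4.0

def score_sender(ip: str, resolve: Resolver,
                 policy: Dict[str, float] = POLICY) -> Tuple[float, str, Dict[str, Tuple[int, float]]]:
    """Sum the weights of every list that carries the sender; return
    (score, decision, {zone: (reason_code, weight)})."""
    hits: Dict[str, Tuple[int, float]] = {}
    for zone, weight in policy.items():
        code = dnsbl_listed(ip, zone, resolve)
        if code is not None:
            hits[zone] = (code, weight)
    total = sum(w for _, w in hits.values())
    return total, ("reject" if total >= REJECT_AT else "accept"), hits

# Constructed zone data standing in for DNS (addresses from the RFC 5737 test nets).
FAKE_ZONE: Dict[str, List[str]] = {
    "4.2.0.192.bl-a.example.": ["127.0.0.2"],       # listed, code 2
    "4.2.0.192.bl-b.example.": ["127.0.0.4"],       # listed, code 4
    "8.100.51.198.bl-b.example.": ["127.0.0.2"],    # listed only on the light list
    "9.113.0.203.bl-b.example.": ["203.0.113.9"],   # bogus wildcard answer: ignored
}

def fake_resolve(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])
```

Note that 198.51.100.8 is listed on one list yet still accepted, because the local weight for that list sits below the threshold; the same listing on a server with a different policy would be rejected.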

  • “They can’t be trusted”

This is a daft argument. Really – I suppose proponents of such arguments don’t allow DNS either? You’re never quite sure if a packet is spoofed / poisoned or not. Why do you trust Verisign / Thawte to sign that SSL cert? Is that PGP key really Phil Zimmermann’s?

But they all have policies and best-practice documents. Verisign are trusted because they’ve shown themselves to be so over time (plus contracts to ensure same, I’d imagine) and they check their documents thoroughly. DNS has DNSSEC for the paranoid, and the roots are distributed and maintained professionally. PGP – ever heard of “web of trust” or key-signing parties? No one is forcing you to trust a key owned by someone unmet…

No one with a half-clue is going to implement or add a DNS blacklist or any security feature without at least looking at the consequences and practical realities of said action. They’re going to Read The Fucking Manual or Check The Fucking Policy first, at least you’d hope. If they’ve got users and customers, they’re going to notify them via policy that this is going to take place (for ISPs, make it clear in the terms at signup if need be).

Again, DNSBL maintainers are reliant on their record as good citizens, otherwise no one’s going to use them. They publish policies and guidelines for use so even the most inept excuse for a sysadmin can use them and users can understand why they’re there. They publish the listings with appropriate information regarding how and why a listing exists. What more accountability can you ask for without a contract?

I personally like some lists – not all, my Anti-Spam pages and some of my wiki documents outline what I prefer and use. They cut out a lot of spam – not all of it, but as mentioned a lot of it (Spamhaus rejects a LOT of crap) and surprisingly I’ve not had a false positive in recent memory – and I check my logs carefully (viva pflogsumm!). I’ve also been at this spam-fighting game for around 10 years (NANAE posts going back to ’97ish) and remember some of the bigger players when they were just starting up!

My point, in summary: They’re not a panacea but they’re not inherently evil, political or a censorship tool. They’re just DNS records!

On their own, they do little – it’s HOW and WHERE they’re implemented that matters. Poor choices will lead to poor results and vice versa. Use them wisely if you choose to!

Don’t go apportioning blame where it’s not deserved – the blacklist doesn’t set your local policy and blacklist (non)usage, you/your sysadmin does.

DNSBL operators just provide a tool and instructions on how to use it, along with relevant support information and policies. If you don’t like them – don’t use them (or don’t use the parts you don’t want; most are fairly modular now). If you do, go for it – but be aware of the consequences.