Recipe 7.22. Using a DNS Block List on Exchange Server 2003

Problem

You wish to use a DNS-based block list (DNSBL) to help filter and reject incoming spam.

Solution

Using a graphical user interface
Discussion

DNSBL support is a new feature in Exchange Server 2003 that can have a tremendous impact on reducing the amount of spam that enters your organization. There are literally hundreds of block lists being run around the world; before using any of them, do some research to find out their purpose, listing criteria, delisting criteria, and maintenance policies. Some return multiple result codes so that you can combine queries for multiple lists into one aggregated zone and still know which source list caused the hit. As an example, on such a list a return value of 127.0.0.1 might signify that the host was added to the list by one source, while 127.0.0.2 signifies that it came from a second source.

DNSBLs can produce a performance hit on busy systems: the server makes one DNS query for every configured DNSBL for every incoming SMTP connection, subject to normal DNS caching. If these queries go to servers outside your network and across your WAN, the delay (and the bandwidth) can add up. It is generally best to use as few DNSBLs as possible.

You should always configure an exception for RFC-required role accounts such as postmaster@domain and abuse@domain (see Recipe 7.24 for details) so that external senders who are having trouble getting mail through to your users can still contact you. You might also consider putting up a web site that explains which block lists you use and how to request whitelisting, and referring to that page's URL in a custom error message.

Depending on the number of block lists you query and your traffic volume, you may want to look into creating your own DNSBL and feeding it by concatenating the data from several block lists together. Doing so has many benefits:
Recipe 10.7 has more details on creating a custom DNSBL.

See Also

Recipe 10.7 for creating a custom DNSBL; Chapter 10 of the Exchange Server 2003 Transport and Routing Guide; Chapter 8 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press); and MS KB 823866 (How to configure connection filtering to use Realtime Block Lists and how to configure recipient filtering in Exchange 2003).
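The lookup mechanics the Discussion describes, as an added illustration that is not part of the recipe and not Exchange's own code: the query name is the connecting client's IPv4 octets reversed under the block list zone, the 127.0.0.x answer codes identify which source list caused the hit, and the RFC role accounts are exempted per recipient before any rejection is issued. The zone name, the sample answers, the whitelisting URL and the `fake_resolve` stand-in for a real DNS query are all constructed placeholders.

```python
import ipaddress

# Constructed sample data, not a real block list: an aggregated DNSBL zone whose
# answers encode which source list caused the hit (127.0.0.1 = source one,
# 127.0.0.2 = source two), as described in the recipe.
DNSBL_ZONE = "dnsbl.example.test"               # placeholder zone name
SAMPLE_ANSWERS = {
    "4.3.2.192.dnsbl.example.test": ["127.0.0.1"],
    "8.7.6.198.dnsbl.example.test": ["127.0.0.1", "127.0.0.2"],
}
SOURCE_BY_CODE = {"127.0.0.1": "source-one", "127.0.0.2": "source-two"}
ROLE_ACCOUNTS = {"postmaster", "abuse"}          # RFC-required role accounts to exempt
WHITELIST_URL = "https://mail.example.test/blocklist"   # placeholder URL


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Form the lookup name: the client's IPv4 octets reversed, under the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve(name):
    """Stand-in for a DNS A-record lookup; a real deployment would query DNS here."""
    return SAMPLE_ANSWERS.get(name, [])


def listing_sources(client_ip, zone=DNSBL_ZONE, resolve=fake_resolve):
    """Return the source lists that list client_ip (empty list = not listed)."""
    answers = resolve(dnsbl_query_name(client_ip, zone))
    return sorted(SOURCE_BY_CODE.get(code, "unknown:" + code) for code in answers)


def rcpt_decision(client_ip, recipient, sources):
    """Per-recipient verdict, so the role-account exception is honoured before any reject."""
    local_part = recipient.split("@", 1)[0].lower()
    if local_part in ROLE_ACCOUNTS:
        return "250 OK (role-account exception)"
    if sources:
        # Custom error text pointing senders at the whitelisting page, as the recipe suggests.
        return "550 Connection refused: %s is listed by %s; see %s" % (
            client_ip, ", ".join(sources), WHITELIST_URL)
    return "250 OK"


def filter_connection(client_ip, recipients):
    """One DNSBL lookup per SMTP connection, then one verdict per RCPT TO."""
    sources = listing_sources(client_ip)
    return {r: rcpt_decision(client_ip, r, sources) for r in recipients}
```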