Recipe 10.7. Creating a Custom DNS Block List

Problem

You need to create a custom DNS block list (DNSBL) instead of (or in addition to) using a third-party DNSBL service.

Solution

Using a graphical user interface

To create the block list, do the following:
Discussion

The idea behind DNSBLs is simple: when your server gets an inbound piece of mail, it can query a DNSBL server for the IP address of the sending server. If the IP address belongs to a known spammer, to an address block reserved for dial-up users, or to some other range of IPs from which legitimate mail is unlikely to originate, the DNSBL server returns an address; if the IP address isn't on the list, the query fails. Based on this go/no-go indication, Exchange can then decide whether to drop the connection or to accept the message.

There are several popular and well-maintained DNSBL services, such as SpamHaus and SpamCop. Most mail administrators who use DNSBLs use third-party lists, although those at larger sites will often download the zone data and run it on a local nameserver. You are free to create and maintain your own list if you prefer. This gives you a greater degree of control over the contents of the DNSBL, since some third-party services use rather relaxed standards to decide who is spamming.

DNSBLs by themselves aren't a complete anti-spam solution, especially given that a large percentage of current spam is sent by hijacked Windows machines connected to various ISPs; their IP addresses don't fall into a contiguous block, and there's little value in banning hundreds or thousands of individual client IPs. DNSBLs are instead useful as an additional protective layer, relied on after other measures.

Managing a large amount of blocklist data through the GUI can quickly become cumbersome, especially if it changes frequently. You may want to look into other methods of managing DNS data: direct import of DNS zone files; use of the dnscmd.exe utility to programmatically update data in dynamic DNS zones; or use of the MicrosoftDNS_Server, MicrosoftDNS_Zone, and MicrosoftDNS_ResourceRecord WMI classes.
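The two mechanics described above, the reversed-octet lookup name with its go/no-go answer and the bulk generation of zone records for import, as an added example that is not part of the original recipe. The zone name, the block list entries and the local stand-in resolver are all constructed for illustration; with a real DNS server you would pass the default `socket.gethostbyname` as the resolver.

```python
import ipaddress
import socket

# Constructed values: your own private DNSBL zone and a small block list.
DNSBL_ZONE = "dnsbl.example.internal"   # assumption: zone you host yourself
LISTED_ANSWER = "127.0.0.2"             # conventional "listed" A record value

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: sender's octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def zone_records(blocklist, zone=DNSBL_ZONE):
    """Expand (IP-or-CIDR, reason) pairs into zone-file A and TXT records.

    An A record makes the lookup succeed (listed); the TXT record carries the
    reason so that an admin can see why a sender was refused.
    """
    records = []
    for entry, reason in blocklist:
        for host in ipaddress.IPv4Network(entry, strict=False):
            owner = dnsbl_query_name(str(host), zone)
            records.append(f"{owner}. IN A {LISTED_ANSWER}")
            records.append(f'{owner}. IN TXT "{reason}"')
    return records

def is_listed(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Go/no-go check: any answer means listed, a failed lookup means not."""
    try:
        resolve(dnsbl_query_name(ip, zone))
        return True
    except OSError:  # socket.gaierror (NXDOMAIN) is a subclass of OSError
        return False

def make_local_resolver(records):
    """Offline stand-in for a DNS server, answering from generated A records."""
    answers = {}
    for rec in records:
        if " IN A " in rec:
            owner, value = rec.split(" IN A ")
            answers[owner.rstrip(".")] = value
    def resolve(name):
        if name in answers:
            return answers[name]
        raise OSError(f"NXDOMAIN: {name}")
    return resolve

# Constructed block list: one small CIDR block and one single host.
SAMPLE_BLOCKLIST = [
    ("192.0.2.0/30", "constructed: known spam source"),
    ("198.51.100.7", "constructed: open relay"),
]
```

The same `is_listed` check works unchanged against a third-party list by passing that service's zone name and leaving the resolver at its default.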
Although the details of these methods are out of the scope of this recipe, Matt Larson, Cricket Liu, and Robbie Allen provide a thorough reference to the many facets of running a Windows-based DNS server in their book DNS on Windows Server 2003, also available from O'Reilly.

See Also

Recipe 7.22 for configuring SMTP connection filtering to use a DNSBL, Chapter 10 of the Exchange Server 2003 Transport and Routing Guide, MS KB 823866 (How to configure connection filtering to use Realtime Block Lists and how to configure recipient filtering in Exchange Server 2003), and Chapter 8 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press)