Enabling DNS blacklist filters for SMTP connections

To prevent unsolicited commercial e-mail (UCE), or spam, from entering your system, you can set up Domino® to check whether incoming SMTP connections originate from servers listed in one or more DNS blacklists (DNSBLs). DNSBLs are databases that keep a record of Internet SMTP hosts that are known sources of spam or that permit third-party (open) relaying.

About this task

When DNS blacklist filters are enabled, for each incoming SMTP connection Domino® performs a DNS query against the blacklists at the specified sites. If a connecting host is found on the list, Domino® reports the event in a console message and in an entry to the Mail Routing Events view of the Notes® Log. Both the console message and log entry provide the host name and IP address of the server, and the name of the site where the server was listed.

In addition to logging the event, you can configure Domino® to reject messages from hosts on the blacklist or to add a special Notes® item to flag messages accepted from hosts on the list.

Specifying the DNS blacklist sites to check

About this task

After you enable the DNS blacklist filters, you can specify the site or sites the SMTP task uses to determine if a connecting host is a "known" open relay or spam source. Specify sites that support IP-based DNS blacklist queries.

If Domino® finds a match for a connecting host in one of the blacklists, it does not continue checking the lists for the other configured sites.

For performance reasons, it is best to limit the number of sites because Domino® performs a DNS lookup to each site for each connection.

You can choose from a number of publicly available and private, paid subscription services that maintain DNS blacklists. When using a public blacklist service, Domino® performs DNS queries over the Internet. In some cases, it may take a significant amount of time to resolve DNS queries submitted to an Internet site. If the network latency of DNS queries made over the Internet results in slowed performance, consider contracting with a private service that allows zone transfer, so that Domino® can perform the required DNS lookups to a local host. During a zone transfer, the contents of the DNS zone file at the service provider are copied to a DNS server in the local network.

Each blacklist service uses its own criteria for adding servers to its list. Blacklist sites use automated tests and other methods to confirm whether a suspected server is sending out spam or acting as an open relay. The more restrictive blacklist sites add servers to their list as soon as they fail the automated tests and regardless of whether the server is verified as a source of spam. Other less restrictive sites list a server only if its administrator fails to close the server to third-party relaying after a specified grace period or if the server plays host to known spammers.

By searching the Internet, you can find Internet sites that provide periodic reports on the number of entries in various DNS blacklist services.

Hosts that are exempt from DNS blacklist checks

About this task

To avoid unnecessary DNS lookups, Domino® performs DNS blacklist checks only on hosts that are subject to relay checks, as specified in the SMTP inbound relay restrictions. Any host that is authorized to relay is exempt from blacklist checks. For example, by default, Domino® enforces the inbound relay restrictions only for external hosts (on the Router/SMTP > Restrictions and Controls > SMTP Inbound Controls tab, the setting Perform Anti-Relay enforcement for these connecting hosts). If the default setting is used, internal hosts are not subject to relay controls and thus are also exempt from blacklist checks.

Specifying how Domino® handles connections from hosts found in a DNS blacklist

About this task

You can configure Domino® to take the following actions when it finds a connecting host on one of the blacklists:

  • Log only
  • Log and tag message
  • Log and reject message

In each case, the server records the following information in the Notes® log: the host's IP address and host name (if a reverse DNS lookup can determine this information) and the name of the site that listed the host.

When tagging messages, Domino® adds a special Notes® item to messages received from hosts found on a blacklist. After Domino® determines that a connecting host is on the blacklist, it adds the Notes® item $DNSBLSite to each message it accepts from the host before depositing the message in MAIL.BOX. The value of the $DNSBLSite item is the name of the blacklist site in which the host was found. Administrators can use the $DNSBLSite item to provide custom handling of messages received from hosts listed in a blacklist. For example, you can test for the presence of the item through the use of formula language in an agent or view and provide conditional handling of messages that contain the item, such as moving the messages to a special database.

When considering what action to take when Domino® finds a host on the blacklist, choose an action that's consistent with the policies of the DNS blacklist site you use. For instance, if the service you use is very restrictive, its blacklist may include "false positives"; that is, it may blacklist hosts that are not known sources of spam. As a result, if you take the action of rejecting mail from any host found on the blacklist, it could prevent the receipt of important messages.

Use restraint when taking action, particularly if you use the blacklist of a more restrictive site. The action you select applies to each of the specified blacklist sites. That is, you cannot configure Domino® to deny connections for hosts found on one site's list and log the event only for hosts found on another site's list.

DNS blacklist statistics

About this task

The SMTP task maintains statistics that track the total number of connecting hosts found on any of the configured DNSBL sites, as well as how many were found on the DNSBL of each configured site. Because the statistics are maintained by the SMTP task, they are cumulative for the life of the task only and are lost when the task stops.

You can view the statistics from the Domino® Administrator or by using the SHOW STAT SMTP command from the server console. You can further expand the statistics to learn the number of times a given IP address is found on one of the configured DNSBLs. To collect the expanded information, you set the variable SMTPExpandDNSBLStats in the NOTES.INI file on the server. Because of the large numbers generated by the expanded set of statistics, Domino® does not record the expanded statistics by default.

Note: Domino® uses IP version 4 (IPv4) addresses when querying DNS blacklist sites to find out if a connecting host is listed. If the connecting host has an IP version 6 (IPv6) address, Domino® skips the DNSBL check for that host.
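The screening described above (one query per configured site, in order, stopping at the first listing; no check for hosts that are not subject to anti-relay enforcement; IPv4 only; total, per-site and optional per-IP counters that live as long as the SMTP task), as an added Python model. This is not Domino's code: the in-memory DNS table, the site names, the exempt network ranges and the statistic keys are all constructed for the example, and a real deployment would call a DNS resolver instead of the table.

```python
"""Model of how Domino screens an inbound SMTP connection against DNSBLs.

Added example, not Domino code. Behaviour mirrored from the text: the
connecting IP is checked only if it is subject to anti-relay enforcement
(by default, external hosts); IPv6 hosts are skipped; sites are queried in
the configured order and checking stops at the first listing; counters for
the total, per site and (optionally) per IP accumulate for the life of the
object, as the SMTP task's statistics do. The resolver is a constructed
in-memory table so the example runs offline.
"""
import ipaddress
from collections import Counter

# Constructed stand-in for real DNSBL zones. An IP-based DNSBL is queried with
# the IPv4 octets reversed and the zone appended; an A answer (by convention
# in 127.0.0.0/8) means "listed", NXDOMAIN (None here) means "not listed".
FAKE_DNS = {
    "4.3.2.1.bl.example.net": "127.0.0.2",    # 1.2.3.4 listed at both sites
    "4.3.2.1.rbl.example.org": "127.0.0.3",
    "9.8.7.6.rbl.example.org": "127.0.0.2",   # 6.7.8.9 listed at the second only
}


def fake_resolve_a(name):
    """Return the A record for name, or None to model NXDOMAIN."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip, site):
    """Build the query name for an IP-based DNSBL: reversed octets + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IP-based DNSBL query names are built from IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + site


class DNSBLFilter:
    def __init__(self, sites, relay_exempt_networks, resolve=fake_resolve_a,
                 expand_stats=False):
        self.sites = list(sites)                 # queried in this order
        self.exempt = [ipaddress.ip_network(n) for n in relay_exempt_networks]
        self.resolve = resolve
        self.expand_stats = expand_stats         # role of SMTPExpandDNSBLStats
        self.stats = Counter()                   # cumulative for this object's life
        self.queries = []                        # every DNS name actually looked up

    def subject_to_relay_checks(self, addr):
        """Default Domino behaviour: anti-relay enforcement for external hosts only."""
        return not any(addr in net for net in self.exempt)

    def check(self, ip):
        """Return the first site that lists ip, or None (exempt, IPv6 or unlisted)."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 6:
            return None                          # DNSBL check skipped for IPv6
        if not self.subject_to_relay_checks(addr):
            return None                          # hosts allowed to relay are exempt
        for site in self.sites:
            name = dnsbl_query_name(ip, site)
            self.queries.append(name)
            if self.resolve(name) is not None:
                self.stats["total"] += 1
                self.stats[site] += 1
                if self.expand_stats:
                    self.stats[(site, ip)] += 1  # large key space: off by default
                return site                      # remaining sites are not queried
        return None


if __name__ == "__main__":
    f = DNSBLFilter(["bl.example.net", "rbl.example.org"],
                    ["10.0.0.0/8", "192.168.0.0/16"], expand_stats=True)
    for host in ["1.2.3.4", "6.7.8.9", "10.1.2.3", "2001:db8::1", "5.5.5.5"]:
        print(host, "->", f.check(host))
    print(dict(f.stats))
```

Because checking stops at the first listing, the order of the configured sites decides which site's name appears in the console message, the log entry and the $DNSBLSite item; put the site whose listings you trust most first. The model also makes the exemption visible: a host inside one of the relay-exempt networks is never queried, however many sites list it.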

Changing the default error message

Procedure

When denying a blacklisted host, Domino® returns to it a default SMTP response, which includes the remote host's IP address and the blacklist site that listed the host. You can customize this response in the Custom error message for denied hosts field in the Configuration Settings document. The text of a customized response can include the string format specifier %s to represent a denied host's IP address and the DNSBL site where the host was found. Refer to the table in the following procedure for more information.

To enable DNS blacklist filters

About this task

Make sure you already have a Configuration Settings document for the server(s) to be configured.

Procedure

  1. From the Domino® Administrator, click the Configuration tab and expand the Messaging section.
  2. Click Configurations.
  3. Select the Configuration Settings document for the mail server or servers where you want to enable DNS blacklist filters, and click Edit Configuration.
  4. Click the Router/SMTP > Restrictions and Controls > SMTP Inbound Controls tab.
  5. Complete the following fields in the DNS Blacklist Filters section, and then click Save & Close:
    Table 1. DNS Blacklist Filters fields

    DNS Blacklist filters
      Choose one:
      • Enabled - When Domino® receives an SMTP connection request, it checks whether the connecting host is listed in the blacklist at the specified sites.
      • Disabled - Domino® does not check whether a connecting host is on the blacklist.

    DNS Blacklist sites
      If DNS blacklist filters are enabled, specify the DNSBL sites to check when Domino® receives an SMTP connection request.

    Desired action when connecting host is found in a DNS Blacklist
      Choose one:
      • Log - When Domino® finds that a connecting host is on the blacklist, it accepts messages from the host and records the host name and IP address of the connecting server and the name of the site where the server was listed.
      • Log and tag message - When Domino® finds that a connecting host is on the blacklist, it accepts messages from the host, logs the host name and IP address of the connecting server and the name of the site where the server was listed, and adds the Notes® item $DNSBLSite to each accepted message.
      • Log and reject message - When Domino® finds that a connecting host is on the blacklist, it rejects the connection and returns a configurable error message to the host.

    Custom SMTP error response for rejected messages
      Enter the text of the error message Domino® returns when denying a connection because it found the host in the DNS blacklist. The default error message indicates that the connection was denied for policy reasons.

      You can use the format specifier %s to specify the IP address of the denied host and the DNS blacklist site where Domino® found the host listed. For example, if you enter the following:

        Your host %s was found in the DNS Blacklist at %s

      whenever Domino® denies a connection, it returns an error to the host in which it replaces the first instance of %s with the IP address of the host and the second instance with the DNS blacklist site name.

  6. Reload the SMTP task, or update the SMTP configuration to put changes into effect.
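The three actions from the table above and the expansion of the two %s specifiers in the custom error response, as an added Python model that is not Domino's code. The DEFAULT_RESPONSE text is a constructed stand-in (the page says only that the real default cites policy reasons), the SMTP reply code is not given on this page and so is not modelled, and plain dictionaries stand in for Notes documents and for MAIL.BOX.

```python
"""Model of the three DNSBL actions: Log, Log and tag message, Log and reject message.

Added example, not Domino code. For a host already found at a DNSBL site it
shows what every action logs, the $DNSBLSite item that 'Log and tag message'
adds to accepted messages, the %s expansion of the custom response for
'Log and reject message', and a selection equivalent to a view or agent
that picks out tagged messages. DEFAULT_RESPONSE is a constructed stand-in
for Domino's default text; no SMTP reply code is modelled because the page
does not state one.
"""

LOG = "Log"
LOG_AND_TAG = "Log and tag message"
LOG_AND_REJECT = "Log and reject message"

# Constructed default; the real default only "indicates that the connection
# was denied for policy reasons".
DEFAULT_RESPONSE = "Connection from %s denied for policy reasons (listed at %s)"


def expand_response(template, ip, site):
    """Replace the first %s with the host's IP and the second with the DNSBL site.

    str.replace with count=1 is used instead of the % operator so a template
    with fewer than two %s, or a literal percent sign, cannot raise an error.
    """
    return template.replace("%s", ip, 1).replace("%s", site, 1)


def handle_listed_host(action, ip, site, hostname=None, custom_response=None):
    """Return the log record, accept decision, item to add and SMTP response."""
    log_entry = {"ip": ip, "hostname": hostname or "(no reverse DNS)", "site": site}
    result = {"log": log_entry, "accept": True, "item": None, "response": None}
    if action == LOG_AND_TAG:
        result["item"] = ("$DNSBLSite", site)
    elif action == LOG_AND_REJECT:
        result["accept"] = False
        result["response"] = expand_response(custom_response or DEFAULT_RESPONSE, ip, site)
    elif action != LOG:
        raise ValueError("unknown action: " + action)
    return result


def deposit(message, result):
    """Model of depositing a message in MAIL.BOX: add $DNSBLSite first if tagging."""
    if not result["accept"]:
        return None                              # rejected at connection time
    message = dict(message)                      # do not mutate the caller's copy
    if result["item"]:
        name, value = result["item"]
        message[name] = value
    return message


def tagged_messages(mailbox):
    """Equivalent of a view selection or agent testing for the $DNSBLSite item."""
    return [m for m in mailbox if "$DNSBLSite" in m]


if __name__ == "__main__":
    custom = "Your host %s was found in the DNS Blacklist at %s"
    r = handle_listed_host(LOG_AND_REJECT, "203.0.113.7", "bl.example.net",
                           custom_response=custom)
    print("reject ->", r["response"])
    t = handle_listed_host(LOG_AND_TAG, "203.0.113.7", "bl.example.net", hostname="mx.example")
    mailbox = [deposit({"From": "a@example", "Subject": "offer"}, t),
               deposit({"From": "b@example", "Subject": "report"},
                       handle_listed_host(LOG, "198.51.100.9", "bl.example.net"))]
    print("tagged ->", tagged_messages(mailbox))
```

The action is global for all configured sites, so the quarantine selection above is the place to apply per-site policy: with "Log and tag message", an agent can reject, quarantine or merely flag messages according to the site name carried in $DNSBLSite, which the single "Desired action" field cannot express.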