Enabling DNS blacklist filters for SMTP connections
To prevent unsolicited commercial e-mail (UCE), or spam, from entering your system, you can set up Domino® to check whether incoming SMTP connections originate from servers listed in one or more DNS blacklists (DNSBLs). DNSBLs are databases that keep a record of Internet SMTP hosts that are known sources of spam or permit third-party, open relaying.
About this task
When DNS blacklist filters are enabled, for each incoming SMTP connection Domino® performs a DNS query against the blacklists at the specified sites. If a connecting host is found on the list, Domino® reports the event in a console message and in an entry to the Mail Routing Events view of the Notes® Log. Both the console message and log entry provide the host name and IP address of the server, and the name of the site where the server was listed.
In addition to logging the event, you can configure Domino® to reject messages from hosts on the blacklist or to add a special Notes® item to flag messages accepted from hosts on the list.
Specifying the DNS blacklist sites to check
About this task
After you enable the DNS blacklist filters, you can specify the site or sites the SMTP task uses to determine if a connecting host is a "known" open relay or spam source. Specify sites that support IP-based DNS blacklist queries.
If Domino® finds a match for a connecting host in one of the blacklists, it does not continue checking the lists for the other configured sites.
For performance reasons, it is best to limit the number of sites because Domino® performs a DNS lookup to each site for each connection.
You can choose from a number of publicly available and private, paid subscription services that maintain DNS blacklists. When using a public blacklist service, Domino® performs DNS queries over the Internet. In some cases, it may take a significant amount of time to resolve DNS queries submitted to an Internet site. If the network latency of DNS queries made over the Internet results in slowed performance, consider contracting with a private service that allows zone transfer, so that Domino® can perform the required DNS lookups to a local host. During a zone transfer, the contents of the DNS zone file at the service provider are copied to a DNS server in the local network.
Each blacklist service uses its own criteria for adding servers to its list. Blacklist sites use automated tests and other methods to confirm whether a suspected server is sending out spam or acting as an open relay. The more restrictive blacklist sites add servers to their list as soon as they fail the automated tests and regardless of whether the server is verified as a source of spam. Other less restrictive sites list a server only if its administrator fails to close the server to third-party relaying after a specified grace period or if the server plays host to known spammers.
By searching the Internet, you can find Internet sites that provide periodic reports on the number of entries in various DNS blacklist services.
Hosts that are exempt from DNS blacklist checks
About this task
Specifying how Domino® handles connections from hosts found in a DNS blacklist
About this task
You can configure Domino® to take the following actions when it finds a connecting host on one of the blacklists:
- Log only
- Log and tag message
- Log and reject message
In each case, the server records the following information in the Notes® log: the host's IP address and host name (if a reverse DNS lookup can determine this information) and the name of the site that listed the host.
When tagging messages, Domino® adds a special Notes® item to messages received from hosts found on a blacklist. After Domino® determines that a connecting host is on the blacklist, it adds the Notes® item $DNSBLSite to each message it accepts from the host before depositing the message in MAIL.BOX. The value of a $DNSBLSite item is the blacklist site in which the host was found. Administrators can use the $DNSBLSite item to provide custom handling of messages received from hosts listed in a blacklist. For example, you can test for the presence of the item through the use of formula language in an agent or view and provide conditional handling of messages that contain the item, such as moving the messages to a special database.
When considering what action to take when Domino® finds a host on the blacklist, choose an action that's consistent with the policies of the DNS blacklist site you use. For instance, if the service you use is very restrictive, its blacklist may include "false positives"; that is, it may blacklist hosts that are not known sources of spam. As a result, if you take the action of rejecting mail from any host found on the blacklist, it could prevent the receipt of important messages.
Use restraint when taking action, particularly if you use the blacklist of a more restrictive site. The action you select applies to each of the specified blacklist sites. That is, you cannot configure Domino® to deny connections for hosts found on one site's list and log the event only for hosts found on another site's list.
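The mechanics described above, as an added example written for this page (it is not Domino code and calls no Domino API): an IP-based DNSBL query built from the reversed address, the configured sites checked in order with no further queries once one site matches, one action applied to every site, the log entry with host name, IP address and site, and the $DNSBLSite item stamped on accepted messages when the action is "Log and tag message". It also keeps total and per-site counters of the kind the statistics section below describes. The zone names dnsbl-a.example and dnsbl-b.example, the addresses they list, and the resolver that answers from that table instead of DNS are all constructed so the example runs offline.

```python
"""Illustrative model of an inbound SMTP DNS-blacklist (DNSBL) check.

Added example for this page; it is not Domino code and calls no Domino API.
The zone names and the addresses they list are constructed sample data.
"""
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional

# Constructed sample zones (hypothetical names) and the addresses each lists.
SAMPLE_ZONES: Dict[str, set] = {
    "dnsbl-a.example": {"203.0.113.5"},
    "dnsbl-b.example": {"203.0.113.5", "198.51.100.9"},
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name an IP-based DNSBL is asked about: the reversed dotted quad under
    the list's zone, so 203.0.113.5 against dnsbl-a.example becomes
    5.113.0.203.dnsbl-a.example."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def sample_resolver(name: str) -> bool:
    """Stand-in for the DNS lookup performed per site: True means the name
    resolves (an A record exists), i.e. the host is listed. This one answers
    from SAMPLE_ZONES so the example runs offline."""
    parts = name.split(".", 4)
    ip = ".".join(reversed(parts[:4]))
    return ip in SAMPLE_ZONES.get(parts[4], set())


class DnsblFilter:
    """Checks each connecting host against the configured sites in order."""

    ACTIONS = ("log", "tag", "reject")   # the three actions on the page

    def __init__(self, sites: List[str], action: str,
                 resolver: Callable[[str], bool] = sample_resolver) -> None:
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.sites = list(sites)
        self.action = action         # one action applies to every site
        self.resolver = resolver
        self.queries = 0             # DNS lookups issued (the cost per connection)
        self.log: List[str] = []     # stands in for Mail Routing Events entries
        # Counters like those the statistics section describes: total and per site.
        self.stats: Dict[str, int] = {"Total": 0, **{s: 0 for s in self.sites}}

    def lookup(self, ip: str) -> Optional[str]:
        """Return the first configured site that lists ip, or None. Once a
        site matches, the remaining sites are not queried."""
        for site in self.sites:
            self.queries += 1
            if self.resolver(dnsbl_query_name(ip, site)):
                return site
        return None

    def connect(self, ip: str, hostname: Optional[str]) -> dict:
        """Handle one inbound SMTP connection and report what happened."""
        site = self.lookup(ip)
        if site is None:
            return {"accepted": True, "site": None}
        self.stats["Total"] += 1
        self.stats[site] += 1
        # Every action logs the host name (when reverse DNS gave one), IP and site.
        self.log.append(f"{hostname or ip} ({ip}) found in DNS blacklist at {site}")
        return {"accepted": self.action != "reject", "site": site}

    def deposit(self, message: dict, result: dict) -> dict:
        """Stamp an accepted message before it goes to MAIL.BOX."""
        msg = dict(message)
        if self.action == "tag" and result["site"] is not None:
            msg["$DNSBLSite"] = result["site"]
        return msg


def is_tagged(message: dict) -> bool:
    """The presence test an agent or view formula makes on the item
    (the formula-language equivalent is @IsAvailable($DNSBLSite))."""
    return "$DNSBLSite" in message


if __name__ == "__main__":
    f = DnsblFilter(["dnsbl-a.example", "dnsbl-b.example"], "tag")
    r = f.connect("203.0.113.5", "mx.example")
    print(f.deposit({"Subject": "hello"}, r), f.stats, f.queries)
```

Because 203.0.113.5 is listed by both sample zones, the model returns dnsbl-a.example after a single query, which is why the order of the configured sites and their number matter for the per-connection cost the text warns about.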
DNS blacklist statistics
About this task
The SMTP task maintains statistics that track the total number of connecting hosts found on the DNSBLs of all configured sites combined, as well as how many were found on the DNSBL of each configured site. Because the statistics are maintained by the SMTP task, they are cumulative for the life of the task only and are lost when the task stops.
You can view the statistics from the Domino® Administrator or by using the SHOW STAT SMTP command from the server console. You can further expand the statistics to learn the number of times a given IP address is found on one of the configured DNSBLs. To collect the expanded information, you set the variable SMTPExpandDNSBLStats in the NOTES.INI file on the server. Because of the large numbers generated by the expanded set of statistics, Domino® does not record the expanded statistics by default.
Changing the default error message
Procedure
You can use the format specifier %s to represent a denied host's IP address and the DNSBL site where the host was found. Refer to the table in the following procedure for more information.
To enable DNS blacklist filters
About this task
Make sure you already have a Configuration Settings document for the server(s) to be configured.
Procedure
- From the Domino® Administrator, click the Configuration tab and expand the Messaging section.
- Click Configurations.
- Select the Configuration Settings document for the mail server or servers where you want to enable DNS blacklist filters, and click Edit Configuration.
- Click the tab.
- Complete the following fields in the DNS Blacklist Filters section, and then click Save & Close:
Table 1. DNS Blacklist Filters fields
Field: DNS Blacklist filters
Enter: Choose one:
- Enabled - When Domino® receives an SMTP connection request, it checks whether the connecting host is listed in the blacklist at the specified sites.
- Disabled - Domino® does not check whether a connecting host is on the blacklist.
Field: DNS Blacklist sites
Enter: If DNS blacklist filters are enabled, specify the DNSBL sites to check when Domino® receives an SMTP connection request.
Field: Desired action when connecting host is found in a DNS Blacklist
Enter: Choose one:
- Log - When Domino® finds that a connecting host is on the blacklist, it accepts messages from the host and records the host name and IP address of the connecting server and the name of the site where the server was listed.
- Log and tag message - When Domino® finds that a connecting host is on the blacklist, it accepts messages from the host, logs the host name and IP address of the connecting server and the name of the site where the server was listed, and adds the Notes® item $DNSBLSite to each accepted message.
- Log and reject message - When Domino® finds that a connecting host is on the blacklist, it rejects the connection and returns a configurable error message to the host.
Field: Custom SMTP error response for rejected messages
Enter: Enter the text of the error message Domino® returns when denying a connection because it found the host in the DNS blacklist. The default error message indicates that the connection was denied for policy reasons.
You can use the format specifier %s to specify the IP address of the denied host and the DNS blacklist site where Domino® found the host listed. For example, if you enter the following:
Your host %s was found in the DNS Blacklist at %s
whenever Domino® denies a connection, it returns an error to the host in which it replaces the first instance of %s with the IP address of the host, and the second instance with the DNS blacklist site name.
- Reload the SMTP task, or update the SMTP configuration to put changes into effect.
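The substitution rule for the custom SMTP error response, as an added example written for this page rather than Domino code: render_reject_response applies the rule the field description gives (the first %s becomes the denied host's IP address, the second becomes the DNS blacklist site), and check_template is this example's own pre-save check, not a Domino feature, for the mistakes an administrator is most likely to make in that field. The template is the one shown on the page; the address, the site name dnsbl-a.example and the other candidate templates are constructed.

```python
"""Rendering and checking the custom SMTP error response for DNSBL rejects.

Added example for this page, not Domino code. check_template is this
example's own suggestion; the sample values are constructed.
"""
from typing import List

# The template shown on the page.
PAGE_TEMPLATE = "Your host %s was found in the DNS Blacklist at %s"


def render_reject_response(template: str, ip: str, site: str) -> str:
    """Substitute left to right: first %s -> ip, second %s -> site.
    Two single replacements are used instead of Python's % operator so that
    exactly the rule the page states is applied and nothing else in the
    template is interpreted."""
    with_ip = template.replace("%s", ip, 1)
    return with_ip.replace("%s", site, 1)


def check_template(template: str) -> List[str]:
    """Problems worth catching before the Configuration Settings document is
    saved. Returns an empty list for a template that matches the page's rule
    (exactly two %s placeholders) and contains no line break."""
    problems = []
    count = template.count("%s")
    if count != 2:
        problems.append(
            f"expected exactly two %s placeholders (IP address, then site); found {count}")
    if "\r" in template or "\n" in template:
        # An SMTP reply line ends at CRLF; an embedded line break would cut
        # the response short from the sending host's point of view.
        problems.append("template contains a line break")
    return problems


if __name__ == "__main__":
    print(render_reject_response(PAGE_TEMPLATE, "203.0.113.5", "dnsbl-a.example"))
    for candidate in (PAGE_TEMPLATE, "Connection refused",
                      "Host %s is listed at %s by %s"):
        print(repr(candidate), check_template(candidate) or "ok")
```

With only one %s in the template the renderer fills the IP address and silently drops the site name, which is the kind of omission the check reports before the document is saved.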