dnswl.org

The query must always go to the zone "list.dnswl.org" in standard DNSBL format, ie with a reversed dotted quad IP address. To query whether the IP address "1.2.3.4" is listed, the query would thus be

4.3.2.1.list.dnswl.org

The list contains the standard test entry of 127.0.0.2, which you can also test manually

matthias:~ > host 2.0.0.127.list.dnswl.org
2.0.0.127.list.dnswl.org has address 127.0.10.0

The return codes are structured as 127.0.x.y, with "x" indicating the category of an entry and "y" indicating how trustworthy an entry has been judged.

Categories (127.0.X.y):

• 2 - Financial services
• 3 - Email Service Providers
• 4 - Organisations (both for-profit [ie companies] and non-profit)
• 5 - Service/network providers
• 6 - Personal/private servers
• 7 - Travel/leisure industry
• 8 - Public sector/governments
• 9 - Media and Tech companies
• 10 - some special cases
• 11 - Education, academic
• 12 - Healthcare
• 13 - Manufacturing/Industrial
• 14 - Retail/Wholesale/Services
• 15 - Email Marketing Providers

Trustworthiness / Score (127.0.x.Y):

• 0 = none - only avoid outright blocking (eg Hotmail, Yahoo mailservers, -0.1)
• 1 = low - reduce chance of false positives (-1.0)
• 2 = medium - make sure to avoid false positives but allow override for clear cases (-10.0)
• 3 = high - avoid override (-100.0).

The scores in parantheses are typical SpamAssassin scores.

You can download dnswl.org data in rbldnsd, Postfix and BIND formats using rsync. Examples:

• rbldnsd: rsync --times rsync1.dnswl.org::dnswl/rbldnsd-* /some/path/
• Postfix: rsync --times rsync1.dnswl.org::dnswl/postfix-* /some/path/
• BIND: rsync --times rsync1.dnswl.org::dnswl/bind-* /some/path/
• Notes/Domino: rsync --times rsync1.dnswl.org::dnswl/notes-* /some/path/
• generic: rsync --times rsync1.dnswl.org::dnswl/generic-* /some/path/

It's usually sufficient to download the data once or twice a day, since it does not change fast. Please do not schedule the download at the full or half hour, but use some random minute.

Please note that as of version 3.2.0, the rules below are included in the SpamAssassin default package. The distribution package for 3.2.0 had a bug that prevented the rules from actually firing (the __RCVD_IN_DNSWL part was missing), but this has been fixed in subsequent versions.

header __RCVD_IN_DNSWL          eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')

header RCVD_IN_DNSWL_LOW        eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
describe RCVD_IN_DNSWL_LOW      Sender listed at http://www.dnswl.org/, low trust
tflags RCVD_IN_DNSWL_LOW        nice net

header RCVD_IN_DNSWL_MED        eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.2')
describe RCVD_IN_DNSWL_MED      Sender listed at http://www.dnswl.org/, medium trust
tflags RCVD_IN_DNSWL_MED        nice net

header RCVD_IN_DNSWL_HI         eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.3')
describe RCVD_IN_DNSWL_HI       Sender listed at http://www.dnswl.org/, high trust
tflags RCVD_IN_DNSWL_HI         nice net

score RCVD_IN_DNSWL_LOW         -1
score RCVD_IN_DNSWL_MED         -10
score RCVD_IN_DNSWL_HI          -100

There are two files that can be used by Postfix. The first file, postfix-dnswl-header, can be used to insert a header indicating the whitelisting. The second file, postfix-dnswl-permit, can be used to override eventual blacklistings ('reject_rbl_client').

The quickest way to use dnswl.org data to override blacklisting is by applying the following in your /etc/postfix/main.cf:

smtpd_recipient_restrictions = ...
     reject_unauth_destination,
     ...
     check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
     ...

Note that reject_unauth_destination must should come before the check_client_access to ensure you do not become an open relay for the whitelisted networks.

See the rsync topic on how to get the postfix-* files.

Special thanks to the helpful comments and hints in this thread on the postfix-users mailinglist.

Lotus Notes/Domino can use a list of IP addresses which should be whitelisted – whitelisted in a sense that it overrides blocklist entries and other functions. dnswl.org produces data in the required format (see above for rsync'ing the data, or download it from http://www.dnswl.org/data/).

Chris Linfoot shows how to actually use the data in his blog at http://chris-linfoot.net/d6plinks/CWLT-6P9CX5. He also helped get the data in the right format. Thanks!

A special "hack" for Sendmail is available at http://ist.uwaterloo.ca/~dkeenan/docs/sendmail-whitelist.html which exempts whitelisted addresses from blacklisting.

Similar to the hack above, open-sendmail has a FEATURE(`anfi/rsdnsbl') to achieve roughly the same: http://open-sendmail.sourceforge.net/.

The configuration for Exim is probably the most straightforward we have seen so far:

   accept  domains      = +local_domains
           dnslists      = list.dnswl.org
           logwrite      = $sender_host_address is whitelisted

See http://www.immerda.ch/index.php/ServerMailSpamAntivir#Whitelisting for more details.

The following config snippit scans an email for spam unless the sending ip is a medium or high trust level in dnswl.org:

   warn
   ! dnslists = list.dnswl.org&0.0.0.2
   spam = nobody:true

If you rsync the rbldnsd-format locally, you can set it up as follows (assuming you have a working rbldnsd setup):

/path/to/rbldnsd -f list.dnswl.org:ip4set:/path/to/rbldnsd-dnswl

Of course you may add more options to rbldnsd, eg specify a user to run as, chroot directory, IP address to bind to etc. - refer to the rbldnsd documentation.

Spamikaze is an automated spam block system that can also consider whitelists to minimize the risk of false positives.

The Spamikaze website shows how to configure the system in general. In order to use dnswl.org data with Spamikaze, change your spamikaze/config file:

[Mail]
...
WhitelistZones = ... list.dnswl.org

mutt

color index     red      default   ~h^X-DNSWL:.No$
color index     yellow   default   ~h^X-DNSWL:.none
color index     blue     default   ~h^X-DNSWL:.low
color index     cyan     default   ~h^X-DNSWL:.med
color index     green    default   ~h^X-DNSWL:.hi

DynaStop is a package for Exim which allows various types of filtering based on IP addresses. It uses dnswl.org data to exclude "known good" mailservers eg from greylisting.

By default, DynaStop puts a customized format of dnswl.org data in /usr/exim/DynaStop.Whitelist.conf; updates are available from http://tanaya.net/DynaStop/DynaStop.WhiteList.conf

SpamTestBuddy is a simple spam-scoring tool, built to be included through procmail. As of version 0.95 (2007-09-27) SpamTestBuddy supports DNS-based whitelists, and comes with dnswl.org rules pre-configured.

In order to use dnswl.org data with the SurgeMail server, add the following entry to surgemail.ini:

g_orbs_list name="list.dnswl.org" action="accept" stamp="3=dnswl_high~2=dnswl_medium~1=dnswl_low~0=dnswl_none"

The following config snippet will exclude all dnswl.org-listed hosts from greylisting:

dnsrbl "DNSWL" list.dnswl.org 127.0.0.0/16
racl whitelist dnsrbl "DNSWL"

The milter-greylist developers work on a possibility to exclude only certain scores (the "x" in 127.0.x.y) from greylisting. Thanks to Greg Troxel for bringing this up.

Add "list.dnswl.org" to the "whitelist_zones" config file and add a line "dns_whitelist_soft" to the plugins file.

Hanno Hecker has provided a "dnswl" plugin with a locally rsync'd DB, available at http://svn.perl.org/qpsmtpd/contrib/vetinari/dnswl

A combination of greylisting, SpamAssassin, SpamProbe, image spam filters, DNSWL and virus filtering built around Postfix: http://www.chaosreigns.com/spam/.