Configuring DNS Blackhole List support in a Symantec SMTP product

Article:TECH81061  |  Created: 2003-01-03  |  Updated: 2007-01-02  |  Article URL http://www.symantec.com/docs/TECH81061
Article Type
Technical Solution

Environment

Issue



This page provides instructions for configuring a Symantec SMTP product to use a DNS Blackhole List provider.

A version of one of the following Symantec SMTP products is installed:
--Symantec Mail Security for SMTP 4.0
--Symantec AntiSpam for SMTP Gateways 3.1
--Symantec AntiVirus for SMTP Gateways 3.0




Solution



Symantec SMTP products are not limited to using only the MAPS Blackhole List; other DNS Blackhole List (DNSBL) services are now supported as well. A change to the user interface provides a setting to enable or disable generic DNSBL antispam verification.

To configure blocking by DNSBL antispam lists
  1. Open the Symantec AntiVirus for SMTP Gateways or Symantec AntiSpam for SMTP administration screen.
  2. Click Blocking Policy.
  3. Click Anti-Spam.
    You will see a window on the right titled: Anti Spam.
  4. Scroll down until you see the "Blocking by DNSBL antispam lists" heading, as in the image below. Make settings changes here, and click Save Changes when completed.
    This sample image is not from an actual working system, so these settings may not work in your environment.


    Note: It is sometimes necessary to stop and restart the Symantec AntiVirus for SMTP Gateways, Symantec AntiSpam for SMTP or the Symantec Mail Security service for the changes to take effect.


    The "Blocking by DNSBL antispam lists" graphic contains example entries in the DNSBL domain name boxes; do not use these names when configuring the list.


How to specify the DNSBL services
You must specify the domain names of DNS-based antispam services to use. Populate the DNSBL domain name field with the DNSBL service you want to use.

Enabling DNSBL
Enable individual DNSBL domains by selecting the check box next to the DNSBL domain name field.

Maximum number of domains
Three separate DNSBL domains are supported. Each DNSBL domain has its own individual set of controls, which are enabled by selecting the "Identify spam by return codes" check box for that service.

Return codes
You can select the appropriate return codes expected for a positive response (for example, when the domain was found). The first positive response stops additional DNSBL queries to the corresponding black list.

When you select the "Identify spam by return codes" check box, a text entry box appears for you to enter an A Record response, which is limited to one per line. If the query to the DNSBL service returns a code that is in the return code text entry box for that service, then the mail will be considered as spam and treated according to the message disposition set for spam.

The first DNSBL service queried that returns a match with the supplied A Record response (for that specific service) will take precedence over the rest of the DNSBL services provided, thus stopping additional queries. Return code data will be stored in the SAVSMTP.cfg, SASSMTP.cfg or SMSSMTP.cfg file. The following is the process:
  • The DNS servers will be queried in the order they appear in the user interface.
  • The default behavior is to treat any A Record response as positive if there is no return code entered (treat as spam).
  • If the A Record text entry boxes are blank, Symantec AntiVirus for SMTP Gateways or Symantec AntiSpam for SMTP assumes that the email is spam without checking with the DNSBL service for a response.
  • The only wild card allowed is the asterisk (*) by itself in the return code field. An asterisk (*) would mean that any return code is a positive response. Service providers do have different return codes but each one of their lists uses one of those codes.

Usage
Return codes are provided by the DNSBL vendor when you register with the service. The return codes are in the form w.x.y.z, just like a regular IP address. Most providers use the 127.x.y.z scheme for their return code format; the most common return code is 127.0.0.2.

Example: The imaginary brightmail.org DNSBL service, dnsbl.brightmail.org, uses the following return codes:
  • free.dnsbl.brightmail.org - Returns 127.0.0.2
  • fee.dnsbl.brightmail.org - Returns 127.0.0.3
  • all.dnsbl.brightmail.org - Returns 127.0.1.5

For example, if mail is received from a computer with the IP address w.x.y.z, the DNSBL request takes the form z.y.x.w.<service domain>, where <service domain> is the domain of the DNSBL service provider (the same domain entered on the antispam page).

The only wild card allowed is the asterisk (*) by itself. An asterisk (*) would mean that any return code is a positive response. Service providers (Brightmail.org as an example) do have different return codes but each one of their lists uses one of those codes.

To prevent a server query from generating two responses, some service providers use a positive and negative response code. Others will use the "record not found" responses from DNS to mean that the mail host is not in their list.

If you are not using your own DNSBL service (meaning you do not have your own DNSBL server and lists), then you must ask the DNSBL service provider for the positive return codes. If you have your own DNSBL server that you populate yourself, then you can use any return code you want; 127.0.0.2 is a reasonable choice for a positive return code.

How to locate DNSBL providers
Searching for the term "DNSBL Providers" in most search engines returns a good listing of available DNSBL providers.

The following are a few examples of DNSBL providers:
http://www.mail-abuse.com
http://www.spamhaus.org
http://www.dsbl.org


Note: Support on how to configure Symantec AntiVirus for SMTP Gateways or Symantec AntiSpam for SMTP to work with DNSBL providers is limited to the instructions within the software, the manual, and this document. No further support is offered or provided by Symantec.


About the Antispam exception list
The exception list provides the Administrator with a way to exclude domains from processing by the DNSBL service. You can configure Symantec AntiVirus for SMTP Gateways or Symantec AntiSpam for SMTP to accept email from specific domains listed by a DNSBL service while continuing to block the rest of the list. The "Excluding by antispam white list" is dependent on having the DNSBL verification enabled.

DNSBL white list
The Antispam page contains a new section entitled "Excluding by antispam white list." To exclude domains from DNSBL lookup, administrators can enter the domain in the "Excluding by antispam white list" section.

The "Bypass spam detection for the following domains" field includes a check box that enables the DNSBL exception functionality. The default install setting for "Excluding by antispam white list" is disabled (not selected). When enabled, all envelope sender addresses are processed using DNSBL lookup.

About error checking
Error checking is done through the following methods:
  • All domains not preceded with the @ character will generate an error message when the user presses Save Changes.
  • Clicking Try Again in response to the error message returns you to the AntiSpam page.


    Note: If you click Back and not Try Again, you can edit the improperly formatted entry without losing other changes made to the page.

  • Incorrectly formatting a domain results in no changes saved.

When DNSBL is processed
  • Enabling DNSBL and "Excluding by antispam white list" causes only the envelope of the scanned email to be examined.
    When the envelope sender matches a domain entered in the exception list, DNSBL processing is bypassed.
  • Enabling DNSBL and disabling "Excluding by antispam white list" means incoming email is processed using DNSBL.
  • Disabling DNSBL and "Excluding by antispam white list" means no DNSBL processing occurs.

Note: Symantec SMTP products use the source IP address of the incoming connection when doing a DNSBL lookup. Changing the IP address from that of the original server affects the DNSBL lookup. Some firewalls and software applications change the IP address. If DNSBL is not catching senders on the DNSBL list, check whether the IP address is being changed.
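The lookup process described under "Return codes" and "Usage" and the exception-list bypass described under "When DNSBL is processed" can be modelled in a few lines. The following is an added example, not code from the Symantec product; it assumes an offline stand-in resolver with constructed answers for the article's imaginary brightmail.org zones, an ordered list of (enabled, service domain, return codes) tuples standing in for the three UI entries, and exception entries written as "@domain".

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed sample data: query name -> A record answer from the DNSBL zone.
# A missing key stands for the "record not found" DNS response (not listed).
FAKE_ZONE = {
    "2.0.0.10.free.dnsbl.brightmail.org": "127.0.0.2",
    "2.0.0.10.all.dnsbl.brightmail.org": "127.0.1.5",
    "9.0.168.192.fee.dnsbl.brightmail.org": "127.0.0.3",
}

def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for a DNS A lookup against the DNSBL service."""
    return FAKE_ZONE.get(name)

def dnsbl_query_name(source_ip: str, service_domain: str) -> str:
    """Build z.y.x.w.<service domain> from the connecting host's IPv4 address."""
    octets = str(ipaddress.IPv4Address(source_ip)).split(".")
    return ".".join(reversed(octets)) + "." + service_domain

def code_matches(answer: str, codes: List[str]) -> bool:
    """Positive if the A record is one of the configured codes. An asterisk by
    itself matches any answer; an empty list also treats any answer as positive
    (the article's default when no return code is entered)."""
    if not codes or codes == ["*"]:
        return True
    return answer in codes

def sender_is_excepted(envelope_sender: str, exception_list: List[str]) -> bool:
    """Exception entries are '@domain' and are compared to the envelope sender's
    domain, case-insensitively."""
    domain = "@" + envelope_sender.rsplit("@", 1)[-1].lower()
    return domain in (e.lower() for e in exception_list)

Service = Tuple[bool, str, List[str]]  # (enabled, service domain, return codes)

def classify(source_ip: str, envelope_sender: str, services: List[Service],
             exception_list: List[str],
             resolve: Callable[[str], Optional[str]] = fake_resolve) -> Optional[str]:
    """Return the first service domain that flags the connection as spam, or None."""
    if exception_list and sender_is_excepted(envelope_sender, exception_list):
        return None  # exception list is enabled and matched: DNSBL bypassed
    for enabled, domain, codes in services:  # queried in UI order
        if not enabled:
            continue
        answer = resolve(dnsbl_query_name(source_ip, domain))
        if answer is None:
            continue  # "record not found": not listed by this service
        if code_matches(answer, codes):
            return domain  # first positive response stops further queries
    return None
```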






Legacy ID: 2003040313441554