Technical overview of IRISRBL Service (Reputation Block List)

How to use the IRISRBL Service
Currently, all e-mail relay programs allow the configuration of blacklists (DNSBLs) at different levels of the SMTP protocol, rejecting any attempted SMTP transfer from IPs included in these lists. It is also possible to integrate IRISRBL at other levels of anti-spam defence, such as greylisting or Spamassassin; consult the documentation of those tools for their configuration.

If you are an institution connected to RedIRIS and wish to use IRISRBL, simply read the IRISRBL Service Conditions of Use, decide which of the two zones you wish to use, notify RedIRIS of your choice, wait for confirmation and configure your e-mail relay in the usual way with the IRISRBL zone. We recommend including an error message of the kind shown below in the configuration (example for postfix):

strong.dnsbl.rediris.es 550 Service unavailable; IP 1.2.3.4 has been blocked using RedIRIS Reputation Service (IRISRBL). You have to send an email to postmaster@su-institucion.es.+info http://www.rediris.es/irisrbl/dnsbl.html

It is very important that you replace su-institucion.es with the domain of your institution where the postmaster@su-institucion.es inbox is located. This "postmaster@su-institucion.es" contact point is essential in order to be able to exclude an IP address due to a false positive. Obviously, this inbox must never be filtered. It is also possible to insert a URL with a form to have the sender contact the postmaster (see the example of RedIRIS contact form).

Another option for using the IRISRBL service is to download the RedIRIS IRISRBL zones and use them locally.

Technical description

Presentation of the IRISRBL Service [pdf - 8G] at the Oviedo Symposium in November 2007.

RedIRIS collects the different data sources that comprise the IRISRBL (Reputation Block List) in different ways:

  • CBL is synchronised every 30 minutes.
  • SORBS-DUL is synchronised every 60 minutes.
  • ListasBlancas (whitelists) are loaded every 10 minutes.
  • Spamtraps are loaded every 15 minutes.
All these zones are aggregated and served in two DNS zones. The update processes of these zones are completely transparent to client lookups, allowing the service to continue responding without interruption.

Access Control

To guarantee availability of resources for the RedIRIS Community, the zones served are configured to respond only to lookups from e-mail relays of the institutions that apply for access. The resolvers of the RedIRIS institutions will be checked to ensure that they do not forward requests from outside RedIRIS.

Zone transfers

The IRISRBL (Reputation Block List) Service, in addition to allowing lookups via DNS, enables an institution to have its own copy of the IRISRBL database for local lookups. Those interested in these zones should contact RedIRIS.

Availability

RedIRIS has arranged the resources necessary to offer the service with maximum guarantees. When the service was designed, neither the number of interested institutions nor the likely rate of lookup traffic was known. If necessary, RedIRIS will increase the resources to guarantee the service.

Composition of the IRISRBL Service

IRISRBL is a product generated in RedIRIS that contains around 15 million IPs generated in real time and constructed by aggregating the following data sources:
  • CBL (Composite Block List). This is a list of the IPs of extensive spamtrap networks. It helps to block e-mails from compromised IPs (open Proxy Server, virus, trojans) that are currently the main source of illegal spam. IRISRBL synchronises it every 30 minutes. It is very similar to the spamhaus XBL zone. In the IRIS-BL reputation list, the response code is 127.0.0.1.

  • DUL-SORBS. Dynamic IP ranges whose providers consider that they should not send electronic mail directly. IRISRBL synchronises it daily. It is similar to the spamhaus PBL zone.
    In the IRIS-BL reputation list, the response code is 127.0.0.14.

  • VIRBL. This is a small list of virus sending IPs. IRISRBL synchronises it every 30 minutes. In the IRIS-BL reputation list, the response code is 127.0.0.3.

  • RedIRIS Spamtraps. List generated by RedIRIS' own spamtrap systems. These systems collect IPs that send 2 spam messages in one hour; the IPs are removed after 32 days. IRISRBL synchronises it in real time.
    In the IRIS-BL reputation list, the response code is 127.0.0.11.

  • RedIRIS White List. List of "good" IPs that are excluded should they appear in the overall IRISRBL list. This prevents IPs listed in the whitelist from being included in IRISRBL.

  • RedIRIS Ranges. IP ranges assigned to institutions connected to RedIRIS. No IP of the RedIRIS ASNs will be included in the IRISRBL zone.

All these data sources are grouped and mixed in two zones:
  • weak.dnsbl.rediris.es zone with a soft policy that contains the following data sources:
    CBL + VIRBL - RedIRIS Whitelist - RedIRIS Ranges
  • strong.dnsbl.rediris.es zone with a strong policy that contains the IPs contained in the weak.dnsbl.rediris.es zone plus another two data sources, DUL-SORBS and RedIRIS Spamtraps, so that this zone is made up of:

    CBL + VIRBL - RedIRIS Whitelist - RedIRIS Ranges + DUL-SORBS + RedIRIS Spamtraps

If you want to know whether an IPv4 address a.b.c.d is included in the IRIS-BL reputation list, look up the A (address) record of the domain d.c.b.a.strong.dnsbl.rediris.es. If the address is listed in IRIS-BL, the lookup returns one of the following codes:

127.0.0.1 for the CBL IPs
127.0.0.3 for the VIRBL IPs
127.0.0.11 for the Spamtraps IPs
127.0.0.14 for the SORBS-DUL IPs
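
The lookup described above, as an added example (not RedIRIS code): it builds the reversed query name, maps the return codes listed on this page to their data source, and ignores any answer outside 127.0.0.0/8. The function names, the injectable resolver and the sample answers are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Return codes as listed on this page.
RETURN_CODES = {
    "127.0.0.1": "CBL",
    "127.0.0.3": "VIRBL",
    "127.0.0.11": "RedIRIS Spamtraps",
    "127.0.0.14": "SORBS-DUL",
}

def query_name(ip, zone="strong.dnsbl.rediris.es"):
    """a.b.c.d -> d.c.b.a.<zone>; raises ValueError if ip is not IPv4."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A records for name via the system resolver, [] on any failure.
    This cannot tell "not listed" from a timeout or a refused query (the
    zones only answer authorised relays), so it fails open."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check(ip, zone="strong.dnsbl.rediris.es", resolve=system_resolver):
    """Names of the data sources that list ip; [] means not listed."""
    sources = []
    for answer in resolve(query_name(ip, zone)):
        # The page's codes are all 127.0.0.x; any other address (for example
        # an NXDOMAIN rewritten by an intermediate resolver) is not a listing.
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            sources.append(RETURN_CODES.get(answer, "unknown code " + answer))
    return sorted(sources)

# Constructed sample answers standing in for the zone (not real listings).
SAMPLE_ANSWERS = {
    "4.3.2.1.strong.dnsbl.rediris.es": ["127.0.0.1"],
    "9.2.0.192.strong.dnsbl.rediris.es": ["127.0.0.14"],
    "7.2.0.192.strong.dnsbl.rediris.es": ["203.0.113.5"],
}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    for ip in ("1.2.3.4", "192.0.2.9", "192.0.2.7", "192.0.2.1"):
        print(ip, check(ip, resolve=sample_resolver) or "not listed")
```

Because the zones answer only authorised relays, a run from an unregistered host with the default resolver reports every address as not listed.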

Installation of IRISRBL for the different products

Following is a summary of the IRISRBL configuration for the different types of e-mail servers that are used in the Community. To ensure correct IRISRBL configuration, the documentation for each product should be reviewed. If you find any errors in these notes, please contact RedIRIS to have them corrected.

Note: If IRISRBL is the only blacklist (DNSbl) that you have configured, it is not necessary to configure checks against the RedIRIS ListaBlanca (Whitelist). Only if you are using another DNSbl is it recommended to use this whitelist.

Exchange 2003

Exchange 2003 supports DNSBLs without additional software through the Microsoft configuration designated "connection filtering".
To use the strong zone, you should configure two connection filters with:

Display name 'IRISRBL'
DNS Suffix of Provider 'strong.dnsbl.rediris.es' 
Custom Error Message '$0 in strong.dnsbl.rediris.es has been blocked using RedIRIS Reputation Service,IRISRBL. If you had problems delivering mail, contact postmaster@su-institucion.es'

Exim

In the ACL section of the configuration file there is a reference for 'acl_check_rcpt' that includes DNSBL as follows:

begin acl
# (possibly other ACLs)
acl_check_rcpt:
# (other rules as documented)
deny message   = $sender_host_address in $dnslist_domain\n\
                 $dnslist_text
     dnslists  = strong.dnsbl.rediris.es
# (rules for other DNSBLs, may be deny or warn)
accept
# (other ACLs)

More information: the ACLs are documented at http://www.exim.org/exim-pdf-current/doc/spec.pdf.

Postfix

Version 2.x is normally configured by including DNSBL tests in the 'smtpd_recipient_restrictions' list of the main configuration file (main.cf), entering something like the following:

default_rbl_reply = $client_address in $rbl_domain
smtpd_recipient_restrictions =
     # Enable white list for postmaster: 
     check_recipient_access hash:/etc/postfix/recipient_checks,
     # (other restrictions as required)
      reject_rbl_client strong.dnsbl.rediris.es,
     # (other restrictions as required)
     permit


qmail

There are no DNSBL directives for qmail, but there are associated programs such as tcpserver and rblsmtpd that can manage the SMTP connection for qmail. The configuration is:

rblsmtpd -r strong.dnsbl.rediris.es qmail-smtpd

There are additional options and scripts to start the elements sequentially. rblsmtpd performs lookups to TXT records in the strong zone in place of doing so by A records.

More information: there is a tutorial at http://www.thedjbway.org/djbrbl/rblsmtpd.html.

sendmail

DNSBL is a 'FEATURE' in sendmail.



FEATURE(`dnsbl', `strong.dnsbl.rediris.es',
     `$&{client_addr} " in strong.dnsbl.rediris.es has been blocked using RedIRIS Reputation Service,IRISRBL. If you had problems delivering mail, contact postmaster@su-institucion.es"')

Applications

In many applications (IRONPORT, SPAMINA etc.) it is possible to include the use of the IRISRBL list. There are too many models to draw up a list.

Spamassassin

You only have to modify the URIDNSBL plugin to check URIs against the IRISRBL zone:

# Use SBL from IRISRBL  zone:
uridnsbl        URIBL_SBL   strong.dnsbl.rediris.es.       TXT

References