April 26, 2004 12:00 AM

Do-It-Yourself Test RBLs

Create a simple in-house block list to test Exchange 2003's antispam capabilities in your environment
Windows IT Pro
InstantDoc ID #42315

Exchange Server 2003 introduces a new feature: the ability to integrate Real-Time Block Lists (RBLs)—aka DNS block lists—into your Exchange environment. Exchange implements this feature by letting you configure connection-filter rules that incorporate RBLs. Typically, you'll use an external list maintained by a third-party RBL provider such as Distributed Server Boycott List (http://www.dsbl.org), Mail Abuse Prevention System (MAPS—http://www.mail-abuse.org), or Domain Name System Real-time Black List—DNSRBL (http://www.dnsrbl.com). However, you can also create your own RBL. Creating a simple DNS block list can be an excellent means for testing RBLs and getting a feel for how best to use them in your organization. Let's look at how block lists work and step through the process of creating a test list that you can use in your Exchange 2003 environment.

Block List Basics
The standard RBL operates as a DNS zone that filters out the IP addresses of known spam originators according to set criteria (e.g., multiple recipients have reported the address as a spam source, the source is a dial-up subnet of an ISP from which all dial-up subnets are blocked). These criteria can differ from one RBL provider to another, so you'll want to test RBLs before implementing them so that you can find lists that use criteria appropriate to your environment.

To catch spam, the RBL consumer (i.e., Exchange) takes the IP address of the connecting SMTP host, reverses its octets, and builds a DNS query from the reversed address and the RBL's zone suffix. Exchange passes the query to connection-filter rules that you configure and apply to each SMTP virtual server that handles external messaging traffic for your organization. Each rule is associated with an RBL, which the rule queries to determine whether the incoming connection's IP address belongs to a known spam source. Exchange 2003 lets you use multiple RBLs by associating each list with a separate connection filter.

If the RBL lists the source address as a spam source or another problematic source (e.g., an open relay), the RBL returns a DNS A record (also called a host record) that contains a "status code" IP address. This status code indicates the incoming IP address's source type (e.g., open relay, confirmed spam source). The default code is 127.0.0.1, but RBL providers can use other codes (e.g., 127.0.0.2, 127.0.0.9) to specify the type of source; Table 1 lists some source types. Be aware that status codes vary according to RBL provider (e.g., one provider might use 127.0.0.4 to indicate an open relay, whereas another provider might use that code to indicate a confirmed spam source), and each RBL might assign a different code to the same IP address. You can configure a connection-filter rule to block messages from systems that return specific status codes, or you can configure the rule to match any return code. When the rule encounters a source address that returns a status code from the RBL, the rule instructs Exchange to drop the connection and generate a nondelivery report (NDR).

Setting Up DNS
Creating your own RBL is simple; you just need to set up DNS properly. First, set up an Exchange test server to function as a test spam server and assign it an IP address. I used the address 10.10.2.227 and placed my test spam server in an organization called bottom.tst. Next, use the Microsoft Management Console (MMC) DNS snap-in on a DNS test server to create a new forward lookup zone for your test RBL. As Figure 1 shows, I created a zone called MyBlockList.tst.

Next, you need to configure the RBL to include a node that identifies the test spam server's IP address. (If you use a third-party RBL, the provider supplies you with its DNS zone suffix so you can perform queries against that provider's RBL.) From the DNS snap-in, right-click the MyBlockList.tst object and select New Domain from the context menu. Create a new zone (domain) for the first octet of the IP address. Repeat the domain-creation process to create a subzone for the second octet within the first octet, a subzone for the third octet within the second octet, and a subzone for the fourth octet within the third octet. (Figure 2 shows this process at the third octet.)

Now, you need to create a host (A) record that identifies the IP address as a spam source. When queried, the record will return the status code address 127.0.0.1. Right-click the fourth octet (227) and select New Host from the context menu. Give the host record an IP address of 127.0.0.1, as Figure 3 shows.

The DNS portion of the job is complete. Now, a query for a message coming from the sample spam node (10.10.2.227) will return a positive host record result of 127.0.0.1 and cause an appropriately configured connection filter to drop the connection from the spam server. The next job is to configure an Exchange connection filter to do just that.
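The following added example (not code from the article or from Exchange) models both halves of what the article describes: the test zone built in the DNS snap-in, represented offline as a constructed dictionary, and the consumer-side lookup and status-code matching that a connection filter performs. The dnscmd lines are an assumed command-line equivalent of the snap-in clicks; the zone name and addresses are the article's own.

```python
"""Added example, not from the article: model the MyBlockList.tst test RBL
and the lookup an Exchange connection filter performs against it.
Runs offline; the zone is a constructed dict, not a real DNS server."""
import ipaddress

RBL_ZONE = "MyBlockList.tst"
TEST_SPAM_SERVER = "10.10.2.227"   # the article's test spam server
DEFAULT_STATUS = "127.0.0.1"       # status code the article's host record returns


def reversed_octets(ip: str) -> str:
    """'10.10.2.227' -> '227.2.10.10'. ipaddress rejects malformed input."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Name the RBL consumer looks up: reversed octets plus the zone suffix."""
    return f"{reversed_octets(ip)}.{zone}"


def build_test_zone(listed: dict, zone: str = RBL_ZONE) -> dict:
    """Equivalent of the snap-in steps (one node per octet, then an A record
    under the fourth octet). Returns {fqdn (lower-case): status-code address}."""
    return {rbl_query_name(ip, zone).lower(): code for ip, code in listed.items()}


def dnscmd_lines(listed: dict, zone: str = RBL_ZONE) -> list:
    """Same records as dnscmd commands (assumed alternative to the MMC clicks)."""
    return [f"dnscmd /RecordAdd {zone} {reversed_octets(ip)} A {code}"
            for ip, code in listed.items()]


def lookup_a(name: str, zone_data: dict):
    """Stand-in for the DNS A query (DNS names are case-insensitive)."""
    return zone_data.get(name.lower())


def should_drop(ip: str, zone_data: dict, match_codes=None) -> bool:
    """Connection-filter decision. match_codes=None mirrors the 'match any
    return code' option; a set of codes mirrors matching specific codes."""
    code = lookup_a(rbl_query_name(ip), zone_data)
    if code is None:
        return False          # not listed: accept the connection
    return match_codes is None or code in match_codes


if __name__ == "__main__":
    zone = build_test_zone({TEST_SPAM_SERVER: DEFAULT_STATUS})
    print(rbl_query_name(TEST_SPAM_SERVER))       # 227.2.10.10.MyBlockList.tst
    print(dnscmd_lines({TEST_SPAM_SERVER: DEFAULT_STATUS})[0])
    print(should_drop(TEST_SPAM_SERVER, zone))    # True
    print(should_drop("10.10.2.228", zone))       # False: no record for it
```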
