  |
|
How do I set this service up? On Unix?
How do I set this service up? On Windows?
With what domain should I connect the zones locally?
How can I use Rbldnsd and BIND together?
What kind of rbldnsd dataset types should I use?
On the rsync server I don't see a combined zen zone file...
How do I test to see if my setup is working?
I need to test the Datafeed service first, before ordering it
What is the application process?
I need to see the Service Agreement contract text before applying for the service
Who do I contract the Datafeed service from?
Why is there a charge for this service?
Does the pricing change?
Service Restrictions
I don't need this service, I got a Barracuda instead...
| How do I set this service up? On Unix? |
|
The Datafeed service can be installed on nearly any Unix-based machine (Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, Solaris, Tru64, HPUX, AIX, Irix, etc.). The memory and CPU requirements are usually modest, so that old PCs are typically up to the task. An Internet bandwidth of at least 512 kbps is required.
The service utilizes 2 free programs, Rsync and Rbldnsd.
Both of them are usually also available as packages for the various operating systems. Nowadays, rsync is often part of the base distribution.
SERVICE INSTALLATION MANUAL
Spamhaus supplies an Installation Manual (PDF) with the Datafeed service, giving instructions for how to install and set the Datafeed up. The manual covers:
1. installing rsync
2. installing rbldnsd and prepare it for running
3. configuring your local DNS resolver
4. configuring your mail servers
(Manual is supplied only after you apply for the Datafeed service, or a free trial of the datafeed service) |
| How do I set this service up? On Windows? |
|
The Datafeed service can be installed on a machine running Microsoft Windows 2000, Windows XP or Windows 2003.
An Internet bandwidth of at least 512 kbps is required.
The service utilizes two free programs, Rsync and Rbldnsd. These have been ported by ITeF!x Consulting to run under Windows. A package named Wrbldnsd contains both programs. Datafeed users have to download the "Spamhaus Edition".
SERVICE INSTALLATION MANUAL
An Installation Guide is available.
RUNNING UNDER WINDOWS MAIL SERVERS
Most modern Microsoft Windows mail servers (MTAs) such as Exchange 2003/2007 and Lotus Domino include options to query DNSBLs (a/k/a RBLs, blocklists, IP-blacklists). When running the Datafeed service, one configures these MTAs to point their queries at the local wrbldnsd server.
One may still be able to use the Datafeed service with older MTA software by using some third party add-on software. ORFilter seems to be a free-to-use front-end DNSBL filter that can be used with older e-mail systems. Fluffy can also be used as a front-end for older e-mail systems with low traffic. However, it looks as if it has not been maintained for a while (January 2004) and that it is not designed to handle large volumes of mail traffic. It is also free-to-use. |
| With what domain should I connect the zones locally? |
|
While it is technically possible (by using forwarding in your DNS resolver) to run the sbl, pbl, xbl local zones under the spamhaus.org domain, we recommend to use a different domain for your local zones. By doing so, you will be sure that queries really stay local rather than being sent to the Spamhaus public servers as a consequence of a configuration error.
The preferred solution is that of running the Spamhaus zones under a local domain unreachable from the rest of the Internet. For instance, you can use a local domain called "dnsbl", referring to the zones as "sbl.dnsbl", "pbl.dnsbl", "xbl.dnsbl" in your mail servers. With a Bind DNS resolver, this can be done be defining in named.conf
zone "dnsbl" {
type forward;
forward only;
forwarders {
1.2.3.4;
};
};
where 1.2.3.4 is the IP address of the rbldnsd server (on the same or on another host).
|
| How can I use Rbldnsd and BIND together? |
|
You can run rbldnsd on the same system/IP as an existing BIND 9.x DNS server acting as resolver in your network. For instance, the rbldnsd option "-b 127.0.0.1/54" tells rbldnsd to listen on the IP address 127.0.0.1, UDP port 54.
You then configure the BIND server your mail server(s) use, to forward queries for the Spamhaus DNSBLs to rbldnsd by adding the following to named.conf:
zone "dnsbl" {
type forward;
forward only;
forwarders {
127.0.0.1 port 54;
};
};
This port forwarding option is not supported in BIND 8.x. (For BIND 8.x, you need to dedicate an IP address to rbldnsd and configure BIND to not listen on that IP - by telling it which IPs to listen on). |
| What kind of rbldnsd dataset types should I use? |
|
Rbldnsd defines a few different dataset types.
To optimize performance and memory usage, we recommend Datafeed users to choose ip4set for SBL, ip4trie for PBL and ip4tset for XBL.
However, using ip4tset will result in a return code 127.0.0.4 for all XBL listings. In the majority of cases this is acceptable, but if you need to distinguish between the different XBL return codes you should use ip4set also for XBL.
Public mirrors are required to use ip4set for all zones.
|
| On the rsync server I don't see a combined zen zone file... |
|
The combined 'zen' zone (which we publish to reduce the global DNS traffic on our public nameservers) does not exist as a file. The sbl, pbl and xbl files can be combined into a single "zen" zone by running rbldnsd in this way:
rbldnsd (options) \
zen.dnsbl:ip4set:sbl \
zen.dnsbl:ip4trie:pbl \
zen.dnsbl:ip4tset:xbl
That is, the combined zone is built 'on the fly' by rbldnsd from the three files. Datafeed users may choose to run the individual zones, the combined zone, or both. Since all queries are local, the performance advantage of the combined zone is usually negligible unless your mail traffic is really massive.
|
| How do I test to see if my setup is working? |
|
Once you have set up your local DNSBL system and configured your mail server or SpamAssassin tools to use query it, you can test to see if the Spamhaus blocking is working by sending an email (any email) to: nelson-sbl-test@crynwr.com (you must send the email from the mail server which you wish to test). The Crynwr system robot will answer you to tell you if your server is correctly blocking SBL-listed IPs or not.
Similar tests are available for PBL and XBL.
|
| I need to test the Datafeed service first, before ordering it |
|
If you're not sure how well the Spamhaus DNSBLs will perform to reduce incoming spam on your network, and your email traffic is too high to test zen.spamhaus.org using our free public DNS mirrors, you can test the Datafeed service for 30 days, free of charge and with no obligations, by selecting "I want to test this service" from the Datafeed Price Calculator before completing the Datafeed Application Form.
(to get to the Datafeed Application Form, you need to first select your Organization Type and Total Email Users from the Datafeed Price Calculator) |
| What is the application process? |
|
The application process is designed to allow organizations to initiate an application without committing to taking the service or making a payment until they are first satisfied with the service and have agreed to the contract terms. The process is:
1) Use the Price Calculator to find the correct price for your organization, based on the total number of Email Users you provide service for.
2) Fill out the Datafeed Application form.
Your application is then submitted to us for approval (we need to ensure we don't grant access to the Datafeed to organizations involved in spamming). This can take a few hours. Once approved, your Application is passed to an Authorized Datafeed Vendor (independent contractor) licensed by The Spamhaus Project to supply access to and manage the Datafeed service (the service is sold and supplied to you directly by the Authorized Datafeed Vendor, not by The Spamhaus Project).
The Authorized Datafeed Vendor will then contact you directly to set up your Datafeed subscription. (note that until you sign the contractor's Service Agreement contract you are not committing to anything) |
| I need to see the Service Agreement contract text before applying for the service |
|
Spamhaus offers the Datafeed service only to reputable qualified organizations (ISPs, companies, universities, government networks), we need to know who you are before offering you access to our data.
The Datafeed Service Agreement is between you and a 3rd party contractor (Authorized Datafeed Vendor) authorized by Spamhaus to sell and manage the Datafeed service. The Authorized Datafeed Vendor's Agreement therefore is only made available to you once you first complete the Datafeed Application Form which is first vetted by Spamhaus to ensure the application is bona-fide.
Completing the Application form does not commit you to anything. |
| Who do I contract the Datafeed service from? |
|
The Datafeed service is sold and supplied by Authorized Datafeed Vendors licensed by The Spamhaus Project to sell access to realtime data in return for managing the data synchronization service and its infrastructure. Contracts and annual subscriptions therefore are between you and the Authorized Datafeed Vendor.
The Spamhaus Project is responsible for vetting your Datafeed application (to weed out any suspect applications by spam firms attempting to gain access to the data and to disallow supply of the service to companies engaged in spam service or support activities). Once approved by Spamhaus' DNSBL team, your application is passed to a suitable Authorized Datafeed Vendor who will then take care of setting up your Datafeed subscription.
The details of the Authorized Datafeed Vendors are not released until after Spamhaus has approved your application. |
| Why is there a charge for this service? |
|
In 2004 Spamhaus introduced the Datafeed service to replace the former free but simple Rsync service. The change from free to subscription-based became necessary in 2004 in order to handle the exponential growth of the service. A few thousand networks take synchronized transfers of the Spamhaus DNSBL data, it is therefore a resource-intensive service that demanded its own separate and independent management, servers and technical support infrastructure.
To guarantee the availability of the service, provide support and maintain the equipment and redundency behind it, Spamhaus decided in 2004 to move the provision of the service to authorized Datafeed contractors who manage, sell and support the Datafeed service.
The announcement of the service change, and reasons for moving it to a charged annual subscription, was made in our 2004 document outlining the future of Spamhaus: Futureproofing Spamhaus. |
| Does the pricing change? |
|
Yes, but not often. Our only pricing change took place on January 1st, 2007. Sign-ups and renewals after this date are billed at the new rates.
Pricing can be calculated by using our Datafeed Price calculator. |
| Service Restrictions |
|
Spamhaus evaluates every Datafeed service application to ensure the applicant is bona fide and is not involved in the provision or support of spam services.
Service Refusal
The Datafeed service is refused to any ISP with excessive SBL listings, bad enough to be listed in the Spamhaus 'TOP 10 Worst Spam ISPs' chart. Spamhaus considers an ISP whose spam control practices are so bad that the ISP is listed in our "TOP 10" to be "knowingly facilitating spam operations (for profit)". The consensus is that such ISPs should be putting far greater efforts into reducing the spam problems they cause and that it is hypocritical to attempt to reduce incoming spam to their own customers much of which is caused by them in the first place.
|
| I don't need this service, I got a Barracuda instead... |
|
The main part of spam filtering done by devices such as the Barracuda is in fact DNSBL ("External Blocklist") filtering using the Spamhaus DNSBLs; SBL, XBL and PBL. So if you are using a Barracuda or similar spam filter appliance and you don't have a Datafeed subscription from an authorized Datafeed vendor then you're almost certainly using our DNSBL service by querying Spamhaus's free public DNSBL servers.
What follows, is that if your email volume is big enough that you need a Barracuda or similar spam filter appliance, then you certainly CAN NOT use our free public DNSBL servers.
Because our public DNSBL servers get heavily abused by companies with spam filter appliances, Spamhaus has implemented a control system on the public DNSBL servers to flag and firewall those users. Please ensure that if you are using Spamhaus DNSBLs in any part of your corporate or high-volume spam filtering setup, you have a Datafeed subscription in place first. |
|
