This article applies to:
- Trustwave MailMarshal (SEG)
Question:
- What is ZEN?
- How is ZEN different from other blocklists such as SBL and XBL?
Information:
The ZEN blocklist provided by Spamhaus is a master list that rolls up several types of checks. A key part of the ZEN DNSBL is the Policy Block List (PBL), a database of dynamic and end-user IP addresses that are not authorized to send SMTP email directly. ZEN combines this newer PBL list with the well-established SBL and XBL lists.
When used wisely, ZEN can be an effective part of anti-spam configuration.
Difference between ZEN and other blocklists such as SBL and XBL
ZEN is a combination of the familiar SBL and XBL blocklists, along with the PBL list. ZEN, or more specifically the PBL, is quite different from more traditional DNSBLs like SBL and XBL. Failure to use ZEN as advised by Spamhaus could result in significant false positives.
Traditionally, DNSBLs contain known spam sources - IP addresses that, if found in any Received header, indicate that the message ultimately originated from a known spam source. The PBL is quite different. It aims to list all dynamically assigned IP addresses which have not been authorized to send email directly.
For more information see:
http://www.spamhaus.org/zen
IMPORTANT: Use ZEN as advised by Spamhaus
It is important to note that the PBL is intended to be used on connecting IP addresses only. The list’s purpose is to block email traffic coming directly from listed dynamic IP addresses. Email traffic coming from a dynamic IP address via an authorized MTA should, in theory, be allowed.
For spam filters like MailMarshal that parse Received headers, Spamhaus issues a word of caution: parsing the Received lines and validating the IP addresses of previous hops could lead to significant false positive issues.
Usage Options
Using ZEN at the MailMarshal Receiver:
A natural place to use ZEN is at the Receiver. This is because the PBL specifically targets dynamic IP addresses that send email directly to their target server (for instance, your server).
- Open MailMarshal Configurator or MailMarshal (SEG) 10 Management Console.
- Navigate to Policy Elements | Reputation Services.
- Check that Spamhaus Zen is listed (it is available by default in current versions of SEG). If it is not, add zen.spamhaus.org as a domain name to validate against.
- Create or enable a Receiver Rule which uses the DNSBLs listed in the Reputation Services list. In current versions a rule is present but not enabled by default.
- Commit configuration.
Using ZEN with the MailMarshal Engine:
Increased caution should be used if enabling ZEN as a Content (Engine) rule. As mentioned above the MailMarshal Engine parses the header for IP addresses. In order to avoid false positives, you may wish to apply ZEN to the most recent Received line only.
Modify your existing Spamhaus.xml (by default, located in the Config folder under MailMarshal install folder), or create a new XML file specifically for the ZEN blocklist.
- If you are using Engine rules, do not duplicate lookups already performed by Receiver rules. Although current versions of SEG cache DNS results, there is no need to re-query, even from the local cache.
Recommended Usage
To maximize the efficiency and accuracy of ZEN we should aim to:
- Minimize the number of DNS calls made
- Validate only the appropriate IP addresses against each list.
One way to achieve this is to use two Eval statements in the Spamhaus category script. One invokes the PBL and one invokes the SBL/XBL.
If using current versions of SEG, use the following Eval statements:
<Eval Name="SpamhausZEN_PBL" Enabled="true" Score="60" Type="DNSLookup" Description="IP Listed on Spamhaus ZEN (PBL)" LookUpRetry="1" Data="zen.spamhaus.org" ProcessFirstIPs="1" Expect="127.0.0.10-127.0.0.11" Except="DNSBlacklistExclusions" />
<Eval Name="SpamhausZEN_SBLXBL" Enabled="true" Score="60" Type="DNSLookup" Description="IP Listed on Spamhaus ZEN (SBL or XBL)" LookUpRetry="1" Data="zen.spamhaus.org" Expect="127.0.0.2-127.0.0.8" Except="DNSBlacklistExclusions" />
Note: Ensure there are NO SPACES in the Expect= string. Otherwise it will not be parsed correctly. (The default installation of MailMarshal 6.2.0.2977 includes spaces in this string; they should be removed.)
Expect="127.0.0.10-127.0.0.11" limits the Eval to trigger only if the response from ZEN is in the range 127.0.0.10 to 127.0.0.11; this range indicates that the IP was listed on the PBL. The Expect= functionality is only available in MailMarshal from version 6.2 onwards.
If using MailMarshal 6.1 or any older version, use the following Evals:
<Eval Name="SpamhausZEN" Enabled="true" Score="60" Type="DNSLookup" Description="IP Listed on Spamhaus ZEN" LookUpRetry="2" Data="zen.spamhaus.org" ProcessFirstIPs="1" Except="DNSBlacklistExclusions" />
<Eval Name="SpamhausSBLXBL" Enabled="true" Score="60" Type="DNSLookup" Description="IP Listed on Spamhaus SBL-XBL" LookUpRetry="2" Data="sbl-xbl.spamhaus.org" SkipFirstIPs="1" Except="DNSBlacklistExclusions" />
Note: SkipFirstIPs="1" configures MailMarshal to skip the first (i.e. most recent) IP found in the header. ProcessFirstIPs="1" configures MailMarshal to check only the first IP found in the header.
In the above example, SpamhausZEN validates only the first IP address against zen.spamhaus.org. This is the correct configuration for the PBL, but on its own it could lead to false negatives (missed spam) for earlier-hop IPs listed on the XBL or SBL. For this reason we need a second Eval to utilize SBL-XBL.
SpamhausSBLXBL validates all except the first IP against sbl-xbl.spamhaus.org.
Even though we’ve used two Eval statements, no extra or unnecessary DNS lookups are performed.
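The following Python model, added here and not part of MailMarshal or Spamhaus, shows how the two Eval statements above split a single zen.spamhaus.org answer per hop by return code: PBL codes count only for the connecting (first) IP, while SBL/XBL codes count for every hop. It assumes hop IPs have already been parsed from the Received headers and uses a constructed in-memory resolver in place of real DNS.

```python
import ipaddress

# Added example, not MailMarshal or Spamhaus code. It models how the two
# Eval statements above split one zen.spamhaus.org answer per hop by return
# code: PBL codes count only for the connecting (first) IP, SBL/XBL codes
# count for every hop. Ranges are the Expect= values quoted in the article.
ZEN_ZONE = "zen.spamhaus.org"
PBL_RANGE = ("127.0.0.10", "127.0.0.11")     # SpamhausZEN_PBL Expect=
SBL_XBL_RANGE = ("127.0.0.2", "127.0.0.8")   # SpamhausZEN_SBLXBL Expect=

def zen_query_name(ip):
    """DNSBL query name: IPv4 octets reversed, under the ZEN zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + ZEN_ZONE

def in_range(code, rng):
    lo, hi = (ipaddress.IPv4Address(x) for x in rng)
    return lo <= ipaddress.IPv4Address(code) <= hi

def evaluate_hops(hop_ips, resolver, score=60):
    """hop_ips: addresses from Received headers, connecting IP first.
    resolver(name) -> A records for the query name, [] if not listed.
    One lookup per hop feeds both Evals, so no extra DNS traffic."""
    total, hits, lookups = 0, [], 0
    for idx, ip in enumerate(hop_ips):
        codes = resolver(zen_query_name(ip))
        lookups += 1
        # ProcessFirstIPs="1": a PBL listing only matters for the first hop.
        if idx == 0 and any(in_range(c, PBL_RANGE) for c in codes):
            total += score
            hits.append(("SpamhausZEN_PBL", ip))
        # The SBL/XBL Eval has no hop restriction.
        if any(in_range(c, SBL_XBL_RANGE) for c in codes):
            total += score
            hits.append(("SpamhausZEN_SBLXBL", ip))
    return total, hits, lookups

# Constructed, offline stand-in for DNS answers (documentation-range IPs).
SAMPLE_ANSWERS = {
    zen_query_name("203.0.113.7"): ["127.0.0.11"],  # connecting IP on PBL
    zen_query_name("198.51.100.9"): ["127.0.0.4"],  # earlier hop on XBL
    zen_query_name("192.0.2.1"): ["127.0.0.10"],    # earlier hop, PBL only
}
SAMPLE_HOPS = ["203.0.113.7", "198.51.100.9", "192.0.2.1"]

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])
```

With the constructed sample, the connecting IP scores on the PBL Eval, the second hop scores on the SBL/XBL Eval, and the PBL-only listing of the third hop is ignored, which is the false positive the article warns about when the PBL is applied to earlier hops.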