DNSBL-LH, DNSBL-RH action

Checks if the message addresses belong to the DNSBL lists and sets this tag if they do.

Description

dnsbl-rh - check the IP address in DNSBL-RHSBL.

dnsbl-lh - check the host name in DNSBL-LHSBL.

If one of the addresses is on one of the DNSBL lists, the action increments the value of the specified tag by 1.

The list is always checked completely.

Each address (or host name) included in each DNSBL list increases the tag by 1. That is, if both the source address and the destination address are on the same DNSBL list, the tag is increased once for each hit.

The tag value may be further analysed in filter conditions, and decisions may be taken based on the inclusion of message addresses in DNSBL lists.

Format

<action name="dnsbl-rh"
       address="<address-type>"
       tag="<tag-name>"
       value="<dns-bl domains list>" />
<action name="dnsbl-rh"
       address="<address-type>"
       tag="<tag-name>"
       data="<dns-bl domains list source>" />
<action name="dnsbl-lh"
       address="<address-type>"
       tag="<tag-name>"
       value="<dns-bl domains list>" />
<action name="dnsbl-lh"
       address="<address-type>"
       tag="<tag-name>"
       data="<dns-bl domains list source>" />

The "name" attribute:

The name attribute contains the action name: name="dnsbl-rh" or name="dnsbl-lh".

The "address" attribute:

The address="..." attribute specifies which address type is checked against the lists. Possible values:

"src" or "client"

Check only source address.

"dst" or "server"

Check only destination address.

"both" or "all" or "*"

Check both addresses (source and destination).

If this attribute is not specified, the value "both" is assumed (check both addresses).

The "tag" attribute:

The tag="..." attribute specifies the name of the tag to be increased.

The "value" attribute:

The value="..." attribute lists DNSBL domains.

Multiple domains are separated with a comma ','.

Domains may also be specified as the text content of the <action> element instead of the value="..." attribute: <action name="dnsbl-rh" tag="...">dns-bl-domains-list</action>

The "data" attribute:

The data="..." attribute may contain another source for the DNSBL domains list. You can use it to specify long lists instead of specifying them in the value="..." attribute.

Possible values:

data="<extern data name>"

Load the list from the external block in the filter (the <data name="extern-data-name">...</data> tag).

data="extern://<extern data name>"

Load the list from the external block in the filter (the <data name="extern-data-name">...</data> tag). DNSBL domains are separated with commas.

data="file://<full-file-path>"

Load the list from a file. Each DNSBL domain is specified in a new line (no commas required).

Example

<action name="dnsbl-rh" tag="SPAM">
 bl.spamcop.net, vote.drbl.sandy.ru,
 sbl.spamhaus.org, cblplus.anti-spam.org.cn
</action>

Increases the "SPAM" tag if message addresses belong to one of the DNSBL lists. If an address belongs to one of the lists, the "SPAM" value is equal to 1. If the address is on two lists, the "SPAM" value is equal to 2, etc.

In a subsequent check, the value ("SPAM" > 3) would indicate apparent spam, while a lesser value would just arouse suspicion. If both addresses are on the same DNSBL list, the tag is increased by 2.

<action name="dnsbl-rh" address="src" tag="SPAM">
 bl.spamcop.net, vote.drbl.sandy.ru,
 sbl.spamhaus.org, cblplus.anti-spam.org.cn
</action>

Checks only the source IP address.

<action name="dnsbl-lh" address="dst" tag="SPAM">
 bl.spamcop.net, vote.drbl.sandy.ru,
 sbl.spamhaus.org, cblplus.anti-spam.org.cn
</action>

Checks only the hostname of the destination.
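As an added illustration (not the product's own code), a small Python model of the counting rule described above: each selected address is looked up in each listed DNSBL zone and every hit adds 1 to the tag, so a source and destination on the same list add 2. The DNS answers, the example zones and the query-name forms (reversed IPv4 octets for dnsbl-rh, host name prefix for dnsbl-lh) are constructed assumptions, not taken from this product.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed DNS stand-in (runs offline): DNSBL query names that would answer "listed".
LISTED_QUERIES = {
    "2.0.0.192.bl.example.invalid",         # 192.0.0.2 on bl.example.invalid
    "2.0.0.192.sbl.example.invalid",        # 192.0.0.2 on sbl.example.invalid
    "9.0.0.192.bl.example.invalid",         # 192.0.0.9 on bl.example.invalid
    "mail.bad.example.lh.example.invalid",  # host mail.bad.example on lh.example.invalid
}

def constructed_resolver(qname: str) -> bool:
    return qname in LISTED_QUERIES

def rh_query(ip: str, zone: str) -> str:
    """dnsbl-rh lookup name: IPv4 octets reversed, then the list zone (standard DNSBL form)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lh_query(host: str, zone: str) -> str:
    """dnsbl-lh lookup name: host name followed by the list zone (assumed form)."""
    return host.rstrip(".") + "." + zone

def parse_domains(value: str) -> List[str]:
    """Comma-separated list as given in value="..." or an extern <data> block."""
    return [d.strip() for d in value.split(",") if d.strip()]

def select_addresses(address: Optional[str], src: str, dst: str) -> List[str]:
    """Map the address="..." attribute to the addresses to check; unset means both."""
    if address in ("src", "client"):
        return [src]
    if address in ("dst", "server"):
        return [dst]
    if address in (None, "both", "all", "*"):
        return [src, dst]
    raise ValueError(f"unknown address type: {address!r}")

def dnsbl_action(name: str, tags: Dict[str, int], tag: str, src: str, dst: str,
                 domains: str, resolver: Callable[[str], bool],
                 address: Optional[str] = None) -> int:
    """Apply one dnsbl-rh / dnsbl-lh action: every list is consulted for every
    selected address and each hit adds 1 to the tag. Returns the increment."""
    if name not in ("dnsbl-rh", "dnsbl-lh"):
        raise ValueError(f"unknown action: {name!r}")
    build = rh_query if name == "dnsbl-rh" else lh_query
    hits = sum(1 for addr in select_addresses(address, src, dst)
               for zone in parse_domains(domains) if resolver(build(addr, zone)))
    tags[tag] = tags.get(tag, 0) + hits
    return hits
```

With the constructed data, a filter condition such as ("SPAM" > 3) can then be evaluated against the resulting tag dictionary.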

Example

Checks all message addresses against the DNS-BL list. Mark hits with the SPAM tag. Delete messages with the SPAM tag and accept all other messages.

<?xml version="1.0" encoding="utf-8"?>
<filter name="Message filter" version="1.0">
 <comment>Message filter.</comment>
 
 <table name="main">
   <rule enabled="1">
     <comment>
       Checks all message addresses against the DNS-BL list. Hits
       are to be marked with the SPAM tag.
     </comment>
     <action name="dnsbl-rh"
             address="both" tag="SPAM"
             data="extern://dns-bl-list" />
   </rule>
 
   <rule enabled="1">
     <comment>Delete spam.</comment>
     <match>
       <c name="tag-exist" value="SPAM" />
     </match>
     <action name="drop" />
   </rule>
 
   <rule enabled="1">
     <comment>Accept the rest.</comment>
     <action name="accept" />
   </rule>
 
 </table>
 
 <data name="dns-bl-list">
   bl.spamcop.net,
   vote.drbl.sandy.ru,
   sbl.spamhaus.org,
   cblplus.anti-spam.org.cn
 </data>
 
</filter>