Recommended exim blocklists to fight spam (DNS RBL blocklists)

SEO Guru

[UNOFFICIAL - Community] Recommended exim blocklists to fight spam

If you want to improve blocking incoming spam emails on your DirectAdmin servers you need to set up blocklists for exim. These blocklists are being queried by your server when you receive an email. By default your DirectAdmin installation uses 2 blocklists, Spamhaus and Barracudacentral. They are both very reliable but also a bit on the softer end, where they block less spam to reduce the amount of false positives. Setting up more blocklists will increase the amount of blocked spam coming to your server but might also have more false positives if you pick a blocklist that is too aggressive.

How to configure exim to use blocklists

/etc/exim.conf configuration (installation Q3 2023). It doesn't matter if your configuration looks slightly different.

Bash:
RBL_DNS_LIST=\
       b.barracudacentral.org : \
       zen.spamhaus.org

You can add extra blocklists by creating a new file to override the settings in /etc/exim.conf, which you should not edit; your changes might be lost some day. You create a new file: /etc/exim.strings.conf.custom

Bash:
RBL_DNS_LIST==bl.spamcop.net : b.barracudacentral.org : zen.spamhaus.org

Note: the assignment of RBL_DNS_LIST is different from /etc/exim.conf if you look at = and ==

Bash:
cd /usr/local/directadmin/custombuild
./build set eximconf yes
./build exim_conf

#RHEL
systemctl restart exim

Make sure you restart exim after you change the configuration.

You can monitor the blocking by checking the exim rejectlog

Bash:
cat /var/log/exim/rejectlog | grep 'Email blocked by'

My experiences with the following blocklists:

bl.spamcop.net ✅
Very trustworthy and operating for many years. They tend to block a good amount of spam besides Spamhaus and Barracudacentral. The amount of false positives is very low. This one is a must for your setup.

"Spamcop.net is one of the oldest DNSBLs of the many that are offered today. Their services were first publicly offered in 1992, and continue on to this day. On January 4, 2007 IronPort agreed to become a division of Cisco Systems, making SpamCop a Cisco service. While SpamCop is primarily a DNSBL, they also offer other services as well, such as email filtering, in which you can have SpamCop behave as an email delivery pre-filter.

SpamCop uses many of the same techniques as other DNSBLs, such as spamtraps, honeypots, open relays, open proxies, whitelists, and blacklist ranges. However, the primary method by which SpamCop gathers its listing data is from end users. End users are encouraged to forward copies of their spam into the SpamCop system. These emails are then analyzed; if the email meets certain criteria, the IP address of the sending SMTP server will be listed in SpamCop’s DNSBL."

psbl.surriel.com ?
Blocks roughly the same amount of spam that SpamCop does. Both are pretty comparable. False positives are very low. It's not as “enterprise” as Spamhaus, Barracudacentral and SpamCop (they are backed by big companies) but they have been operating since 2004.

"The Passive Spam Block List works in a really simple way. If one of the spamtraps receives email from a certain IP address, then that IP address gets listed. After a certain time the IP address times out and is automatically dropped from the list. However, if the IP address contains a real mail server, most likely one of the users of the mail server is going to notice the listing and will remove the mail server from the PSBL.
This way, mail servers should be listed on the PSBL for a short time, while spam zombies could stay listed for long times. Because of this the PSBL helps stop spam, while not unduly punishing the users of real mail servers that got abused once."

------
Other blocklists that I have not used myself but from what I read on different websites and forums they do have some reputation. Not all of them are exclusively spam blocklists.

xbl.spamhaus.org, Spamhaus has various separate lists
spam.spamrats.com
mail.bl.blocklist.de / imap.bl.blocklist.de / bl.blocklist.de
hostkarma.junkemailfilter.com
ix.dnsbl.manitu.net
combined.rbl.msrbl.net
spam.dnsbl.sorbs.net (a lot of people complained that they flag email too fast, this one probably has the most false positives but might also block a fair amount of unknown spammers)

-> bl.mxrbl.com (this person is also active on DA forum, this is a relatively more aggressive blocklist than Spamhaus and Barracudacentral. Probably knows more of the unknown spam which is not yet flagged by the bigger RBLs. Will definitely help you block more spam)

Always do your own research before adding a blocklist to your exim configuration!

------
Good to mention that most of the RBL websites look very dated and not used anymore but don't let that mislead you.

------
You should also consider reading the following DirectAdmin official documentation about exim and fighting spam.

 
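To go with the rejectlog check in the guide above, here is an added example (not part of the original post) that counts rejections per blocklist and lists the sender IPs one list rejected, so candidate false positives can be reviewed list by list. It assumes the zone name is the word directly after "Email blocked by"; the log lines are constructed samples.

```sh
#!/bin/sh
# Added example: summarise DNSBL rejections from the exim rejectlog (read on stdin).
# Assumption: the zone name is the word right after "Email blocked by".

# Rejections per blocklist, busiest first.
rbl_hits() {
    awk '
        match($0, /Email blocked by [^ ]+/) {
            zone = substr($0, RSTART + 17, RLENGTH - 17)   # 17 = length of the prefix
            count[zone]++
        }
        END { for (z in count) printf "%d %s\n", count[z], z }
    ' | sort -k1,1nr -k2,2
}

# Sender IPs rejected because of one blocklist.  $1 = zone
# The connecting IP is the bracketed address preceded by a space; a HELO
# literal such as H=([192.168.1.5]) is preceded by "(" and is skipped.
rbl_senders() {
    awk -v zone="$1" '
        index($0, "Email blocked by " zone) && match($0, / \[[0-9a-fA-F.:]+\]/) {
            ip = substr($0, RSTART + 2, RLENGTH - 3)
            seen[ip]++
        }
        END { for (ip in seen) printf "%d %s\n", seen[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation and private addresses), not real log data.
sample_rejectlog() {
    cat <<'EOF'
2023-10-02 08:14:03 H=mail.example.net [198.51.100.23] F=<a@example.net> rejected RCPT <info@example.org>: Email blocked by zen.spamhaus.org
2023-10-02 08:15:41 H=([192.168.1.5]) [203.0.113.77] F=<b@example.com> rejected RCPT <info@example.org>: Email blocked by bl.spamcop.net
2023-10-02 08:16:09 H=(WIN-PC) [203.0.113.77] F=<c@example.com> rejected RCPT <sales@example.org>: Email blocked by bl.spamcop.net
2023-10-02 08:20:55 H=mx.example.edu [192.0.2.10] F=<d@example.edu> rejected RCPT <info@example.org>: Email blocked by bl.spamcop.net
2023-10-02 08:21:30 H=(x) [198.51.100.99] F=<e@example.net> rejected RCPT <info@example.org>: relay not permitted
EOF
}

# Demo on the sample; on a server use: rbl_hits < /var/log/exim/rejectlog
sample_rejectlog | rbl_hits
sample_rejectlog | rbl_senders bl.spamcop.net
```

A list with few hits of its own adds little, while a list whose rejected senders include known-good mail servers is the one to drop first.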
Compliments, very nice and clear guide! (y)

Maybe a comment about abuseat.
cbl.abuseat.org ✅
Very trustworthy blocklist which is a division of Spamhaus.
CBL ceased to exist as separate RBL and went over to Spamhaus completely. At a certain time the cbl will stay but the abuseat.org domain part will stop completely in the near future so it's better to switch over now. It was a very good list.

There it ends for me, and this is my reason/experience for this decision.
Personally I removed zen.spamhaus.org because of too many false positives. In 2 periods they checked the very original sender instead of the sending MTA, so they found the user's dynamic ISP IP, which of course caused false blacklisting. Because these IPs (at least from our country) are in the Spamhaus list by default.
So I stopped using it, then after some time I put them back in again for usage. And after some time, the same issue happened again. Same bug, again looking at originating sender IP instead of MTA IP causing spam blocks, so I stopped using Spamhaus again.

A rather new negative experience is that they already put domains which never sent mail before on some list, causing issues of course. Experienced this myself on a freshly installed VPS (we normally use servers) and I was able to get that domain off the list and next month the domain was back on the list, couldn't get it off and they were not prepared to help me or provide further information as reason or whatever.
While that domain or vps wasn't on any blacklist and was even new, had been parked and never had mailed before.
Point of interest, that domain was only admin domain and for nameservers of this vps and didn't even send out mail except maybe some system mails to some users, as all our servers do too. The few customers which were on there temporarily didn't send spam either.
That was the 3rd time I had issues with Spamhaus so my experience was good in the past, but changed over the years to negative and not using Spamhaus anymore for these reasons, especially the last experience with them.

Barracudacentral and for sure Spamcop are very good.

The mxrbl (from @mxroute) also is a very great list, blocks loads of spammers and bots. Mxroute himself is great with mail related things.
Only downside of this list is that it blocks complete netblocks a bit fast, causing good servers to be blocked too, sometimes a bit too much. For only this reason I stopped using this, because I don't want to whitelist all kinds of valid IPs myself and I got complaints of a couple of customers that important mail got blocked.

Thanks for the surriel.com tip, will have a look at that and maybe for some of the others mentioned too!
 
Is Mailspike still present? I just checked and I found their website at mailspike.io but I just ran an nslookup for bl.mailspike.net and got no results. So I wonder if they still work or have a temporary DNS issue.

I'm trying "imap" and "mail" from the "blocklist.de" now and the psbl.surriel.com which you pointed to.
 
Here is a good comparison about positive
Watch out with that list. Because I see all 3 UCEPROTECT lists on that list and they are known blacklist scammers.
You can get on those lists really for nothing, and there is no way to get off without payment. They get a higher score than Spamcop and inaccuracy of 0% which can't be true because of the false positives they often have.
We get several times a year on one of their lists while not being on any other list in the world, for no reason at all. So I would strongly advise to ignore the Uceprotect lists and not use them.

So I don't know who is creating that list, but only the fact that UCEPROTECT is on there with such high score, gives me doubts about the accuracy of that list.
Also because mailspike is still on there while they don't have DNS entry or A record which I just discovered in my previous post.

Never heard of the highest scorers (DCC and GBUDB.com Truncate) either. Did you ever hear of them, experience with them?
 
Thanks for your detailed reply.

I did not know about cbl.abuseat.org. I will remove them from the list as zen.spamhaus.org is already there. I think because I configured cbl.abuseat.org as the very first rbl they might catch spam that would otherwise be caught by zen.spamhaus.org. Personally I do not find many false positives when using zen.spamhaus.org, I'm struggling to find any actually when I look at the rejectlog. But maybe your server(s) get more spam than mine?

Will remove mailspike, as said I did not use that one myself but found it, their website is still in use but their RBL service isn't anymore.

psbl.surriel.com is pretty good, also mentioned quite a few times on other forums and websites.
 
But maybe your server(s) get more spam than mine?
If I understand correctly, the CBL part will keep existing but at Spamhaus, maybe they will create a cbl.spamhaus.org or something like that, but I can be wrong, I'm not native English.

I don't think that we get more spam than you do. But as said these were periodic issues. Couple of years ago this happened. Then I didn't use them for some time and started to use them again and they were in fact good, like you also experienced. And then a second time the same issue happened, at least for a certain period but for me that was reason enough to stop using them again and then definitely, because I didn't want to put some RBL on and off every time.
I was thinking of enabling them again, until my experience with the new domain and the new vps we had temporarily for moving servers, so we temporarily put some account backups there and a new domain as admin domain to get things to work correctly. Rest of the story I told. So for me, Spamhaus is end of story.

As for mailspike, it's odd because it is/was a good system, it's still mentioned at their website, so hence I was thinking it might be a temporary DNS issue at first, but it looks they are stopped because it's already some time like that.

psbl.surriel.com is pretty good, also mentioned quite a few times on other forums and websites.
Yep, thanks again for that tip! If satisfied, I'll surely copy that one to other servers, together with the imap and mail from blocklist.de.
 
Mailspike is still mentioned on
Yes that is what we said too in post 3 and 6 and 7. Which is why I thought it might be a temporary DNS issue, but it's already for a bit longer time. But I can't find anything on Google that they would have stopped either, so it's very odd.

The ip check on their site also still works. But I can't imagine the RBL to work if the bl.mailspike.net can't be found in DNS.
 
Too many false positives.
Yes probably due to the complete netblocks which I mentioned in the downside of using this list. Unfortunately for this reason I had to stop using this myself too. But I do still use it in my Mailwasher Pro at home as pre-selection for anti spam. :)
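The thread's question of whether a blocklist zone still answers can be checked before the zone goes into RBL_DNS_LIST; the following is an added example, not code from any poster. It relies on RFC 5782 (a working IPv4 DNSBL lists the test address 127.0.0.2 and does not list 127.0.0.1) and on Spamhaus's documented 127.255.255.x error codes; it assumes `dig` is installed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: sanity-check DNSBL zones before adding them to RBL_DNS_LIST.
# Run it on the mail server so it uses the same resolver exim does.

# Build the DNSBL query name: reversed IPv4 octets + zone.  $1 = IP, $2 = zone
dnsbl_qname() {
    echo "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Classify a zone from the A answers for 127.0.0.2 ($1) and 127.0.0.1 ($2).
# An empty string means NXDOMAIN or no answer.
dnsbl_classify() {
    case "$1" in
        127.255.255.*) echo "error-code" ;;     # refusal code (e.g. public resolver), not a listing
        "")            echo "no-test-entry" ;;  # zone gone, unreachable or filtered
        127.*)         if [ -n "$2" ]; then
                           echo "lists-everything"  # answers for 127.0.0.1 too: would reject all mail
                       else
                           echo "ok"
                       fi ;;
        *)             echo "unexpected" ;;     # non-127/8 answer, e.g. parked or hijacked domain
    esac
}

# Query one zone for both test addresses and print its status.  $1 = zone
dnsbl_check() {
    hit=$(dig +short A "$(dnsbl_qname 127.0.0.2 "$1")" | head -n 1)
    miss=$(dig +short A "$(dnsbl_qname 127.0.0.1 "$1")" | head -n 1)
    printf '%-28s %s\n' "$1" "$(dnsbl_classify "$hit" "$miss")"
}

# Usage: ./dnsbl-check.sh bl.spamcop.net psbl.surriel.com zen.spamhaus.org
for zone in "$@"; do
    dnsbl_check "$zone"
done
```

Only zones reported as `ok` are worth adding; `error-code` usually means the server's resolver is being refused by the list operator and should be fixed before that list is trusted.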
 