Using Windows 2000 DNS Server as a DNS Blacklist/Blocklist


Troy Forsythe

I have searched high and low and have yet to see a clear concise
answer to the question of whether a Windows 2000 DNS Server could be
used to host a DNS Blacklist/Blocklist service. I already subscribe
to publicly available blocklists and they do a good job of keeping our
SPAM down. My greatest remaining problem is dealing with the hordes
of virus infected emails coming in. We have AV software which
catches, and then automatically deletes infected messages. When time
permits I also try and track down the source of the infection using
SMTP logs and notify the associated abuse department. However I find
that many times my complaint is not acted upon, or it may take quite
some time (weeks) before the problem is addressed. I would like to
create a DNS blacklist that I host locally, that I can update with the
IP address of systems which I know are infected. Then I could
instruct Exchange 2003 to simply drop the connection from these known
infected hosts rather than accepting the virus infected email. I have
thought about using Global Deny IP lists instead of a DNSBL but there
is one drawback. The global deny list works, and quite well
especially if combined with a programmatic tool to add/delete members
from the list but the connecting system is simply dropped, it is not
notified that there was a problem. DNSBLs on the other hand return an
error code to the attempted sender. Granted I understand that a virus
SMTP agent would not accept these errors, but it would be helpful
that if the client actually tried to send legitimate email, they would
receive a warning back from the DNSBL system stating that delivery
failed because of known virus infection.

Here is what I have:
Windows 2000 SP3 Server hosting DNS for the local domain
Exchange 2003 on a separate Windows 2000 SP3 box hosting email for the
local domain


Here is what I would like to have happen:

'Host A' sends infected email to our domain
Antivirus system picks up on infection deletes email
Administrator tracks down source IP address related to infected
message
Administrator adds IP address to DNSBL residing on local Windows 2000
DNS server
'Host A' attempts to send infected email
Exchange queries local DNSBL, finds IP exists, returns error message
like the following:

550 5.x.x Sender denied, known virus infected host. If you feel this
is an error or if the virus infection has been cleaned contact
xxxxxxxx to have your system removed from our block list.

Does anyone know if this is possible?
Could anyone show me the proper format for the DNS entries that would
need to be made for this to work?

Thanks,
Troy Forsythe
 

Kevin D. Goodknecht Sr. [MVP]

In
Troy Forsythe said:
I have searched high and low and have yet to see a clear concise
answer to the question of whether a Windows 2000 DNS Server could be
used to host a DNS Blacklist/Blocklist service. I already subscribe
to publicly available blocklists and they do a good job of keeping our
SPAM down. My greatest remaining problem is dealing with the hordes
of virus infected emails coming in. We have AV software which
catches, and then automatically deletes infected messages. When time
permits I also try and track down the source of the infection using
SMTP logs and notify the associated abuse department. However I find
that many times my complaint is not acted upon, or it may take quite
some time (weeks) before the problem is addressed. I would like to
create a DNS blacklist that I host locally, that I can update with the
IP address of systems which I know are infected. Then I could
instruct Exchange 2003 to simply drop the connection from these known
infected hosts rather than accepting the virus infected email. I have
thought about using Global Deny IP lists instead of a DNSBL but there
is one drawback. The global deny list works, and quite well
especially if combined with a programmatic tool to add/delete members
from the list but the connecting system is simply dropped, it is not
notified that there was a problem. DNSBLs on the other hand return an
error code to the attempted sender. Granted I understand that a virus
SMTP agent would not accept these errors, but it would be helpful
that if the client actually tried to send legitimate email, they would
receive a warning back from the DNSBL system stating that delivery
failed because of known virus infection.

Here is what I have:
Windows 2000 SP3 Server hosting DNS for the local domain
Exchange 2003 on a separate Windows 2000 SP3 box hosting email for the
local domain


Here is what I would like to have happen:

'Host A' sends infected email to our domain
Antivirus system picks up on infection deletes email
Administrator tracks down source IP address related to infected
message
Administrator adds IP address to DNSBL residing on local Windows 2000
DNS server
'Host A' attempts to send infected email
Exchange queries local DNSBL, finds IP exists, returns error message
like the following:

550 5.x.x Sender denied, known virus infected host. If you feel this
is an error or if the virus infection has been cleaned contact
xxxxxxxx to have your system removed from our block list.

Does anyone know if this is possible?
Could anyone show me the proper format for the DNS entries that would
need to be made for this to work?

The problem with your solution is that you will be blocking SMTP servers that
could also be delivering legitimate e-mail, blocking the SMTP server will
block the legitimate mail as well.
Blocking senders won't work either because many of these viruses and trojans
will falsify the from line, as well. So, you may not really know exactly who
the sender was.
I know what you are going through, right now there is one sender that lives
in Lubbock Tx that has an infected machine, I can't block the SMTP server
because I know for a fact that I receive a lot of legitimate email from it.
The sender can't be tracked from the "from" line because the virus doesn't
use the actual sender's address and the sender is on a Dynamic connection
because the sender's IP keeps changing. About all I can do is contact his or
her ISP and track them down by the IP and alert them of their infected
machine.
 

Dr.X

....
Does anyone know if this is possible?
Could anyone show me the proper format for the DNS entries that would
need to be made for this to work?

Thanks,
Troy Forsythe

I know it is possible. I use one myself to block direct to mx spam/virus.
I came here once asking the same thing and this crowd helped quite a bit.

The format would be d.c.b.a.bl.yourdomain.com
where d.c.b.a is reversed IP address. bl is just a sub domain.

You can use dnscmd (Michael Snyder reminded me of its existence) to add and
remove ip addresses in the zone from a batch file.
Then just query the server as you would any other block list.

I'm not sure how much volume MS dns can handle since I only had about a
hundred mail servers querying it, but for that little bit it runs great.

Good luck,
Dr.X
 

Ace Fekay [MVP]

In
Dr.X said:
...

I know it is possible. I use one myself to block direct to mx
spam/virus.
I came here once asking the same thing and this crowd helped quite a
bit.

The format would be d.c.b.a.bl.yourdomain.com
where d.c.b.a is reversed IP address. bl is just a sub domain.

You can use dnscmd (Michael Snyder reminded me of its existence) to
add and remove ip addresses in the zone from a batch file.
Then just query the server as you would any other block list.

I'm not sure how much volume MS dns can handle since I only had about
a hundred mail servers querying it, but for that little bit it runs
great.

Good luck,
Dr.X


Hope it's not too overwhelming....

GFI's Mail Essentials is now offering a freeware version of their software
that handles RBLs:
www.gfi.com

Exchange 2003 can now handle RBLs:
823866 - How to configure connection filtering to use Realtime Block Lists
(RBLs) and how to configure recipient filtering in E:
http://support.microsoft.com/?kbid=823866

Implementing and Configuring Blacklist Support in Exchange Server 2003:
http://www.msexchange.org/tutorials/Blacklist_Support_Exchange_2003.html

Using Real-Time Blackhole Lists (RBL) to Filter Email From Your Exchange
Server:
http://www.nemx.com/solutions/rbl_popup.asp

You may want to take a look at the new IMF for Exchange 2003. This link has
numerous links as well to learn more about it and where to download it.
Using Microsoft Exchange Intelligent Message Filter:
http://www.msexchange.org/tutorials/Microsoft-Exchange-Intelligent-Message-Filter.html

Do-It-Yourself Test RBLs for Exchange 2003 [pay subscription]:
http://www.winnetmag.com/MicrosoftE...eID/42315/MicrosoftExchangeOutlook_42315.html

How do I use the Mail RSS [Mail Relay Spam Stopper]:
http://work-rss.mail-abuse.org/rss/exchange.html

Some other links:
MAPS RBL Usage:
http://mail-abuse.org/rbl/

Open Relay Database - Welcome to the ORDB.org - the Open Relay DataBase.:
http://www.ordb.org/

Troubleshooter Using Exchange 2003's RBL Feature (but have to pay for this):
http://www.winnetmag.com/MicrosoftExchangeOutlook/Article/ArticleID/40384/40384.html

Enterprise Spam Filters - numerous products for Exchange:
http://216.239.39.104/search?q=cach...7/38277.pdf+guide+to+use+the+RBL+filter&hl=en

RBL - Power Without Accountability [Anti-RBL article and lawsuits against
RBLs]:
http://www.ifn.net/classic/rblstory.htm


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 

Troy Forsythe

The problem with your solution is that you will be blocking SMTP servers that
could also be delivering legitimate e-mail, blocking the SMTP server will
block the legitimate mail as well.
Blocking senders won't work either because many of these viruses and trojans
will falsify the from line, as well. So, you may not really know exactly who
the sender was.
I know what you are going through, right now there is one sender that lives
in Lubbock Tx that has an infected machine, I can't block the SMTP server
because I know for a fact that I receive a lot of legitimate email from it.
The sender can't be tracked from the "from" line because the virus doesn't
use the actual sender's address and the sender is on a Dynamic connection
because the sender's IP keeps changing. About all I can do is contact his or
her ISP and track them down by the IP and alert them of their infected
machine.


Kevin,

Thanks for your reply. Yes I understand that there is the possibility
that I could block an ISP's SMTP server, although I think that the
risk for that is minimal. Here is why, given my current understanding
of how these viruses work (and please jump in if you have information
contrary to this)

Most of the mass mailing viruses are using their own SMTP engines
meaning that the IP address that is shown in the header should be the
infected machine, or an open relay, both of which I do not want to
accept mail from. Even if an infected user attempts to send a
legitimate message this should then use their ISP SMTP server which
would have a different IP, and thus should not be blocked. Also
messages sent this way should not be infected because the virus SMTP
engine is not generating the email (this point I'm not sure of, anyone
have any certain details?)

Since I can manually add IPs to the DNSBL, I can do a name resolution
beforehand to see if the name returned seems to indicate an end user
station or if it appears to be an actual ISP SMTP server (MX lookups
could also be done to improve the accuracy of this). I concede that
the system is not perfect, and you're absolutely right that valid mail
could get denied, but I guess I was hoping that the message returned
to the user via the DNSBL (in the form of an NDR) would have enough
info in it that they would understand why their message was rejected
and then use other means to contact us so that we can correct the
situation.

Your situation with the user in Tx that is infected is indeed an
aggravating one. It's too bad there isn't a better way.

Thanks for your comments.
 

Troy Forsythe

Dr.X said:
...

I know it is possible. I use one myself to block direct to mx spam/virus.
I came here once asking the same thing and this crowd helped quite a bit.

The format would be d.c.b.a.bl.yourdomain.com
where d.c.b.a is reversed IP address. bl is just a sub domain.

You can use dnscmd (Michael Snyder reminded me of its existence) to add and
remove ip addresses in the zone from a batch file.
Then just query the server as you would any other block list.

I'm not sure how much volume MS dns can handle since I only had about a
hundred mail servers querying it, but for that little bit it runs great.

Good luck,
Dr.X


I have seen some information about setting up entries as you
suggested but perhaps I'm missing something. Here is the part that
confuses me; Windows 2000 DNS does not allow '.' in the host names (at
least from the console) so the only way to enter in this format is to
create a new zone for each host and name the zone as you suggested.
If that is in fact true, once the zone is created what entries do I
need under that zone? Don't I need some sort of host record?
 

Ace Fekay [MVP]

In
Troy Forsythe said:
I have seen some information about setting up entries as you
suggested but perhaps I'm missing something. Here is the part that
confuses me; Windows 2000 DNS does not allow '.' in the host names (at
least from the console) so the only way to enter in this format is to
create a new zone for each host and name the zone as you suggested.
If that is in fact true, once the zone is created what entries do I
need under that zone? Don't I need some sort of host record?

Hostnames can't be created with a dot in them. They are just a hostname.
What exactly are you trying to create, if I may ask?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 

Troy Forsythe

Ace thanks for your reply. I understand that I cannot use '.' in a
hostname, which is why I am confused about Dr. X's earlier suggestion
which I've quoted below

-------snip
I know it is possible. I use one myself to block direct to mx
spam/virus.
I came here once asking the same thing and this crowd helped quite a
bit.

The format would be d.c.b.a.bl.yourdomain.com
where d.c.b.a is reversed IP address. bl is just a sub domain.

You can use dnscmd (Michael Snyder reminded me of its existence) to
add and
remove ip addresses in the zone from a batch file.
Then just query the server as you would any other block list.

I'm not sure how much volume MS dns can handle since I only had about
a
hundred mail servers querying it, but for that little bit it runs
great.

Good luck,
Dr.X
----snip

So at this point I am still confused.

For example if I want to add 192.168.1.1 to my DNSBL (I know it's a
Private address) would I create a zone named
1.1.168.192.bl.mydomain.com? And if so, under that zone what entries
do I need?

Any clarification is appreciated,
Troy.
 

Ace Fekay [MVP]

In
Troy Forsythe in said:
Ace thanks for your reply. I understand that I cannot use '.' in a
hostname, which is why I am confused about Dr. X's earlier suggestion
which I've quoted below

-------snip
I know it is possible. I use one myself to block direct to mx
spam/virus.
I came here once asking the same thing and this crowd helped quite a
bit.

The format would be d.c.b.a.bl.yourdomain.com
where d.c.b.a is reversed IP address. bl is just a sub domain.

You can use dnscmd (Michael Snyder reminded me of its existence) to
add and
remove ip addresses in the zone from a batch file.
Then just query the server as you would any other block list.

I'm not sure how much volume MS dns can handle since I only had about
a
hundred mail servers querying it, but for that little bit it runs
great.

Good luck,
Dr.X
----snip

So at this point I am still confused.

For example if I want to add 192.168.1.1 to my DNSBL (I know it's a
Private address) would I create a zone named
1.1.168.192.bl.mydomain.com? And if so, under that zone what entries
do I need?

Any clarification is appreciated,
Troy.

I believe in his example:
The format would be d.c.b.a.bl.yourdomain.com
where d.c.b.a is reversed IP address. bl is just a sub domain.

He's saying under the 'yourdomain.com' zone, create a child zone called
'bl', then under that zone, create a blank host entry, which is the (same as
parent) entry, and give it the reversed IP. Actually never did it this way,
and would use GFI or some other free solution.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroup so all
can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 

Jonathan de Boyne Pollard

DX> The format would be d.c.b.a.bl.yourdomain.com
DX> where d.c.b.a is reversed IP address. bl is just a sub domain.

TF> I have seen some information about setting up entries as your
TF> suggested but perhaps I'm missing something. Here is the part
TF> that confuses me; Windows 2000 DNS does not allow '.' in the
TF> host names (at least from the console) so the only way to enter
TF> in this format

The labels in the aforementioned format do not contain '.'s.

TF> is to create a new zone for each host and name the zone as
TF> you suggested. If that is in fact true, [...]

It isn't. "d", "c", "b", and "a" are, of course, just subdomains. There is
no necessity for them to be "zone" apices in their own right.
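
Added example (not written by any poster in this thread): a Python sketch of the layout the replies above arrive at, one zone holding a multi-label node per listed IP, with the dnscmd lines to list and delist an address and a lookup check that treats only 127.0.0.0/8 answers as "listed". The zone name comes from Troy's example; the server name dns1 and the 127.0.0.2 answer (the usual DNSBL convention) are assumptions not stated in the thread.

```python
import ipaddress
import socket

ZONE = "bl.mydomain.com"      # zone name taken from the thread's example
DNS_SERVER = "dns1"           # hypothetical DNS server name (assumption)
LISTED_ANSWER = "127.0.0.2"   # conventional DNSBL "listed" answer (assumption)


def node_name(ip):
    """Return the reversed-octet node name (d.c.b.a) for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split(".")))


def query_name(ip, zone=ZONE):
    """Full name a mail server looks up: d.c.b.a.<zone>."""
    return f"{node_name(ip)}.{zone}"


def dnscmd_add(ip, zone=ZONE, server=DNS_SERVER):
    """dnscmd line that lists ip: one A record inside the single zone."""
    return f"dnscmd {server} /RecordAdd {zone} {node_name(ip)} A {LISTED_ANSWER}"


def dnscmd_delete(ip, zone=ZONE, server=DNS_SERVER):
    """dnscmd line that delists ip (/f skips the confirmation prompt)."""
    return (f"dnscmd {server} /RecordDelete {zone} {node_name(ip)} "
            f"A {LISTED_ANSWER} /f")


def is_listed(ip, zone=ZONE, resolve=socket.gethostbyname):
    """True only if the lookup answers inside 127.0.0.0/8.

    A failed lookup (NXDOMAIN) means "not listed". Any other answer, such as
    a wildcard or parked-domain address, is ignored so that a broken zone
    cannot cause every sender to be rejected.
    """
    try:
        answer = resolve(query_name(ip, zone))
    except socket.gaierror:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


if __name__ == "__main__":
    # Troy's example address: no per-host zone is needed, only one record.
    print(dnscmd_add("192.168.1.1"))
    print(query_name("192.168.1.1"))
```
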
 
