TIP: Block Spam from domains on the South Africa ISPA Spam Hall of Shame using DNSBL

April 22, 2012 at 09:30 AM | categories: Postfix, Howto, Exim, Email, Linux, Tips, Security | View Comments

The South Africa Internet service providers association (ISPA) maintains a list of known spammers dubbed the Spam Hall of Shame. The list is contains both domains as well as email addresses, this list is published on a webpage without downloadable formats.

I extract the data from this web page and publish it in a DNSBL ispa.rbl.baruwa.net, i use this DNSBL in my SAAS mail security product. So anyone should be able to use it in a similar way to the other DNSBL's like spamhaus and spamcop etc.

Command line checking

You can check if a domain is on the list using the normal command line utilities

Using host:

host amazingresults.co.za.ispa.rbl.baruwa.net


amazingresults.co.za.ispa.rbl.baruwa.net has address

Using dig:

dig amazingresults.co.za.ispa.rbl.baruwa.net


;amazingresults.co.za.ispa.rbl.baruwa.net. IN A

amazingresults.co.za.ispa.rbl.baruwa.net. 1993 IN A

Checking the TXT output:

host -t txt amazingresults.co.za.ispa.rbl.baruwa.net


amazingresults.co.za.ispa.rbl.baruwa.net descriptive text 
"Domain amazingresults.co.za is listed in the ISPA Hall of Shame,


Usage of the DNSBL in various MTA's is described below.


Add the following to your rcpt acl (acl_check_rcpt:).

drop    message       = REJECTED - $dnslist_text
        dnslists      = ispa.rbl.baruwa.net/$sender_address_domain


Add to smtpd_recipient_restrictions after permit_mynetworks in your main.cf file

reject_rhsbl_client ispa.rbl.baruwa.net,
reject_rhsbl_sender ispa.rbl.baruwa.net,


Add to your mc file and rebuild the cf

FEATURE(rhsbl,`ispa.rbl.baruwa.net',`"550 Mail from domain " $`'&{RHS} " refused.
Domain is listed in the ISPA Hall of Shame -  http://ispa.org.za/spam/hall-of-shame/"')

How the data is extracted

The data is extracted using an automated custom web crawler written using Scrapy in Python. The crawler extracts both the domains and the email addresses, the domains are processed and added to the DNSBL, the emails addresses get processed and added to the email blacklists on our SAAS platform.


Some of these domains have resorted to using third party senders, which means the smtp envelope is no longer the one listed on the hall of shame, i have written a followup post which describes how you can identify and flag as spam these messages that bypass the SMTP time DNSBL checks.

blog comments powered by Disqus