The SURBL and URIBL Lists in Janet

Download as PDFDownload as PDF

The SURBL and URIBL Lists in Janet

Janet has taken out subscriptions for both the multi.surbl.org and the multi.uribl.com lists on behalf of all Janet customer organisations. This allows Janet to replicate the lists and make them available to all organisations on Janet.

The details of each list can be found at:

http://www.surbl.org/

http://www.uribl.com

How to use the Janet SURBL and URIBL lists

If your organisation has a Janet connection and wishes to use SURBL, you need only set the zone where the lookups are made, following the documentation for your e-mail server product, to:

            multi.surbl.dnsbl.ja.net

and to use URIBLs:

multi.uribl.dnsbl.ja.net

gold.uribl.dnsbl.ja.net

black.uribl.dnsbl.ja.net

If your organisation uses either or both of the SURBL and URIBL as part of an imported spam update, i.e. embedded in spamassassin or some other antispam method with regular updates, you can access the mirrors under their original names but you will need to configure your nameserver to forward your queries for the zone to the Janet feed.

To access the Janet mirrors of SURBL and/or URIBL as multi.surbl.org and/or multi.uribl.com, you should put static forwarding in your nameservers to forward all queries for the lists to the Janet nameservers as detailed below:

ns0.mail-abuse.ja.net.         128.86.8.120

ns1.mail-abuse.ja.net.         194.83.56.228

ns2.mail-abuse.ja.net.         194.83.56.244

ns3.mail-abuse.ja.net.         194.82.174.180

The current list of nameservers can be obtained at any time by querying the addresses of ns.mail-abuse.ja.net. Janet will ensure that ns.mail-abuse.ja.net always has an up to date list of the nameservers serving the DNSBL mirrors it offers.

Conditions of use

Eligibility and charges

There is no charge to organisations with a Janet connection for use of the Janet SURBL and URIBL feeds.

Both SURBL and URIBL themselves reserve the right to restrict direct access to their nameservers. They may require heavy users to set up a transfer arrangement, for which their distribution contractors make a charge.

Access control

To ensure that Janet resources remain available to Janet organisations, the zones are served by dedicated nameservers, configured to respond only to queries which come from within Janet. Resolvers within Janet that have been seen to be using the lookup service are checked to ensure that they do not forward requests from outside Janet.

You MUST take whatever precautions are necessary to prevent access through your network from outside Janet.

Specifically, the DNS resolvers under your control MUST NOT accept recursive DNS queries from outside your own network for data in the zones within dnsbl.ja.net. Note that it is ordinary good practice to prevent all such recursive lookups from outside.

The Janet operators will record the IP address of each resolver (or perhaps e-mail server) making lookups from the zone, and will test it from time to time to confirm that it correctly rejects recursive queries.

• If it does indeed reject them, no action will be taken and it will be allowed to continue to lookup data from the zone.

• If it permits access which it should not, the Janet operators will attempt to contact the person responsible for the IP address concerned, and will then help them to correct the faulty configuration. They may suggest workarounds if it proves difficult.

• If for any reason it is not possible to implement a secure arrangement within a reasonable period, the operators will bar access to the zones from the IP address concerned.

• If you believe you may have been barred, contact the Janet Service Desk.

Some networks may include DNS forwarders for internal use which are not themselves resolvers and are not the DNS clients known to the Janet nameservers. It is the responsibility of the organisation operating such a forwarder to ensure that it is not available for use from outside Janet; again, normal good practice is to make such a forwarder accessible only from within your own network.