Successfully Rejecting Spam and Other Unwanted Email with Newly Observed Domains and RPZ

For around two decades, I have run mail services for some friends and family. This includes a variety of anti-spam techniques. (Years ago, I did professional mail service migrations and consulting, mail server software development, and taught Exim and Postfix workshops.) This blog article briefly highlights my use of a Farsight Security Newly Observed Domains RPZ feed as another method to stop some spam and other unwanted email before other blacklists or filters know about the senders. I have been using it now for over a year. The servers protected by the service normally get around 7,600 inbound SMTP connections per day, of which roughly 1,000 messages per day get blocked by the RPZ service.

About Farsight RPZ

RPZ, or Response Policy Zones, provide alternate responses to DNS queries. Simple rules, written in standard DNS master zone file format, define a DNS firewall that can block or redirect clients based on DNS names or on the IP addresses associated with DNS names.

These Response Policy Zones can be implemented in an RPZ-capable nameserver like BIND9, Unbound with Farsight Security's FastRPZ add-on, Infoblox DNS Firewall, or BlueCat DNS firewall. It doesn't require any mail server configuration changes.

Farsight Security offers Response Policy Zones containing firewall rules for domains newly observed by its DNS sensor network. These Newly Observed Domains (or NOD) are usually brand new domains, or domains that have only just started being queried by users. The zones are provided for different time periods: 5 minutes, 10 minutes, 30 minutes, 1 hour, 3 hours, 12 hours, and 24 hours.

Using RPZ to Block Spam and Other Unwanted Email

I use the 24-hour feed with the hope that other reputation services will have had a chance to assess and block any bad domains by the time an entry expires. I don't know of any legitimate emails we have missed that would have been sent to my mail server with a one-day-old domain.

A recent 24-hour zone snapshot contained 262,825 unique, recently observed domain names. The zones also include DNS wildcards, so hostnames under those domain names match as well. The zones are updated frequently using IXFR.

When a matching name is looked up, the rules return NXDOMAIN, so from the mail server's point of view the domain does not exist. This is a lightweight addition, since it lets the mail server reject email before the message is fully received and before content filtering or other checks run.

On my mail server, for a three-day period this month, an RPZ feed was used to reject 2,979 spam emails. This represented only 42 unique names (out of many thousands in the RPZ feeds).

The rejected emails are assumed to be spam or other unwanted messages, because they were rejected early by Postfix sender address checks (domain not found) rather than by other anti-spam heuristics. One idea behind using the short-term Farsight Security RPZ feeds is to give other detection and reputation systems time to identify the mail senders as unwanted by the time the Farsight zone entry expires. As an example, shortly after the domain names were no longer in the RPZ feeds, several later emails associated with a few of the same names were rejected by matching the spammer's client IP against the bl.spamcop.net and zen.spamhaus.org DNS-based blackhole lists.

As I wrote this blog post, I saw a small burst of attempted spam as logged by the BIND named nameserver:

  11-Sep-2019 16:43:16.867 rpz: info: client 127.0.0.1#54273 (mail.amercianstudy.xyz): view internet: rpz QNAME NXDOMAIN rewrite mail.amercianstudy.xyz via mail.amercianstudy.xyz.24h.rpz.dns-nod.net
  11-Sep-2019 16:43:16.882 rpz: info: client 127.0.0.1#54272 (mail.amercianstudy.xyz): view internet: rpz QNAME NXDOMAIN rewrite mail.amercianstudy.xyz via mail.amercianstudy.xyz.24h.rpz.dns-nod.net
  11-Sep-2019 16:43:16.894 rpz: info: client 127.0.0.1#54271 (mail.amercianstudy.xyz): view internet: rpz QNAME NXDOMAIN rewrite mail.amercianstudy.xyz via mail.amercianstudy.xyz.24h.rpz.dns-nod.net
  11-Sep-2019 16:43:16.905 rpz: info: client 127.0.0.1#54268 (mail.amercianstudy.xyz): view internet: rpz QNAME NXDOMAIN rewrite mail.amercianstudy.xyz via mail.amercianstudy.xyz.24h.rpz.dns-nod.net
  11-Sep-2019 16:43:16.906 rpz: info: client 127.0.0.1#54267 (mail.amercianstudy.xyz): view internet: rpz QNAME NXDOMAIN rewrite mail.amercianstudy.xyz via mail.amercianstudy.xyz.24h.rpz.dns-nod.net
  11-Sep-2019 16:43:16.907 rpz: info: client 127.0.0.1#54266 (mail.amercianstudy.xyz): view internet: rpz QNAME NXDOMAIN rewrite mail.amercianstudy.xyz via mail.amercianstudy.xyz.24h.rpz.dns-nod.net

A single log example from Postfix is:

  Sep 11 16:43:16 nb3 postfix/smtpd[22890]: NOQUEUE: reject: RCPT from crater.example.org[AA.BB.CC.DD]: 450 4.1.8 <378-41-589943-102-reed=example.org@mail.amercianstudy.xyz>: Sender address rejected: Domain not found; from=<378-41-589943-102-reed=example.org@mail.amercianstudy.xyz> to=<reed@example.net> proto=ESMTP helo=<crater.example.org>
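As an added example (not code from the post or from Farsight), the script below pulls the figures quoted in this post out of logs like the two above: which names the NOD feed rewrote to NXDOMAIN and from which feed period, how many Postfix rejections that produced per sender domain, and how many later rejections came from DNS blocklists instead. The embedded log lines are constructed placeholders modelled on the entries shown above, with placeholder domain names and addresses.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the BIND and Postfix entries in
# this post. Domain names and addresses are placeholders, not real senders.
BIND_LOG = """\
11-Sep-2019 16:43:16.867 rpz: info: client 127.0.0.1#54273 (mail.nod-a.test): view internet: rpz QNAME NXDOMAIN rewrite mail.nod-a.test via mail.nod-a.test.24h.rpz.dns-nod.net
11-Sep-2019 16:43:16.882 rpz: info: client 127.0.0.1#54272 (mail.nod-a.test): view internet: rpz QNAME NXDOMAIN rewrite mail.nod-a.test via mail.nod-a.test.24h.rpz.dns-nod.net
11-Sep-2019 16:44:02.100 rpz: info: client 127.0.0.1#54300 (mx.nod-b.test): view internet: rpz QNAME NXDOMAIN rewrite mx.nod-b.test via mx.nod-b.test.24h.rpz.dns-nod.net
11-Sep-2019 16:44:03.500 resolver: info: unrelated line with no rpz rewrite
"""
POSTFIX_LOG = """\
Sep 11 16:43:16 nb3 postfix/smtpd[22890]: NOQUEUE: reject: RCPT from h1.example.org[192.0.2.10]: 450 4.1.8 <a@mail.nod-a.test>: Sender address rejected: Domain not found; from=<a@mail.nod-a.test> to=<u1@example.net> proto=ESMTP helo=<h1.example.org>
Sep 11 16:43:16 nb3 postfix/smtpd[22890]: NOQUEUE: reject: RCPT from h1.example.org[192.0.2.10]: 450 4.1.8 <a@mail.nod-a.test>: Sender address rejected: Domain not found; from=<a@mail.nod-a.test> to=<u2@example.net> proto=ESMTP helo=<h1.example.org>
Sep 11 16:44:02 nb3 postfix/smtpd[22901]: NOQUEUE: reject: RCPT from h2.example.org[192.0.2.11]: 450 4.1.8 <b@mx.nod-b.test>: Sender address rejected: Domain not found; from=<b@mx.nod-b.test> to=<u1@example.net> proto=ESMTP helo=<h2.example.org>
Sep 11 16:45:00 nb3 postfix/smtpd[22910]: NOQUEUE: reject: RCPT from h3.example.org[192.0.2.12]: 554 5.7.1 Service unavailable; client [192.0.2.12] blocked using zen.spamhaus.org; from=<c@mx.nod-b.test> to=<u1@example.net> proto=ESMTP helo=<h3.example.org>
"""

# BIND logs the rewritten QNAME and the RPZ zone that matched; the zone name
# carries the feed period (e.g. "24h"), so a resolver loading several NOD
# feeds can tell which one fired.
RPZ_RE = re.compile(r"rpz QNAME NXDOMAIN rewrite (\S+) via \S+?\.(\d+[hm])\.rpz\.dns-nod\.net")
# "Domain not found" is what Postfix's sender-domain check reports when the
# sender domain fails to resolve, which is exactly what the NXDOMAIN causes.
NOD_REJECT_RE = re.compile(r"Domain not found; from=<[^>@]*@([^>]+)>")
DNSBL_RE = re.compile(r"blocked using (\S+);")

def rpz_rewrites(text):
    """Count (rewritten name, feed period) pairs in BIND rpz log lines."""
    return Counter(m.groups() for line in text.splitlines() if (m := RPZ_RE.search(line)))

def nod_rejections(text):
    """Count Postfix rejections per sender domain that failed to resolve."""
    return Counter(m.group(1).lower() for line in text.splitlines() if (m := NOD_REJECT_RE.search(line)))

def dnsbl_rejections(text):
    """Count rejections made by DNS blocklists (later catches after NOD expiry)."""
    return Counter(m.group(1) for line in text.splitlines() if (m := DNSBL_RE.search(line)))

def summarize(postfix_text):
    """Totals in the shape of the post's 'N emails, M unique names' figure."""
    nod = nod_rejections(postfix_text)
    return {"nod_rejected": sum(nod.values()), "unique_domains": len(nod),
            "dnsbl_rejected": sum(dnsbl_rejections(postfix_text).values())}

if __name__ == "__main__":
    print(rpz_rewrites(BIND_LOG))
    print(summarize(POSTFIX_LOG))
```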

Conclusion

As I review my logs periodically, I see that the DNS firewall has been triggered frequently over this past year. While this is a small use case, it has rejected hundreds of thousands of spam and other unwanted emails, most likely before other reputation systems knew about the senders. You may find NOD an interesting or useful addition to your anti-spam toolkit.

For more information about Farsight Security's Newly Observed Domains, visit here.

Jeremy C. Reed is a Senior Quality Assurance Engineer with Farsight Security, Inc.