Cisco Email Security Appliance

Is SenderBase on the ESA another DNS RBL?

Document ID: 117910

Updated: Jul 10, 2014

Contributed by Nasir Shakour and Enrico Werner, Cisco TAC Engineers.



Is SenderBase another DNSBL?

SenderBase is no ordinary DNSBL. In the anti-spam community, there are many DNS-based blacklists. A technique developed over ten years ago, DNS-based blacklists provide a way of adding a standardized API (application programming interface) to a widely distributed database. Because network devices, such as mail servers, all have a built-in DNS client application (sometimes called a 'resolver'), using the DNS to look up information about IP addresses is a very natural operation for most systems. The idea of DNS-based blacklists is to provide an easy way for a widely distributed community of users to efficiently query an IP-oriented list without having to worry about database replication, authentication, or more complex APIs.

The strategy for most DNS-based blacklists is to state some description of a blacklist (e.g., "systems which are known to be open relays") and then allow anyone to query the list to see if an IP address is on the list. If the address appears, then the list owner asserts that the IP address has met the qualifications to be on the list. In other words, DNS-based blacklists give "yes/no" answers: you either are on the list, or you are not.
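The lookup described above, as an added example that is not part of the original Cisco document: it builds the DNS query name for an address and reduces the answer to the yes/no verdict a DNSBL gives. The reversed-label naming and the 127.0.0.0/8 answer range follow the common DNSBL convention documented in RFC 5782, which this page does not spell out; the zone `dnsbl.example`, the function names and the stub resolver data are assumptions constructed so the code runs offline.

```python
import ipaddress

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a mail server looks up for `ip` in DNSBL `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                   # octets, reversed
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]   # nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")

def interpret(answers):
    """Map the A records for the query name (empty list = NXDOMAIN) to a verdict."""
    if not answers:
        return "not listed"
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if all(ipaddress.ip_address(a) in loopback for a in answers):
        return "listed"
    # A non-127/8 answer usually means wildcard DNS or a parked zone,
    # not a listing; treating it as "listed" would reject legitimate mail.
    return "invalid"

def check(ip, zone, resolve):
    """`resolve` is any callable: query name -> list of A record strings."""
    return interpret(resolve(dnsbl_query_name(ip, zone)))

# Constructed zone data standing in for a real resolver (assumption).
ZONE = "dnsbl.example"
FAKE_RECORDS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],      # conventional test entry
    "10.113.0.203.dnsbl.example": ["192.0.2.80"],  # constructed non-loopback answer
}

def fake_resolve(name):
    return FAKE_RECORDS.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "198.51.100.7", "203.0.113.10", "2001:db8::1"):
        print(ip, "->", dnsbl_query_name(ip, ZONE), "->", check(ip, ZONE, fake_resolve))
```

To query a live list, pass a `resolve` callable that performs an A lookup and returns an empty list on NXDOMAIN.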

DNS-based blacklists are generally managed by volunteers (although a few are available on a for-pay subscription basis). They also tend to be very idiosyncratic in their operation. As volunteer-run projects, they are operated by individuals or groups who feel very strongly about the problem of spam and generally tend to err on the side of blocking legitimate mail. Enterprises that have chosen to use DNS-based blacklists either find them minimally effective for reducing spam (i.e., it's hard to get on the list and the list updates are not timely) or find that these lists generate a very high false positive rate (i.e., it's too easy to get on the list).

SenderBase was created both to reduce the problem of idiosyncratic behavior in DNS-based blacklists and to give network managers the opportunity to make their own decisions about how conservatively or aggressively they will use the list. With proper use of SenderBase, in conjunction with an ESA's throttling capabilities, the rate of false positives can be dropped dramatically while a large proportion of spam is still kept out of the corporate network.
