User Tools

Site Tools


No ai soldati italiani all'estero




Rigacci.Org usa energia elettrica da fonti rinnovabili, grazie al gruppo di acquisto Merci Dolci.

Merci Dolci - Energia Rinnovabile

Software libero!

Petizione contro i brevetti software

Faunalia: Soluzioni GIS professionali



How to run a private DNSBL for SpamAssassin

Here we will present a recipe to create a personal Domain Name System-based Blackhole List to be used with SpamAssassin. This will enable you to assign a custom SPAM score to mails coming from specific IP addresses (at the moment only IPv4 addresses).

We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software Bind9 and SpamAssassin are used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. and

Configure the DNS

Dynamic updates using an HMAC-MD5 key

Our DNSBL zone will be updated dynamically on our DNS server using a Python script; to allow only authenticated queries we create a DNS key. To generate the key we run the command:

dnssec-keygen -a HMAC-MD5 -b 512 -n USER bl-rigacci-org_rndc-key

Notice that bl-rigacci-org_rndc-key is the username associated with the key. Two file will be created: one with the .key and one with the .private extension. Get the secret from the generated private file:

cat Kbl-rigacci-org_rndc-key.+157+27575.private
Key: rg2aizg+T6XkKkmpI42K7g==

Now create a file name /etc/bind/bl-rigacci-org_rndc-key containing the secret, be sure to set the file into 640 mode and owned by bind:bind:

key "bl-rigacci-org_rndc-key" {
        algorithm hmac-md5;
        secret "rg2aizg+T6XkKkmpI42K7g==";

The dynamic zone

Your DNS server will manage a dynamic zone dedicated to the DNSBL service. Create a file /var/cache/bind/ owned by bind:bind:

$TTL 900     ; 15 minutes   IN SOA (
                1       ; serial
                3600    ; refresh (1 hour)
                600     ; retry (5 minutes)
                432000  ; expire (5 days)
                10      ; minimum (10 seconds)


$TTL 900        ; 15 minutes

Add that zone to /etc/bind/named.conf.local. Suppose that is your secondary DNS server, this is the snippet required:

// Dynamic update zone for DNS Blackhole List.
zone "" {
    type master;
    allow-update {;; };
    allow-transfer {;; };
    file "";
    max-journal-size 500k;
include "/etc/bind/bl-rigacci-org_rndc-key";

Configure SpamAssassin

To add a check against our DNSBL, just edit /etc/spamassassin/ and add a section like this:

header     LOCAL_CUSTOM_DNSBL    eval:check_rbl('bl-rigacci','')
describe   LOCAL_CUSTOM_DNSBL    Entries listed in RBL
score      LOCAL_CUSTOM_DNSBL    100.0

You can customize the score (default SPAM score is 5.0 in SpamAssassin) to match your requirements.

Python script to manage the dynamic zone

Finally we need a script to add, remove or query IP address into the DNSBL zone. We have written a dnsbl-tool (use this one if you have the python3-dnspython 2.0.0 library dnsbl-tool_0.4.0) which can be used as follow:

dnsbl-tool -a
Adding record type "A" for
dnsbl-tool -q
Address is listed: =>
dnsbl-tool -r
Removing record type "A" for

To query the entire zone from the DNS server, you can request an AXFR (zone transfer). For doing that, you must do it from an IP address listed into the allow-transfer declared into named.conf.local:

dig -tAXFR
doc/appunti/linux/sa/spamassassin_private_dnsbl.txt · Last modified: 2021/10/08 10:45 by niccolo