User Tools

Site Tools


This is an old revision of the document!

How to use a private DNSBL with SpamAssassin

Here we will present a recipe to create a personal Domain Name System-based Blackhole List to be used with SpamAssassin. This will enable you to assign a custom SPAM score to mails coming from specific IP addresses (at the moment only IPv4 addresses).

We will use the well-known mechanism of DNSBLs, so that the general-purpose DNS server software Bind9 and SpamAssassin is used, just with some specific configuration. This allows us to combine our blackhole list with the traditional ones provided by e.g. and

Configure the DNS


$TTL 900     ; 15 minutes   IN SOA (
                1       ; serial
                3600    ; refresh (1 hour)
                600     ; retry (5 minutes)
                432000  ; expire (5 days)
                10      ; minimum (10 seconds)


$TTL 900        ; 15 minutes

Generate the DNS key:

dnssec-keygen -a HMAC-MD5 -b 512 -n USER bl-rigacci-org_rndc-key

Get the secret from the generated private file:

cat Kbl-rigacci-org_rndc-key.+157+27575.private
Key: rg2aizg+T6XkKkmpI42K7g==


Be sure to set the file into 640 mode and owned by bind:bind.

key "bl-rigacci-org_rndc-key" {
        algorithm hmac-md5;
        secret "rg2aizg+T6XkKkmpI42K7g==";


Suppose that is your secondary DNS server:

// Dynamic update zone for DNS BlockList.
zone "" {
    type master;
    allow-update {;; };
    allow-transfer {;; };
    file "";
    max-journal-size 500k;
include "/etc/bind/bl-rigacci-org_rndc-key";

Configure SpamAssassin

doc/appunti/linux/sa/spamassassin_private_dnsbl.1581957291.txt.gz · Last modified: 2020/02/17 17:34 by niccolo