Chapter 32 Email Security
ZyWALL ATP Series User’s Guide
564
DNSBL
• The Zyxel Device checks only public sender and relay IP addresses; it does not check private IP addresses.
• The Zyxel Device sends a separate query (DNS lookup) for each sender or relay IP address in the email’s header to each of the Zyxel Device’s DNSBL domains at the same time.
• The DNSBL servers send replies as to whether or not each IP address matches an entry in their list. Each IP address has a separate reply.
• As long as the replies indicate that the IP addresses do not match entries on the DNSBL lists, the Zyxel Device waits until it receives at least one reply for each IP address.
• If the Zyxel Device receives a DNSBL reply that one of the IP addresses is in the DNSBL list, the Zyxel Device immediately classifies the email as spam and takes the email security policy’s configured action for spam. The Zyxel Device does not wait for any more DNSBL replies.
• If the Zyxel Device receives at least one non-spam reply for each of an email’s routing IP addresses, the Zyxel Device immediately classifies the email as legitimate and forwards it.
• Any further DNSBL replies that come after the Zyxel Device classifies an email as spam or legitimate have no effect.
• The Zyxel Device records DNSBL responses for IP addresses in a cache for up to 72 hours. The Zyxel Device checks an email’s sender and relay IP addresses against the cache first and only sends DNSBL queries for IP addresses that are not in the cache.
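The rules above, as an added Python example that is not Zyxel's code: it models the simultaneous per-zone queries, the first-listing-wins spam verdict, the all-IPs-cleared legitimate verdict, the 72-hour cache and the skipping of private addresses. The DNSBL zone names, the sample IP addresses and the reading of "private" as RFC 1918, loopback and link-local ranges are assumptions.

```python
import ipaddress
import time

CACHE_TTL = 72 * 3600  # the Zyxel Device caches DNSBL responses for up to 72 hours
# Assumption: "private IP addresses" means RFC 1918, loopback and link-local ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def dnsbl_query_name(ip, zone):
    """Conventional DNSBL lookup name: reversed IPv4 octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

class DnsblClassifier:
    def __init__(self, zones, clock=time.time):
        self.zones, self.clock = list(zones), clock
        self.cache = {}  # ip -> (listed, expiry timestamp)

    def cached(self, ip):
        """True/False for a fresh cached verdict, None if absent or older than 72 h."""
        entry = self.cache.get(ip)
        if entry and entry[1] > self.clock():
            return entry[0]
        self.cache.pop(ip, None)
        return None

    def queries(self, header_ips):
        """Lookup names sent at once: one per zone for every public, uncached IP."""
        return [dnsbl_query_name(ip, z) for ip in header_ips
                if not is_private(ip) and self.cached(ip) is None for z in self.zones]

    def classify(self, header_ips, replies):
        """Consume (ip, zone, listed) replies in arrival order, stopping early."""
        targets = {ip for ip in header_ips if not is_private(ip)}
        if any(self.cached(ip) for ip in targets):
            return "spam"  # a cached listing decides without any new query
        cleared = {ip for ip in targets if self.cached(ip) is False}
        if cleared == targets:
            return "legitimate"
        for ip, _zone, listed in replies:
            if ip not in targets:
                continue  # reply for an address not in this email's header
            self.cache[ip] = (listed, self.clock() + CACHE_TTL)
            if listed:
                return "spam"  # first positive reply decides; later replies are never read
            cleared.add(ip)
            if cleared == targets:
                return "legitimate"  # every routing IP has at least one non-spam reply
        return "undetermined"  # replies ran out before a verdict (e.g. DNSBL timeout)
```

Feeding `classify` an iterator of replies and inspecting what is left unconsumed shows which replies the device would have ignored after the verdict.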
Here is an example of an email classified as spam based on DNSBL replies.
Figure 365 DNSBL Spam Detection Example
1 The Zyxel Device receives an email that was sent from IP address a.a.a.a and relayed by an email server at IP address b.b.b.b. The Zyxel Device sends a separate query to each of its DNSBL domains for IP address a.a.a.a. The Zyxel Device sends another separate query to each of its DNSBL domains for IP address b.b.b.b.
2 DNSBL A replies that IP address a.a.a.a does not match any entries in its list (not spam).
[Figure 365 diagram: the Zyxel Device sends the queries a.a.a.a? and b.b.b.b? to DNSBL A, DNSBL B and DNSBL C; the replies shown are a.a.a.a not spam and b.b.b.b spam; the arrows carry step labels 1 to 4.]