Front cover - IBM Redbooks

lookup is used) and IP address of the server, as well as the name of the site
where the server was listed.
In addition to logging the event, you can configure Domino to reject messages
from hosts on the blacklist or to add a special Notes item ($DNSBLSite) to flag
messages accepted from hosts on the list.
Specifying the DNS blacklist sites
After you enable the DNS blacklist filters, you can specify the site or sites the
SMTP task uses to determine if a connecting host is a “known” open relay or
spam source. Specify sites that support IP-based DNS blacklist queries.
If Domino finds a match for a connecting host in one of the blacklists, it does not
continue checking the lists for the other configured sites. For performance
reasons, it's best to limit the number of sites because Domino performs a DNS
lookup to each site for each connection.
You can choose from a number of publicly available and private, paid
subscription services that maintain DNS blacklists. When using a public blacklist
service, Domino performs DNS queries over the Internet. In some cases, it may
take a significant amount of time to resolve DNS queries submitted to an Internet
site. If the network latency of DNS queries made over the Internet results in
slowed performance, consider contracting with a private service that allows zone
transfer, so that Domino can perform the required DNS lookups to a local host.
During a zone transfer, the contents of the DNS zone file at the service provider
are copied to a DNS server in the local network.
Each blacklist service uses its own criteria for adding servers to its list. Blacklist
sites use automated tests and other methods to confirm whether a suspected
server is sending out spam or acting as an open relay. The more restrictive
blacklist sites add servers to their list as soon as they fail the automated tests
and regardless of whether the server is verified as a source of spam. Other less
restrictive sites list a server only if its administrator fails to close the server to
third-party relaying after a specified grace period or if the server plays host to
known spammers.
By searching the Internet, you can find Internet sites that provide periodic reports
on the number of entries in various DNS blacklist services.
Hosts that are exempt from DNS blacklist checks
To avoid unnecessary DNS lookups, Domino performs DNS blacklist checks only
on hosts that are subject to relay checks, as specified in the SMTP inbound relay
restrictions. Any host that is authorized to relay is exempt from blacklist checks.
For example, by default, Domino enforces the inbound relay restrictions only for
external hosts (Router/SMTP → Restrictions and Controls → SMTP Inbound
Chapter 11. Domino/Notes 6 security features 517