MAPS (Mail Abuse Prevention System) RBL (Realtime Blackhole List). The MAPS RBL is a system for creating intentional network outages ("blackholes") for the purpose of limiting the transport of known-to-be-unwanted mass e-mail. The MAPS RBL is a subscription system, such that no one is ever denied connectivity to a non-RBL-subscriber. If your network seems to have been blackholed by us, be aware that the places you cannot reach have deliberately chosen not to exchange traffic with you. We are not the network's police force, but rather, a method to identify likely spam origin.
FEATURE(rbl)
You may test the RBL checking against addresses 127.0.0.2 (will be listed on the RBL) and 127.0.0.1 (will not). The following dialog shows how to run Sendmail in address test mode to do this:FEATURE(dnsbl)
$ sendmail -bt -C /config/to/test/sendmail.cf
> .D{client_addr}127.0.0.1
> Basic_check_relay <>
rewrite: ruleset 192 input: < >
rewrite: ruleset 192 returns: OK
> .D{client_addr}127.0.0.2
> Basic_check_relay <>
rewrite: ruleset 192 input: < >
rewrite: ruleset 192 returns: $# error $@ 5 . 7 . 1 $: "Mail from " 127 . 0 . 0 . 2 " refused; see http://www.mail-abuse.org/cgi-bin/lookup?127.0.0.2"
> CTRL/D
The blackholes.mail-abuse.org zone has five name servers, three in the U.S. and two in Europe. We will be adding more over time. (Naturally, the operators of these name servers have each signed our indemnification and license agreement.) Since the default mail transport action if no MAPS RBL name server is reachable at the time mail is being processed is to forward it normally, there is no direct denial of service on your inbound mail if the MAPS RBL is ever down or unreachable. There is however an indirect denial of service opportunity in that spammers will be able to steal service from you more easily during any MAPS RBL access outages.
For this reason, we expect large busy sites to request stealth slave status. This is almost like a normal DNS slave service relationship, except that these servers will not be listed in the NS RRset of the zone, so they will never be targets of third party MAPS RBL (DNS) queries. In order to cause such servers to be queried by your mail relays, you must configure the recursive name servers listed in your resolv.conf files as zone slaves. (It is normally a bad idea to mix authoritative and nonauthoritative data in the same name server, but this is a specified exception to that rule.) In order to meet the terms of our license and indemnification agreement, you will have to run a modern name server such as BIND 8.x so that you can restrict downstream zone transfer access. In BIND 8.x, the configuration syntax you'll need will look something like:
zone "blackholes.mail-abuse.org" {
type slave;
file "sec/blackholes.mail-abuse.org";
allow-transfer { none; };
masters { 204.152.184.74; };
};