Starting in early November 2014, we took some additional measures to enforce the query limit on our free nameserver infrastructure of 100’000 queries per 24 hours per organisation. As a result, some people may get a “blocked” result in their spamfilter setup.
In SpamAssassin, this is shown by a “RCVD_IN_DNSWL_BLOCKED” rule in the spam report, and likely a link to https://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block which is generic to all DNSxL with similar limits.
Get an rsync subscription if you are doing more than 100k queries per day yourself.
Why am I blocked?
In order to ensure free access to the vast majority of users, and in order to avoid overloading the often donated resources, many black- and whitelists have limits on how much the public infrastructure may be used. At dnswl.org, we set the limit at 100’000 queries per 24 hours. With the caching of DNS records, this equals about 300’000 to 500’000 emails.
Why has this suddenly changed?
We do not have a strict enforcement which would block a query source immediately once it passes 100’000 queries. There is usually a relatively lax enforcement, and when feasible we try to contact the operator before we block it. However, this is often difficult since there is no identification needed to use the services.
Also, some users are using a shared, third-party nameserver. This is fine as long as all the users of such a nameserver combined stay below 100’000 queries. As soon as a user joins such a nameserver with a different useage pattern or overall higher volume, it may consistently bypass the 100’000 mark and may thus become blocked some time in the future.
Starting in early November 2014, we got more coverage of logs from our various public nameserver mirrors, so we now see (some heavy) users which had gone unnoticed before.
What do I do now?
First, find out what is actually being blocked:
- If you are using a shared nameserver (eg Google’s 126.96.36.199/188.8.131.52), they are likely blocked.
- If you are using a local nameserver, see whether it’s configured to do full name resolution, or if it simply forwards queries to a shared nameserver which is then blocked.
The easiest way to find out if a particular nameserver is blocked is by asking:
$ dig -t txt amiblocked.dnswl.org
This should return (among other lines, omitted here for clarity):
;; ANSWER SECTION: amiblocked.dnswl.org. 86347 IN TXT "no" ;; Query time: 36 msec ;; SERVER: 10.0.1.1#53(10.0.1.1)
The “ANSWER SECTION” should return either “no” or “yes”, and the “SERVER” line indicates which nameserver provided this answer. Be sure to run this on the box(es) where your spamfilter resides, and if possible using the same user account as used for the spamfilter.
If you are legitimately doing more than 100’000 queries per 24 hours, you must get a subscription to download the rsync file for local useage. If you can not afford a subscription, and / or if you are active in the email or the anti-spam community, please contact email@example.com for a “community” subscription.
OK, so I’ll evade the block!
We can’t stop this from happening. But we will eventually detect those playing games, eg those moving nameserver IPs around. Our goal is not to chase, our goal is to keep the infrastructure – part of which is donated – free to use for the vast majority of users.
But using a shared nameserver improves caching!
In theory, this is correct. In the real world, there will always be free-riders who hide behind such shared nameservers.