Over on another list, people were grousing that it's impossible to shut down a DNSBL because no matter what you do, clueless people with dusty mail configurations will keep hammering on it. You can list nothing, or list everything, or put in long delays, or return delegations to name servers on nonexistent networks, or return text records with obscene insults, but they will keep hammering. I know this from personal experience as I have tried to get people to stop querying misspelled versions of my korea.services.net BL.
While most Postfix users are skilled, sophisticated mail administrators, some aren't. It's really easy to do defensive testing of BLs before you use them: look up 127.0.0.2 and check that you get an A record with an address in 127/8, and look up 127.0.0.1 and check that you get nothing. Then if the answers are OK you use the DNSBLs; if not, you don't. You don't need to check very often; in my prototype I check once a week.

It looks to me like it would be easy to do these checks in dnsblog each time it starts. That's probably more often than is ideal (how long does it typically run?) but it's way better than letting people hammer on dead BLs. It also makes mail servers marginally more robust since they won't reject all the mail when the operator of a defunct BL gets exasperated and lists the world.

Does this sound reasonable? Is there a better way to do it?

R's,
John
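The two probes described in the message, written up as an added Python example; this is not John's prototype and not code from Postfix or dnsblog. `system_lookup` uses the standard library resolver for real use, while the `*.example` zones and `SAMPLE_ANSWERS` are constructed placeholders so the checks can be run offline, covering a healthy zone, a dead one, a lapsed domain whose wildcard answers outside 127/8, and one that lists the world.

```python
import ipaddress
import socket

# Probe addresses every DNSBL should answer consistently: 127.0.0.2 must be
# listed (an A record inside 127/8) and 127.0.0.1 must not be listed at all.
PROBE_LISTED = "127.0.0.2"
PROBE_UNLISTED = "127.0.0.1"
LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Query name for ip under zone: the octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".") + "."

def system_lookup(name):
    """A-record lookup via the system resolver; [] if the name does not
    resolve, so a dead or unreachable zone simply looks like 'no answer'."""
    try:
        results = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({sockaddr[0] for *_, sockaddr in results})

def dnsbl_is_sane(zone, lookup=system_lookup):
    """True only if 127.0.0.2 maps into 127/8 and 127.0.0.1 returns nothing."""
    listed = lookup(dnsbl_name(PROBE_LISTED, zone))
    if not listed:
        return False  # dead, timing out, or deliberately returning nothing
    if not all(ipaddress.IPv4Address(a) in LOOPBACK_NET for a in listed):
        return False  # e.g. a lapsed domain's wildcard pointing at a web host
    if lookup(dnsbl_name(PROBE_UNLISTED, zone)):
        return False  # zone "lists the world"; using it would reject all mail
    return True

def usable_dnsbls(zones, lookup=system_lookup):
    """Filter the configured zones down to those that pass both probes."""
    return [z for z in zones if dnsbl_is_sane(z, lookup)]

# Constructed answers standing in for real DNS so the checks run offline;
# the *.example zones are placeholders, not real DNSBLs.
SAMPLE_ANSWERS = {
    "2.0.0.127.good.example.": ["127.0.0.2"],
    "2.0.0.127.world.example.": ["127.0.0.2"],
    "1.0.0.127.world.example.": ["127.0.0.2"],      # 127.0.0.1 listed too
    "2.0.0.127.parked.example.": ["203.0.113.10"],  # wildcard outside 127/8
    # dead.example: no entries at all
}

def sample_lookup(name):
    return SAMPLE_ANSWERS.get(name, [])
```

Against real zones, call `usable_dnsbls(zones)` with the default lookup and feed only the survivors into the `reject_rbl_client` configuration; a resolver timeout is treated the same as a dead zone, which is the conservative choice the message argues for.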