ZyXEL Communications ZyWall USG 2000 User Manual page 590

Unified security gateway

Chapter 35 Anti-Spam
• As long as the replies indicate that the IP addresses do not match entries on
the DNSBL lists, the ZyWALL waits until it receives at least one reply for each IP
address.
• If the ZyWALL receives a DNSBL reply that one of the IP addresses is in the
DNSBL list, the ZyWALL immediately classifies the e-mail as spam and takes the
anti-spam policy's configured action for spam. The ZyWALL does not wait for
any more DNSBL replies.
• If the ZyWALL receives at least one non-spam reply for each of an e-mail's
routing IP addresses, the ZyWALL immediately classifies the e-mail as
legitimate and forwards it.
• Any further DNSBL replies that come after the ZyWALL classifies an e-mail as
spam or legitimate have no effect.
• The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72
hours. The ZyWALL checks an e-mail's sender and relay IP addresses against
the cache first and only sends DNSBL queries for IP addresses that are not in
the cache.
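The decision rules in the list above, written out as an added Python sketch (not ZyXEL code or part of the manual). The `classify` function, the per-IP cache layout, the "pending" result and the reply order in `demo` are assumptions made for illustration; only the 72-hour cache lifetime and the first reply in `demo` come from the manual.

```python
CACHE_TTL = 72 * 3600  # the manual: responses are cached for up to 72 hours

def classify(ips, replies, cache, now):
    """Classify one e-mail from its sender/relay IPs.

    replies: (dnsbl, ip, listed) tuples in arrival order.
    cache:   dict ip -> (listed, stored_at); per-IP storage is a simplification.
    Returns (verdict, queried_ips, replies_used).
    """
    # Cache first: only IPs without a fresh entry are queried.
    fresh = {ip: cache[ip][0] for ip in ips
             if ip in cache and now - cache[ip][1] < CACHE_TTL}
    if any(fresh.values()):
        return "spam", [], 0  # assumption: a cached listing decides at once
    queried = [ip for ip in ips if ip not in fresh]
    waiting = set(queried)
    used = 0
    if not waiting:
        return "legitimate", queried, used
    for _dnsbl, ip, listed in replies:
        if ip not in queried:
            continue  # reply for an address that was never asked about
        used += 1
        cache[ip] = (listed, now)
        if listed:
            return "spam", queried, used  # first listing wins, stop waiting
        waiting.discard(ip)
        if not waiting:
            return "legitimate", queried, used  # one clean reply per IP
    return "pending", queried, used  # timeout handling is not on the page

def demo():
    cache = {}
    ips = ["a.a.a.a", "b.b.b.b"]
    # Constructed arrival order; only the first reply is from the manual's example.
    replies = [("DNSBL A", "a.a.a.a", False),
               ("DNSBL B", "b.b.b.b", True),
               ("DNSBL C", "a.a.a.a", False)]  # arrives after the verdict
    first = classify(ips, replies, cache, now=0)
    repeat = classify(ips, [], cache, now=3600)          # served from cache
    clean = [("DNSBL A", "a.a.a.a", False), ("DNSBL A", "b.b.b.b", False),
             ("DNSBL B", "a.a.a.a", True)]               # too late to matter
    expired = classify(ips, clean, cache, now=73 * 3600)  # entries older than 72 h
    return first, repeat, expired

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third call shows the consequence of the cache lifetime: once the entries are older than 72 hours, both addresses are queried again and a changed listing status takes effect.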
Here is an example of an e-mail classified as spam based on DNSBL replies.
Figure 398 DNSBL Spam Detection Example
(Diagram: the ZyWALL queries DNSBL A, DNSBL B and DNSBL C about the e-mail's IPs, a.a.a.a and b.b.b.b.)
1. The ZyWALL receives an e-mail that was sent from IP address a.a.a.a and relayed
by an e-mail server at IP address b.b.b.b. The ZyWALL sends a separate query to
each of its DNSBL domains for IP address a.a.a.a. The ZyWALL sends another
separate query to each of its DNSBL domains for IP address b.b.b.b.
2. DNSBL A replies that IP address a.a.a.a does not match any entries in its list (not
spam).


This manual is also suitable for:

Zywall usg 1000