[ScreenOS] How the firewall verifies the source IP address against the SBL server to check if it is spam



Article ID: KB24876 KB Last Updated: 14 Jun 2012 Version: 1.0
This article explains how a firewall verifies a source IP address against the SBL server to check whether it is spam.


  • The DNS configured on the firewall is

  • The IP address of the SMTP (incoming), which has to be checked for spam, is a.b.c.d.

The SBL process is as follows:

  1. The firewall will check the local white and black list (IP, domain).

  2. If the IP address is not listed, the firewall will send a query to to request for the record of d.c.b.a. <hash>. (the communication is always between the firewall and the configured DNS; in this case, it is

  3. d.c.b.a. <hash>. will be considered as the sub-domain/host of by

  4. If has cached information (a record), it will reply; else will query the authoritative DNS of (recursive query).

  5. The Juniper authoritative DNS has built-in logic to determine whether the query is for a record of an existing sub-domain (for example, or to check the spam IP in the database.

    a. If the query is actually for the sub-domain, DNS will check the zone file and provide the IP address of the domain/sub-domain (for example, address record of =

    b. The DNS will pick only the d.c.b.a IP and forward it to a third-party anti-spam database to check whether the IP address is part of the anti-spam list. The <hash> value will be used for authentication.

  6. If the result of point 5(b) is true, authoritative DNS will reply to and then to the firewall with the 127.0.0.x IP as a record of the d.c.b.a domain. <hash>. and the firewall will act accordingly ( - spam).

  7. If the result of point 5(b) is false, the DNS will reply that it cannot find d.c.b.a. <hash>., which the firewall will treat as NXDOMAIN (NXDOMAIN - spam status is unknown, or the spam license has expired).
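
The lookup sequence above, sketched as an added example (not Juniper code). The zone name, the hash value, the stub resolver and the rule that the white list wins over the black list are assumptions, because the page does not give them; sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Placeholders: the page does not show the real zone name or hash value.
SBL_ZONE = "sbl.example.invalid"
LICENSE_HASH = "HASHPLACEHOLDER"
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/24")  # the 127.0.0.x answers

class NXDomain(Exception):
    """Raised by a resolver when the queried name does not exist."""

def build_query_name(src_ip, token=LICENSE_HASH, zone=SBL_ZONE):
    """Step 2: a.b.c.d becomes d.c.b.a.<hash>.<zone>."""
    ip = ipaddress.IPv4Address(src_ip)  # raises ValueError on malformed input
    octets = str(ip).split(".")
    return ".".join(reversed(octets)) + f".{token}.{zone}"

def check_sender(src_ip, resolve, whitelist=(), blacklist=()):
    """Return 'allow', 'spam' or 'unknown' for an SMTP source address."""
    # Step 1: local lists are consulted first and need no DNS query.
    # Assumption: the white list wins if an address is on both lists.
    if src_ip in whitelist:
        return "allow"
    if src_ip in blacklist:
        return "spam"
    try:
        answer = resolve(build_query_name(src_ip))
    except NXDomain:
        return "unknown"  # step 7: not listed, or license expired
    # Step 6: only a 127.0.0.x A record means "listed". Assumption: any
    # other answer (e.g. a wildcard from a misbehaving resolver) is ignored.
    if ipaddress.IPv4Address(answer) in LISTED_NET:
        return "spam"
    return "unknown"

def make_stub_resolver(records):
    """Constructed stand-in for the configured DNS server."""
    def resolve(name):
        if name not in records:
            raise NXDomain(name)
        return records[name]
    return resolve

# Constructed sample data (documentation address ranges).
STUB = make_stub_resolver({
    build_query_name("192.0.2.10"): "127.0.0.2",
    build_query_name("198.51.100.7"): "203.0.113.1",
})

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7"):
        print(ip, build_query_name(ip), check_sender(ip, STUB))
```

Because NXDOMAIN maps to "unknown" rather than "clean", an expired license or an unreachable SBL zone looks the same as an unlisted sender, which is worth monitoring separately.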