I use sendmail and M4 for mailserver configuration. If you're not a sendmail expert, don't even consider doing it the old
Warning!
It is extremely important that you realize the following:
When you are using a DNSRBL, you are giving complete control of your email system to somebody else: every address they list, rightly or wrongly, is mail your server refuses. I want to scare you by saying this.
As an example, in my sample below you'll see that I used an osirusoft DNSRBL. The guy who ran it got slammed by the spammers (DoS attack) and, rightfully, got disgusted. However, he took out his anger by setting his RBL to indicate that everybody was listed, thus blocking all email for many hours. Details: boston.com article (about 2/3 of the way down; read about Joe Jared). Millions of innocent people around the world got their mail returned as spam because of this. Putting it lightly, I got a lot of customer complaints from Joe's action. (I thought my end was having a problem until I read about it some weeks later.)
Also bear in mind that if a DNSRBL is slow to respond to queries it will severely slow down your server's ability to process mail. A few seconds here and there doesn't sound like much, but if your server were to wait up to 10 seconds for each of 3 blocklists, each email will take 30 seconds to accept. Remember that outgoing email is checked too, so a single majordomo/mailman email to 500 users will be bogged down and take over 4 hours to deliver to all of them.
There are a lot of DNSRBLs out there. Some are unabashedly extreme (e.g. blocklisting all of China and Korea), others extremely careful, and everything in between. Be sure you read their policy statement before using any of them. If you are not willing or able to accept a bunch of "false positives" (AKA incidental rejections), don't hook up to even a good-sounding list. I would strongly recommend that you only use a paid professional service, as you then have a guarantee of responsibility/answerability. I use MAPS and would recommend it to anyone; at US$200/year it's worth every penny.
First time only:
/etc/named/named.conf
FEATURE(access_db, `hash -o -T /etc/mail/access')
FEATURE(blacklist_recipients)
The feature definitions live in /usr/share/sendmail/cf/feature/.
If you don't already have a sendmail-restart script, I recommend writing one.
Then add one FEATURE line per blocklist to your .mc file:
FEATURE(dnsbl, `ipwhois.rfc-ignorant.org', `"550 Mail from " $&{client_addr} " rejected due to bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/tools/lookup.php?domain="$&{client_addr}')
FEATURE(rhsbl, `dsn.rfc-ignorant.org', `"550 Mail from " $`'&{RHS} " rejected as MX of domain do not accept bounces - see http://www.rfc-ignorant.org/"')
FEATURE(dnsbl, `relays.ordb.org', `"550 Mail from " $&{client_addr} " rejected; see http://ordb.org/lookup/?host="$&{client_addr}')
FEATURE(dnsbl, `spamsites.relays.osirusoft.com', `"550 Mail from " $&{client_addr} " rejected; see (spamsites) http://relays.osirusoft.com/cgi-bin/rbcheck.cgi?addr="$&{client_addr}')
FEATURE(dnsbl, `spamhaus.relays.osirusoft.com', `"550 Mail from " $&{client_addr} " rejected; see (spamhaus) http://relays.osirusoft.com/cgi-bin/rbcheck.cgi?addr="$&{client_addr}')
FEATURE(dnsbl, `spews.relays.osirusoft.com', `"550 Mail from " $&{client_addr} " rejected; see (spews) http://relays.osirusoft.com/cgi-bin/rbcheck.cgi?addr="$&{client_addr}')
FEATURE(dnsbl, `list.dsbl.org', `"550 Mail from " $&{client_addr} " rejected; see http://dsbl.org/listing.php?ip="$&{client_addr}')
Then, in the sendmail cf directory, build the .cf from your .mc (the Makefile there turns <yourhost>.mc into <yourhost>.cf), diff it against the running sendmail.cf, install it and restart:
make <yourhost>.cf
diff sendmail.cf <yourhost>.cf
cp <yourhost>.cf sendmail.cf
sendmail-restart
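Before hooking a zone into the .mc file above, it is worth checking two things the warnings describe: that the list has not started answering "everyone is listed" (the osirusoft failure), and that it answers quickly enough not to stall mail acceptance. The following is an added example, not code from this page or from sendmail: it pulls the dnsbl/rhsbl zones out of an .mc fragment, builds the RFC 5782 query name (reversed octets, or reversed nibbles for IPv6), times each lookup against a deadline, and runs the RFC 5782 sanity check that 127.0.0.2 must be listed and 127.0.0.1 must not be. The zone names (good.example, listall.example, slow.example, rhs.example), the .mc fragment and the offline resolver are constructed for the demo; `resolve_a` is the real resolver you would pass in production.

```python
"""Added example (not from the page): DNSBL lookups with a deadline plus the
RFC 5782 sanity check that catches a zone which lists everyone or has died.
Zone names, the .mc fragment and the offline resolver are constructed."""
import ipaddress
import re
import socket
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout

# Matches the FEATURE(dnsbl, `zone', ...) and FEATURE(rhsbl, `zone', ...) lines
# of a sendmail .mc file, with or without m4 quotes around the arguments.
FEATURE_RE = re.compile(r"FEATURE\(\s*`?(dnsbl|rhsbl)'?\s*,\s*`?([A-Za-z0-9.-]+)'?")
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)
EAI_NODATA = getattr(socket, "EAI_NODATA", EAI_NONAME)


def zones_from_mc(mc_text):
    """Return [(kind, zone), ...] for every dnsbl/rhsbl FEATURE line in an .mc file."""
    return [(m.group(1), m.group(2)) for m in FEATURE_RE.finditer(mc_text)]


def dnsbl_query_name(ip, zone):
    """RFC 5782 query name: reversed dotted octets (IPv4) or reversed nibbles (IPv6)
    followed by the zone, e.g. 192.0.2.3 in list.example -> 3.2.0.192.list.example."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def resolve_a(name):
    """Real resolver: A records for name, [] when the name does not exist.
    SERVFAIL and resolver timeouts raise, so 'clean' and 'broken' stay distinct."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as err:
        if err.errno in (EAI_NONAME, EAI_NODATA):
            return []
        raise


def check_dnsbl(ip, zone, resolve=resolve_a, timeout=2.0):
    """Query one zone for one address, never waiting longer than `timeout` seconds.
    Returns (verdict, codes, seconds): verdict is 'listed', 'clean' or 'error'
    (timeout, SERVFAIL, no answer); codes are the 127.0.0.x return addresses."""
    name = dnsbl_query_name(ip, zone)
    start = time.monotonic()
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        codes = pool.submit(resolve, name).result(timeout=timeout)
        verdict = "listed" if codes else "clean"
    except (FutureTimeout, OSError):
        codes, verdict = [], "error"      # a slow list must not stall the MTA
    finally:
        pool.shutdown(wait=False)         # do not wait on a lookup that is still hanging
    return verdict, codes, time.monotonic() - start


def dnsbl_health(zone, resolve=resolve_a, timeout=2.0):
    """RFC 5782 section 5 sanity check before trusting a zone with your mail:
    127.0.0.2 must be listed and 127.0.0.1 must NOT be. A zone listing 127.0.0.1
    is answering 'everyone is listed'; one not listing 127.0.0.2 is dead or
    withdrawn. Returns (ok, reason)."""
    pos, _, t_pos = check_dnsbl("127.0.0.2", zone, resolve, timeout)
    neg, _, t_neg = check_dnsbl("127.0.0.1", zone, resolve, timeout)
    if "error" in (pos, neg):
        return False, f"lookup failed or took longer than {timeout}s"
    if neg == "listed":
        return False, "zone lists 127.0.0.1: it is rejecting everyone"
    if pos != "listed":
        return False, "zone does not list 127.0.0.2: it is dead or withdrawn"
    return True, f"ok, slowest lookup {max(t_pos, t_neg):.3f}s"


# Constructed .mc fragment in the style of the FEATURE lines above (fake zones).
SAMPLE_MC = """\
FEATURE(dnsbl, `good.example', `"550 Mail from " $&{client_addr} " rejected"')
FEATURE(`rhsbl', `rhs.example', `"550 Mail from " $`'&{RHS} " rejected"')
FEATURE(dnsbl, `listall.example', `"550 rejected"')
FEATURE(dnsbl, `slow.example', `"550 rejected"')
"""

# Constructed offline resolver (no real DNSBL is contacted): query name -> A records.
FAKE_ANSWERS = {
    "2.0.0.127.good.example": ["127.0.0.2"],      # healthy: test point listed ...
    "3.2.0.192.good.example": ["127.0.0.2"],      # ... and 192.0.2.3 listed
    "2.0.0.127.listall.example": ["127.0.0.2"],
    "1.0.0.127.listall.example": ["127.0.0.2"],   # 127.0.0.1 listed too: lists everyone
    "2.0.0.127.slow.example": ["127.0.0.2"],
}


def fake_resolve(name):
    """Stand-in for resolve_a; *.slow.example answers only after half a second."""
    if name.endswith(".slow.example"):
        time.sleep(0.5)
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for kind, zone in zones_from_mc(SAMPLE_MC):
        if kind == "dnsbl":           # rhsbl zones are keyed by domain name, not by IP
            print(zone, dnsbl_health(zone, fake_resolve, timeout=0.1))
    print("192.0.2.3 on good.example:", check_dnsbl("192.0.2.3", "good.example", fake_resolve))
```

Run `dnsbl_health(zone)` for each zone in your .mc on a cron job; a zone that flips to "rejecting everyone" or starts timing out is one you want to pull before your customers notice. Note that sendmail itself has no per-list timeout here, so the measured latency is what every inbound connection will pay.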
When you get a piece of spam email, look through the Received headers and find the IP address of the host that handed it to your server. Only the Received header your own server added (the topmost one) can be trusted for this; every header below it was written by the sender and may be forged. Cut-n-paste that address into the form at the URL above. The lists that have that address blocked are obviously good candidates.
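Extracting that address by hand is error-prone once a message has passed through an internal relay or carries forged headers. The following is an added example, not code from this page: it walks the Received headers from the top, trusts only the ones whose "by" host is one of your own servers, skips hops that came from your internal networks, and returns the first outside address, in the bracketed form sendmail writes it. The host names (mx.example.org, internal.example.org), the addresses, the networks and both sample messages are constructed for the demo.

```python
"""Added example (not from the page): find the peer address in the Received
headers so it can be checked against a blocklist. Hosts, networks, addresses
and the sample messages below are constructed."""
import email
import ipaddress
import re

# sendmail records the connecting address in brackets, "(name [192.0.2.3])" or
# "([IPv6:2001:db8::1])"; the "by" host is the server that added the header.
ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def peer_ip(raw_message, my_hosts, internal_nets=()):
    """Return the address of the outside host that handed the message to one of
    my_hosts, or None. Only Received headers added by our own servers are
    trusted: the chain stops at the first header written by someone else, since
    everything below it can be forged. Hops from internal_nets are skipped so a
    message relayed through an internal box still yields the outside peer."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received") or []:   # topmost (newest) first
        by = BY_RE.search(header)
        if not by or by.group(1).lower() not in my_hosts:
            return None                             # not ours: stop trusting
        found = ADDR_RE.search(header)
        if not found:
            continue
        try:
            addr = ipaddress.ip_address(found.group(1))
        except ValueError:
            continue
        if any(addr in net for net in nets):
            continue                                # internal hop, look one header down
        return str(addr)
    return None


MY_HOSTS = {"mx.example.org", "internal.example.org"}
INTERNAL = ("10.0.0.0/8",)

# Constructed message as our MX stored it: the top Received header is ours, the
# one below it was forged by the sender to point at an innocent third party.
DIRECT = """\
Received: from mail.example.net (mail.example.net [192.0.2.3])
\tby mx.example.org (8.12.9/8.12.9) with ESMTP id h7QGn0xx012345
\tfor <user@example.org>; Tue, 26 Aug 2003 09:49:00 -0700
Received: from innocent.example ([198.51.100.7])
\tby mail.example.net with SMTP; Tue, 26 Aug 2003 09:48:00 -0700
From: someone@example.net
Subject: buy now

body
"""

# Constructed message that reached the mailbox via an internal relay first.
RELAYED = """\
Received: from mx.example.org (mx.example.org [10.1.1.5])
\tby internal.example.org (8.12.9/8.12.9) with ESMTP id h7QGn1xx012346
\tfor <user@example.org>; Tue, 26 Aug 2003 09:49:05 -0700
Received: from mail.example.net (mail.example.net [192.0.2.3])
\tby mx.example.org (8.12.9/8.12.9) with ESMTP id h7QGn0xx012345
\tfor <user@example.org>; Tue, 26 Aug 2003 09:49:00 -0700
Received: from innocent.example ([198.51.100.7])
\tby mail.example.net with SMTP; Tue, 26 Aug 2003 09:48:00 -0700
Subject: buy now

body
"""

if __name__ == "__main__":
    print("direct :", peer_ip(DIRECT, MY_HOSTS, INTERNAL))
    print("relayed:", peer_ip(RELAYED, MY_HOSTS, INTERNAL))
```

The returned address is the one to paste into the lookup form, or to feed to a DNSBL query (reversed octets plus zone). Had the function simply taken the bottom-most Received header, it would have reported 198.51.100.7, a host that never touched the message.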
Warning, warning, warning! Be sure to visit their policies page before adding them to your list of blocklists (see "blackholes.five-ten-sg.com" in my table below).
Another comparison tool is my Vintners.net mail handling statistics page. Click on "add detail to report" and it will show a breakdown of percentage of blocked email by blocklist for that day.
Note that I have used the following blocklists but have discontinued them:
Blocklist | Notes
bl.spamcop.net | I very much approve of their automated and unbiased methods, and they are very effective, however... their lookups take forever: sending an email from your client via SMTP takes more than a minute. I bring them back in occasionally; at last check they are back out.
multihop.dsbl.org | I approve of their unbiased methods, but they've blocked ATTBI.COM. I have no quibbles with the correctness of this action; it's simply that I've got paying customers on ATT cable modems.
blackholes.five-ten-sg.com | These guys are extremely Their methods are unrepentantly heavy-handed. They have the gall to just blocklist
rbl-plus.mail-abuse.org | This is a paid subscription service. For my tiny operation (hosting a couple dozen domains) MAPS costs US$200/year. It's worth it.