
Comparison of DNS blacklists



The following table lists technical information for a number of DNS blacklists.
Columns: Blacklist operator | DNS blacklist | Informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes

Blacklist operator: ARM Research Labs, LLC [1]

DNS blacklist: GBUdb Truncate
Informational URL: [2]
Zone: truncate.gbudb.net
Listing goal: Extremely conservative list of single IPv4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reputation system. Most systems should be able to safely reject connections based on this list.
Nomination: Automatic: IPs are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data.
Listing lifetime: Automatic: Continuous while reputation statistics remain bad. IPs are dropped quickly if the statistics improve (within an hour). IPs are dropped within 36 hours (typ) if no more messages are seen (dead zombie).
Notes: Source data is derived from a global network of Message Sniffer [3] filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes.

Blacklist operator: invaluement DNSBL [4]

DNS blacklist: ivmSIP
Informational URL: [5]
Zone: N/A (paid access via rsync)
Listing goal: Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spams which evade many other DNSBLs. Has FP-level comparable to Zen.
Nomination: Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives
Listing lifetime: Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions
Notes: Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees.

DNS blacklist: ivmSIP/24
Informational URL: [6]
Zone: N/A (paid access via rsync)
Listing goal: Lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail.
Nomination: Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives
Listing lifetime: Expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases
Notes: Removal requests are quickly and manually reviewed and processed without fees.

DNS blacklist: ivmURI
Informational URL: [7]
Zone: N/A (paid access via rsync)
Listing goal: Comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages
Nomination: Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives
Listing lifetime: Typically an automatic expiration several weeks after the last abuse was seen.
Notes: Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees.

Blacklist operator: proxyBL

DNS blacklist: dnsbl
Informational URL: [8]
Zone: dnsbl.proxybl.org
Listing goal: Lists all types of open (publicly accessible) proxies
Nomination: Automated listing through crawling of websites
Listing lifetime: As long as proxy is verified open (automated)
Notes: Time between verifications increases exponentially in relation to the number of times the host was verified an open proxy

Blacklist operator: UCEPROTECT-Network

DNS blacklist: UCEPROTECT Level 1
Informational URL: [9]
Zone: dnsbl-1.uceprotect.net (also free available via rsync [10])
Listing goal: Single IP addresses that send mail to spamtraps
Nomination: Automatic by a cluster of more than 60 trapservers
Listing lifetime: Automatic expiration 7 days after the last abuse was seen, optionally express delisting (fee)
Notes: UCEPROTECT's primary and the only independent list

DNS blacklist: UCEPROTECT Level 2
Informational URL: [11]
Zone: dnsbl-2.uceprotect.net (also free available via rsync [10])
Listing goal: Allocations with exceeded UCEPROTECT Level 1 listings
Nomination: Automatic calculated from UCEPROTECT-Level 1
Listing lifetime: Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (fee)
Notes: Fully depending on Level 1

DNS blacklist: UCEPROTECT Level 3
Informational URL: [12]
Zone: dnsbl-3.uceprotect.net (also free available via rsync [10])
Listing goal: ASN's with excessive UCEPROTECT Level 1 listings
Nomination: Automatic calculated from UCEPROTECT-Level 1
Listing lifetime: Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee)
Notes: Fully depending on Level 1

Blacklist operator: Spam and Open Relay Blocking System (SORBS)

DNS blacklist: dnsbl
Informational URL: [13]
Zone: dnsbl.sorbs.net
Listing goal: Unsolicited bulk/commercial email senders
Nomination: N/A (See individual zones)
Listing lifetime: N/A (See individual zones)
Notes: Aggregate zone (all aggregates and what they include are listed on [14])

DNS blacklist: safe.dnsbl
Zone: safe.dnsbl.sorbs.net
Listing goal: Unsolicited bulk/commercial email senders
Nomination: N/A (See individual zones)
Listing lifetime: N/A (See individual zones)
Notes: "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent" and "escalations")

DNS blacklist: http.dnsbl
Zone: http.dnsbl.sorbs.net
Listing goal: Open HTTP proxy servers
Nomination: Feeder servers
Listing lifetime: Until delisting requested.

DNS blacklist: socks.dnsbl
Zone: socks.dnsbl.sorbs.net
Listing goal: Open SOCKS proxy servers
Nomination: Feeder servers
Listing lifetime: Until delisting requested.

DNS blacklist: misc.dnsbl
Zone: misc.dnsbl.sorbs.net
Listing goal: Additional proxy servers
Nomination: Feeder servers
Listing lifetime: Until delisting requested.
Notes: Those not already listed in the HTTP or SOCKS databases

DNS blacklist: smtp.dnsbl
Zone: smtp.dnsbl.sorbs.net
Listing goal: Open SMTP relay servers
Nomination: Feeder servers
Listing lifetime: Until delisting requested.

DNS blacklist: web.dnsbl
Zone: web.dnsbl.sorbs.net
Listing goal: IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts)
Nomination: Feeder servers
Listing lifetime: Until delisting requested or Automated Expiry

DNS blacklist: new.spam.dnsbl
Zone: new.spam.dnsbl.sorbs.net
Listing goal: Hosts that have sent spam to the admins of SORBS in the last 48 hours
Nomination: SORBS Admin and Spamtrap
Listing lifetime: Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net'

DNS blacklist: recent.spam.dnsbl
Zone: recent.spam.dnsbl.sorbs.net
Listing goal: Hosts that have sent spam to the admins of SORBS in the last 28 days
Nomination: SORBS Admin and Spamtrap
Listing lifetime: Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net'

DNS blacklist: old.spam.dnsbl
Zone: old.spam.dnsbl.sorbs.net
Listing goal: Hosts that have sent spam to the admins of SORBS in the last year
Nomination: SORBS Admin and Spamtrap
Listing lifetime: Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net'

DNS blacklist: spam.dnsbl
Zone: spam.dnsbl.sorbs.net
Listing goal: Hosts that have allegedly sent spam to the admins of SORBS at any time
Nomination: SORBS Admin and Spamtrap.
Listing lifetime: Until 1 year after the last spam is received and a request has been made or until the "fine" is paid for express delisting

DNS blacklist: escalations.dnsbl
Zone: escalations.dnsbl.sorbs.net
Listing goal: Netblocks of service providers believed to support spammers
Nomination: SORBS Admin fed.
Listing lifetime: Until delisting requested and matter resolved.
Notes: Service providers are added on receipt of a 'third strike' spam

DNS blacklist: block.dnsbl
Zone: block.dnsbl.sorbs.net
Listing goal: Hosts demanding that they never be tested
Nomination: Request by host
Listing lifetime: N/A

DNS blacklist: zombie.dnsbl
Zone: zombie.dnsbl.sorbs.net
Listing goal: Hijacked networks
Nomination: SORBS Admin (manual submission)
Listing lifetime: Until delisting requested.

DNS blacklist: dul.dnsbl
Zone: dul.dnsbl.sorbs.net
Listing goal: Dynamic IP address ranges
Nomination: SORBS Admin (manual submission)
Listing lifetime: Until delisting requested.
Notes: Not a list of dial-up IP addresses

DNS blacklist: rhsbl
Zone: rhsbl.sorbs.net
Listing goal: Aggregate RHS zones
Nomination: N/A
Listing lifetime: N/A

DNS blacklist: badconf.rhsbl
Zone: badconf.rhsbl.sorbs.net
Listing goal: Domains with invalid A or MX records in DNS
Nomination: Open submission via automated testing page.
Listing lifetime: Until delisting requested.

DNS blacklist: nomail.rhsbl
Zone: nomail.rhsbl.sorbs.net
Listing goal: Domains which the owners have confirmed will not be used for sending email
Nomination: Owner submission
Listing lifetime: Until delisting requested.

Blacklist operator: Spamhaus

DNS blacklist: SBL Advisory
Informational URL: [15]
Zone: sbl.spamhaus.org
Listing goal: Verified sources of spam, including spammers and their support services
Nomination: Manual
Listing lifetime: From 30 minutes to a year or more, depending on issue and resolution

DNS blacklist: XBL Advisory
Informational URL: [16]
Zone: xbl.spamhaus.org
Listing goal: Illegal third-party exploits (e.g. open proxies and Trojan Horses)
Nomination: Third-party (see Notes) with automated additions
Listing lifetime: Varies, under a month.
Notes: Includes the Composite Blocking List and parts of the Not Just Another Bogus List

DNS blacklist: PBL Advisory
Informational URL: [17]
Zone: pbl.spamhaus.org
Listing goal: Static, dial-up & DHCP IP address space that is not meant to be initiating SMTP connections
Nomination: Manual
Listing lifetime: Unknown
Notes: Should not be confused with the MAPS DUL and Wirehub Dynablocker lists

DNS blacklist: SBL+XBL
Informational URL: [18]
Zone: sbl-xbl.spamhaus.org
Listing goal: A single lookup for querying the SBL and XBL databases

DNS blacklist: Zen
Informational URL: [19]
Zone: zen.spamhaus.org
Listing goal: A single lookup for querying the SBL, XBL and PBL databases.
Notes: The one to use to get all.

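Blacklist operator: ORBITrbl Aggressive RBL

DNS blacklist: RBL
Informational URL: [20]
Zone: rbl.orbitrbl.com
Listing goal: Unsolicited bulk/Commercial email senders (/24 IP address block)
Nomination: Feeder servers
Listing lifetime: Until delisting requested? (Only When Found to be Non Spam Source)
Notes: Aggregate zone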

Blacklist operator: Composite Blocking List

DNS blacklist: CBL
Informational URL: [21]
Zone: cbl.abuseat.org (also free available rsync access, on request [22])
Listing goal: Only IP addresses exhibiting characteristics specific to open proxies, spamware, and the like.
Nomination: large spamtraps
Listing lifetime: Temporary, until spam stops
Notes: Use Spamhaus XBL or Spamhaus Zen instead; they include CBL.

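Blacklist operator: Passive Spam Block List

DNS blacklist: PSBL
Informational URL: [23]
Zone: psbl.surriel.com (also free available via rsync [24])
Listing goal: IP addresses used to send spam to trap
Nomination: spamtraps
Listing lifetime: Temporary, until spam stops

Blacklist operator: Intercept - DNS Blacklist (DNSBL)

DNS blacklist: Intercept
Informational URL: [25]
Zone: intercept.datapacket.net
Listing goal: IP addresses used to send spam to trap
Nomination: spamtraps
Listing lifetime: Temporary, until spam stops

Blacklist operator: Weighted Private Block List

DNS blacklist: WPBL
Informational URL: [26]
Zone: db.wpbl.info
Listing goal: IP addresses used to send UBE to members
Nomination: spamtraps
Listing lifetime: Temporary, until spam stops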

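Blacklist operator: SpamCop Blocking List

DNS blacklist: SCBL
Informational URL: [27]
Zone: bl.spamcop.net
Listing goal: IP addresses which have been used to transmit reported email to SpamCop users
Nomination: users submit
Listing lifetime: Temporary, until spam stops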

Blacklist operator: SpamRats

DNS blacklist: RATSNOPTR
Informational URL: [28]
Zone: noptr.spamrats.com
Listing goal: IP addresses detected as abusive at ISP's using MagicMail Servers, with no reverse DNS service
Nomination: Automatically Submitted
Listing lifetime: Listed until removed, and reverse DNS configured

DNS blacklist: RATSDYNA
Informational URL: [28]
Zone: dyna.spamrats.com
Listing goal: IP addresses detected as abusive at ISP's using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems
Nomination: Automatically Submitted
Listing lifetime: Listed until removed, and reverse DNS set to conform to Best Practises

DNS blacklist: RATSSPAM
Informational URL: [28]
Zone: spam.spamrats.com
Listing goal: IP addresses detected as abusive at ISP's using MagicMail Servers, and manually confirmed as spam sources
Nomination: Manually Submitted
Listing lifetime: Listed until removed

Blacklist operator: SpamCannibal

DNS blacklist: spamcannibal.org
Informational URL: [29]
Zone: bl.spamcannibal.org
Listing goal: IP addresses and related generic netblocks that have sent spam.
Nomination: spamtraps
Listing lifetime: Until removal requested and matter resolved by changing server DNS ptr record to a non-generic name.
Notes: Even if a particular IP has not sent spam, it may be included in a generic netblock which will provide many false positives. listed=127.0.0.2

Blacklist operator: IPQuery

DNS blacklist: ipquery.org
Informational URL: [30]
Zone: any.dnsl.ipquery.org
Listing goal: Spam sources, relay abusers, backscatterers
Nomination: Automated, based on traffic observed locally, with some human supervision
Listing lifetime: Varies; automatic expiry (varies by type); webpage allows delisting
Notes: Keeps a listing history; retains specimens

Blacklist operator: Not Just Another Bogus List

DNS blacklist: NJABL DNSBL
Informational URL: [31]
Zone: dnsbl.njabl.org
Listing goal: Open SMTP relays, multi-stage SMTP open relays, spam sources, insecure CGI scripts that allow open relaying, and open proxy servers
Nomination: spamtraps, testing, testing by trusted contributors

DNS blacklist: Bad host, no cookie
Zone: bhnc.njabl.org
Listing goal: These hosts have done things proper SMTP servers don't do.
Nomination: spamtraps
Listing lifetime: until de-listing requested

Blacklist operator: Distributed Realtime Blocking List

DNS blacklist: drand DRBL node
Informational URL: [32]
Zone: spamtrap.drbl.drand.net
Listing goal: IP addresses used to send spam to traps or members
Nomination: Automated [de]listing.
Listing lifetime: Varies from spam type, rate and other sophisticated factors. 30 s to 1 week.
Notes: High IP network aggregate threshold >= 254.

Blacklist operator: Junk Email Filter

DNS blacklist: Hostkarma
Informational URL: [33]
Zone: hostkarma.junkemailfilter.com, blacklist.hostkarma.com
Listing goal: Detects viruses by behavior using fake high MX and tracking non-use of QUIT
Nomination: Automated [de]listing
Listing lifetime: Black list data lives for 4 days. White list data lives for 10 days.
Notes: 127.0.0.1=white, 127.0.0.2=black, 127.0.0.3=yellow

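Blacklist operator: RFC-Ignorant.Org

DNS blacklist: DSN (<>)
Informational URL: [34]
Zone: dsn.rfc-ignorant.org (also free available via Rsync [35])
Listing goal: refusal to accept bounces (DSN)
Nomination: Open submission via automated testing page.
Listing lifetime: Until delisting requested.

DNS blacklist: postmaster
Informational URL: [36]
Zone: postmaster.rfc-ignorant.org (also free available via Rsync [35])
Listing goal: refusal to accept e-mail to postmaster

DNS blacklist: abuse
Informational URL: [37]
Zone: abuse.rfc-ignorant.org (also free available via Rsync [35])
Listing goal: refusal to accept e-mail to abuse

DNS blacklist: whois
Informational URL: [38]
Zone: whois.rfc-ignorant.org (also free available via Rsync [35])
Listing goal: bogus whois information

DNS blacklist: bogusmx
Informational URL: [39]
Zone: bogusmx.rfc-ignorant.org (also free available via Rsync [35])
Listing goal: bogus MX record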
Blacklist operator: The Abusive Hosts Blocking List (AHBL)

DNS blacklist: dnsbl
Informational URL: [40]
Zone: dnsbl.ahbl.org
Listing goal: Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers
Nomination: Feeder systems, manual
Listing lifetime: Until delisting requested
Notes: Aggregate zone (all aggregates and what they include are listed on [41])

DNS blacklist: rhsbl
Zone: rhsbl.ahbl.org
Listing goal: Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs
Nomination: Manual

DNS blacklist: ircbl
Zone: ircbl.ahbl.org
Listing goal: Subset of dnsbl, contains only open proxies, compromised machines, comment spammers
Listing lifetime: Until delisting requested
Notes: Designed for use on IRC servers

DNS blacklist: tor
Zone: tor.ahbl.org
Listing goal: Current tor relay and exit nodes
Nomination: Automated
Listing lifetime: N/A

Blacklist operator: Dronebl

DNS blacklist: dnsbl
Informational URL: [42]
Zone: dnsbl.dronebl.org
Listing goal: All-in-one abusive hosts blacklist
Nomination: Automated listing via distributed monitoring points
Listing lifetime: Permanent until delisted via website.

Blacklist operator: Quorum.to

DNS blacklist: ip-dnsbl
Informational URL: [43]
Zone: list.quorum.to. (or per-subscriber: [id].list.quorum.to.)
Listing goal: Stop spam from hosts that send no legitimate mail (list most non-mail-sending hosts).
Nomination: Listings based on "instant" automated checks, recipient nomination and traps.
Listing lifetime: Listings can be challenged. Subscribers vote to decide sender status.
Notes: Public list follows standard dnsbl protocol. Subscription based service is more capable, but does not follow standard.

Blacklist operator: Spamanalysis.org

DNS blacklist: GeoBL
Informational URL: [44]
Zone: User-defined: [*].geobl.spamanalysis.org
Listing goal: Lists hosts known as being in certain geographic locations.
Nomination: Users set their own list of blocked countries.
Listing lifetime: Hosts reported as being incorrectly located may be delisted.
Notes: Allows basic monitoring, listed if A=127.0.0.2 or TXT=blocked

Blacklist operator: ATLBL

DNS blacklist: ATLBL RBL
Informational URL: [45]
Zone: rbl.atlbl.net
Nomination: World wide abuse detection network made of spamtraps/honeypots.
Listing lifetime: Automatic, as soon as no further abuse is detected.
Notes: Allows simple DNSBL lookups of email spam sources.

DNS blacklist: ATLBL HBL
Informational URL: [45]
Zone: hbl.atlbl.net
Listing goal: List malware/abuse sources by hostname and domain for use in email and forum spam detection.
Nomination: World wide abuse detection network made of spamtraps/honeypots.
Listing lifetime: Automatic, as soon as no further abuse is detected.
Notes: Allows simple DNSBL lookups of abuse sources.

DNS blacklist: ATLBL ABL
Informational URL: [45]
Zone: access.atlbl.net
Nomination: World wide abuse detection network made of spamtraps/honeypots.
Listing lifetime: Automatic, as soon as no further abuse is detected.
Notes: Allows simple DNSBL lookups of IP addresses for known abusive sources such as SSH brute force attack sources and other forms of internet crime and abuse.

Blacklist operator: Heise Zeitschriften Verlag GmbH & Co. KG and hosted by manitu GmbH [46]

DNS blacklist: NiX Spam (nixspam)
Informational URL: [47]
Zone: ix.dnsbl.manitu.net
Listing goal: Lists single IPs (no IP ranges) that send spam to spamtraps.
Nomination: Automated listing due to spamtrap hits. Exceptions apply to bounces, NDRs and whitelisted IPs.
Listing lifetime: 12 hours after last listing or until self delisting
Notes: TXT records provide information of listing incident. NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin.

Blacklist operator: inps.de

DNS blacklist: inps.de-DNSBL
Informational URL: [48]
Zone: dnsbl.inps.de
Listing goal: Single IP addresses
Nomination: IP addresses can be reported as known spam sources by users, additionally automated listing if spam arrives at the mailservers of inps.de
Listing lifetime: IP addresses are listed until they are removed manually via the website.
Notes: A- and TXT records are available for each entry; Removal is free after 30 days for automatic additions and after 7 days for manual additions; otherwise removal fee is at least EUR 10,00.

External links
Blacklists Compared [49], weekly reports since July 2001
Blacklist Monitor - accuracy and inaccuracy rates of various blacklists [50]
Spam Links - DNS & RHS Blackhole Lists [51]
Multiple DNSBL lookup online tool [52]
Spam Blacklist Removal Instructions for Major ISPs [53]
Resource that lists hundreds of DNSBL zones. [54]

References
[1] http://www.gbudb.com/
[2] http://www.gbudb.com/truncate/
[3] http://www.armresearch.com/
[4] http://dnsbl.invaluement.com/
[5] http://dnsbl.invaluement.com/ivmsip/
[6] http://dnsbl.invaluement.com/ivmsip24/
[7] http://dnsbl.invaluement.com/ivmuri/
[8] http://proxybl.org/
[9] http://www.uceprotect.net/en/index.php?m=3&s=3
[10] http://www.uceprotect.net/en/index.php?m=6&s=10
[11] http://www.uceprotect.net/en/index.php?m=3&s=4
[12] http://www.uceprotect.net/en/index.php?m=3&s=5
[13] http://www.sorbs.net/
[14] http://www.sorbs.net/using.shtml
[15] http://www.spamhaus.org/sbl
[16] http://www.spamhaus.org/xbl
[17] http://www.spamhaus.org/pbl
[18] http://www.spamhaus.org
[19] http://www.spamhaus.org/zen
[20] http://www.orbitrbl.com
[21] http://cbl.abuseat.org/
[22] http://www.njabl.org/rsync.html
[23] http://psbl.surriel.com/
[24] http://psbl.surriel.com/howto/
[25] http://intercept.datapacket.net/
[26] http://www.wpbl.info/
[27] http://spamcop.net/bl.shtml
[28] http://www.spamrats.com
[29] http://spamcannibal.org/
[30] http://ipquery.org/
[31] http://www.njabl.org/use.html
[32] http://www.drbl.ru/
[33] http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
[34] http://rfc-ignorant.org/policy-dsn.php
[35] http://www.rfc-ignorant.org/rsync.php
[36] http://rfc-ignorant.org/policy-postmaster.php
[37] http://rfc-ignorant.org/policy-abuse.php
[38] http://rfc-ignorant.org/policy-whois.php
[39] http://rfc-ignorant.org/policy-bogusmx.php
[40] http://www.ahbl.org/
[41] http://www.ahbl.org/services
[42] http://dronebl.org/docs/howtouse
[43] http://www.quorum.to/
[44] http://spamanalysis.org/overview.html
[45] http://www.atlbl.com/en/about.html
[46] http://www.manitu.de/
[47] http://www.dnsbl.manitu.net/
[48] http://dnsbl.inps.de/?lang=en
[49] http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html
[50] http://www.intra2net.com/en/support/antispam/
[51] http://spamlinks.net/filter-dnsbl-lists.htm
[52] http://multirbl.valli.org/
[53] http://www.rackaid.com/resources/spam-blacklist-removal/
[54] http://www.moensted.dk/spam/


Article Sources and Contributors



Comparison of DNS blacklists Source: http://en.wikipedia.org/w/index.php?oldid=432923165 Contributors: Antispamdnsblguy, Ar-wiki, Atanw, Bruns, Bwpach, C.v.wolfhausen, Code-dweller, Drand, Edward, ErikWarmelink, Gelma, Gigs, Gradur, JackSchmidt, Jberkes, Joy, Kalinga, Linuxmagic, Llykstw, MER-C, Madda, Marcperkel, McGeddon, Mild Bill Hiccup, Mtcooper, Myiptest, Narfzorttroz, NightHawk1956, Phatom87, Pkoistin, Stephan Leeds, Steppres, Tabanger, Wolfhesse, Wrs1864, 44 anonymous edits

License
Creative Commons Attribution-Share Alike 3.0 Unported http://creativecommons.org/licenses/by-sa/3.0/
