SPAM-LIST
Comparison of DNS blacklists

The following table lists technical information for a number of DNS blacklists.

Columns: Blacklist operator | DNS blacklist | Informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes
Blacklist operator: ARM Research Labs, LLC
DNS blacklist: GBUdb [1] Truncate [2]
Zone: truncate.gbudb.net
Listing goal: Extremely conservative list of single IPv4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reputation system. Most systems should be able to safely reject connections based on this list.
Nomination: Automatic: IPs are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data.
Listing lifetime: Automatic: Continuous while reputation statistics remain bad. IPs are dropped quickly if the statistics improve (within an hour). IPs are dropped within 36 hours (typ) if no more messages are seen (dead zombie).
Notes: Source data is derived from a global network of Message Sniffer [3] filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes.

Blacklist operator: invaluement DNSBL [4]
DNS blacklist: ivmSIP [5]
Zone: N/A (paid access via rsync)
Listing goal: Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spams which evade many other DNSBLs. Has FP-level comparable to Zen.
Nomination: Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives
Listing lifetime: Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions
Notes: Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees.

Blacklist operator: invaluement DNSBL [4]
DNS blacklist: ivmSIP/24 [6]
Zone: N/A (paid access via rsync)
Listing goal: Lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail.
Nomination: Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives
Listing lifetime: Expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases
Notes: Removal requests are quickly and manually reviewed and processed without fees.

Blacklist operator: invaluement DNSBL [4]
DNS blacklist: ivmURI [7]
Zone: N/A (paid access via rsync)
Listing goal: Comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages
Nomination: Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives
Listing lifetime: Typically an automatic expiration several weeks after the last abuse was seen.
Notes: Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees.

Blacklist operator: proxyBL
DNS blacklist: dnsbl [8]
Zone: dnsbl.proxybl.org
Listing goal: Lists all types of open (publicly accessible) proxies
Nomination: Automated listing through crawling of websites
Listing lifetime: As long as proxy is verified open (automated)
Notes: Time between verifications increases exponentially in relation to the number of times the host was verified an open proxy

Blacklist operator: UCEPROTECT-Network
DNS blacklist: UCEPROTECT Level 1 [9]
Zone: dnsbl-1.uceprotect.net (also freely available via rsync [10])
Listing goal: Single IP addresses that send mail to spamtraps
Nomination: Automatic by a cluster of more than 60 trapservers
Listing lifetime: Automatic expiration 7 days after the last abuse was seen, optionally express delisting (fee)
Notes: UCEPROTECT's primary and the only independent list

Blacklist operator: UCEPROTECT-Network
DNS blacklist: UCEPROTECT Level 2 [11]
Zone: dnsbl-2.uceprotect.net (also freely available via rsync [10])
Listing goal: Allocations with exceeded UCEPROTECT Level 1 listings
Nomination: Automatically calculated from UCEPROTECT-Level 1
Listing lifetime: Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (fee)
Notes: Fully depending on Level 1

Blacklist operator: UCEPROTECT-Network
DNS blacklist: UCEPROTECT Level 3 [12]
Zone: dnsbl-3.uceprotect.net (also freely available via rsync [10])
Listing goal: ASNs with excessive UCEPROTECT Level 1 listings
Nomination: Automatically calculated from UCEPROTECT-Level 1
Listing lifetime: Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee)
Notes: Fully depending on Level 1
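
Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: dnsbl [13]
Zone: dnsbl.sorbs.net
Listing goal: Unsolicited bulk/commercial email senders
Nomination: N/A (See individual zones)
Listing lifetime: N/A (See individual zones)
Notes: Aggregate zone (all aggregates and what they include are listed on [14])

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: safe.dnsbl
Zone: safe.dnsbl.sorbs.net
Listing goal: Unsolicited bulk/commercial email senders
Nomination: N/A (See individual zones)
Listing lifetime: N/A (See individual zones)
Notes: "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent" and "escalations")

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: http.dnsbl
Zone: http.dnsbl.sorbs.net
Listing goal: Open HTTP proxy servers
Nomination: Feeder servers
Listing lifetime: Until delisting requested.

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: socks.dnsbl
Zone: socks.dnsbl.sorbs.net
Listing goal: Open SOCKS proxy servers
Nomination: Feeder servers
Listing lifetime: Until delisting requested.

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: misc.dnsbl
Zone: misc.dnsbl.sorbs.net
Listing goal: Additional proxy servers
Nomination: Feeder servers
Listing lifetime: Until delisting requested.
Notes: Those not already listed in the HTTP or SOCKS databases

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: smtp.dnsbl
Zone: smtp.dnsbl.sorbs.net
Listing goal: Open SMTP relay servers
Nomination: Feeder servers
Listing lifetime: Until delisting requested.

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: web.dnsbl
Zone: web.dnsbl.sorbs.net
Listing goal: IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts)
Nomination: Feeder servers
Listing lifetime: Until delisting requested or Automated Expiry

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: new.spam.dnsbl
Zone: new.spam.dnsbl.sorbs.net
Listing goal: Hosts that have sent spam to the admins of SORBS in the last 48 hours
Nomination: SORBS Admin and Spamtrap
Listing lifetime: Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net'

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: recent.spam.dnsbl
Zone: recent.spam.dnsbl.sorbs.net
Listing goal: Hosts that have sent spam to the admins of SORBS in the last 28 days
Nomination: SORBS Admin and Spamtrap
Listing lifetime: Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net'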
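
Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: old.spam.dnsbl
Zone: old.spam.dnsbl.sorbs.net
Listing goal: Hosts that have sent spam to the admins of SORBS in the last year
Nomination: SORBS Admin and Spamtrap
Listing lifetime: Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net'

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: spam.dnsbl
Zone: spam.dnsbl.sorbs.net
Listing goal: Hosts that have allegedly sent spam to the admins of SORBS at any time
Nomination: SORBS Admin and Spamtrap.
Listing lifetime: Until 1 year after the last spam is received and a request has been made or until the "fine" is paid for express delisting

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: escalations.dnsbl
Zone: escalations.dnsbl.sorbs.net
Listing goal: Netblocks of service providers believed to support spammers
Nomination: SORBS Admin fed.
Listing lifetime: Until delisting requested and matter resolved.
Notes: Service providers are added on receipt of a 'third strike' spam

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: block.dnsbl
Zone: block.dnsbl.sorbs.net
Listing goal: Hosts demanding that they never be tested
Nomination: Request by host
Listing lifetime: N/A

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: zombie.dnsbl
Zone: zombie.dnsbl.sorbs.net
Listing goal: Hijacked networks
Nomination: SORBS Admin (manual submission)
Listing lifetime: Until delisting requested.

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: dul.dnsbl
Zone: dul.dnsbl.sorbs.net
Listing goal: Dynamic IP address ranges
Nomination: SORBS Admin (manual submission)
Listing lifetime: Until delisting requested.
Notes: Not a list of dial-up IP addresses

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: rhsbl
Zone: rhsbl.sorbs.net
Listing goal: Aggregate RHS zones
Nomination: N/A
Listing lifetime: N/A

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: badconf.rhsbl
Zone: badconf.rhsbl.sorbs.net
Listing goal: Domains with invalid A or MX records in DNS
Nomination: Open submission via automated testing page.
Listing lifetime: Until delisting requested.

Blacklist operator: Spam and Open Relay Blocking System (SORBS)
DNS blacklist: nomail.rhsbl
Zone: nomail.rhsbl.sorbs.net
Listing goal: Domains which the owners have confirmed will not be used for sending email
Nomination: Owner submission
Listing lifetime: Until delisting requested.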
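
Blacklist operator: Spamhaus
DNS blacklist: SBL Advisory [15]
Zone: sbl.spamhaus.org
Listing goal: Verified sources of spam, including spammers and their support services
Nomination: Manual
Listing lifetime: From 30 minutes to a year or more, depending on issue and resolution

Blacklist operator: Spamhaus
DNS blacklist: XBL Advisory [16]
Zone: xbl.spamhaus.org
Listing goal: Illegal third-party exploits (e.g. open proxies and Trojan Horses)
Nomination: Third-party (see Notes) with automated additions
Listing lifetime: Varies, under a month.
Notes: Includes the Composite Blocking List and parts of the Not Just Another Bogus List

Blacklist operator: Spamhaus
DNS blacklist: PBL Advisory [17]
Zone: pbl.spamhaus.org
Listing goal: Static, dial-up & DHCP IP address space that is not meant to be initiating SMTP connections
Nomination: Manual
Listing lifetime: Unknown
Notes: Should not be confused with the MAPS DUL and Wirehub Dynablocker lists

Blacklist operator: Spamhaus
DNS blacklist: SBL+XBL [18]
Zone: sbl-xbl.spamhaus.org
Listing goal: A single lookup for querying the SBL and XBL databases

Blacklist operator: Spamhaus
DNS blacklist: Zen [19]
Zone: zen.spamhaus.org
Listing goal: A single lookup for querying the SBL, XBL and PBL databases.
Notes: The one to use to get all.

Blacklist operator: ORBITrbl Aggressive RBL
DNS blacklist: RBL [20]
Zone: rbl.orbitrbl.com
Listing goal: Unsolicited bulk/Commercial email senders (/24 IP address block)
Nomination: Feeder servers
Listing lifetime: Until delisting requested? (Only When Found to be Non Spam Source)
Notes: Aggregate zone

Blacklist operator: Composite Blocking List
DNS blacklist: CBL [21]
Zone: cbl.abuseat.org (also freely available via rsync access, on request [22])
Listing goal: Only IP addresses exhibiting characteristics specific to open proxies, spamware, and the like.
Nomination: large spamtraps
Listing lifetime: Temporary, until spam stops
Notes: Use Spamhaus XBL or Spamhaus Zen instead; they include CBL.

Blacklist operator: Passive Spam Block List
DNS blacklist: PSBL [23]
Zone: psbl.surriel.com (also freely available via rsync [24])
Listing goal: IP addresses used to send spam to trap
Nomination: spamtraps
Listing lifetime: Temporary, until spam stops

Blacklist operator: Intercept - DNS Blacklist (DNSBL)
DNS blacklist: Intercept [25]
Zone: intercept.datapacket.net
Listing goal: IP addresses used to send spam to trap
Nomination: spamtraps
Listing lifetime: Temporary, until spam stops

Blacklist operator: Weighted Private Block List
DNS blacklist: WPBL [26]
Zone: db.wpbl.info
Listing goal: IP addresses used to send UBE to members
Nomination: spamtraps
Listing lifetime: Temporary, until spam stops

Blacklist operator: SpamCop Blocking List
DNS blacklist: SCBL [27]
Zone: bl.spamcop.net
Listing goal: IP addresses which have been used to transmit reported email to SpamCop users
Nomination: users submit
Listing lifetime: Temporary, until spam stops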

Blacklist operator: SpamRats
DNS blacklist: RATS NOPTR [28]
Zone: noptr.spamrats.com
Listing goal: IP addresses detected as abusive at ISPs using MagicMail Servers, with no reverse DNS service
Nomination: Automatically Submitted
Listing lifetime: Listed until removed, and reverse DNS configured

Blacklist operator: SpamRats
DNS blacklist: RATS DYNA [28]
Zone: dyna.spamrats.com
Listing goal: IP addresses detected as abusive at ISPs using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems
Nomination: Automatically Submitted
Listing lifetime: Listed until removed, and reverse DNS set to conform to Best Practises

Blacklist operator: SpamRats
DNS blacklist: RATS SPAM [28]
Zone: spam.spamrats.com
Listing goal: IP addresses detected as abusive at ISPs using MagicMail Servers, and manually confirmed as spam sources
Nomination: Manually Submitted
Listing lifetime: Listed until removed

Blacklist operator: SpamCannibal
DNS blacklist: spamcannibal.org [29]
Zone: bl.spamcannibal.org
Listing goal: IP addresses and related generic netblocks that have sent spam.
Nomination: spamtraps
Listing lifetime: Until removal requested and matter resolved by changing server DNS ptr record to a non-generic name.
Notes: Even if a particular IP has not sent spam, it may be included in a generic netblock which will provide many false positives. listed=127.0.0.2

Blacklist operator: IPQuery
DNS blacklist: ipquery.org [30]
Zone: any.dnsl.ipquery.org
Listing goal: Spam sources, relay abusers, backscatterers
Nomination: Automated, based on traffic observed locally, with some human supervision
Listing lifetime: Automatic expiry (varies by type); webpage allows delisting
Notes: Keeps a listing history; retains specimens

Blacklist operator: Not Just Another Bogus List
DNS blacklist: NJABL DNSBL [31]
Zone: dnsbl.njabl.org
Listing goal: Open SMTP relays, multi-stage SMTP open relays, spam sources, insecure CGI scripts that allow open relaying, and open proxy servers
Nomination: spamtraps, testing, testing by trusted contributors
Listing lifetime: Varies

Blacklist operator: Not Just Another Bogus List
DNS blacklist: Bad host, no cookie
Zone: bhnc.njabl.org
Listing goal: These hosts have done things proper SMTP servers don't do.
Nomination: spamtraps
Listing lifetime: Until de-listing requested
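
Blacklist operator: Distributed Realtime Blocking List
DNS blacklist: drand DRBL node [32]
Zone: spamtrap.drbl.drand.net
Listing goal: IP addresses used to send spam to traps or members
Nomination: Automated [de]listing.
Listing lifetime: Varies from spam type, rate and other sophisticated factors. 30 s to 1 week.
Notes: High IP network aggregate threshold >= 254.

Blacklist operator: Junk Email Filter
DNS blacklist: Hostkarma [33]
Zone: hostkarma.junkemailfilter.com, blacklist.hostkarma.com
Listing goal: Detects viruses by behavior using fake high MX and tracking non-use of QUIT
Nomination: Automated [de]listing
Listing lifetime: Black list data lives for 4 days. White list data lives for 10 days.
Notes: 127.0.0.1=white, 127.0.0.2=black, 127.0.0.3=yellow

Blacklist operator: RFC-Ignorant.Org
DNS blacklist: DSN (<>) [34]
Zone: dsn.rfc-ignorant.org (also freely available via rsync [35])
Listing goal: Refusal to accept bounces (DSN)
Nomination: Open submission via automated testing page.
Listing lifetime: Until delisting requested.

Blacklist operator: RFC-Ignorant.Org
DNS blacklist: postmaster [36]
Zone: postmaster.rfc-ignorant.org (also freely available via rsync [35])
Listing goal: Refusal to accept e-mail to postmaster

Blacklist operator: RFC-Ignorant.Org
DNS blacklist: abuse [37]
Zone: abuse.rfc-ignorant.org (also freely available via rsync [35])
Listing goal: Refusal to accept e-mail to abuse

Blacklist operator: RFC-Ignorant.Org
DNS blacklist: whois [38]
Zone: whois.rfc-ignorant.org (also freely available via rsync [35])
Listing goal: Bogus whois information

Blacklist operator: RFC-Ignorant.Org
DNS blacklist: bogusmx [39]
Zone: bogusmx.rfc-ignorant.org (also freely available via rsync [35])
Listing goal: Bogus MX record

Blacklist operator: The Abusive Hosts Blocking List (AHBL)
DNS blacklist: dnsbl [40]
Zone: dnsbl.ahbl.org
Listing goal: Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers
Nomination: Feeder systems, manual
Listing lifetime: Until delisting requested
Notes: Aggregate zone (all aggregates and what they include are listed on [41])

Blacklist operator: The Abusive Hosts Blocking List (AHBL)
DNS blacklist: rhsbl
Zone: rhsbl.ahbl.org
Listing goal: Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs
Nomination: Manual

Blacklist operator: The Abusive Hosts Blocking List (AHBL)
DNS blacklist: ircbl
Zone: ircbl.ahbl.org
Listing goal: Subset of dnsbl, contains only open proxies, compromised machines, comment spammers
Listing lifetime: Until delisting requested
Notes: Designed for use on IRC servers

Blacklist operator: The Abusive Hosts Blocking List (AHBL)
DNS blacklist: tor
Zone: tor.ahbl.org
Listing goal: Current tor relay and exit nodes
Nomination: Automated
Listing lifetime: N/A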

Blacklist operator: Dronebl
DNS blacklist: dnsbl [42]
Zone: dnsbl.dronebl.org
Listing goal: All-in-one abusive hosts blacklist
Nomination: Automated listing via distributed monitoring points
Listing lifetime: Permanent until delisted via website.

Blacklist operator: Quorum.to
DNS blacklist: ip-dnsbl [43]
Zone: list.quorum.to. (or per-subscriber: [id].list.quorum.to.)
Listing goal: Stop spam from hosts that send no legitimate mail (list most non-mail-sending hosts).
Nomination: Listings based on "instant" automated checks, recipient nomination and traps.
Listing lifetime: Listings can be challenged. Subscribers vote to decide sender status.
Notes: Public list follows standard dnsbl protocol. Subscription based service is more capable, but does not follow standard.

Blacklist operator: Spamanalysis.org
DNS blacklist: GeoBL [44]
Zone: User-defined: [*].geobl.spamanalysis.org
Listing goal: Lists hosts known as being in certain geographic locations.
Nomination: Users set their own list of blocked countries.
Listing lifetime: Hosts reported as being incorrectly located may be delisted.
Notes: Allows basic monitoring, listed if A=127.0.0.2 or TXT=blocked

Blacklist operator: ATLBL
DNS blacklist: ATLBL RBL [45]
Zone: rbl.atlbl.net
Nomination: World wide abuse detection network made of spamtraps/honeypots.
Listing lifetime: Automatic, as soon as no further abuse is detected.
Notes: Allows simple DNSBL lookups of email spam sources.

Blacklist operator: ATLBL
DNS blacklist: ATLBL HBL [45]
Zone: hbl.atlbl.net
Listing goal: List malware/abuse sources by hostname and domain for use in email and forum spam detection.
Nomination: World wide abuse detection network made of spamtraps/honeypots.
Listing lifetime: Automatic, as soon as no further abuse is detected.
Notes: Allows simple DNSBL lookups of abuse sources.

Blacklist operator: ATLBL
DNS blacklist: ATLBL ABL [45]
Zone: access.atlbl.net
Nomination: World wide abuse detection network made of spamtraps/honeypots.
Listing lifetime: Automatic, as soon as no further abuse is detected.
Notes: Allows simple DNSBL lookups of IP addresses for known abusive sources such as SSH brute force attack sources and other forms of internet crime and abuse.

Blacklist operator: Heise Zeitschriften Verlag GmbH & Co. KG and hosted by manitu GmbH [46]
DNS blacklist: NiX Spam (nixspam) [47]
Zone: ix.dnsbl.manitu.net
Listing goal: Lists single IPs (no IP ranges) that send spam to spamtraps.
Nomination: Automated listing due to spamtrap hits. Exceptions apply to bounces, NDRs and whitelisted IPs.
Listing lifetime: 12 hours after last listing or until self delisting
Notes: TXT records provide information of listing incident - NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin.

Blacklist operator: inps.de
DNS blacklist: inps.de-DNSBL [48]
Zone: dnsbl.inps.de
Listing goal: Single IP addresses
Nomination: IP addresses can be reported as known spam sources by users, additionally automated listing if spam arrives at the mailservers of inps.de
Listing lifetime: IP addresses are listed until they are removed manually via the website.
Notes: A- and TXT records are available for each entry; Removal is free after 30 days for automatic additions and after 7 days for manual additions; otherwise removal fee is at least EUR 10,00.

External links
• Blacklists Compared [49], weekly reports since July 2001
• Blacklist Monitor - accuracy and inaccuracy rates of various blacklists [50]
• Spam Links - DNS & RHS Blackhole Lists [51]
• Multiple DNSBL lookup online tool [52]
• Spam Blacklist Removal Instructions for Major ISPs [53]
• Resource that lists hundreds of DNSBL zones. [54]

References
[1] http://www.gbudb.com/
[2] http://www.gbudb.com/truncate/
[3] http://www.armresearch.com/
[4] http://dnsbl.invaluement.com/
[5] http://dnsbl.invaluement.com/ivmsip/
[6] http://dnsbl.invaluement.com/ivmsip24/
[7] http://dnsbl.invaluement.com/ivmuri/
[8] http://proxybl.org/
[9] http://www.uceprotect.net/en/index.php?m=3&s=3
[10] http://www.uceprotect.net/en/index.php?m=6&s=10
[11] http://www.uceprotect.net/en/index.php?m=3&s=4
[12] http://www.uceprotect.net/en/index.php?m=3&s=5
[13] http://www.sorbs.net/
[14] http://www.sorbs.net/using.shtml
[15] http://www.spamhaus.org/sbl
[16] http://www.spamhaus.org/xbl
[17] http://www.spamhaus.org/pbl
[18] http://www.spamhaus.org
[19] http://www.spamhaus.org/zen
[20] http://www.orbitrbl.com
[21] http://cbl.abuseat.org/
[22] http://www.njabl.org/rsync.html
[23] http://psbl.surriel.com/
[24] http://psbl.surriel.com/howto/
[25] http://intercept.datapacket.net/
[26] http://www.wpbl.info/
[27] http://spamcop.net/bl.shtml
[28] http://www.spamrats.com
[29] http://spamcannibal.org/
[30] http://ipquery.org/
[31] http://www.njabl.org/use.html
[32] http://www.drbl.ru/
[33] http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
[34] http://rfc-ignorant.org/policy-dsn.php
[35] http://www.rfc-ignorant.org/rsync.php
[36] http://rfc-ignorant.org/policy-postmaster.php
[37] http://rfc-ignorant.org/policy-abuse.php
[38] http://rfc-ignorant.org/policy-whois.php
[39] http://rfc-ignorant.org/policy-bogusmx.php
[40] http://www.ahbl.org/
[41] http://www.ahbl.org/services
[42] http://dronebl.org/docs/howtouse
[43] http://www.quorum.to/
[44] http://spamanalysis.org/overview.html
[45] http://www.atlbl.com/en/about.html
[46] http://www.manitu.de/
[47] http://www.dnsbl.manitu.net/
[48] http://dnsbl.inps.de/?lang=en
[49] http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html
[50] http://www.intra2net.com/en/support/antispam/
[51] http://spamlinks.net/filter-dnsbl-lists.htm
[52] http://multirbl.valli.org/
[53] http://www.rackaid.com/resources/spam-blacklist-removal/
[54] http://www.moensted.dk/spam/

Article Sources and Contributors
Comparison of DNS blacklists Source: http://en.wikipedia.org/w/index.php?oldid=432923165 Contributors: Antispamdnsblguy, Ar-wiki, Atanw, Bruns, Bwpach, C.v.wolfhausen, Code-dweller, Drand, Edward, ErikWarmelink, Gelma, Gigs, Gradur, JackSchmidt, Jberkes, Joy, Kalinga, Linuxmagic, Llykstw, MER-C, Madda, Marcperkel, McGeddon, Mild Bill Hiccup, Mtcooper, Myiptest, Narfzorttroz, NightHawk1956, Phatom87, Pkoistin, Stephan Leeds, Steppres, Tabanger, Wolfhesse, Wrs1864, 44 anonymous edits

License
Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/