SPAM-LIST


Transcript of SPAM-LIST

Page 1: SPAM-LIST

Comparison of DNS blacklists

The following table lists technical information for a number of DNS blacklists.

| Blacklist operator | DNS blacklist, informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| ARM Research Labs, LLC GBUdb [1] | Truncate [2] | truncate.gbudb.net | Extremely conservative list of single IPv4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reputation system. Most systems should be able to safely reject connections based on this list. | Automatic: IPs are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data. | Automatic: Continuous while reputation statistics remain bad. IPs are dropped quickly if the statistics improve (within an hour). IPs are dropped within 36 hours (typ) if no more messages are seen (dead zombie). | Source data is derived from a global network of Message Sniffer [3] filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes. |
| invaluement DNSBL [4] | ivmSIP [5] | N/A (paid access via rsync) | Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spams which evade many other DNSBLs. Has FP-level comparable to Zen. | Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives | Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions | Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees. |
| invaluement DNSBL | ivmSIP/24 [6] | N/A (paid access via rsync) | Lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail. | Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives | Expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases | Removal requests are quickly and manually reviewed and processed without fees. |
| invaluement DNSBL | ivmURI [7] | N/A (paid access via rsync) | Comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages | Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives | Typically an automatic expiration several weeks after the last abuse was seen. | Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees. |

Page 2: SPAM-LIST

| Blacklist operator | DNS blacklist, informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| proxyBL | dnsbl [8] | dnsbl.proxybl.org | Lists all types of open (publicly accessible) proxies | Automated listing through crawling of websites | As long as proxy is verified open (automated) | Time between verifications increases exponentially in relation to the number of times the host was verified as an open proxy |
| UCEPROTECT-Network | UCEPROTECT Level 1 [9] | dnsbl-1.uceprotect.net (also freely available via rsync [10]) | Single IP addresses that send mail to spamtraps | Automatic by a cluster of more than 60 trapservers | Automatic expiration 7 days after the last abuse was seen, optionally express delisting (fee) | UCEPROTECT's primary and the only independent list |
| UCEPROTECT-Network | UCEPROTECT Level 2 [11] | dnsbl-2.uceprotect.net (also freely available via rsync [10]) | Allocations with exceeded UCEPROTECT Level 1 listings | Automatically calculated from UCEPROTECT-Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (fee) | Fully depending on Level 1 |
| UCEPROTECT-Network | UCEPROTECT Level 3 [12] | dnsbl-3.uceprotect.net (also freely available via rsync [10]) | ASNs with excessive UCEPROTECT Level 1 listings | Automatically calculated from UCEPROTECT-Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee) | Fully depending on Level 1 |

Page 3: SPAM-LIST

| Blacklist operator | DNS blacklist, informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Spam and Open Relay Blocking System (SORBS) | dnsbl [13] | dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | Aggregate zone (all aggregates and what they include are listed on [14]) |
| SORBS | safe.dnsbl | safe.dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent" and "escalations") |
| SORBS | http.dnsbl | http.dnsbl.sorbs.net | Open HTTP proxy servers | Feeder servers | Until delisting requested. | |
| SORBS | socks.dnsbl | socks.dnsbl.sorbs.net | Open SOCKS proxy servers | Feeder servers | Until delisting requested. | |
| SORBS | misc.dnsbl | misc.dnsbl.sorbs.net | Additional proxy servers | Feeder servers | Until delisting requested. | Those not already listed in the HTTP or SOCKS databases |
| SORBS | smtp.dnsbl | smtp.dnsbl.sorbs.net | Open SMTP relay servers | Feeder servers | Until delisting requested. | |
| SORBS | web.dnsbl | web.dnsbl.sorbs.net | IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts) | Feeder servers | Until delisting requested or Automated Expiry | |
| SORBS | new.spam.dnsbl | new.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS in the last 48 hours | SORBS Admin and Spamtrap | Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net' | |
| SORBS | recent.spam.dnsbl | recent.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS in the last 28 days | SORBS Admin and Spamtrap | Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net' | |

Page 4: SPAM-LIST

| Blacklist operator | DNS blacklist, informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| SORBS | old.spam.dnsbl | old.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS in the last year | SORBS Admin and Spamtrap | Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net' | |
| SORBS | spam.dnsbl | spam.dnsbl.sorbs.net | Hosts that have allegedly sent spam to the admins of SORBS at any time | SORBS Admin and Spamtrap. | Until 1 year after the last spam is received and a request has been made or until the "fine" is paid for express delisting | |
| SORBS | escalations.dnsbl | escalations.dnsbl.sorbs.net | Netblocks of service providers believed to support spammers | SORBS Admin fed. | Until delisting requested and matter resolved. | Service providers are added on receipt of a 'third strike' spam |
| SORBS | block.dnsbl | block.dnsbl.sorbs.net | Hosts demanding that they never be tested | Request by host | N/A | |
| SORBS | zombie.dnsbl | zombie.dnsbl.sorbs.net | Hijacked networks | SORBS Admin (manual submission) | Until delisting requested. | |
| SORBS | dul.dnsbl | dul.dnsbl.sorbs.net | Dynamic IP address ranges | SORBS Admin (manual submission) | Until delisting requested. | Not a list of dial-up IP addresses |
| SORBS | rhsbl | rhsbl.sorbs.net | Aggregate RHS zones | N/A | N/A | |
| SORBS | badconf.rhsbl | badconf.rhsbl.sorbs.net | Domains with invalid A or MX records in DNS | Open submission via automated testing page. | Until delisting requested. | |
| SORBS | nomail.rhsbl | nomail.rhsbl.sorbs.net | Domains which the owners have confirmed will not be used for sending email | Owner submission | Until delisting requested. | |

Page 5: SPAM-LIST

| Blacklist operator | DNS blacklist, informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Spamhaus | SBL Advisory [15] | sbl.spamhaus.org | Verified sources of spam, including spammers and their support services | Manual | From 30 minutes to a year or more, depending on issue and resolution | |
| Spamhaus | XBL Advisory [16] | xbl.spamhaus.org | Illegal third-party exploits (e.g. open proxies and Trojan Horses) | Third-party (see Notes) with automated additions | Varies, under a month. | Includes the Composite Blocking List and parts of the Not Just Another Bogus List |
| Spamhaus | PBL Advisory [17] | pbl.spamhaus.org | Static, dial-up & DHCP IP address space that is not meant to be initiating SMTP connections | Manual | Unknown | Should not be confused with the MAPS DUL and Wirehub Dynablocker lists |
| Spamhaus | SBL+XBL [18] | sbl-xbl.spamhaus.org | A single lookup for querying the SBL and XBL databases | | | |
| Spamhaus | Zen [19] | zen.spamhaus.org | A single lookup for querying the SBL, XBL and PBL databases. The one to use to get all. | | | |
| ORBITrbl Aggressive RBL | RBL [20] | rbl.orbitrbl.com | Unsolicited bulk/Commercial email senders (/24 IP address block) | Feeder servers | Until delisting requested? (Only When Found to be Non Spam Source) | Aggregate zone |
| Composite Blocking List | CBL [21] | cbl.abuseat.org (also freely available via rsync access, on request [22]) | Only IP addresses exhibiting characteristics specific to open proxies, spamware, and the like. | large spamtraps | Temporary, until spam stops | Use Spamhaus XBL or Spamhaus Zen instead; they include CBL. |
| Passive Spam Block List | PSBL [23] | psbl.surriel.com (also freely available via rsync [24]) | IP addresses used to send spam to trap | spamtraps | Temporary, until spam stops | |
| Intercept - DNS Blacklist (DNSBL) | Intercept [25] | intercept.datapacket.net | IP addresses used to send spam to trap | spamtraps | Temporary, until spam stops | |
| Weighted Private Block List | WPBL [26] | db.wpbl.info | IP addresses used to send UBE to members | spamtraps | Temporary, until spam stops | |
| SpamCop Blocking List | SCBL [27] | bl.spamcop.net | IP addresses which have been used to transmit reported email to SpamCop users | users submit | Temporary, until spam stops | |

Page 6: SPAM-LIST

| Blacklist operator | DNS blacklist, informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| SpamRats | RATSNOPTR [28] | noptr.spamrats.com | IP addresses detected as abusive at ISPs using MagicMail Servers, with no reverse DNS service | Automatically Submitted | Listed until removed, and reverse DNS configured | |
| SpamRats | RATSDYNA [28] | dyna.spamrats.com | IP addresses detected as abusive at ISPs using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems | Automatically Submitted | Listed until removed, and reverse DNS set to conform to Best Practises | |
| SpamRats | RATSSPAM [28] | spam.spamrats.com | IP addresses detected as abusive at ISPs using MagicMail Servers, and manually confirmed as spam sources | Manually Submitted | Listed until removed | |
| SpamCannibal | spamcannibal.org [29] | bl.spamcannibal.org | IP addresses and related generic netblocks that have sent spam. | spamtraps | Until removal requested and matter resolved by changing server DNS PTR record to a non-generic name. | Even if a particular IP has not sent spam, it may be included in a generic netblock which will provide many false positives. listed=127.0.0.2 |
| IPQuery | ipquery.org [30] | any.dnsl.ipquery.org | Spam sources, relay abusers, backscatterers | Automated, based on traffic observed locally, with some human supervision | Automatic expiry (varies by type); webpage allows delisting | Keeps a listing history; retains specimens |
| Not Just Another Bogus List | NJABL DNSBL [31] | dnsbl.njabl.org | Open SMTP relays, multi-stage SMTP open relays, spam sources, insecure CGI scripts that allow open relaying, and open proxy servers | spamtraps, testing, testing by trusted contributors | Varies | |
| Not Just Another Bogus List | Bad host, no cookie | bhnc.njabl.org | These hosts have done things proper SMTP servers don't do. | spamtraps | Until de-listing requested | |

Page 7: SPAM-LIST

| Blacklist operator | DNS blacklist, informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Distributed Realtime Blocking List | drand DRBL node [32] | spamtrap.drbl.drand.net | IP addresses used to send spam to traps or members | Automated [de]listing. | Varies from spam type, rate and other sophisticated factors. 30 s to 1 week. | High IP network aggregate threshold >= 254. |
| Junk Email Filter | Hostkarma [33] | hostkarma.junkemailfilter.com, blacklist.hostkarma.com | Detects viruses by behavior using fake high MX and tracking non-use of QUIT | Automated [de]listing | Black list data lives for 4 days. White list data lives for 10 days. | 127.0.0.1=white, 127.0.0.2=black, 127.0.0.3=yellow |
| RFC-Ignorant.Org | DSN (<>) [34] | dsn.rfc-ignorant.org (also freely available via rsync [35]) | Refusal to accept bounces (DSN) | Open submission via automated testing page. | Until delisting requested. | |
| RFC-Ignorant.Org | postmaster [36] | postmaster.rfc-ignorant.org (also freely available via rsync [35]) | Refusal to accept e-mail to postmaster | | | |
| RFC-Ignorant.Org | abuse [37] | abuse.rfc-ignorant.org (also freely available via rsync [35]) | Refusal to accept e-mail to abuse | | | |
| RFC-Ignorant.Org | whois [38] | whois.rfc-ignorant.org (also freely available via rsync [35]) | Bogus whois information | | | |
| RFC-Ignorant.Org | bogusmx [39] | bogusmx.rfc-ignorant.org (also freely available via rsync [35]) | Bogus MX record | | | |
| The Abusive Hosts Blocking List (AHBL) | dnsbl [40] | dnsbl.ahbl.org | Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers | Feeder systems, manual | Until delisting requested | Aggregate zone (all aggregates and what they include are listed on [41]) |
| AHBL | rhsbl | rhsbl.ahbl.org | Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs | Manual | | |
| AHBL | ircbl | ircbl.ahbl.org | Subset of dnsbl, contains only open proxies, compromised machines, comment spammers | | Until delisting requested | Designed for use on IRC servers |
| AHBL | tor | tor.ahbl.org | Current tor relay and exit nodes | Automated | N/A | |

Page 8: SPAM-LIST

| Blacklist operator | DNS blacklist, informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Dronebl | dnsbl [42] | dnsbl.dronebl.org | All-in-one abusive hosts blacklist | Automated listing via distributed monitoring points | Permanent until delisted via website. | |
| Quorum.to | ip-dnsbl [43] | list.quorum.to. (or per-subscriber: [id].list.quorum.to.) | Stop spam from hosts that send no legitimate mail (list most non-mail-sending hosts). | Listings based on "instant" automated checks, recipient nomination and traps. | Listings can be challenged. Subscribers vote to decide sender status. | Public list follows standard dnsbl protocol. Subscription based service is more capable, but does not follow standard. |
| Spamanalysis.org | GeoBL [44] | User-defined: [*].geobl.spamanalysis.org | Lists hosts known as being in certain geographic locations. | Users set their own list of blocked countries. | Hosts reported as being incorrectly located may be delisted. | Allows basic monitoring, listed if A=127.0.0.2 or TXT=blocked |
| ATLBL | ATLBL RBL [45] | rbl.atlbl.net | | Worldwide abuse detection network made of spamtraps/honeypots. | Automatic, as soon as no further abuse is detected. | Allows simple DNSBL lookups of email spam sources. |
| ATLBL | ATLBL HBL [45] | hbl.atlbl.net | List malware/abuse sources by hostname and domain for use in email and forum spam detection. | Worldwide abuse detection network made of spamtraps/honeypots. | Automatic, as soon as no further abuse is detected. | Allows simple DNSBL lookups of abuse sources. |
| ATLBL | ATLBL ABL [45] | access.atlbl.net | | Worldwide abuse detection network made of spamtraps/honeypots. | Automatic, as soon as no further abuse is detected. | Allows simple DNSBL lookups of IP addresses for known abusive sources such as SSH brute force attack sources and other forms of internet crime and abuse. |
| Heise Zeitschriften Verlag GmbH & Co. KG and hosted by manitu GmbH [46] | NiX Spam (nixspam) [47] | ix.dnsbl.manitu.net | Lists single IPs (no IP ranges) that send spam to spamtraps. | Automated listing due to spamtrap hits. Exceptions apply to bounces, NDRs and whitelisted IPs. | 12 hours after last listing or until self delisting | TXT records provide information of listing incident - NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin. |

Page 9: SPAM-LIST

| Blacklist operator | DNS blacklist, informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| inps.de | inps.de-DNSBL [48] | dnsbl.inps.de | Single IP addresses | IP addresses can be reported as known spam sources by users, additionally automated listing if spam arrives at the mailservers of inps.de | IP addresses are listed until they are removed manually via the website. | A- and TXT records are available for each entry; Removal is free after 30 days for automatic additions and after 7 days for manual additions; otherwise removal fee is at least EUR 10,00. |

External links

• Blacklists Compared [49], weekly reports since July 2001

• Blacklist Monitor - accuracy and inaccuracy rates of various blacklists [50]

• Spam Links - DNS & RHS Blackhole Lists [51]

• Multiple DNSBL lookup online tool [52]

• Spam Blacklist Removal Instructions for Major ISPs [53]

• Resource that lists hundreds of DNSBL zones. [54]

References

[1] http://www.gbudb.com/
[2] http://www.gbudb.com/truncate/
[3] http://www.armresearch.com/
[4] http://dnsbl.invaluement.com/
[5] http://dnsbl.invaluement.com/ivmsip/
[6] http://dnsbl.invaluement.com/ivmsip24/
[7] http://dnsbl.invaluement.com/ivmuri/
[8] http://proxybl.org/
[9] http://www.uceprotect.net/en/index.php?m=3&s=3
[10] http://www.uceprotect.net/en/index.php?m=6&s=10
[11] http://www.uceprotect.net/en/index.php?m=3&s=4
[12] http://www.uceprotect.net/en/index.php?m=3&s=5
[13] http://www.sorbs.net/
[14] http://www.sorbs.net/using.shtml
[15] http://www.spamhaus.org/sbl
[16] http://www.spamhaus.org/xbl
[17] http://www.spamhaus.org/pbl
[18] http://www.spamhaus.org
[19] http://www.spamhaus.org/zen
[20] http://www.orbitrbl.com
[21] http://cbl.abuseat.org/
[22] http://www.njabl.org/rsync.html
[23] http://psbl.surriel.com/
[24] http://psbl.surriel.com/howto/
[25] http://intercept.datapacket.net/
[26] http://www.wpbl.info/
[27] http://spamcop.net/bl.shtml
[28] http://www.spamrats.com

Page 10: SPAM-LIST

[29] http://spamcannibal.org/
[30] http://ipquery.org/
[31] http://www.njabl.org/use.html
[32] http://www.drbl.ru/
[33] http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
[34] http://rfc-ignorant.org/policy-dsn.php
[35] http://www.rfc-ignorant.org/rsync.php
[36] http://rfc-ignorant.org/policy-postmaster.php
[37] http://rfc-ignorant.org/policy-abuse.php
[38] http://rfc-ignorant.org/policy-whois.php
[39] http://rfc-ignorant.org/policy-bogusmx.php
[40] http://www.ahbl.org/
[41] http://www.ahbl.org/services
[42] http://dronebl.org/docs/howtouse
[43] http://www.quorum.to/
[44] http://spamanalysis.org/overview.html
[45] http://www.atlbl.com/en/about.html
[46] http://www.manitu.de/
[47] http://www.dnsbl.manitu.net/
[48] http://dnsbl.inps.de/?lang=en
[49] http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html
[50] http://www.intra2net.com/en/support/antispam/
[51] http://spamlinks.net/filter-dnsbl-lists.htm
[52] http://multirbl.valli.org/
[53] http://www.rackaid.com/resources/spam-blacklist-removal/
[54] http://www.moensted.dk/spam/

Page 11: SPAM-LIST

Article Sources and Contributors

Comparison of DNS blacklists  Source: http://en.wikipedia.org/w/index.php?oldid=432923165  Contributors: Antispamdnsblguy, Ar-wiki, Atanw, Bruns, Bwpach, C.v.wolfhausen, Code-dweller, Drand, Edward, ErikWarmelink, Gelma, Gigs, Gradur, JackSchmidt, Jberkes, Joy, Kalinga, Linuxmagic, Llykstw, MER-C, Madda, Marcperkel, McGeddon, Mild Bill Hiccup, Mtcooper, Myiptest, Narfzorttroz, NightHawk1956, Phatom87, Pkoistin, Stephan Leeds, Steppres, Tabanger, Wolfhesse, Wrs1864, 44 anonymous edits

License

Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/