Comparison of DNS blacklists
From Wikipedia, the free encyclopedia
The following table lists technical information for a number of DNS blacklists.
| Blacklist operator | DNS blacklist | Informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes | |
|---|---|---|---|---|---|---|---|---|
| invaluement DNSBL | ivmSIP | [1] | N/A (accessed via rsync) | Single IPs which only send UBE. Specializes in snowshoe spam and other 'under the radar' spam which evades many other DNSBLs. Has a false-positive level comparable to Zen. | Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives | Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions | Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees. | |
| | ivmSIP/24 | [2] | N/A (accessed via rsync) | Lists /24 blocks of IPs which usually only send UBE and where at least several IPs in that block are confirmed emitters of only spam. | Automatic once at least several IPs from that block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives | Expiration time grows into many weeks as the number of IPs sending spam from the /24 block increases | Removal requests are quickly and manually reviewed and processed without fees. | |
| | ivmURI | [3] | N/A (accessed via rsync) | Comparable to uribl.com and surbl.org, this is a list of IPs and domains which are used by spammers in the clickable links found in the body of spam messages | Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives | Typically an automatic expiration several weeks after the last abuse was seen. | Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees. | |
| proxyBL | dnsbl | [4] | dnsbl.proxybl.org | Lists all types of open (publicly accessible) proxies | Automated listing through crawling of websites | As long as proxy is verified open (automated) | Time between verifications increases exponentially in relation to the number of times the host was verified an open proxy | |
| UCEPROTECT-Network | UCEPROTECT Level 1 | [5] | dnsbl-1.uceprotect.net | Single IPs that send mail to spamtraps | Automatic by a cluster of more than 60 trapservers | Automatic expiration 7 days after the last abuse was seen, optionally express delisting (fee) | UCEPROTECT's primary list and its only independent one | |
| | UCEPROTECT Level 2 | [6] | dnsbl-2.uceprotect.net | Allocations with excessive UCEPROTECT Level 1 listings | Automatically calculated from UCEPROTECT Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (fee) | Fully dependent on Level 1 | |
| | UCEPROTECT Level 3 | [7] | dnsbl-3.uceprotect.net | ASNs with excessive UCEPROTECT Level 1 listings | Automatically calculated from UCEPROTECT Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee) | Fully dependent on Level 1 | |
| Spam and Open Relay Blocking System (SORBS) | dnsbl | [8] | dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | Aggregate zone (all aggregates and what they include are listed on [9]) | |
| | safe.dnsbl | | safe.dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent" and "escalations") | |
| | http.dnsbl | | http.dnsbl.sorbs.net | Open HTTP proxy servers | Feeder servers | Until delisting requested. | | |
| | socks.dnsbl | | socks.dnsbl.sorbs.net | Open SOCKS proxy servers | Feeder servers | Until delisting requested. | | |
| | misc.dnsbl | | misc.dnsbl.sorbs.net | Additional proxy servers | Feeder servers | Until delisting requested. | Those not already listed in the HTTP or SOCKS databases | |
| | smtp.dnsbl | | smtp.dnsbl.sorbs.net | Open SMTP relay servers | Feeder servers | Until delisting requested. | | |
| | web.dnsbl | | web.dnsbl.sorbs.net | IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts) | Feeder servers | Until delisting requested or Automated Expiry | | |
| | new.spam.dnsbl | | new.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS in the last 48 hours | SORBS Admin and Spamtrap | Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net' | | |
| | recent.spam.dnsbl | | recent.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS in the last 28 days | SORBS Admin and Spamtrap | Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net' | | |
| | old.spam.dnsbl | | old.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS in the last year | SORBS Admin and Spamtrap | Renewed every 20 minutes based on inclusion in 'spam.dnsbl.sorbs.net' | | |
| | spam.dnsbl | | spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS at any time | SORBS Admin and Spamtrap. | Until delisting requested or matter resolved | | |
| | escalations.dnsbl | | escalations.dnsbl.sorbs.net | Netblocks of service providers believed to support spammers | SORBS Admin fed. | Until delisting requested and matter resolved. | Service providers are added on receipt of a 'third strike' spam | |
| | block.dnsbl | | block.dnsbl.sorbs.net | Hosts demanding that they never be tested | Request by host | N/A | | |
| | zombie.dnsbl | | zombie.dnsbl.sorbs.net | Hijacked networks | SORBS Admin (manual submission) | Until delisting requested. | | |
| | dul.dnsbl | | dul.dnsbl.sorbs.net | Dynamic IP address ranges | SORBS Admin (manual submission) | Until delisting requested. | Not a list of dial-up IP addresses | |
| | rhsbl | | rhsbl.sorbs.net | Aggregate RHS zones | N/A | N/A | | |
| | badconf.rhsbl | | badconf.rhsbl.sorbs.net | Domains with invalid A or MX records in DNS | Open submission via automated testing page. | Until delisting requested. | | |
| | nomail.rhsbl | | nomail.rhsbl.sorbs.net | Domains which the owners have confirmed will not be used for sending email | Owner submission | Until delisting requested. | | |
| Spamhaus | SBL Advisory | [10] | sbl.spamhaus.org | Verified sources of spam, including spammers and their support services | Manual | From 30 minutes to a year or more, depending on issue and resolution | ||
| | XBL Advisory | [11] | xbl.spamhaus.org | Illegal third-party exploits (e.g. open proxies and Trojan Horses) | Third-party (see Notes) with automated additions | Varies, under a month. | Includes the Composite Blocking List and parts of the Not Just Another Bogus List | |
| | PBL Advisory | [12] | pbl.spamhaus.org | All Static, dialup & DHCP IP address space that is not meant to be initiating SMTP connections | Manual | Unknown | Should not be confused with the MAPS DUL and Wirehub Dynablocker lists | |
| | SBL+XBL | [13] | sbl-xbl.spamhaus.org | A single lookup for querying the SBL and XBL databases | | | | |
| | Zen | [14] | zen.spamhaus.org | A single lookup for querying the SBL, XBL and PBL databases. | | | The one to use to get all. | |
| ORBITrbl Aggressive RBL | RBL | [15] | rbl.orbitrbl.com | Unsolicited bulk/Commercial email senders (Block Class C IP Block) | Feeder servers | Until delisting requested? (Only When Found to be Non Spam Source) | Aggregate zone | |
| Composite Blocking List | CBL | [16] | cbl.abuseat.org | Only IPs exhibiting characteristics specific to open proxies, spamware, etc. | large spamtraps | Temporary, until spam stops | Use Spamhaus XBL or Spamhaus Zen instead; they include CBL. | |
| Passive Spam Block List | PSBL | [17] | psbl.surriel.com | IP addresses which send spam to trap | spamtraps | Temporary, until spam stops | ||
| Intercept - DNS Blacklist (DNSBL) | Intercept | [18] | intercept.datapacket.net | IP addresses which send spam to trap | spamtraps | Temporary, until spam stops | ||
| Weighted Private Block List | WPBL | [19] | db.wpbl.info | IP addresses which send UBE to members | spamtraps | Temporary, until spam stops | ||
| SpamCop Blocking List | SCBL | [20] | bl.spamcop.net | IP addresses which have transmitted reported email to SpamCop users | users submit | Temporary, until spam stops | ||
| SpamRats | RATSNOPTR | [21] | noptr.spamrats.com | IP addresses detected as abusive at ISP/Telcos using MagicMail Servers, with no reverse DNS | Automatically Submitted | Listed until removed, and reverse DNS configured | ||
| | RATSDYNA | [22] | dyna.spamrats.com | IP addresses detected as abusive at ISP/Telcos using MagicMail Servers, with non-conforming reverse DNS (See Best Practises) indicative of a compromised PC | Automatically Submitted | Listed until removed, and reverse DNS set to conform to Best Practises | | |
| | RATSSPAM | [23] | spam.spamrats.com | IP addresses detected as abusive at ISP/Telcos using MagicMail Servers, and manually confirmed as a Spam Source | Manually Submitted | Listed until removed | | |
| SpamCannibal | spamcannibal.org | [24] | bl.spamcannibal.org | IP addresses and related generic netblocks that have sent spam to local mail hosts | spamtraps | until removal requested and matter resolved | listed=127.0.0.2 | |
| Distributed Sender Blackhole List | list.DSBL.org | [25] | list.dsbl.org | all single hop relays | tested by trusted testers (database crashed and is currently empty (2008-06-05)) | until de-listing requested | explanation of test methods | |
| | multihop.DSBL.org | | multihop.dsbl.org | the outputs of multihop relays | tested by trusted testers | until de-listing requested | explanation of test methods | |
| | unconfirmed.DSBL.org | | unconfirmed.dsbl.org | all the output servers | tested by untrusted and anonymous testers | until de-listing requested | explanation of test methods | |
| Not Just Another Bogus List | NJABL DNSBL | [26] | dnsbl.njabl.org | SMTP open relays, Multi-stage SMTP open relays, spam sources, Insecure CGI scripts that allow open relaying, open proxy servers | spamtraps, testing, testing by trusted contributors | Varies | ||
| | Bad host, no cookie | | bhnc.njabl.org | These hosts have done things proper SMTP servers don't do. | spamtraps | until de-listing requested | | |
| Distributed Realtime Blocking List | drand DRBL node | [27] | spamtrap.drbl.drand.net | IP addresses which send spam to trap, IP addresses which send UBE to members. | Automated [de]listing. | Varies with spam type, rate and other sophisticated factors. 30s-1w. | High IP network aggregate threshold >= 254. | |
| Dynamic Realtime Blocking List | RU RBL | [28] | db.rurbl.ru | IP addresses which send spam or viruses to mail server with special sensors. | Automated [de]listing. | Varies with spam or virus pushing characteristics. 5s - 20min. | explanations | |
| Junk Email Filter | Hostkarma | [29] | hostkarma.junkemailfilter.com blacklist.hostkarma.com | Detects viruses by behavior using fake high MX and tracking non-use of QUIT. | Automated [de]listing | Black list data lives for 4 days. White list data lives for 10 days. | 127.0.0.1=white 127.0.0.2=black 127.0.0.3=yellow | |
| RFC-Ignorant.Org | DSN (<>) | [30] | dsn.rfc-ignorant.org | refusal to accept bounces (DSN) | Open submission via automated testing page. | Until delisting requested. | ||
| | postmaster | [31] | postmaster.rfc-ignorant.org | refusal to accept e-mail to postmaster | | | | |
| | abuse | [32] | abuse.rfc-ignorant.org | refusal to accept e-mail to abuse | | | | |
| | whois | [33] | whois.rfc-ignorant.org | bogus whois information | | | | |
| | bogusmx | [34] | bogusmx.rfc-ignorant.org | bogus MX record | | | | |
| The Abusive Hosts Blocking List (AHBL) | dnsbl | [35] | dnsbl.ahbl.org | Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers | Feeder systems, manual | Until delisting requested | Aggregate zone (all aggregates and what they include are listed on [36]) | |
| | rhsbl | | rhsbl.ahbl.org | Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs | Manual | | | |
| | ircbl | | ircbl.ahbl.org | Subset of dnsbl, contains only open proxies, compromised machines, comment spammers | | Until delisting requested | Designed for use on IRC servers | |
| | tor | | tor.ahbl.org | Current tor relay and exit nodes | Automated | N/A | | |
| Dronebl | dnsbl | [37] | dnsbl.dronebl.org | All-in-one abusive hosts blacklist | Automated listing via distributed monitoring points | Permanent until delisted via website. | ||
| Quorum.to | ip-dnsbl | [38] | ( Per-subscriber: [id].list.quorum.to. ) | Stop spam from hosts that send no legitimate mail (list most non-mail-sending hosts). | Listings based on "instant" automated checks, recipient nomination and traps. | Listings can be challenged. Subscribers vote to decide sender status. | Does not follow the "nxdomain=no block" dnsbl standard. All queries receive a coded link in a TXT record, to provide feedback. | |
| Spamanalysis.org | GeoBL | [39] | User-defined: [*].geobl.spamanalysis.org | Lists hosts known as being in certain geographic locations. | Users set their own list of blocked countries. | Hosts reported as being incorrectly located may be delisted. | Allows basic monitoring, listed if A=127.0.0.2 or TXT=blocked |
External links
- Blacklists Compared, weekly reports since July 2001
- DNSBL Statistics - A controversial[40][41][42] comparison of several popular DNSBLs.
- Spam Links - DNS & RHS Blackhole Lists
- Spam Links - Dead DNS and RHS Blackhole Lists
- Multiple DNSBL lookup online tool

