Comparison of DNS blacklists
The following table lists technical information for a number of DNS blacklists.
|Blacklist operator||DNS blacklist||Informational URL||Zone||Listing goal||Nomination||Listing lifetime||Notes||Collateral Listings||Notifies upon listing|
|ARM Research Labs, LLC GBUdb||Truncate||||truncate.gbudb.net||Extremely conservative list of single IP4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reputation system. Most systems should be able to safely reject connections based on this list.||Automatic: IPs are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data.||Automatic: Continuous while reputation statistics remain bad. Warning: Produces false positives, and has no remedy/removal process. IPs are dropped quickly if the statistics improve (within an hour). IPs are dropped within 36 hours (typ) if no more messages are seen (dead zombie).||Source data is derived from a global network of Message Sniffer filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes.||no||no|
(paid access via rsync)
|Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spams which evade many other DNSBLs. Has FP-level comparable to Zen.||Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives||Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions||Spam samples are always kept on file for each listing. Removal requests are manually reviewed and processed without fees.||no||no|
(paid access via rsync)
|lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail. Collateral listings are kept to a minimum because subsections are often carved from /24 listings when spammers and legit senders share the same /24 block.||Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives||expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases||Removal requests are quickly and manually reviewed and processed without fees.||yes||no|
(paid access via rsync)
|comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages||Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives||Typically an automatic expiration several weeks after the last abuse was seen.||Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees.||no||no|
|proxyBL||dnsbl||||dnsbl.proxybl.org||Lists all types of open (publicly accessible) proxies||Automated listing through crawling of websites||As long as proxy is verified open (automated)||Time between verifications increases exponentially in relation to the number of times the host was verified an open proxy||yes||no|
|UCEPROTECT-Network||UCEPROTECT Level 1||||dnsbl-1.uceprotect.net
(also free available via rsync )
|Single IP addresses that send mail to spamtraps||Automatic by a cluster of more than 60 trapservers ||Automatic expiration 7 days after the last abuse was seen, optionally express delisting for a small fee.||UCEPROTECT's primary and the only independent list||no||no|
|UCEPROTECT Level 2||||dnsbl-2.uceprotect.net
(also free available via rsync )
|Allocations with exceeded UCEPROTECT Level 1 listings||Automatic calculated from UCEPROTECT-Level 1||Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (for a fee)||Fully depending on Level 1||yes||no|
|UCEPROTECT Level 3||||dnsbl-3.uceprotect.net
(also free available via rsync )
|ASN's with excessive UCEPROTECT Level 1 listings||Automatic calculated from UCEPROTECT-Level 1||Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee)||Fully depending on Level 1||yes||no|
|Spam and Open Relay Blocking System (SORBS)||dnsbl||||dnsbl.sorbs.net||Unsolicited bulk/commercial email senders||N/A (See individual zones)||N/A (See individual zones)||Aggregate zone (all aggregates and what they include are listed on SORBS)||yes||no|
|safe.dnsbl||safe.dnsbl.sorbs.net||Unsolicited bulk/commercial email senders||N/A (See individual zones)||N/A (See individual zones)||"Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent" and "escalations")||yes||no|
|http.dnsbl||http.dnsbl.sorbs.net||Open HTTP proxy servers||Feeder servers||Until delisting requested.||yes||no|
|socks.dnsbl||socks.dnsbl.sorbs.net||Open SOCKS proxy servers||Feeder servers||Until delisting requested.||yes||no|
|misc.dnsbl||misc.dnsbl.sorbs.net||Additional proxy servers||Feeder servers||Until delisting requested.||Those not already listed in the HTTP or SOCKS databases||yes||no|
|smtp.dnsbl||smtp.dnsbl.sorbs.net||Open SMTP relay servers||Feeder servers||Until delisting requested.||yes||no|
|web.dnsbl||web.dnsbl.sorbs.net||IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts)||Feeder servers||Until delisting requested or Automated Expiry||yes||no|
|new.spam.dnsbl||new.spam.dnsbl.sorbs.net||Hosts that have sent spam to the admins of SORBS in the last 48 hours||SORBS Admin and Spamtrap||Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net'||yes||no|
|recent.spam.dnsbl||recent.spam.dnsbl.sorbs.net||Hosts that have sent spam to the admins of SORBS in the last 28 days||SORBS Admin and Spamtrap||Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net'||yes||no|
|old.spam.dnsbl||old.spam.dnsbl.sorbs.net||Hosts that have sent spam to the admins of SORBS in the last year||SORBS Admin and Spamtrap||Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net'||yes||no|
|spam.dnsbl||spam.dnsbl.sorbs.net||Hosts that have allegedly sent spam to the admins of SORBS at any time||SORBS Admin and Spamtrap.||Until 1 year after the last spam is received and a request has been made or until the "fine" is paid for express delisting||yes||no|
|escalations.dnsbl||escalations.dnsbl.sorbs.net||Netblocks of service providers believed to support spammers||SORBS Admin fed.||Until delisting requested and matter resolved.||Service providers are added on receipt of a 'third strike' spam||yes||no|
|block.dnsbl||block.dnsbl.sorbs.net||Hosts demanding that they never be tested||Request by host||N/A||yes||no|
|zombie.dnsbl||zombie.dnsbl.sorbs.net||Hijacked networks||SORBS Admin (manual submission)||Until delisting requested.||yes||no|
|dul.dnsbl||dul.dnsbl.sorbs.net||Dynamic IP address ranges||SORBS Admin (manual submission)||Until delisting requested.||Not a list of dial-up IP addresses||yes||no|
|rhsbl||rhsbl.sorbs.net||Aggregate RHS zones||N/A||N/A||yes||no|
|badconf.rhsbl||badconf.rhsbl.sorbs.net||Domains with invalid A or MX records in DNS||Open submission via automated testing page.||Until delisting requested.||yes||no|
|nomail.rhsbl||nomail.rhsbl.sorbs.net||Domains which the owners have confirmed will not be used for sending email||Owner submission||Until delisting requested.||yes||no|
|Spamhaus||SBL Advisory||||sbl.spamhaus.org||Verified sources of spam, including spammers and their support services, per policy||Manual||From five minutes to a year or more, depending on issue and resolution||rarely (escalation)||yes (partial)|
|XBL Advisory||||xbl.spamhaus.org||Illegal third-party exploits (e.g. open proxies, email spambots, malware download sites
|Third-party with automated additions||Varies, under a month, self removal via Composite Blocking List lookup.||Consists of the Composite Blocking List||no||no|
|PBL Advisory||||pbl.spamhaus.org||Addresses not meant to be initiating SMTP connections, such as residential dynamic IPs||Manual, by providers controlling the IPs or by Spamhaus PBL Team||self-removal (see spamhaus web site)||Should not be confused with the MAPS DUL and Wirehub Dynablocker lists||no||no|
|SBL+XBL||||sbl-xbl.spamhaus.org||A single lookup for querying the SBL and XBL databases||per component list||per component list|
|Zen||||zen.spamhaus.org||A single lookup for querying the SBL, XBL and PBL databases.||Preferred list to check all Spamhaus listings with one query.||per component list||per component list|
|Composite Blocking List||CBL||||cbl.abuseat.org
(also free available rsync access, on request see FAQ )
|Only IP addresses exhibiting characteristics specific to open proxies, spamware, malware downloaders, botnets and the like.||Automatic: large spamtraps, production mail servers and other detecton methods.||less than a month after last listable event, self-removal via CBL lookup.||Use Spamhaus XBL or Spamhaus Zen instead; they include CBL.||no||no|
|Passive Spam Block List||PSBL||||psbl.surriel.com
(also free available via rsync )
|IP addresses used to send spam to trap||spamtraps||Temporary, until spam stops||no||no|
|Intercept - DNS Blacklist (DNSBL)||Intercept||||intercept.datapacket.net||IP addresses used to send spam to trap||spamtraps||Temporary, until spam stops||no||no|
|Weighted Private Block List||WPBL||||db.wpbl.info||IP addresses used to send UBE to members||spamtraps||Temporary, until spam stops||no||no|
|SpamCop Blocking List||SCBL||||bl.spamcop.net||IP addresses which have been used to transmit reported email to SpamCop users||users submit||Temporary, until spam stops, has self removal||no||yes (partial)|
|SpamRats||RATSNOPTR||||noptr.spamrats.com||IP addresses detected as abusive at ISP's using MagicMail Servers, with no reverse DNS service||Automatically Submitted||Listed until removed, and reverse DNS configured||yes||no|
|RATSDYNA||||dyna.spamrats.com||IP addresses detected as abusive at ISP's using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems||Automatically Submitted||Listed until removed, and reverse DNS set to conform to Best Practises||yes||no|
|RATSSPAM||||spam.spamrats.com||IP addresses detected as abusive at ISP's using MagicMail Servers, and manually confirmed as spam sources||Manually Submitted||Listed until removed||yes||no|
|SpamCannibal||spamcannibal.org||||bl.spamcannibal.org||IP addresses and related generic netblocks that have sent spam.||spamtraps||until removal requested and matter resolved by changing server DNS ptr record to a non-generic name.||Even if a particular IP has not sent spam, it may be included in a generic netblock which will provide many false positives. listed=127.0.0.2||yes||no|
|Distributed Realtime Blocking List||drand DRBL node||||spamtrap.drbl.drand.net||IP addresses used to send spam to traps or members||Automated [de]listing.||Varies from spam type, rate and other sophisticated factors. 30 s to 1 week.||High IP network aggregate threshold >= 254.||yes||no|
|Junk Email Filter||Hostkarma||||hostkarma.junkemailfilter.com
|Detects viruses by behavior using fake high MX and tracking non-use of QUIT||Automated [de]listing||Black list Data lives for 4 days. White list data lives for 10 days.||127.0.0.1=white 127.0.0.2=black 127.0.0.3=yellow||yes||no|
|Dronebl||dnsbl||||dnsbl.dronebl.org||All-in-one abusive hosts blacklist||Automated listing via distributed monitoring points||Permanent until delisted via website.||yes||no|
|Quorum.to||ip-dnsbl||||list.quorum.to. ( or per-subscriber: [id].list.quorum.to. )||Stop spam from hosts that send no legitimate mail (list most non-mail-sending hosts).||Listings based on "instant" automated checks, recipient nomination and traps.||Listings can be challenged. Subscribers vote to decide sender status.||Public list follows standard dnsbl protocol. Subscription based service is more capable, but does not follow standard.||yes||no|
|Spamanalysis.org||GeoBL||||User-defined: [*].geobl.spamanalysis.org||Lists hosts known as being in certain geographic locations.||Users set their own list of blocked countries.||Hosts reported as being incorrectly located may be delisted.||Allows basic monitoring, listed if A=127.0.0.2 or TXT=blocked||yes||no|
|Heise Zeitschriften Verlag GmbH & Co. KG, hosted by manitu GmbH||NiX Spam (nixspam)||||ix.dnsbl.manitu.net||Lists single IPs (no IP ranges) that send spam to spamtraps. Lists mailhosts, rather than domains, and thus blocks entire hosting providers and ISPs.||Automated listing due to spamtrap hits. Exceptions apply to bounces, NDRs and whitelisted IPs.||12 hours after last listing or until self delisting||TXT records provide information of listing incident - NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin.||no||yes (for ISPs/ESPs on request)|
|inps.de||inps.de-DNSBL||||dnsbl.inps.de||Single IP addresses||IP addresses can be reported as known spam sources by users, additionally automated listing if spam arrives at the mailservers of inps.de||IP addresses are listed until they are removed manually via the website.||A- and TXT records are available for each entry; Removal is free after 30 days for automatic additions and after 7 days for manual additions; otherwise removal fee is at least EUR 10,00.||maybe||no|
|blocklist.de ||dnsbl||||bl.blocklist.de||IP-Addresses who Attacks other Server/Honeypots over ssh, imap, smtp, ftp, web, rfi, sqli, ddos....||Automatic: over Honeypots and with over 515 Users and 630 Servers from blocklist.de via Fail2Ban or own scripts||Automatic: 48 Hours after the last Attack. But earlier remove is available over the Delist-Link||Services is free! Source data is from Honeypot-Systems and over 515 User with 630 Servern there reports Attacks with Fail2Ban||no||yes|
|SRN:SurGATE Reputation Network||SRN||||srnblack.surgate.net||Spam sources, relay abusers||Feeder servers||Automatic expiry (varies by type); webpage allows delisting||Removal requests are quickly and manually reviewed and processed without fees.||yes||no|
|s5h.net Internet Services||s5h.net||||all.s5h.net||Spam sources from email, forums, referrer spam and dictionary attacks||Traps||Twelve months unless ISPs request removal earlier||By request. ISPs can provide request exclusion||yes||no|
|MegaRBL||RBL||||rbl.megarbl.net||IP addresses used to send spam to traps||spamtraps, in order to avoid abusive reports (Competitors, false positive, etc...) only MegaRBL team can add an IP to the list.||Until delisting requested.||Removal requests are quickly and manually reviewed and processed without fees.||no||yes|
"Collateral Listings" - Deliberately listing non-offending IP addresses, in order to coerce ISPs to take action against spammers under their control.
"Notifies upon listing" - Warns the owner of the IP/Domain when they list an IP. (so owners can take action to fix the problem)
- "armresearch.com". armresearch.com. Retrieved 2012-05-06.
- UCEPROTECT® firstname.lastname@example.org. "UCEPROTECT®-Network - Germanys first Spam protection database". Uceprotect.net. Retrieved 2012-05-06.
- Simpson, Ken. "Getting Onto a Blacklist Without Sending Any Spam". MailChannels Anti-Spam Blog. MailChannels Corporation. Retrieved 16 September 2011.
- "sorbs.net". sorbs.net. Retrieved 2012-05-06.
- "The Cbl Faq". Cbl.abuseat.org. 2006-12-31. Retrieved 2012-05-06.
- RBL Check, RBL Check, Multiple & Real-Time
- Blacklists Compared, weekly reports since July 2001 (no new reports since 13th September 2014)
- Intra2net Blacklist Monitor, tracking more than 40 blacklists and giving weekly reports on hits and false positives
- Instant Multiple DNSBL Check Test, Open-to-use, Multiple DNSBL Check Test
- Multi-RBL Checking Tool, Multi-RBL Checker Tool (Check to see if your IP is showing up one or more RBLs)
- RBLTracker DNSBL Monitoring, Automated, Real-Time Black List Monitoring Service.
- SpamAssassin rule statistics, SpamAassassin's rule ham/spam ratios over time.
- List of all RBLs, Information about all existing blacklists including discontinued blacklists.
- Mail Server Blacklist Monitor, Blacklist monitoring service checking 150 blacklists, can be used freely.