Comparison of DNS blacklists
The following table lists technical information for a number of DNS blacklists.
|Blacklist operator||DNS blacklist||Informational URL||Zone||Listing goal||Nomination||Listing lifetime||Notes||Collateral Listings||Notifies upon listing|
|ARM Research Labs, LLC GBUdb||Truncate||||truncate.gbudb.net||Extremely conservative list of single IP4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reputation system. Most systems should be able to safely reject connections based on this list.||Automatic: IPs are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data.||Automatic: Continuous while reputation statistics remain bad. Warning: Produces false positives, and has no remedy/removal process. IPs are dropped quickly if the statistics improve (within an hour). IPs are dropped within 36 hours (typ) if no more messages are seen (dead zombie).||Source data is derived from a global network of Message Sniffer filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes.||no||no|
(paid access via rsync)
|Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spams which evade many other DNSBLs. Has FP-level comparable to Zen.||Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives||Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions||Spam samples are always kept on file for each listing. Removal requests are manually reviewed and processed without fees.||no||no|
(paid access via rsync)
|lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail. Collateral listings are kept to a minimum because subsections are often carved from /24 listings when spammers and legit senders share the same /24 block.||Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives||expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases||Removal requests are quickly and manually reviewed and processed without fees.||yes||no|
(paid access via rsync)
|comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages||Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives||Typically an automatic expiration several weeks after the last abuse was seen.||Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees.||no||no|
|proxyBL||dnsbl||||dnsbl.proxybl.org||Lists all types of open (publicly accessible) proxies||Automated listing through crawling of websites||As long as proxy is verified open (automated)||Time between verifications increases exponentially in relation to the number of times the host was verified an open proxy||yes||no|
|UCEPROTECT-Network||UCEPROTECT Level 1||||dnsbl-1.uceprotect.net
(also free available via rsync )
|Single IP addresses that send mail to spamtraps||Automatic by a cluster of more than 60 trapservers ||Automatic expiration 7 days after the last abuse was seen, optionally express delisting for a small fee.||UCEPROTECT's primary and the only independent list||no||no|
|UCEPROTECT Level 2||||dnsbl-2.uceprotect.net
(also free available via rsync )
|Allocations with exceeded UCEPROTECT Level 1 listings||Automatic calculated from UCEPROTECT-Level 1||Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (for a fee)||Fully depending on Level 1||yes||no|
|UCEPROTECT Level 3||||dnsbl-3.uceprotect.net
(also free available via rsync )
|ASN's with excessive UCEPROTECT Level 1 listings||Automatic calculated from UCEPROTECT-Level 1||Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee)||Fully depending on Level 1||yes||no|
|Spam and Open Relay Blocking System (SORBS)||dnsbl||||dnsbl.sorbs.net||Unsolicited bulk/commercial email senders||N/A (See individual zones)||N/A (See individual zones)||Aggregate zone (all aggregates and what they include are listed on SORBS)||yes||no|
|safe.dnsbl||safe.dnsbl.sorbs.net||Unsolicited bulk/commercial email senders||N/A (See individual zones)||N/A (See individual zones)||"Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent" and "escalations")||yes||no|
|http.dnsbl||http.dnsbl.sorbs.net||Open HTTP proxy servers||Feeder servers||Until delisting requested.||yes||no|
|socks.dnsbl||socks.dnsbl.sorbs.net||Open SOCKS proxy servers||Feeder servers||Until delisting requested.||yes||no|
|misc.dnsbl||misc.dnsbl.sorbs.net||Additional proxy servers||Feeder servers||Until delisting requested.||Those not already listed in the HTTP or SOCKS databases||yes||no|
|smtp.dnsbl||smtp.dnsbl.sorbs.net||Open SMTP relay servers||Feeder servers||Until delisting requested.||yes||no|
|web.dnsbl||web.dnsbl.sorbs.net||IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts)||Feeder servers||Until delisting requested or Automated Expiry||yes||no|
|new.spam.dnsbl||new.spam.dnsbl.sorbs.net||Hosts that have sent spam to the admins of SORBS in the last 48 hours||SORBS Admin and Spamtrap||Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net'||yes||no|
|recent.spam.dnsbl||recent.spam.dnsbl.sorbs.net||Hosts that have sent spam to the admins of SORBS in the last 28 days||SORBS Admin and Spamtrap||Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net'||yes||no|
|old.spam.dnsbl||old.spam.dnsbl.sorbs.net||Hosts that have sent spam to the admins of SORBS in the last year||SORBS Admin and Spamtrap||Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net'||yes||no|
|spam.dnsbl||spam.dnsbl.sorbs.net||Hosts that have allegedly sent spam to the admins of SORBS at any time||SORBS Admin and Spamtrap.||Until 1 year after the last spam is received and a request has been made or until the "fine" is paid for express delisting||yes||no|
|escalations.dnsbl||escalations.dnsbl.sorbs.net||Netblocks of service providers believed to support spammers||SORBS Admin fed.||Until delisting requested and matter resolved.||Service providers are added on receipt of a 'third strike' spam||yes||no|
|block.dnsbl||block.dnsbl.sorbs.net||Hosts demanding that they never be tested||Request by host||N/A||yes||no|
|zombie.dnsbl||zombie.dnsbl.sorbs.net||Hijacked networks||SORBS Admin (manual submission)||Until delisting requested.||yes||no|
|dul.dnsbl||dul.dnsbl.sorbs.net||Dynamic IP address ranges||SORBS Admin (manual submission)||Until delisting requested.||Not a list of dial-up IP addresses||yes||no|
|rhsbl||rhsbl.sorbs.net||Aggregate RHS zones||N/A||N/A||yes||no|
|badconf.rhsbl||badconf.rhsbl.sorbs.net||Domains with invalid A or MX records in DNS||Open submission via automated testing page.||Until delisting requested.||yes||no|
|nomail.rhsbl||nomail.rhsbl.sorbs.net||Domains which the owners have confirmed will not be used for sending email||Owner submission||Until delisting requested.||yes||no|
|Spamhaus||SBL Advisory||||sbl.spamhaus.org||Verified sources of spam, including spammers and their support services||Manual||From 30 minutes to a year or more, depending on issue and resolution||yes||no|
|XBL Advisory||||xbl.spamhaus.org||Illegal third-party exploits (e.g. open proxies and Trojan Horses)||Third-party (see Notes) with automated additions||Varies, under a month.||Includes the Composite Blocking List and parts of the Not Just Another Bogus List||yes||no|
|PBL Advisory||||pbl.spamhaus.org||Static, dial-up & DHCP IP address space that is not meant to be initiating SMTP connections||Manual||Unknown||Should not be confused with the MAPS DUL and Wirehub Dynablocker lists||yes||no|
|SBL+XBL||||sbl-xbl.spamhaus.org||A single lookup for querying the SBL and XBL databases||yes||no|
|Zen||||zen.spamhaus.org||A single lookup for querying the SBL, XBL and PBL databases.||The one to use to get all.||yes||no|
|ORBITrbl Aggressive RBL||RBL||||rbl.orbitrbl.com||Unsolicited bulk/Commercial email senders (/24 IP address block)||Feeder servers||Until delisting requested? (Only When Found to be Non Spam Source)||Aggregate zone||yes||no|
|Composite Blocking List||CBL||||cbl.abuseat.org
(also free available rsync access, on request see FAQ )
|Only IP addresses exhibiting characteristics specific to open proxies, spamware, botnets and the like.||Automatic: large spamtraps and production mail servers||Temporary, until spam stops||Use Spamhaus XBL or Spamhaus Zen instead; they include CBL.||yes||no|
|Passive Spam Block List||PSBL||||psbl.surriel.com
(also free available via rsync )
|IP addresses used to send spam to trap||spamtraps||Temporary, until spam stops||yes||no|
|Intercept - DNS Blacklist (DNSBL)||Intercept||||intercept.datapacket.net||IP addresses used to send spam to trap||spamtraps||Temporary, until spam stops||yes||no|
|Weighted Private Block List||WPBL||||db.wpbl.info||IP addresses used to send UBE to members||spamtraps||Temporary, until spam stops||yes||no|
|SpamCop Blocking List||SCBL||||bl.spamcop.net||IP addresses which have been used to transmit reported email to SpamCop users||users submit||Temporary, until spam stops||yes||no|
|SpamRats||RATSNOPTR||||noptr.spamrats.com||IP addresses detected as abusive at ISP's using MagicMail Servers, with no reverse DNS service||Automatically Submitted||Listed until removed, and reverse DNS configured||yes||no|
|RATSDYNA||||dyna.spamrats.com||IP addresses detected as abusive at ISP's using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems||Automatically Submitted||Listed until removed, and reverse DNS set to conform to Best Practises||yes||no|
|RATSSPAM||||spam.spamrats.com||IP addresses detected as abusive at ISP's using MagicMail Servers, and manually confirmed as spam sources||Manually Submitted||Listed until removed||yes||no|
|SpamCannibal||spamcannibal.org||||bl.spamcannibal.org||IP addresses and related generic netblocks that have sent spam.||spamtraps||until removal requested and matter resolved by changing server DNS ptr record to a non-generic name.||Even if a particular IP has not sent spam, it may be included in a generic netblock which will provide many false positives. listed=127.0.0.2||yes||no|
|IPQuery||ipquery.org||||any.dnsl.ipquery.org||Spam sources, relay abusers, backscatterers||Automated, based on traffic observed locally, with some human supervision||Automatic expiry (varies by type); webpage allows delisting||Keeps a listing history; retains specimens||yes||no|
|Distributed Realtime Blocking List||drand DRBL node||||spamtrap.drbl.drand.net||IP addresses used to send spam to traps or members||Automated [de]listing.||Varies from spam type, rate and other sophisticated factors. 30 s to 1 week.||High IP network aggregate threshold >= 254.||yes||no|
|Junk Email Filter||Hostkarma||||hostkarma.junkemailfilter.com
|Detects viruses by behavior using fake high MX and tracking non-use of QUIT||Automated [de]listing||Black list Data lives for 4 days. White list data lives for 10 days.||127.0.0.1=white 127.0.0.2=black 127.0.0.3=yellow||yes||no|
|The Abusive Hosts Blocking List (AHBL)||dnsbl||||dnsbl.ahbl.org||Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers||Feeder systems, manual||Until delisting requested||Aggregate zone (all aggregates and what they include are listed on AHBL)||yes||no|
|rhsbl||rhsbl.ahbl.org||Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs||Manual||yes||no|
|ircbl||ircbl.ahbl.org||Subset of dnsbl, contains only open proxies, compromised machines, comment spammers||Until delisting requested||Designed for use on IRC servers||yes||no|
|tor||tor.ahbl.org||Current tor relay and exit nodes||Automated||N/A||yes||no|
|Dronebl||dnsbl||||dnsbl.dronebl.org||All-in-one abusive hosts blacklist||Automated listing via distributed monitoring points||Permanent until delisted via website.||yes||no|
|Quorum.to||ip-dnsbl||||list.quorum.to. ( or per-subscriber: [id].list.quorum.to. )||Stop spam from hosts that send no legitimate mail (list most non-mail-sending hosts).||Listings based on "instant" automated checks, recipient nomination and traps.||Listings can be challenged. Subscribers vote to decide sender status.||Public list follows standard dnsbl protocol. Subscription based service is more capable, but does not follow standard.||yes||no|
|Spamanalysis.org||GeoBL||||User-defined: [*].geobl.spamanalysis.org||Lists hosts known as being in certain geographic locations.||Users set their own list of blocked countries.||Hosts reported as being incorrectly located may be delisted.||Allows basic monitoring, listed if A=127.0.0.2 or TXT=blocked||yes||no|
|Heise Zeitschriften Verlag GmbH & Co. KG, hosted by manitu GmbH||NiX Spam (nixspam)||||ix.dnsbl.manitu.net||Lists single IPs (no IP ranges) that send spam to spamtraps.||Automated listing due to spamtrap hits. Exceptions apply to bounces, NDRs and whitelisted IPs.||12 hours after last listing or until self delisting||TXT records provide information of listing incident - NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin.||no||yes (for ISPs/ESPs on request)|
|inps.de||inps.de-DNSBL||||dnsbl.inps.de||Single IP addresses||IP addresses can be reported as known spam sources by users, additionally automated listing if spam arrives at the mailservers of inps.de||IP addresses are listed until they are removed manually via the website.||A- and TXT records are available for each entry; Removal is free after 30 days for automatic additions and after 7 days for manual additions; otherwise removal fee is at least EUR 10,00.||maybe||no|
|blocklist.de ||dnsbl||||bl.blocklist.de||IP-Addresses who Attacks other Server/Honeypots over ssh, imap, smtp, ftp, web, rfi, sqli, ddos....||Automatic: over Honeypots and with over 515 Users and 630 Servers from blocklist.de via Fail2Ban or own scripts||Automatic: 48 Hours after the last Attack. But earlier remove is available over the Delist-Link||Services is free! Source data is from Honeypot-Systems and over 515 User with 630 Servern there reports Attacks with Fail2Ban||no||yes|
|SRN:SurGATE Reputation Network||SRN||||srnblack.surgate.net||Spam sources, relay abusers||Feeder servers||Automatic expiry (varies by type); webpage allows delisting||Removal requests are quickly and manually reviewed and processed without fees.||yes||no|
|s5h.net Internet Services||s5h.net||||all.s5h.net||Spam sources from email, forums, referrer spam and dictionary attacks||Traps||Twelve months unless ISPs request removal earlier||By request. ISPs can provide request exclusion||Yes||No|
"Collateral Listings" - blacklists IP addresses that do not send spam, in order to "blackmail" ISPs to take action against real spammers under their control.
"Notifies upon listing" - Warns the owner of the IP/Domain when they list an IP (so owners can take action to fix the problem)
Observe Caution 
||The neutrality of this section is disputed. (August 2012)|
Most blacklists were established by angry victims hoping to rid spam from our world. Not all of them necessarily care about the damage of "false positives" (for example - compare how many of them choose to warn a provider when they blacklist them (none), or how many deliberately choose "collateral damage" (blacklisting innocent parties of an ISP to "encourage" that ISP to take action against their guilty customers) (most).
When reading the above "Listing goals", "Nomination" procedure, "lifetime" and "notes" - take everything with a grain of salt. Many list providers do not actively follow their own procedure, or lack the resources to do so properly, or pretend to have "de-list" procedures when in fact they don't, or refuse, or refer victims to other lists. Many more providers have configurations unsuitable to rely upon (grouping different kinds of what they consider "abuse" into single categories, making it impossible for companies who do not "infringe" many of the list rules to be removed, because they may still infringe one unimportant one).
There are also some operators who engage in malicious listings as well, and some who choose to blacklist the entire world (e.g. DNSBL) or otherwise damage your servers (e.g. DSBL) when they go out of business (illustrating some cases of their lack of commitment to preventing harm to their users).
- "armresearch.com". armresearch.com. Retrieved 2012-05-06.
- UCEPROTECT® email@example.com. "UCEPROTECT®-Network - Germanys first Spam protection database". Uceprotect.net. Retrieved 2012-05-06.
- Simpson, Ken. "Getting Onto a Blacklist Without Sending Any Spam". MailChannels Anti-Spam Blog. MailChannels Corporation. Retrieved 16 September 2011.
- "sorbs.net". sorbs.net. Retrieved 2012-05-06.
- "The Cbl Faq". Cbl.abuseat.org. 2006-12-31. Retrieved 2012-05-06.
- "ORBS Lawsuit". Phorums.com.au. Retrieved 2012-05-06.
- "We announced in January 2010 that we would start returning 127.0.0.2 to all queries". Dnsbl.info. 2009-12-31. Retrieved 2012-05-06.
- "Nonexistant nameserver stop-using-dsbl.dsbl.org". Dsbl.org. 2008-05-21. Retrieved 2012-05-06.