Comparison of DNS blacklists

From Wikipedia, the free encyclopedia

The following table lists technical information for assumed reputable[by whom?] DNS blacklists used for blocking spam.

Blacklist operator DNS blacklist Zone Listing goal Nomination Listing lifetime Notes Collateral listings Notifies upon listing
Abusix combined combined.mail.abusix.zone Aggregate zone Aggregate zone Aggregate Zone Single lookup that contains results from black, exploit and policy lists No No
black black.mail.abusix.zone Lists individual IP addresses that have sent mail to spam traps, and some manually-added address blocks. Mostly automatic with some manual additions For automated, listings 5.6 days after last event. Manual additions are permanent. No No (but planned)
exploit exploit.mail.abusix.zone Lists IP addresses behaving in a way that indicates they are compromised, infected, proxies, or VPN or TOR exit nodes. Automatic 5.6 days after last event No No (but planned)
policy dynamic.mail.abusix.zone Lists IP addresses that should not be connecting directly to MX, such as residential IP addresses etc. Automatic Permanent (until delist requested) Lists ranges that have generic or templated rDNS. Individual IP addresses can be delisted immediately via web. No No
dblack dblack.mail.abusix.zone Lists domains seen in spam hitting traps. Automatic 5.6 days after last event Can be used as an RHSBL and a URIBL. No No (but planned)
nod nod.mail.abusix.zone Lists domains that are newly observed (first use). Automatic 25 hours Based on historical passive DNS data, lists domains first seen in the wild within the last 25 hours). No No
shorthash shorthash.mail.abusix.zone Lists short URLs (SHA-1 hashed) seen in traps. Automatic 5.6 days after last event Created to handle popular shorteners that are misused to hide domains from blacklisting No No
diskhash diskhash.mail.abusix.zone Lists URLs of online drive services (SHA-1 hashed) seen in traps. Automatic 5.6 days after last event Current only listing Google Drive and Yandex Disk URLs that are used to avoid domain blacklisting. No No
ARM Research Labs, LLC GBUdb Truncate truncate.gbudb.net Extremely conservative list of single IP4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reputation system. Most systems should be able to safely reject connections based on this list. Automatic: IP addresses are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data. Automatic: Continuous while reputation statistics remain bad. Warning: Produces false positives, and has no remedy/removal process. IP addresses are dropped quickly if the statistics improve (within an hour). IP addresses are dropped within 36 hours (typ) if no more messages are seen (dead zombie). Source data is derived from a global network of Message Sniffer[1] filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes.

Warning: Unreliable, as it produces false positives. It is impossible to find additional information or to manually troubleshoot the problem. It is based on results created by their proprietary software running a proprietary algorithm.

No No
Metunet Research Labs Metunet dnsbl rbl.metunet.com Single IP4 addresses that produce exclusively spam or malware. Mail service providers are protected. Automatic Last activities after one year automatic or delist request by mail Removal requests are quickly and manually reviewed and processed without fees. No No
Mailspike / Anubisnetworks mailspike.org bl.mailspike.org IP4 / IPv6 addresses that produce spam or malware. Automatic List is updated daily. Reputation is gradually restored after days of good / null activity Immediate delisting via the website No No
invaluement DNSBL ivmSIP Paid access via rsync Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spam which evades many other DNSBLs. Has FP-level comparable to Zen. Automatic (upon receipt of spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions Spam samples are always kept on file for each listing. Removal requests are manually reviewed and processed without fees. No No
ivmSIP/24 Paid access via rsync Lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail. Collateral listings are kept to a minimum because subsections are often carved from /24 listings when spammers and legit senders share the same /24 block. Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives Expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases. Removal requests are quickly and manually reviewed and processed without fees. Yes No
ivmURI Paid access via rsync Comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages Automatic (upon receipt of spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives Typically an automatic expiration several weeks after the last abuse was seen Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees. No No
Spam and Open Relay Blocking System (SORBS) dnsbl dnsbl.sorbs.net Unsolicited bulk/commercial e-mail senders N/A (See individual zones) N/A (See individual zones) Aggregate zone (all aggregates and what they include are listed on SORBS)[2] As per component list Via SORBS Report Manager
safe.dnsbl safe.dnsbl.sorbs.net Unsolicited bulk/commercial e-mail senders N/A (See individual zones) N/A (See individual zones) "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent", "old", "spam" and "escalations") No Via SORBS Report Manager
http.dnsbl http.dnsbl.sorbs.net Open HTTP proxy servers Feeder servers Until delisting requested No Via SORBS Report Manager
socks.dnsbl socks.dnsbl.sorbs.net Open SOCKS proxy servers Feeder servers Until delisting requested No Via SORBS Report Manager
misc.dnsbl misc.dnsbl.sorbs.net Additional proxy servers Feeder servers Until delisting requested Those not already listed in the HTTP or SOCKS databases No Via SORBS Report Manager
smtp.dnsbl smtp.dnsbl.sorbs.net Open SMTP relay servers Feeder servers Until delisting requested No Via SORBS Report Manager
web.dnsbl web.dnsbl.sorbs.net IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts) Feeder servers Until delisting requested or automated expiry No Via SORBS Report Manager
new.spam.dnsbl new.spam.dnsbl.sorbs.net Hosts that have sent spam to the SORBS spam traps or administrators in the last 48 hours SORBS administrators and spam traps Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' No Via SORBS Report Manager
recent.spam.dnsbl recent.spam.dnsbl.sorbs.net Hosts that have sent spam to the SORBS spam traps or administrators in the last 28 days SORBS administrators and spam traps Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' No Via SORBS Report Manager
old.spam.dnsbl old.spam.dnsbl.sorbs.net Hosts that have sent spam to the SORBS spam traps or administrators in the last year SORBS administrator and spam traps Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' No Via SORBS Report Manager
spam.dnsbl spam.dnsbl.sorbs.net Hosts that have allegedly sent spam to the SORBS spam traps or administrators ever SORBS administrators and spam traps Until delisting requested No Via SORBS Report Manager
escalations.dnsbl escalations.dnsbl.sorbs.net Address blocks of service providers believed to support spammers SORBS administrators Until delisting requested and matter resolved Service providers are added on receipt of a 'third strike' spam Yes Via SORBS Report Manager
block.dnsbl block.dnsbl.sorbs.net Hosts demanding that they never be tested Request by host N/A No Via SORBS Report Manager
zombie.dnsbl zombie.dnsbl.sorbs.net Hijacked networks SORBS administrators (manual submission) Until delisting requested No Via SORBS Report Manager
dul.dnsbl dul.dnsbl.sorbs.net Dynamic IP address ranges SORBS administrators (manual submission) Until delisting requested Not a list of dial-up IP addresses No Via SORBS Report Manager
noservers.dnsbl noservers.dnsbl.sorbs.net No Servers Permitted by ISP Policy Administered by address registrants Not Applicable. No Servers Permitted by ISP Policy No Via SORBS Report Manager
rhsbl rhsbl.sorbs.net Aggregate RHS zones N/A N/A No No
badconf.rhsbl badconf.rhsbl.sorbs.net Domains with invalid A or MX records in DNS Open submission via automated testing page Until delisting requested No No
nomail.rhsbl nomail.rhsbl.sorbs.net Domains which the owners have confirmed will not be used for sending mail Owner submission Until delisting requested No No
Spamhaus Spamhaus Blocklist (SBL) sbl.spamhaus.org This list contains IP addresses that are observed to be involved in sending spam, snowshoe spamming, botnet command and controllers (C&Cs), bulletproof hosting companies and hijacked address space. Manual From five minutes to a year or more, depending on issue and resolution Rarely (escalation) Yes (partial)
eXploits Blocklist (XBL) N/A This lists the individual IPv4 addresses (/32s) that are infected with malware, worms, and Trojans; third party exploits, such as open proxies; or devices controlled by botnets. The constantly updated list is designed to protect networks from malware and spam by preventing mailservers from accepting connections from compromised computing devices. Third-party with automated additions Varies, under a month, self removal via Composite Blocking List lookup Consists of the Composite Blocking List No No
Extended eXploits Blocklist (eXBL) N/A This list is a real-time database of raw and filtered feeds that provides additional information on hijacked IP addresses. The eXBL is available to selected security organizations and cyber incident response teams. Third-party with automated additions Varies, under a month, self removal via Composite Blocking List lookup Consists of the Composite Blocking List No No
Domain Blocklist (DBL) dbl.spamhaus.org Domains owned by spammers and used for spam or other malicious purposes. This blocklist also contains domains owned by non-spammers which are used for legitimate purposes, but have been hijacked by spammers. Ranking of over 80 different metrics and machine learning A few days, with self-removal generally allowed {{}} Rarely
Enhanced Domain Blocklist (eDBL) dbl.spamhaus.org This list provides detailed information on each domain listing and is available via an API. This enables querying of the DBL engine, returning a JSON record for each domain.

The Enhanced Domain Blocklist (eDBL) can be used to track a particular domain's score over a longer period, or to combine Domain Blocklist data with other information.

A few days. Self-removal generally allowed. {{}} Rarely
Policy Blocklist (PBL) pbl.spamhaus.org This list includes IP address ranges for end-user devices, such as home routers, smart TVs, and other Information of Things (IoT) devices, from which mail should never be sent. This protects networks from the potential of being compromised by malware spread by botnet command and controller servers (C&Cs). Manual, by providers controlling the IPs or by Spamhaus PBL Team Self-removal (see spamhaus web site) Should not be confused with the MAPS DUL and Wirehub Dynablocker lists No No
Hash Blocklist (HBL) hbl.spamhaus.org This list contains the following content areas: Cryptowallet (Bitcoin etc.), malware and e-mail addresses.

Hash Blocklists (HBL) are lists of cryptographic hashes associated with malicious content, as opposed to IP addresses or domains. They are extremely useful for filtering fraudulent mail coming from ISPs, domains, or IP addresses that Spamhaus is unable to list e.g. Gmail. Additionally, they can block mail containing malware files.

Manual, by providers controlling the addresses or by Spamhaus PBL Team Self-removal (see spamhaus web site) No No
Zero Reputation Domains (ZRD) <key>.authbl.dq.spamhaus.net This lists newly registered domains for 24 hours. Domains that have just been registered are rarely used by legitimate organizations immediately. Cybercriminals register and burn 100s of domains daily.

The Zero Reputation Domain (ZRD) blocklist helps to protect users from following links and visiting newly registered domains until it is established that they are not associated with zero day attacks; phishing, bot-herding, spyware or ransomware campaigns.

Automated 24 hours No No
Zen zen.spamhaus.org A single lookup for querying the SBL, XBL and PBL databases Preferred list to check all Spamhaus address lists with one query As per component list As per component list
THREATINT DNSBL dnsbl.threatint.zone IP addresses used to send spam and/or scan networks/hosts spam traps, honeypots Automatic: 48 hrs after activity stops No No
JustSpam JustSpam.Org dnsbl.justspam.org IP addresses used to send spam to trap spam traps Until Free Removal Sending a special mail generated using the removalform contains the listed IP in the mailheader. No No


Passive Spam Block List PSBL psbl.surriel.com
(also free available via rsync [1])
IP addresses used to send spam to trap spam traps Temporary, until spam stops No No
Weighted Private Block List WPBL db.wpbl.info IP addresses used to send UBE to members spam traps Temporary, until spam stops No No
SpamCop Blocking List SCBL bl.spamcop.net IP addresses which have been used to transmit reported mail to SpamCop users Users submit Temporary, until spam stops, has self removal No Yes (partial)
SpamRats RATS-NoPtr noptr.spamrats.com IP addresses detected as abusive at ISPs using MagicMail Servers, with no reverse DNS service Automatically Submitted Listed until removed, and reverse DNS configured Yes No
RATS-Dyna dyna.spamrats.com IP addresses detected as abusive at ISPs using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems Automatically Submitted Listed until removed, and reverse DNS set to conform to Best Practises Yes No
RATS-Spam spam.spamrats.com IP addresses detected as abusive at ISPs using MagicMail Servers, and manually confirmed as spam sources Manually Submitted Listed until removed Yes No
RATS-Auth auth.spamrats.com IP addresses detected probing passwords or authenticating without sending mail Automatically Submitted Listed until removed Yes No
Junk Email Filter Hostkarma hostkarma.junkemailfilter.com Detects viruses by behavior using fake high MX and tracking non-use of QUIT Automated [de]listing Black list entries last 4 days. White list entries last 10 days. 127.0.0.1=white 127.0.0.2=black 127.0.0.3=yellow Yes No
Heise Zeitschriften Verlag GmbH & Co. KG, hosted by manitu GmbH NiX Spam (nixspam) ix.dnsbl.manitu.net Lists single IP addresses (no address ranges) that send spam to spam traps. Lists mailhosts, rather than domains, and thus blocks entire hosting providers and ISPs. Automated listing due to spam trap hits. Exceptions apply to bounces, NDRs and whitelisted IP addresses. 12 hours after last listing or until self delisting TXT records provide information of listing incident - NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin. No Yes (for ISPs/ESPs on request)
blocklist.de [2] dnsbl bl.blocklist.de IP addresses used to in attacks over SSH, IMAP, SMTP, FTP, or HTTP, or for attacks involving remote file inclusion, SQL injection, or DDOS Automatic: over honeypots and with over 515 users and 630 servers from blocklist.de via Fail2Ban or own scripts Automatic: 48 Hours after the last Attack. But earlier remove is available over the Delist-Link Services are free. Source data is from Honeypot-Systems and over 515 User with 630 Servern there reports Attacks with Fail2Ban No Yes
s5h.net Internet Services s5h.net all.s5h.net Spam sources from mail, forums, referrer spam and dictionary attacks Traps Twelve months unless ISPs request removal earlier By request. ISPs can provide request exclusion. Yes No


BarracudaCentral RBL b.barracudacentral.org Spam Trap Provides a list of IP addresses which are sending spam. The Barracuda Reputation system uses automated collection methods to add and delete IP addresses from the BRBL. Until delisting requested Requires registration of administrator and hosts to use. Removal requests are typically investigated and processed within 12 hours of submission if provided with a valid explanation. No No
The NordSpam Project NordSpam IP Blacklist bl.nordspam.com IP addresses detected as unsolicited bulk/commercial e-mail senders, Web spam Manual Until delisting requested Removal requests are manually reviewed and processed without fees. Rarely (escalation) Sometimes
NordSpam Domain Blacklist dbl.nordspam.com Unsolicited bulk/commercial e-mail senders, Web spam Manual Until delisting requested Removal requests are manually reviewed and processed without fees. No Sometimes
0Spam Project bl.0spam.org bl.0spam.org Lists single IP's for spam, malware, abuse, RFC Non-Compliance, Bad configuration and fraud Automated listings from: Machine Learning, Spam traps, and abuse detection Until IP Owner/Authorized administrator/End User requests listing removal 0spam AI detects: # General spam, # RFC-non-compliance issue, # Bouncing mail to the wrong server, # Unauthorized Mail relay, # Spoof & Bouncing spoofed-sender mail, # Fraud or scam mail, malware or illegal or abusive content No Yes
rbl.0spam.org rbl.0spam.org Lists single IP's for spam, malware, abuse, RFC Non-Compliance, Bad configuration and fraud Automated listings from: Machine Learning, Spam traps, and abuse detection Automated removal after 24 hours of no spam. 0spam AI detects: # General spam, # RFC-non-compliance issue, # Bouncing mail to the wrong server, # Unauthorized Mail relay, # Spoof & Bouncing spoofed-sender mail, # Fraud or scam mail, malware or illegal or abusive content No Yes
nbl.0spam.org nbl.0spam.org Lists Class C networks with high number of unaddressed abuse reports on the bl.0spam.org list. Automated listings for spam source Class C blocks Until IP Owner/Authorized administrator/End User requests listing removal It's suggestion to use the nbl.0spam.org list in conjunction with rule based filtering. This is a NetworkBlockList(NBL) so it lists full Class C IP blocks containing a high number of spam IP's. Use with SPF/DKIM Fail to produce the most accurate results. No Yes
dbl.0spam.org dbl.0spam.org Lists single IP's for domains found to be in spam emails. Automated listings from: Parsing spam emails Until IP Owner/Authorized administrator/End User requests listing removal This list contains the IP's of domains found to be in emails identified as spam. You should NOT use this list as a sole identifier of spam. No Yes
Brukalai.lt DNSBL black.dnsbl.brukalai.lt Addresses and domains for junk mail filtering (aggregate zone) Mostly automatic with some manual additions Until delisting requested Yes No
Metunet DNSBL rbl.metunet.com Single IP4 addresses produce exclusively spam or malware. Respective Mail providers protected like Free and paid mail providers. Automatic One year after last activity (automatic) or delist request by mail Removal requests are quickly and manually reviewed and processed without fees. No No
Excello s.r.o. Virusfree BIP bip.virusfree.cz Botnet IP list. Single IPv4 addresses produced from spam, pure bots. No mail server addresses. Automatic listing Automatic delisting Included in RSPAMD No No
Virusfree BAD bad.virusfree.cz BAD senders list. Single IPv4 addresses with high spam rate. Mostly botnets and large spammers. Also, mail servers which send malware are listed. Automatic listing Automatic delisting No No

Notes[edit]

"Collateral listings"—Deliberately listing non-offending IP addresses, in order to coerce ISPs to take action against spammers under their control.

"Notifies upon listing"—Warns registrants of listed IP addresses or domains (so registrants can take actions to fix problems).

Suspect RBL providers[edit]

Suspect RBL providers are those who employ well-documented patterns[3] of questionable or reckless practices[4] or have questionable actors based on statements or communications from the RBL's principal management to official forums.[5] These practices usually include acceptance of de-listing payments (also known as ransom payments) - which incentivizes fraud - such as is the case with UCEPROTECT/Whitelisted.org.[6] Often, these RBL providers use circular rhetoric such as "only spammers would claim we are illegitimate" in furtherance of their scheme. These RBL providers have shown clear or lengthy patterns of misconduct or unstable behavior in public forums or operations or both.[3][5] It is recommended that ISPs carefully consider these RBL providers before incorporating them into spam blocking regimens. These RBL providers have demonstrated the potential and willingness to adversely affect vast swaths of internet communications for misguided, reckless or likely fraudulent purposes. Using these RBL providers will likely result in clogging up ISP support channels while negatively affecting legitimate business customers.

Blacklist operator Questionable Operations DNS blacklist Zone Listing goal Nomination Listing lifetime Notes Collateral listings Notifies upon listing
UCEPROTECT-Network Accepts monetary fees to de-list which incentivizes fraud or abuse;[4] principal management engages in questionable behavior in official communications[5] UCEPROTECT Level 1 dnsbl-1.uceprotect.net
(also free available via rsync [7])
Single IP addresses that send mail to spamtraps.

Or anything that could have attacked them, even if not related to email.

Automatic by a cluster of more than 60 trapservers [8] Automatic expiration 7 days after the last abuse was seen, optionally express delisting for a small fee. UCEPROTECT's primary and the only independent list No No
UCEPROTECT Level 2 dnsbl-2.uceprotect.net
(also free available via rsync [7])
Allocations with exceeded UCEPROTECT Level 1 listings Automatic calculated from UCEPROTECT-Level 1 Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (for a fee) Fully depending on Level 1 Yes No
UCEPROTECT Level 3 dnsbl-3.uceprotect.net
(also free available via rsync [7])
ASN's with excessive UCEPROTECT Level 1 listings Automatic calculated from UCEPROTECT-Level 1 Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee) Fully depending on Level 1 Yes No
SPFBL.net Offers paid delisting[9] which violates Section 2.2.5 Conflict of Interest, RFC 6471[10] RBL dnsbl.spfbl.net Bad reputation, difficult to identify the responsible, dynamic addresses, SLAAC flag without genuine mail service and inappropriate use of the URL Provides a list of IPv4/IPv6 addresses and domains which are sending spam or phishing. Until delisting requested or seven days with good reputation The feedback system runs at SMTP layer. See Feedback Yes Yes


References[edit]

  1. ^ "armresearch.com". armresearch.com. Retrieved 2012-05-06.
  2. ^ "sorbs.net". sorbs.net. Retrieved 2012-05-06.
  3. ^ a b GitHub. "About removing UceProtect". github.com. Retrieved 2021-04-02.
  4. ^ a b Security Boulevard. "UCEPROTECT: When RBLs Go Bad". securityboulevard.com. Archived from the original on 21 April 2021. Retrieved 2021-04-02.
  5. ^ a b c IETF. "IETF Mail Archive: [Asrg] Final statement". mailarchive.ietf.org. Retrieved 2021-04-02.
  6. ^ whitelisted.org. "UceProtect Ransom Payment Collection Arm". www.whitelisted.org. Retrieved 2021-04-03.
  7. ^ a b c UCEPROTECT. "UCEPROTECT-Network - Germanys first Spam protection database". Uceprotect.net. Retrieved 2012-05-06.
  8. ^ Simpson, Ken. "Getting Onto a Blacklist Without Sending Any Spam". MailChannels Anti-Spam Blog. MailChannels Corporation. Archived from the original on 19 September 2011. Retrieved 16 September 2011.
  9. ^ spfbl.net. "Query and delist - Rules for paid delist". spfbl.net. Retrieved 2023-08-25.
  10. ^ C. Lewis and M. Sergeant. "Overview of Best Email DNS-Based List (DNSBL) Operational Practices - 2.2.5. Conflict of Interest". IETF. Retrieved 2023-08-25.

External links[edit]

  • List of all RBLs, Information about all existing blacklists including discontinued blacklists.