Comparison of DNS blacklists
From Wikipedia, the free encyclopedia
The following table lists technical information for a number of DNS blacklists.
Blacklist operator | DNS blacklist | Informational URL | Zone | Listing goal | Nomination | Listing lifetime | Notes |
---|---|---|---|---|---|---|---|
UCEPROTECT-Network | UCEPROTECT Level 1 | [1] | dnsbl-1.uceprotect.net | Single IP's that send mail to ([Spamtraps]) | Automatic by a cluster of more than 60 trapservers | Automatic expiration 7 days after the last abuse was seen, optionally express delisting | UCEPROTECT's primary and the only independent list |
UCEPROTECT Level 2 | [2] | dnsbl-2.uceprotect.net | Allocations with exceeded UCEPROTECT Level 1 listings | Automatic calculated from UCEPROTECT-Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting | Fully depending on Level 1 | |
UCEPROTECT Level 3 | [3] | dnsbl-3.uceprotect.net | ASN's with excessive UCEPROTECT Level 1 listings | Automatic calculated from UCEPROTECT-Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting | Fully depending on Level 1 | |
Spam and Open Relay Blocking System (SORBS) | dnsbl | [4] | dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | Aggregate zone (all aggregates and what they include are listed on [5]) |
safe.dnsbl | safe.dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent" and "escalations") | ||
http.dnsbl | http.dnsbl.sorbs.net | Open HTTP proxy servers | Feeder servers | Until delisting requested. | |||
socks.dnsbl | socks.dnsbl.sorbs.net | Open SOCKS proxy servers | Feeder servers | Until delisting requested. | |||
misc.dnsbl | misc.dnsbl.sorbs.net | Additional proxy servers | Feeder servers | Until delisting requested. | Those not already listed in the HTTP or SOCKS databases | ||
smtp.dnsbl | smtp.dnsbl.sorbs.net | Open SMTP relay servers | Feeder servers | Until delisting requested. | |||
web.dnsbl | web.dnsbl.sorbs.net | IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts) | Feeder servers | Until delisting requested or Automated Expiry | |||
new.spam.dnsbl | new.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS in the last 48 hours | SORBS Admin and Spamtrap | Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' | |||
recent.spam.dnsbl | recent.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS in the last 28 days | SORBS Admin and Spamtrap | Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' | |||
old.spam.dnsbl | old.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS in the last year | SORBS Admin and Spamtrap | Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' | |||
spam.dnsbl | spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS at any time | SORBS Admin and Spamtrap. | Until delisting requested or matter resolved | |||
escalations.dnsbl | escalations.dnsbl.sorbs.net | Netblocks of service providers believed to support spammers | SORBS Admin fed. | Until delisting requested and matter resolved. | Service providers are added on receipt of a 'third strike' spam | ||
block.dnsbl | block.dnsbl.sorbs.net | Hosts demanding that they never be tested | Request by host | N/A | |||
zombie.dnsbl | zombie.dnsbl.sorbs.net | Hijacked networks | SORBS Admin (manual submission) | Until delisting requested. | |||
dul.dnsbl | dul.dnsbl.sorbs.net | Dynamic IP address ranges | SORBS Admin (manual submission) | Until delisting requested. | Not a list of dial-up IP addresses | ||
rhsbl | rhsbl.sorbs.net | Aggregate RHS zones | N/A | N/A | |||
badconf.rhsbl | badconf.rhsbl.sorbs.net | Domains with invalid A or MX records in DNS | Open submission via automated testing page. | Until delisting requested. | |||
nomail.rhsbl | nomail.rhsbl.sorbs.net | Domains which the owners have confirmed will not be used for sending email | Owner submission | Until delisting requested. | |||
Spamhaus | SBL Advisory | [6] | sbl.spamhaus.org | Verified sources of spam, including spammers and their support services | Manual | From 30 minutes to a year or more, depending on issue and resolution | |
XBL Advisory | [7] | xbl.spamhaus.org | Illegal third-party exploits (e.g. open proxies and Trojan Horses) | Third-party (see Notes) with automated additions | Varies, under a month. | Includes the Composite Blocking List and parts of the Not Just Another Bogus List | |
PBL Advisory | [8] | pbl.spamhaus.org | All Static, dialup & DHCP IP address space that is not meant to be initiating SMTP connections | Manual | Unknown | Should not be confused with the MAPS DUL and Wirehub Dynablocker lists | |
SBL+XBL | [9] | sbl-xbl.spamhaus.org | A single lookup for querying the SBL and XBL databases | ||||
Zen | [10] | zen.spamhaus.org | A single lookup for querying the SBL, XBL and PBL databases. | The one to use to get all. | |||
ORBITrbl Aggressive RBL | RBL | [11] | rbl.orbitrbl.com | Unsolicited bulk/Commercial email senders (Block Class C IP Block) | Feeder servers | Until delisting requested? (Only When Found to be Non Spam Source) | Aggregate zone |
Composite Blocking List | CBL | [12] | cbl.abuseat.org | Only IPs exhibiting characteristics specific to open proxies, spamware, etc. | large spamtraps | Temporary, until spam stops | Imported by Spamhaus. Use ZEN instead, includes CBL. |
Passive Spam Block List | PSBL | [13] | psbl.surriel.com | IP addresses which send spam to trap | spamtraps | Temporary, until spam stops | |
Intercept - DNS Blacklist (DNSBL) | Intercept | [14] | intercept.datapacket.net | IP addresses which send spam to trap | spamtraps | Temporary, until spam stops | |
Weighted Private Block List | WPBL | [15] | db.wpbl.info | IP addresses which send UBE to members | spamtraps | Temporary, until spam stops | |
SpamCop Blocking List | SCBL | [16] | bl.spamcop.net | IP addresses which have transmitted reported email to SpamCop users | users submit | Temporary, until spam stops | |
SpamRats | RATSNOPTR | [17] | noptr.spamrats.com | IP addresses detected as abusive at ISP/Telcos using MagicMail Servers, with no reverse DNS | Automatically Submitted | Listed until removed, and reverse DNS configured | |
RATSDYNA | [18] | dyna.spamrats.com | IP addresses detected as abusive at ISP/Telcos using MagicMail Servers, with non-conforming reverse DNS (See Best Practises) indicative of a compromised PC | Automatically Submitted | Listed until removed, and reverse DNS set to conform to Best Practises | ||
RATSSPAM | [19] | spam.spamrats.com | IP addresses detected as abusive at ISP/Telcos using MagicMail Servers, and manually confirmed as a Spam Source | Manually Submitted | Listed until removed | ||
SpamCannibal | spamcannibal.org | [20] | bl.spamcannibal.org | ip addresses and related generic netblock that have sent spam to local mail hosts | spamtraps | until removal requested and matter resolved | listed=127.0.0.2 |
Distributed Sender Blackhole List | list.DSBL.org | [21] | list.dsbl.org | all single hop relays | tested by trusted testers | until de-listing requested | explanation of test methods |
multihop.DSBL.org | multihop.dsbl.org | the outputs of multihop relays | tested by trusted testers | until de-listing requested | explanation of test methods | ||
unconfirmed.DSBL.org | unconfirmed.dsbl.org | all the output servers | tested by untrusted and anonymous testers | until de-listing requested | explanation of test methods | ||
Not Just Another Bogus List | NJABL DNSBL | [22] | dnsbl.njabl.org | SMTP open relays, Multi-stage SMTP open relays, spam sources, Insecure CGI scripts that allow open relaying, open proxy servers | spamtraps, testing, testing by trusted contributors | Varies | |
Bad host, no cookie | bhnc.njabl.org | These hosts have done things proper SMTP servers don't do. | spamtraps | until de-listing requested | |||
Distributed Realtime Blocking List | drand DRBL node | [23] | spamtrap.drbl.drand.net | IP addresses which send spam to trap, IP addresses which send UBE to members. | Automated [de]listing. | Varies from spam type, rate and other sophisticated factors. 30s-1w. | Hight IP network aggregate threshold >= 254. |
Dynamic Realtime Blocking List | RU RBL | [24] | db.rurbl.ru | IP addresses which send spam or viruses to mail server with special sensors. | Automated [de]listing. | Varies from spam or virus pushing characteristics. 5s - 20min. | explanations |
Junk Email Filter | Hostkarma | [25] | hostkarma.junkemailfilter.com blacklist.hostkarma.com |
Detects viruses by behavior using fake high MX and tracking non-use of QUIT. | Automated [de]listing | Black list Data lives for 4 days. White list data lives for 10 days. | 127.0.0.1=white 127.0.0.2=black 127.0.0.3=yellow |
RFC-Ignorant.Org | DSN (<>) | [26] | dsn.rfc-ignorant.org | refusal to accept bounces (DSN) | Open submission via automated testing page. | Until delisting requested. | |
postmaster | [27] | postmaster.rfc-ignorant.org | refusal to accept e-mail to postmaster | ||||
abuse | [28] | abuse.rfc-ignorant.org | refusal to accept e-mail to abuse | ||||
whois | [29] | whois.rfc-ignorant.org | bogus whois information | ||||
bogusmx | [30] | bogusmx.rfc-ignorant.org | bogus MX record | ||||
Abusive Hosts Blocking List (AHBL) | dnsbl | [31] | dnsbl.ahbl.org | Aggregate zone, contains UCE/Bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers | Feeder systems, manual | Until delisting requested | Aggregate zone (all aggregates and what they include are listed on [32]) |
rhsbl | rhsbl.ahbl.org | Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs | Manual | ||||
ircbl | ircbl.ahbl.org | Subset of dnsbl, contains only open proxies, comprimised machines, comment spammers | Until delisting requested | Designed for use on IRC servers | |||
tor | tor.ahbl.org | Current tor relay and exit nodes | Automated | N/A |
[edit] External links
- Blacklists Compared, weekly reports since July 2001
- DNSBL Statistics - A controversial[33][34][35] comparison of several popular DNSBL's.
- Spam Links - DNS & RHS Blackhole Lists
- Spam Links - Dead DNS and RHS Blackhole Lists