Comparison of DNS blacklists

The following table lists technical information for a number of DNS blacklists.

Blacklist operator DNS blacklist Zone Listing goal Nomination Listing lifetime Notes Collateral listings Notifies upon listing
WebIron LLC RBL BABL babl.rbl.webiron.net Lists IP ranges belonging to officially published abuse addresses that either bounce or request not to receive abuse notices. The aim of this list is to block companies that openly shrug their abuse responsibilities. Abuse addresses that fail to be deliverable for 3 out of the last 7 days are automatically added. Lifetime listing or automatic once mail delivery resumes in the case of automated additions. Yes No
CABL cabl.rbl.webiron.net Lists IP ranges belonging to abuse addresses that have failed to handle abuse issues for at least 30 days. The aim of this list is to hold companies accountable for the abuse that originates from their networks rather than just ignoring it. IP ranges belonging to abuse addresses with reported and unresolved issues for at least 30 days are automatically added. Automatic removal is done once all hosts with abuse unresolved for 30 days have been clean for 2 weeks. Data for lists are generated from live data collected by the WebIron web security platform. Yes Yes
STABL stabl.rbl.webiron.net Lists single IP addresses recently attacking websites and servers. Lists IP addressed belonging to hosts that have attacked at least twice within the last 48 hours. Automatic removal is done once a host has gone 24 hours without an incident Data for lists are generated from live data collected by the WebIron web security platform. No No
All all.rbl.webiron.net Contains IP addresses and ranges from BABL, CABL, and STABL Depends on list Depends on list Yes No
Crawler crawler.rbl.webiron.net Web Crawler IP lookup used to match user agents with known crawler IP addresses. Data from this list is considered BETA. This DNSRBL contains valid and legitimate crawlers. Matching alone should not be used for blocking No No
ARM Research Labs, LLC GBUdb Truncate truncate.gbudb.net Extremely conservative list of single IP4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reputation system. Most systems should be able to safely reject connections based on this list. Automatic: IPs are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data. Automatic: Continuous while reputation statistics remain bad. Warning: Produces false positives, and has no remedy/removal process. IPs are dropped quickly if the statistics improve (within an hour). IPs are dropped within 36 hours (typ) if no more messages are seen (dead zombie). Source data is derived from a global network of Message Sniffer[1] filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes. No No
invaluement DNSBL ivmSIP Paid access via rsync Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spams which evade many other DNSBLs. Has FP-level comparable to Zen. Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions Spam samples are always kept on file for each listing. Removal requests are manually reviewed and processed without fees. No No
ivmSIP/24 Paid access via rsync Lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail. Collateral listings are kept to a minimum because subsections are often carved from /24 listings when spammers and legit senders share the same /24 block. Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives Expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases Removal requests are quickly and manually reviewed and processed without fees. Yes No
ivmURI Paid access via rsync Comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives Typically an automatic expiration several weeks after the last abuse was seen. Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees. No No
proxyBL dnsbl dnsbl.proxybl.org Lists all types of open (publicly accessible) proxies Automated listing through crawling of websites As long as proxy is verified open (automated)[2]Service died mid 2014 Time between verifications increases exponentially in relation to the number of times the host was verified an open proxy Yes No
UCEPROTECT-Network UCEPROTECT Level 1 dnsbl-1.uceprotect.net
(also free available via rsync [3])
Single IP addresses that send mail to spamtraps Automatic by a cluster of more than 60 trapservers [4] Automatic expiration 7 days after the last abuse was seen, optionally express delisting for a small fee. UCEPROTECT's primary and the only independent list No No
UCEPROTECT Level 2 dnsbl-2.uceprotect.net
(also free available via rsync [3])
Allocations with exceeded UCEPROTECT Level 1 listings Automatic calculated from UCEPROTECT-Level 1 Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (for a fee) Fully depending on Level 1 Yes No
UCEPROTECT Level 3 dnsbl-3.uceprotect.net
(also free available via rsync [3])
ASN's with excessive UCEPROTECT Level 1 listings Automatic calculated from UCEPROTECT-Level 1 Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee) Fully depending on Level 1 Yes No
Spam and Open Relay Blocking System (SORBS) dnsbl dnsbl.sorbs.net Unsolicited bulk/commercial email senders N/A (See individual zones) N/A (See individual zones) Aggregate zone (all aggregates and what they include are listed on SORBS)[5] As per component list Via SORBS Report Manager
safe.dnsbl safe.dnsbl.sorbs.net Unsolicited bulk/commercial email senders N/A (See individual zones) N/A (See individual zones) "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent", "old", "spam" and "escalations") No Via SORBS Report Manager
http.dnsbl http.dnsbl.sorbs.net Open HTTP proxy servers Feeder servers Until delisting requested. No Via SORBS Report Manager
socks.dnsbl socks.dnsbl.sorbs.net Open SOCKS proxy servers Feeder servers Until delisting requested. No Via SORBS Report Manager
misc.dnsbl misc.dnsbl.sorbs.net Additional proxy servers Feeder servers Until delisting requested. Those not already listed in the HTTP or SOCKS databases No Via SORBS Report Manager
smtp.dnsbl smtp.dnsbl.sorbs.net Open SMTP relay servers Feeder servers Until delisting requested. No Via SORBS Report Manager
web.dnsbl web.dnsbl.sorbs.net IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts) Feeder servers Until delisting requested or Automated Expiry No Via SORBS Report Manager
new.spam.dnsbl new.spam.dnsbl.sorbs.net Hosts that have sent spam to the admins of SORBS or SORBS Spamtraps in the last 48 hours SORBS Admin and Spamtrap Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' No Via SORBS Report Manager
recent.spam.dnsbl recent.spam.dnsbl.sorbs.net Hosts that have sent spam to the admins of SORBS or SORBS Spamtraps in the last 28 days SORBS Admin and Spamtrap Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' No Via SORBS Report Manager
old.spam.dnsbl old.spam.dnsbl.sorbs.net Hosts that have sent spam to the admins of SORBS or SORBS Spamtraps in the last year SORBS Admin and Spamtrap Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' No Via SORBS Report Manager
spam.dnsbl spam.dnsbl.sorbs.net Hosts that have allegedly sent spam to the admins of SORBS or SORBS Spamtraps at any time SORBS Admin and Spamtrap. Until delisting requested. No Via SORBS Report Manager
escalations.dnsbl escalations.dnsbl.sorbs.net Netblocks of service providers believed to support spammers SORBS Admin fed. Until delisting requested and matter resolved. Service providers are added on receipt of a 'third strike' spam Yes Via SORBS Report Manager
block.dnsbl block.dnsbl.sorbs.net Hosts demanding that they never be tested Request by host N/A No Via SORBS Report Manager
zombie.dnsbl zombie.dnsbl.sorbs.net Hijacked networks SORBS Admin (manual submission) Until delisting requested. No Via SORBS Report Manager
dul.dnsbl dul.dnsbl.sorbs.net Dynamic IP address ranges SORBS Admin (manual submission) Until delisting requested. Not a list of dial-up IP addresses No Via SORBS Report Manager
noservers.dnsbl noservers.dnsbl.sorbs.net No Servers Permitted by ISP Policy Netblock Owner Administered Not Applicable. No Servers Permitted by ISP Policy No Via SORBS Report Manager
rhsbl rhsbl.sorbs.net Aggregate RHS zones N/A N/A No No
badconf.rhsbl badconf.rhsbl.sorbs.net Domains with invalid A or MX records in DNS Open submission via automated testing page. Until delisting requested. No No
nomail.rhsbl nomail.rhsbl.sorbs.net Domains which the owners have confirmed will not be used for sending email Owner submission Until delisting requested. No No
Spamhaus SBL Advisory sbl.spamhaus.org Verified sources of spam, including spammers and their support services, per policy Manual From five minutes to a year or more, depending on issue and resolution Rarely (escalation) Yes (partial)
XBL Advisory xbl.spamhaus.org Illegal third-party exploits (e.g. open proxies, email spambots, malware download sites

and botnets)

Third-party with automated additions Varies, under a month, self removal via Composite Blocking List lookup. Consists of the Composite Blocking List No No
PBL Advisory pbl.spamhaus.org Addresses not meant to be initiating SMTP connections, such as residential dynamic IPs Manual, by providers controlling the IPs or by Spamhaus PBL Team Self-removal (see spamhaus web site) Should not be confused with the MAPS DUL and Wirehub Dynablocker lists No No
SBL+XBL sbl-xbl.spamhaus.org A single lookup for querying the SBL and XBL databases As per component list As per component list
Zen zen.spamhaus.org A single lookup for querying the SBL, XBL and PBL databases. Preferred list to check all Spamhaus listings with one query. As per component list As per component list
ORBITrbl Aggressive RBL RBL rbl.orbitrbl.com Unsolicited bulk/Commercial email senders (/24 IP address block) Feeder servers Until delisting requested? (Only When Found to be Non Spam Source)Their web server is down[6] 2014-11-17 - Their RBL server is reporting all queries as SPAM. Aggregate zone Yes No
Composite Blocking List CBL cbl.abuseat.org
(also free available rsync access, on request see FAQ [7])
Only IP addresses exhibiting characteristics specific to open proxies, spamware, malware downloaders, botnets and the like. Automatic: large spamtraps, production mail servers and other detecton methods. Less than a month after last listable event, self-removal via CBL lookup. Use Spamhaus XBL or Spamhaus Zen instead; they include CBL. No No
IBM DNS Blacklist Cobion dnsbl.cobion.com
This DNSBL zone is part of the default configuration for Proventia Mail Security System and Lotus Protector for Mail Security No No
Passive Spam Block List PSBL psbl.surriel.com
(also free available via rsync )
IP addresses used to send spam to trap spamtraps Temporary, until spam stops No No
DNSRBL - DNS Real-time Blackhole List DNSRBL dnsrbl.org IP addresses used to send spam to trap spamtraps Temporary, until spam stops No No
Weighted Private Block List WPBL db.wpbl.info IP addresses used to send UBE to members spamtraps Temporary, until spam stops No No
Protected Sky RBL RBL bad.psky.me IP Reputation based. Seems to be proprietary. Automatic, "based on several factors". Temporary. Has self removal as well as user delisting. No No
SpamCop Blocking List SCBL bl.spamcop.net IP addresses which have been used to transmit reported email to SpamCop users Users submit Temporary, until spam stops, has self removal No Yes (partial)
SpamRats RATSNOPTR noptr.spamrats.com IP addresses detected as abusive at ISP's using MagicMail Servers, with no reverse DNS service Automatically Submitted Listed until removed, and reverse DNS configured Yes No
RATSDYNA dyna.spamrats.com IP addresses detected as abusive at ISP's using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems Automatically Submitted Listed until removed, and reverse DNS set to conform to Best Practises Yes No
RATSSPAM spam.spamrats.com IP addresses detected as abusive at ISP's using MagicMail Servers, and manually confirmed as spam sources Manually Submitted Listed until removed Yes No
SpamCannibal spamcannibal.org bl.spamcannibal.org IP addresses and related generic netblocks that have sent spam. spamtraps Until removal requested and matter resolved by changing server DNS ptr record to a non-generic name. Even if a particular IP has not sent spam, it may be included in a generic netblock which will provide many false positives. listed=127.0.0.2 Yes No
Distributed Realtime Blocking List drand DRBL node spamtrap.drbl.drand.net IP addresses used to send spam to traps or members Automated [de]listing. Varies from spam type, rate and other sophisticated factors. 30 s to 1 week. High IP network aggregate threshold >= 254. Yes No
Junk Email Filter Hostkarma hostkarma.junkemailfilter.com
blacklist.hostkarma.com
Detects viruses by behavior using fake high MX and tracking non-use of QUIT Automated [de]listing Black list Data lives for 4 days. White list data lives for 10 days. 127.0.0.1=white 127.0.0.2=black 127.0.0.3=yellow Yes No
The Abusive Hosts Blocking List (AHBL) dnsbl dnsbl.ahbl.org Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers Feeder systems, manual Until delisting requested As announced,[8] all public zones are no longer functioning (they return positive responses for all queries) Aggregate zone (all aggregates and what they include are listed on AHBL)[9] Yes no
rhsbl rhsbl.ahbl.org Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs Manual Yes No
ircbl ircbl.ahbl.org Subset of dnsbl, contains only open proxies, compromised machines, comment spammers Until delisting requested Designed for use on IRC servers Yes No
Quorum.to ip-dnsbl list.quorum.to. ( or per-subscriber: [id].list.quorum.to. ) Stop spam from hosts that send no legitimate mail (list most non-mail-sending hosts). Listings based on "instant" automated checks, recipient nomination and traps. Listings can be challenged. Subscribers vote to decide sender status. Public list follows standard dnsbl protocol. Subscription based service is more capable, but does not follow standard. Yes No
Heise Zeitschriften Verlag GmbH & Co. KG, hosted by manitu GmbH NiX Spam (nixspam) ix.dnsbl.manitu.net Lists single IPs (no IP ranges) that send spam to spamtraps. Lists mailhosts, rather than domains, and thus blocks entire hosting providers and ISPs. Automated listing due to spamtrap hits. Exceptions apply to bounces, NDRs and whitelisted IPs. 12 hours after last listing or until self delisting TXT records provide information of listing incident - NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin. No Yes (for ISPs/ESPs on request)
inps.de inps.de-DNSBL dnsbl.inps.de Single IP addresses IP addresses can be reported as known spam sources by users, additionally automated listing if spam arrives at the mailservers of inps.de IP addresses are listed until they are removed manually via the website. A- and TXT records are available for each entry; Removal is free after 30 days for automatic additions and after 7 days for manual additions; otherwise removal fee is at least EUR 10,00. Maybe No
blocklist.de dnsbl bl.blocklist.de IP-Addresses who Attacks other Server/Honeypots over ssh, imap, smtp, ftp, web, rfi, sqli, ddos.... Automatic: over Honeypots and with over 515 Users and 630 Servers from blocklist.de via Fail2Ban or own scripts Automatic: 48 Hours after the last Attack. But earlier remove is available over the Delist-Link Services is free! Source data is from Honeypot-Systems and over 515 User with 630 Servern there reports Attacks with Fail2Ban No Yes
SRN:SurGATE Reputation Network SRN srnblack.surgate.net Spam sources, relay abusers Feeder servers Automatic expiry (varies by type); webpage allows delisting Removal requests are quickly and manually reviewed and processed without fees. Yes No
s5h.net Internet Services s5h.net all.s5h.net Spam sources from email, forums, referrer spam and dictionary attacks Traps Twelve months unless ISPs request removal earlier By request. ISPs can provide request exclusion Yes No
MegaRBL RBL rbl.megarbl.net IP addresses used to send spam to traps spamtraps, in order to avoid abusive reports (Competitors, false positive, etc...) only MegaRBL team can add an IP to the list. Until delisting requested. Removal requests are quickly and manually reviewed and processed without fees. No Yes
IPrange.net RBL rbl.iprange.net Spam Trap List of IP addresses that sends spam or causing troubles with botnets or phishing Until delisting requested. Removal requests will be investigated and processed within 24 hours of submission. No No
BarracudaCentral RBL b.barracudacentral.org Spam Trap Provides a list of IP addresses which are sending spam. The Barracuda Reputation system uses automated collection methods to add and delete IP addresses from the BRBL. Until delisting requested. Requires registration of administrator and hosts to use. Removal requests are typically investigated and processed within 12 hours of submission if provided with a valid explanation No No

Notes

"Collateral Listings" - Deliberately listing non-offending IP addresses, in order to coerce ISPs to take action against spammers under their control.

"Notifies upon listing" - Warns the owner of the IP/Domain when they list an IP. (so owners can take action to fix the problem)

References

  1. "armresearch.com". armresearch.com. Retrieved 2012-05-06.
  2. https://www.astaro.org/gateway-products/web-server-security/54332-dnsbl-proxybl-org-offline.html
  3. 1 2 3 UCEPROTECT® abc@uceprotect.org. "UCEPROTECT®-Network - Germanys first Spam protection database". Uceprotect.net. Retrieved 2012-05-06.
  4. Simpson, Ken. "Getting Onto a Blacklist Without Sending Any Spam". MailChannels Anti-Spam Blog. MailChannels Corporation. Retrieved 16 September 2011.
  5. "sorbs.net". sorbs.net. Retrieved 2012-05-06.
  6. http://www.orbitrbl.com
  7. "The Cbl Faq". Cbl.abuseat.org. 2006-12-31. Retrieved 2012-05-06.
  8. http://www.ahbl.org/content/changes-ahbl
  9. ahbl.org

External links

This article is issued from Wikipedia - version of the Friday, April 15, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.