
DNSBL

From ASSPSMTP


A DNS-based Block List or DNSBL is a means by which an Internet site (a DNSBL provider) may publish a list of IP addresses - typically with the intent of being used as a reference of sources of spam. It is published in a format which can be easily queried by computer programs on the Internet; and as the name suggests, the technology is built on top of the Internet Domain Name System (DNS). Most Mail Transfer Agents (MTAs, also simply referred to as mail servers) and anti-spam software can be configured to reject or flag messages which have been sent from an IP address listed by a DNSBL provider.

Sometimes incorrectly referred to as a Realtime Blackhole List or RBL, the definition of the acronym "DNSBL" varies, but all of its variations describe the same type of service for blocking network connections based on IP addresses. As well as "DNS-based Block List", DNSBL has also been known to stand for "DNS Black List" and "DNS Blackhole List". The term "Realtime Blackhole List" (RBL) is a registered trademark of MAPS, which is now owned by Trend Micro. Because it is a registered trademark of a service, it is not the appropriate term to use to generically refer to DNSBL providers.



DNSBL Providers

DNSBL providers are organizations (or in some cases individuals) that host DNS servers with the specific intent to publish databases of IP addresses that are associated with the distribution of spam. Typically, each of the major DNSBL providers specializes in a certain aspect or type of spam, which is why multiple DNSBL providers should be used for comprehensive protection.

The DNSBL providers in this article have been categorized and listed based on their designed use and trustworthiness. Wherever possible, aggregate (composite/combined) DNS zones are used to provide the most functionality for the least amount of DNSBL provider queries.

This is not a complete list of all known DNSBL providers. Some well-known providers were intentionally left off this list because of data/functionality redundancy. Also, some unrecommended and untrustworthy DNSBL providers have been listed below as a reference of DNSBL providers not to use and why. A well-kept list of all known DNS-based spam databases is maintained at DECLUDE.

  • Grayed DNSBL host names indicate that they fall within an encompassing aggregate zone.

Safe DNSBL Providers

This is a list of recommended DNSBL providers. These DNSBL providers are well-known, trusted, and are generally considered safe to use. They are not overly aggressive and should generally not cause any false-positives.

  • Please be aware of any cautionary notes attached to an individually listed DNSBL.


Name DNSBL Host Information & Notes
Spamhaus ZEN zen.spamhaus.org

sbl.spamhaus.org
xbl.spamhaus.org
pbl.spamhaus.org
Spamhaus
Spamhaus ZEN is the combination of all Spamhaus DNSBL providers into one comprehensive aggregate block list zone:
  • SBL (Spamhaus Block List) is a real-time database of IP addresses of verified spam sources and spam operations; including spammers, spam gangs, spam support services (service providers), as well as the ROKSO-listed spammers.
    • ROKSO (Register of Known Spam Operations) is a database that collates information and evidence on known professional spam operations that have been terminated by a minimum of 3 Internet Service Providers for spam offenses.
  • XBL (eXploits Block List) is a real-time database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits. This list includes the CBL and NJABL open proxy lists.
  • PBL (Policy Block List) is a database of end-user (residential and dial-up) IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. IP address ranges are added and maintained by each network participating in the PBL project, or are manually added by Spamhaus where spam received from those ranges, rDNS and server patterns are consistent with end-user IP space which typically contain high concentrations of "botnet zombies", a major source of spam.

Using ZEN is highly recommended. With the addition of the PBL, ZEN now encompasses the functionality of NJABL Combined - making it no longer necessary to use the two together.

ZEN has replaced the SBL+XBL combined zone. If you currently use SBL+XBL, make the change to ZEN. SBL+XBL is set to be withdrawn completely from service.

NJABL Combined combined.njabl.org

dnsbl.njabl.org
dynablock.njabl.org
NJABL (Not Just Another Bogus List) Combined is the combination of all NJABL's DNSBL providers into one comprehensive aggregate block list zone:
  • DNSBL is a database of IP addresses of UBE sources, verified spam services and open SMTP relay servers.
  • Dynablock is a database of IP addresses of Dynamic/Residential IP ranges.

NJABL Combined is currently redundant to and obsoleted by the functionality of Spamhaus's ZEN.

SORBS DUL dul.dnsbl.sorbs.net
SORBS
SORBS (Spam and Open Relay Blocking System) DUL (Dynamic User List) is a database of dynamic IP address ranges.

SORBS DUL is a single zone that is also encompassed by the SORBS DNSBL aggregate zone listed in the Aggressive DNSBL Providers section.

DSBL List list.dsbl.org
DSBL
DSBL (Distributed Sender Blackhole List) List is a database of IP addresses of open single-stage SMTP relays, open proxies, and non-secure FormMail servers. IP addresses are added based on their improper ability to send specially coded messages back to DSBL's mail server.

Be careful that you do not pluralize the hostname. It is "list", not "lists".

MailPolice adult.rhs.mailpolice.com
block.rhs.mailpolice.com
dynamic.rhs.mailpolice.com
porn.rhs.mailpolice.com

bulk.rhs.mailpolice.com
fraud.rhs.mailpolice.com
MailPolice
MailPolice provides multiple Right Hand Side block lists for blocking various types of spam:
  • adult is a database of IP addresses of domain names that have adult-oriented sites
  • block is a combination of bulk and fraud into one comprehensive aggregate block list zone:
    • bulk is a database of IP addresses of domain names that send spam or have: bulk-senders, unconfirmed mailing-list, and unsolicited advertising sites
    • fraud is a database of IP addresses of domain names that host fraudulent content (phishing)
  • dynamic is a database of IP addresses of domain names that are dynamic PPP/DSL/cable reverse DNS hostnames
  • porn is a database of IP addresses of domain names that host pornographic (18+) sites
HIL hil.habeas.com
Habeas
HIL (Habeas Infringer's List) is a database of IP addresses of infringers of Habeas's technologies, such as spammers forging Habeas headers in an attempt to bypass spam filters.
iX NiX ix.dnsbl.manitu.net
IX
iX NiX SPAM (born as an RBL project of a large German technology magazine, [1]) is a medium-size (about 40,000 entries) real-time database of IP addresses that are sending spam. The iX blacklist is made of automatically generated entries without distinguishing open proxies from relays, dialup gateways, and so on. An email source just has to send spam to make it onto the list. The idea behind it is to establish a secure rejection list that minimizes false positives and covers different sorts of spam sources.

The list is available as a real-time checksum table (Fuzzy MD5 Checksum), RBL service and complete real-time list download.


Aggressive DNSBL Providers

These DNSBL providers are well-known, generally trusted, but are considered to be slightly or moderately aggressive in their blocking behavior. Because of the aggressive nature of these DNSBL providers, it is recommended they be used with caution and only by experienced DNSBL users that know how to deal with or provide balance to the aggressive behavior. In some situations it can be advantageous to use aggressive DNSBL providers - particularly if you are blocking based on multiple DNSBL listing hits or are simply looking to add more scoring criteria to your spam analysis.

  • Please be aware of any cautionary notes attached to an individually listed DNSBL.


Name DNSBL Host Information & Notes
SCBL bl.spamcop.net
Spamcop
SCBL (SpamCop Blocking List) is a database of IP addresses which have transmitted reported email to SpamCop users, which in turn is used to block and filter unwanted email. The SCBL is a fast and automatic list of sites sending reported mail, with a number of report sources, including automated reports and SpamCop user submissions. The SCBL also quickly and automatically de-lists these sites when reports stop.

SpamCop is a very popular yet aggressive service that can quickly list what their registered users and spamtraps report as spam, in near real-time (provided that there are multiple unique complaints). This frequently affects mail coming from easily abusable "free" e-mail providers, such as Yahoo, MSN, and Gmail, which are commonly abused by spammers. These blocks are typically short-lived, but depending on your organization and its communications needs, these sporadic blocks can be problematic.


Caution: False-positives are common when using the SCBL because of the unpredictable reporting behavior of the members participating in the service. This database should only be used when blocking against multiple DNSBL hits or to add additional scoring information.
SORBS DNSBL dnsbl.sorbs.net

http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net
web.dnsbl.sorbs.net
new.spam.dnsbl.sorbs.net
recent.spam.dnsbl.sorbs.net
old.spam.dnsbl.sorbs.net
escalations.dnsbl.sorbs.net
block.dnsbl.sorbs.net
zombie.dnsbl.sorbs.net
dul.dnsbl.sorbs.net
SORBS
SORBS (Spam and Open Relay Blocking System) DNSBL (DNS-based Block List) combines all of SORBS's LHS (Left Hand Side) block lists into a single aggregate zone:
  • http is a database of IP addresses of open HTTP proxy servers.
  • socks is a database of IP addresses of open SOCKS proxy servers.
  • misc is a database of IP addresses of open proxy servers not listed in the SOCKS or HTTP lists.
  • smtp is a database of IP addresses of open SMTP relay servers.
  • web is a database of IP addresses of web (WWW) servers which have spammer-abusable vulnerabilities (e.g. FormMail scripts). Note: This zone now includes non-web server IP addresses that have abusable vulnerabilities.
  • old.spam is a database of IP addresses of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last year (includes recent.spam).
    • recent.spam is a database of IP addresses of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam).
      • new.spam is a database of IP addresses of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 48 hours.
  • escalations is a database of IP addresses of netblocks of spam supporting service providers, including those who provide web sites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list.
  • block is a database of IP addresses of hosts demanding that they never be tested by SORBS.
  • zombie is a database of IP addresses of networks hijacked from their original owners, some of which have already been used for spamming.
  • dul is a database of IP addresses of dynamic IP address ranges.
SORBS RHSBL rhsbl.sorbs.net

badconf.rhsbl.sorbs.net
nomail.rhsbl.sorbs.net
SORBS
SORBS (Spam and Open Relay Blocking System) RHSBL (Right Hand Side Blacklist) combines all of SORBS's RHS (Right Hand Side) block lists into a single aggregate zone:
  • badconf is a database of IP addresses of domain names where the A or MX records point to bad address space.
  • nomail is a database of IP addresses of domain names where the owners have indicated no email should ever originate from these domains.
DSBL Multihop multihop.dsbl.org
DSBL
DSBL (Distributed Sender Blackhole List) Multihop is a database of IP addresses of open multiple-stage SMTP relays, open proxies, and non-secure FormMail servers. IP addresses are added based on their improper ability to send specially coded messages back to DSBL's mail server.
UCEProtect dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
UCE (Unsolicited Commercial E-mail) Protect provides 3 Policy Levels of DNSBL listings for increasing levels of aggressiveness to block spam:
  • dnsbl-1 (Level 1) is a database of IP addresses with either wrong or missing or generic reverse DNS (PTR record), or "dialup" connections (typically suggesting a home/other user with a dynamic connection), or computers with exploited / exploitable security holes. e.g. open proxies, open relays, vulnerable web servers, virus infected, using abusive techniques (Portscanning, Probes etc), or which are assigned to well-known spammers, that have hit spamtraps within the last 7 days.
  • dnsbl-2 (Level 2) is a database of abusive networks (allocations) based on the number of abusive IP addresses that are listed in Policy Level 1 within the last 7 days.
  • dnsbl-3 (Level 3) is a database of abusive providers (ASNs) that have 0.2% but at least 100 IP addresses listed in Policy Level 1 within the last 7 days.

Caution: False-positives are more common in Level 2 and Level 3 because they encompass a much broader IP range in an attempt to punish the network providers. These databases should only be used when blocking against multiple DNSBL hits or to add additional scoring information.
RFC-Ignorant dsn.rfc-ignorant.org
postmaster.rfc-ignorant.org
abuse.rfc-ignorant.org
whois.rfc-ignorant.org
bogusmx.rfc-ignorant.org
RFC (Request For Comments) Ignorant provides multiple DNSBL providers for blocking various violators of RFC specifications for SMTP:
  • dsn is a database of IP addresses of servers that do not accept DSN notifications from "<>". "<>" is used for the From: field to prevent e-mail loops.
  • postmaster is a database of IP addresses of domains that do not have an accepting postmaster@ e-mail address.
  • abuse is a database of IP addresses of domains that do not have an accepting abuse@ reporting e-mail address.
  • whois is a database of IP addresses of domains that have missing, wrong or falsified information in their WHOIS record.
  • bogusmx is a database of IP addresses of domains that have invalid MX and MX RR records for those MX records in DNS.
CSMA bl.csma.biz
sbl.csma.biz
CSMA (Corey S. McFadden Associates) provides two DNSBL providers for different levels of aggressiveness to block spam:
  • bl is a database of IP addresses of aggressive hosts that have spammed repeatedly during a "short" time frame.
  • sbl is a database of IP addresses of hosts that have generated spam within a 45-day period.

Caution: False-positives are more common in the sbl database because of the possibility of stale records. This database should only be used when blocking against multiple DNSBL hits or to add additional scoring information.
MailPolice adv.rhs.mailpolice.com
redir.rhs.mailpolice.com
webmail.rhs.mailpolice.com
MailPolice
MailPolice provides multiple Right Hand Side block lists for blocking various types of spam:
  • adv is a database of IP addresses of domain names of e-mail marketers, such as opt-in advertisers and newsletters
  • redir is a database of IP addresses of domain names that have website redirectors
  • webmail is a database of IP addresses of domain names that host webmail services
TQM3 DNSBL dnsbl.tqmcube.com

dhcp.tqmcube.com
spam.tqmcube.com
ko.tqmcube.com
prc.tqmcube.com
TQM3 (Total Quality Management (cubed)) DNSBL (DNS-based Block List) combines all of TQM3's block lists into a single aggregate zone:
  • dhcp is a database of IP addresses of dynamic IP address ranges.
  • spam is a database of IP addresses of hosts that have sent email to spamtraps.
  • ko is a database of IP addresses of South Korea.
  • prc is a database of IP addresses of People's Republic of China.
PSBL psbl.surriel.com PSBL (Passive Spam Block List) is a database of IP addresses that have sent spam to a PSBL spamtrap.
UCEB blackholes.uceb.org UCEB (Unsolicited Commercial E-mail Blackholes) is a privately maintained, yet well regarded database of IP addresses.
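
The multiple-hit and scoring approach recommended in this section for aggressive lists, sketched in Python as an added example (it is not part of ASSP or of the original page). The zone names come from this page; the weights, the block threshold and the sample DNS answers are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumed weights: a hit on a "safe" list is enough to block on its own,
# a hit on an "aggressive" list only contributes to the total score.
ZONES = {
    "zen.spamhaus.org": 10,       # safe list
    "bl.spamcop.net": 4,          # aggressive: false positives are common
    "dnsbl.sorbs.net": 4,         # aggressive aggregate zone
    "dnsbl-2.uceprotect.net": 3,  # aggressive: lists whole allocations
}
BLOCK_THRESHOLD = 8  # assumed policy value


def dnsbl_query_name(ip, zone):
    """Build the name to look up: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listed(answer):
    """Count only answers inside 127.0.0.0/8 as a listing.

    Anything else (for example a resolver that rewrites NXDOMAIN to a
    search page address) must not be treated as a hit.
    """
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def evaluate(ip, zones=ZONES, resolver=system_resolver, threshold=BLOCK_THRESHOLD):
    """Query every zone and block only when the summed weight reaches threshold."""
    hits = [z for z in zones if is_listed(resolver(dnsbl_query_name(ip, z)))]
    score = sum(zones[z] for z in hits)
    return {"ip": ip, "hits": hits, "score": score, "block": score >= threshold}


# Constructed answers standing in for live DNS (documentation address range).
FAKE_DNS = {
    "7.113.0.203.bl.spamcop.net": "127.0.0.2",     # one aggressive hit only
    "9.113.0.203.bl.spamcop.net": "127.0.0.2",     # two aggressive hits
    "9.113.0.203.dnsbl.sorbs.net": "127.0.0.6",
    "8.113.0.203.zen.spamhaus.org": "127.0.0.4",   # one safe hit
    "10.113.0.203.bl.spamcop.net": "198.51.100.1", # rewritten NXDOMAIN, not a listing
}
```

Pass `resolver=FAKE_DNS.get` to run the policy offline against the constructed answers; the default resolver performs live lookups through the system's DNS.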


Country-specific DNSBL Providers

These DNSBL providers list IP addresses of specific countries. The result is that you can block e-mail session attempts per-country by using these DNSBL providers. This can be a very convenient and efficient way of blocking email from countries that you knowingly would never communicate with.

While there are other providers of this type of country-specific service, countries.nerd.dk offers a well maintained and diverse base of countries to block from. A full description of their services can be found on their web site.

The hostnames used for these DNS zones at countries.nerd.dk are based on the country code top-level domain (ccTLD) for each country; which is based on the International Organization for Standardization (ISO) geographical coding standard ISO 3166. The two letter coding standard as described in the ISO 3166-1 alpha-2 subset is what is used as the hostname to identify these country-specific DNSBL providers.

Use the following example, with <ccTLD> replaced with the appropriate country code that you wish to use, as a DNSBL provider to block with:

<ccTLD>.countries.nerd.dk
  • The most common high-volume spam countries have been listed here.
  • Use these ccTLDs as DNSBL providers with countries.nerd.dk at your own risk, as you will be blocking entire geographical locations.


Country ccTLD Information & Notes
Argentina ar
Bermuda bm
Botswana bw
Brazil br
Canada ca
Chile cl
China cn
Cocos (Keeling) Islands cc Caution: .cc is promoted for international registration as "the next .com".
Cyprus cy
Estonia ee
Fiji fj
France fr
Germany (Deutschland) de
Greece gr
Hong Kong hk
Hungary hu
India in
Indonesia id
Israel il
Japan jp
Luxembourg lu
Malaysia my
Mexico mx
Netherlands nl
New Zealand nz
Nigeria ng
Peru pe
Poland pl
Singapore sg
South Africa (Zuid-Afrika) za
South Korea kr
Spain (España) es
Taiwan tw
Thailand th
Turkey tr
United Kingdom uk
United States us
Uruguay uy


Untrustworthy DNSBL Providers

These are certain DNSBL providers that do not adhere to standard or fair practices for listing an IP address or removing it from their lists. These DNSBL providers typically use listing criteria that are considered overly aggressive, and getting removed from their lists is difficult if not impossible. The most problematic known DNSBL providers have been listed here.

  • Do not use these DNSBL providers.


Name Reason
BLARSBL Blocks large IP ranges indiscriminately
FIVETENIGNORE Blocks large IP ranges indiscriminately
FIVETENSRC Blocks large IP ranges indiscriminately
JAMMDNSBL Blocks large IP ranges indiscriminately
MAPS-DUL Lists IP addresses that are not known to send spam
SPAMBAG Blocks large IP ranges indiscriminately
SPEWS Blocks large IP ranges indiscriminately