Comparison of DNS blacklists
Encyclopedia
The following table lists technical information for a number of DNS blacklists
DNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...

.
Blacklist operator DNS blacklist Informational URL Zone Listing goal Nomination Listing lifetime Notes
ARM Research Labs, LLC GBUdb Truncate http://www.gbudb.com/truncate/ truncate.gbudb.net Extremely conservative list of single IP4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reuptation system. Most systems should be able to safely reject connections based on this list. Automatic: IPs are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data. Automatic: Continuous while reputation statistics remain bad. IPs are dropped quickly if the statistics improve (within an hour). IPs are dropped within 36 hours (typ) if no more messages are seen (dead zombie). Source data is derived from a global network of Message Sniffer filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes.
invaluement DNSBL ivmSIP http://dnsbl.invaluement.com/ivmsip/ N/A
(paid access via rsync)
Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spams which evade many other DNSBLs. Has FP-level comparable to Zen. Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees.
ivmSIP/24 http://dnsbl.invaluement.com/ivmsip24/ N/A
(paid access via rsync)
lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail. Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases Removal requests are quickly and manually reviewed and processed without fees.
ivmURI http://dnsbl.invaluement.com/ivmuri/ N/A
(paid access via rsync)
comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives Typically an automatic expiration several weeks after the last abuse was seen. Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees.
proxyBL dnsbl http://proxybl.org/ dnsbl.proxybl.org Lists all types of open (publicly accessible) proxies Automated listing through crawling of websites As long as proxy is verified open (automated) Time between verifications increases exponentially in relation to the number of times the host was verified an open proxy
UCEPROTECT-Network UCEPROTECT Level 1 http://www.uceprotect.net/en/index.php?m=3&s=3 dnsbl-1.uceprotect.net
(also free available via rsync http://www.uceprotect.net/en/index.php?m=6&s=10)
Single IP addresses that send mail to spamtrap
Spamtrap
A spamtrap is a honeypot used to collect spam.Spamtraps are usually e-mail addresses that are created not for communication, but rather to lure spam...

s
Automatic by a cluster of more than 60 trapservers Automatic expiration 7 days after the last abuse was seen, optionally express delisting (fee) UCEPROTECT's primary and the only independent list
UCEPROTECT Level 2 http://www.uceprotect.net/en/index.php?m=3&s=4 dnsbl-2.uceprotect.net
(also free available via rsync http://www.uceprotect.net/en/index.php?m=6&s=10)
Allocations with exceeded UCEPROTECT Level 1 listings Automatic calculated from UCEPROTECT-Level 1 Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (fee) Fully depending on Level 1
UCEPROTECT Level 3 http://www.uceprotect.net/en/index.php?m=3&s=5 dnsbl-3.uceprotect.net
(also free available via rsync http://www.uceprotect.net/en/index.php?m=6&s=10)
ASN's with excessive UCEPROTECT Level 1 listings Automatic calculated from UCEPROTECT-Level 1 Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee) Fully depending on Level 1
Spam and Open Relay Blocking System
Spam and Open Relay Blocking System
SORBS is a list of e-mail servers suspected of sending or relaying spam . It has been augmented with complementary lists that include various other classes of hosts, allowing for customized email rejection by its users.-History:The SORBS DNSbl project was created November 2002...

 (SORBS)
dnsbl http://www.sorbs.net/ dnsbl.sorbs.net Unsolicited bulk/commercial email senders N/A (See individual zones) N/A (See individual zones) Aggregate zone (all aggregates and what they include are listed on SORBS
Spam and Open Relay Blocking System
SORBS is a list of e-mail servers suspected of sending or relaying spam . It has been augmented with complementary lists that include various other classes of hosts, allowing for customized email rejection by its users.-History:The SORBS DNSbl project was created November 2002...

)
safe.dnsbl safe.dnsbl.sorbs.net Unsolicited bulk/commercial email senders N/A (See individual zones) N/A (See individual zones) "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent" and "escalations")
http.dnsbl http.dnsbl.sorbs.net Open HTTP proxy servers Feeder servers Until delisting requested.
socks.dnsbl socks.dnsbl.sorbs.net Open SOCKS
SOCKS
SOCKS is an Internet protocol that routes network packets between a client and server through a proxy server. SOCKS5 additionally provides authentication so only authorized users may access a server...

 proxy servers
Feeder servers Until delisting requested.
misc.dnsbl misc.dnsbl.sorbs.net Additional proxy servers Feeder servers Until delisting requested. Those not already listed in the HTTP or SOCKS databases
smtp.dnsbl smtp.dnsbl.sorbs.net Open SMTP relay servers Feeder servers Until delisting requested.
web.dnsbl web.dnsbl.sorbs.net IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail
FormMail
Formmail and its many variants, is a free open source web server CGI script that captures and processes form contents and then typically e-mails them to one or more recipients....

 scripts)
Feeder servers Until delisting requested or Automated Expiry
new.spam.dnsbl new.spam.dnsbl.sorbs.net Hosts that have sent spam to the admins of SORBS in the last 48 hours SORBS Admin and Spamtrap Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net'
recent.spam.dnsbl recent.spam.dnsbl.sorbs.net Hosts that have sent spam to the admins of SORBS in the last 28 days SORBS Admin and Spamtrap Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net'
old.spam.dnsbl old.spam.dnsbl.sorbs.net Hosts that have sent spam to the admins of SORBS in the last year SORBS Admin and Spamtrap Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net'
spam.dnsbl spam.dnsbl.sorbs.net Hosts that have allegedly sent spam to the admins of SORBS at any time SORBS Admin and Spamtrap. Until 1 year after the last spam is received and a request has been made or until the "fine" is paid for express delisting
escalations.dnsbl escalations.dnsbl.sorbs.net Netblocks of service providers believed to support spammers SORBS Admin fed. Until delisting requested and matter resolved. Service providers are added on receipt of a 'third strike' spam
block.dnsbl block.dnsbl.sorbs.net Hosts demanding that they never be tested Request by host N/A
zombie.dnsbl zombie.dnsbl.sorbs.net Hijacked networks SORBS Admin (manual submission) Until delisting requested.
dul.dnsbl dul.dnsbl.sorbs.net Dynamic IP address ranges SORBS Admin (manual submission) Until delisting requested. Not a list of dial-up IP addresses
rhsbl rhsbl.sorbs.net Aggregate RHS zones N/A N/A
badconf.rhsbl badconf.rhsbl.sorbs.net Domains with invalid A or MX records in DNS
Domain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...

Open submission via automated testing page. Until delisting requested.
nomail.rhsbl nomail.rhsbl.sorbs.net Domains which the owners have confirmed will not be used for sending email Owner submission Until delisting requested.
Spamhaus SBL Advisory http://www.spamhaus.org/sbl sbl.spamhaus.org Verified sources of spam
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...

, including spammers and their support services
Manual From 30 minutes to a year or more, depending on issue and resolution
XBL Advisory http://www.spamhaus.org/xbl xbl.spamhaus.org Illegal third-party exploits (e.g. open proxies
Open proxy
An open proxy is a proxy server that is accessible by any Internet user. Generally, a proxy server allows users within a network group to store and forward Internet services such as DNS or web pages to reduce and control the bandwidth used by the group...

 and Trojan Horses
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...

)
Third-party (see Notes) with automated additions Varies, under a month. Includes the Composite Blocking List
Composite Blocking List
In computer networking, the Composite Blocking List is a DNS-based Blackhole List of suspected E-mail spam sending computer infections.The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics such as:* Open proxies of various sorts...

 and parts of the Not Just Another Bogus List
Not Just Another Bogus List
Not Just Another Bogus List, or NJABL, is a DNS blacklist.NJABL maintains a list of known and potential spam sources for the purpose of being able to tag or refuse e-mail and thereby block spam from certain sources...

PBL Advisory http://www.spamhaus.org/pbl pbl.spamhaus.org Static, dial-up & DHCP IP address space that is not meant to be initiating SMTP connections Manual Unknown Should not be confused with the MAPS DUL and Wirehub Dynablocker lists
SBL+XBL http://www.spamhaus.org sbl-xbl.spamhaus.org A single lookup for querying the SBL and XBL databases
Zen http://www.spamhaus.org/zen zen.spamhaus.org A single lookup for querying the SBL, XBL and PBL databases. The one to use to get all.
ORBITrbl Aggressive RBL RBL http://www.orbitrbl.com rbl.orbitrbl.com Unsolicited bulk/Commercial email senders (/24 IP address block) Feeder servers Until delisting requested? (Only When Found to be Non Spam Source) Aggregate zone
Composite Blocking List
Composite Blocking List
In computer networking, the Composite Blocking List is a DNS-based Blackhole List of suspected E-mail spam sending computer infections.The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics such as:* Open proxies of various sorts...

CBL http://cbl.abuseat.org/ cbl.abuseat.org
(also free available rsync access, on request see FAQ http://cbl.abuseat.org/faq.html)
Only IP addresses exhibiting characteristics specific to open proxies, spamware, botnets and the like. Automatic: large spamtraps and production mail servers Temporary, until spam stops Use Spamhaus XBL or Spamhaus Zen instead; they include CBL.
Passive Spam Block List PSBL http://psbl.surriel.com/ psbl.surriel.com
(also free available via rsync http://psbl.surriel.com/howto/)
IP addresses used to send spam to trap spamtraps Temporary, until spam stops
Intercept - DNS Blacklist (DNSBL) Intercept http://intercept.datapacket.net/ intercept.datapacket.net IP addresses used to send spam to trap spamtraps Temporary, until spam stops
Weighted Private Block List WPBL http://www.wpbl.info/ db.wpbl.info IP addresses used to send UBE to members spamtraps Temporary, until spam stops
SpamCop Blocking List
SpamCop
SpamCop is a free spam reporting service, allowing recipients of unsolicited bulk email and unsolicited commercial email to report offenders to the senders' Internet Service Providers , and sometimes their web hosts...

SCBL http://spamcop.net/bl.shtml bl.spamcop.net IP addresses which have been used to transmit reported email to SpamCop users users submit Temporary, until spam stops
SpamRats RATSNOPTR http://www.spamrats.com noptr.spamrats.com IP addresses detected as abusive at ISP's using MagicMail Servers, with no reverse DNS service Automatically Submitted Listed until removed, and reverse DNS configured
RATSDYNA http://www.spamrats.com dyna.spamrats.com IP addresses detected as abusive at ISP's using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems Automatically Submitted Listed until removed, and reverse DNS set to conform to Best Practises
RATSSPAM http://www.spamrats.com spam.spamrats.com IP addresses detected as abusive at ISP's using MagicMail Servers, and manually confirmed as spam sources Manually Submitted Listed until removed
SpamCannibal spamcannibal.org http://spamcannibal.org/ bl.spamcannibal.org IP addresses and related generic netblocks that have sent spam. spamtraps until removal requested and matter resolved by changing server DNS ptr record to a non-generic name. Even if a particular IP has not sent spam, it may be included in a generic netblock which will provide many false positives. listed=127.0.0.2
IPQuery ipquery.org http://ipquery.org/ any.dnsl.ipquery.org Spam sources, relay abusers, backscatterers Automated, based on traffic observed locally, with some human supervision Automatic expiry (varies by type); webpage allows delisting Keeps a listing history; retains specimens
Not Just Another Bogus List
Not Just Another Bogus List
Not Just Another Bogus List, or NJABL, is a DNS blacklist.NJABL maintains a list of known and potential spam sources for the purpose of being able to tag or refuse e-mail and thereby block spam from certain sources...

NJABL DNSBL http://www.njabl.org/use.html dnsbl.njabl.org open SMTP relays, multi-stage SMTP open relays, spam sources, Insecure CGI scripts that allow open relaying, and open proxy servers spamtraps, testing, testing by trusted contributors Varies
Bad host, no cookie bhnc.njabl.org These hosts have done things proper SMTP servers don't do. spamtraps until de-listing requested
Distributed Realtime Blocking List drand DRBL node http://www.drbl.ru/ spamtrap.drbl.drand.net IP addresses used to send spam to traps or members Automated [de]listing. Varies from spam type, rate and other sophisticated factors. 30 s to 1 week. Hight IP network aggregate threshold >= 254.
Junk Email Filter Hostkarma http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists hostkarma.junkemailfilter.com
blacklist.hostkarma.com
Detects viruses by behavior using fake high MX and tracking non-use of QUIT Automated [de]listing Black list Data lives for 4 days. White list data lives for 10 days. 127.0.0.1=white 127.0.0.2=black 127.0.0.3=yellow
RFC-Ignorant.Org DSN (<>) http://rfc-ignorant.org/policy-dsn.php dsn.rfc-ignorant.org
(also free available via Rsync http://www.rfc-ignorant.org/rsync.php)
refusal to accept bounces (DSN) Open submission via automated testing page. Until delisting requested.
postmaster http://rfc-ignorant.org/policy-postmaster.php postmaster.rfc-ignorant.org
(also free available via Rsync http://www.rfc-ignorant.org/rsync.php)
refusal to accept e-mail to postmaster
abuse http://rfc-ignorant.org/policy-abuse.php abuse.rfc-ignorant.org
(also free available via Rsync http://www.rfc-ignorant.org/rsync.php)
refusal to accept e-mail to abuse
whois http://rfc-ignorant.org/policy-whois.php whois.rfc-ignorant.org
(also free available via Rsync http://www.rfc-ignorant.org/rsync.php)
bogus whois information
bogusmx http://rfc-ignorant.org/policy-bogusmx.php bogusmx.rfc-ignorant.org
(also free available via Rsync http://www.rfc-ignorant.org/rsync.php)
bogus MX record
The Abusive Hosts Blocking List
The Abusive Hosts Blocking List
The Abusive Hosts Blocking List is an internet abuse tracking and filtering system developed by The Summit Open Source Development Group, and based on the original Summit Blocking List .-DNSbl and RHSbl lists:...

 (AHBL)
dnsbl http://www.ahbl.org/ dnsbl.ahbl.org Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers Feeder systems, manual Until delisting requested Aggregate zone (all aggregates and what they include are listed on AHBL
The Abusive Hosts Blocking List
The Abusive Hosts Blocking List is an internet abuse tracking and filtering system developed by The Summit Open Source Development Group, and based on the original Summit Blocking List .-DNSbl and RHSbl lists:...

)
rhsbl rhsbl.ahbl.org Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs Manual
ircbl ircbl.ahbl.org Subset of dnsbl, contains only open proxies, compromised machines, comment spammers Until delisting requested Designed for use on IRC servers
tor tor.ahbl.org Current tor relay and exit nodes Automated N/A
Dronebl dnsbl http://dronebl.org/docs/howtouse dnsbl.dronebl.org All-in-one abusive hosts blacklist Automated listing via distributed monitoring points Permanent until delisted via website.
Quorum.to ip-dnsbl http://www.quorum.to/ list.quorum.to. ( or per-subscriber: [id].list.quorum.to. ) Stop spam from hosts that send no legitimate mail (list most non-mail-sending hosts). Listings based on "instant" automated checks, recipient nomination and traps. Listings can be challenged. Subscribers vote to decide sender status. Public list follows standard dnsbl protocol. Subscription based service is more capable, but does not follow standard.
Spamanalysis.org GeoBL http://spamanalysis.org/overview.html User-defined: [*].geobl.spamanalysis.org Lists hosts known as being in certain geographic locations. Users set their own list of blocked countries. Hosts reported as being incorrectly located may be delisted. Allows basic monitoring, listed if A=127.0.0.2 or TXT=blocked
ATLBL ATLBL RBL http://www.atlbl.com/en/about.html rbl.atlbl.net World wide abuse detection network made of spamtraps/honeypots. Automatic, as soon as no further abuse is detected. Allows simple DNSBL lookups of email spam sources.
ATLBL HBL http://www.atlbl.com/en/about.html hbl.atlbl.net List malware/abuse sources by hostname and domain for use in email and forum spam detection. World wide abuse detection network made of spamtraps/honeypots. Automatic, as soon as no further abuse is detected. Allows simple DNSBL lookups of abuse sources.
ATLBL ABL http://www.atlbl.com/en/about.html access.atlbl.net World wide abuse detection network made of spamtraps/honeypots. Automatic, as soon as no further abuse is detected. Allows simple DNSBL lookups of IP addresses for known abusive sources such as SSH brute force attack
Brute force attack
In cryptography, a brute-force attack, or exhaustive key search, is a strategy that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system that would make the task easier...

sources and other forms of internet crime and abuse.
Heise Zeitschriften Verlag GmbH & Co. KG and hosted by manitu GmbH NiX Spam (nixspam) http://www.dnsbl.manitu.net/ ix.dnsbl.manitu.net Lists single IPs (no IP ranges) that send spam to spamtraps. Automated listing due to spamtrap hits. Exceptions apply to bounces, NDRs and whitelisted IPs. 12 hours after last listing or until self delisting TXT records provide information of listing incident - NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin.
inps.de inps.de-DNSBL http://dnsbl.inps.de/?lang=en dnsbl.inps.de Single IP addresses IP addresses can be reported as known spam sources by users, additionally automated listing if spam arrives at the mailservers of inps.de IP addresses are listed until they are removed manually via the website. A- and TXT records are available for each entry; Removal is free after 30 days for automatic additions and after 7 days for manual additions; otherwise removal fee is at least EUR 10,00.

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK