Comparison of DNS blacklists
The following table lists technical information for a number of DNS blacklists used for blocking spam.
Blacklist operator | DNS blacklist | Zone | Listing goal | Nomination | Listing lifetime | Notes | Collateral listings | Notifies upon listing |
---|---|---|---|---|---|---|---|---|
Abusix | combined | combined.mail.abusix.zone | Aggregate zone | Aggregate zone | Aggregate Zone | Single lookup that contains results from black, exploit and policy lists. | No | No |
black | black.mail.abusix.zone | Lists individual IP addresses that have sent mail to spam traps. And some manual added netblocks. | Mostly Automatic with some manual additions. | For automated listings 5.6 days after last event, manual additions are permanent. | No | No (but planned) | ||
exploit | exploit.mail.abusix.zone | Lists IP addresses behaving in a way that indicates the IP is compromised, infected, proxy, VPN, TOR, malware, | Automatic | 5.6 days after last event | No | No (but planned) | ||
policy | dynamic.mail.abusix.zone | Lists IP addresses that should not be connecting directly to MX, such as residential IPs etc. | Automatic | Permanent (until delist requested) | Lists ranges that have generic or templated rDNS. Individual IPs can be delisted immediately via web. | No | No | |
dblack | dblack.mail.abusix.zone | Lists domains seen in spam hitting traps. | Automatic | 5.6 days after last event | Can be used as an RHSBL and a URIBL. | No | No (but planned) | |
nod | nod.mail.abusix.zone | Lists domains that are newly observed (first use) | Automatic | 25 hours | Based on historical passive DNS data, lists domains first seen in the wild within the last 25 hours). | No | No | |
shorthash | shorthash.mail.abusix.zone | Lists short URLs (SHA-1 hashed) seen in traps. | Automatic | 5.6 days after last event | Created to handle popular shorteners that are misused to hide domains from blacklisting. | No | No | |
diskhash | diskhash.mail.abusix.zone | Lists URLs of online drive services (SHA-1 hashed) seen in traps. | Automatic | 5.6 days after last event | Current only listing Google Drive and Yandex Disk URLs that are used to avoid domain blacklisting. | No | No | |
ARM Research Labs, LLC GBUdb | Truncate | truncate.gbudb.net | Extremely conservative list of single IP4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reputation system. Most systems should be able to safely reject connections based on this list. | Automatic: IPs are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data. | Automatic: Continuous while reputation statistics remain bad. Warning: Produces false positives, and has no remedy/removal process. IPs are dropped quickly if the statistics improve (within an hour). IPs are dropped within 36 hours (typ) if no more messages are seen (dead zombie). | Source data is derived from a global network of Message Sniffer[1] filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes.
Warning: Unreliable, as it produces false positives. It is impossible to find additional information or to manually troubleshoot the problem. It is based on results created by their proprietary software running a proprietary algorithm. |
No | No |
Metunet Research Labs Metunet | dnsbl | rbl.metunet.com | Single IP4 addresses produce exclusively spam or malware. Respective Mail providers protected like Free and paid mail providers. | Automatic | Last activities after one year automatic or delist request by mail [email protected] | Removal requests are quickly and manually reviewed and processed without fees. | No | No |
invaluement DNSBL | ivmSIP | Paid access via rsync | Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spams which evade many other DNSBLs. Has FP-level comparable to Zen. | Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives | Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions | Spam samples are always kept on file for each listing. Removal requests are manually reviewed and processed without fees. | No | No |
ivmSIP/24 | Paid access via rsync | Lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail. Collateral listings are kept to a minimum because subsections are often carved from /24 listings when spammers and legit senders share the same /24 block. | Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives | Expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases | Removal requests are quickly and manually reviewed and processed without fees. | Yes | No | |
ivmURI | Paid access via rsync | Comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages | Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives | Typically an automatic expiration several weeks after the last abuse was seen. | Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees. | No | No | |
UCEPROTECT-Network | UCEPROTECT Level 1 | dnsbl-1.uceprotect.net (also free available via rsync [2]) |
Single IP addresses that send mail to spamtraps | Automatic by a cluster of more than 60 trapservers [3] | Automatic expiration 7 days after the last abuse was seen, optionally express delisting for a small fee. | UCEPROTECT's primary and the only independent list | No | No |
UCEPROTECT Level 2 | dnsbl-2.uceprotect.net (also free available via rsync [2]) |
Allocations with exceeded UCEPROTECT Level 1 listings | Automatic calculated from UCEPROTECT-Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (for a fee) | Fully depending on Level 1 | Yes | No | |
UCEPROTECT Level 3 | dnsbl-3.uceprotect.net (also free available via rsync [2]) |
ASN's with excessive UCEPROTECT Level 1 listings | Automatic calculated from UCEPROTECT-Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee) | Fully depending on Level 1 | Yes | No | |
Spam and Open Relay Blocking System (SORBS) | dnsbl | dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | Aggregate zone (all aggregates and what they include are listed on SORBS)[4] | As per component list | Via SORBS Report Manager |
safe.dnsbl | safe.dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent", "old", "spam" and "escalations") | No | Via SORBS Report Manager | |
http.dnsbl | http.dnsbl.sorbs.net | Open HTTP proxy servers | Feeder servers | Until delisting requested. | No | Via SORBS Report Manager | ||
socks.dnsbl | socks.dnsbl.sorbs.net | Open SOCKS proxy servers | Feeder servers | Until delisting requested. | No | Via SORBS Report Manager | ||
misc.dnsbl | misc.dnsbl.sorbs.net | Additional proxy servers | Feeder servers | Until delisting requested. | Those not already listed in the HTTP or SOCKS databases | No | Via SORBS Report Manager | |
smtp.dnsbl | smtp.dnsbl.sorbs.net | Open SMTP relay servers | Feeder servers | Until delisting requested. | No | Via SORBS Report Manager | ||
web.dnsbl | web.dnsbl.sorbs.net | IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts) | Feeder servers | Until delisting requested or Automated Expiry | No | Via SORBS Report Manager | ||
new.spam.dnsbl | new.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS or SORBS Spamtraps in the last 48 hours | SORBS Admin and Spamtrap | Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' | No | Via SORBS Report Manager | ||
recent.spam.dnsbl | recent.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS or SORBS Spamtraps in the last 28 days | SORBS Admin and Spamtrap | Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' | No | Via SORBS Report Manager | ||
old.spam.dnsbl | old.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS or SORBS Spamtraps in the last year | SORBS Admin and Spamtrap | Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' | No | Via SORBS Report Manager | ||
spam.dnsbl | spam.dnsbl.sorbs.net | Hosts that have allegedly sent spam to the admins of SORBS or SORBS Spamtraps at any time | SORBS Admin and Spamtrap. | Until delisting requested. | No | Via SORBS Report Manager | ||
escalations.dnsbl | escalations.dnsbl.sorbs.net | Netblocks of service providers believed to support spammers | SORBS Admin fed. | Until delisting requested and matter resolved. | Service providers are added on receipt of a 'third strike' spam | Yes | Via SORBS Report Manager | |
block.dnsbl | block.dnsbl.sorbs.net | Hosts demanding that they never be tested | Request by host | N/A | No | Via SORBS Report Manager | ||
zombie.dnsbl | zombie.dnsbl.sorbs.net | Hijacked networks | SORBS Admin (manual submission) | Until delisting requested. | No | Via SORBS Report Manager | ||
dul.dnsbl | dul.dnsbl.sorbs.net | Dynamic IP address ranges | SORBS Admin (manual submission) | Until delisting requested. | Not a list of dial-up IP addresses | No | Via SORBS Report Manager | |
noservers.dnsbl | noservers.dnsbl.sorbs.net | No Servers Permitted by ISP Policy | Netblock Owner Administered | Not Applicable. | No Servers Permitted by ISP Policy | No | Via SORBS Report Manager | |
rhsbl | rhsbl.sorbs.net | Aggregate RHS zones | N/A | N/A | No | No | ||
badconf.rhsbl | badconf.rhsbl.sorbs.net | Domains with invalid A or MX records in DNS | Open submission via automated testing page. | Until delisting requested. | No | No | ||
nomail.rhsbl | nomail.rhsbl.sorbs.net | Domains which the owners have confirmed will not be used for sending email | Owner submission | Until delisting requested. | No | No | ||
Spamhaus | Spamhaus Blocklist (SBL) | sbl.spamhaus.org | This list contains IP addresses that are observed to be involved in sending spam, snowshoe spamming, botnet command and controllers (C&Cs), bulletproof hosting companies and hijacked IP space. | Manual | From five minutes to a year or more, depending on issue and resolution | Rarely (escalation) | Yes (partial) | |
eXploits Blocklist (XBL) | N/A | This lists the individual IPs (/32s) that are infected with malware, worms, and Trojans; third party exploits, such as open proxies; or devices controlled by botnets. The constantly updated list is designed to protect networks from malware and spam by preventing mailservers from accepting connections from compromised computing devices. | Third-party with automated additions | Varies, under a month, self removal via Composite Blocking List lookup. | Consists of the Composite Blocking List | No | No | |
Extended eXploits Blocklist (eXBL) | N/A | This list is a real-time database of raw and filtered feeds that provides additional information on hijacked IP addresses. The eXBL is available to selected security organizations and cyber incident response teams. | Third-party with automated additions | Varies, under a month, self removal via Composite Blocking List lookup. | Consists of the Composite Blocking List | No | No | |
Domain Blocklist (DBL) | dbl.spamhaus.org | Domains owned by spammers and used for spam or other malicious purposes. This blocklist also contains domains owned by non-spammers which are used for legitimate purposes, but have been hijacked by spammers. | Ranking of over 80 different metrics and machine learning | A few days. Self-removal generally allowed. | {{}} | Rarely | ||
Enhanced Domain Blocklist (eDBL) | dbl.spamhaus.org | This list provides detailed information on each domain listing and is available via an API. This enables you to query the DBL engine, returning a JSON record for each domain that you are investigating.
The Enhanced Domain Blocklist (eDBL) helps you to track a particular domain's score over a longer period, or combine Domain Blocklist data with information from your own threat intelligence platform. |
A few days. Self-removal generally allowed. | {{}} | Rarely | |||
Policy Blocklist (PBL) | pbl.spamhaus.org | This list includes IP address ranges for end-user devices, such as home routers, smart TVs, and other Information of Things (IoT) devices, from which email should never be sent. This protects networks from the potential of being compromised by malware spread by botnet command and controller servers (C&Cs). | Manual, by providers controlling the IPs or by Spamhaus PBL Team | Self-removal (see spamhaus web site) | Should not be confused with the MAPS DUL and Wirehub Dynablocker lists | No | No | |
Hash Blocklist (HBL) | hbl.spamhaus.org | This list contains the following content areas: Cryptowallet (Bitcoin etc.), Malware and Email addresses.
Hash Blocklists (HBL) are lists of cryptographic hashes associated with malicious content, as opposed to IP addresses or domains. They are extremely useful for filtering fraudulent emails coming from ISPs, domains, or IP addresses that Spamhaus is unable to list e.g. Gmail. Additionally, they can block emails containing malware files. |
Manual, by providers controlling the IPs or by Spamhaus PBL Team | Self-removal (see spamhaus web site) | No | No | ||
Zero Reputation Domains (ZRD) | <key>.authbl.dq.spamhaus.net | This lists newly registered domains for 24 hours. Domains that have just been registered are rarely used by legitimate organizations immediately. Cybercriminals register and burn 100s of domains daily.
The Zero Reputation Domain (ZRD) blocklist helps to protect your users from clicking on links and visiting newly registered domains until it is established that they are not associated with zero day attacks; phishing, bot-herding, spyware and ransomware campaigns. |
Automated | 24 hours | No | No | ||
Zen | zen.spamhaus.org | A single lookup for querying the SBL, XBL and PBL databases. | Preferred list to check all Spamhaus listings with one query. | As per component list | As per component list | |||
IBM DNS Blacklist | Cobion | dnsbl.cobion.com |
This DNSBL zone is part of the default configuration for Proventia Mail Security System and Lotus Protector for Mail Security | No | No | |||
Passive Spam Block List | PSBL | psbl.surriel.com (also free available via rsync ) |
IP addresses used to send spam to trap | spamtraps | Temporary, until spam stops | No | No | |
DNSRBL - DNS Real-time Blackhole List | DNSRBL | dnsrbl.org | IP addresses used to send spam to trap | spamtraps | Temporary, until spam stops | No | No | |
Weighted Private Block List | WPBL | db.wpbl.info | IP addresses used to send UBE to members | spamtraps | Temporary, until spam stops | No | No | |
SpamCop Blocking List | SCBL | bl.spamcop.net | IP addresses which have been used to transmit reported email to SpamCop users | Users submit | Temporary, until spam stops, has self removal | No | Yes (partial) | |
SpamRats | RATS-NoPtr | noptr.spamrats.com | IP addresses detected as abusive at ISP's using MagicMail Servers, with no reverse DNS service | Automatically Submitted | Listed until removed, and reverse DNS configured | Yes | No | |
RATS-Dyna | dyna.spamrats.com | IP addresses detected as abusive at ISP's using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems | Automatically Submitted | Listed until removed, and reverse DNS set to conform to Best Practises | Yes | No | ||
RATS-Spam | spam.spamrats.com | IP addresses detected as abusive at ISP's using MagicMail Servers, and manually confirmed as spam sources | Manually Submitted | Listed until removed | Yes | No | ||
RATS-Auth | auth.spamrats.com | IP addresses detected probing passwords or authenticating without sending mail | Automatically Submitted | Listed until removed | Yes | No | ||
Junk Email Filter | Hostkarma | hostkarma.junkemailfilter.com | Detects viruses by behavior using fake high MX and tracking non-use of QUIT | Automated [de]listing | Black list Data lives for 4 days. White list data lives for 10 days. | 127.0.0.1=white 127.0.0.2=black 127.0.0.3=yellow | Yes | No |
Heise Zeitschriften Verlag GmbH & Co. KG, hosted by manitu GmbH | NiX Spam (nixspam) | ix.dnsbl.manitu.net | Lists single IPs (no IP ranges) that send spam to spamtraps. Lists mailhosts, rather than domains, and thus blocks entire hosting providers and ISPs. | Automated listing due to spamtrap hits. Exceptions apply to bounces, NDRs and whitelisted IPs. | 12 hours after last listing or until self delisting | TXT records provide information of listing incident - NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin. | No | Yes (for ISPs/ESPs on request) |
blocklist.de | dnsbl | bl.blocklist.de | IP-Addresses who Attacks other Server/Honeypots over ssh, imap, smtp, ftp, web, rfi, sqli, ddos.... | Automatic: over Honeypots and with over 515 Users and 630 Servers from blocklist.de via Fail2Ban or own scripts | Automatic: 48 Hours after the last Attack. But earlier remove is available over the Delist-Link | Services are free. Source data is from Honeypot-Systems and over 515 User with 630 Servern there reports Attacks with Fail2Ban | No | Yes |
s5h.net Internet Services | s5h.net | all.s5h.net | Spam sources from email, forums, referrer spam and dictionary attacks | Traps | Twelve months unless ISPs request removal earlier | By request. ISPs can provide request exclusion. | Yes | No |
realtimeBLACKLIST.com | RBL | rbl.realtimeblacklist.com | Spam Trap | List of IP addresses that sends spam or causing troubles with botnets or phishing | Until delisting requested. | Removal requests will be investigated and processed within 24 hours of submission. Previously known as IPrange.net RBL Project |
No | No |
James Sawyer | Blocklist | security.jamessawyer.co.uk | Collection of Bad Actors from various sources, Works great with PiHole for personal use. | Spammers, Scammers, Malware, Cryptominers, TOR, botnets, phishing, attackers, harvesters, exfiltration etc. Basically anything and everything "bad" | Until delisting requested. | Removal requests will be investigated. Contact details provided. | Yes | No |
BarracudaCentral | RBL | b.barracudacentral.org | Spam Trap | Provides a list of IP addresses which are sending spam. The Barracuda Reputation system uses automated collection methods to add and delete IP addresses from the BRBL. | Until delisting requested. | Requires registration of administrator and hosts to use. Removal requests are typically investigated and processed within 12 hours of submission if provided with a valid explanation. | No | No |
SPFBL.net | RBL | dnsbl.spfbl.net | Bad reputation, difficult to identify the responsible, dynamic IP, SLAAC flag without genuine email service and inappropriate use of the URL | Provides a list of IPv4/IPv6 addresses and domains which are sending spam or phishing. | Until delisting requested or seven days with good reputation. | The feedback system runs at SMTP layer. See https://spfbl.net/en/feedback | Yes | Yes |
LashBack | UBL | ubl.unsubscore.com | IP addresses which have sent email to addresses harvested from suppression (opt-out) files | Traps | For 30 days after last offending message unless removal is requested | No | No | |
The NordSpam Project | NordSpam IP Blacklist | bl.nordspam.com | IP addresses detected as unsolicited bulk/commercial email senders, webspam | Manual | Until delisting requested. | Removal requests are manually reviewed and processed without fees. | Rarely (escalation) | Sometimes |
NordSpam Domain Blacklist | dbl.nordspam.com | Unsolicited bulk/commercial email senders, webspam | Manual | Until delisting requested. | Removal requests are manually reviewed and processed without fees. | No | Sometimes | |
0Spam Project | DNSBL | 0spam.fusionzero.com | Spam Traps | A single IP(127.0.0.#) is listed upon sending spam to a spam trap, sending from multiple IPs within a range within a short period of time will result in a class C listing(127.0.#.0). | Until an IP owner/authorized admin requests listing removal. | Single IP Listed with Data result 127.0.0.#
Class C IP Block Listed with Data result 127.0.#.0 Codes are as follows: (ie. General spam single IP result 127.0.0.1)
|
No | No |
Brukalai.lt | DNSBL | black.dnsbl.brukalai.lt | IPs and domains for junk mail filtering (aggregate zone). | Mostly automatic with some manual additions. | Until delisting requested. | Yes | No | |
Metunet | DNSBL | rbl.metunet.com | Single IP4 addresses produce exclusively spam or malware. Respective Mail providers protected like Free and paid mail providers. | Automatic | Last activites after one year automatic or delist request by mail. | Removal requests are quickly and manually reviewed and processed without fees. | No | No |
Excello s.r.o. | Virusfree BIP | bip.virusfree.cz | Botnet IP list. Single IPv4 addresses produced from spam, pure bots. No mail server IPs. | Automatic listing. | Automatic delisting. | Included in RSPAMD | No | No |
Virusfree BAD | bad.virusfree.cz | BAD senders list. Single IPv4 addresses with high spam rate. Mostly botnets and large spammers. Also, email servers which send malmail are listed. | Automatic listing. | Automatic delisting. | No | No |
Notes
"Collateral Listings" - Deliberately listing non-offending IP addresses, in order to coerce ISPs to take action against spammers under their control.
"Notifies upon listing" - Warns the owner of the IP/Domain when they list an IP. (so owners can take action to fix the problem)
References
- "armresearch.com". armresearch.com. Retrieved 2012-05-06.
- UCEPROTECT [email protected]. "UCEPROTECT-Network - Germanys first Spam protection database". Uceprotect.net. Retrieved 2012-05-06.
- Simpson, Ken. "Getting Onto a Blacklist Without Sending Any Spam". MailChannels Anti-Spam Blog. MailChannels Corporation. Archived from the original on 19 September 2011. Retrieved 16 September 2011.
- "sorbs.net". sorbs.net. Retrieved 2012-05-06.
External links
- Blacklist Checker queries the major DNS Blacklists for specific IP address and returns whether it is listed for any malicious activities.
- RBL Check, RBL Check, Multiple & Real-Time
- Blacklists Compared, weekly reports since July 2001 (no new reports since 13 September 2014)
- Intra2net Blacklist Monitor, tracking more than 40 blacklists and giving weekly reports on hits and false positives
- Instant Multiple DNSBL Check Test, Open-to-use, Multiple DNSBL Check Test
- Multi-RBL Checking Tool, Multi-RBL Checker Tool (Check to see if your IP is showing up one or more RBLs)
- RBLTracker DNSBL Monitoring, Automated, Real-Time Black List Monitoring Service.
- SpamAssassin rule statistics, SpamAssassin's rule ham/spam ratios over time.
- List of all RBLs, Information about all existing blacklists including discontinued blacklists.
- Mail Server Blacklist Monitor, Blacklist monitoring service checking 150 blacklists, can be used freely.
- Barracuda Central, Devoted to sharing information with Barracuda Networks customers and the Internet security community.
- WebIron, Dedicated to advanced bot network detection, tracking, blocking and eradication through cleanup and reporting.
- WebSitePulse. Real-time monitoring service ensures the IP a mail server has not fallen into one of the major DNSBL blacklists.
- INPS Comparison of DNS blacklists and whitelists including spam hits, non-spam hits and error rates.
- Excello Datafeeds from Virusfree Cloud Email Security Service.