Blacklists Compared

12 January 2002

[ Fighting Spam | Blacklists Compared | Current Blacklist Comparison ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the xbl.selwerd.cx zone because it is too aggressive to be widely useful, and excludes the blocktest.relays.osirusoft.com zone because it is not a blacklist.

HitsDNS Zone
6633(total number of IP addresses tested, including 305 at SDSC)
2243(union of most IP zones)
1797xbl.selwerd.cx
1063blackholes.five-ten-sg.com (union of all results)
987bl.spamcop.net
544outputs.orbz.org
471blackholes.wirehub.net
393blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
393ztl.dorkslayers.com
360inputs.orbz.org
343relays.ordb.org
292blackholes.intersil.net
280blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
220blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
180block.blars.org
174orbs.dorkslayers.com
137flowgoaway.com
135blackholes.five-ten-sg.com (result 127.0.0.3 = dialup)
128pm0-no-more.compu.net
114blacklist.spambag.org
90dev.null.dk
88blocktest.relays.osirusoft.com (not a blacklist!)
70ipwhois.rfc-ignorant.org
64relays.visi.com
63spammers.v6net.org
60relays.dorkslayers.com
55relays.osirusoft.com (union of all results)
43relays.osirusoft.com (result 127.0.0.2 = relay)
41inputs.relays.osirusoft.com
31blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
26dynablock.wirehub.net (result 127.0.0.2 = dialup)
26dynablock.wirehub.net (union of all results)
20blackhole.compu.net
13spews.relays.osirusoft.com
12relays.osirusoft.com (result 127.0.0.4 = spam source)
5spamsources.relays.osirusoft.com (result 127.0.0.4 = spam source)
5spamsources.relays.osirusoft.com (union of all results)
4blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
2socks.relays.osirusoft.com
1relays.osirusoft.com (result 127.0.0.6 = spamsites)
1spamhaus.relays.osirusoft.com
1relays.osirusoft.com (result 127.0.0.9 = open socks proxy)

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems. The blackhole.compu.net zone "is primarily for hosts which were not blocked by other blackhole sites and spammed compu.net" and the pm0-no-more.compu.net zone "blocks all pm0 email."

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

HitsDNS Zone
6633(total number of IP addresses whose names were tested, including 305 at SDSC)
918(union of all domain zones)
341postmaster.rfc-ignorant.org
333whois.rfc-ignorant.org
296abuse.rfc-ignorant.org
4dsn.rfc-ignorant.org (zone not intended for this use)

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

HitsDNS Zone
4676(total number of domains tested, including 182 at SDSC)
449(union of all domain zones)
242whois.rfc-ignorant.org
144abuse.rfc-ignorant.org
69postmaster.rfc-ignorant.org
48dsn.rfc-ignorant.org
7bandwidth-pigs.monkeys.com

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 13 January 2002.