Blacklists Compared

23 March 2002

[ Fighting Spam | Blacklists Compared | Current Blacklist Comparison ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the xbl.selwerd.cx zone because it is too aggressive to be widely useful, and excludes the blocktest.relays.osirusoft.com zone because it is not a blacklist.

HitsDNS Zone
7231(total number of IP addresses tested, including 432 at SDSC)
3093(union of most IP zones)
2296xbl.selwerd.cx
1407blackholes.five-ten-sg.com (union of all results)
1159blocktest.relays.osirusoft.com (not a blacklist!)
1067bl.spamcop.net
687relays.osirusoft.com (union of all results)
656dnsbl.njabl.org (union of all results)
645dnsbl.njabl.org (result 127.0.0.2 = source or relay)
576blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
522block.blars.org
506work.drbl.croco.net
468ztl.dorkslayers.com
459blackholes.intersil.net
385korea.services.net
337blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
330relays.osirusoft.com (result 127.0.0.2 = relay)
330inputs.relays.osirusoft.com
324blackholes.wirehub.net
321relays.ordb.org
285blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
259relays.visi.com
228relays.osirusoft.com (result 127.0.0.4 = spam source)
190t1.bl.reynolds.net.au
189orbs.dorkslayers.com
179blacklist.spambag.org
179flowgoaway.com
153blackholes.five-ten-sg.com (result 127.0.0.3 = dialup)
150spews.relays.osirusoft.com
132blackholes.2mbit.com (union of all results)
130proxies.relays.monkeys.com
126relays.osirusoft.com (result 127.0.0.9 = open socks proxy)
126socks.relays.osirusoft.com
1183y.spam.mrs.kithrup.com
107spamsources.fabel.dk
97ipwhois.rfc-ignorant.org
88spam.wytnij.to
88spamsources.relays.osirusoft.com (union of all results)
84spamsources.relays.osirusoft.com (result 127.0.0.4 = spam source)
73spamguard.leadmon.net (union of all results)
66blackholes.2mbit.com (result 127.0.0.10 = spam haven)
66relays.dorkslayers.com
65blackholes.2mbit.com (result 127.0.0.2 = relay)
60dev.null.dk
54blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
43spammers.v6net.org
41spamguard.leadmon.net (result 127.0.0.2 = dialup)
33sbl.spamhaus.org
32formmail.relays.monkeys.com
31spamhaus.relays.osirusoft.com
27spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
23relays.osirusoft.com (result 127.0.0.6 = spamsites)
22opm.blitzed.org
19dynablock.wirehub.net (result 127.0.0.2 = dialup)
19dynablock.wirehub.net (union of all results)
16http.opm.blitzed.org
15dews.qmail.org
11dialups.relays.osirusoft.com
11relays.osirusoft.com (result 127.0.0.3 = dialup)
11dnsbl.njabl.org (result 127.0.0.3 = dialup)
9socks.opm.blitzed.org
5spamguard.leadmon.net (result 127.0.0.3 = spam source)
4spamsources.relays.osirusoft.com (result 127.0.0.6 = spamhaus)
2spamsites.relays.osirusoft.com (result 127.0.0.6)
2blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
2spamsites.relays.osirusoft.com (union of all results)
1blackholes.2mbit.com (result 127.0.0.4 = spam source)
1wingate.opm.blitzed.org
1pm0-no-more.compu.net
1blackhole.compu.net

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems. The blackhole.compu.net zone "is primarily for hosts which were not blocked by other blackhole sites and spammed compu.net" and the pm0-no-more.compu.net zone "blocks all pm0 email."

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

HitsDNS Zone
7231(total number of IP addresses whose names were tested, including 432 at SDSC)
1059(union of all domain zones)
732abuse.rfc-ignorant.org
383whois.rfc-ignorant.org
7postmaster.rfc-ignorant.org
7client-domain.sjesl.monkeys.com
3dsn.rfc-ignorant.org (zone not intended for this use)
3sender-domain.sjesl.monkeys.com (zone not intended for this use)

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

HitsDNS Zone
4878(total number of domains tested, including 147 at SDSC)
659(union of all domain zones)
264whois.rfc-ignorant.org
212abuse.rfc-ignorant.org
131sender-domain.sjesl.monkeys.com
106postmaster.rfc-ignorant.org
73helo-domain.sjesl.monkeys.com (zone not intended for this use)
52dsn.rfc-ignorant.org
49client-domain.sjesl.monkeys.com (zone not intended for this use)
33ex.dnsbl.org (union of all results)
27ex.dnsbl.org (result 127.0.0.2 = spamsites)
7bandwidth-pigs.monkeys.com
7ex.dnsbl.org (result 127.0.0.3 = spam source)

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 25 March 2002.