Blacklists Compared

20 April 2002

[ Fighting Spam | Blacklists Compared | Current Blacklist Comparison ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the xbl.selwerd.cx zone because it is too aggressive to be widely useful, and excludes the blocktest.relays.osirusoft.com zone because it is not a blacklist.

HitsDNS Zone
7734(total number of IP addresses tested, including 441 at SDSC)
3416(union of most IP zones)
2756xbl.selwerd.cx
1738blackholes.five-ten-sg.com (union of all results)
1234bl.spamcop.net
936relays.osirusoft.com (union of all results)
824blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
794dnsbl.njabl.org (union of all results)
784dnsbl.njabl.org (result 127.0.0.2 = source or relay)
648ipwhois.rfc-ignorant.org
559korea.services.net
515block.blars.org
492ztl.dorkslayers.com
470blackholes.intersil.net
434work.drbl.croco.net
419relays.osirusoft.com (result 127.0.0.2 = relay)
419inputs.relays.osirusoft.com
385relays.ordb.org
373blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
363t1.bl.reynolds.net.au
343unconfirmed.dsbl.org
334relays.visi.com
307blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
292orbs.dorkslayers.com
290relays.osirusoft.com (result 127.0.0.4 = spam source)
279blackholes.wirehub.net
252proxies.relays.monkeys.com
239blackholes.2mbit.com (union of all results)
218relays.osirusoft.com (result 127.0.0.9 = open proxy)
217socks.relays.osirusoft.com
200blacklist.spambag.org
195spews.relays.osirusoft.com
180blackholes.five-ten-sg.com (result 127.0.0.3 = dialup)
177blocktest.relays.osirusoft.com (not a blacklist!)
171flowgoaway.com
159spamsources.fabel.dk
125spam.wytnij.to
1153y.spam.mrs.kithrup.com
115spamsources.relays.osirusoft.com (union of all results)
111spamsources.relays.osirusoft.com (result 127.0.0.4 = spam source)
88relays.dorkslayers.com
82blackholes.2mbit.com (result 127.0.0.4 = spam source)
81list.dsbl.org
77blackholes.2mbit.com (result 127.0.0.10 = spam haven)
77spamguard.leadmon.net (union of all results)
69blackholes.2mbit.com (result 127.0.0.2 = relay)
67opm.blitzed.org
58http.opm.blitzed.org
50sbl.spamhaus.org
50spamguard.leadmon.net (result 127.0.0.2 = dialup)
50blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
49spamhaus.relays.osirusoft.com
42formmail.relays.monkeys.com
41relays.osirusoft.com (result 127.0.0.6 = spamsites)
37spammers.v6net.org
37dews.qmail.org
22spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
15dynablock.wirehub.net (result 127.0.0.2 = dialup)
15dynablock.wirehub.net (union of all results)
13socks.opm.blitzed.org
13dialups.relays.osirusoft.com
12relays.osirusoft.com (result 127.0.0.3 = dialup)
11blackholes.2mbit.com (result 127.0.0.9 = open proxy)
10dnsbl.njabl.org (result 127.0.0.3 = dialup)
5spamguard.leadmon.net (result 127.0.0.3 = spam source)
5blackhole.compu.net
4spamsources.relays.osirusoft.com (result 127.0.0.6 = spamhaus)
4spamsites.relays.osirusoft.com (result 127.0.0.6)
4spamsites.relays.osirusoft.com (union of all results)
3blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
2pm0-no-more.compu.net
1wingate.opm.blitzed.org
1blackholes.five-ten-sg.com (result 127.0.0.6 = relay)

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems. The blackhole.compu.net zone "is primarily for hosts which were not blocked by other blackhole sites and spammed compu.net" and the pm0-no-more.compu.net zone "blocks all pm0 email."

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

HitsDNS Zone
7734(total number of IP addresses whose names were tested, including 441 at SDSC)
1139(union of all domain zones)
792abuse.rfc-ignorant.org
453whois.rfc-ignorant.org (union of all results)
238whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
215whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
7postmaster.rfc-ignorant.org
5client-domain.sjesl.monkeys.com
3sender-domain.sjesl.monkeys.com (zone not intended for this use)
2dsn.rfc-ignorant.org (zone not intended for this use)
2helo-domain.sjesl.monkeys.com (zone not intended for this use)

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

HitsDNS Zone
5202(total number of domains tested, including 207 at SDSC)
771(union of all domain zones)
319whois.rfc-ignorant.org (union of all results)
266abuse.rfc-ignorant.org
260whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
135sender-domain.sjesl.monkeys.com
132postmaster.rfc-ignorant.org
75helo-domain.sjesl.monkeys.com (zone not intended for this use)
63dsn.rfc-ignorant.org
59whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
53client-domain.sjesl.monkeys.com (zone not intended for this use)
28ex.dnsbl.org (union of all results)
24ex.dnsbl.org (result 127.0.0.2 = spamsites)
7bandwidth-pigs.monkeys.com
4ex.dnsbl.org (result 127.0.0.3 = spam source)

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 22 April 2002.