Blacklists Compared

4 May 2002



Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the xbl.selwerd.cx zone because it is too aggressive to be widely useful, and excludes the blocktest.relays.osirusoft.com zone because it is not a blacklist.

Hits  DNS Zone
8030  (total number of IP addresses tested, including 386 at SDSC)
3644  (union of most IP zones)
2920  xbl.selwerd.cx
1791  blackholes.five-ten-sg.com (union of all results)
1268  bl.spamcop.net
 862  blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
 801  relays.osirusoft.com (union of all results)
 781  dnsbl.njabl.org (union of all results)
 773  dnsbl.njabl.org (result 127.0.0.2 = source or relay)
 590  korea.services.net
 548  block.blars.org
 501  work.drbl.croco.net
 490  blackholes.intersil.net
 484  ztl.dorkslayers.com
 470  unconfirmed.dsbl.org
 376  blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
 373  inputs.relays.osirusoft.com
 372  relays.osirusoft.com (result 127.0.0.2 = relay)
 365  relays.ordb.org
 331  ipwhois.rfc-ignorant.org
 318  blackholes.wirehub.net
 314  relays.visi.com
 296  relays.osirusoft.com (result 127.0.0.4 = spam source)
 296  blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
 257  blackholes.2mbit.com (union of all results)
 239  t1.bl.reynolds.net.au
 231  blacklist.spambag.org
 216  orbs.dorkslayers.com
 212  list.dsbl.org
 209  spews.relays.osirusoft.com
 199  blocktest.relays.osirusoft.com (not a blacklist!)
 186  blackholes.five-ten-sg.com (result 127.0.0.3 = dialup)
 183  spamsources.fabel.dk
 170  3y.spam.mrs.kithrup.com
 169  flowgoaway.com
 153  proxies.relays.monkeys.com
 126  multihop.dsbl.org
 112  spamsources.relays.osirusoft.com (union of all results)
 111  relays.osirusoft.com (result 127.0.0.9 = open proxy)
 106  spamsources.relays.osirusoft.com (result 127.0.0.4 = spam source)
 102  blackholes.2mbit.com (result 127.0.0.4 = spam source)
  91  spam.wytnij.to
  82  sbl.spamhaus.org
  79  spamguard.leadmon.net (union of all results)
  77  blackholes.2mbit.com (result 127.0.0.2 = relay)
  74  spamhaus.relays.osirusoft.com
  71  blackholes.2mbit.com (result 127.0.0.10 = spam haven)
  65  blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
  61  relays.osirusoft.com (result 127.0.0.6 = spamsites)
  59  spamguard.leadmon.net (result 127.0.0.2 = dialup)
  58  relays.dorkslayers.com
  50  formmail.relays.monkeys.com
  45  dews.qmail.org
  43  spammers.v6net.org
  32  opm.blitzed.org
  28  http.opm.blitzed.org
  25  dynablock.wirehub.net (result 127.0.0.2 = dialup)
  25  dynablock.wirehub.net (union of all results)
  19  spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
   8  dnsbl.njabl.org (result 127.0.0.3 = dialup)
   7  blackholes.2mbit.com (result 127.0.0.9 = open proxy)
   7  dialups.relays.osirusoft.com
   7  relays.osirusoft.com (result 127.0.0.3 = dialup)
   7  blackhole.compu.net
   6  socks.opm.blitzed.org
   6  spamsources.relays.osirusoft.com (result 127.0.0.6 = spamhaus)
   6  socks.relays.osirusoft.com
   5  spamsites.relays.osirusoft.com (result 127.0.0.6)
   5  spamsites.relays.osirusoft.com (union of all results)
   3  blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
   2  blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
   2  pm0-no-more.compu.net
   1  spamguard.leadmon.net (result 127.0.0.3 = spam source)
   1  blackholes.five-ten-sg.com (result 127.0.0.6 = relay)

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems. The blackhole.compu.net zone "is primarily for hosts which were not blocked by other blackhole sites and spammed compu.net" and the pm0-no-more.compu.net zone "blocks all pm0 email."


Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

Hits  DNS Zone
8030  (total number of IP addresses whose names were tested, including 386 at SDSC)
1188  (union of all domain zones)
 845  abuse.rfc-ignorant.org
 422  whois.rfc-ignorant.org (union of all results)
 227  whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
 195  whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
  14  postmaster.rfc-ignorant.org
   6  dsn.rfc-ignorant.org (zone not intended for this use)
   6  client-domain.sjesl.monkeys.com
   4  sender-domain.sjesl.monkeys.com (zone not intended for this use)
   3  helo-domain.sjesl.monkeys.com (zone not intended for this use)


Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

Hits  DNS Zone
5329  (total number of domains tested, including 156 at SDSC)
 704  (union of all domain zones)
 262  abuse.rfc-ignorant.org
 262  whois.rfc-ignorant.org (union of all results)
 190  whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
 136  sender-domain.sjesl.monkeys.com
 131  postmaster.rfc-ignorant.org
  74  helo-domain.sjesl.monkeys.com (zone not intended for this use)
  72  whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
  66  dsn.rfc-ignorant.org
  54  client-domain.sjesl.monkeys.com (zone not intended for this use)
  31  ex.dnsbl.org (union of all results)
  27  ex.dnsbl.org (result 127.0.0.2 = spamsites)
   6  bandwidth-pigs.monkeys.com
   4  ex.dnsbl.org (result 127.0.0.3 = spam source)


This document was last updated by Jeff Makey <jeff@sdsc.edu> on 5 May 2002.