Blacklists Compared

18 May 2002

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the xbl.selwerd.cx zone because it is too aggressive to be widely useful, and excludes the blocktest.relays.osirusoft.com zone because it is not a blacklist.

HitsDNS Zone
8335(total number of IP addresses tested, including 434 at SDSC)
3998(union of most IP zones)
3022xbl.selwerd.cx
1888blackholes.five-ten-sg.com (union of all results)
1205bl.spamcop.net
1187no-more-funn.moensted.dk (union of all results)
1056relays.osirusoft.com (union of all results)
1013blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
1000blocktest.relays.osirusoft.com (not a blacklist!)
953dnsbl.njabl.org (union of all results)
946dnsbl.njabl.org (result 127.0.0.2 = source or relay)
865no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
753unconfirmed.dsbl.org
729block.blars.org
674korea.services.net
621work.drbl.croco.net
573ztl.dorkslayers.com
537blackholes.wirehub.net
518relays.osirusoft.com (result 127.0.0.2 = relay)
509inputs.relays.osirusoft.com
456blackholes.intersil.net
453list.dsbl.org
453blackholes.2mbit.com (union of all results)
442relays.visi.com
395orbs.dorkslayers.com
374ipwhois.rfc-ignorant.org
365t1.bl.reynolds.net.au
362relays.ordb.org
337blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
321relays.osirusoft.com (result 127.0.0.4 = spam source)
299spews.relays.osirusoft.com
268multihop.dsbl.org
249blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
247spamsources.fabel.dk
243proxies.relays.monkeys.com
221blacklist.spambag.org
213blackholes.five-ten-sg.com (result 127.0.0.3 = dialup)
208blackholes.2mbit.com (result 127.0.0.2 = relay)
202relays.osirusoft.com (result 127.0.0.9 = open proxy)
1723y.spam.mrs.kithrup.com
165flowgoaway.com
144spam.wytnij.to
134blackholes.2mbit.com (result 127.0.0.9 = open proxy)
123spamguard.leadmon.net (union of all results)
118no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
117no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
97sbl.spamhaus.org
83relays.osirusoft.com (result 127.0.0.6 = spamsites)
83spamhaus.relays.osirusoft.com
77spamsources.relays.osirusoft.com (union of all results)
72opm.blitzed.org
72blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
67spamsources.relays.osirusoft.com (result 127.0.0.4 = spam source)
67dews.qmail.org
63spamguard.leadmon.net (result 127.0.0.2 = dialup)
62blackholes.2mbit.com (result 127.0.0.4 = spam source)
60relays.dorkslayers.com
59http.opm.blitzed.org
55no-more-funn.moensted.dk (result 127.0.0.4 = unconfirmed opt-in)
53spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
52blackholes.2mbit.com (result 127.0.0.10 = spam haven)
44formmail.relays.monkeys.com
37spammers.v6net.org
32no-more-funn.moensted.dk (result 127.0.0.5 = relay output)
21dynablock.wirehub.net (result 127.0.0.2 = dialup)
21dynablock.wirehub.net (union of all results)
17socks.opm.blitzed.org
17dialups.relays.osirusoft.com
15relays.osirusoft.com (result 127.0.0.3 = dialup)
13socks.relays.osirusoft.com
11dnsbl.njabl.org (result 127.0.0.3 = dialup)
10spamsources.relays.osirusoft.com (result 127.0.0.6 = spamhaus)
7spamguard.leadmon.net (result 127.0.0.3 = spam source)
7blackhole.compu.net
2blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
2ex.dnsbl.org (result 127.0.0.2 = spamsites)
2pm0-no-more.compu.net
1blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
1blackholes.five-ten-sg.com (result 127.0.0.6 = relay)

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems. The blackhole.compu.net zone "is primarily for hosts which were not blocked by other blackhole sites and spammed compu.net" and the pm0-no-more.compu.net zone "blocks all pm0 email."

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

HitsDNS Zone
8335(total number of IP addresses whose names were tested, including 434 at SDSC)
1354(union of all domain zones)
974abuse.rfc-ignorant.org
911whois.rfc-ignorant.org (union of all results)
679whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
232whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
17postmaster.rfc-ignorant.org
6client-domain.sjesl.monkeys.com
4dsn.rfc-ignorant.org (zone not intended for this use)
4sender-domain.sjesl.monkeys.com (zone not intended for this use)
3helo-domain.sjesl.monkeys.com (zone not intended for this use)
2ex.dnsbl.org (result 127.0.0.2 = spamsites)
2ex.dnsbl.org (union of all results)

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

HitsDNS Zone
5461(total number of domains tested, including 208 at SDSC)
793(union of all domain zones)
305whois.rfc-ignorant.org (union of all results)
299abuse.rfc-ignorant.org
226whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
149postmaster.rfc-ignorant.org
146sender-domain.sjesl.monkeys.com
79whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
75helo-domain.sjesl.monkeys.com (zone not intended for this use)
72dsn.rfc-ignorant.org
53client-domain.sjesl.monkeys.com (zone not intended for this use)
30ex.dnsbl.org (union of all results)
25ex.dnsbl.org (result 127.0.0.2 = spamsites)
6bandwidth-pigs.monkeys.com
5ex.dnsbl.org (result 127.0.0.3 = spam source)
1in.dnsbl.org (result 127.0.0.2 = spam source)
1in.dnsbl.org (union of all results)

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 19 May 2002.