Blacklists Compared

8 June 2002

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the xbl.selwerd.cx zone because it is too aggressive to be widely useful, and excludes the blocktest.relays.osirusoft.com zone because it is not a blacklist.

HitsDNS Zone
8128(total number of IP addresses tested, including 375 at SDSC)
4009(union of most IP zones)
3001xbl.selwerd.cx
1815blackholes.five-ten-sg.com (union of all results)
1141no-more-funn.moensted.dk (union of all results)
1129relays.osirusoft.com (union of all results)
1045bl.spamcop.net
920blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
876dnsbl.njabl.org (union of all results)
864dnsbl.njabl.org (result 127.0.0.2 = source or relay)
740unconfirmed.dsbl.org
736no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
706block.blars.org
691blocktest.relays.osirusoft.com (not a blacklist!)
640ztl.dorkslayers.com
554korea.services.net
513relays.osirusoft.com (result 127.0.0.2 = relay)
512inputs.relays.osirusoft.com
507work.drbl.croco.net
467blackholes.intersil.net
459blackholes.wirehub.net
431list.dsbl.org
428relays.osirusoft.com (result 127.0.0.4 = spam source)
398relays.ordb.org
392spews.relays.osirusoft.com
386ybl.megacity.org
363t1.bl.reynolds.net.au
361relays.visi.com
313blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
311ipwhois.rfc-ignorant.org
303blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
264multihop.dsbl.org
251orbs.dorkslayers.com
219blacklist.spambag.org
219no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
207blackholes.five-ten-sg.com (result 127.0.0.3 = dialup)
189proxies.relays.monkeys.com
172relays.osirusoft.com (result 127.0.0.9 = open proxy)
170socks.relays.osirusoft.com
166flowgoaway.com
165spamsources.fabel.dk
1573y.spam.mrs.kithrup.com
131sbl.spamhaus.org
130spam.wytnij.to
129no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
118spamhaus.relays.osirusoft.com
117relays.osirusoft.com (result 127.0.0.6 = spamsites)
76spamguard.leadmon.net (union of all results)
72spamsources.relays.osirusoft.com (union of all results)
68spamsources.relays.osirusoft.com (result 127.0.0.4 = spam source)
68blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
67opm.blitzed.org
57dews.qmail.org
55http.opm.blitzed.org
54formmail.relays.monkeys.com
54relays.dorkslayers.com
48spamguard.leadmon.net (result 127.0.0.2 = dialup)
41spammers.v6net.org
37no-more-funn.moensted.dk (result 127.0.0.4 = unconfirmed opt-in)
25dynablock.wirehub.net (result 127.0.0.2 = dialup)
25dynablock.wirehub.net (union of all results)
20spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
19no-more-funn.moensted.dk (result 127.0.0.5 = relay output)
16dialups.relays.osirusoft.com
15relays.osirusoft.com (result 127.0.0.3 = dialup)
13socks.opm.blitzed.org
12proxies.relays.osirusoft.com
12dnsbl.njabl.org (result 127.0.0.3 = dialup)
9blackhole.compu.net
8spamguard.leadmon.net (result 127.0.0.3 = spam source)
4spamsources.relays.osirusoft.com (result 127.0.0.6 = spamhaus)
4blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
1wingate.opm.blitzed.org
1spamsites.relays.osirusoft.com (result 127.0.0.6)
1no-more-funn.moensted.dk (result 127.0.0.8 = open web form)
1pm0-no-more.compu.net
1spamsites.relays.osirusoft.com (union of all results)

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems. The blackhole.compu.net zone "is primarily for hosts which were not blocked by other blackhole sites and spammed compu.net" and the pm0-no-more.compu.net zone "blocks all pm0 email."

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

HitsDNS Zone
8128(total number of IP addresses whose names were tested, including 375 at SDSC)
1201(union of all domain zones)
848abuse.rfc-ignorant.org
834whois.rfc-ignorant.org (union of all results)
612whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
222whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
9postmaster.rfc-ignorant.org
7client-domain.sjesl.monkeys.com
5sender-domain.sjesl.monkeys.com (zone not intended for this use)
3helo-domain.sjesl.monkeys.com (zone not intended for this use)
2dsn.rfc-ignorant.org (zone not intended for this use)

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

HitsDNS Zone
5352(total number of domains tested, including 163 at SDSC)
733(union of all domain zones)
285whois.rfc-ignorant.org (union of all results)
279abuse.rfc-ignorant.org
200whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
145sender-domain.sjesl.monkeys.com
141postmaster.rfc-ignorant.org
89helo-domain.sjesl.monkeys.com (zone not intended for this use)
85whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
59client-domain.sjesl.monkeys.com (zone not intended for this use)
53dsn.rfc-ignorant.org
28ex.dnsbl.org (union of all results)
26ex.dnsbl.org (result 127.0.0.2 = spamsites)
5bandwidth-pigs.monkeys.com
2ex.dnsbl.org (result 127.0.0.3 = spam source)

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 9 June 2002.