Blacklists Compared

8 January 2005

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison | Sendmail Configuration ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the exemptions.ahbl.org and query.bondedsender.org zones because they are not blacklists, and because it is too aggressive to be widely useful the block.blars.org zone is also excluded.

HitsDNS Zone
36389(total number of IP addresses tested, including 417 at SDSC)
31462(union of most IP zones)
26394t1.dnsbl.net.au
22942blackholes.five-ten-sg.com (union of all results)
22103blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
18532dnsbl.sorbs.net (union of all results)
15090sbl-xbl.spamhaus.org (union of all results)
13955xbl.spamhaus.org (union of all results)
13198cbl.abuseat.org
13116sbl-xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
13109xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
12842no-more-funn.moensted.dk (union of all results)
12789cn-kr.blackholes.us (union of all results)
12752dnsbl.sorbs.net (result 127.0.0.10 = dialup)
11252unconfirmed.dsbl.org
11153list.dsbl.org
11147dsbl.dnsbl.net.au
10786dynablock.njabl.org
10051cn-kr.blackholes.us (result 127.0.0.3 = Korea)
10051korea.blackholes.us
10043korea.services.net
9100no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
7986rmst.dnsbl.net.au
7809sbl.csma.biz
7720combined-hib.dnsiplists.completewhois.com (union of all results)
7703combined-hib.dnsiplists.completewhois.com (result 127.0.0.4 = bad whois data)
6288psbl.surriel.com
5127bl.csma.biz
4712bl.spamcop.net
4685dnsbl.njabl.org (union of all results)
4002blacklist.spambag.org
3543dnsbl.sorbs.net (result 127.0.0.7 = open formmail.cgi)
3532wpbl.dnsbl.net.au
3455dnsbl.njabl.org (result 127.0.0.9 = open proxy)
3122dnsbl.ahbl.org (union of all results)
2972opm.blitzed.org
2887sbl-xbl.spamhaus.org (result 127.0.0.6 = Blitzed Open Proxy Monitor List)
2885xbl.spamhaus.org (result 127.0.0.6 = Blitzed Open Proxy Monitor List)
2738cn-kr.blackholes.us (result 127.0.0.2 = China)
2738china.blackholes.us
2719spamsources.fabel.dk
2666ricn.dnsbl.net.au
2556l2.spews.dnsbl.sorbs.net
2329spews.dnsbl.net.au
2329dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
2188l1.spews.dnsbl.sorbs.net
2169dnsbl.sorbs.net (result 127.0.0.6 = spam source)
1942pdl.blackholes.us
1832no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
1806dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
1609block.blars.org
1559spam.wytnij.to
1487dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
1423dnsbl.regedit64.net
1293probes.dnsbl.net.au
1279sbl.spamhaus.org
1256sbl-xbl.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
1124unsure.nether.net
1028no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
1006dnsbl.rangers.eu.org (union of all results)
1002dnsbl.njabl.org (result 127.0.0.3 = dialup)
994bl.spamcannibal.org
948dnsbl.antispam.or.id
936brazil.blackholes.us
903work.drbl.croco.net
793dnsbl.rangers.eu.org (result 127.0.0.2 = dialup)
735dnsbl.ahbl.org (result 127.0.0.4 = spam source)
635no-more-funn.moensted.dk (result 127.0.0.9 = misc)
601japan.blackholes.us
535level3.blackholes.us
534blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
520ybl.megacity.org
455taiwan.blackholes.us
385comcast.blackholes.us
371charter.blackholes.us
337rr.blackholes.us
325mexico.blackholes.us
310cw.blackholes.us
260no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
223argentina.blackholes.us
211blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
208hongkong.blackholes.us
203wanadoo-fr.blackholes.us
197mail-abuse.blacklist.jippg.org
196blackholes.intersil.net
195ohps.dnsbl.net.au
188interbusiness.blackholes.us
182qwest.blackholes.us
149xo.blackholes.us
143russia.blackholes.us
139dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
139dnsbl.rangers.eu.org (result 127.0.0.16 = spam haven)
132turkey.blackholes.us
131dnsbl.njabl.org (result 127.0.0.4 = spam source)
131query.bondedsender.org (not a blacklist!)
126verio.blackholes.us
121dialup.blacklist.jippg.org (union of all results)
119dialup.blacklist.jippg.org (result 127.0.0.3 = dialup outside Japan)
117dnsbl.njabl.org (result 127.0.0.2 = source or relay)
111singapore.blackholes.us
110tr.countries.nerd.dk
99relays.ordb.org
95malaysia.blackholes.us
84multihop.dsbl.org
81internap.blackholes.us
80flowgoaway.com
78above.blackholes.us
78osps.dnsbl.net.au
69thailand.blackholes.us
66cybercon.blackholes.us
60dnsbl.rangers.eu.org (result 127.0.0.8 = spam source)
59yipes.blackholes.us
56dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
55dnsbl.ahbl.org (result 127.0.0.19 = open proxy test zone)
49blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
46he.blackholes.us
44bellsouth.blackholes.us
43ph.rbl.cluecentral.net
42nigeria.blackholes.us
40inflow.blackholes.us
39rogers.blackholes.us
35telstra.blackholes.us
34swbell.blackholes.us
34covad.blackholes.us
32a2000.blackholes.us
32dnsbl.ahbl.org (result 127.0.0.7 = spam haven)
31rdts.dnsbl.net.au
31blackholes.uceb.org (union of all results)
29blackholes.brainerd.net
28osrs.dnsbl.net.au
28relays.nether.net
26blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
24dnsbl.sorbs.net (result 127.0.0.5 = open relay)
24dnsbl.ahbl.org (result 127.0.0.15 = open relay)
22blackholes.uceb.org (result 127.0.0.3 = spam source)
19eli.blackholes.us
17rackspace.blackholes.us
17broadwing.blackholes.us
17spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
17combined-hib.dnsiplists.completewhois.com (result 127.0.0.2 = unallocated IP address)
17dnsbl.ahbl.org (result 127.0.0.10 = shoot on sight spammer)
17spamguard.leadmon.net (union of all results)
16hil.habeas.com
15exemptions.ahbl.org (not a blacklist!)
13dnsbl.rangers.eu.org (result 127.0.0.4 = virus notices)
13satos.rbl.cluecentral.net
11blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
10maxim.blackholes.us
9epoch.blackholes.us
9blackholes.uceb.org (result 127.0.0.2 = open relay)
8infolink.blackholes.us
7navisite.blackholes.us
7owps.dnsbl.net.au
6burst.blackholes.us
5olm.blackholes.us
5affinity.blackholes.us
5blackholes.five-ten-sg.com (result 127.0.0.10 = virus notices)
4omrs.dnsbl.net.au
4bl.deadbeef.com
3dnsbl.ahbl.org (result 127.0.0.14 = denial-of-service attacker)
2pajo.blackholes.us
2relays.bl.kundenserver.de
2dialup.blacklist.jippg.org (result 127.0.0.4 = dialup in Japan)
2no-more-funn.moensted.dk (result 127.0.0.5 = relay output)
2no-more-funn.moensted.dk (result 127.0.0.4 = unconfirmed opt-in)
2blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
1ciberlynx.blackholes.us
1dnsbl.rangers.eu.org (result 127.0.0.32 = worm source)
1blackholes.five-ten-sg.com (result 127.0.0.6 = open relay)

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems.

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

HitsDNS Zone
36389(total number of IP addresses whose names were tested, including 417 at SDSC)
14001(union of all domain zones)
10539abuse.rfc-ignorant.org
7827rddn.dnsbl.net.au
4137whois.rfc-ignorant.org (union of all results)
3185dynamic.rhs.mailpolice.com
3133whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
1400webmail.rhs.mailpolice.com
1005whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
388rhsbl.ahbl.org
357bulk.rhs.mailpolice.com
300adv.rhs.mailpolice.com
274bl.deadbeef.com
20dsn.rfc-ignorant.org (zone not intended for this use)
18postmaster.rfc-ignorant.org
6fraud.rhs.mailpolice.com
4porn.rhs.mailpolice.com
2blackhole.securitysage.com
1bogusmx.rfc-ignorant.org
1cart00ney.surriel.com

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

HitsDNS Zone
27051(total number of domains tested, including 286 at SDSC)
7326(union of all domain zones)
3179whois.rfc-ignorant.org (union of all results)
2727whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
2225abuse.rfc-ignorant.org
1045webmail.rhs.mailpolice.com
990postmaster.rfc-ignorant.org
832dsn.rfc-ignorant.org
686rhsbl.ahbl.org
582bulk.rhs.mailpolice.com
452whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
255bogusmx.rfc-ignorant.org
247bl.deadbeef.com
199blackhole.securitysage.com
195adv.rhs.mailpolice.com
64porn.rhs.mailpolice.com
46rddn.dnsbl.net.au (zone not intended for this use)
45rhsbl.sorbs.net (result 127.0.0.11 = domain uses bad address space)
45rhsbl.sorbs.net (union of all results)
20dynamic.rhs.mailpolice.com
18ex.dnsbl.org
4cart00ney.surriel.com
2fraud.rhs.mailpolice.com

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 20 January 2005.