Blacklists Compared, 2-Jul-05

Blacklists Compared

2 July 2005

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison | Sendmail Configuration ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the exemptions.ahbl.org and query.bondedsender.org zones because they are not blacklists, and because it is too aggressive to be widely useful the block.blars.org zone is also excluded.

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems.

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

Hits DNS Zone

40824 (total number of IP addresses whose names were tested, including 409 at SDSC)
18334 (union of all domain zones)
14309 abuse.rfc-ignorant.org
8599 rddn.dnsbl.net.au
8546 whois.rfc-ignorant.org (union of all results)
6854 whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
4798 dynamic.rhs.mailpolice.com
1693 whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
1402 webmail.rhs.mailpolice.com
859 rhsbl.ahbl.org
589 bulk.rhs.mailpolice.com
463 bl.deadbeef.com
340 adv.rhs.mailpolice.com
86 postmaster.rfc-ignorant.org
28 dsn.rfc-ignorant.org (zone not intended for this use)
6 bogusmx.rfc-ignorant.org
6 porn.rhs.mailpolice.com
4 blackhole.securitysage.com

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

Hits DNS Zone

25996 (total number of domains tested, including 354 at SDSC)
7032 (union of all domain zones)
2862 whois.rfc-ignorant.org (union of all results)
2296 whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
2215 abuse.rfc-ignorant.org
1261 webmail.rhs.mailpolice.com
1212 postmaster.rfc-ignorant.org
932 rhsbl.ahbl.org
895 dsn.rfc-ignorant.org
566 whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
489 bogusmx.rfc-ignorant.org
472 bulk.rhs.mailpolice.com
202 blackhole.securitysage.com
186 adv.rhs.mailpolice.com
175 bl.deadbeef.com
88 porn.rhs.mailpolice.com
51 rhsbl.sorbs.net (result 127.0.0.11 = domain uses bad address space)
51 rhsbl.sorbs.net (union of all results)
43 rddn.dnsbl.net.au (zone not intended for this use)
27 dynamic.rhs.mailpolice.com
16 ex.dnsbl.org
3 cart00ney.surriel.com
2 fraud.rhs.mailpolice.com

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 15 July 2005.

Hits	DNS Zone
40824	(total number of IP addresses tested, including 409 at SDSC)
35242	(union of most IP zones)
29605	block.blars.org
23694	t1.dnsbl.net.au
16850	dnsbl.sorbs.net (union of all results)
15794	sbl-xbl.spamhaus.org (union of all results)
13914	xbl.spamhaus.org (union of all results)
12508	sbl-xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
12506	xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
12503	cbl.abuseat.org
12297	cn-kr.blackholes.us (union of all results)
11889	dnsbl.sorbs.net (result 127.0.0.10 = dialup)
10519	rmst.dnsbl.net.au
9831	dynablock.njabl.org
9638	no-more-funn.moensted.dk (union of all results)
9439	unconfirmed.dsbl.org
9380	list.dsbl.org
9375	dsbl.dnsbl.net.au
9244	blackholes.five-ten-sg.com (union of all results)
8867	blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
6524	sbl.csma.biz
6271	korea.services.net
6243	cn-kr.blackholes.us (result 127.0.0.3 = Korea)
6243	korea.blackholes.us
6054	cn-kr.blackholes.us (result 127.0.0.2 = China)
6054	china.blackholes.us
5738	combined-hib.dnsiplists.completewhois.com (union of all results)
5699	combined-hib.dnsiplists.completewhois.com (result 127.0.0.4 = bad whois data)
5470	no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
5150	psbl.surriel.com
4644	blacklist.spambag.org
4529	bl.spamcop.net
3528	l2.spews.dnsbl.sorbs.net
3320	bl.csma.biz
3298	dnsbl.njabl.org (union of all results)
3099	l1.spews.dnsbl.sorbs.net
2969	dnsbl.ahbl.org (union of all results)
2884	spews.dnsbl.net.au
2717	spamsources.fabel.dk
2502	dnsbl.njabl.org (result 127.0.0.9 = open proxy)
2473	dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
2433	opm.blitzed.org
2425	sbl-xbl.spamhaus.org (result 127.0.0.6 = Blitzed Open Proxy Monitor List)
2421	xbl.spamhaus.org (result 127.0.0.6 = Blitzed Open Proxy Monitor List)
2292	wpbl.dnsbl.net.au
2164	ricn.dnsbl.net.au
1971	sbl-xbl.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
1971	sbl.spamhaus.org
1964	dnsbl.rangers.eu.org (union of all results)
1905	dnsbl.sorbs.net (result 127.0.0.7 = open formmail.cgi)
1902	dnsbl.regedit64.net
1833	dnsbl.sorbs.net (result 127.0.0.6 = spam source)
1724	dnsbl.rangers.eu.org (result 127.0.0.2 = dialup)
1715	no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
1689	no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
1530	dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
1408	brazil.blackholes.us
1319	xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
1319	sbl-xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
1179	unsure.nether.net
1172	pdl.blackholes.us
1155	bl.spamcannibal.org
1016	dnsbl.antispam.or.id
973	dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
955	spam.wytnij.to
953	comcast.blackholes.us
923	japan.blackholes.us
742	taiwan.blackholes.us
640	rr.blackholes.us
607	no-more-funn.moensted.dk (result 127.0.0.9 = misc)
579	probes.dnsbl.net.au
518	dnsbl.njabl.org (result 127.0.0.3 = dialup)
486	dnsbl.ahbl.org (result 127.0.0.4 = spam source)
478	hongkong.blackholes.us
462	argentina.blackholes.us
384	charter.blackholes.us
368	mci.blackholes.us
283	mexico.blackholes.us
265	tr.countries.nerd.dk
244	cw.blackholes.us
208	dnsbl.njabl.org (result 127.0.0.2 = open relay)
206	blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
193	query.bondedsender.org (not a blacklist!)
187	blackholes.intersil.net
180	turkey.blackholes.us
173	thailand.blackholes.us
168	mail-abuse.blacklist.jippg.org
165	no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
160	level3.blackholes.us
157	qwest.blackholes.us
150	dnsbl.rangers.eu.org (result 127.0.0.16 = spam haven)
124	singapore.blackholes.us
115	malaysia.blackholes.us
111	ohps.dnsbl.net.au
110	russia.blackholes.us
109	verio.blackholes.us
108	relays.ordb.org
107	ybl.megacity.org
107	blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
106	dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
106	dnsbl.ahbl.org (result 127.0.0.7 = spam haven)
96	flowgoaway.com
85	internap.blackholes.us
79	bellsouth.blackholes.us
79	dnsbl.njabl.org (result 127.0.0.4 = spam source)
77	multihop.dsbl.org
75	xo.blackholes.us
74	dnsbl.rangers.eu.org (result 127.0.0.8 = spam source)
68	cybercon.blackholes.us
65	osps.dnsbl.net.au
60	above.blackholes.us
56	wanadoo-fr.blackholes.us
50	he.blackholes.us
50	blackholes.brainerd.net
45	broadwing.blackholes.us
36	telstra.blackholes.us
36	osrs.dnsbl.net.au
34	rogers.blackholes.us
33	a2000.blackholes.us
32	inflow.blackholes.us
32	covad.blackholes.us
32	exemptions.ahbl.org (not a blacklist!)
29	combined-hib.dnsiplists.completewhois.com (result 127.0.0.2 = unallocated IP address)
28	interbusiness.blackholes.us
26	relays.nether.net
24	blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
22	blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
21	eli.blackholes.us
20	spamguard.leadmon.net (union of all results)
18	spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
17	rdts.dnsbl.net.au
16	infolink.blackholes.us
16	dnsbl.sorbs.net (result 127.0.0.5 = open relay)
14	dnsbl.rangers.eu.org (result 127.0.0.4 = virus notices)
14	blackholes.uceb.org (union of all results)
13	swbell.blackholes.us
13	rackspace.blackholes.us
12	yipes.blackholes.us
10	lauderdale.blackholes.us
10	combined-hib.dnsiplists.completewhois.com (result 127.0.0.3 = hijacked network)
9	hil.habeas.com
8	nigeria.blackholes.us
8	maxim.blackholes.us
8	blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
8	dialup.blacklist.jippg.org (union of all results)
7	olm.blackholes.us
7	navisite.blackholes.us
7	epoch.blackholes.us
7	blackholes.uceb.org (result 127.0.0.2 = open relay)
7	dnsbl.ahbl.org (result 127.0.0.15 = open relay)
7	dnsbl.ahbl.org (result 127.0.0.19 = open proxy test zone)
6	pajo.blackholes.us
6	dialup.blacklist.jippg.org (result 127.0.0.4 = dialup in Japan)
5	affinity.blackholes.us
5	owps.dnsbl.net.au
4	blackholes.uceb.org (result 127.0.0.3 = spam source)
4	dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
4	blackholes.five-ten-sg.com (result 127.0.0.10 = virus notices)
3	burst.blackholes.us
3	blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
3	blackholes.five-ten-sg.com (result 127.0.0.6 = open relay)
2	blackholes.uceb.org (result 127.0.0.6 = spam haven)
2	dnsbl.rangers.eu.org (result 127.0.0.32 = worm source)
2	spamguard.leadmon.net (result 127.0.0.3 = spam source)
2	dialup.blacklist.jippg.org (result 127.0.0.3 = dialup outside Japan)
1	blackholes.uceb.org (result 127.0.0.8 = spam source with fake sender)
1	spamsites.dnsbl.net.au
1	omrs.dnsbl.net.au
1	owfs.dnsbl.net.au
1	no-more-funn.moensted.dk (result 127.0.0.4 = unconfirmed opt-in)
1	bl.deadbeef.com

Hits	DNS Zone
25996	(total number of domains tested, including 354 at SDSC)
7032	(union of all domain zones)
2862	whois.rfc-ignorant.org (union of all results)
2296	whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
2215	abuse.rfc-ignorant.org
1261	webmail.rhs.mailpolice.com
1212	postmaster.rfc-ignorant.org
932	rhsbl.ahbl.org
895	dsn.rfc-ignorant.org
566	whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
489	bogusmx.rfc-ignorant.org
472	bulk.rhs.mailpolice.com
202	blackhole.securitysage.com
186	adv.rhs.mailpolice.com
175	bl.deadbeef.com
88	porn.rhs.mailpolice.com
51	rhsbl.sorbs.net (result 127.0.0.11 = domain uses bad address space)
51	rhsbl.sorbs.net (union of all results)
43	rddn.dnsbl.net.au (zone not intended for this use)
27	dynamic.rhs.mailpolice.com
16	ex.dnsbl.org
3	cart00ney.surriel.com
2	fraud.rhs.mailpolice.com