Blacklists Compared

22 October 2005

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison | Sendmail Configuration ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the exemptions.ahbl.org and query.bondedsender.org zones because they are not blacklists, and because it is too aggressive to be widely useful the block.blars.org zone is also excluded.

HitsDNS Zone
53075(total number of IP addresses tested, including 486 at SDSC)
45839(union of most IP zones)
36249block.blars.org
28500dnsbl.sorbs.net (union of all results)
27341blackholes.five-ten-sg.com (union of all results)
26383blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
24871t1.dnsbl.net.au
19897sbl-xbl.spamhaus.org (union of all results)
19517dnsbl.sorbs.net (result 127.0.0.10 = dialup)
18734xbl.spamhaus.org (union of all results)
17466xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
17464sbl-xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
17431cbl.abuseat.org
13222dynablock.njabl.org
12395no-more-funn.moensted.dk (union of all results)
12247cn-kr.blackholes.us (result 127.0.0.2 = China)
12247cn-kr.blackholes.us (union of all results)
11916psbl.surriel.com
9855unconfirmed.dsbl.org
9771list.dsbl.org
9763dsbl.dnsbl.net.au
9202sbl.csma.biz
8234china.blackholes.us
6147dnsbl.sorbs.net (result 127.0.0.7 = open formmail.cgi)
6121combined-hib.dnsiplists.completewhois.com (union of all results)
6115combined-hib.dnsiplists.completewhois.com (result 127.0.0.4 = bad whois data)
5664bl.spamcop.net
5433blacklist.spambag.org
4887no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
4650bl.csma.biz
4504no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
4047l2.spews.dnsbl.sorbs.net
4013korea.blackholes.us
3994korea.services.net
3930dnsbl.sorbs.net (result 127.0.0.6 = spam source)
3805dnsbl.njabl.org (union of all results)
3645dnsbl.rangers.eu.org (union of all results)
3444dnsbl.rangers.eu.org (result 127.0.0.2 = dialup)
3439l1.spews.dnsbl.sorbs.net
3436spews.dnsbl.net.au
3168dnsbl.ahbl.org (union of all results)
3024spamsources.fabel.dk
2930dnsbl.njabl.org (result 127.0.0.9 = open proxy)
2737brazil.blackholes.us
2655ricn.dnsbl.net.au
2621dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
2568wpbl.dnsbl.net.au
2477unsure.nether.net
2365dnsbl.regedit64.net
2108no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
1897rmst.dnsbl.net.au
1867opm.blitzed.org
1866xbl.spamhaus.org (result 127.0.0.6 = Blitzed Open Proxy Monitor List)
1866sbl-xbl.spamhaus.org (result 127.0.0.6 = Blitzed Open Proxy Monitor List)
1804dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
1571xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
1571sbl-xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
1409sbl-xbl.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
1407sbl.spamhaus.org
1092dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
1050japan.blackholes.us
1022bl.spamcannibal.org
1017spam.wytnij.to
988dnsbl.antispam.or.id
948russia.blackholes.us
850tr.countries.nerd.dk
847turkey.blackholes.us
840mexico.blackholes.us
712no-more-funn.moensted.dk (result 127.0.0.9 = misc)
705taiwan.blackholes.us
601probes.dnsbl.net.au
598dnsbl.njabl.org (result 127.0.0.3 = dialup)
535dnsbl.ahbl.org (result 127.0.0.4 = spam source)
497hongkong.blackholes.us
464argentina.blackholes.us
436blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
356blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
240thailand.blackholes.us
229singapore.blackholes.us
222malaysia.blackholes.us
194no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
189query.bondedsender.org (not a blacklist!)
182mail-abuse.blacklist.jippg.org
167blackholes.intersil.net
157dnsbl.njabl.org (result 127.0.0.2 = open relay)
142dnsbl.njabl.org (result 127.0.0.4 = spam source)
134dnsbl.ahbl.org (result 127.0.0.7 = spam haven)
133relays.ordb.org
128dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
118dnsbl.rangers.eu.org (result 127.0.0.16 = spam haven)
95blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
87ohps.dnsbl.net.au
74flowgoaway.com
70dnsbl.rangers.eu.org (result 127.0.0.8 = spam source)
66multihop.dsbl.org
57blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
39osps.dnsbl.net.au
33rdts.dnsbl.net.au
32exemptions.ahbl.org (not a blacklist!)
28blackholes.brainerd.net
27relays.nether.net
21osrs.dnsbl.net.au
20spamguard.leadmon.net (union of all results)
18spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
17blackholes.uceb.org (union of all results)
15dnsbl.sorbs.net (result 127.0.0.5 = open relay)
13dnsbl.rangers.eu.org (result 127.0.0.4 = virus notices)
9nigeria.blackholes.us
9dnsbl.ahbl.org (result 127.0.0.15 = open relay)
8blackholes.five-ten-sg.com (result 127.0.0.10 = virus notices)
8dnsbl.ahbl.org (result 127.0.0.19 = open proxy test zone)
7blackholes.uceb.org (result 127.0.0.2 = open relay)
7hil.habeas.com
6combined-hib.dnsiplists.completewhois.com (result 127.0.0.2 = unallocated IP address)
5blackholes.uceb.org (result 127.0.0.3 = spam source)
5blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
4blackholes.uceb.org (result 127.0.0.6 = spam haven)
3owps.dnsbl.net.au
2tor.dnsbl.sectoor.de (result 127.0.0.2 = /24 contains a Tor server)
2spamguard.leadmon.net (result 127.0.0.3 = spam source)
2no-more-funn.moensted.dk (result 127.0.0.5 = relay output)
2no-more-funn.moensted.dk (result 127.0.0.4 = unconfirmed opt-in)
2bl.deadbeef.com
2tor.dnsbl.sectoor.de (union of all results)
1blackholes.uceb.org (result 127.0.0.4 = spam source network)
1dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
1omrs.dnsbl.net.au
1dnsbl.njabl.org (result 127.0.0.8 = open formmail.cgi)
1relays.bl.kundenserver.de
1blackholes.five-ten-sg.com (result 127.0.0.6 = open relay)

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems.

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

HitsDNS Zone
53075(total number of IP addresses whose names were tested, including 486 at SDSC)
26494(union of all domain zones)
19849abuse.rfc-ignorant.org
15701rddn.dnsbl.net.au
12018whois.rfc-ignorant.org (union of all results)
9269whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
7926dynamic.rhs.mailpolice.com
2752whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
2090webmail.rhs.mailpolice.com
1059rhsbl.ahbl.org
483adv.rhs.mailpolice.com
360bl.deadbeef.com
351bulk.rhs.mailpolice.com
283postmaster.rfc-ignorant.org
181dsn.rfc-ignorant.org (zone not intended for this use)
181bogusmx.rfc-ignorant.org
6porn.rhs.mailpolice.com
1blackhole.securitysage.com
1cart00ney.surriel.com

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

HitsDNS Zone
28029(total number of domains tested, including 435 at SDSC)
6813(union of all domain zones)
2474whois.rfc-ignorant.org (union of all results)
2461abuse.rfc-ignorant.org
1977whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
1299postmaster.rfc-ignorant.org
1188webmail.rhs.mailpolice.com
1007rhsbl.ahbl.org
914dsn.rfc-ignorant.org
549bogusmx.rfc-ignorant.org
497whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
334bulk.rhs.mailpolice.com
207adv.rhs.mailpolice.com
174bl.deadbeef.com
151blackhole.securitysage.com
90porn.rhs.mailpolice.com
51rhsbl.sorbs.net (result 127.0.0.11 = domain uses bad address space)
51rhsbl.sorbs.net (union of all results)
22rddn.dnsbl.net.au (zone not intended for this use)
16ex.dnsbl.org
5dynamic.rhs.mailpolice.com
4cart00ney.surriel.com
2fraud.rhs.mailpolice.com

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 8 November 2005.