Blacklists Compared, 5-Aug-06

Blacklists Compared

5 August 2006

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison | Sendmail Configuration ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the exemptions.ahbl.org and query.bondedsender.org zones because they are not blacklists, and because it is too aggressive to be widely useful the block.blars.org zone is also excluded.

Hits DNS Zone

98314 (total number of IP addresses tested, including 538 at SDSC)
82096 (union of most IP zones)
60528 block.blars.org
56180 t1.dnsbl.net.au
51088 dnsbl.sorbs.net (union of all results)
44828 blackholes.five-ten-sg.com (union of all results)
43223 blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
39989 dnsbl.tqmcube.com (union of all results)
37680 dnsbl.sorbs.net (result 127.0.0.10 = dialup)
27528 sbl-xbl.spamhaus.org (union of all results)
27065 dynablock.njabl.org
26675 xbl.spamhaus.org (union of all results)
24457 psbl.surriel.com
24143 cbl.abuseat.org
24114 sbl-xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
24111 xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
18902 cn-kr.blackholes.us (result 127.0.0.2 = China)
18902 cn-kr.blackholes.us (union of all results)
15472 dnsbl.tqmcube.com (result 127.0.0.2 = dialup)
15356 no-more-funn.moensted.dk (union of all results)
13386 china.blackholes.us
13100 dnsbl.tqmcube.com (result 127.0.0.5 = China)
12633 bl.csma.biz
12146 unconfirmed.dsbl.org
11974 list.dsbl.org
11967 dsbl.dnsbl.net.au
10895 dnsbl.sorbs.net (result 127.0.0.7 = hacked/vulnerable)
10146 blacklist.spambag.org
9130 dnsbl-2.uceprotect.net
8705 bl.spamcop.net
8427 wpbl.dnsbl.net.au
8084 dnsbl-1.uceprotect.net
7987 dnsbl.tqmcube.com (result 127.0.0.3 = spam source)
7483 dnsbl.sorbs.net (result 127.0.0.6 = spam source)
7102 combined-hib.dnsiplists.completewhois.com (union of all results)
7098 combined-hib.dnsiplists.completewhois.com (result 127.0.0.4 = bad whois data)
7065 dnsbl.njabl.org (union of all results)
6538 no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
5760 korea.services.net
5587 dnsbl.njabl.org (result 127.0.0.9 = open proxy)
5528 korea.blackholes.us
4880 dnsbl.tqmcube.com (result 127.0.0.4 = South Korea)
4658 l2.spews.dnsbl.sorbs.net
4523 no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
4399 xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
4399 sbl-xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
4103 dnsbl.ahbl.org (union of all results)
3791 dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
3769 brazil.blackholes.us
3767 no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
3717 unsure.nether.net
3565 l1.spews.dnsbl.sorbs.net
3513 rmst.dnsbl.net.au
3020 spamsources.fabel.dk
2964 spam.wytnij.to
2607 ubl.unsubscore.com
2586 dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
2021 japan.blackholes.us
1806 mail-abuse.blacklist.jippg.org
1760 taiwan.blackholes.us
1561 dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
1558 ricn.dnsbl.net.au
1476 tr.countries.nerd.dk
1467 turkey.blackholes.us
1437 dnsbl-3.uceprotect.net
1219 bl.spamcannibal.org
993 spews.dnsbl.net.au
990 sbl.spamhaus.org
989 sbl-xbl.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
986 argentina.blackholes.us
986 dnsbl.njabl.org (result 127.0.0.3 = dialup)
965 sbl.csma.biz
827 blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
763 mexico.blackholes.us
693 russia.blackholes.us
672 probes.dnsbl.net.au
579 hongkong.blackholes.us
445 malaysia.blackholes.us
426 no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
422 blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
393 thailand.blackholes.us
333 dnsbl.njabl.org (result 127.0.0.4 = spam source)
320 singapore.blackholes.us
287 dnsbl.ahbl.org (result 127.0.0.4 = spam source)
286 no-more-funn.moensted.dk (result 127.0.0.9 = misc)
257 blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
248 blackholes.uceb.org (union of all results)
219 blackholes.uceb.org (result 127.0.0.3 = spam source)
169 dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
169 dnsbl.njabl.org (result 127.0.0.2 = open relay)
167 blackholes.intersil.net
145 query.bondedsender.org (not a blacklist!)
141 ohps.dnsbl.net.au
140 multihop.dsbl.org
137 work.drbl.croco.net
96 dnsbl.antispam.or.id
95 relays.nether.net
82 flowgoaway.com
79 blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
70 dnsbl.ahbl.org (result 127.0.0.7 = spam haven)
61 relays.ordb.org
50 blackholes.brainerd.net
30 no-more-funn.moensted.dk (result 127.0.0.5 = relay output)
29 blackholes.uceb.org (result 127.0.0.2 = open relay)
29 osps.dnsbl.net.au
28 exemptions.ahbl.org (not a blacklist!)
24 rdts.dnsbl.net.au
23 tor.dnsbl.sectoor.de (union of all results)
22 tor.dnsbl.sectoor.de (result 127.0.0.2 = /24 contains a Tor server)
16 nigeria.blackholes.us
14 dnsbl.ahbl.org (result 127.0.0.19 = open proxy test zone)
14 spamguard.leadmon.net (union of all results)
13 dnsbl.sorbs.net (result 127.0.0.5 = open relay)
12 blackholes.five-ten-sg.com (result 127.0.0.10 = virus notices)
12 dnsbl.ahbl.org (result 127.0.0.15 = open relay)
10 spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
9 osrs.dnsbl.net.au
9 hil.habeas.com
4 blackholes.five-ten-sg.com (result 127.0.0.11 = TCPA violator)
4 bl.deadbeef.com
4 combined-hib.dnsiplists.completewhois.com (result 127.0.0.2 = unallocated IP address)
3 owps.dnsbl.net.au
3 spamsites.dnsbl.net.au
3 spamguard.leadmon.net (result 127.0.0.8 = open proxy)
2 blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
1 tor.dnsbl.sectoor.de (result 127.0.0.1 = Tor server)
1 dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
1 omrs.dnsbl.net.au
1 spamguard.leadmon.net (result 127.0.0.3 = spam source)
1 no-more-funn.moensted.dk (result 127.0.0.4 = unconfirmed opt-in)
1 blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
1 blackholes.five-ten-sg.com (result 127.0.0.13 = challenge-response source)
1 dnsbl.ahbl.org (result 127.0.0.11 = no postmaster or abuse e-mail)
1 dnsbl.ahbl.org (result 127.0.0.14 = denial-of-service attacker)
1 dnsbl.ahbl.org (result 127.0.0.10 = shoot on sight spammer)

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems.

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

Hits DNS Zone

98314 (total number of IP addresses whose names were tested, including 538 at SDSC)
49993 (union of all domain zones)
36200 abuse.rfc-ignorant.org
33976 rddn.dnsbl.net.au
24729 whois.rfc-ignorant.org (union of all results)
23212 dynamic.rhs.mailpolice.com
18207 whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
6528 whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
3356 webmail.rhs.mailpolice.com
777 rhsbl.ahbl.org
507 adv.rhs.mailpolice.com
307 postmaster.rfc-ignorant.org
106 dsn.rfc-ignorant.org (zone not intended for this use)
101 bulk.rhs.mailpolice.com
90 bogusmx.rfc-ignorant.org
14 porn.rhs.mailpolice.com
3 blackhole.securitysage.com
1 ex.dnsbl.org
1 bl.deadbeef.com

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

Hits DNS Zone

51461 (total number of domains tested, including 443 at SDSC)
9348 (union of all domain zones)
3661 whois.rfc-ignorant.org (union of all results)
3323 abuse.rfc-ignorant.org
2990 whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
1464 webmail.rhs.mailpolice.com
1362 postmaster.rfc-ignorant.org
1126 rhsbl.ahbl.org
1015 dsn.rfc-ignorant.org
750 bogusmx.rfc-ignorant.org
671 whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
276 bulk.rhs.mailpolice.com
268 porn.rhs.mailpolice.com
185 adv.rhs.mailpolice.com
159 blackhole.securitysage.com
53 rhsbl.sorbs.net (result 127.0.0.11 = domain uses bad address space)
53 rhsbl.sorbs.net (union of all results)
24 rddn.dnsbl.net.au (zone not intended for this use)
15 ex.dnsbl.org
9 dynamic.rhs.mailpolice.com

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 23 August 2006.

Hits	DNS Zone
98314	(total number of IP addresses tested, including 538 at SDSC)
82096	(union of most IP zones)
60528	block.blars.org
56180	t1.dnsbl.net.au
51088	dnsbl.sorbs.net (union of all results)
44828	blackholes.five-ten-sg.com (union of all results)
43223	blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
39989	dnsbl.tqmcube.com (union of all results)
37680	dnsbl.sorbs.net (result 127.0.0.10 = dialup)
27528	sbl-xbl.spamhaus.org (union of all results)
27065	dynablock.njabl.org
26675	xbl.spamhaus.org (union of all results)
24457	psbl.surriel.com
24143	cbl.abuseat.org
24114	sbl-xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
24111	xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
18902	cn-kr.blackholes.us (result 127.0.0.2 = China)
18902	cn-kr.blackholes.us (union of all results)
15472	dnsbl.tqmcube.com (result 127.0.0.2 = dialup)
15356	no-more-funn.moensted.dk (union of all results)
13386	china.blackholes.us
13100	dnsbl.tqmcube.com (result 127.0.0.5 = China)
12633	bl.csma.biz
12146	unconfirmed.dsbl.org
11974	list.dsbl.org
11967	dsbl.dnsbl.net.au
10895	dnsbl.sorbs.net (result 127.0.0.7 = hacked/vulnerable)
10146	blacklist.spambag.org
9130	dnsbl-2.uceprotect.net
8705	bl.spamcop.net
8427	wpbl.dnsbl.net.au
8084	dnsbl-1.uceprotect.net
7987	dnsbl.tqmcube.com (result 127.0.0.3 = spam source)
7483	dnsbl.sorbs.net (result 127.0.0.6 = spam source)
7102	combined-hib.dnsiplists.completewhois.com (union of all results)
7098	combined-hib.dnsiplists.completewhois.com (result 127.0.0.4 = bad whois data)
7065	dnsbl.njabl.org (union of all results)
6538	no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
5760	korea.services.net
5587	dnsbl.njabl.org (result 127.0.0.9 = open proxy)
5528	korea.blackholes.us
4880	dnsbl.tqmcube.com (result 127.0.0.4 = South Korea)
4658	l2.spews.dnsbl.sorbs.net
4523	no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
4399	xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
4399	sbl-xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
4103	dnsbl.ahbl.org (union of all results)
3791	dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
3769	brazil.blackholes.us
3767	no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
3717	unsure.nether.net
3565	l1.spews.dnsbl.sorbs.net
3513	rmst.dnsbl.net.au
3020	spamsources.fabel.dk
2964	spam.wytnij.to
2607	ubl.unsubscore.com
2586	dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
2021	japan.blackholes.us
1806	mail-abuse.blacklist.jippg.org
1760	taiwan.blackholes.us
1561	dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
1558	ricn.dnsbl.net.au
1476	tr.countries.nerd.dk
1467	turkey.blackholes.us
1437	dnsbl-3.uceprotect.net
1219	bl.spamcannibal.org
993	spews.dnsbl.net.au
990	sbl.spamhaus.org
989	sbl-xbl.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
986	argentina.blackholes.us
986	dnsbl.njabl.org (result 127.0.0.3 = dialup)
965	sbl.csma.biz
827	blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
763	mexico.blackholes.us
693	russia.blackholes.us
672	probes.dnsbl.net.au
579	hongkong.blackholes.us
445	malaysia.blackholes.us
426	no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
422	blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
393	thailand.blackholes.us
333	dnsbl.njabl.org (result 127.0.0.4 = spam source)
320	singapore.blackholes.us
287	dnsbl.ahbl.org (result 127.0.0.4 = spam source)
286	no-more-funn.moensted.dk (result 127.0.0.9 = misc)
257	blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
248	blackholes.uceb.org (union of all results)
219	blackholes.uceb.org (result 127.0.0.3 = spam source)
169	dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
169	dnsbl.njabl.org (result 127.0.0.2 = open relay)
167	blackholes.intersil.net
145	query.bondedsender.org (not a blacklist!)
141	ohps.dnsbl.net.au
140	multihop.dsbl.org
137	work.drbl.croco.net
96	dnsbl.antispam.or.id
95	relays.nether.net
82	flowgoaway.com
79	blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
70	dnsbl.ahbl.org (result 127.0.0.7 = spam haven)
61	relays.ordb.org
50	blackholes.brainerd.net
30	no-more-funn.moensted.dk (result 127.0.0.5 = relay output)
29	blackholes.uceb.org (result 127.0.0.2 = open relay)
29	osps.dnsbl.net.au
28	exemptions.ahbl.org (not a blacklist!)
24	rdts.dnsbl.net.au
23	tor.dnsbl.sectoor.de (union of all results)
22	tor.dnsbl.sectoor.de (result 127.0.0.2 = /24 contains a Tor server)
16	nigeria.blackholes.us
14	dnsbl.ahbl.org (result 127.0.0.19 = open proxy test zone)
14	spamguard.leadmon.net (union of all results)
13	dnsbl.sorbs.net (result 127.0.0.5 = open relay)
12	blackholes.five-ten-sg.com (result 127.0.0.10 = virus notices)
12	dnsbl.ahbl.org (result 127.0.0.15 = open relay)
10	spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
9	osrs.dnsbl.net.au
9	hil.habeas.com
4	blackholes.five-ten-sg.com (result 127.0.0.11 = TCPA violator)
4	bl.deadbeef.com
4	combined-hib.dnsiplists.completewhois.com (result 127.0.0.2 = unallocated IP address)
3	owps.dnsbl.net.au
3	spamsites.dnsbl.net.au
3	spamguard.leadmon.net (result 127.0.0.8 = open proxy)
2	blackholes.five-ten-sg.com (result 127.0.0.5 = relay output)
1	tor.dnsbl.sectoor.de (result 127.0.0.1 = Tor server)
1	dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
1	omrs.dnsbl.net.au
1	spamguard.leadmon.net (result 127.0.0.3 = spam source)
1	no-more-funn.moensted.dk (result 127.0.0.4 = unconfirmed opt-in)
1	blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
1	blackholes.five-ten-sg.com (result 127.0.0.13 = challenge-response source)
1	dnsbl.ahbl.org (result 127.0.0.11 = no postmaster or abuse e-mail)
1	dnsbl.ahbl.org (result 127.0.0.14 = denial-of-service attacker)
1	dnsbl.ahbl.org (result 127.0.0.10 = shoot on sight spammer)

Hits	DNS Zone
51461	(total number of domains tested, including 443 at SDSC)
9348	(union of all domain zones)
3661	whois.rfc-ignorant.org (union of all results)
3323	abuse.rfc-ignorant.org
2990	whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
1464	webmail.rhs.mailpolice.com
1362	postmaster.rfc-ignorant.org
1126	rhsbl.ahbl.org
1015	dsn.rfc-ignorant.org
750	bogusmx.rfc-ignorant.org
671	whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
276	bulk.rhs.mailpolice.com
268	porn.rhs.mailpolice.com
185	adv.rhs.mailpolice.com
159	blackhole.securitysage.com
53	rhsbl.sorbs.net (result 127.0.0.11 = domain uses bad address space)
53	rhsbl.sorbs.net (union of all results)
24	rddn.dnsbl.net.au (zone not intended for this use)
15	ex.dnsbl.org
9	dynamic.rhs.mailpolice.com