Blacklists Compared

19 August 2006

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison | Sendmail Configuration ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the exemptions.ahbl.org and query.bondedsender.org zones because they are not blacklists, and because it is too aggressive to be widely useful the block.blars.org zone is also excluded.

HitsDNS Zone
83795(total number of IP addresses tested, including 526 at SDSC)
77185(union of most IP zones)
61387t1.dnsbl.net.au
53813block.blars.org
50014dnsbl.sorbs.net (union of all results)
42650blackholes.five-ten-sg.com (union of all results)
41235blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
41048sbl-xbl.spamhaus.org (union of all results)
40425xbl.spamhaus.org (union of all results)
38561cbl.abuseat.org
38530sbl-xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
38520xbl.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
38264dnsbl.tqmcube.com (union of all results)
37065dnsbl.sorbs.net (result 127.0.0.10 = dialup)
34017psbl.surriel.com
25989dynablock.njabl.org
22035no-more-funn.moensted.dk (union of all results)
18082cn-kr.blackholes.us (result 127.0.0.2 = China)
18082cn-kr.blackholes.us (union of all results)
16427dnsbl-2.uceprotect.net
15371dnsbl-1.uceprotect.net
14393dnsbl.tqmcube.com (result 127.0.0.2 = dialup)
12253dnsbl.sorbs.net (result 127.0.0.7 = hacked/vulnerable)
11897china.blackholes.us
11682dnsbl.tqmcube.com (result 127.0.0.5 = China)
11402unconfirmed.dsbl.org
11317list.dsbl.org
11308dsbl.dnsbl.net.au
10960bl.spamcop.net
9679blacklist.spambag.org
9364no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
9079bl.csma.biz
7587no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
7070combined-hib.dnsiplists.completewhois.com (union of all results)
7069combined-hib.dnsiplists.completewhois.com (result 127.0.0.4 = bad whois data)
6784dnsbl.tqmcube.com (result 127.0.0.3 = spam source)
6597wpbl.dnsbl.net.au
6581dnsbl.njabl.org (union of all results)
6450korea.services.net
6184korea.blackholes.us
5914dnsbl.sorbs.net (result 127.0.0.6 = spam source)
5583dnsbl.tqmcube.com (result 127.0.0.4 = South Korea)
5284dnsbl.njabl.org (result 127.0.0.9 = open proxy)
4922no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
4284l2.spews.dnsbl.sorbs.net
4113xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
4113sbl-xbl.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
3851dnsbl.ahbl.org (union of all results)
3670unsure.nether.net
3585dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
3394l1.spews.dnsbl.sorbs.net
3157spamsources.fabel.dk
3131ubl.unsubscore.com
3069spam.wytnij.to
2983rmst.dnsbl.net.au
2914brazil.blackholes.us
2344dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
2135mail-abuse.blacklist.jippg.org
1781taiwan.blackholes.us
1599spews.dnsbl.net.au
1548dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
1421tr.countries.nerd.dk
1419turkey.blackholes.us
1366japan.blackholes.us
1095bl.spamcannibal.org
1060dnsbl-3.uceprotect.net
980dnsbl.njabl.org (result 127.0.0.3 = dialup)
826blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
798probes.dnsbl.net.au
754argentina.blackholes.us
730sbl-xbl.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
730sbl.spamhaus.org
685russia.blackholes.us
615ricn.dnsbl.net.au
608mexico.blackholes.us
578sbl.csma.biz
479thailand.blackholes.us
442malaysia.blackholes.us
379hongkong.blackholes.us
290no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
288singapore.blackholes.us
275blackholes.uceb.org (union of all results)
264blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
260blackholes.uceb.org (result 127.0.0.3 = spam source)
249no-more-funn.moensted.dk (result 127.0.0.9 = misc)
246dnsbl.ahbl.org (result 127.0.0.4 = spam source)
245blackholes.five-ten-sg.com (result 127.0.0.7 = spam haven)
168dnsbl.njabl.org (result 127.0.0.4 = spam source)
164blackholes.intersil.net
154dnsbl.njabl.org (result 127.0.0.2 = open relay)
151query.bondedsender.org (not a blacklist!)
128ohps.dnsbl.net.au
115dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
90flowgoaway.com
75blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
74dnsbl.ahbl.org (result 127.0.0.7 = spam haven)
67work.drbl.croco.net
66multihop.dsbl.org
61relays.ordb.org
60dnsbl.antispam.or.id
33relays.nether.net
26osps.dnsbl.net.au
16tor.dnsbl.sectoor.de (result 127.0.0.2 = /24 contains a Tor server)
16exemptions.ahbl.org (not a blacklist!)
16tor.dnsbl.sectoor.de (union of all results)
15spamguard.leadmon.net (union of all results)
13rdts.dnsbl.net.au
12blackholes.brainerd.net
10nigeria.blackholes.us
10spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
9blackholes.uceb.org (result 127.0.0.2 = open relay)
9dnsbl.ahbl.org (result 127.0.0.15 = open relay)
9dnsbl.ahbl.org (result 127.0.0.19 = open proxy test zone)
7dnsbl.sorbs.net (result 127.0.0.5 = open relay)
6osrs.dnsbl.net.au
6hil.habeas.com
5dnsbl.ahbl.org (result 127.0.0.10 = shoot on sight spammer)
3blackholes.uceb.org (result 127.0.0.5 = dialup)
3owps.dnsbl.net.au
3spamguard.leadmon.net (result 127.0.0.3 = spam source)
2blackholes.uceb.org (result 127.0.0.8 = spam source with fake sender)
2dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
2spamguard.leadmon.net (result 127.0.0.8 = open proxy)
2bl.deadbeef.com
1blackholes.uceb.org (result 127.0.0.6 = spam haven)
1no-more-funn.moensted.dk (result 127.0.0.5 = relay output)
1blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
1blackholes.five-ten-sg.com (result 127.0.0.11 = TCPA violator)
1blackholes.five-ten-sg.com (result 127.0.0.6 = open relay)
1blackholes.five-ten-sg.com (result 127.0.0.10 = virus notices)
1blackholes.five-ten-sg.com (result 127.0.0.13 = challenge-response source)
1combined-hib.dnsiplists.completewhois.com (result 127.0.0.2 = unallocated IP address)

The blackholes.intersil.net zone "lists entrenched spammers, mainsleaze and mainsleaze wannabes who have pestered users at Intersil." The flowgoaway.com zone lists FloNetwork systems.

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses.

HitsDNS Zone
83795(total number of IP addresses whose names were tested, including 526 at SDSC)
44889(union of all domain zones)
32708rddn.dnsbl.net.au
31956abuse.rfc-ignorant.org
22356dynamic.rhs.mailpolice.com
21945whois.rfc-ignorant.org (union of all results)
17208whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
4738whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
3007webmail.rhs.mailpolice.com
645rhsbl.ahbl.org
510adv.rhs.mailpolice.com
335postmaster.rfc-ignorant.org
107dsn.rfc-ignorant.org (zone not intended for this use)
105bogusmx.rfc-ignorant.org
99bulk.rhs.mailpolice.com
2porn.rhs.mailpolice.com
1blackhole.securitysage.com

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains.

HitsDNS Zone
42809(total number of domains tested, including 457 at SDSC)
8025(union of all domain zones)
2917whois.rfc-ignorant.org (union of all results)
2883abuse.rfc-ignorant.org
2338whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
1289postmaster.rfc-ignorant.org
1285webmail.rhs.mailpolice.com
1031rhsbl.ahbl.org
952dsn.rfc-ignorant.org
713bogusmx.rfc-ignorant.org
579whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
210porn.rhs.mailpolice.com
206bulk.rhs.mailpolice.com
199adv.rhs.mailpolice.com
161blackhole.securitysage.com
55rhsbl.sorbs.net (result 127.0.0.11 = domain uses bad address space)
55rhsbl.sorbs.net (union of all results)
25rddn.dnsbl.net.au (zone not intended for this use)
16ex.dnsbl.org
11dynamic.rhs.mailpolice.com
1cart00ney.surriel.com

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 27 August 2006.