Blacklists Compared

30 October 2010


Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the hostkarma.junkemailfilter.com (all results but 127.0.0.2, 127.0.0.3, and 127.0.0.4), exemptions.ahbl.org, query.bondedsender.org, list.dnswl.org, accredit.habeas.com, iadb.isipp.com, iadb2.isipp.com, swl.spamhaus.org, and wl.mailspike.net zones because they are not blacklists. The spam.dnsbl.sorbs.net and l2.apews.org zones are also excluded from the union because they are too aggressive to be widely useful.

Hits    DNS Zone
127360  (total number of IP addresses tested, including 161 at SDSC)
123908  (union of most IP zones)
115569  b.barracudacentral.org
112990  zen.spamhaus.org (union of all results)
110190  l2.apews.org
100434  zen.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
100406  cbl.abuseat.org
86720   hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
82711   dnsbl-1.uceprotect.net
75917   dnsbl-2.uceprotect.net
74938   dnsbl-3.uceprotect.net
74575   psbl.surriel.com
72419   zen.spamhaus.org (result 127.0.0.11 = Spamhaus PBL, Spamhaus entry)
72212   bl.mailspike.net (union of all results)
70466   bl.tiopan.com
68809   bl.spameatingmonkey.net
50397   hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
47063   spam.dnsbl.sorbs.net
43733   ubl.unsubscore.com
40457   blackholes.five-ten-sg.com (union of all results)
36991   bl.mailspike.net (result 127.0.0.2 = distributed spam wave participant)
35623   bl.mailspike.net (result 127.0.0.10 = worst possible reputation)
34272   bl.score.senderscore.com
30397   db.wpbl.info
30264   dnsbl.sorbs.net (union of all results)
27656   blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
26632   bl.spamcop.net
23056   dnsbl.sorbs.net (result 127.0.0.10 = dialup)
18386   zen.spamhaus.org (result 127.0.0.10 = Spamhaus PBL, ISP contributed)
17692   bl.mailspike.net (result 127.0.0.11 = very bad reputation)
16250   ix.dnsbl.manitu.net
15681   dnsbl.inps.de
13971   no-more-funn.moensted.dk (union of all results)
13333   mail-abuse.blacklist.jippg.org
11468   blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
10241   bl.mailspike.net (result 127.0.0.12 = bad reputation)
9838    no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
7757    hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
4917    wl.mailspike.net (union of all results) (not a blacklist!)
4679    dnsbl.ahbl.org (union of all results)
4587    dnsbl.sorbs.net (result 127.0.0.6 = spam source)
4402    list.dnswl.org (not a blacklist!)
4202    dnsbl.ahbl.org (result 127.0.0.4 = spam source)
3788    wl.mailspike.net (result 127.0.0.18 = good reputation) (not a blacklist!)
3616    ips.backscatterer.org
3552    no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
3344    hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
3169    bl.spamcannibal.org
2893    dnsbl.sorbs.net (result 127.0.0.7 = hacked/vulnerable)
2646    spamsources.fabel.dk
2579    korea.services.net
2232    hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
1310    blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
1139    dnsbl.njabl.org (union of all results)
1075    wl.mailspike.net (result 127.0.0.17 = possible legitimate sender) (not a blacklist!)
1036    hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
916     dnsbl.njabl.org (result 127.0.0.9 = open proxy)
819     tr.countries.nerd.dk
756     l2.bbfh.ext.sorbs.net
553     accredit.habeas.com (not a blacklist!)
504     query.bondedsender.org (not a blacklist!)
484     aspews.ext.sorbs.net
400     dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
399     no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
302     zen.spamhaus.org (union of SBL and SBLCSS results)
299     zen.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
288     l1.bbfh.ext.sorbs.net
176     dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
176     dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
176     dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
157     no-more-funn.moensted.dk (result 127.0.0.9 = misc)
146     dnsbl.njabl.org (result 127.0.0.2 = open relay)
129     iadb2.isipp.com (not a blacklist!)
105     iadb.isipp.com (not a blacklist!)
87      tor.dnsbl.sectoor.de (result 127.0.0.2 = /24 contains a Tor server)
87      tor.dnsbl.sectoor.de (union of all results)
78      no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
77      dnsbl.njabl.org (result 127.0.0.4 = spam source)
77      dnsbl.ahbl.org (result 127.0.0.10 = shoot on sight spammer)
68      hostkarma.junkemailfilter.com (result 127.0.0.4 = spam source aspirant)
53      wl.mailspike.net (result 127.0.0.19 = very good reputation) (not a blacklist!)
27      bl.deadbeef.com
22      blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
18      swl.spamhaus.org (union of all results) (not a blacklist!)
12      zen.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
11      swl.spamhaus.org (result 127.0.2.103 = sends transactions - temporary listing) (not a blacklist!)
11      multi.surbl.org
11      spamguard.leadmon.net (union of all results)
7       swl.spamhaus.org (result 127.0.2.2 = sends individual mail) (not a blacklist!)
5       spamguard.leadmon.net (result 127.0.0.9 = abused DNS server)
4       spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
3       zen.spamhaus.org (result 127.0.0.3 = Spamhaus SBLCSS)
3       hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
3       multi.uribl.com (union of all results)
2       multi.uribl.com (result 127.0.0.2 = spam resource)
2       dnsbl-0.uceprotect.net
2       dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
1       multi.uribl.com (result 127.0.0.8 = new domain or concealed contact)
1       wl.mailspike.net (result 127.0.0.20 = excellent reputation) (not a blacklist!)
1       dnsbl.sorbs.net (result 127.0.0.5 = open relay)
1       spamguard.leadmon.net (result 127.0.0.3 = spam source)
1       spamguard.leadmon.net (result 127.0.0.8 = open proxy)
1       blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
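
How the "union of most IP zones" rule stated in the first paragraph can be applied to collected lookup results, as an added example (not the survey's own code). It assumes the per-IP answers have already been gathered into a mapping from zone to returned codes; the function names and the sample data are constructed for illustration, and the hostkarma result-code filter is the same one the domain-based surveys use.

```python
import ipaddress

# Zones the page excludes from the union because they are not blacklists.
NOT_BLACKLISTS = {
    "exemptions.ahbl.org", "query.bondedsender.org", "list.dnswl.org",
    "accredit.habeas.com", "iadb.isipp.com", "iadb2.isipp.com",
    "swl.spamhaus.org", "wl.mailspike.net",
}
# Zones the page excludes as too aggressive to be widely useful.
TOO_AGGRESSIVE = {"spam.dnsbl.sorbs.net", "l2.apews.org"}
# hostkarma counts toward the union only for these result codes.
HOSTKARMA = "hostkarma.junkemailfilter.com"
HOSTKARMA_BLACKLIST_CODES = {"127.0.0.2", "127.0.0.3", "127.0.0.4"}


def dnsbl_query_name(ip, zone):
    """DNS name queried for an IPv4 address: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def counts_toward_union(zone, codes):
    """Apply the page's exclusion rules to one zone's returned codes."""
    if not codes or zone in NOT_BLACKLISTS or zone in TOO_AGGRESSIVE:
        return False
    if zone == HOSTKARMA:
        return bool(set(codes) & HOSTKARMA_BLACKLIST_CODES)
    return True


def tally(results):
    """results: {ip: {zone: set of returned 127.x.y.z codes}}.
    Returns (hits per zone, number of IPs counted in the union)."""
    per_zone, union = {}, 0
    for zones in results.values():
        for zone, codes in zones.items():
            if codes:  # any answer at all is a hit for that zone's own row
                per_zone[zone] = per_zone.get(zone, 0) + 1
        if any(counts_toward_union(z, c) for z, c in zones.items()):
            union += 1
    return per_zone, union


# Constructed sample: documentation addresses with invented answers.
SAMPLE = {
    "192.0.2.10": {"zen.spamhaus.org": {"127.0.0.4"}, "l2.apews.org": {"127.0.0.2"}},
    "192.0.2.11": {HOSTKARMA: {"127.0.1.1"}, "l2.apews.org": {"127.0.0.2"}},
    "192.0.2.12": {HOSTKARMA: {"127.0.0.2", "127.0.1.1"}},
    "192.0.2.13": {"wl.mailspike.net": {"127.0.0.18"}},
    "192.0.2.14": {},
}
```

In the sample, 192.0.2.11 is a hit for both hostkarma and l2.apews.org in their own rows, yet it does not count toward the union, which is why a zone's row can exceed its contribution to the union line.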

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

Hits    DNS Zone
127360  (total number of IP addresses whose names were tested, including 161 at SDSC)
75206   hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
64729   hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
57073   (union of most domain zones)
50262   abuse.rfc-ignorant.org
49692   l1.apews.org
20449   whois.rfc-ignorant.org (union of all results)
15323   whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
7316    hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
5127    whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
4488    hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
2137    hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
536     hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
455     urired.spameatingmonkey.net
423     dbl.spamhaus.org
286     hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
250     hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
77      hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
60      postmaster.rfc-ignorant.org
56      fresh.spameatingmonkey.net
55      dob.sibl.support-intelligence.net
39      multi.surbl.org
39      rhsbl.ahbl.org
36      dsn.rfc-ignorant.org (zone not intended for this use)
36      hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
35      bogusmx.rfc-ignorant.org
34      multi.uribl.com (result 127.0.0.2 = spam resource)
34      multi.uribl.com (union of all results)
3       hostkarma.junkemailfilter.com (result 127.0.1.3 = MTA sometimes sends QUIT)
1       bl.deadbeef.com

Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

Hits    DNS Zone
60856   (total number of domains tested, including 138 at SDSC)
56028   hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
11602   (union of most domain zones)
6125    hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
3484    urired.spameatingmonkey.net
3223    abuse.rfc-ignorant.org
2909    hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
2903    whois.rfc-ignorant.org (union of all results)
2652    whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
2523    hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
2151    hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
1739    dbl.spamhaus.org
1469    postmaster.rfc-ignorant.org
1384    l1.apews.org
1033    multi.surbl.org
982     hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
583     multi.uribl.com (union of all results)
570     multi.uribl.com (result 127.0.0.2 = spam resource)
515     bogusmx.rfc-ignorant.org
407     hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
283     dsn.rfc-ignorant.org
251     whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
226     fresh.spameatingmonkey.net
41      dob.sibl.support-intelligence.net
26      hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
23      rhsbl.ahbl.org
17      hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
12      hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
10      multi.uribl.com (result 127.0.0.4 = opt-out spam resource)
10      ex.dnsbl.org
3       multi.uribl.com (result 127.0.0.8 = new domain or concealed contact)
1       bl.deadbeef.com

This document was last updated by Jeff Makey <jeff@sdsc.edu> on 4 November 2010.