Blacklists Compared

16 April 2011

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison | Sendmail Configuration ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the hostkarma.junkemailfilter.com (all results but 127.0.0.2, 127.0.0.3, and 127.0.0.4), exemptions.ahbl.org, query.bondedsender.org, list.dnswl.org, accredit.habeas.com, iadb.isipp.com, iadb2.isipp.com, swl.spamhaus.org, and wl.mailspike.net zones because they are not blacklists. Because they are too aggressive to be widely useful the spam.dnsbl.sorbs.net and l2.apews.org zones are also excluded from the union.

HitsDNS Zone
52920(total number of IP addresses tested, including 206 at SDSC)
49470(union of most IP zones)
40191b.barracudacentral.org
39726l2.apews.org
39079zen.spamhaus.org (union of all results)
37242cbl.abuseat.org
37241zen.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
29921hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
29580bl.mailspike.net (union of all results)
26321zen.spamhaus.org (result 127.0.0.11 = Spamhaus PBL, Spamhaus entry)
25008dnsbl-1.uceprotect.net
24030dnsbl-2.uceprotect.net
23622dnsbl-3.uceprotect.net
20944bl.tiopan.com
20559spam.dnsbl.sorbs.net
20004bl.spameatingmonkey.net
19090dnsbl.sorbs.net (union of all results)
17597blackholes.five-ten-sg.com (union of all results)
17243hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
15733ddnsbl.internetdefensesystems.com
13717dnsbl.sorbs.net (result 127.0.0.7 = hacked/vulnerable)
13706psbl.surriel.com
13217bl.mailspike.net (result 127.0.0.10 = worst possible reputation)
12735bl.mailspike.net (result 127.0.0.2 = distributed spam wave participant)
12611bl.mailspike.net (result 127.0.0.11 = very bad reputation)
9547blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
6757db.wpbl.info
6598blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
5884bl.spamcop.net
5665ubl.unsubscore.com
5505list.dnswl.org (not a blacklist!)
5409dnsbl.sorbs.net (result 127.0.0.10 = dialup)
4630no-more-funn.moensted.dk (union of all results)
3915wl.mailspike.net (union of all results) (not a blacklist!)
3416hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
3312zen.spamhaus.org (result 127.0.0.10 = Spamhaus PBL, ISP contributed)
3288bl.mailspike.net (result 127.0.0.12 = bad reputation)
3275dnsbl.sorbs.net (result 127.0.0.6 = spam source)
3252hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
3138ips.backscatterer.org
2882dnsbl.inps.de
2640no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
2594ix.dnsbl.manitu.net
2417wl.mailspike.net (result 127.0.0.17 = possible legitimate sender) (not a blacklist!)
2129hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
1842no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
1486wl.mailspike.net (result 127.0.0.18 = good reputation) (not a blacklist!)
1458korea.services.net
1433blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
1329bl.spamcannibal.org
1260spamsources.fabel.dk
1213hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
1199mail-abuse.blacklist.jippg.org
921zen.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
921zen.spamhaus.org (union of SBL and SBLCSS results)
888l2.bbfh.ext.sorbs.net
651accredit.habeas.com (not a blacklist!)
580query.bondedsender.org (not a blacklist!)
478dnsbl.njabl.org (union of all results)
450tr.countries.nerd.dk
373aspews.ext.sorbs.net
365dnsbl.njabl.org (result 127.0.0.9 = open proxy)
323l1.bbfh.ext.sorbs.net
226bl.score.senderscore.com
207iadb2.isipp.com (not a blacklist!)
182iadb.isipp.com (not a blacklist!)
148dnsbl.ahbl.org (union of all results)
105hostkarma.junkemailfilter.com (result 127.0.0.4 = spam source aspirant)
85dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
73no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
66dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
66dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
66dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
65dnsbl.njabl.org (result 127.0.0.2 = open relay)
61no-more-funn.moensted.dk (result 127.0.0.9 = misc)
48dnsbl.njabl.org (result 127.0.0.4 = spam source)
41tor.dnsbl.sectoor.de (union of all results)
40tor.dnsbl.sectoor.de (result 127.0.0.2 = /24 contains a Tor server)
38dnsbl.ahbl.org (result 127.0.0.4 = spam source)
33no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
25dnsbl.ahbl.org (result 127.0.0.10 = shoot on sight spammer)
19blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
16swl.spamhaus.org (union of all results) (not a blacklist!)
12wl.mailspike.net (result 127.0.0.19 = very good reputation) (not a blacklist!)
10swl.spamhaus.org (result 127.0.2.103 = sends transactions - temporary listing) (not a blacklist!)
10bl.deadbeef.com
6swl.spamhaus.org (result 127.0.2.2 = sends individual mail) (not a blacklist!)
4dnsbl-0.uceprotect.net
4multi.surbl.org
4spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
4hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
4spamguard.leadmon.net (union of all results)
3zen.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
2dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
1tor.dnsbl.sectoor.de (result 127.0.0.1 = Tor server)
Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

HitsDNS Zone
52920(total number of IP addresses whose names were tested, including 206 at SDSC)
30117hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
24492hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
20941(union of most domain zones)
17659abuse.rfc-ignorant.org
14681l1.apews.org
6658whois.rfc-ignorant.org (union of all results)
5303whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
3805hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
3730hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
1355whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
869hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
779hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
724dbl.spamhaus.org (result 127.0.1.2 = spam source)
724dbl.spamhaus.org (union of all results)
518fresh.spameatingmonkey.net
288hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
202urired.spameatingmonkey.net
147hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
121hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
118hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
53postmaster.rfc-ignorant.org
31bogusmx.rfc-ignorant.org
25multi.surbl.org
24dsn.rfc-ignorant.org (zone not intended for this use)
20rhsbl.ahbl.org
12multi.uribl.com (result 127.0.0.2 = spam resource)
12multi.uribl.com (union of all results)
8dob.sibl.support-intelligence.net
2bl.deadbeef.com
Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

HitsDNS Zone
26397(total number of domains tested, including 182 at SDSC)
18998hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
8304(union of most domain zones)
4198whois.rfc-ignorant.org (union of all results)
4034whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
4014hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
2696hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
2538hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
2442hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
1677abuse.rfc-ignorant.org
1367dbl.spamhaus.org (result 127.0.1.2 = spam source)
1367dbl.spamhaus.org (union of all results)
914postmaster.rfc-ignorant.org
749hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
679l1.apews.org
620urired.spameatingmonkey.net
524multi.surbl.org
516bogusmx.rfc-ignorant.org
440multi.uribl.com (union of all results)
433multi.uribl.com (result 127.0.0.2 = spam resource)
382hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
318dsn.rfc-ignorant.org
311dob.sibl.support-intelligence.net
210fresh.spameatingmonkey.net
164whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
59hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
18hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
14rhsbl.ahbl.org
13hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
7multi.uribl.com (result 127.0.0.4 = opt-out spam resource)
1hostkarma.junkemailfilter.com (result 127.0.1.3 = MTA somtimes sends QUIT)
This document was last updated by Jeff Makey <jeff@sdsc.edu> on 18 April 2011.