Blacklists Compared

17 September 2011

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison | Sendmail Configuration ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the hostkarma.junkemailfilter.com (all results but 127.0.0.2, 127.0.0.3, and 127.0.0.4), exemptions.ahbl.org, query.bondedsender.org, list.dnswl.org, accredit.habeas.com, iadb.isipp.com, iadb2.isipp.com, swl.spamhaus.org, and wl.mailspike.net zones because they are not blacklists. Because they are too aggressive to be widely useful the spam.dnsbl.sorbs.net and l2.apews.org zones are also excluded from the union.

HitsDNS Zone
56426(total number of IP addresses tested, including 155 at SDSC)
53694(union of most IP zones)
44534b.barracudacentral.org
43891l2.apews.org
42956zen.spamhaus.org (union of all results)
41034zen.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
41034cbl.abuseat.org
35389hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
33518bl.mailspike.net (union of all results)
29510ddnsbl.internetdefensesystems.com
28687dnsbl-1.uceprotect.net
28378dnsbl-2.uceprotect.net
28196zen.spamhaus.org (result 127.0.0.11 = Spamhaus PBL, Spamhaus entry)
28101dnsbl-3.uceprotect.net
27775spam.dnsbl.sorbs.net
22550bl.tiopan.com
22511dnsbl.sorbs.net (union of all results)
22138truncate.gbudb.net
20485ubl.unsubscore.com
19939hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
19457bl.spameatingmonkey.net
18573blackholes.five-ten-sg.com (union of all results)
16285psbl.surriel.com
16107dnsbl.sorbs.net (result 127.0.0.7 = hacked/vulnerable)
15477bl.mailspike.net (result 127.0.0.2 = distributed spam wave participant)
14867bl.mailspike.net (result 127.0.0.10 = worst possible reputation)
14819bl.mailspike.net (result 127.0.0.11 = very bad reputation)
9855blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
7130blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
6504db.wpbl.info
6285bl.spamcop.net
6083dnsbl.sorbs.net (result 127.0.0.6 = spam source)
5995list.dnswl.org (not a blacklist!)
5919dnsbl.sorbs.net (result 127.0.0.10 = dialup)
5622hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
5514zen.spamhaus.org (result 127.0.0.10 = Spamhaus PBL, ISP contributed)
5008bl.score.senderscore.com
4984no-more-funn.moensted.dk (union of all results)
4215wl.mailspike.net (union of all results) (not a blacklist!)
4159dnsbl.inps.de
3527ix.dnsbl.manitu.net
3032bl.mailspike.net (result 127.0.0.12 = bad reputation)
2798wl.mailspike.net (result 127.0.0.17 = possible legitimate sender) (not a blacklist!)
2678hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
2618hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
2514no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
2424ips.backscatterer.org
2247no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
1649hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
1558blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
1508korea.services.net
1435bl.spamcannibal.org
1411wl.mailspike.net (result 127.0.0.18 = good reputation) (not a blacklist!)
1167spamsources.fabel.dk
1012mail-abuse.blacklist.jippg.org
584accredit.habeas.com (not a blacklist!)
539query.bondedsender.org (not a blacklist!)
416dnsbl.njabl.org (union of all results)
337zen.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
337zen.spamhaus.org (union of SBL and SBLCSS results)
329dnsbl.ahbl.org (union of all results)
325dnsbl.njabl.org (result 127.0.0.9 = open proxy)
316aspews.ext.sorbs.net
302tr.countries.nerd.dk
237dnsbl.ahbl.org (result 127.0.0.4 = spam source)
205iadb2.isipp.com (not a blacklist!)
187iadb.isipp.com (not a blacklist!)
160l2.bbfh.ext.sorbs.net
123hostkarma.junkemailfilter.com (result 127.0.0.4 = spam source aspirant)
115no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
92no-more-funn.moensted.dk (result 127.0.0.9 = misc)
89dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
89dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
89dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
60dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
53dnsbl.njabl.org (result 127.0.0.2 = open relay)
47l1.bbfh.ext.sorbs.net
39no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
38dnsbl.njabl.org (result 127.0.0.4 = spam source)
32tor.dnsbl.sectoor.de (result 127.0.0.2 = /24 contains a Tor server)
32dnsbl.ahbl.org (result 127.0.0.10 = shoot on sight spammer)
32tor.dnsbl.sectoor.de (union of all results)
29blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
20bl.deadbeef.com
20swl.spamhaus.org (union of all results) (not a blacklist!)
10swl.spamhaus.org (result 127.0.2.3 = sends transactions) (not a blacklist!)
8dnsbl-0.uceprotect.net
8swl.spamhaus.org (result 127.0.2.2 = sends individual mail) (not a blacklist!)
8multi.surbl.org
7hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
6wl.mailspike.net (result 127.0.0.19 = very good reputation) (not a blacklist!)
3dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
2swl.spamhaus.org (result 127.0.2.103 = sends transactions - temporary listing) (not a blacklist!)
2spamguard.leadmon.net (union of all results)
1dnsbl.sorbs.net (result 127.0.0.5 = open relay)
1spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
1spamguard.leadmon.net (result 127.0.0.3 = spam source)
1blackholes.five-ten-sg.com (result 127.0.0.8 = open web form)
Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

HitsDNS Zone
56426(total number of IP addresses whose names were tested, including 155 at SDSC)
30461hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
24079hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
20994(union of most domain zones)
17004abuse.rfc-ignorant.org
13775l1.apews.org
8673whois.rfc-ignorant.org (union of all results)
7454whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
4354hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
2853hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
1220whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
396hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
282hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
255hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
252dbl.spamhaus.org (union of all results)
251hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
251dbl.spamhaus.org (result 127.0.1.2 = spam source)
198urired.spameatingmonkey.net
114hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
52postmaster.rfc-ignorant.org
37bogusmx.rfc-ignorant.org
24multi.surbl.org
24rhsbl.ahbl.org
22fresh.spameatingmonkey.net
16multi.uribl.com (result 127.0.0.2 = spam resource)
16multi.uribl.com (union of all results)
10dob.sibl.support-intelligence.net
8hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
4dsn.rfc-ignorant.org (zone not intended for this use)
4bl.deadbeef.com
1dbl.spamhaus.org (result 127.0.1.3 = domain redirects to spammer)
Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

HitsDNS Zone
35978(total number of domains tested, including 118 at SDSC)
24581hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
6987(union of most domain zones)
4094hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
3538whois.rfc-ignorant.org (union of all results)
3412whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
2250hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
2087hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
1427abuse.rfc-ignorant.org
1212hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
819urired.spameatingmonkey.net
755postmaster.rfc-ignorant.org
648l1.apews.org
607bogusmx.rfc-ignorant.org
595dbl.spamhaus.org (result 127.0.1.2 = spam source)
595dbl.spamhaus.org (union of all results)
521hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
425multi.uribl.com (union of all results)
412multi.uribl.com (result 127.0.0.2 = spam resource)
318multi.surbl.org
316hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
276dsn.rfc-ignorant.org
126whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
121fresh.spameatingmonkey.net
64dob.sibl.support-intelligence.net
42hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
28rhsbl.ahbl.org
16hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
14hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
12multi.uribl.com (result 127.0.0.4 = opt-out spam resource)
9ex.dnsbl.org
1multi.uribl.com (result 127.0.0.8 = new domain or concealed contact)
1hostkarma.junkemailfilter.com (result 127.0.1.3 = MTA somtimes sends QUIT)
This document was last updated by Jeff Makey <jeff@sdsc.edu> on 19 September 2011.