Blacklists Compared

21 April 2012

[ Fighting Spam | Dialup Zones | Blacklists Compared | Current Blacklist Comparison | Sendmail Configuration ]

Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the hostkarma.junkemailfilter.com (all results but 127.0.0.2, 127.0.0.3, and 127.0.0.4), exemptions.ahbl.org, query.bondedsender.org, list.dnswl.org, accredit.habeas.com, iadb.isipp.com, iadb2.isipp.com, swl.spamhaus.org, and wl.mailspike.net zones because they are not blacklists. Because they are too aggressive to be widely useful the spam.dnsbl.sorbs.net and l2.apews.org zones are also excluded from the union.

HitsDNS Zone
50250(total number of IP addresses tested, including 178 at SDSC)
47418(union of most IP zones)
38092l2.apews.org
37602b.barracudacentral.org
37201zen.spamhaus.org (union of all results)
35850ip.v4bl.org
35585zen.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
35585cbl.abuseat.org
28208bl.tiopan.com
24837zen.spamhaus.org (result 127.0.0.11 = Spamhaus PBL, Spamhaus entry)
24218hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
22328dnsbl-1.uceprotect.net
19473dnsbl-3.uceprotect.net
19143dnsbl-2.uceprotect.net
18738all.spamrats.com (union of all results)
17780spam.dnsbl.sorbs.net
17303bl.mailspike.net (union of all results)
16380hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
15990dnsbl.sorbs.net (union of all results)
13344psbl.surriel.com
12859bl.spameatingmonkey.net
12830blackholes.five-ten-sg.com (union of all results)
10348all.spamrats.com (result 127.0.0.36 = dialup)
8725dnsbl.sorbs.net (result 127.0.0.7 = hacked/vulnerable)
8475all.spamrats.com (result 127.0.0.37 = no reverse DNS entry)
8098bl.mailspike.net (result 127.0.0.2 = distributed spam wave participant)
7435dnsbl.inps.de
7143dnsbl.sorbs.net (result 127.0.0.10 = dialup)
6519bl.mailspike.net (result 127.0.0.11 = very bad reputation)
6329list.dnswl.org (not a blacklist!)
5860blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
5843bl.spamcop.net
5700truncate.gbudb.net
5653bl.mailspike.net (result 127.0.0.10 = worst possible reputation)
5582ubl.unsubscore.com
5576blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
5355hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
5176db.wpbl.info
4076zen.spamhaus.org (result 127.0.0.10 = Spamhaus PBL, ISP contributed)
3488wl.mailspike.net (union of all results) (not a blacklist!)
3343bl.score.senderscore.com
2926ips.backscatterer.org
2791ix.dnsbl.manitu.net
2751hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
2550hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
2245wl.mailspike.net (result 127.0.0.17 = possible legitimate sender) (not a blacklist!)
1662hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
1506korea.services.net
1400dnsbl.sorbs.net (result 127.0.0.6 = spam source)
1388blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
1340bl.spamcannibal.org
1240wl.mailspike.net (result 127.0.0.18 = good reputation) (not a blacklist!)
885spamsources.fabel.dk
712accredit.habeas.com (not a blacklist!)
657query.bondedsender.org (not a blacklist!)
620zen.spamhaus.org (union of SBL and SBLCSS results)
559mail-abuse.blacklist.jippg.org
470zen.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
436tr.countries.nerd.dk
331l2.bbfh.ext.sorbs.net
328dnsbl.njabl.org (union of all results)
262dnsbl.njabl.org (result 127.0.0.9 = open proxy)
261dnsbl.ahbl.org (union of all results)
245aspews.ext.sorbs.net
214iadb.isipp.com (not a blacklist!)
191hostkarma.junkemailfilter.com (result 127.0.0.4 = spam source aspirant)
185dnsbl.ahbl.org (result 127.0.0.4 = spam source)
150zen.spamhaus.org (result 127.0.0.3 = Spamhaus SBLCSS)
82iadb2.isipp.com (not a blacklist!)
69dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
69dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
69dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
57dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
42dnsbl.njabl.org (result 127.0.0.2 = open relay)
24dnsbl.njabl.org (result 127.0.0.4 = spam source)
24tor.dnsbl.sectoor.de (union of all results)
21tor.dnsbl.sectoor.de (result 127.0.0.2 = /24 contains a Tor server)
19dnsbl.ahbl.org (result 127.0.0.10 = shoot on sight spammer)
15dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
13swl.spamhaus.org (union of all results) (not a blacklist!)
8bl.deadbeef.com
7multi.uribl.com (result 127.0.0.2 = spam resource)
7dnsbl-0.uceprotect.net
7multi.uribl.com (union of all results)
6swl.spamhaus.org (result 127.0.2.3 = sends transactions) (not a blacklist!)
6multi.surbl.org
6blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
5swl.spamhaus.org (result 127.0.2.103 = sends transactions - temporary listing) (not a blacklist!)
5spamguard.leadmon.net (union of all results)
3tor.dnsbl.sectoor.de (result 127.0.0.1 = Tor server)
3wl.mailspike.net (result 127.0.0.19 = very good reputation) (not a blacklist!)
3spamguard.leadmon.net (result 127.0.0.9 = abused DNS server)
2swl.spamhaus.org (result 127.0.2.2 = sends individual mail) (not a blacklist!)
2spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
2hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

HitsDNS Zone
50250(total number of IP addresses whose names were tested, including 178 at SDSC)
25813hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
20707hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
16112(union of most domain zones)
12794abuse.rfc-ignorant.org
9967l1.apews.org
6530whois.rfc-ignorant.org (union of all results)
5615whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
3335hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
2786hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
915whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
367hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
273hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
259dbl.spamhaus.org (result 127.0.1.2 = spam source)
259dbl.spamhaus.org (union of all results)
223hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
176urired.spameatingmonkey.net
160hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
98hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
56rhsbl.ahbl.org
43postmaster.rfc-ignorant.org
22multi.surbl.org
22bogusmx.rfc-ignorant.org
18fresh.spameatingmonkey.net
8multi.uribl.com (result 127.0.0.2 = spam resource)
8hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
8multi.uribl.com (union of all results)
4dsn.rfc-ignorant.org (zone not intended for this use)
1dob.sibl.support-intelligence.net
1bl.deadbeef.com
Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

HitsDNS Zone
20569(total number of domains tested, including 150 at SDSC)
16252hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
4798(union of most domain zones)
3974hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
2134hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
1974hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
1511whois.rfc-ignorant.org (union of all results)
1401hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
1386whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
1271abuse.rfc-ignorant.org
1062dbl.spamhaus.org (result 127.0.1.2 = spam source)
1062dbl.spamhaus.org (union of all results)
1025hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
806multi.surbl.org
693postmaster.rfc-ignorant.org
678urired.spameatingmonkey.net
547multi.uribl.com (union of all results)
531multi.uribl.com (result 127.0.0.2 = spam resource)
477l1.apews.org
351bogusmx.rfc-ignorant.org
269hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
231dsn.rfc-ignorant.org
128fresh.spameatingmonkey.net
125whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
88hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
18rhsbl.ahbl.org
16hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
14multi.uribl.com (result 127.0.0.4 = opt-out spam resource)
14hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
8ex.dnsbl.org
3hostkarma.junkemailfilter.com (result 127.0.1.3 = MTA somtimes sends QUIT)
2multi.uribl.com (result 127.0.0.8 = new domain or concealed contact)
1dob.sibl.support-intelligence.net
1bl.deadbeef.com
This document was last updated by Jeff Makey <jeff@sdsc.edu> on 23 April 2012.