e-Pedia: Comparison of DNS Blacklists - Wikipedia contributors - E-Book

e-Pedia: Comparison of DNS Blacklists E-Book

Wikipedia Contributors

Description

This carefully crafted ebook is formatted for your eReader with a functional and detailed table of contents. The following table lists technical information for a number of DNS blacklists. This book has been derived from Wikipedia: it contains the entire text of the title Wikipedia article + the entire text of all the 19 related (linked) Wikipedia articles to the title article. This book does not contain illustrations. e-Pedia (an imprint of e-artnow) charges for the convenience service of formatting these e-books for your eReader. We donate a part of our net income after taxes to the Wikimedia Foundation from the sales of all books based on Wikipedia content.

You can read this e-book in the Legimi apps or in any app that supports the following format:

EPUB

Year of publication: 2017




e-Pedia: Comparison of DNS Blacklists

The following table lists technical information for a number of DNS blacklists
by Wikipedia contributors
For a detailed list of authors, please use the link to the authors provided at the end of each article. 
Licensed by e-Pedia (an imprint of e-artnow) 2017, pursuant to: Creative Commons Attribution-ShareAlike 3.0 Unported License (CC-BY-SA 3.0 License)
This edition has been last updated 2017-06-13
ISBN 978-80-268-5572-9
Editorial note: this carefully crafted ebook is formatted for your eReader with a functional and detailed table of contents. This book has been derived from Wikipedia: it contains the entire text of the title Wikipedia article + the entire text of all the 19 related (linked) Wikipedia articles to the title article. This book does not contain illustrations or illustration descriptions.  e-Pedia (an imprint of e-artnow) charges for the convenience service of formatting these e-books. We donate a part of our net income after taxes to the Wikimedia Foundation from the sales of all e-books based on Wikipedia content. You can access the original Wikipedia articles on the internet free of charge. e-artnow and e-Pedia are neither affiliated with nor endorsed by Wikipedia or the Wikimedia Foundation.
Disclaimer:
this book does not constitute professional advice. If you need specific advice (for example, medical, legal, financial or risk management), please seek a professional who is licensed or knowledgeable in that area.
This book may include hyper-links to other sites which are not maintained by, or related to e-Pedia (an imprint of e-artnow). Hyper-links to such sites are provided as a service to readers and are not sponsored by or affiliated with Wikipedia or e-Pedia/e-artnow. e-Pedia/e-artnow has not reviewed any or all of such sites and is not responsible for the content of those sites. e-Pedia/e-artnow is not responsible for webcasting or any other form of transmission received from any hyper-linked site. Hyper-links are to be accessed at the user's own risk, and e-Pedia/e-artnow makes no representations or warranties about the content, completeness or accuracy of these hyperlinks or the sites hyper-linked to such site. e-Pedia/e-artnow provides hyper-links as a convenience, and the inclusion of any hyper-link to a third-party site does not necessarily imply endorsement by e-Pedia/e-artnow of that site or any association with its operators.
This book has been derived from Wikipedia, pursuant to the Creative Commons Attribution-ShareAlike 3.0 Unported License (CC-BY-SA 3.0 License)
e-artnow and e-Pedia are neither affiliated with nor endorsed by Wikipedia or the Wikimedia Foundation.

Recommended titles:

e-Pedia: Web Scraping

e-Pedia: Anti-spam Techniques

Main table of contents:

Comparison of DNS Blacklists

Introduction

Linked articles


Comparison of DNS Blacklists

The following table lists technical information for a number of DNS blacklists.

| Blacklist operator | DNS blacklist | Zone | Listing goal | Nomination | Listing lifetime | Notes | Collateral listings | Notifies upon listing |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| WebIron LLC RBL | BABL | babl.rbl.webiron.net | Lists IP ranges belonging to officially published abuse addresses that either bounce or request not to receive abuse notices. The aim of this list is to block companies that openly shrug their abuse responsibilities. | Abuse addresses that fail to be deliverable for 3 out of the last 7 days are automatically added. | Lifetime listing or automatic once mail delivery resumes in the case of automated additions. | | Yes | No |
| WebIron LLC RBL | CABL | cabl.rbl.webiron.net | Lists IP ranges belonging to abuse addresses that have failed to handle abuse issues for at least 30 days. The aim of this list is to hold companies accountable for the abuse that originates from their networks rather than just ignoring it. | IP ranges belonging to abuse addresses with reported and unresolved issues for at least 30 days are automatically added. | Automatic removal is done once all hosts with abuse unresolved for 30 days have been clean for 2 weeks. | Data for lists are generated from live data collected by the WebIron web security platform. | Yes | Yes |
| WebIron LLC RBL | STABL | stabl.rbl.webiron.net | Lists single IP addresses recently attacking websites and servers. | Lists IP addresses belonging to hosts that have attacked at least twice within the last 48 hours. | Automatic removal is done once a host has gone 24 hours without an incident | Data for lists are generated from live data collected by the WebIron web security platform. | No | No |
| WebIron LLC RBL | All | all.rbl.webiron.net | Contains IP addresses and ranges from BABL, CABL, and STABL | Depends on list | Depends on list | | Yes | No |
| WebIron LLC RBL | Crawler | crawler.rbl.webiron.net | Web Crawler IP lookup used to match user agents with known crawler IP addresses. Data from this list is considered BETA. | | | This DNSRBL contains valid and legitimate crawlers. Matching alone should not be used for blocking | No | No |
| ARM Research Labs, LLC GBUdb | Truncate | truncate.gbudb.net | Extremely conservative list of single IP4 addresses that produce exclusively spam/malware as indicated by the GBUdb IP Reputation system. Most systems should be able to safely reject connections based on this list. | Automatic: IPs are added when the GBUdb "cloud" statistics reach a probability figure that indicates 95% of messages produce a spam/malware pattern match and a confidence figure that indicates sufficient data to trust the probability data. | Automatic: Continuous while reputation statistics remain bad. Warning: Produces false positives, and has no remedy/removal process. IPs are dropped quickly if the statistics improve (within an hour). IPs are dropped within 36 hours (typ) if no more messages are seen (dead zombie). | Source data is derived from a global network of Message Sniffer[1] filtering nodes in real-time. Truncate data is updated from statistics every 10 minutes. | No | No |
| invaluement DNSBL | ivmSIP | Paid access via rsync | Single IP addresses which only send UBE. Specializing in snowshoe spam and other 'under the radar' spams which evade many other DNSBLs. Has FP-level comparable to Zen. | Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives | Typically an automatic expiration 11 days after the last abuse was seen, but with some exceptions | Spam samples are always kept on file for each listing. Removal requests are manually reviewed and processed without fees. | No | No |
| invaluement DNSBL | ivmSIP/24 | Paid access via rsync | Lists /24 blocks of IP addresses which usually only send UBE and containing at least several addresses which are confirmed emitters of junk mail. Collateral listings are kept to a minimum because subsections are often carved from /24 listings when spammers and legit senders share the same /24 block. | Automatic once at least several IP addresses from a given block are individually listed on ivmSIP, with extensive whitelists and filtering to prevent false positives | Expiration time increases to many weeks as the fraction of IP addresses in the /24 block in question sending junk mail increases | Removal requests are quickly and manually reviewed and processed without fees. | Yes | No |
| invaluement DNSBL | ivmURI | Paid access via rsync | Comparable to uribl.com and surbl.org, this is a list of IP addresses and domains which are used by spammers in the clickable links found in the body of spam messages | Automatic (upon receipt of a spam to a real person's mailbox), with extensive whitelists and filtering to prevent false positives | Typically an automatic expiration several weeks after the last abuse was seen. | Spam samples are always kept on file for each listing. Removal requests are quickly and manually reviewed and processed without fees. | No | No |
| proxyBL | dnsbl | dnsbl.proxybl.org | Lists all types of open (publicly accessible) proxies | Automated listing through crawling of websites | As long as proxy is verified open (automated)[2] Service died mid 2014 | Time between verifications increases exponentially in relation to the number of times the host was verified an open proxy | Yes | No |
| UCEPROTECT-Network | UCEPROTECT Level 1 | dnsbl-1.uceprotect.net (also free available via rsync [3]) | Single IP addresses that send mail to spamtraps | Automatic by a cluster of more than 60 trapservers [4] | Automatic expiration 7 days after the last abuse was seen, optionally express delisting for a small fee. | UCEPROTECT's primary and the only independent list | No | No |
| UCEPROTECT-Network | UCEPROTECT Level 2 | dnsbl-2.uceprotect.net (also free available via rsync [3]) | Allocations with exceeded UCEPROTECT Level 1 listings | Automatic calculated from UCEPROTECT-Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 2 listing border, optionally express delisting (for a fee) | Fully depending on Level 1 | Yes | No |
| UCEPROTECT-Network | UCEPROTECT Level 3 | dnsbl-3.uceprotect.net (also free available via rsync [3]) | ASN's with excessive UCEPROTECT Level 1 listings | Automatic calculated from UCEPROTECT-Level 1 | Automatic removal as soon as Level 1 listings decrease below Level 3 listing border, optionally express delisting (fee) | Fully depending on Level 1 | Yes | No |
| Spam and Open Relay Blocking System (SORBS) | dnsbl | dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | Aggregate zone (all aggregates and what they include are listed on SORBS)[5] | As per component list | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | safe.dnsbl | safe.dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | N/A (See individual zones) | N/A (See individual zones) | "Safe" Aggregate zone (all zones in dnsbl.sorbs.net except "recent", "old", "spam" and "escalations") | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | http.dnsbl | http.dnsbl.sorbs.net | Open HTTP proxy servers | Feeder servers | Until delisting requested. | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | socks.dnsbl | socks.dnsbl.sorbs.net | Open SOCKS proxy servers | Feeder servers | Until delisting requested. | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | misc.dnsbl | misc.dnsbl.sorbs.net | Additional proxy servers | Feeder servers | Until delisting requested. | Those not already listed in the HTTP or SOCKS databases | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | smtp.dnsbl | smtp.dnsbl.sorbs.net | Open SMTP relay servers | Feeder servers | Until delisting requested. | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | web.dnsbl | web.dnsbl.sorbs.net | IP addresses with vulnerabilities that are exploitable by spammers (e.g. FormMail scripts) | Feeder servers | Until delisting requested or Automated Expiry | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | new.spam.dnsbl | new.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS or SORBS Spamtraps in the last 48 hours | SORBS Admin and Spamtrap | Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | recent.spam.dnsbl | recent.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS or SORBS Spamtraps in the last 28 days | SORBS Admin and Spamtrap | Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | old.spam.dnsbl | old.spam.dnsbl.sorbs.net | Hosts that have sent spam to the admins of SORBS or SORBS Spamtraps in the last year | SORBS Admin and Spamtrap | Renewed every 20 minutes based inclusion in on 'spam.dnsbl.sorbs.net' | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | spam.dnsbl | spam.dnsbl.sorbs.net | Hosts that have allegedly sent spam to the admins of SORBS or SORBS Spamtraps at any time | SORBS Admin and Spamtrap. | Until delisting requested. | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | escalations.dnsbl | escalations.dnsbl.sorbs.net | Netblocks of service providers believed to support spammers | SORBS Admin fed. | Until delisting requested and matter resolved. | Service providers are added on receipt of a 'third strike' spam | Yes | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | block.dnsbl | block.dnsbl.sorbs.net | Hosts demanding that they never be tested | Request by host | N/A | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | zombie.dnsbl | zombie.dnsbl.sorbs.net | Hijacked networks | SORBS Admin (manual submission) | Until delisting requested. | | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | dul.dnsbl | dul.dnsbl.sorbs.net | Dynamic IP address ranges | SORBS Admin (manual submission) | Until delisting requested. | Not a list of dial-up IP addresses | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | noservers.dnsbl | noservers.dnsbl.sorbs.net | No Servers Permitted by ISP Policy | Netblock Owner Administered | Not Applicable. | No Servers Permitted by ISP Policy | No | Via SORBS Report Manager |
| Spam and Open Relay Blocking System (SORBS) | rhsbl | rhsbl.sorbs.net | Aggregate RHS zones | N/A | N/A | | No | No |
| Spam and Open Relay Blocking System (SORBS) | badconf.rhsbl | badconf.rhsbl.sorbs.net | Domains with invalid A or MX records in DNS | Open submission via automated testing page. | Until delisting requested. | | No | No |
| Spam and Open Relay Blocking System (SORBS) | nomail.rhsbl | nomail.rhsbl.sorbs.net | Domains which the owners have confirmed will not be used for sending email | Owner submission | Until delisting requested. | | No | No |
| Spamhaus | SBL Advisory | sbl.spamhaus.org | Verified sources of spam, including spammers and their support services, per policy | Manual | From five minutes to a year or more, depending on issue and resolution | | Rarely (escalation) | Yes (partial) |
| Spamhaus | XBL Advisory | xbl.spamhaus.org | Illegal third-party exploits (e.g. open proxies, email spambots, malware download sites and botnets) | Third-party with automated additions | Varies, under a month, self removal via Composite Blocking List lookup. | Consists of the Composite Blocking List | No | No |
| Spamhaus | PBL Advisory | pbl.spamhaus.org | Addresses not meant to be initiating SMTP connections, such as residential dynamic IPs | Manual, by providers controlling the IPs or by Spamhaus PBL Team | Self-removal (see spamhaus web site) | Should not be confused with the MAPS DUL and Wirehub Dynablocker lists | No | No |
| Spamhaus | SBL+XBL | sbl-xbl.spamhaus.org | A single lookup for querying the SBL and XBL databases | | | | As per component list | As per component list |
| Spamhaus | Zen | zen.spamhaus.org | A single lookup for querying the SBL, XBL and PBL databases. | | | Preferred list to check all Spamhaus listings with one query. | As per component list | As per component list |
| ORBITrbl Aggressive RBL | RBL | rbl.orbitrbl.com | Unsolicited bulk/Commercial email senders (/24 IP address block) | Feeder servers | Until delisting requested? (Only When Found to be Non Spam Source) | Their web server is down[6] 2014-11-17 - Their RBL server is reporting all queries as SPAM. Aggregate zone | Yes | No |
| Composite Blocking List | CBL | cbl.abuseat.org (also free available rsync access, on request see FAQ [7]) | Only IP addresses exhibiting characteristics specific to open proxies, spamware, malware downloaders, botnets and the like. | Automatic: large spamtraps, production mail servers and other detection methods. | Less than a month after last listable event, self-removal via CBL lookup. | Use Spamhaus XBL or Spamhaus Zen instead; they include CBL. | No | No |
| IBM DNS Blacklist | Cobion | dnsbl.cobion.com | | | | This DNSBL zone is part of the default configuration for Proventia Mail Security System and Lotus Protector for Mail Security | No | No |
| Passive Spam Block List | PSBL | psbl.surriel.com (also free available via rsync [1]) | IP addresses used to send spam to trap | spamtraps | Temporary, until spam stops | | No | No |
| DNSRBL - DNS Real-time Blackhole List | DNSRBL | dnsrbl.org | IP addresses used to send spam to trap | spamtraps | Temporary, until spam stops | | No | No |
| Weighted Private Block List | WPBL | db.wpbl.info | IP addresses used to send UBE to members | spamtraps | Temporary, until spam stops | | No | No |
| Protected Sky RBL | RBL | bad.psky.me | IP Reputation based. Seems to be proprietary. | Automatic, "based on several factors". | Temporary. Has self removal, users can not request delisting. | | Yes | No |
| SpamCop Blocking List | SCBL | bl.spamcop.net | IP addresses which have been used to transmit reported email to SpamCop users | Users submit | Temporary, until spam stops, has self removal | | No | Yes (partial) |
| SpamRats | RATS-NoPtr | noptr.spamrats.com | IP addresses detected as abusive at ISP's using MagicMail Servers, with no reverse DNS service | Automatically Submitted | Listed until removed, and reverse DNS configured | | Yes | No |
| SpamRats | RATS-Dyna | dyna.spamrats.com | IP addresses detected as abusive at ISP's using MagicMail Servers, with non-conforming reverse DNS service (See Best Practises) indicative of compromised systems | Automatically Submitted | Listed until removed, and reverse DNS set to conform to Best Practises | | Yes | No |
| SpamRats | RATS-Spam | spam.spamrats.com | IP addresses detected as abusive at ISP's using MagicMail Servers, and manually confirmed as spam sources | Manually Submitted | Listed until removed | | Yes | No |
| SpamRats | RATS-Auth | auth.spamrats.com | IP addresses detected probing passwords or authenticating without sending mail | Automatically Submitted | Listed until removed | | Yes | No |
| SpamCannibal | spamcannibal.org | bl.spamcannibal.org | IP addresses and related generic netblocks that have sent spam. | spamtraps | Until removal requested and matter resolved by changing server DNS ptr record to a non-generic name. | Even if a particular IP has not sent spam, it may be included in a generic netblock which will provide many false positives. listed=127.0.0.2 | Yes | No |
| Distributed Realtime Blocking List | drand DRBL node | spamtrap.drbl.drand.net | IP addresses used to send spam to traps or members | Automated [de]listing. | Varies from spam type, rate and other sophisticated factors. 30 s to 1 week. | High IP network aggregate threshold greater than or equal 254. Offline since 2010. [8] | Yes | No |
| Junk Email Filter | Hostkarma | hostkarma.junkemailfilter.com, blacklist.hostkarma.com | Detects viruses by behavior using fake high MX and tracking non-use of QUIT | Automated [de]listing | Black list Data lives for 4 days. White list data lives for 10 days. | 127.0.0.1=white 127.0.0.2=black 127.0.0.3=yellow | Yes | No |
| The Abusive Hosts Blocking List (AHBL) | dnsbl | dnsbl.ahbl.org | Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers | Feeder systems, manual | Until delisting requested. As announced,[9] all public zones are no longer functioning (they return positive responses for all queries) | Aggregate zone (all aggregates and what they include are listed on AHBL)[10] | Yes | No |
| The Abusive Hosts Blocking List (AHBL) | rhsbl | rhsbl.ahbl.org | Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs | Manual | | | Yes | No |
| The Abusive Hosts Blocking List (AHBL) | ircbl | ircbl.ahbl.org | Subset of dnsbl, contains only open proxies, compromised machines, comment spammers | | Until delisting requested | Designed for use on IRC servers | Yes | No |
| Quorum.to | ip-dnsbl | list.quorum.to. ( or per-subscriber: [id].list.quorum.to. ) | Stop spam from hosts that send no legitimate mail (list most non-mail-sending hosts). | Listings based on "instant" automated checks, recipient nomination and traps. | Listings can be challenged. Subscribers vote to decide sender status. | Public list follows standard dnsbl protocol. Subscription based service is more capable, but does not follow standard. | Yes | No |
| Heise Zeitschriften Verlag GmbH & Co. KG, hosted by manitu GmbH | NiX Spam (nixspam) | ix.dnsbl.manitu.net | Lists single IPs (no IP ranges) that send spam to spamtraps. Lists mailhosts, rather than domains, and thus blocks entire hosting providers and ISPs. | Automated listing due to spamtrap hits. Exceptions apply to bounces, NDRs and whitelisted IPs. | 12 hours after last listing or until self delisting | TXT records provide information of listing incident - NiX Spam also provides hashes for fuzzy checksum plugin (iXhash) for SpamAssassin. | No | Yes (for ISPs/ESPs on request) |
| inps.de | inps.de-DNSBL | dnsbl.inps.de | Single IP addresses | IP addresses can be reported as known spam sources by users, additionally automated listing if spam arrives at the mailservers of inps.de | IP addresses are listed until they are removed manually via the website. | A- and TXT records are available for each entry; Removal is free after 30 days for automatic additions and after 7 days for manual additions; otherwise removal fee is at least EUR 10,00. | Maybe | No |
| blocklist.de [2] | dnsbl | bl.blocklist.de | IP-Addresses who Attacks other Server/Honeypots over ssh, imap, smtp, ftp, web, rfi, sqli, ddos.... | Automatic: over Honeypots and with over 515 Users and 630 Servers from blocklist.de via Fail2Ban or own scripts | Automatic: 48 Hours after the last Attack. But earlier remove is available over the Delist-Link | Services is free! Source data is from Honeypot-Systems and over 515 User with 630 Servern there reports Attacks with Fail2Ban | No | Yes |
| SRN:SurGATE Reputation Network | SRN | srnblack.surgate.net | Spam sources, relay abusers | Feeder servers | Automatic expiry (varies by type); webpage allows delisting | Removal requests are quickly and manually reviewed and processed without fees. | Yes | No |
| s5h.net Internet Services | s5h.net | all.s5h.net | Spam sources from email, forums, referrer spam and dictionary attacks | Traps | Twelve months unless ISPs request removal earlier | By request. ISPs can provide request exclusion | Yes | No |
| MegaRBL | RBL | rbl.megarbl.net | IP addresses used to send spam to traps | spamtraps, in order to avoid abusive reports (Competitors, false positive, etc...) only MegaRBL team can add an IP to the list. | Until delisting requested. | Removal requests are quickly and manually reviewed and processed without fees. | No | Yes |
| realtimeBLACKLIST.com | RBL | rbl.realtimeblacklist.com | Spam Trap | List of IP addresses that sends spam or causing troubles with botnets or phishing | Until delisting requested. | Removal requests will be investigated and processed within 24 hours of submission. Previously known as IPrange.net RBL Project | No | No |
| BarracudaCentral | RBL | b.barracudacentral.org | Spam Trap | Provides a list of IP addresses which are sending spam. The Barracuda Reputation system uses automated collection methods to add and delete IP addresses from the BRBL. | Until delisting requested. | Requires registration of administrator and hosts to use. Removal requests are typically investigated and processed within 12 hours of submission if provided with a valid explanation | No | No |
| Virbl | RBL | virbl.dnsbl.bit.nl | IP addresses that recently sent viruses. | 2 virus mails sent to an associated system. | Automatic delisting. Listed as long as there were more than 2 virus mails sent in the last week. Offline Since May 2016 | | No | No |

Notes

"Collateral Listings" - Deliberately listing non-offending IP addresses, in order to coerce ISPs to take action against spammers under their control.

"Notifies upon listing" - Warns the owner of the IP/Domain when they list an IP. (so owners can take action to fix the problem)

References

1. "armresearch.com". armresearch.com. Retrieved 2012-05-06.
2. https://www.astaro.org/gateway-products/web-server-security/54332-dnsbl-proxybl-org-offline.html
3. UCEPROTECT® [email protected]. "UCEPROTECT®-Network - Germanys first Spam protection database". Uceprotect.net. Retrieved 2012-05-06.
4. Simpson, Ken. "Getting Onto a Blacklist Without Sending Any Spam". MailChannels Anti-Spam Blog. MailChannels Corporation. Retrieved 16 September 2011.
5. "sorbs.net". sorbs.net. Retrieved 2012-05-06.
6. http://www.orbitrbl.com
7. "The Cbl Faq". Cbl.abuseat.org. 2006-12-31. Retrieved 2012-05-06.
8. http://wayback.archive.org/web/20100310122155/http://www.drbl.ru/
9. http://www.ahbl.org/content/changes-ahbl
10. ahbl.org

External links

RBL Check, RBL Check, Multiple & Real-Time
Blacklists Compared, weekly reports since July 2001 (no new reports since 13 September 2014)
Intra2net Blacklist Monitor, tracking more than 40 blacklists and giving weekly reports on hits and false positives
Instant Multiple DNSBL Check Test, Open-to-use, Multiple DNSBL Check Test
Multi-RBL Checking Tool, Multi-RBL Checker Tool (Check to see if your IP is showing up one or more RBLs)
RBLTracker DNSBL Monitoring, Automated, Real-Time Black List Monitoring Service.
SpamAssassin rule statistics, SpamAssassin's rule ham/spam ratios over time.
List of all RBLs, Information about all existing blacklists including discontinued blacklists.
Mail Server Blacklist Monitor, Blacklist monitoring service checking 150 blacklists, can be used freely.
Barracuda Central, Devoted to sharing information with Barracuda Networks customers and the Internet security community.
WebIron, Dedicated to advanced bot network detection, tracking, blocking and eradication through cleanup and reporting.
Categories: Spamming

This page was last edited on 7 April 2017, at 09:32.

This text is based on the Wikipedia article Comparison of DNS Blacklists: https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists  which is released under the Creative Commons Attribution-ShareAlike 3.0 Unported License available online at: http://creativecommons.org/licenses/by-sa/3.0/legalcode  List of authors: https://tools.wmflabs.org/xtools/wikihistory/wh.php?page_title=Comparison_of_DNS_blacklists 

Contents

1 History of DNSBLs
2 How a DNSBL works
3 Varieties of DNSBLs
4 Uses of DNSBLs
5 Criticisms
6 See also
7 References
8 External links

DNSBL

This article is about the DNSBL. For other uses, see black hole (disambiguation).

A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to stop email spamming. It is a "blacklist" of locations on the Internet reputed to send email spam. The locations consist of IP addresses which are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists. The term "Blackhole List" is sometimes interchanged with the term "blacklist" and "blocklist".

A DNSBL is a software mechanism, rather than a specific list or policy. There are dozens of DNSBLs in existence,[1] which use a wide array of criteria for listing and delisting of addresses. These may include listing the addresses of zombie computers or other machines being used to send spam, ISPs who willingly host spammers, or those which have sent spam to a honeypot system.

Since the creation of the first DNSBL in 1997, the operation and policies of these lists have been frequently controversial,[2][3] both in Internet advocacy and occasionally in lawsuits. Many email systems operators and users[4] consider DNSBLs a valuable tool to share information about sources of spam, but others including some prominent Internet activists have objected to them as a form of censorship.[5][6][7][8] In addition, a small number of DNSBL operators have been the target of lawsuits filed by spammers seeking to have the lists shut down.[9]


 History of DNSBLs

The first DNSBL was the Real-time Blackhole List (RBL), created in 1997, at first as a BGP feed by Paul Vixie, and then as a DNSBL by Eric Ziegast as part of Vixie's Mail Abuse Prevention System (MAPS); Dave Rand at Abovenet was its first subscriber.[10] The very first version of the RBL was not published as a DNSBL, but rather a list of networks transmitted via BGP to routers owned by subscribers so that network operators could drop all TCP/IP traffic for machines used to send spam or host spam supporting services, such as a website. The inventor of the technique later commonly called a DNSBL was Eric Ziegast while employed at Vixie Enterprises.

The term "blackhole" refers to a networking black hole, an expression for a link on a network that drops incoming traffic instead of forwarding it normally. The intent of the RBL was that sites using it would refuse traffic from sites which supported spam — whether by actively sending spam, or in other ways. Before an address would be listed on the RBL, volunteers and MAPS staff would attempt repeatedly to contact the persons responsible for it and get its problems corrected. Such effort was considered very important before blackholing all network traffic, but it also meant that spammers and spam supporting ISPs could delay being put on the RBL for long periods while such discussions went on.

Later, the RBL was also released in a DNSBL form and Paul Vixie encouraged the authors of sendmail and other mail software to implement RBL support in their clients. These allowed the mail software to query the RBL and reject mail from listed sites on a per-mail-server basis instead of blackholing all traffic.

Soon after the advent of the RBL, others started developing their own lists with different policies. One of the first was Alan Brown's Open Relay Behavior-modification System (ORBS). This used automated testing to discover and list mail servers running as open mail relays—exploitable by spammers to carry their spam. ORBS was controversial at the time because many people felt running an open relay was acceptable, and that scanning the Internet for open mail servers could be abusive.

In 2003, a number of DNSBLs came under denial-of-service attacks. Since no party has admitted to these attacks nor been discovered responsible, their purpose is a matter of speculation. However, many observers believe the attacks are perpetrated by spammers in order to interfere with the DNSBLs' operation or hound them into shutting down. In August 2003, the firm Osirusoft, an operator of several DNSBLs including one based on the SPEWS data set, shut down its lists after suffering weeks of near-continuous attack.

Technical specifications for DNSBLs came relatively late in RFC 5782.[11]


 URI DNSBLs

A URI DNSBL is a DNSBL that lists the domain names and sometimes also IP addresses which are found in the "clickable" links contained in the body of spams, but generally not found inside legitimate messages.

URI DNSBLs were created when it was determined that much spam made it past spam filters during that short time frame between the first use of a spam-sending IP address and the point where that sending IP address was first listed on major sending-IP-based DNSBLs.

In many cases, such elusive spams contain in their links domain names or IP addresses (collectively referred to as URIs) where that URI was already spotted in previously caught spam and where that URI is not found in non-spam e-mail.

Therefore, when a spam filter extracts all URIs from a message and checks them against a URI DNSBL, then the spam can be blocked even if the sending IP for that spam has not yet been listed on any sending IP DNSBL.

Of the three major URI DNSBLs, the oldest and most popular is SURBL.[12] After SURBL was created, some of the volunteers for SURBL started the second major URI DNSBL, URIBL.[13] In 2008, another long-time SURBL volunteer started another URI DNSBL, ivmURI.[14] The Spamhaus Project provides the Spamhaus Domain Block List (DBL) which they describe as domains "found in spam messages".[15] The DBL is intended as both a URIBL and RHSBL, to be checked against both domains in a message's envelope and headers and domains in URLs in message bodies. Unlike other URIBLs, the DBL only lists domain names, not IP addresses, since Spamhaus provides other lists of IP addresses.

URI DNSBLs are often confused with RHSBLs (Right Hand Side BLs), but they are different. A URI DNSBL lists domain names and IPs found in the body of the message. An RHSBL lists the domain names used in the "from" or "reply-to" e-mail address. RHSBLs are of debatable effectiveness since many spams either use forged "from" addresses or use "from" addresses containing popular freemail domain names, such as @gmail.com, @yahoo.com, or @hotmail.com. URI DNSBLs are more widely used than RHSBLs, are very effective, and are used by the majority of spam filters.
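The difference between the two list types, as an added example that is not part of the original article: a filter extracts link hosts from the body for the URI DNSBL and the From domain for the RHSBL, and a message with a forged freemail sender is caught only by the former. The zones, the listed names, the sample message and the rule of querying each parent domain down to two labels are assumptions made for the illustration; real lists publish their own query rules.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed zones and listings: an in-memory stand-in for DNS answers.
URI_ZONE = "uribl.example.net"
RHS_ZONE = "rhsbl.example.net"
LISTED = {
    "spamvertised.example." + URI_ZONE,   # domain seen in earlier spam links
    "55.2.0.192." + URI_ZONE,             # IP literal 192.0.2.55 used in links
    "spammer-owned.example." + RHS_ZONE,  # sender domain on the RHSBL
}

# Constructed message: freemail-style From address, spamvertised links in body.
SAMPLE = (
    "From: Special Offers <sender@freemail.example>\n"
    "Subject: limited time\n"
    "\n"
    "Order at http://WWW.Spamvertised.example/buy?id=7 today,\n"
    "mirror: http://192.0.2.55:8080/buy\n"
)

URI_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def uri_hosts(body):
    """Hosts (domain names or IP literals) of every http(s) link in the body."""
    hosts = []
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri).hostname   # lower-cased, port and userinfo removed
        except ValueError:                  # malformed bracketed host
            continue
        host = (host or "").rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def uri_query_names(host, zone):
    """Names to look up for one link host in a URI DNSBL zone."""
    try:
        octets = str(ipaddress.IPv4Address(host)).split(".")
    except ValueError:
        labels = host.split(".")
        # Assumption: query the host and each parent down to two labels.
        return [".".join(labels[i:]) + "." + zone for i in range(len(labels) - 1)]
    return [".".join(reversed(octets)) + "." + zone]   # IP literal: reversed octets


def rhs_query_name(msg, zone):
    """Name to look up for the right-hand side of the From address."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return domain + "." + zone if domain else None


def scan(raw, listed, uri_zone=URI_ZONE, rhs_zone=RHS_ZONE):
    """Check one raw message against both list types."""
    msg = message_from_string(raw)
    uri_hits = [name
                for host in uri_hosts(msg.get_payload())
                for name in uri_query_names(host, uri_zone)
                if name in listed]
    return {"rhs_hit": rhs_query_name(msg, rhs_zone) in listed, "uri_hits": uri_hits}


if __name__ == "__main__":
    print(scan(SAMPLE, LISTED))
```
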


 How a DNSBL works

To operate a DNSBL requires three things: a domain to host it under, a nameserver for that domain, and a list of addresses to publish.

It is possible to serve a DNSBL using any general-purpose DNS server software. However, this is typically inefficient for zones containing large numbers of addresses, particularly DNSBLs which list entire Classless Inter-Domain Routing netblocks. Because general-purpose DNS server software consumes large amounts of resources in this role, there are software applications designed specifically for servers acting as a DNS blacklist.

The hard part of operating a DNSBL is populating it with addresses. DNSBLs intended for public use usually have specific, published policies as to what a listing means, and must be operated accordingly to attain or sustain public confidence.


 DNSBL queries

When a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let's say, dnsbl.example.net), it does more or less the following:

1. Take the client's IP address (say, 192.168.42.23) and reverse the order of octets, yielding 23.42.168.192.
2. Append the DNSBL's domain name: 23.42.168.192.dnsbl.example.net.
3. Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an "NXDOMAIN" ("No such domain") code, indicating that the client is not.
4. Optionally, if the client is listed, look up the name as a text record ("TXT" record). Most DNSBLs publish information about why a client is listed as TXT records.

Looking up an address in a DNSBL is thus similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the "A" rather than "PTR" record type, and uses a forward domain (such as dnsbl.example.net above) rather than the special reverse domain in-addr.arpa.

There is an informal protocol for the addresses returned by DNSBL queries which match. Most DNSBLs return an address in the 127.0.0.0/8 IP loopback network. The address 127.0.0.2 indicates a generic listing. Other addresses in this block may indicate something specific about the listing—that it indicates an open relay, proxy, spammer-owned host, etc. For details see RFC 5782.


 URI DNSBL

A URI DNSBL query (and an RHSBL query) is fairly straightforward. The domain name to query is prepended to the DNS list host as follows:

example.net.dnslist.example.com

where dnslist.example.com is the DNS list host and example.net is the queried domain. Generally if an A record is returned the name is listed.
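
The two query forms described above (reversed-octet IP lookup and domain lookup), as an added example that is not part of the original article. The resolver, the sample records and the function names are constructed for illustration so the code runs offline; treating an answer outside 127.0.0.0/8 as "not listed" is a defensive assumption of this example.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample records standing in for live DNS (not from any real list).
SAMPLE_ZONE = {
    ("23.42.168.192.dnsbl.example.net", "A"): "127.0.0.2",
    ("23.42.168.192.dnsbl.example.net", "TXT"): "constructed sample: generic listing",
    ("example.net.dnslist.example.com", "A"): "127.0.0.2",
    # Models a zone that answers with a non-loopback address (e.g. a wildcard record).
    ("1.2.0.192.dnsbl.example.net", "A"): "203.0.113.10",
}

def sample_resolve(name, rtype):
    """Hypothetical resolver: returns the record value, or None for NXDOMAIN."""
    return SAMPLE_ZONE.get((name, rtype))

def ip_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the DNSBL's domain name."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def domain_query_name(domain, zone):
    """URI DNSBL / RHSBL form: prepend the queried domain to the list host."""
    return domain.strip(".").lower() + "." + zone

def check(name, resolve=sample_resolve):
    """Run the A lookup, then the optional TXT lookup if the name is listed."""
    answer = resolve(name, "A")
    if answer is None:
        return {"listed": False, "code": None, "reason": None}
    if ipaddress.ip_address(answer) not in LOOPBACK:
        # Assumption of this example: an answer outside 127.0.0.0/8 is not
        # a listing code, so it is reported but not treated as a listing.
        return {"listed": False, "code": answer, "reason": None}
    return {"listed": True, "code": answer, "reason": resolve(name, "TXT")}

if __name__ == "__main__":
    for ip in ("192.168.42.23", "192.0.2.1", "198.51.100.7"):
        print(ip, check(ip_query_name(ip, "dnsbl.example.net")))
    print(check(domain_query_name("example.net", "dnslist.example.com")))
```
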


 DNSBL policies

Different DNSBLs have different policies. DNSBL policies differ from one another on three fronts:

Goals. What does the DNSBL seek to list? Is it a list of open-relay mail servers or open proxies, or of IP addresses known to send spam, or perhaps of IP addresses belonging to ISPs that harbor spammers?

Nomination. How does the DNSBL discover addresses to list? Does it use nominations submitted by users? Spam-trap addresses or honeypots?

Listing lifetime. How long does a listing last? Are they automatically expired, or only removed manually? What can the operator of a listed host do to have it delisted?

 Varieties of DNSBLs

In addition to the different types of listed entities (IP addresses for traditional DNSBLs, host and domain names for RHSBLs, URIs for URIBLs) there is a wide range of semantic variations between lists as to what a listing means. List maintainers themselves have been divided on the issues of whether their listings should be seen as statements of objective fact or subjective opinion and on how their lists should best be used. As a result, there is no definitive taxonomy for DNSBLs. Some names defined here (e.g. "Yellow" and "NoBL"[16] ) are varieties that are not in widespread use and so the names themselves are not in widespread use, but should be recognized by many spam control specialists.

White List: A listing is an affirmative indication of essentially absolute trust.

Black List: A listing is a negative indication of essentially absolute distrust.

Grey List: Most frequently seen as one word (greylist or greylisting) not involving DNSBLs directly, but using temporary deferral of mail from unfamiliar sources to allow for the development of a public reputation (such as DNSBL listings) or to discourage speed-focused spamming. Occasionally used to refer to actual DNSBLs on which listings denote distinct non-absolute levels and forms of trust or distrust.

Yellow List: A listing indicates that the source is known to produce a mixture of spam and non-spam to a degree that makes checking other DNSBLs of any sort useless.

NoBL List: A listing indicates that the source is believed to send no spam and should not be subjected to blacklist testing, but is not quite as trusted as a whitelisted source.

 Uses of DNSBLs

Most message transfer agents (MTA)[17] can be configured to absolutely block or (less commonly) to accept email based on a DNSBL listing. This is the oldest usage form of DNSBLs. Depending on the specific MTA, there can be subtle distinctions in configuration that make list types such as Yellow and NoBL useful or pointless because of how the MTA handles multiple DNSBLs. A drawback of using the direct DNSBL support in most MTAs is that sources not on any list require checking all of the DNSBLs being used with relatively little utility to caching the negative results. In some cases this can cause a significant slowdown in mail delivery. Using White, Yellow, and NoBL lists to avoid some lookups can be used to alleviate this in some MTAs.

DNSBLs can be used in rule-based spam analysis software like SpamAssassin where each DNSBL has its own rule. Each rule has a specific positive or negative weight which is combined with other types of rules to score each message. This allows for the use of rules that act (by whatever criteria are available in the specific software) to "whitelist" mail that would otherwise be rejected due to a DNSBL listing or due to other rules. This can also have the problem of heavy DNS lookup load for no useful results, but it may not delay mail as much because scoring makes it possible for lookups to be done in parallel and asynchronously while the filter is checking the message against the other rules.

It is possible with some toolsets to blend the binary testing and weighted rule approaches. One way to do this is to first check white lists and accept the message if the source is on a white list, bypassing all other testing mechanisms. A technique developed by Junk Email Filter[18] uses Yellow Lists and NoBL lists to mitigate the false positives that occur routinely when using black lists that are not carefully maintained to avoid them.

Some DNSBLs have been created for uses other than filtering email for spam, but rather for demonstration, informational, rhetorical, and testing control purposes. Examples include the "No False Negatives List," "Lucky Sevens List," "Fibonacci's List," various lists encoding GeoIP information, and random selection lists scaled to match coverage of another list, useful as a control for determining whether that list's effects are distinguishable from random rejections.
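
One way to blend the binary and weighted approaches described above, as an added example that is not part of the original article and is not the code of any MTA or filter named in it. The list names, weights, threshold and sample listings are constructed, and the order of checks is this example's assumption; the lookup log shows which DNSBL queries each source costs.

```python
# Constructed list names, weights and threshold (assumptions of this example).
WHITE, NOBL, YELLOW = "white.example", "nobl.example", "yellow.example"
BLACKLISTS = {"bl-a.example": 3.0, "bl-b.example": 1.5}
THRESHOLD = 5.0

# Constructed listings standing in for live DNSBL lookups.
SAMPLE_LISTINGS = {
    WHITE: {"192.0.2.10"},
    NOBL: set(),
    YELLOW: {"192.0.2.20"},
    "bl-a.example": {"192.0.2.20", "192.0.2.30"},
    "bl-b.example": {"192.0.2.30"},
}

def sample_is_listed(list_name, source):
    """Hypothetical lookup: one call models one DNSBL query."""
    return source in SAMPLE_LISTINGS[list_name]

def evaluate(source, content_score, is_listed=sample_is_listed):
    """Return (verdict, score, lookups) for one sending source."""
    lookups = []

    def ask(list_name):
        lookups.append(list_name)
        return is_listed(list_name, source)

    # Binary test first: a white-listed source bypasses all other testing.
    if ask(WHITE):
        return "accept", 0.0, lookups
    score = content_score
    # NoBL and Yellow sources skip the blacklist rules; only other rules count.
    if not (ask(NOBL) or ask(YELLOW)):
        score += sum(w for name, w in BLACKLISTS.items() if ask(name))
    verdict = "reject" if score >= THRESHOLD else "accept"
    return verdict, score, lookups

if __name__ == "__main__":
    for src, content in (("192.0.2.10", 4.0), ("192.0.2.20", 2.5),
                         ("192.0.2.30", 1.0), ("192.0.2.40", 1.0)):
        print(src, evaluate(src, content))
```

The unlisted source 192.0.2.40 still costs all five lookups, which is the drawback the text notes for sources that are on no list.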

 Criticisms

Some end-users and organizations have concerns regarding the concept of DNSBLs or the specifics of how they are created and used. Some of the criticisms include:

Legitimate emails blocked along with spam from shared mailservers. When an ISP's shared mailserver has one or more compromised machines sending spam, it can become listed on a DNSBL. End-users assigned to that same shared mailserver may find their emails blocked by receiving mailservers using such a DNSBL.[19] In May 2016, the SORBS system was blocking the SMTP servers of Telstra Australia, Australia's largest internet service provider. This is no surprise as at any one time, there would be thousands of computers connected to this mail server infected by zombie type viruses sending spam. The effect is to cut off all the legitimate emails from the users of the Telstra Australia system.

Lists of dynamic IP addresses. This type of DNSBL lists IP addresses submitted by ISPs as dynamic and therefore presumably unsuitable to send email directly;[6] the end-user is supposed to use the ISP's mailserver for all sending of email. But these lists can also accidentally include static addresses, which may be legitimately used by small-business owners or other end-users to host small email servers.[20]

Lists that include "spam-support operations", such as MAPS RBL.[21] A spam-support operation is a site that may not directly send spam, but provides commercial services for spammers, such as hosting of Web sites that are advertised in spam. Refusal to accept mail from spam-support operations is intended as a boycott to encourage such sites to cease doing business with spammers, at the expense of inconveniencing non-spammers who use the same site as spammers.

Some lists have unclear listing criteria and delisting may not happen automatically nor quickly. A few DNSBL operators will request payment (e.g. uceprotect.net)[22] or donation (e.g. SORBS). Some of the many listing/delisting policies can be found in the Comparison of DNS blacklists article.

Because lists have varying methods for adding IP addresses and/or URIs, it can be difficult for senders to configure their systems appropriately to avoid becoming listed on a DNSBL. For example, the UCEProtect DNSBL seems to list IP addresses merely once they have validated a recipient address or established a TCP connection, even if no spam message is ever delivered.[23]

Despite the criticisms, few people object to the principle that mail-receiving sites should be able to reject undesired mail systematically. One person who does is John Gilmore, who deliberately operates an open mail relay. Gilmore accuses DNSBL operators of violating antitrust law.

For Joe Blow to refuse emails is legal (though it's bad policy, akin to "shooting the messenger"). But if Joe and ten million friends all gang up to make a blacklist, they are exercising illegal monopoly power.[24]

A number of parties, such as the Electronic Frontier Foundation and Peacefire, have raised concerns about some use of DNSBLs by ISPs. One joint statement issued by a group including EFF and Peacefire addressed "stealth blocking", in which ISPs use DNSBLs or other spam-blocking techniques without informing their clients.[25]