Status of anonwhois.org: DEAD

I first blogged about the ANONWHOIS blacklist back in 2010. It was very useful to identify domains where ownership information was cloaked from the public. Why? Because many of us in the anti-spam and security community think that for a domain being used for commercial purposes, it isn't right to hide who the owner is. And this obstruction to transparency is often exploited by bad guys who send spam and malware, to try to make it harder to identify them.

For folks working in the deliverability realm, we used ANONWHOIS to remind clients that it is not a best practice to mask ownership info for a domain name. ISPs who notice this will often consider it suspicious, and services like the Network Abuse Clearinghouse will decline to include your domains in their database.

The ANONWHOIS website recently went offline, somewhere around the start of February, 2017. (The Internet Wayback Machine last shows the ANONWHOIS website up and running on October 2, 2016.)

I was able to contact one of the maintainers of ANONWHOIS and he confirmed for me that they have shut down for good. Sounds like ICANN policy changes over the past few years have made it harder and harder for them to adequately track information necessary to make informed decisions regarding potential entries on their list.

I am sorry to see them go, but I thank them for their six+ years of service to the internet community.

Perhaps a new service will appear to fill the void.

Status of bl.spamcannibal.org: Fix in progress

Reader Matt wrote to me with the following: "I had to take bl.spamcannibal.org out of my DNSbl checks due to 1+ second DNS response times and zero unique hits. Do you have any details on what's going on with them? Are they dying or dead?"

Matt, don't despair. I reached out to the publisher of the Spam Cannibal DNSBL (bl.spamcannibal.org) and he let me know that Spam Cannibal is experiencing a system issue with their primary database mirror. A new system should go online soon and then things should be up and working again.

I'll update this page with more information as I receive it. Stay tuned.

SURBL: Adding ABUSE sublist, deprecating SC & AB

The domain blacklist SURBL announced today that it is deprecating the SC (Spamcop) and AB (AbuseButler) sublists, migrating their data into a new ABUSE sublist. They note that the WS (Bill Stearns' sa-blacklist) sublist is also going to be migrated into ABUSE in 2016.

SURBL also recently announced the addition of SURBL-specific blocking notification messages to the popular SpamAssassin spam filtering software.

Status of no-more-funn.moensted.dk: DEAD

The "No More Funn" blacklist (DNSBL zone no-more-funn.moensted.dk) was run by a gentleman from Denmark using the alias dr. Jørgen Mash. First observed in 2002, listing criteria included spam sources, IP address ranges that appeared dynamic, bulk mailers not requiring confirmed opt-in (double opt-in) and more. It was easy for email service providers (ESPs) to end up listed there, and ESP clients would often ask about those listings because they would show up in DNSBL lookups, though it's not clear that the blacklist was widely used for spam blocking.

At some point in 2012, the blacklist was taken offline. At the end of 2015, the website reports that the blacklist is still offline. Thus, I'm going to call this one "dead."

What is blacklist.zap?

Here's a blast from the past: Remember blacklist.zap?

There were various "blacklist.zap" blacklists and they were all indicative of blocking when sending to mailboxes hosted behind "FrontBridge" anti-spam and security protection:

  • The list 85.blacklist.zap specifically referred to FrontBridge's use of the Composite Blocking List (CBL). If you were blocked by 85.blacklist.zap, it meant that your sending IP address was listed on the CBL.
  • The list 86.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Block List (SBL). If you were blocked by 86.blacklist.zap, it meant that your sending IP address was listed on the SBL.
  • The list 87.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Exploits Block List (XBL). If you were blocked by 87.blacklist.zap, it meant that your sending IP address was listed on the XBL.
  • The list 88.blacklist.zap specifically referred to FrontBridge's own internally-generated blacklist of sending IP addresses noted to be spammy, usually based on a high percentage of mail from that IP address being denoted as spammy.

FrontBridge was later acquired by Microsoft and I think it's been a long time since anybody has seen blacklist.zap blocking in a bounce message, but I thought it would be good to keep a record of this for posterity's sake.