Status of dnsbl.ahbl.org: SHUTTING DOWN

On March 26, 2014, blacklist administrator Brielle Bruns announced that the Abusive Hosts Blocking List DNSBLs are to be shut down.

In an email to me, she explained:
"After quite a bit of thought and consideration, I've decided that it is time to wind down some of the AHBL's public DNSbl services - specifically the dnsbl, ircbl, and rhsbl. 
We've had a good 11 year run with the lists.  Times have changed -- with the deployment of IPv6 moving full speed ahead, I don't feel that the current implementation of our DNSbl services is suited to the task. 
This doesn't mean that the AHBL is going away - we'll still be around, just focusing our efforts on a mix of other anti-abuse related things and a relaunch of the RHSbl (likely in 2-3 months, possibly sooner). 
I look forward to continuing to work with the community, and appreciate and value the feedback I've received over the years."
As a result, the lists dnsbl.ahbl.org, ircbl.ahbl.org and rhsbl.ahbl.org, and the associated public lookup tools, are being retired.

I've known Brielle for many years and my interactions with her have been universally positive. Congratulations on a long eleven-year run with AHBL, and I hope whatever she works on next is something she finds fun and fulfilling.

Status of dnsblchile.org: ALIVE

DNSBL Chile, created in 2011, appears to be a Chilean homegrown effort to tackle spamblocking from a local perspective. As they explain on their website: "Existing DNSBL services aim to block spam based on the type and origin affecting certain types of user. Chilean spam is generally ignored by these DNSBLs, mainly because of the language barrier. This raises the need for a specific DNSBL for Chile, which is able to investigate cases of spam in South-American Spanish."

The DNSBL zone is just "dnsblchile.org" and they report a few different types of responses: 127.0.0.2 and 127.0.0.3 for "verified spam sources," 127.0.0.5 for "verified scam sources," and 127.0.0.10 and 127.0.0.11 for DUL/PBL-like dynamic/"should not be running an MTA" entries.

I don't know much about this blacklist in particular but it's always nice to see somebody attempt to address a previously ignored segment or region's spam problem. If you have any thoughts or details around this list, don't hesitate to drop me a line.

(Crappy translation above courtesy of my high school Spanish + a little help from Google Translate.)

Status of APEWS: ????

Long-standing (though not very accurate) blacklist APEWS seemed to be down for the count. Their website at www.apews.org has been down since March 15th, according to David Ritz.

My recommendation to mail administrators is to stop using APEWS. But then again, was anybody using APEWS recently, anyway?

For history's sake, here's a link to the article I published long ago, explaining what to do if you find yourself blacklisted by APEWS.

APEWS was previously down for three weeks in August, 2010.

Update: APEWS appears to have returned somewhere around May 1st, 2013.

It goes down, it comes back up, it goes down again, it comes back up again. At this point I think we'll just call it a status of "?????"

Status of spamtrap.trblspam.com: DEAD

The DNSBL spamtrap.trblspam.com appears to have gone offline as of April 2, 2013. It appears to have been created in early 2011 by somebody known as "Tom from TRBL," whom I observed participating in various email discussion lists. I've emailed Tom and will update this page if I receive any further details.

I recommend removing spamtrap.trblspam.com from any blacklist checking you're doing. Any time a blacklist is shut down, there's a chance that they will end up putting in a wildcard DNS record, which ends up effectively "blacklisting the world" and causing problems for any receiving sites who still have that DNSBL configured in their mail server configuration.

(Thanks to Martijn Grooten for the heads up.)

Status of dnsbl.njabl.org: DEAD

It is with sadness that I report on the closure of Jon Lewis's NJABL blacklist. From the NJABL website: "March 1, 2013: NJABL is in the process of being shut down. The DNSBL zones have been emptied. After "the Internet" has had some time to remove NJABL from server configs, the NS's will be pointed off into unallocated space (192.0.2.0/24 TEST-NET-1) to hopefully make the shutdown obvious to those who were slower to notice."

NJABL (Not Just Another BlackList) had been in existence from at least January 2002. Congrats to Jon and team for a pretty good run of eleven years.

Update: I received this in email: "Today, April 29, 2013, NS for the NJABL DNSBL zones is being pointed into 192.0.2.0/24 (TEST-NET-1) which is unrouted IP space.  This will likely cause any systems using the NJABL DNSBL zones to experience long delays in DNS resolution of NJABL DNSBL lookups.  This is being done both to sink the DNS query traffic and to hopefully be noticed by the owners/managers of those systems."

(H/T: Laura Atkins and others.)

Status of bl.csma.biz: DEAD

An entity called McFadden Associates had been publishing two different, spamtrap-driven DNSBL zones starting from October 2003. Almost ten years later, it appears that these blacklist zones are no more.

The McFadden CSMA blacklist encompassed two different DNSBL zones. The primary zone, bl.csma.biz, contained only "aggressive" hosts that have spammed repeatedly during a short (recent) timeframe. An additional zone, sbl.csma.biz, had broader listing criteria, noted by the publisher as more suitable for scoring in a filtering system than outright blocking.

As of January 2013, querying either zone will result in a false positive response, showing that an IP address is blocked, due to a wildcard DNS entry. This means that you should immediately stop using either DNSBL in your spam blocking configuration, otherwise you will reject all inbound mail, legitimate or not.

It's fairly common for a blacklist, when dying, to intentionally or un-intentionally "list the world," answering any DNS lookup request with what amounts to a "yep, that's blocked" response. This regularly causes problems for unsuspecting email system administrators who may still be querying blacklists that are now out of commission. That's why it's important to periodically review your inbound mail server's configuration to revisit what blacklists you might be using and whether or not it makes sense to continue to use them.

In this case, these blacklists are no more, and should be removed from any mail server configurations where they may still linger.
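The periodic review recommended above can be scripted. The following is an added example, not code from the original post: it probes each configured zone with the two test addresses from RFC 5782 (127.0.0.1 must never be listed, 127.0.0.2 must always be listed), which catches both the wildcard "list the world" case and the NJABL-style case of name servers pointed into unrouted space. The zone names under dnsbl.example and their answers are constructed sample data.

```python
import socket

def query_name(ip, zone):
    """DNSBL lookup name: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolver(name):
    """A record, or None on NXDOMAIN (assumed to surface as EAI_NONAME)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise  # timeout or SERVFAIL: let the caller see the failure

def check_zone(zone, resolve=system_resolver):
    """Classify a zone using the RFC 5782 test addresses."""
    try:
        never = resolve(query_name("127.0.0.1", zone))
        always = resolve(query_name("127.0.0.2", zone))
    except OSError:
        return "unreachable"      # e.g. NS pointed into unrouted space
    if never is not None:
        return "lists-the-world"  # wildcard record: every lookup says "listed"
    if always is None:
        return "empty"            # zone emptied or retired; no longer useful
    return "healthy"

# Constructed sample data: hypothetical zones and the answers they give.
SAMPLE_ZONES = [p + ".dnsbl.example" for p in ("good", "wild", "gone", "sunk")]
SAMPLE_ANSWERS = {
    "2.0.0.127.good.dnsbl.example": "127.0.0.2",
    "1.0.0.127.wild.dnsbl.example": "127.0.0.2",
    "2.0.0.127.wild.dnsbl.example": "127.0.0.2",
}

def sample_resolver(name):
    """Offline stand-in for DNS, driven by SAMPLE_ANSWERS."""
    if name.endswith(".sunk.dnsbl.example"):
        raise TimeoutError("no response from name servers")
    return SAMPLE_ANSWERS.get(name)

def audit(zones, resolve=system_resolver):
    """Map each configured zone to its status."""
    return {zone: check_zone(zone, resolve) for zone in zones}

if __name__ == "__main__":
    for zone, status in audit(SAMPLE_ZONES, sample_resolver).items():
        print(f"{zone:22} {status}")
```

Run against a real configuration, call audit() with the zones from your mail server and the default resolver; anything other than "healthy" is a candidate for removal.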

I've reached out to the one-time publisher of these blacklists, and I will follow up with more information if he's able to provide more details.




Status of rfc-ignorant.org: SHUTTING DOWN

One-time Yahoo administrator Derek Balling has announced that the RFC Ignorant blacklist is being shut down. This blacklist has existed since at least late 2001. Its listing criteria included things like not having an "abuse" or "postmaster" address that accepted mail. Listing criteria didn't necessarily overlap with the generally accepted criteria for fighting spam, so my guess is that this blacklist's lack of usefulness as a spam fighting tool had finally diminished past the point of no useful return. As Derek himself says, "the usefulness of a DNSBL is greatly diminished," and of the old hardware running the service, "the value proposition just isn't there."

I blogged about the RFC Ignorant blacklist back in 2006.

Status of blackholes.five-ten-sg.com: DEAD

The "Fiveten" Blacklist (blackholes.five-ten-sg.com) was a combination anti-spam blacklist run by Carl Byington, publishing under the name of "510 Software Group." This blacklist has been available since at least February, 2001, and it appears to have been retired as of April 2012.

As of late April, 2012, any attempt to look up an entry on the blacklist results in output indicating that "The blackholes.five-ten-sg.com list is retired. No ip address is listed here." Meaning, the blacklist is no longer in operation.

I had previously written about this blacklist back in October, 2007, and my 2007-2008 DNSBL statistics project data showed that the blacklist may not be suitable for broad production use if one wishes to receive requested email messages. The list has been up and down at various other times, most recently being taken offline for a period in November 2010.

(Hat tip: Word to the Wise)

DNSWL.org Announces Changes

Whitelist provider DNSWL.org announced changes to its operating model. Who is DNSWL.org? "Dnswl.org is the leading whitelist provider for email filtering. It is being used by over 50'000 organisations worldwide, and contains close to 100'000 entries of 'good mailservers.' Your email filter should try to avoid tagging messages as spam, if they come from one of those good mailservers."

As announced on their website and on multiple mailing lists today: "As announced earlier, dnswl.org will change its operating model. "Heavy users" (defined as those doing > 100'000 queries/24 hours on the public nameservers) and vendors of anti-spam products and services will need a paid subscription.

We are now ready to implement the model and will gradually start to enforce it. Since we do not know the current users (all we have are IPs and sometimes hostnames), we will also need to "cut off" users if our attempts at identifying and notifying them fail.

The "cut off" may have two effects: 1) rsync suddenly stops working 2) queries on the public nameservers are refused. We may be able to reinstate access on a case by case basis.

As usual, we can be reached at admins/at/dnswl.org (or office/at/dnswl.org for direct access to the people handling the subscriptions). All details are available from http://www.dnswl.org/ "