Blocklist Resource

Status of relays.osirusoft.com: DEAD

This one has been gone for a long while now, but somebody asked me about it the other day, so I figured I should post something about it here.

Joe Jared was the operator of relays.osirusoft.com, a widely used anti-spam blocklist service created in 2001 that combined multiple DNSBLs to help email administrators filter out spam.

In August 2003, relays.osirusoft.com ceased operations following a series of Distributed Denial-of-Service (DDoS) attacks aimed at disrupting the service. These attacks overwhelmed the servers, leading Jared to shut down the blacklist. This decision was influenced by the persistent nature of the attacks and the challenges in maintaining the service under such conditions.

Jared's stance on data tracking and responding to policy concerns wasn't always the best; I blogged about this back in 2001, lamenting that it would be better if he could stop handing opponents ammo to use against him. In 2004, Salon wrote about Joe's legal tangles with an alleged spammer, a case he seems to have eventually won.

SpamAssassin actually seems to have utilized the Osirusoft blocklist automatically once upon a time, leading to problems when the dying blocklist configured wildcard DNS, effectively "listing the world" -- often a problem with blocklists looking to stop providing service.

Status of ix.dnsbl.manitu.net: DEAD

The maintainers of the "NixSPAM" blocklist (with a DNSBL zone of ix.dnsbl.manitu.net) have decided to shut down. As of January 16, 2025, their website at nixspam.net states that, "With a heavy heart, we have decided to discontinue the project ix.dnsbl.manitu.net." This matches a statement posted by the blocklist's maintainer on X.

No further information is available at this time. The website indicates that further information may be coming. In the mean time, I suggest that you remove this DNSBL from any spam filtering or IP reputation checks as soon as possible, as when blocklists shut down, they often can end up with "wildcard DNS" that can cause unexpected and unwanted inbound email delivery impediments.

Jan-Piet Mens previously described the NixSPAM thusly: "The NixSPAM black-list is a DNS block-list created by Bert Ungerer of ix. It contains automatically generated entries from open proxies, relays, dialup gateways, etc., and [...] Black-listed entries are automatically removed after 12 hours if no further spam from that particular source is detected within that time frame."

The NiXSPAM blocklist appears to have launched in 2003. Congrats to iX for a nearly 22 year long run.

Status of dnsbl.sorbs.net: DEAD

Multiple sources are reporting (and Proofpoint has confirmed -- see below) that the SORBS blocklist is shutting down.

According to SORBS website, they published the following DNS zones:

badconf.rhsbl.sorbs.net
block.dnsbl.sorbs.net
dnsbl.sorbs.net
dul.dnsbl.sorbs.net
escalations.dnsbl.sorbs.net
http.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
new.spam.dnsbl.sorbs.net
nomail.rhsbl.sorbs.net
noserver.dnsbl.sorbs.net
old.spam.dnsbl.sorbs.net
recent.spam.dnsbl.sorbs.net
rhsbl.sorbs.net
smtp.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
spam.dnsbl.sorbs.net
web.dnsbl.sorbs.net
zombie.dnsbl.sorbs.net

I would recommend removing any and all of these from any spam filter or mail server configuration ASAP.

You can find analysis on SORBS and this shutdown over on Mickey Chandler's Spamtacular blog. Word to the Wise had previously published a lengthy series of issues and concerns surrounding SORBS going all the way back to 2010.

Proofpoint confirmed SORBS closing to the Register, providing the following statement:

"The decision to sunset a product is never an easy one and was made after thorough consideration of various factors impacting the service's sustainability. We can confirm that SORBS was decommissioned on June 5, 2024, and the service no longer contains reputation data. Given the wide range of potential replacement solutions in the market, Proofpoint cannot make recommendations nor endorse any specific replacement product; this is dependent on an organization's needs."

As of the publishing of this note, the SORBS website itself does not seem to indicate that things are shutting down; but note the confirmation of shutdown by Proofpoint, as quoted in various press linked above.

Status of ubl.unsubscore.com: OFFLINE

LashBack's unsubscribe blacklist ("UBL"), as described by its publisher "is a unique, real-time blacklist of IP addresses which have sent email to addresses harvested from suppression files." It's a neat idea, an interesting way to monitor unsusbcribe compliance. But it can be tricky when it comes to things like shared IP addresses, addresss leakage, subscription forgery or data breaches. As I haven't tested it in a while, I can't speak to its accuracy as far as a spam filtering tool. I did test it years ago but that data is so dusty as to not warrant digging it back up.

Anyway, the reason I mention this today is that I've seen a poster on the Mailop list indicate that the Lashback UBL DNSBL is currently unavailable. If you use this DNSBL (ubl.unsubscore.com) in any of your spam filtering tools, you'll want to remove it.

Status of dnsbl.inps.de: DEAD

Christian Jung launched the inps.de DNSBL way back on December 29th, 2007.

Christian described the listing criteria as follows: "Every day thousands of spam e-mails arrive on our e-mail servers, which have to be processed by our anti-spam system. If an email is recognized as spam, the IP address of the sender is recorded in a blacklist for a certain period of time in order to enable faster email processing and reduce the system load."

Today, May 25, 2020, he has announced that it is shutting down, due to concerns around GDPR and personal challenges brought on by the coronavirus pandemic.

He appears to be shutting it down in a graceful manner -- not "listing the world" as so many lists do as they wind down. This is good to see.

Note that in addition to the DNSBL dnsbl.inps.de, this also affects the DNSWL (whitelist) found at dnswl.inps.de. Both are ceasing.

If you use either the whitelist or blocklist in your email server config, you'll want to disable those checks as soon as possible.

Status of all.rbl.webiron.net and bsb.spamlookup.net: DEAD or BROKEN

Two anti-spam blocking lists appear to have died or malfunctioned recently.

Users on the Mailop mailing list are reporting that Webiron (all.rbl.webiron.net) blocklist appears to be malfunctioning. Its domain has expired and the temporary holding pattern pending payment or termination has resulted in the Webiron DNSBL effectively "listing the world" because of wildcard DNS entries.

Another list, BSB (bsb.spamlookup.net), a DNSBL focusing on "comment spam," also recently appears to have died, as reported by MX Toolbox back on April 17th.

When most lists "die" or malfunction, they often end up with wildcard DNS entries in place, as this is a common domain DNS setting implemented by registrars, domain speculators, or domain parkers. What this means is that every single DNSBL query made to the DNSBL's domain is falsely returns with "yes, block that IP address." Meaning your spam filter suddenly blocks 100% of your inbound mail. This is bad news, if you like to actually receive inbound mail.

If you're using either of these lists, you should cease doing so immediately, as their use may impede your ability to receive inbound mail successfully. As always, it's important to pay attention what DNSBLs you use for spam filtering, and periodically review and ensure that they still exist and that they're working properly.

And if you run a DNSBL, see RFC 6471 for best practices around DNSBL management, including how to appropriately shut one down.

Status of megarbl.net: DEAD

The DNSBL "MegaRBL.net" is no-more. According to the Internet Archive, MegaRBL had been around since at least some time in 2013. It was a non-commercial independently run spamtrap-driven blocking list. Mailop subscribers suggest the list may have been dead for years, but the Internet Archive shows its website being alive and active as recently as March 2019.

As of today, November 25, 2019, the blocklist's domain name appears to have expired and the new owner or domain registrar has implemented wildcard DNS. This has the net effect of "listing the world" and it means that if you use this DNSBL in your mail server configuration, you're likely to now be rejecting all attempts to send mail to your users.

You don't want that! Remove the "MegaRBL.net" DNSBL from your mail server configuration as soon as possible.

Status of bl.emailbasura.org: DEAD

The DNSBL Email Basura is no more. Email Basura ("Trash" in Spanish) appears to have been online since at least 2004, according to the Internet Archive. This anti-spam blocklist's DNSBL zone was "bl.emailbasura.org."

The domain emailbasura.org seems to have expired and been purchased by a domain speculator. The domain has wildcard DNS entries, meaning that any use of the old DNSBL zone in your email server may result in your server blocking all inbound mail. You don't want that! Remove the DNSBL zone "bl.emailbasura.org" from your mail server configuration as soon as possible.

Status of combined.rbl.msrbl.net: FIXED

If you use any of the MSRBL DNSBLs, take note: For the second time since 2017, the domain msrbl.net has expired and its name servers are responding positively to any DNS request.

This has the net effect of the DNSBL "listing the world." If you use any MSRBL blocklist in your mail server, you're blocking all mail from any IP address in the whole world.

So....don't do that!

The MSRBL's website at msrbl.com is up and running, but the DNSBL zones are not under "dot com" -- they are under "dot net."

June 14, 2019 Update: Looks like the DNSBL has been restored and is no longer "listing the world."

Status of exitnodes.tor.dnsbl.sectoor.de: DEAD

As reported by Word to the Wise, the DNSBL at exitnodes.tor.dnsbl.sectoor.de seems to have gone extinct. Like has happened with other lists in the past, the domain now contains a wildcard DNS entry which is bad news for DNSBLs. This means that those folks who use this DNSBL to filter mail are going to get a match on every possible IP address in the world. Every possible IP address will show up as listed, even though it's not actually listed by the blocklist.

As a result, I strongly suggest that mail administrators stop using the exitnodes.tor.dnsbl.sectoor.de DNSBL immediately.

DNSBL lookup sites should stop including exitnodes.tor.dnsbl.sectoor.de in blocklist results; the information they display would be incorrect and would scare people into thinking that they are listed, when they are not.

I don't know much about this DNSBL. Based on its name, it seems to exist to allow people to block mail from servers that host TOR Exit Nodes. If you're receiving anonymized harassing mail, that might be something you'd want to block.

DNSBL.info has more information.

The Internet Archive suggests that this list has been around since at least February 7, 2005.

June 6, 2018 Update: The DNS "wildcard" entry has been removed. This should stop any false positive issues, and means that the list is no longer "listing the world." However, the blocklist is still offline, seemingly for good, and I still strongly suggest that mail admins cease use of this list immediately.

Status of dnsbl.cyberlogic.net: BROKEN

As reported on the mailop mailing list on Friday May 25, 2018, the blocking list at dnsbl.cyberlogic.net now contains a "wildcard" DNS entry, effectively listing the entire internet. If you use this DNSBL in your mail server configuration, you should remove it immediately, as it will impede your ability to receive legitimate mail.

New blocklist: SPFBL

Leonardo from SPFBL shared the following information with me and I thought it would be useful to share it here with folks.

Status of bad.psky.me: QUESTIONABLE

Noted and respected spam filterer Spamhaus is indicating that they believe the the Protected Sky (bad.psky.me) blocklist is "fraudulent." They report that Protected Sky is "an anonymously-run DNSBL service which was pirating [Spamhaus] data and republishing it as its own work." Spamhaus further indicates that Protected Sky doesn't follow DNSBL best practices as indicated in RFC6471.

Status of anonwhois.org: DEAD

I first blogged about the ANONWHOIS blocking list back in 2010. It was very useful to identify domains were ownership information was cloaked from the public. Why? Because many of us in the anti-spam and security community think that for a domain being used for commercial purposes, it isn't right to hide who the owner is. And this obstruction to transparency is often exploited by bad guys who send spam and malware, to try to make it harder to identify them.

Status of bl.spamcannibal.org: DEAD

Back in 2016, I used this page to report on a temporary system issue with the Spam Cannibal DNSBL.

Today (May 30, 2018) I'm updating this page to let folks know that they should immediately cease using the Spam Cannibal blocking list. ~~The domain spamcannibal.org seems to have expired and been taken over by somebody else. If you decide to visit the website, be careful! It tried to get me to install what I assume to be malware.~~

If you use this DNSBL in your mail server configuration, you're probably now rejecting all mail, as the domain has a wildcard DNS entry. This kind of thing makes a blocklist look like it has listed the whole world. Every IP address checked usually shows up as listed.

The Spam Cannibal DNSBL has been around since at least 2003. It was started by a gentleman that I think prefers to be anonymous, so I'm choosing not to name him. It was basically spamtrap-driven, though I believe it would sometimes list /24 blocks of IP addresses in response to some spamtrap hits. It wasn't that widely used, but back in the old days, it often put the fear of god into marketing senders when seeing a hit against this list on their favorite DNSBL checking tool. This was also good in that it helped to drive marketer understanding of how sending to bad addresses can cause bad things to happen. As the list was primarily spamtrap-driven, it was mostly safe for hobbyist mail server use (in my opinion, anyway).

I reached out to the publisher of the Spam Cannibal DNSBL He let me know that the DNSBL is dead and gone. It is no longer an ongoing concern.

Fifteen years is a pretty good run, if you ask me. I wish him best of luck on any future projects.

May 31, 2018 update: The operator of Spam Cannibal is working with some smart folks to shut down the list in a graceful fashion. While there is no longer a "wildcard DNS" issue, the list is no longer being updated and is retired; you should still remove it from your mail server configuration.

SURBL: Adding ABUSE sublist, deprecating SC & AB

The domain blocking list SURBL announced today that it is deprecating the SC (Spamcop) and AB (AbuseButler) sublists, migrating their data into a new ABUSE sublist. They note that the WS (Bill Stearns' sa-blacklist) sublist is also going to be migrated into ABUSE in 2016.

SURBL also recently announced the addition of SURBL-specific blocking notification messages to the popular SpamAssassin spam filtering software.

Status of no-more-funn.moensted.dk: DEAD

The "No More Funn" blocking list (DNSBL zone no-more-funn.moensted.dk) was run by a gentleman from Denmark using the alias dr. Jørgen Mash. First observed in 2002, listing criteria included spam sources, IP address ranges that appeared dynamic, bulk mailers not required confirmed opt-in (double opt-in) and more. It was easy for email service providers (ESPs) to end up listed there, and ESP clients would often ask about those listings because they would show up in DNSBL lookups, though it's not clear that the list was widely used for spam blocking.

At some point in 2012, the list was taken offline. At the end of 2015, the website reports that the list is still offline. Thus, I'm going to call this one "dead."

What is blacklist.zap?

Here's a blast from the past: Remember blacklist.zap?

There were various "blacklist.zap" lists and they were all indicative of blocking when sending to mailboxes hosted behind "FrontBridge" anti-spam and security protection:

The list 85.blacklist.zap specifically referred to FrontBridge's use of the Composite Blocking List (CBL). If you were blocked by 85.blacklist.zap, it meant that your sending IP address was listed on the CBL.
The list 86.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Block List (SBL). If you were blocked by 86.blacklist.zap, it meant that your sending IP address was listed on the SBL.
The list 87.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Exploits Block List (SBL). If you were blocked by 87.blacklist.zap, it meant that your sending IP address was listed on the XBL.
The list 88.blacklist.zap specifically referred to FrontBridge's own internally-generated blacklist of sending IP addresses noted to be spammy, usually based on a high percentage of mail from that IP address being denoted as spammy.

FrontBridge was later acquired by Microsoft and I think it's been a long time since anybody has seen blacklist.zap blocking in a bounce message, but I thought it would be good to keep a record of this for posterity's sake.

Status of dnsbl.burnt-tech.com: DEAD

Uh-oh! On or about September 19th, the domain burnt-tech.com seems to have expired. Now when you visit the website, you are informed that the domain is for sale. Also, you'll now find a wildcard A record in DNS, meaning that any lookup of any host name in DNS under burnt-tech.com will result in a positive response being returned.

The net result here is that due to the domain now having a wildcard A record, any users of the Burnt Tech DNSBL now find that they are blocking all inbound mail. If you were using the dnsbl.burnt-tech.com blocking list to filter inbound spam, you'll need to remove it from your mail server or spam filter configuration immediately, as it is going to impede your ability to receive any mail.

Reviewing Internet Archive versions of the Burnt Tech DNSBL website, it appears that the list has been in action since at least 2006. From a 2015 archived copy of the website: "The Block List runs entirely automated and designed to avoid listings of spamtrap hits due to bounces of forged spam, virus bounces, and "real" mail servers emitting the occasional spam. It tries very hard to avoid listing legitimate mail sources. It does not attempt to list every possible spam source."

No other information was available regarding ownership, listing criteria or history of this DNSBL.

(H/T: Matthew Vernhout)

Status of truncate.gbudb.net: ALIVE

The "Truncate" DNSBL (zone truncate.gbudb.net) lists IPv4 addresses that have been observed transmitting "email containing spam, scams, viruses, or other malware based on statistics in the global GBUdb network." This "Good, Bad, Ugly database (GBUdb)" is a "real-time collaborative IP reputation system," based on statistics collected by email threat protection software Message Sniffer.

If you're listed on the Truncate DNSBL, can you request removal? No, explains the website. IP addresses are removed automatically, usually within a couple of days of the bad activity having ceased. They warn, however, that in some instances, if enough bad activity was denoted, it may take longer for an IP address to automatically disappear from their list.

Have any more information you'd like to share about this blocking list? Please feel free to contact me and I'll be happy to update this page with your additional information.