Showing posts with label dead dnsbls. Show all posts
Showing posts with label dead dnsbls. Show all posts

Status of blackholes.five-ten-sg.com: DEAD

The "Fiveten" Blocklist (blackholes.five-ten-sg.com) was a combination anti-spam blocking list run by Carl Byington, publishing under the name of "510 Software Group." This blocking list has been available since at least February, 2001, and it appears to have been retired as of April 2012.

As of late April, 2012, any attempt to look up an entry on the list results in output indicating that "The blackholes.five-ten-sg.com list is retired. No ip address is listed here." Meaning, the list is no longer in operation.

I had previously written about this list back in October, 2007, and my 2007-2008 DNSBL statistics project data showed that the list may not be suitable for broad production use if one wishes to receive requested email messages. The list has been up and down at various other times, most recently being taken offline for a period in November 2010.

(Hat tip: Word to the Wise)

Spews.org Domain Expired

Thanks for Joe Sniderman for the tip that the domain spews.org has expired and was grabbed up by somebody that appears to be a domain speculator or parked domain monetizer. The SPEWS blocking list is long-dead, since August, 2006.

Status of ybl.megacity.org: DEAD

There once was a DNSBL called ybl.megacity.org. Exactly when it was created is lost to the mists of time, but I'm guessing it was somewhere around the end of 2001 or beginning of 2002, after its maintainer, Derek Balling, parted ways with Yahoo. I recall that the point of the list was to be able to reject mail from Yahoo.

Today, reader John Carver kindly wrote in to let me know that this blocking list is indeed defunct and has "listed the world," installing a wildcard DNS record with the result that if you use ybl.megacity.org in your mail server configuration, you're going to reject 100% of your mail. Query of any domain or IP address under ybl.megacity.org will result in a "127.0.0.2" positive response, that will make a mail server think it should reject the email message in question.

If you use ybl.megacity.org as a DNSBL list in your mail server configuration, I strongly recommend you remove it immediately. The list is long dead, and use of the list will result in you accidentally rejecting 100% of inbound mail.

As recently as 2006, the DNSBL also responded with text warning that it was defunct: "521 The IP is Blacklisted by ybl.megacity.org. This zone has been deprecated for about two years. Maybe if it starts blocking your mail you'll notice and stop using it." This is no longer the case; the text record does not seem to be present.

See also the Ipswitch ImailServer knowledge base article on this topic.

Status of dnsbl.karmasphere.com: SHUTTING DOWN

As messaged to the Karmasphere-Users and Karmasphere-Announce mailing lists, the Karmasphere Reputation Services data feeds are being retired. This means that the associated blocking list(s), including the karmasphere.email-sender.dnsbl.karmasphere.com DNSBL zone, and any other DNSBL/DNSWL zones under karmasphere.com. It is unclear to the author if karmasphere.org is similarly affected.

Karmasphere has indicated that the feed service will be discontinued on November 16, 2009. It's very important that all Karmasphere-using mail administrators remove any Karmasphere-hosted DNSBLs from their configuration before that date, else inbound receipt of legitimate email messages could be delayed or otherwise impacted.

For more information, click on over to Spam Resource to read a copy of the Karmasphere notice.

Status of rbl.cluecentral.net: DEAD

The rbl.cluecentral.net DNSBLs were created in 2001 or 2002 by Sabri Berisha. The goal: To list "all known assigned IPv4 address space, by originating AS and by country. [This is based on] a full routing view is extracted daily from a router in the default free zone. The AS->country mapping is done via the statistics which are being provided by the four RIR's, ARIN, APNIC, LACNIC and RIPE."

Today, the website warns that the rbl.cluecentral.net service is closed. Sabri notes that "[it has become] more and more difficult and time-consuming to maintain a trustworthy list I started to notice more and more errors. The list is no longer of the quality needed to use in a production environment."

The website warns that if DNS queries continue at a high level, the DNS servers are likely to be configured in a way that will cause 100% of inbound mail attempts to be rejected, for all mail servers still using rbl.cluecentral.net. This makes it imperative that you remove any rbl.cluecentral.net zones from your mail server configuration, as soon as possible.

Status of blackholes.us: DEAD

Created by Matthew Evans in 2002, the goal of the blackholes.us site was "to create (yet more) DNS blocklists of spammers, spam supporting ISPs, spamware hosts, dialup networks, and other notorious email abusers originating in the United States." Matthew published many different DNSBL zones, listing various countries, ISPs, netblocks, etc.

Status of vox.schpider.com: DEAD

Scott Glassbrook writes: "I ran a dnsbl, vox.schpider.com many many years ago. I stopped the DNSBL back in June of 2006, and shut down the server it was running on. 

"Since that time, all queries to vox.schpider.com have timed out. I made an attempt to bring the domain name back up in 2008, only to find that people are still trying to query the domain name. [...] Because of that, I see no other option than to start returning positives for *any* query issued to vox.schpider.com, beginning 10/16/2009. If you happen to be trying to use a dead DNSBL, please update your mail server configuration."

Scott indicates that random mail administrators are still "pounding the hell" out of his DNSBL hundreds fo times per second, all day and all night, ever day. Not cool.

If you're still querying this DNSBL, it's important that you immediately remove it from your mail server configuration. As of October 16th, use of this DNSBL will result in you rejecting 100% of your inbound email.

Status of bl.open-whois.org: DEAD

As of July, it looks like a popular blocking list used in default SpamAssassin installations is no more. Users were reporting false positive issues, where every message checked by SpamAssassin would receive a score of 2.43, supposedly due to the sender being listed in the blocking list bl.open-whois.org.

The Open Whois list appears to have been created in 2007, with a goal of promoting transparency in domain registrations. According to the (now deceased) website, "It is a list of domains which are privately (or anonymously) registered, e.g. through services such as Domains By Proxy, or Moniker Privacy Protection."

As of July 18, 2009, it appears that a squatter has taken over the open-whois.org domain name. At first, the new owner of the domain used a "wildcard" DNS record, resulting in the return of a positive response for any DNS query. The net effect is that every domain checked against this blocking list results in a DNS response that makes your spam filter think that the domain is listed, usually incorrectly so.

Since the issue was first observed, the squatter must have noticed all of this DNS traffic coming from SpamAssassin users and decided that the traffic was undesirable, so they've modified the domain in whois so that its name servers point at obviously invalid IP addresses.

That's good, because it means there shouldn't be any more false positive issues, for now. But, it does mean that your SpamAssassin checks take longer than usual, as queries against this dead list will time out. (And who is to say the squatter won't resurrect the domain with valid DNS servers and perhaps another DNS wildcard, causing a whole new batch of false positives for a whole bunch of SpamAssassin users.)

If you're a SpamAssassin user, it would be wise to remove or disable the SpamAssassin rule that check for that list. The rule you're looking for is located in the "72_active.cf" file in the rules subdirectory of your SA installation.

To disable this check in your SpamAssassin installation (manually), move or delete the "72_active.cf" file from your rules directory. Where this directory is exactly located is going to depend on your installation. On my friend's Linux installation, the directory path is /etc/mail/spamassassin/rules .

The better thing to do, I was advised by friendly SpamAssassin user Phil Randal, is to run sa-update. It's best practice for SA users to run sa-update every week or few to load the latest "in between-release" updates. Running sa-update will ensure that the bl.open-whois.org check is disabled.

I suspect that this blocking list check will be removed from SpamAssassin in future releases, but as of today (8/18/2009), the check is still in the most recent version available for download (3.2.5). As long as you run sa-update or manually disable this check, you should be all set.

TQMCUBE Status Updated

Here's a quick note to let you know that I've updated my page of information on the long-dead TQMCUBE blocking list. Click here for more information.

Status of dnsbl.net.au: DEAD

The blocking list at dnsbl.net.au has announced it is winding down. As noted in a February 25, 2009 posting on its website, "Please note that as of Wednesday, April 1, 2009 the DNSBL.NET.AU blacklist will cease to exist."

As of this writing on April 29th, 2009, I do still see active entries when querying via DNS, but I assume that these are likely to go away soon. If you utilize this list, I'd recommend removing it from your MTA or spam filter configuration.

Status of DSBL: DEAD

The DNSBL called "DSBL" is no more. As of March 11, 2009, their website reports: "DSBL is GONE and highly unlikely to return. Please remove it from your mail server configuration."

Shutting Down Blocklists

As I often do, today I'm receiving reports about a DNSBL (which I've previously warned was dead) is returning false positive entries for those still using it today.

What does this mean?

Security Sage Update

It seems today as though the Security Sage domains have expired and/or replaced by "placeholder" pages by their registrar. Net result: Bad things. If you were still using their BL, you're probably having problems receiving inbound mail right about now.

DSBL Current Status: DEAD

DSBL, the Distributed Sender Blackhole List, seems to have gone missing. The list appears to have been in operation since at least May, 2002.

Help, we're listed on ORDB!

I've received multiple queries about this today, so I figured it would be wise to put up a quick message about this.

ORDB is a long dead blocking list, gone for more than a year.

Recently, they started "listing the world" -- meaning everybody using ORDB is now blocking 100% of inbound mail. Blocking lists do this to shed themselves of any excess DNS query traffic from sites who haven't yet ceased querying their data. It can very much be considered a slap in the face -- hey, we tried shutting down the nice way, but since you're not listening, we're going to make all your mail bounce.

But what does that mean? Why am I listed?

You're not actually listed on ORDB. ORDB is returning a "yup, they're listed" answer for any IP address that people check. Meaning the whole world is listed. Everybody, not just you. It's not because they hate you, it's because they want people to stop querying their DNSBL.

If you received bounces from somebody that suggests that you're listed on ORDB, here's what to do:
  1. Call that person on the phone, if you can. Tell them all of their inbound mail is probably not working, and won't work, until they stop using ORDB. Point them to this page for more information.
  2. Don't worry. The person who bounced your mail is suddenly now having problems receiving any mail at all. They're likely to figure this out very quickly and fix it. Try your mail again, in a day or two.

Status of rbl.spamhaus.org: NOT A BLOCKING LIST

My friend Mickey Chandler pointed out recently that he's been seeing some unusual bounces that look like this:

Host blacklisted - Found on Realtime Black List server blocklist.address.is.wrong.spamhaus.org

Status of blackhole.securitysage.com: DOWN

The RHSBL (right hand side blocking list) blackhole.securitysage.com appears to have been created by Jeffrey Posluns and appears to have been around since at least August, 2004.

I received a report today indicating that a mail administrator has been unable to reliably query the blackhole.securitysage.com DNSBL zone. With the help of my friends, I was able to confirm this issue.

It looks to be a DNS issue. What we see from here is that the zone blackhole.securitysage.com is delegated to nameserver blackhole.securitysage.com. The two DNS "glue entries" for the zone are servers that aren't configured to be authoritative for the zone, so no results are returned. Ultimately, this points toward a DNS configuration issue with this domain and/or sub-domain.

The popular anti-spam filter SpamAssassin has been tracking this issue since at least October 8, 2007. On October 17th, SpamAssassin decide to remove support for this list (implemented in the DNS_FROM_SECURITYSAGE rule), due to the ongoing issues with accessing this DNSBL.

As a result of this ongoing issue, I recommend against using the blackhole.securitysage.com blocking list. If you continue to check against this list; queries are likely to time out and it could delay the receipt of inbound mail. Use of this list while this issue persists is likely to provide no blocking or filtering benefit.

I, and others, have contacted Security Sage and Mr. Posluns, making him aware of the issue and asking for more information. I'll be sure to update this page with more information as I have it.

11/03/2007 update: I've seen no response to my email to Mr. Posluns, nor to a friend's email to Security Sage's support address. I emailed that support address today, and my attempt bounced. The error message suggested an SPF failure. The fact that I publish a working SPF record, and other information in the bounce, suggest that it is in error. I guess that means either nobody's home, or they don't want anyone to contact them.

5/26/2008 update: Way back in November, I talked to Jeffrey Posluns. He is no longer actively involved with Security Sage, but was kind enough to nudge the folks running things, in hopes of making things better. It fell off my radar, until a few days ago, when I was alerted to the fact that Security Sage's domains have expired.

Net result: Broken blocklist. Has a wildcard listing, meaning that if you use their list, you're probably negatively impacting your own email delivery.

My recommendation: Stop using this blocklist immediately and permanently. Even if they do somehow manage to pull things back together, they don't have a good track record of staying online.

Status of completewhois.com: IN FLUX

Update 9/30/2007: The website www.completewhois.com is operational again, but some links appear to be broken. My attempts to query their DNSBLs have all timed out. While CompleteWhois may be on the mend, it seems that it may be too soon to give the all clear.

Previous updates follow.

Status of dnsbl.radparker.com: NOT A DNSBL

For a time, SORBS was found to be inaccurately referring to “dnsbl.radparker.com” on the mail server configuration pages over on the SORBS blocking list website. This appears to have been done in retaliation for DNSBL.com publishing data on the effectiveness of the SORBS blocking list. (Both domains are owned by me.)

The real problem was for potential SORBS users – if they followed the instructions verbatim, they ended up rejecting 100% of your inbound mail. Sadly, I've seen traffic, which implies that this has happened to some degree. If you're going to use the SORBS blocklist, be very careful to make sure you've implemented it correctly. Both this, and SORBS' claim that dnsbl.sorbs.net is an unsafe zone to use, suggest that the SORBS' list may not be a wise starting point for those looking to simply, safely block spam. More information on SORBS can be found here.

There has never been a blocklist with a zone name of dnsbl.radparker.com -- and if you type that into the DNSBL section of your mail server config, you will break your inability to receive inbound mail.

Status of dnsbl.tqmcube.com: DEAD

The DNSBL TQMCUBE was created by David Cary Hart sometime in 2004 or 2005. The front page of the website www.tqmcube.com was modified to specifically become the homepage of the TQM blocking list in January of 2006. August 17, 2009 update: A reader was kind enough to let me know that the TQMCUBE list is now officially dead and gone. The TQMCUBE website now redirects to the website of another list called the invaluement Anti-Spam DNSBL. Please see this page for more information. Below find my commentary from 2007 from around the time the TQMCUBE project seemed to have first gone dormant.

From 2007: Various sources and my own investigation show that the website seems to be running on autopilot with nobody at the helm.

A postmaster at a large ISP contacted me and indicated that he had received no response to DNSBL remove requests submitted to TQM. Those requests were submitted on March 27th, and it is now June 30th (2007) that I write this article.

Other data points showing that the list appears to be unmanned and likely abandoned:

  • The list's website has a "last update" date of March 11, 2007.

  • The last known response received in reply to a blocking list remove request seems to have been in February, 2007.

  • I contacted David Cary Hart via email to the address on his domain registration on June 20th, 2007, and have not received a reply.

  • I contacted the abuse desk of his ISP (Fortress ITX) and asked them to confirm that he was alive. This was on June 24th. I received a ticket number but no other response.

  • The DNSBL's experimental world zone has not been operational since December, 2006.

  • The last known sighting of Mr. Hart online appears to be here, from April 2007.

  • This newsgroup posting from Colin Leroy on June 14, 2007 indicates that Colin had last seen email from Mr. Hart back in December, 2006. The email was a message posted to a mailing list that they both participate in.

  • Others have indicated to me that they have called the telephone number in the TQMCUBE domain registration, and that the voice mail box associated with this phone number is full, no longer accepting new messages.

This thread in the news.admin.net-abuse.email newsgroup wondering why the list's administrators are non-responsive is typical of the discussion I've come across during my investigation. I am receiving numerous reports of issues with listings going unresolved. Additionally, when checked against my personal spamtrap data (8000+ spams/day) I am seeing the effectiveness of this list trending downward over the past few weeks.

After careful consideration of all of the facts and discussion surrounding the status of TQM and its maintainer, I do not think it is wise to use the TQMCUBE DNSBL.

November 25, 2007 update: Within the past week, a large number of entries have been removed from the TQMCUBE blocking list database. The Internet Wayback Machine suggests that TQMCUBE had 1.37 million IP addresses listed on August 29, 2007. As of today, November 25th, the TQMCUBE website suggests that there are approximately 851,000 active listings.