Status of ubl.unsubscore.com: OFFLINE

LashBack's unsubscribe blacklist ("UBL"), as described by its publisher, "is a unique, real-time blacklist of IP addresses which have sent email to addresses harvested from suppression files." It's a neat idea, an interesting way to monitor unsubscribe compliance. But it can be tricky when it comes to things like shared IP addresses, address leakage, subscription forgery or data breaches. As I haven't tested it in a while, I can't speak to its accuracy as far as a spam filtering tool. I did test it years ago but that data is so dusty as to not warrant digging it back up.

Anyway, the reason I mention this today is that I've seen a poster on the Mailop list indicate that the Lashback UBL DNSBL is currently unavailable. If you use this DNSBL (ubl.unsubscore.com) in any of your spam filtering tools, you'll want to remove it.

Status of dnsbl.inps.de: DEAD

Christian Jung launched the inps.de DNSBL way back on December 29th, 2007.

Christian described the listing criteria as follows: "Every day thousands of spam e-mails arrive on our e-mail servers, which have to be processed by our anti-spam system. If an email is recognized as spam, the IP address of the sender is recorded in a blacklist for a certain period of time in order to enable faster email processing and reduce the system load."

Today, May 25, 2020, he has announced that it is shutting down, due to concerns around GDPR and personal challenges brought on by the coronavirus pandemic.

He appears to be shutting it down in a graceful manner -- not "listing the world" as so many lists do as they wind down. This is good to see.

Note that in addition to the DNSBL dnsbl.inps.de, this also affects the DNSWL (whitelist) found at dnswl.inps.de. Both are ceasing.

If you use either the whitelist or blocklist in your email server config, you'll want to disable those checks as soon as possible. 

Status of all.rbl.webiron.net and bsb.spamlookup.net: DEAD or BROKEN

Two anti-spam blocking lists appear to have died or malfunctioned recently.

Users on the Mailop mailing list are reporting that Webiron (all.rbl.webiron.net) blocklist appears to be malfunctioning. Its domain has expired and the temporary holding pattern pending payment or termination has resulted in the Webiron DNSBL effectively "listing the world" because of wildcard DNS entries.

Another list, BSB (bsb.spamlookup.net), a DNSBL focusing on "comment spam," also recently appears to have died, as reported by MX Toolbox back on April 17th.

When most lists "die" or malfunction, they often end up with wildcard DNS entries in place, as this is a common domain DNS setting implemented by registrars, domain speculators, or domain parkers. What this means is that every single DNSBL query made to the DNSBL's domain falsely returns "yes, block that IP address." Meaning your spam filter suddenly blocks 100% of your inbound mail. This is bad news, if you like to actually receive inbound mail.

If you're using either of these lists, you should cease doing so immediately, as their use may impede your ability to receive inbound mail successfully. As always, it's important to pay attention to what DNSBLs you use for spam filtering, and periodically review and ensure that they still exist and that they're working properly.

And if you run a DNSBL, see RFC 6471 for best practices around DNSBL management, including how to appropriately shut one down.

Status of megarbl.net: DEAD

The DNSBL "MegaRBL.net" is no more. According to the Internet Archive, MegaRBL had been around since at least some time in 2013. It was a non-commercial, independently run, spamtrap-driven blocking list. Mailop subscribers suggest the list may have been dead for years, but the Internet Archive shows its website being alive and active as recently as March 2019.

As of today, November 25, 2019, the blocklist's domain name appears to have expired and the new owner or domain registrar has implemented wildcard DNS. This has the net effect of "listing the world" and it means that if you use this DNSBL in your mail server configuration, you're likely to now be rejecting all attempts to send mail to your users.

You don't want that! Remove the "MegaRBL.net" DNSBL from your mail server configuration as soon as possible.

Status of bl.emailbasura.org: DEAD

The DNSBL Email Basura is no more. Email Basura ("Trash" in Spanish) appears to have been online since at least 2004, according to the Internet Archive. This anti-spam blocklist's DNSBL zone was "bl.emailbasura.org."

The domain emailbasura.org seems to have expired and been purchased by a domain speculator. The domain has wildcard DNS entries, meaning that any use of the old DNSBL zone in your email server may result in your server blocking all inbound mail. You don't want that! Remove the DNSBL zone "bl.emailbasura.org" from your mail server configuration as soon as possible.

Status of combined.rbl.msrbl.net: FIXED

If you use any of the MSRBL DNSBLs, take note: For the second time since 2017, the domain msrbl.net has expired and its name servers are responding positively to any DNS request.

This has the net effect of the DNSBL "listing the world." If you use any MSRBL blocklist in your mail server, you're blocking all mail from any IP address in the whole world.

So....don't do that!

The MSRBL's website at msrbl.com is up and running, but the DNSBL zones are not under "dot com" -- they are under "dot net."

June 14, 2019 Update: Looks like the DNSBL has been restored and is no longer "listing the world."

Status of exitnodes.tor.dnsbl.sectoor.de: DEAD

As reported by Word to the Wise, the DNSBL at exitnodes.tor.dnsbl.sectoor.de seems to have gone extinct. As has happened with other lists in the past, the domain now contains a wildcard DNS entry, which is bad news for DNSBLs. This means that those folks who use this DNSBL to filter mail are going to get a match on every possible IP address in the world. Every possible IP address will show up as listed, even though it's not actually listed by the blocklist.

As a result, I strongly suggest that mail administrators stop using the exitnodes.tor.dnsbl.sectoor.de DNSBL immediately.

DNSBL lookup sites should stop including exitnodes.tor.dnsbl.sectoor.de in blocklist results; the information they display would be incorrect and would scare people into thinking that they are listed, when they are not.

I don't know much about this DNSBL. Based on its name, it seems to exist to allow people to block mail from servers that host TOR Exit Nodes. If you're receiving anonymized harassing mail, that might be something you'd want to block.


The Internet Archive suggests that this list has been around since at least February 7, 2005.

June 6, 2018 Update: The DNS "wildcard" entry has been removed. This should stop any false positive issues, and means that the list is no longer "listing the world." However, the blocklist is still offline, seemingly for good, and I still strongly suggest that mail admins cease use of this list immediately.

Status of dnsbl.cyberlogic.net: BROKEN

As reported on the mailop mailing list on Friday May 25, 2018, the blocking list at dnsbl.cyberlogic.net now contains a "wildcard" DNS entry, effectively listing the entire internet. If you use this DNSBL in your mail server configuration, you should remove it immediately, as it will impede your ability to receive legitimate mail.

New blocklist: SPFBL

Leonardo from SPFBL shared the following information with me and I thought it would be useful to share it here with folks.

Status of bad.psky.me: QUESTIONABLE

Noted and respected spam filterer Spamhaus is indicating that they believe the Protected Sky (bad.psky.me) blocklist is "fraudulent." They report that Protected Sky is "an anonymously-run DNSBL service which was pirating [Spamhaus] data and republishing it as its own work." Spamhaus further indicates that Protected Sky doesn't follow DNSBL best practices as indicated in RFC 6471.

Status of anonwhois.org: DEAD

I first blogged about the ANONWHOIS blocking list back in 2010. It was very useful to identify domains where ownership information was cloaked from the public. Why? Because many of us in the anti-spam and security community think that for a domain being used for commercial purposes, it isn't right to hide who the owner is. And this obstruction to transparency is often exploited by bad guys who send spam and malware, to try to make it harder to identify them.

Status of bl.spamcannibal.org: DEAD

Back in 2016, I used this page to report on a temporary system issue with the Spam Cannibal DNSBL.

Today (May 30, 2018) I'm updating this page to let folks know that they should immediately cease using the Spam Cannibal blocking list. The domain spamcannibal.org seems to have expired and been taken over by somebody else. If you decide to visit the website, be careful! It tried to get me to install what I assume to be malware.

If you use this DNSBL in your mail server configuration, you're probably now rejecting all mail, as the domain has a wildcard DNS entry. This kind of thing makes a blocklist look like it has listed the whole world. Every IP address checked usually shows up as listed.

The Spam Cannibal DNSBL has been around since at least 2003. It was started by a gentleman that I think prefers to be anonymous, so I'm choosing not to name him. It was basically spamtrap-driven, though I believe it would sometimes list /24 blocks of IP addresses in response to some spamtrap hits. It wasn't that widely used, but back in the old days, it often put the fear of god into marketing senders when seeing a hit against this list on their favorite DNSBL checking tool. This was also good in that it helped to drive marketer understanding of how sending to bad addresses can cause bad things to happen. As the list was primarily spamtrap-driven, it was mostly safe for hobbyist mail server use (in my opinion, anyway).

I reached out to the publisher of the Spam Cannibal DNSBL. He let me know that the DNSBL is dead and gone. It is no longer an ongoing concern.

Fifteen years is a pretty good run, if you ask me. I wish him best of luck on any future projects.

May 31, 2018 update: The operator of Spam Cannibal is working with some smart folks to shut down the list in a graceful fashion. While there is no longer a "wildcard DNS" issue, the list is no longer being updated and is retired; you should still remove it from your mail server configuration.

SURBL: Adding ABUSE sublist, deprecating SC & AB

The domain blocking list SURBL announced today that it is deprecating the SC (Spamcop) and AB (AbuseButler) sublists, migrating their data into a new ABUSE sublist. They note that the WS (Bill Stearns' sa-blacklist) sublist is also going to be migrated into ABUSE in 2016.

SURBL also recently announced the addition of SURBL-specific blocking notification messages to the popular SpamAssassin spam filtering software.

Status of no-more-funn.moensted.dk: DEAD

The "No More Funn" blocking list (DNSBL zone no-more-funn.moensted.dk) was run by a gentleman from Denmark using the alias dr. Jørgen Mash. First observed in 2002, listing criteria included spam sources, IP address ranges that appeared dynamic, bulk mailers not requiring confirmed opt-in (double opt-in) and more. It was easy for email service providers (ESPs) to end up listed there, and ESP clients would often ask about those listings because they would show up in DNSBL lookups, though it's not clear that the list was widely used for spam blocking.

At some point in 2012, the list was taken offline. At the end of 2015, the website reports that the list is still offline. Thus, I'm going to call this one "dead."

What is blacklist.zap?

Here's a blast from the past: Remember blacklist.zap?

There were various "blacklist.zap" lists and they were all indicative of blocking when sending to mailboxes hosted behind "FrontBridge" anti-spam and security protection:
  • The list 85.blacklist.zap specifically referred to FrontBridge's use of the Composite Blocking List (CBL). If you were blocked by 85.blacklist.zap, it meant that your sending IP address was listed on the CBL.
  • The list 86.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Block List (SBL). If you were blocked by 86.blacklist.zap, it meant that your sending IP address was listed on the SBL.
  • The list 87.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Exploits Block List (XBL). If you were blocked by 87.blacklist.zap, it meant that your sending IP address was listed on the XBL.
  • The list 88.blacklist.zap specifically referred to FrontBridge's own internally-generated blacklist of sending IP addresses noted to be spammy, usually based on a high percentage of mail from that IP address being denoted as spammy.
FrontBridge was later acquired by Microsoft and I think it's been a long time since anybody has seen blacklist.zap blocking in a bounce message, but I thought it would be good to keep a record of this for posterity's sake.

Status of dnsbl.burnt-tech.com: DEAD

Uh-oh! On or about September 19th, the domain burnt-tech.com seems to have expired. Now when you visit the website, you are informed that the domain is for sale. Also, you'll now find a wildcard A record in DNS, meaning that any lookup of any host name in DNS under burnt-tech.com will result in a positive response being returned.

The net result here is that due to the domain now having a wildcard A record, any users of the Burnt Tech DNSBL now find that they are blocking all inbound mail. If you were using the dnsbl.burnt-tech.com blocking list to filter inbound spam, you'll need to remove it from your mail server or spam filter configuration immediately, as it is going to impede your ability to receive any mail.

Reviewing Internet Archive versions of the Burnt Tech DNSBL website, it appears that the list has been in action since at least 2006. From a 2015 archived copy of the website: "The Block List runs entirely automated and designed to avoid listings of spamtrap hits due to bounces of forged spam, virus bounces, and "real" mail servers emitting the occasional spam. It tries very hard to avoid listing legitimate mail sources. It does not attempt to list every possible spam source."

No other information was available regarding ownership, listing criteria or history of this DNSBL.

(H/T: Matthew Vernhout)

Status of truncate.gbudb.net: ALIVE

The "Truncate" DNSBL (zone truncate.gbudb.net) lists IPv4 addresses that have been observed transmitting "email containing spam, scams, viruses, or other malware based on statistics in the global GBUdb network." This "Good, Bad, Ugly database (GBUdb)" is a "real-time collaborative IP reputation system," based on statistics collected by email threat protection software Message Sniffer.

If you're listed on the Truncate DNSBL, can you request removal? No, explains the website. IP addresses are removed automatically, usually within a couple of days of the bad activity having ceased. They warn, however, that in some instances, if enough bad activity was denoted, it may take longer for an IP address to automatically disappear from their list.

Have any more information you'd like to share about this blocking list? Please feel free to contact me and I'll be happy to update this page with your additional information.

Status of dul.ru: DEAD

As noted by participants of the SDLU mailing list, the Russian Dial-up User List at the domain dul.ru is no more.

The Russian Dial-up User List website is no longer to be found at dul.ru; when you visit that domain you find a simple Russian-language "this domain is for sale" page.

As of May 19, 2015, this domain seems to have been set to "wildcard" status in DNS. This means that DUL.ru is effectively "listing the world;" any site still using the DUL.ru DNSBL zone will reject all inbound mail until this DNSBL is removed from that mail server's configuration.

The Russian Dial-up User list appears to have been a dialup or dynamic blocking list. The intent of this type of anti-spam tool is usually to block SMTP connections from hosts that aren't typically expected to be running mail services.

H/T: Neil Schwartzman

Reminder: AHBL is Shutting Down

As previously reported, the AHBL DNSBL has been shut down.

Please note that the publisher of the AHBL DNSBL has indicated that she will set all of the DNS zones to "wildcard" status as of January 1st. This means that AHBL will be effectively "listing the world;" any site still using any of the AHBL DNSBL zones will reject all inbound mail until the AHBL DNSBL zones are removed from that mail server's configuration.

Brielle Bruns posted the following to the SDLU mailing list on 12/26/14: "Figured I'd give one last notice that I'm about to wildcard all of the public AHBL zones on Jan 1st, 2015.

"If you are still using them in your mail servers, or know someone who is, now would be a good time to remove them.  Most of the major packages that came with configuration options for using the AHBL have long since removed them (such as SpamAssassin), but there are still many many people out there who make no effort to maintain their services and/or don't upgrade/check configurations.

"The private zones which some people know of and have access to will not be affected by this wildcarding, as they are still considered 'active' and 'maintained'."

Status of rbl.orbitrbl.com: DEAD

Today, Mark E. Jeftovic of EasyDNS warned readers of the Mailop list that it is unwise to use the DNSBL "rbl.orbitrbl.com" due to a combination of abandonment and administrative issues.

He writes: "As some of you may know, we recently took over ZoneEdit.com and its customer base.

"We've found a domain on the system: rbl.orbitrbl.com which is delegated to zoneedit nameservers, broken (it is not allowed to zone transfer from its designated master), unresponsive (account owner is not answering email, has an address in Sri Lanka and no telephone number), is using excessive queries (~ >500M queries per day on a "free dns" domain) and attracting repeated, multiple DDoS attacks.

"As such, we will be wildcarding this zone and setting a long TTL fairly soon.

"If you're actually using this RBL in your MTAs, now's a good time to stop. (this RBL is broken on 5 out of its 6 delegated nameservers across 3 separate providers)."

Status of dnsbl.ahbl.org: SHUTTING DOWN

On March 26, 2014, DNSBL administrator Brielle Bruns announced that the Abusive Hosts Blocking List DNSBLs are to be shut down.

In email to me, she explained:
"After quite a bit of thought and consideration, I've decided that it is time to wind down some of the AHBL's public DNSbl services - specifically the dnsbl, ircbl, and rhsbl. 
We've had a good 11 year run with the lists.  Times have changed -- with the deployment of IPv6 moving full speed ahead, I don't feel that the current implementation of our DNSbl services are suited to the task. 
This doesn't mean that the AHBL is going away - we'll still be around, just focusing our efforts on a mix of other anti-abuse related things and a relaunch of the RHSbl (likely in 2-3 months, possibly sooner). 
I look forward to continuing to work with the community, and appreciate and value the feedback I've received over the years."
As a result, the lists dnsbl.ahbl.org, ircbl.ahbl.org and rhsbl.ahbl.org, and associated public look up tools are being retired.

I've known Brielle for many years and my interactions with her have been universally positive. Congratulations on a long eleven year run with AHBL, and I hope whatever she works on next is something she finds fun and fulfilling.

Status of dnsblchile.org: ALIVE

DNSBL Chile, created in 2011, appears to be a Chilean homegrown effort to tackle spamblocking from a local perspective. As they explain on their website: "Existing DNSBL services aim to block spam based on the type and origin affecting certain types of user. Chilean spam is generally ignored by these DNSBLs, mainly because of the language barrier. This raises the need for a specific DNSBL for Chile, which is able to investigate cases of spam in South-American Spanish."

The DNSBL zone is just "dnsblchile.org" and they report a few different types of responses: 127.0.0.2 and 127.0.0.3 for "verified spam sources," 127.0.0.5 for "verified scam sources," and 127.0.0.10 and 127.0.0.11 for DUL/PBL-like dynamic/"should not be running an MTA" entries.

I don't know much about this list in particular but it's always nice to see somebody attempt to address a previously segment or region's spam problem.  If you have any thoughts or details around this list, don't hesitate to drop me a line.

(Crappy translation above courtesy of my high school Spanish + a little help from Google Translate.)

Status of APEWS: ????

Long-standing (though not very accurate) blocking list APEWS seemed to be down for the count. Their website at www.apews.org has been down since March 15th, according to David Ritz.

My recommendation to mail administrators is to stop using APEWS. But then again, was anybody using APEWS recently, anyway?

For history's sake, here's a link to the article I published long ago, explaining what to do if you find yourself listed by APEWS.

APEWS was previously down for three weeks in August, 2010.

Update: APEWS appears to have returned somewhere around May 1st, 2013.

It goes down, it comes back up, it goes down again, it comes back up again. At this point I think we'll just call it a status of "?????"

Status of spamtrap.trblspam.com: DEAD

The DNSBL spamtrap.trblspam.com appears to have gone offline as of April 2, 2013. It appears to have been created in early 2011 by somebody known as "Tom from TRBL," whom I observed participating in various email discussion lists. I've emailed Tom and will update this page if I receive any further details.

I recommend removing spamtrap.trblspam.com from any blocklist checking you're doing. Any time a list is shut down, there's a chance that they will end up putting in a wildcard DNS record, which ends up effectively "listing the world" and causing problems for any receiving sites who still have that DNSBL configured in their mail server configuration.

(Thanks to Martijn Grooten for the heads up.)

Status of dnsbl.njabl.org: DEAD

It is with sadness that I report on the closure of Jon Lewis's NJABL blocking list. From the NJABL website: "March 1, 2013: NJABL is in the process of being shut down. The DNSBL zones have been emptied. After "the Internet" has had some time to remove NJABL from server configs, the NS's will be pointed off into unallocated space (192.0.2.0/24 TEST-NET-1) to hopefully make the shutdown obvious to those who were slower to notice."

NJABL (Not Just Another Bogus List) had been in existence from at least January 2002. Congrats to Jon and team for a pretty good run of eleven years.

Update: I received this in email: "Today, April 29, 2013, NS for the NJABL DNSBL zones is being pointed into 192.0.2.0/24 (TEST-NET-1) which is unrouted IP space.  This will likely cause any systems using the NJABL DNSBL zones to experience long delays in DNS resolution of NJABL DNSBL lookups.  This is being done both to sink the DNS query traffic and to hopefully be noticed by the owners/managers of those systems."

(H/T: Laura Atkins and others.)

Status of bl.csma.biz: DEAD

An entity called McFadden Associates had been publishing two different, spamtrap-driven DNSBL zones starting from October 2003. Almost ten years later, it appears that these blocklist zones are no more.

The McFadden CSMA blocking list encompassed two different DNSBL zones. The primary zone, bl.csma.biz, contained only "aggressive" hosts that have spammed repeatedly during a short (recent) timeframe. An additional zone, sbl.csma.biz, had a broader listing criteria, noted by the publisher as more suitable for scoring in a filtering system than outright blocking.

As of January 2013, querying either zone will result in a false positive response, showing that an IP address is blocked, due to a wildcard DNS entry. This means that you should immediately stop using either DNSBL in your spam blocking configuration, otherwise you will reject all inbound mail, legitimate or not.

It's fairly common for a list, when dying, to intentionally or un-intentionally "list the world," answering any DNS lookup request with what amounts to a "yep, that's blocked" response. This regularly causes problems for unsuspecting email system administrators who may still be querying blocking lists that are now out of commission. That's why it's important to periodically review your inbound mail server's configuration to revisit what DNSBL lists you might be using and whether or not it makes sense to continue to use them.

In this case, these lists are no more, and should be removed from any mail server configurations where they may still linger.

I've reached out to the one-time publisher of these lists, and I will follow up with more information if he's able to provide more details.
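
The wildcard "listing the world" failure described above, and in the Webiron and BSB entry earlier on this page, can be caught automatically. The following is an added example, not code from any of the list operators or from the original posts: it probes a zone with the two test entries RFC 5782 defines for IPv4 DNSBLs (127.0.0.2 must be listed, 127.0.0.1 must never be listed). The `*.dnsbl.example` zone names and the `sample_lookup` resolver are constructed so the check runs offline.

```python
"""DNSBL zone health check built on the RFC 5782 test entries (added example)."""
import ipaddress
import socket

MUST_NOT_BE_LISTED = "127.0.0.1"  # RFC 5782: a DNSBL must never list this
MUST_BE_LISTED = "127.0.0.2"      # RFC 5782: a working DNSBL always lists this
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_lookup(name):
    """A records for name via the system resolver; [] for NXDOMAIN or no data.

    Other resolver failures (timeout, SERVFAIL) propagate as OSError.
    """
    try:
        infos = socket.getaddrinfo(name + ".", None, socket.AF_INET,
                                   socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise
    return sorted({info[4][0] for info in infos})


def classify(zone, lookup=system_lookup):
    """Return (status, detail): OK, LISTS_THE_WORLD, EMPTY or UNREACHABLE."""
    try:
        negative = lookup(query_name(MUST_NOT_BE_LISTED, zone))
        positive = lookup(query_name(MUST_BE_LISTED, zone))
    except OSError as exc:
        # Name servers gone or pointed at unrouted space: every check stalls.
        return "UNREACHABLE", f"lookups fail or hang: {exc}"
    if negative:
        # An answer for 127.0.0.1 means a wildcard: every sender looks listed.
        stray = [a for a in negative if ipaddress.ip_address(a) not in LOOPBACK]
        if stray:
            return "LISTS_THE_WORLD", f"parked-domain answer {stray[0]} for any name"
        return "LISTS_THE_WORLD", f"wildcard answer {negative[0]} for any name"
    if not positive:
        # Emptied or retired zone: harmless, but it no longer filters anything.
        return "EMPTY", "test entry 127.0.0.2 is not listed"
    return "OK", f"test entry returns {positive[0]}"


def zones_to_remove(zones, lookup=system_lookup):
    """Zones from the mail server config that fail the check, in input order."""
    return [z for z in zones if classify(z, lookup)[0] != "OK"]


# Constructed sample data: how each hypothetical zone answers queries.
SAMPLE_ZONES = {
    "healthy.dnsbl.example": {"records": {"2.0.0.127": ["127.0.0.2"]}},
    "parked.dnsbl.example": {"wildcard": ["203.0.113.10"]},
    "wildcarded.dnsbl.example": {"wildcard": ["127.0.0.2"]},
    "emptied.dnsbl.example": {"records": {}},
    "sinkholed.dnsbl.example": {"timeout": True},
}


def sample_lookup(name):
    """Offline stand-in for a resolver, driven by SAMPLE_ZONES (constructed)."""
    for zone, cfg in SAMPLE_ZONES.items():
        suffix = "." + zone
        if name.endswith(suffix):
            if cfg.get("timeout"):
                raise TimeoutError("no response from name servers")
            if "wildcard" in cfg:
                return list(cfg["wildcard"])
            return list(cfg["records"].get(name[:-len(suffix)], []))
    return []


if __name__ == "__main__":
    for zone in SAMPLE_ZONES:
        status, detail = classify(zone, sample_lookup)
        print(f"{zone:28} {status:16} {detail}")
```

Call `classify` without the second argument to test the zones in your own mail server configuration through the system resolver, for example from a scheduled job that alerts when `zones_to_remove` returns anything.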




Status of rfc-ignorant.org: SHUTTING DOWN

One-time Yahoo administrator Derek Balling has announced that the RFC Ignorant blocking list is being shut down. This blocking list had existed since at least late 2001. Its listing criteria included things like not having an "abuse" or "postmaster" address that accepted mail. Listing criteria didn't necessarily overlap with the generally accepted criteria for fighting spam, so my guess is that this blocking list's lack of usefulness as a spam fighting tool had finally diminished past the point of no useful return. As Derek himself says, "the usefulness of a DNSBL is greatly diminished," and of the old hardware running the service, "the value proposition just isn't there."

I blogged about the RFC Ignorant blocking list back in 2006.

Status of blackholes.five-ten-sg.com: DEAD

The "Fiveten" Blocklist (blackholes.five-ten-sg.com) was a combination anti-spam blocking list run by Carl Byington, publishing under the name of "510 Software Group." This blocking list has been available since at least February, 2001, and it appears to have been retired as of April 2012.

As of late April, 2012, any attempt to look up an entry on the list results in output indicating that "The blackholes.five-ten-sg.com list is retired. No ip address is listed here." Meaning, the list is no longer in operation.

I had previously written about this list back in October, 2007, and my 2007-2008 DNSBL statistics project data showed that the list may not be suitable for broad production use if one wishes to receive requested email messages. The list has been up and down at various other times, most recently being taken offline for a period in November 2010.

(Hat tip: Word to the Wise)

DNSWL.org Announces Changes

Whitelist provider DNSWL.org announced changes to its operating model. Who is DNSWL.org? "Dnswl.org is the leading whitelist provider for email filtering. It is being used by over 50'000 organisations worldwide, and contains close to 100'000 entries of 'good mailservers.' Your email filter should try to avoid tagging messages as spam, if they come from one of those good mailservers."

As announced on their website and on multiple mailing lists today: "As announced earlier, dnswl.org will change its operating model. "Heavy users" (defined as those doing > 100'000 queries/24 hours on the public nameservers) and vendors of anti-spam products and services will need a paid subscription.

"We are now ready to implement the model and will gradually start to enforce it. Since we do not know the current users (all we have are IPs and sometimes hostnames), we will also need to "cut off" users if our attempts at identifying and notifying them fail.

"The "cut off" may have two effects: 1) rsync suddenly stops working 2) queries on the public nameservers are refused. We may be able to reinstate access on a case by case basis.

"As usual, we can be reached at admins/at/dnswl.org (or office/at/dnswl.org for direct access to the people handling the subscriptions). All details are available from http://www.dnswl.org/ "

Spews.org Domain Expired

Thanks to Joe Sniderman for the tip that the domain spews.org has expired and was grabbed up by somebody that appears to be a domain speculator or parked domain monetizer. The SPEWS blocking list is long-dead, since August, 2006.

Status of ybl.megacity.org: DEAD

There once was a DNSBL called ybl.megacity.org. Exactly when it was created is lost to the mists of time, but I'm guessing it was somewhere around the end of 2001 or beginning of 2002, after its maintainer, Derek Balling, parted ways with Yahoo. I recall that the point of the list was to be able to reject mail from Yahoo.

Today, reader John Carver kindly wrote in to let me know that this blocking list is indeed defunct and has "listed the world," installing a wildcard DNS record with the result that if you use ybl.megacity.org in your mail server configuration, you're going to reject 100% of your mail. Query of any domain or IP address under ybl.megacity.org will result in a "127.0.0.2" positive response, that will make a mail server think it should reject the email message in question.

If you use ybl.megacity.org as a DNSBL list in your mail server configuration, I strongly recommend you remove it immediately. The list is long dead, and use of the list will result in you accidentally rejecting 100% of inbound mail.

As recently as 2006, the DNSBL also responded with text warning that it was defunct: "521 The IP is Blacklisted by ybl.megacity.org. This zone has been deprecated for about two years. Maybe if it starts blocking your mail you'll notice and stop using it." This is no longer the case; the text record does not seem to be present.

See also the Ipswitch ImailServer knowledge base article on this topic.

Beware: "Fake" Blocking list at nszones.com

Spamhaus reports that they have "uncovered a fake spam filter company which was pirating and selling DNSBL data stolen from major anti-spam systems including Spamhaus, CBL and SURBL, republishing the stolen data under the name 'nszones.com.'"

Ouch. I guess if you publish a free or easily accessed spam filtering tool, it is inevitable that at some point somebody would try to take the data and repackage it against copyright and against the data owner's wishes.

If you find yourself listed on this blocking list, don't fret. If what Spamhaus says is true (and I have little reason to doubt them), then this list is not really being used to block email. (And should not be used to block email.) Ignore it, stay listed, and eventually they'll move on to easier targets.

If you're a system administrator, DO NOT use any of the DNSBL zones at nszones.com for spam filtering purposes. As its intent may not be above-board, I would have strong concerns about the possibility of listing things only to engender a payment for delisting -- for reasons having nothing to do with spam fighting.

SURBL Announces New Experimental Blocking List

Today, the team behind the SURBL domain blacklists announced a new, experimental blocking list: xs.surbl.org.

As announced on the SURBL-Announce list: "An experimental source of some snowshoe and pill domains is now being published in xs.surbl.org.  SURBL considers this feed to be experimental and would very much welcome feedback about it, particularly about any false positives.  Does anyone know anyone who actually wants to receive snowshoe messages?"

You can read the entire announcement here.

Status of dnsbl.karmasphere.com: SHUTTING DOWN

As messaged to the Karmasphere-Users and Karmasphere-Announce mailing lists, the Karmasphere Reputation Services data feeds are being retired. This affects the associated blocking list(s), including the karmasphere.email-sender.dnsbl.karmasphere.com DNSBL zone, and any other DNSBL/DNSWL zones under karmasphere.com. It is unclear to the author if karmasphere.org is similarly affected.

Karmasphere has indicated that the feed service will be discontinued on November 16, 2009. It's very important that all Karmasphere-using mail administrators remove any Karmasphere-hosted DNSBLs from their configuration before that date, else inbound receipt of legitimate email messages could be delayed or otherwise impacted.

For more information, click on over to Spam Resource to read a copy of the Karmasphere notice.

Status of rbl.cluecentral.net: DEAD

The rbl.cluecentral.net DNSBLs were created in 2001 or 2002 by Sabri Berisha. The goal: To list "all known assigned IPv4 address space, by originating AS and by country. [This is based on] a full routing view is extracted daily from a router in the default free zone. The AS->country mapping is done via the statistics which are being provided by the four RIR's, ARIN, APNIC, LACNIC and RIPE."

Today, the website warns that the rbl.cluecentral.net service is closed. Sabri notes that "[it has become] more and more difficult and time-consuming to maintain a trustworthy list I started to notice more and more errors. The list is no longer of the quality needed to use in a production environment."

The website warns that if DNS queries continue at a high level, the DNS servers are likely to be configured in a way that will cause 100% of inbound mail attempts to be rejected, for all mail servers still using rbl.cluecentral.net. This makes it imperative that you remove any rbl.cluecentral.net zones from your mail server configuration, as soon as possible.

Status of blackholes.us: DEAD

Created by Matthew Evans in 2002, the goal of the blackholes.us site was "to create (yet more) DNS blocklists of spammers, spam supporting ISPs, spamware hosts, dialup networks, and other notorious email abusers originating in the United States." Matthew published many different DNSBL zones, listing various countries, ISPs, netblocks, etc.

Status of vox.schpider.com: DEAD

Scott Glassbrook writes: "I ran a dnsbl, vox.schpider.com many many years ago. I stopped the DNSBL back in June of 2006, and shut down the server it was running on. 

"Since that time, all queries to vox.schpider.com have timed out. I made an attempt to bring the domain name back up in 2008, only to find that people are still trying to query the domain name. [...] Because of that, I see no other option than to start returning positives for *any* query issued to vox.schpider.com, beginning 10/16/2009. If you happen to be trying to use a dead DNSBL, please update your mail server configuration."

Scott indicates that random mail administrators are still "pounding the hell" out of his DNSBL hundreds of times per second, all day and all night, every day. Not cool.

If you're still querying this DNSBL, it's important that you immediately remove it from your mail server configuration. As of October 16th, use of this DNSBL will result in you rejecting 100% of your inbound email.

Status of bl.open-whois.org: DEAD

As of July, it looks like a popular blocking list used in default SpamAssassin installations is no more. Users were reporting false positive issues, where every message checked by SpamAssassin would receive a score of 2.43, supposedly due to the sender being listed in the blocking list bl.open-whois.org.

The Open Whois list appears to have been created in 2007, with a goal of promoting transparency in domain registrations. According to the (now deceased) website, "It is a list of domains which are privately (or anonymously) registered, e.g. through services such as Domains By Proxy, or Moniker Privacy Protection."

As of July 18, 2009, it appears that a squatter has taken over the open-whois.org domain name. At first, the new owner of the domain used a "wildcard" DNS record, resulting in the return of a positive response for any DNS query. The net effect is that every domain checked against this blocking list results in a DNS response that makes your spam filter think that the domain is listed, usually incorrectly so.

Since the issue was first observed, the squatter must have noticed all of this DNS traffic coming from SpamAssassin users and decided that the traffic was undesirable, so they've modified the domain in whois so that its name servers point at obviously invalid IP addresses.

That's good, because it means there shouldn't be any more false positive issues, for now. But, it does mean that your SpamAssassin checks take longer than usual, as queries against this dead list will time out. (And who is to say the squatter won't resurrect the domain with valid DNS servers and perhaps another DNS wildcard, causing a whole new batch of false positives for a whole bunch of SpamAssassin users.)

If you're a SpamAssassin user, it would be wise to remove or disable the SpamAssassin rule that checks for that list. The rule you're looking for is located in the "72_active.cf" file in the rules subdirectory of your SA installation.

To disable this check in your SpamAssassin installation (manually), move or delete the "72_active.cf" file from your rules directory. Where exactly this directory is located is going to depend on your installation. On my friend's Linux installation, the directory path is /etc/mail/spamassassin/rules.

The better thing to do, I was advised by friendly SpamAssassin user Phil Randal, is to run sa-update. It's best practice for SA users to run sa-update every week or every few weeks to load the latest "in between-release" updates. Running sa-update will ensure that the bl.open-whois.org check is disabled.

I suspect that this blocking list check will be removed from SpamAssassin in future releases, but as of today (8/18/2009), the check is still in the most recent version available for download (3.2.5). As long as you run sa-update or manually disable this check, you should be all set.

TQMCUBE Status Updated

Here's a quick note to let you know that I've updated my page of information on the long-dead TQMCUBE blocking list. Click here for more information.

SORBS Status: Shutting Down or For Sale

As reported on Spamtacular and on SORBS' website:

"ANNOUNCEMENT: Possible SORBS Closure... It comes with great sadness that I have to announce the imminent closure of SORBS. The University of Queensland have decided not to honor their agreement with myself and SORBS and terminate the hosting contract.

Status of dnsbl.net.au: DEAD

The blocking list at dnsbl.net.au has announced it is winding down. As noted in a February 25, 2009 posting on its website, "Please note that as of Wednesday, April 1, 2009 the DNSBL.NET.AU blacklist will cease to exist."

As of this writing on April 29th, 2009, I do still see active entries when querying via DNS, but I assume that these are likely to go away soon. If you utilize this list, I'd recommend removing it from your MTA or spam filter configuration.

Status of DSBL: DEAD

The DNSBL called "DSBL" is no more. As of March 11, 2009, their website reports: "DSBL is GONE and highly unlikely to return. Please remove it from your mail server configuration."

Shutting Down Blocklists

As I often do, today I'm receiving reports that a DNSBL (which I've previously warned was dead) is returning false positive entries for those still using it today.

What does this mean?

Security Sage Update

It seems today as though the Security Sage domains have expired and/or been replaced by "placeholder" pages by their registrar. Net result: Bad things. If you were still using their BL, you're probably having problems receiving inbound mail right about now.

DSBL Current Status: DEAD

DSBL, the Distributed Sender Blackhole List, seems to have gone missing. The list appears to have been in operation since at least May, 2002.

Help, we're listed on ORDB!

I've received multiple queries about this today, so I figured it would be wise to put up a quick message about this.

ORDB is a long dead blocking list, gone for more than a year.

Recently, they started "listing the world" -- meaning everybody using ORDB is now blocking 100% of inbound mail. Blocking lists do this to shed themselves of any excess DNS query traffic from sites who haven't yet ceased querying their data. It can very much be considered a slap in the face -- hey, we tried shutting down the nice way, but since you're not listening, we're going to make all your mail bounce.

But what does that mean? Why am I listed?

You're not actually listed on ORDB. ORDB is returning a "yup, they're listed" answer for any IP address that people check. Meaning the whole world is listed. Everybody, not just you. It's not because they hate you, it's because they want people to stop querying their DNSBL.

If you received bounces from somebody that suggest that you're listed on ORDB, here's what to do:
  1. Call that person on the phone, if you can. Tell them all of their inbound mail is probably not working, and won't work, until they stop using ORDB. Point them to this page for more information.
  2. Don't worry. The person who bounced your mail is suddenly now having problems receiving any mail at all. They're likely to figure this out very quickly and fix it. Try your mail again, in a day or two.
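Both failure modes described on this page, the wildcard record that made bl.open-whois.org answer every query and a retired list such as ORDB "listing the world", can be caught from the receiving side before mail starts bouncing. The following is an added example, not code from the original post: it assumes an IPv4 DNSBL that follows the RFC 5782 test entries (127.0.0.2 is always listed, 127.0.0.1 never is), and the function names and `.example` zones are hypothetical.

```python
import socket

def system_resolve(name):
    """A records for name, [] on NXDOMAIN; raises OSError on timeout/SERVFAIL."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise
    return sorted({info[4][0] for info in infos})

def probe(zone, resolve=system_resolve):
    """Classify a DNSBL zone from its answers for the RFC 5782 test entries."""
    answers = []
    for ip in ("127.0.0.2", "127.0.0.1"):  # must be listed, must not be listed
        qname = ".".join(reversed(ip.split("."))) + "." + zone
        try:
            answers.append(resolve(qname))
        except OSError:  # includes TimeoutError and socket.gaierror
            return "unreachable"  # every lookup stalls the filter until timeout
    listed, unlisted = answers
    if unlisted:
        return "lists-everything"  # wildcard record or a list "listing the world"
    if not listed:
        return "empty"  # zone answers but carries no data any more
    return "ok"

def audit(zones, resolve=system_resolve):
    """Return {zone: verdict} for every zone that should leave the config."""
    verdicts = {zone: probe(zone, resolve) for zone in zones}
    return {zone: v for zone, v in verdicts.items() if v != "ok"}

# Constructed stand-in for live DNS so the example runs offline; the .example
# zone names are placeholders, not real blocklists.
def fake_resolve(name):
    zone = name.split(".", 4)[4]
    if zone == "dead.example":
        raise TimeoutError("name servers unreachable")
    if zone == "wildcard.example":
        return ["203.0.113.10"]  # parked domain answering every name
    if zone == "healthy.example" and name.startswith("2.0.0.127."):
        return ["127.0.0.2"]
    return []

if __name__ == "__main__":
    zones = ["healthy.example", "wildcard.example", "dead.example", "emptied.example"]
    for zone, verdict in audit(zones, fake_resolve).items():
        print(f"{zone}: {verdict}")
```

Called without the `resolve` argument, `audit` queries live DNS through the system resolver, so it can run from cron against the zones in your own filter configuration.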

Status of rbl.spamhaus.org: NOT A BLOCKING LIST

My friend Mickey Chandler pointed out recently that he's been seeing some unusual bounces that look like this:

Host blacklisted - Found on Realtime Black List server blocklist.address.is.wrong.spamhaus.org