All about DNSBLs, aka blocklists/blacklists // Since 2001 // Published by Al Iverson
Thanks for visiting! Remember that nowadays, (most) blocklists don't really govern deliverability and inbox placement. Want to learn more about email marketing best practices, email technology, and deliverability troubleshooting? Then you'll want to check out my other site, Spam Resource. |
SORBS: Changes?
Newsgroup participant Ian Manners reports that SORBS maintainer Matthew Sullivan posted about this to the SORBS-Announce mailing list:
Some of you have noticed that the DUHL (dul.dnsbl.sorbs.net) and Spam (*.spam.dnsbl.sorbs.net) zones are empty on the Rsync and DNS server. This is quite deliberate and I apologise for not posting a message about it previously.
Ian goes on to explain that he believes Matthew is "taking a break due to emotional and SORBS stress and has emptied those databases that need his constant attention."
From review of the data I track on SORBS main DNSBL zone (dnsbl.sorbs.net), it's clear that changes started taking place on July 9th. Since then, the false positive rate as dropped to zero, and the effectiveness rate has also plummeted (from around 47% percent effectiveness on recent 7 day averages, down to 14-19% effectiveness on recent daily averages). Based on the fact that dnsbl.sorbs.net is a combined zone, I would suspect that this is in line with the SORBS maintainer removing the significant amounts of data provided by the "spam" and "DUHL" zones.
Over the past thirteen weeks, my measured effectiveness of the main SORBS zone had been on a slight, but steady, decline. From 56% effective in March, to 47% effective for the week before the data changes took place. False positives (measured against the solicited mail I sign up for, of course), varied slightly but generally were around 9% week over week.
I've been reading all I can on the topic of SORBS lately (and engaging in occasionally-heated discussions with Matthew, learning more on how he runs things), with the intent of writing a more detailed review. I'm not quite ready to do that yet, and these changes suggest that I should wait and see what happens, first. Stay tuned for more on this topic in the future.
Changes at UCEPROTECT
Whatever your opinion of UCEPROTECT, hold on to your hat, as things are apparently about to change.
This posting to the USENET newsgroup news.admin.net-abuse.email indicates that Johann Steigenberger is no longer involved with UCEPROTECT. Going forward, Claus v. Wolfhausen has indicated that he is charge of the lists.At first there was some concern that this post wasn’t true, that it was a deception. I’ve spoken to Claus via email, and that, along with other information, leads me to believe that this is in fact true and correct. (I’ve met neither individual in person, so I suppose this could be a giant hoax, but I’ve got no reason to believe so at this time.)
Claus indicates that UCEPROTECT will no longer list for backscatter and sender verification callouts. These two listing criteria were controversial and I am told that they resulted in numerous complaints of false positives relating to UCEPROTECT. These data relating to listings based on these criteria are being repurposed into a new blocking list at www.backscatterer.org.
He went on to say due to his intervention, UCEPROTECT has ceased publishing the controversial “anonymous” APEWS blocklist data, and that he is unsure if UCEPROTECT will again publish the APEWS data in the future. APEWS, an “anonymous” list widely thought to be created as a replacement for the defunct SPEWS, has been regularly criticized by respected anti-spam advocates such as Steve Linford of Spamhaus and Suresh Ramasubramanian of ISP Outblaze. Controversy includes listing policies considered to be broad and inaccurate, and contact/removal policies perceived as cruel to listees (by deflecting all contact away from the blocklist and toward public discussion forums where listees are often subject to abuse from unrelated parties).
I have yet to write and post reviews of UCEPROTECT or APEWS for dnsbl.com. Look for this in the future.
Status of dnsbl.tqmcube.com: DEAD
From 2007: Various sources and my own investigation show that the website seems to be running on autopilot with nobody at the helm.
A postmaster at a large ISP contacted me and indicated that he had received no response to DNSBL remove requests submitted to TQM. Those requests were submitted on March 27th, and it is now June 30th (2007) that I write this article.
Other data points showing that the list appears to be unmanned and likely abandoned:
The list's website has a "last update" date of March 11, 2007.
The last known response received in reply to a blocking list remove request seems to have been in February, 2007.
I contacted David Cary Hart via email to the address on his domain registration on June 20th, 2007, and have not received a reply.
I contacted the abuse desk of his ISP (Fortress ITX) and asked them to confirm that he was alive. This was on June 24th. I received a ticket number but no other response.
The DNSBL's experimental world zone has not been operational since December, 2006.
The last known sighting of Mr. Hart online appears to be here, from April 2007.
This newsgroup posting from Colin Leroy on June 14, 2007 indicates that Colin had last seen email from Mr. Hart back in December, 2006. The email was a message posted to a mailing list that they both participate in.
- Others have indicated to me that they have called the telephone number in the TQMCUBE domain registration, and that the voice mail box associated with this phone number is full, no longer accepting new messages.
This thread in the news.admin.net-abuse.email newsgroup wondering why the list's administrators are non-responsive is typical of the discussion I've come across during my investigation. I am receiving numerous reports of issues with listings going unresolved. Additionally, when checked against my personal spamtrap data (8000+ spams/day) I am seeing the effectiveness of this list trending downward over the past few weeks.
After careful consideration of all of the facts and discussion surrounding the status of TQM and its maintainer, I do not think it is wise to use the TQMCUBE DNSBL.
November 25, 2007 update: Within the past week, a large number of entries have been removed from the TQMCUBE blocking list database. The Internet Wayback Machine suggests that TQMCUBE had 1.37 million IP addresses listed on August 29, 2007. As of today, November 25th, the TQMCUBE website suggests that there are approximately 851,000 active listings.
Status of blackholes.intersil.net: DEAD
Status of blacklist.spambag.org: DEAD
Spambag, created and run by Sam Varshavchik, developer of the Courier mail server, has been operating this list since at least November, 2001.
The list had the following listing criteria: "[Spambag is my] personal list of networks who I block from sending me mail or accessing my web servers, because I believe the networks actively or passively allow abusive or antisocial behavior. Examples of what I consider abusive or antisocial behavior are: spamming, mailbombing, mail server dictionary attacks, and web page E-mail address harvesting."
I last noted a hit against this DNSBL on May 26th, at 1:34 am US central time. Note that I was not a user of this list; I simply measure its effectiveness and status, like I do for many other lists.
This post to news.admin.net-abuse.email explains that Sam Varshavchik shut the list down, and that he felt his efforts had not been as productive as he would've liked them to be.
I would recommend removing blacklist.spambag.org from your list of DNSBLs to check, as it is no longer in operation.
Spamcop BL: Take Another Look (It’s Accurate!)
If you know me, you know that in the past, I’ve made no secret of my disdain for the Spamcop DNSBL, aka the SCBL.
I was trying to do the right thing. I was implementing what Spamcop (and other anti-spam groups) want: confirmed opt-in/double opt-in. Yet Spamcop was listing the servers and subsequent mailings regardless. It made me really frustrated, and I was very disappointed. See, it’s not really fighting spam. It’s just blocking mail you don’t like, or don’t care about. While perfectly allowed, I am of the opinion that it’s lame to do so under the banner of “fighting the good fight” to stop spam. I’ve shared my thoughts on this topic in just about every available forum—websites, blogs, discussion lists. I know I’ve personally guided many sysadmins away from using the SCBL in the past, because it was easily, demonstrably, listing things that were obviously not spam.
In February 2007, I found that Microsoft was using the SCBL to filter/reject inbound corporate email. (Note that I said corporate email—mail sent to users at micrsoft.com, not users of MSN or Hotmail. I don’t know whether or not SCBL data is used in MSN Hotmail delivery determination, but from what I’ve observed, it doesn’t seem to be.) This started me off on another rant on how ill-advised I felt this was, based on my prior experiences with Spamcop. Some kindly folks (and some less kindly) suggested that I needed to revisit my opinion of the Spamcop blocking list, because things have changed.
DNSBL | Spam hits | Acc % | Ham hits | Failure Rate |
Spamcop SCBL | 156194 | 49.37% | 0 | 0.00% |
Spamhaus ZEN | 255521 | 80.77% | 5 | 0.10% |
Spamcop+ZEN | 267795 | 84.65% | 5 | 0.10% |
| | | | |
Range: | ~ 74 days | | | |
Total Spam | 316348 | | | |
Total Ham | 4999 | | | |
As you can see, Spamcop helps you attack nearly 50% of spam received, while affecting no legitimate senders. Very few lists do better. Spamhaus ZEN (which combines multiple lists) does better, but will occasionally have a false positive, based on some reputational issue perceived with a given sender.
Spamcop Roundup http://www.dnsbl.com/2007/03/spamcop-roundup.html Spamcop BL: A blocklist with a hair trigger http://www.dnsbl.com/2007/02/spamcop-bl-list-with-hair-trigger.html Microsoft using Spamcop BL http://www.spamresource.com/2007/02/microsoft-using-spamcop-and-spamhaus.html My Problems with Spamcop http://www.spamresource.com/2003/03/problems-with-spamcop.html
Status of relays.orbs.org: Shut down, legal troubles in 2001
People keep asking me about the situation regarding ORBS and its eventual downfall. It happened so long ago, that I don't feel that it would be appropriate to try to fill people in from memory alone. Instead, here's links to a lot of the articles I've found regarding Alan Brown and ORBS. If you have any others, drop me a line and I'll add them to this page.
- Wikipedia's page on ORBS.
- Thread from the newsgroup nz.comp that discusses the shutdown and contains opinions regarding ORBS' listing policies.
- Here's an overview of legal action against Alan Brown, I believe around the same times as ORBS was imploding. Apparently he was sued for defamation over this newsgroup post, and lost. (More commentary on that here, from someone else involved, writing about it a couple of years after the fact.)
- This Register article talks about the legal action against Alan Brown and ORBS regarding Alan's listing of Xtra and Actrix. Courts found that they were falsely listed on the ORBS blocking list.
- An Actrix rep points out that the reason they were listed is due to getting sucked into the disagreement between Alan Brown and Domainz Followups from others indicate that the Actrix IP address was listed as an open relay input. According to Actrix, it was not an open relay.
- Some newsgroup commentary regarding the defamation suit and ORBS listing policies.
- Tom Betz posts Alan Brown's statement to SPAM-L encouraging the blocking of Telecom NZ and indicating that he's no longer in New Zealand.
- Here's an interesting article about ORBS and the controversy surrounding its practices, from Salon.com.
Status of rbl.cluecentral.net: ALIVE
The DNSBL “rbl.cluecentral.net” has been revived. Its maintainer, Sabri Berisha, had previously shut it down in November 2005.
This list aims to allow you to allow or block mail from specific countries, or from certain routers (by AS number).
For example, if you wish to block all mail from the
Note that while these lists may be used to block spam, they're not exactly spam-blocking lists. Rejecting all mail from China simply means that you're going to reject all mail from China, spam or non-spam. It's up to you to determine whether or not this is an acceptable compromise. I assume, like with users of korea.services.net, administrators who choose to use this list are fed up with spam from a certain country's servers, and receive little enough legitimate mail from a country that the risk of false positives is considered acceptable.
Which DNSBLs work well?
And I'm tired of taking other peoples' word for it that a certain blocklist works well or doesn't work well -- I've been burned a number of times by people listing stuff on a blocklist outside of a list's defined charter. It's very frustrating. And lots of people publish stats on how much mail they block with a given list, which is an incomplete measure of whether or not a list is any good. Think about it. If you block all mail, you're going to block all spam. But you're going to block all the rest of your inbound mail, too. And when you block mail with a DNSBL, you don't always have an easy way to tell if that mail was actually wanted or not.
So, I decided to tackle it a bit differently than other folks have. See, I have my own very large spamtrap, and the ability to compare lots of data on the fly.
For this project, I've created two feeds. One is a spam feed, composed of mail received by my many spamtrap addresses, with lots of questionable mail and obvious non-spam weeded out. I then created a non-spam feed. In this “hamtrap” I am directed solicited mail that I signed up for from over 400 senders, big and small. Now, I just have to sit back, watch the mail roll in, and watch the data roll up.
For the past week or so, I’ve been checking every piece of mail received at either the spamtrap or hamtrap against a bunch of different blocklists. I wrote software to ensure that the message is checked within a few minutes of receipt, a necessary step to gather accurate blocklist “hit” data.
After that first week, here’s what I’ve found. It might be obvious to you, or it might not: Spamhaus is a very accurate blocklist, and some others...aren't. Spamhaus’s “ZEN” blocklist correctly tagged about two-thirds of my spam, and tagged no desired mail incorrectly. Fairly impressive, especially when compared to some other blocklists. SORBS correctly tagged 55% of my spam mail, but got it wrong on the non-spam side of things ten percent of the time. If you think throwing away ten percent of the mail you want is troublesome, how about rejecting a third of desired mail? That’s what happens if you use the Fiveten blocklist. It correctly would block 58% of my spam during the test period, but with a false positive rate of 34%, that would make it unacceptable blocklist to use in any corporate environment where you actually want to receive mail your users asked to receive.
One fairly surprising revelation is that Spamcop’s blocklist is nowhere as bad as I had previously believed it to be. I’ve complained periodically here about how Spamcop’s math is often wrong, how it too often lists confirmed opt-in senders, how it is too aggressive against wanted mail, but...my data (so far) shows a complete lack of false positives. This is a nice change, and it makes me very happy to see. Assuming this trend keeps up, I think you'll see me rewriting and putting disclaimers in front of some of my previous rants on that topic.
NJABL Dynablock List Now Obsolete
If you use or know people who use dynablock.njabl.org, this is important information:
With the advent of Spamhaus's PBL (http://spamhaus.org/pbl/), dynablock.njabl.org has become obsolete. Rather than maintain separatesimilar DNSBL zones, NJABL will be working with Spamhaus on the PBL. Effective immediately, dynablock.njabl.org exists as a copy of the Spamhaus PBL. After dynablock users have had ample time to update their configurations, the dynablock.njabl.org zone will be emptied.
Other NJABL zones (i.e. dnsbl, combined, bhnc, and the qw versions) will continue, business as usual, except that combined will eventually lose its dynablock component.
If you currently use dynablock.njabl.org we recommend you switch immediately to pbl.spamhaus.org.
If you currently use combined.njabl.org, we recommend you add pbl.spamhaus.org to the list of DNSBLs you use.
You may also want to consider using zen.spamhaus.org, which is a combination zone consisting of Spamhaus's SBL, XBL, and PBL zones.
(Editor's note: I'm very happy with ZEN so far. See this post detailing my recent experiences.)
Spamcop Roundup
5/22/2007: This information is out of date. Please click here for my latest take on Spamcop's SCBL.
My most recent take on Spamcop, from February 2007, can be found here. In that commentary, I talk about the history of the Spamcop spam reporting service, its current corporate ownership, and my take on how this type of DNSBL works, especially as to how it relates to to the impact against solicited (wanted) mail.
In February 2007, I found that Microsoft is using Spamcop to filter inbound (corporate) mail. By corporate mail, I mean mail to microsoft.com users, not mail to MSN/Hotmail users. This surprised me, because of what I believe are aggressive listing practices on the part of Spamcop. Indeed, how the issue was brought to my attention was by an unhappy person mad because he couldn't send one-to-one mail to Microsoft, because Spamcop blocked it.
Also, back in 2003, I published an article about the ongoing issues I was having with Spamcop blocking opt-in confirmation requests. Back then I found (through some admittedly unscientific survey techniques) that admins using the SCBL seemed to assume that all blocked mail must be spam because Spamcop blocked it. Not a very encouraging find. It was also a bit insulting to be lectured on how confirmed opt-in worked by people who were blocking confirmed opt-in requests, especially considering I've been pushing senders to implement and utilize confirmed opt-in/double opt-in for many years.
Spamhaus ZEN: Recommended
Until then, feel free to bop on over to Spam Resource, where I talk about my experience using the Spamhaus ZEN list to tag and filter inbound mail to our abuse desk. I've been quite pleased with the results.
Also of note is that Microsoft is using both Spamcop and Spamhaus to reject mail to their corporate users. (They're NOT using it on MSN Hotmail.)
Update: Find my full review of Spamhaus ZEN here on DNSBL Resource.