DNSWL.org Announces Changes

Whitelist provider DNSWL.org announced changes to its operating model. Who is DNSWL.org? "Dnswl.org is the leading whitelist provider for email filtering. It is being used by over 50'000 organisations worldwide, and contains close to 100'000 entries of 'good mailservers.' Your email filter should try to avoid tagging messages as spam, if they come from one of those good mailservers."

As announced on their website and on multiple mailing lists today: "As announced earlier, dnswl.org will change it's operating model. "Heavy users" (defined as those doing > 100'000 queries/24 hours on the public nameservers) and vendors of anti-spam products and services will need a paid subscription.

We are now ready to implement the model and will gradually start to enforce it. Since we do not know the current users (all we have are IPs and sometimes hostnames), we will also need to "cut off" users if our attempts at identifying and notifying them fail.

The "cut off" may have two of effects: 1) rsync suddenly stops working 2) queries on the public nameservers are refused. We may be able to reinstate access on a case by case basis.

As usual, we can be reached at admins/at/dnswl.org (or office/at/dnswl.org for direct access to the people handling the subscriptions). All details are available from http://www.dnswl.org/ "

Spews.org Domain Expired

Thanks for Joe Sniderman for the tip that the domain spews.org has expired and was grabbed up by somebody that appears to be a domain speculator or parked domain monetizer. The SPEWS blocking list is long-dead, since August, 2006.

Status of ybl.megacity.org: DEAD

There once was a DNSBL called ybl.megacity.org. Exactly when it was created is lost to the mists of time, but I'm guessing it was somewhere around the end of 2001 or beginning of 2002, after its maintainer, Derek Balling, parted ways with Yahoo. I recall that the point of the list was to be able to reject mail from Yahoo.

Today, reader John Carver kindly wrote in to let me know that this blocking list is indeed defunct and has "listed the world," installing a wildcard DNS record with the result that if you use ybl.megacity.org in your mail server configuration, you're going to reject 100% of your mail. Query of any domain or IP address under ybl.megacity.org will result in a "127.0.0.2" positive response, that will make a mail server think it should reject the email message in question.

If you use ybl.megacity.org as a DNSBL list in your mail server configuration, I strongly recommend you remove it immediately. The list is long dead, and use of the list will result in you accidentally rejecting 100% of inbound mail.

As recently as 2006, the DNSBL also responded with text warning that it was defunct: "521 The IP is Blacklisted by ybl.megacity.org. This zone has been deprecated for about two years. Maybe if it starts blocking your mail you'll notice and stop using it." This is no longer the case; the text record does not seem to be present.

See also the Ipswitch ImailServer knowledge base article on this topic.

Beware: "Fake" Blocking list at nszones.com

Spamhaus reports that they have "uncovered a fake spam filter company which was pirating and selling DNSBL data stolen from major anti-spam systems including Spamhaus, CBL and SURBL, republishing the stolen data under the name 'nszones.com.'"

Ouch. I guess if you publish a free or easily accessed spam filtering tool, it is inevitable that at some point somebody would try to take the data and repackage it against copyright and against the data owner's wishes.

If you find yourself listed on this blocking list; don't fret. If what Spamhaus says is true (and I have little reason to doubt them), then this list is not really being used to block email. (And should not be used to block email.) Ignore it, stay listed, and eventually they'll move on to easier targets.

If you're a system administrator, DO NOT use any of the DNSBL zones at nszones.com for spam filtering purposes. As its intent may not be above-board, I would have strong concerns about the possibility of listing things only to engender a payment for delisting -- for reasons having nothing to do with spam fighting.

SURBL Announces New Experimental Blocking List

Today, the team behind the SURBL domain blaclists announced a new, experimental blocking list: xs.surbl.org.

As announced on the SURBL-Announce list: "An experimental source of some snowshoe and pill domains is now being published in xs.surbl.org.  SURBL considers this feed to be experimental and would very much welcome feedback about it, particularly about any false positives.  Does anyone know anyone who actually wants to receive snowshoe messages?"

You can read the entire announcement here.

Status of dnsbl.karmasphere.com: SHUTTING DOWN

As messaged to the Karmasphere-Users and Karmasphere-Announce mailing lists, the Karmasphere Reputation Services data feeds are being retired. This means that the associated blocking list(s), including the karmasphere.email-sender.dnsbl.karmasphere.com DNSBL zone, and any other DNSBL/DNSWL zones under karmasphere.com. It is unclear to the author if karmasphere.org is similarly affected.

Karmasphere has indicated that the feed service will be discontinued on November 16, 2009. It's very important that all Karmasphere-using mail administrators remove any Karmasphere-hosted DNSBLs from their configuration before that date, else inbound receipt of legitimate email messages could be delayed or otherwise impacted.

For more information, click on over to Spam Resource to read a copy of the Karmasphere notice.

Status of rbl.cluecentral.net: DEAD

The rbl.cluecentral.net DNSBLs were created in 2001 or 2002 by Sabri Berisha. The goal: To list "all known assigned IPv4 address space, by originating AS and by country. [This is based on] a full routing view is extracted daily from a router in the default free zone. The AS->country mapping is done via the statistics which are being provided by the four RIR's, ARIN, APNIC, LACNIC and RIPE."

Today, the website warns that the rbl.cluecentral.net service is closed. Sabri notes that "[it has become] more and more difficult and time-consuming to maintain a trustworthy list I started to notice more and more errors. The list is no longer of the quality needed to use in a production environment."

The website warns that if DNS queries continue at a high level, the DNS servers are likely to be configured in a way that will cause 100% of inbound mail attempts to be rejected, for all mail servers still using rbl.cluecentral.net. This makes it imperative that you remove any rbl.cluecentral.net zones from your mail server configuration, as soon as possible.

Status of blackholes.us: DEAD

Created by Matthew Evans in 2002, the goal of the blackholes.us site was "to create (yet more) DNS blocklists of spammers, spam supporting ISPs, spamware hosts, dialup networks, and other notorious email abusers originating in the United States." Matthew published many different DNSBL zones, listing various countries, ISPs, netblocks, etc.

Status of vox.schpider.com: DEAD

Scott Glassbrook writes: "I ran a dnsbl, vox.schpider.com many many years ago. I stopped the DNSBL back in June of 2006, and shut down the server it was running on. 

"Since that time, all queries to vox.schpider.com have timed out. I made an attempt to bring the domain name back up in 2008, only to find that people are still trying to query the domain name. [...] Because of that, I see no other option than to start returning positives for *any* query issued to vox.schpider.com, beginning 10/16/2009. If you happen to be trying to use a dead DNSBL, please update your mail server configuration."

Scott indicates that random mail administrators are still "pounding the hell" out of his DNSBL hundreds fo times per second, all day and all night, ever day. Not cool.

If you're still querying this DNSBL, it's important that you immediately remove it from your mail server configuration. As of October 16th, use of this DNSBL will result in you rejecting 100% of your inbound email.

Status of bl.open-whois.org: DEAD

As of July, it looks like a popular blocking list used in default SpamAssassin installations is no more. Users were reporting false positive issues, where every message checked by SpamAssassin would receive a score of 2.43, supposedly due to the sender being listed in the blocking list bl.open-whois.org.

The Open Whois list appears to have been created in 2007, with a goal of promoting transparency in domain registrations. According to the (now deceased) website, "It is a list of domains which are privately (or anonymously) registered, e.g. through services such as Domains By Proxy, or Moniker Privacy Protection."

As of July 18, 2009, it appears that a squatter has taken over the open-whois.org domain name. At first, the new owner of the domain used a "wildcard" DNS record, resulting in the return of a positive response for any DNS query. The net effect is that every domain checked against this blocking list results in a DNS response that makes your spam filter think that the domain is listed, usually incorrectly so.

Since the issue was first observed, the squatter must have noticed all of this DNS traffic coming from SpamAssassin users and decided that the traffic was undesirable, so they've modified the domain in whois so that its name servers point at obviously invalid IP addresses.

That's good, because it means there shouldn't be any more false positive issues, for now. But, it does mean that your SpamAssassin checks take longer than usual, as queries against this dead list will time out. (And who is to say the squatter won't resurrect the domain with valid DNS servers and perhaps another DNS wildcard, causing a whole new batch of false positives for a whole bunch of SpamAssassin users.)

If you're a SpamAssassin user, it would be wise to remove or disable the SpamAssassin rule that check for that list. The rule you're looking for is located in the "72_active.cf" file in the rules subdirectory of your SA installation.

To disable this check in your SpamAssassin installation (manually), move or delete the "72_active.cf" file from your rules directory. Where this directory is exactly located is going to depend on your installation. On my friend's Linux installation, the directory path is /etc/mail/spamassassin/rules .

The better thing to do, I was advised by friendly SpamAssassin user Phil Randal, is to run sa-update. It's best practice for SA users to run sa-update every week or few to load the latest "in between-release" updates. Running sa-update will ensure that the bl.open-whois.org check is disabled.

I suspect that this blocking list check will be removed from SpamAssassin in future releases, but as of today (8/18/2009), the check is still in the most recent version available for download (3.2.5). As long as you run sa-update or manually disable this check, you should be all set.

TQMCUBE Status Updated

Here's a quick note to let you know that I've updated my page of information on the long-dead TQMCUBE blocking list. Click here for more information.

SORBS Status: Shutting Down or For Sale

As reported on Spamtacular and on SORBS' website:

"ANNOUNCEMENT: Possible SORBS Closure... It comes with great sadness that I have to announce the imminent closure of SORBS. The University of Queensland have decided not to honor their agreement with myself and SORBS and terminate the hosting contract.