It is with sadness that I report on the closure of Jon Lewis's NJABL blocking list. From the NJABL website: "March 1, 2013: NJABL is in the process of being shut down. The DNSBL zones have been emptied. After "the Internet" has had some time to remove NJABL from server configs, the NS's will be pointed off into unallocated space (192.0.2.0/24 TEST-NET-1) to hopefully make the shutdown obvious to those who were slower to notice."
NJABL (Not Just Another Bogus List) had been in existence from at least January 2002. Congrats to Jon and team for a pretty good run of eleven years.
Update: I received this in email: "Today, April 29, 2013, NS for the NJABL DNSBL zones is being pointed into 192.0.2.0/24 (TEST-NET-1) which is unrouted IP space. This will likely cause any systems using the NJABL DNSBL zones to experience long delays in DNS resolution of NJABL DNSBL lookups. This is being done both to sink the DNS query traffic and to hopefully be noticed by the owners/managers of those systems."
(H/T: Laura Atkins and others.)
All about DNSBLs, aka blocklists/blacklists // Since 2001 // Published by Al Iverson
Thanks for visiting! Remember that nowadays, (most) blocklists don't really govern deliverability and inbox placement. Want to learn more about email marketing best practices, email technology, and deliverability troubleshooting? Then you'll want to check out my other site, Spam Resource. |
Status of bl.csma.biz: DEAD
An entity called McFadden Associates had been publishing two different, spamtrap-driven DNSBL zones starting from October 2003. Almost ten years later, it appears that these blocklist zones are no more.
The McFadden CSMA blocking list encompassed two different DNSBL zones. The primary zone, bl.csma.biz, contained only "aggressive" hosts that have spammed repeatedly during a short (recent) timeframe. An additional zone, sbl.csma.biz, had a broader listing criteria, noted by the publisher as more suitable for scoring in a filtering system than outright blocking.
As of January 2013, querying either zone will result in a false positive response, showing that an IP address is blocked, due to a wildcard DNS entry. This means that you should immediately stop using either DNSBL in your spam blocking configuration, otherwise you will reject all inbound mail, legitimate or not.
It's fairly common for a list, when dying, to intentionally or un-intentionally "list the world," answering any DNS lookup request with what amounts to a "yep, that's blocked" response. This regularly causes problems for unsuspecting email system administrators who may still be querying blocking lists that are now out of commission. That's why it's important to periodically review your inbound mail server's configuration to revisit what DNSBL lists you might be using and whether or not it makes sense to continue to use them.
In this case, these lists are no more, and should be removed from any mail server configurations where they may still linger.
I've reached out to the one-time publisher of these lists, and I will follow up with more information if he's able to provide more details.
The McFadden CSMA blocking list encompassed two different DNSBL zones. The primary zone, bl.csma.biz, contained only "aggressive" hosts that have spammed repeatedly during a short (recent) timeframe. An additional zone, sbl.csma.biz, had a broader listing criteria, noted by the publisher as more suitable for scoring in a filtering system than outright blocking.
As of January 2013, querying either zone will result in a false positive response, showing that an IP address is blocked, due to a wildcard DNS entry. This means that you should immediately stop using either DNSBL in your spam blocking configuration, otherwise you will reject all inbound mail, legitimate or not.
It's fairly common for a list, when dying, to intentionally or un-intentionally "list the world," answering any DNS lookup request with what amounts to a "yep, that's blocked" response. This regularly causes problems for unsuspecting email system administrators who may still be querying blocking lists that are now out of commission. That's why it's important to periodically review your inbound mail server's configuration to revisit what DNSBL lists you might be using and whether or not it makes sense to continue to use them.
In this case, these lists are no more, and should be removed from any mail server configurations where they may still linger.
I've reached out to the one-time publisher of these lists, and I will follow up with more information if he's able to provide more details.
Status of rfc-ignorant.org: SHUTTING DOWN
One-time Yahoo administrator Derek Balling has announced that the RFC Ignorant blocking list is being shut down. This blocking list had existed since at least late 2001. Its listing criteria including things like not having an "abuse" or "postmaster"address that accepted mail. Listing criteria didn't necessarily overlap with the generally accepted criteria for fighting spam, so my guess is that this blocking list's lack of usefulness as a spam fighting tool had finally diminished past the point of no useful return. As Derek himself says, "the usefulness of a DNSBL is greatly diminished," and of the old hardware running the service, "the value proposition just isn't there."
I blogged about the RFC Ignorant blocking list back in 2006.
I blogged about the RFC Ignorant blocking list back in 2006.
Labels:
dead dnsbls,
derek balling; rfc-ignorant,
dnsbl
Status of blackholes.five-ten-sg.com: DEAD
The "Fiveten" Blocklist (blackholes.five-ten-sg.com) was a combination anti-spam blocking list run by Carl Byington, publishing under
the name of "510 Software Group." This blocking list has been available since at least February, 2001, and it appears to have been retired as of April 2012.
As of late April, 2012, any attempt to look up an entry on the list results in output indicating that "The blackholes.five-ten-sg.com list is retired. No ip address is listed here." Meaning, the list is no longer in operation.
I had previously written about this list back in October, 2007, and my 2007-2008 DNSBL statistics project data showed that the list may not be suitable for broad production use if one wishes to receive requested email messages. The list has been up and down at various other times, most recently being taken offline for a period in November 2010.
(Hat tip: Word to the Wise)
As of late April, 2012, any attempt to look up an entry on the list results in output indicating that "The blackholes.five-ten-sg.com list is retired. No ip address is listed here." Meaning, the list is no longer in operation.
I had previously written about this list back in October, 2007, and my 2007-2008 DNSBL statistics project data showed that the list may not be suitable for broad production use if one wishes to receive requested email messages. The list has been up and down at various other times, most recently being taken offline for a period in November 2010.
(Hat tip: Word to the Wise)
DNSWL.org Announces Changes
Whitelist provider DNSWL.org announced changes to its operating model. Who is DNSWL.org? "Dnswl.org is the leading whitelist provider for email filtering. It is being used by over 50'000 organisations worldwide, and contains close to 100'000 entries of 'good mailservers.' Your email filter should try to avoid tagging messages as spam, if they come from one of those good mailservers."
As announced on their website and on multiple mailing lists today: "As announced earlier, dnswl.org will change it's operating model. "Heavy users" (defined as those doing > 100'000 queries/24 hours on the public nameservers) and vendors of anti-spam products and services will need a paid subscription.
We are now ready to implement the model and will gradually start to enforce it. Since we do not know the current users (all we have are IPs and sometimes hostnames), we will also need to "cut off" users if our attempts at identifying and notifying them fail.
The "cut off" may have two of effects: 1) rsync suddenly stops working 2) queries on the public nameservers are refused. We may be able to reinstate access on a case by case basis.
As usual, we can be reached at admins/at/dnswl.org (or office/at/dnswl.org for direct access to the people handling the subscriptions). All details are available from http://www.dnswl.org/ "
As announced on their website and on multiple mailing lists today: "As announced earlier, dnswl.org will change it's operating model. "Heavy users" (defined as those doing > 100'000 queries/24 hours on the public nameservers) and vendors of anti-spam products and services will need a paid subscription.
We are now ready to implement the model and will gradually start to enforce it. Since we do not know the current users (all we have are IPs and sometimes hostnames), we will also need to "cut off" users if our attempts at identifying and notifying them fail.
The "cut off" may have two of effects: 1) rsync suddenly stops working 2) queries on the public nameservers are refused. We may be able to reinstate access on a case by case basis.
As usual, we can be reached at admins/at/dnswl.org (or office/at/dnswl.org for direct access to the people handling the subscriptions). All details are available from http://www.dnswl.org/ "
Spews.org Domain Expired
Thanks for Joe Sniderman for the tip that the domain spews.org has expired and was grabbed up by somebody that appears to be a domain speculator or parked domain monetizer. The SPEWS blocking list is long-dead, since August, 2006.
Status of ybl.megacity.org: DEAD
There once was a DNSBL called ybl.megacity.org. Exactly when it was created is lost to the mists of time, but I'm guessing it was somewhere around the end of 2001 or beginning of 2002, after its maintainer, Derek Balling, parted ways with Yahoo. I recall that the point of the list was to be able to reject mail from Yahoo.
Today, reader John Carver kindly wrote in to let me know that this blocking list is indeed defunct and has "listed the world," installing a wildcard DNS record with the result that if you use ybl.megacity.org in your mail server configuration, you're going to reject 100% of your mail. Query of any domain or IP address under ybl.megacity.org will result in a "127.0.0.2" positive response, that will make a mail server think it should reject the email message in question.
If you use ybl.megacity.org as a DNSBL list in your mail server configuration, I strongly recommend you remove it immediately. The list is long dead, and use of the list will result in you accidentally rejecting 100% of inbound mail.
As recently as 2006, the DNSBL also responded with text warning that it was defunct: "521 The IP is Blacklisted by ybl.megacity.org. This zone has been deprecated for about two years. Maybe if it starts blocking your mail you'll notice and stop using it." This is no longer the case; the text record does not seem to be present.
See also the Ipswitch ImailServer knowledge base article on this topic.
Today, reader John Carver kindly wrote in to let me know that this blocking list is indeed defunct and has "listed the world," installing a wildcard DNS record with the result that if you use ybl.megacity.org in your mail server configuration, you're going to reject 100% of your mail. Query of any domain or IP address under ybl.megacity.org will result in a "127.0.0.2" positive response, that will make a mail server think it should reject the email message in question.
If you use ybl.megacity.org as a DNSBL list in your mail server configuration, I strongly recommend you remove it immediately. The list is long dead, and use of the list will result in you accidentally rejecting 100% of inbound mail.
As recently as 2006, the DNSBL also responded with text warning that it was defunct: "521 The IP
Beware: "Fake" Blocking list at nszones.com
Spamhaus reports that they have "uncovered a fake spam filter company which was pirating and selling DNSBL data stolen from major anti-spam systems including Spamhaus, CBL and SURBL, republishing the stolen data under the name 'nszones.com.'"
Ouch. I guess if you publish a free or easily accessed spam filtering tool, it is inevitable that at some point somebody would try to take the data and repackage it against copyright and against the data owner's wishes.
If you find yourself listed on this blocking list; don't fret. If what Spamhaus says is true (and I have little reason to doubt them), then this list is not really being used to block email. (And should not be used to block email.) Ignore it, stay listed, and eventually they'll move on to easier targets.
If you're a system administrator, DO NOT use any of the DNSBL zones at nszones.com for spam filtering purposes. As its intent may not be above-board, I would have strong concerns about the possibility of listing things only to engender a payment for delisting -- for reasons having nothing to do with spam fighting.
Ouch. I guess if you publish a free or easily accessed spam filtering tool, it is inevitable that at some point somebody would try to take the data and repackage it against copyright and against the data owner's wishes.
If you find yourself listed on this blocking list; don't fret. If what Spamhaus says is true (and I have little reason to doubt them), then this list is not really being used to block email. (And should not be used to block email.) Ignore it, stay listed, and eventually they'll move on to easier targets.
If you're a system administrator, DO NOT use any of the DNSBL zones at nszones.com for spam filtering purposes. As its intent may not be above-board, I would have strong concerns about the possibility of listing things only to engender a payment for delisting -- for reasons having nothing to do with spam fighting.
SURBL Announces New Experimental Blocking List
Today, the team behind the SURBL domain blaclists announced a new, experimental blocking list: xs.surbl.org.
As announced on the SURBL-Announce list: "An experimental source of some snowshoe and pill domains is now being published in xs.surbl.org. SURBL considers this feed to be experimental and would very much welcome feedback about it, particularly about any false positives. Does anyone know anyone who actually wants to receive snowshoe messages?"
You can read the entire announcement here.
As announced on the SURBL-Announce list: "An experimental source of some snowshoe and pill domains is now being published in xs.surbl.org. SURBL considers this feed to be experimental and would very much welcome feedback about it, particularly about any false positives. Does anyone know anyone who actually wants to receive snowshoe messages?"
You can read the entire announcement here.
Status of dnsbl.karmasphere.com: SHUTTING DOWN
As messaged to the Karmasphere-Users and Karmasphere-Announce mailing lists, the Karmasphere Reputation Services data feeds are being retired. This means that the associated blocking list(s), including the karmasphere.email-sender.dnsbl.karmasphere.com DNSBL zone, and any other DNSBL/DNSWL zones under karmasphere.com. It is unclear to the author if karmasphere.org is similarly affected.
Karmasphere has indicated that the feed service will be discontinued on November 16, 2009. It's very important that all Karmasphere-using mail administrators remove any Karmasphere-hosted DNSBLs from their configuration before that date, else inbound receipt of legitimate email messages could be delayed or otherwise impacted.
For more information, click on over to Spam Resource to read a copy of the Karmasphere notice.
Karmasphere has indicated that the feed service will be discontinued on November 16, 2009. It's very important that all Karmasphere-using mail administrators remove any Karmasphere-hosted DNSBLs from their configuration before that date, else inbound receipt of legitimate email messages could be delayed or otherwise impacted.
For more information, click on over to Spam Resource to read a copy of the Karmasphere notice.
Status of rbl.cluecentral.net: DEAD
The rbl.cluecentral.net DNSBLs were created in 2001 or 2002 by Sabri Berisha. The goal: To list "all known assigned IPv4 address space, by originating AS and by country. [This is based on] a full routing view is extracted daily from a router in the default free zone. The AS->country mapping is done via the statistics which are being provided by the four RIR's, ARIN, APNIC, LACNIC and RIPE."
Today, the website warns that the rbl.cluecentral.net service is closed. Sabri notes that "[it has become] more and more difficult and time-consuming to maintain a trustworthy list I started to notice more and more errors. The list is no longer of the quality needed to use in a production environment."
The website warns that if DNS queries continue at a high level, the DNS servers are likely to be configured in a way that will cause 100% of inbound mail attempts to be rejected, for all mail servers still using rbl.cluecentral.net. This makes it imperative that you remove any rbl.cluecentral.net zones from your mail server configuration, as soon as possible.
Today, the website warns that the rbl.cluecentral.net service is closed. Sabri notes that "[it has become] more and more difficult and time-consuming to maintain a trustworthy list I started to notice more and more errors. The list is no longer of the quality needed to use in a production environment."
The website warns that if DNS queries continue at a high level, the DNS servers are likely to be configured in a way that will cause 100% of inbound mail attempts to be rejected, for all mail servers still using rbl.cluecentral.net. This makes it imperative that you remove any rbl.cluecentral.net zones from your mail server configuration, as soon as possible.
Status of blackholes.us: DEAD
Created by Matthew Evans in 2002, the goal of the blackholes.us site was "to create (yet more) DNS blocklists of spammers, spam supporting ISPs, spamware hosts, dialup networks, and other notorious email abusers originating in the United States." Matthew published many different DNSBL zones, listing various countries, ISPs, netblocks, etc.
Subscribe to:
Posts (Atom)