What is blacklist.zap?

Here's a blast from the past: Remember blacklist.zap?

There were various "blacklist.zap" lists and they were all indicative of blocking when sending to mailboxes hosted behind "FrontBridge" anti-spam and security protection:
  • The list 85.blacklist.zap specifically referred to FrontBridge's use of the Composite Blocking List (CBL). If you were blocked by 85.blacklist.zap, it meant that your sending IP address was listed on the CBL.
  • The list 86.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Block List (SBL). If you were blocked by 86.blacklist.zap, it meant that your sending IP address was listed on the SBL.
  • The list 87.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Exploits Block List (SBL). If you were blocked by 87.blacklist.zap, it meant that your sending IP address was listed on the XBL.
  • The list 88.blacklist.zap specifically referred to FrontBridge's own internally-generated blacklist of sending IP addresses noted to be spammy, usually based on a high percentage of mail from that IP address being denoted as spammy.
FrontBridge was later acquired by Microsoft and I think it's been a long time since anybody has seen blacklist.zap blocking in a bounce message, but I thought it would be good to keep a record of this for posterity's sake.

Status of dnsbl.burnt-tech.com: DEAD

Uh-oh! On or about September 19th, the domain burnt-tech.com seems to have expired. Now when you visit the website, you are informed that the domain is for sale. Also, you'll now find a wildcard A record in DNS, meaning that any lookup of any host name in DNS under burnt-tech.com will result in a positive response being returned.

The net result here is that due to the domain now having a wildcard A record, any users of the Burnt Tech DNSBL now find that they are blocking all inbound mail. If you were using the dnsbl.burnt-tech.com blocking list to filter inbound spam, you'll need to remove it from your mail server or spam filter configuration immediately, as it is going to impede your ability to receive any mail.

Reviewing Internet Archive versions of the Burnt Tech DNSBL website, it appears that the list has been in action since at least 2006. From a 2015 archived copy of the website: "The Block List runs entirely automated and designed to avoid listings of spamtrap hits due to bounces of forged spam, virus bounces, and "real" mail servers emitting the occasional spam. It tries very hard to avoid listing legitimate mail sources. It does not attempt to list every possible spam source."

No other information was available regarding ownership, listing criteria or history of this DNSBL.

(H/T: Matthew Vernhout)

Status of truncate.gbudb.net: ALIVE

The "Truncate" DNSBL (zone truncate.gbudb.net) lists IPv4 addresses that have been observed transmitting "email containing spam, scams, viruses, or other malware based on statistics in the global GBUdb network." This "Good, Bad, Ugly database (GBUdb)" is a "real-time collaborative IP reputation system," based on statistics collected by email threat protection software Message Sniffer.

If you're listed on the Truncate DNSBL, can you request removal? No, explains the website. IP addresses are removed automatically, usually within a couple of days of the bad activity having ceased. They warn, however, that in some instances, if enough bad activity was denoted, it may take longer for an IP address to automatically disappear from their list.

Have any more information you'd like to share about this blocking list? Please feel free to contact me and I'll be happy to update this page with your additional information.

Status of dul.ru: DEAD

As noted by participants of the SDLU mailing list, the Russian Dial-up User List at the domain dul.ru is no more.

The Russian Dial-up User List website is no longer to be found at dul.ru; when you visit that domain you find a simple Russian-language "this domain is for sale" page.

As of May 19, 2015, this domain seems to have been set to "wildcard" status in DNS. This means that DUL.ru is effectively "listing the world;" any site still using the DUL.ru DNSBL zone will reject all inbound mail until this DNSBL is removed from that mail server's configuration.

The Russian Dial-up User list appears to have been a dialup or dynamic blocking list. The intent of this type of anti-spam tool is usually to block SMTP connections from hosts that aren't typically expected to be running mail services.

H/T: Neil Schwartzman

Reminder: AHBL is Shutting Down

As previously reported, the AHBL DNSBL has been shut down.

Please note that the publisher of the AHBL DNSBL has indicated that she will set all of the DNS zones to "wildcard" status as of January 1st. This means that AHBL will be effectively "listing the world;" any site still using any of the AHBL DNSBL zones will reject all inbound mail until the AHBL DNSBL zones are removed from that mail server's configuration.

Brielle Bruns posted the following to the SDLU mailing list on 12/26/14: "Figured I'd give one last notice that I'm about to wildcard all of the public AHBL zones on Jan 1st, 2015.

"If you are still using them in your mail servers, or know someone who is, now would be a good time to remove them.  Most of the major packages that came with configuration options for using the AHBL have long since removed them (such as SpamAssassin), but there are still many many people out there who make no effort to maintain their services and/or don't upgrade/check configurations.

The private zones which some people know of and have access to will not be affected by this wildcarding, as they are still considered 'active' and 'maintained'."

Status of rbl.orbitrbl.com: DEAD

Today, Mark E. Jeftovic of EasyDNS warned readers of the Mailop list that it is unwise to use the DNSBL "rbl.orbitrbl.com" due to a combination of abandonment and administrative issues.

He writes: "As some of you may know, we recently took over ZoneEdit.com and it's customer base.

We've found a domain on the system: rbl.orbitrbl.com which is delegated to zoneedit nameservers, broken (it is not allowed to zone transfer from it's designated master), unresponsive (account owner is not answering email, has an address in Sri Lanka and no telephone number), is using excessive queries (~ >500M queries per day on a "free dns" domain) and attracting repeated, multiple DDoS attacks.

As such, we will be wildcarding this zone and setting a long TTL fairly soon.

If you're actually using this RBL in your MTAs, now's a good time to stop. (this RBL is broken on 5 out of it's 6 delegated nameservers across 3 separate providers)."

Status of dnsbl.ahbl.org: SHUTTING DOWN

On March 26, 2014, DNSBL administrator Brielle Bruns announced that the Abusive Hosts Blocking List DNSBLs are to be shut down.

In email to me, she explained:
"After quite a bit of thought and consideration, I've decided that it is time to wind down some of the AHBL's public DNSbl services - specifically the dnsbl, ircbl, and rhsbl. 
We've had a good 11 year run with the lists.  Times have changed -- with the deployment of IPv6 moving full speed ahead, I don't feel that the current implementation of our DNSbl services are suited to the task. 
This doesn't mean that the AHBL is going away - we'll still be around, just focusing our efforts on a mix of other anti-abuse related things and a relaunch of the RHSbl (likely in 2-3 months, possibly sooner). 
I look forward to continuing to work with the community, and appreciate and value the feedback I've received over the years."
As a result, the lists dnsbl.ahbl.org, ircbl.ahbl.org and rhsbl.ahbl.org, and associated public look up tools are being retired.

I've known Brielle for many years and my interactions with her have been universally positive. Congratulations on a long eleven year run with AHBL, and I hope whatever she works on next is something she finds fun and fulfilling.

Status of dnsblchile.org: ALIVE

DNSBL Chile, created in 2011, appears to be a Chilean homegrown effort to tackle spamblocking from a local perspective. As they explain on their website: "Existing DNSBL services aim to block spam based on the type and origin affecting certain types of user. Chilean spam is generally ignored by these DNSBLs, mainly because of the language barrier. This raises the need for a specific DNSBL for Chile, which is able to investigate cases of spam in South-American Spanish."

The DNSBL zone is just "dnsblchile.org" and they report a few different types of responses: 127.0.0.2 and 127.0.0.3 for "verified spam sources," 127.0.0.5 for "verified scam sources," and 127.0.0.10 and 127.0.0.11 for DUL/PBL-like dynamic/"should not be running an MTA" entries.

I don't know much about this list in particular but it's always nice to see somebody attempt to address a previously segment or region's spam problem.  If you have any thoughts or details around this list, don't hesitate to drop me a line.

(Crappy translation above courtesy of my high school Spanish + a little help from Google Translate.)

Status of APEWS: ????

Long-standing (though not very accurate) blocking list APEWS seemed to be down for the count. Their website at www.apews.org has been down since March 15th, according to David Ritz.

My recommendation to mail administrators is to stop using APEWS. But then again, was anybody using APEWS recently, anyway?

For history's sake, here's a link to the article I published long ago, explaining what to do if you find yourself listed by APEWS.

APEWS was previously down for three weeks in August, 2010.

Update: APEWS appears to have returned somewhere around May 1st, 2013.

It goes down, it comes back up, it goes down again, it comes back up again. At this point I think we'll just call it a status of "?????"

Status of spamtrap.trblspam.com: DEAD

The DNSBL spamtrap.trblspam.com appears to have gone offline as of April 2, 2013. It appears to have been created in early 2011 by somebody known as "Tom from TRBL," whom I observed participating in various email discussion lists. I've emailed Tom and will update this page if I receive any further details.

I recommend removing spamtrap.trblspam.com from any blocklist checking you're doing. Any time a list is shut down, there's a chance that they will end up putting in a wildcard DNS record, which ends up effectively "listing the world" and causing problems for any receiving sites who still have that DNSBL configured in their mail server configuration.

(Thanks to Martijn Grooten for the heads up.)

Status of dnsbl.njabl.org: DEAD

It is with sadness that I report  on the closure of Jon Lewis's NJABL blocking list.  From the NJABL website: "March 1, 2013: NJABL is in the process of being shut down. The DNSBL zones have been emptied. After "the Internet" has had some time to remove NJABL from server configs, the NS's will be pointed off into unallocated space (192.0.2.0/24 TEST-NET-1) to hopefully make the shutdown obvious to those who were slower to notice."

NJABL (Not Just Another Bogus List) had been in existence from at least January 2002. Congrats to Jon and team for a pretty good run of eleven years.

Update: I received this in email: "Today, April 29, 2013, NS for the NJABL DNSBL zones is being pointed into 192.0.2.0/24 (TEST-NET-1) which is unrouted IP space.  This will likely cause any systems using the NJABL DNSBL zones to experience long delays in DNS resolution of NJABL DNSBL lookups.  This is being done both to sink the DNS query traffic and to hopefully be noticed by the owners/managers of those systems."

(H/T: Laura Atkins and others.)

Status of bl.csma.biz: DEAD

An entity called McFadden Associates had been publishing two different, spamtrap-driven DNSBL zones starting from October 2003. Almost ten years later, it appears that these blocklist zones are no more.

The McFadden CSMA blocking list encompassed two different DNSBL zones. The primary zone, bl.csma.biz, contained only "aggressive" hosts that have spammed repeatedly during a short (recent) timeframe. An additional zone, sbl.csma.biz, had a broader listing criteria, noted by the publisher as more suitable for scoring in a filtering system than outright blocking.

As of January 2013, querying either zone will result in a false positive response, showing that an IP address is blocked, due to a wildcard DNS entry. This means that you should immediately stop using either DNSBL in your spam blocking configuration, otherwise you will reject all inbound mail, legitimate or not.

It's fairly common for a list, when dying, to intentionally or un-intentionally "list the world," answering any DNS lookup request with what amounts to a "yep, that's blocked" response. This regularly causes problems for unsuspecting email system administrators who may still be querying blocking lists that are now out of commission. That's why it's important to periodically review your inbound mail server's configuration to revisit what DNSBL lists you might be using and whether or not it makes sense to continue to use them.

In this case, these lists are no more, and should be removed from any mail server configurations where they may still linger.

I've reached out to the one-time publisher of these lists, and I will follow up with more information if he's able to provide more details.