Status of bl.spamcannibal.org: DEAD

Back in 2016, I used this page to report on a temporary system issue with the Spam Cannibal DNSBL.

Today (May 30, 2018) I'm updating this page to let folks know that they should immediately cease using the Spam Cannibal blocking list. The domain spamcannibal.org seems to have expired and been taken over by somebody else. If you decide to visit the website, be careful! It tried to get me to install what I assume to be malware.

If you use this DNSBL in your mail server configuration, you're probably now rejecting all mail, as the domain has a wildcard DNS entry. This kind of thing makes a blocklist look like it has listed the whole world. Every IP address checked usually shows up as listed.

The Spam Cannibal DNSBL has been around since at least 2003. It was started by a gentleman that I think prefers to be anonymous, so I'm choosing not to name him. It was basically spamtrap-driven, though I believe it would sometimes list /24 blocks of IP addresses in response to some spamtrap hits. It wasn't that widely used, but back in the old days, it often put the fear of god into marketing senders when seeing a hit against this list on their favorite DNSBL checking tool. This was also good in that it helped to drive marketer understanding of how sending to bad addresses can cause bad things to happen. As the list was primarily spamtrap-driven, it was mostly safe for hobbyist mail server use (in my opinion, anyway).

I reached out to the publisher of the Spam Cannibal DNSBL He let me know that the DNSBL is dead and gone. It is no longer an ongoing concern.

Fifteen years is a pretty good run, if you ask me. I wish him best of luck on any future projects.

May 31, 2018 update: The operator of Spam Cannibal is working with some smart folks to shut down the list in a graceful fashion. While there is no longer a "wildcard DNS" issue, the list is no longer being updated and is retired; you should still remove it from your mail server configuration.

SURBL: Adding ABUSE sublist, deprecating SC & AB

The domain blocking list SURBL announced today that it is deprecating the SC (Spamcop) and AB (AbuseButler) sublists, migrating their data into a new ABUSE sublist. They note that the WS (Bill Stearns' sa-blacklist) sublist is also going to be migrated into ABUSE in 2016.

SURBL also recently announced the addition of SURBL-specific blocking notification messages to the popular SpamAssassin spam filtering software.

Status of no-more-funn.moensted.dk: DEAD

The "No More Funn" blocking list (DNSBL zone no-more-funn.moensted.dk) was run by a gentleman from Denmark using the alias dr. Jørgen Mash. First observed in 2002, listing criteria included spam sources, IP address ranges that appeared dynamic, bulk mailers not required confirmed opt-in (double opt-in) and more. It was easy for email service providers (ESPs) to end up listed there, and ESP clients would often ask about those listings because they would show up in DNSBL lookups, though it's not clear that the list was widely used for spam blocking.

At some point in 2012, the list was taken offline. At the end of 2015, the website reports that the list is still offline. Thus, I'm going to call this one "dead."

What is blacklist.zap?

Here's a blast from the past: Remember blacklist.zap?

There were various "blacklist.zap" lists and they were all indicative of blocking when sending to mailboxes hosted behind "FrontBridge" anti-spam and security protection:
  • The list 85.blacklist.zap specifically referred to FrontBridge's use of the Composite Blocking List (CBL). If you were blocked by 85.blacklist.zap, it meant that your sending IP address was listed on the CBL.
  • The list 86.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Block List (SBL). If you were blocked by 86.blacklist.zap, it meant that your sending IP address was listed on the SBL.
  • The list 87.blacklist.zap specifically referred to FrontBridge's use of the Spamhaus Exploits Block List (SBL). If you were blocked by 87.blacklist.zap, it meant that your sending IP address was listed on the XBL.
  • The list 88.blacklist.zap specifically referred to FrontBridge's own internally-generated blacklist of sending IP addresses noted to be spammy, usually based on a high percentage of mail from that IP address being denoted as spammy.
FrontBridge was later acquired by Microsoft and I think it's been a long time since anybody has seen blacklist.zap blocking in a bounce message, but I thought it would be good to keep a record of this for posterity's sake.

Status of dnsbl.burnt-tech.com: DEAD

Uh-oh! On or about September 19th, the domain burnt-tech.com seems to have expired. Now when you visit the website, you are informed that the domain is for sale. Also, you'll now find a wildcard A record in DNS, meaning that any lookup of any host name in DNS under burnt-tech.com will result in a positive response being returned.

The net result here is that due to the domain now having a wildcard A record, any users of the Burnt Tech DNSBL now find that they are blocking all inbound mail. If you were using the dnsbl.burnt-tech.com blocking list to filter inbound spam, you'll need to remove it from your mail server or spam filter configuration immediately, as it is going to impede your ability to receive any mail.

Reviewing Internet Archive versions of the Burnt Tech DNSBL website, it appears that the list has been in action since at least 2006. From a 2015 archived copy of the website: "The Block List runs entirely automated and designed to avoid listings of spamtrap hits due to bounces of forged spam, virus bounces, and "real" mail servers emitting the occasional spam. It tries very hard to avoid listing legitimate mail sources. It does not attempt to list every possible spam source."

No other information was available regarding ownership, listing criteria or history of this DNSBL.

(H/T: Matthew Vernhout)