Monday, November 23, 2009

Blacklists Compared

SkyHi @ Monday, November 23, 2009
Survey results for all known public IP-based DNS blacklists. Lookups were done on connecting IP addresses. The "union of most IP zones" line excludes the hostkarma.junkemailfilter.com (all results but 127.0.0.2, 127.0.0.3, and 127.0.0.4), exemptions.ahbl.org, query.bondedsender.org, list.dnswl.org, accredit.habeas.com, iadb.isipp.com, and iadb2.isipp.com zones because they are not blacklists. Because it is too aggressive to be widely useful the l2.apews.org zone is also excluded from the union.

Hits DNS Zone
170583 (total number of IP addresses tested, including 182 at SDSC)
167027 (union of most IP zones)
154048 b.barracudacentral.org
151539 zen.spamhaus.org (union of all results)
143380 l2.apews.org
116790 cbl.abuseat.org
116704 zen.spamhaus.org (result 127.0.0.4 = Composite Blocking List)
110585 dnsbl-3.uceprotect.net
109629 dnsbl-1.uceprotect.net
108983 hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
108857 dnsbl-2.uceprotect.net
106530 dnsbl.sorbs.net (union of all results)
98651 zen.spamhaus.org (result 127.0.0.11 = Spamhaus PBL, Spamhaus entry)
98430 psbl.surriel.com
81072 dnsbl.sorbs.net (result 127.0.0.7 = hacked/vulnerable)
80507 ubl.unsubscore.com
64818 bl.spameatingmonkey.net
49453 blackholes.five-ten-sg.com (union of all results)
45645 blackholes.five-ten-sg.com (result 127.0.0.2 = spam source)
44228 hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
40680 no-more-funn.moensted.dk (union of all results)
38401 db.wpbl.info
38043 dnsbl.sorbs.net (result 127.0.0.10 = dialup)
33895 bl.spamcop.net
31653 bl.score.senderscore.com
25521 no-more-funn.moensted.dk (result 127.0.0.3 = dialup)
24715 zen.spamhaus.org (result 127.0.0.10 = Spamhaus PBL, ISP contributed)
20635 spam.dnsbl.sorbs.net
18567 hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
18243 ix.dnsbl.manitu.net
13565 mail-abuse.blacklist.jippg.org
11004 no-more-funn.moensted.dk (result 127.0.0.2 = spam source)
10832 dnsbl.inps.de
10276 korea.services.net
9766 bl.spamcannibal.org
7878 ips.backscatterer.org
4963 spamsources.fabel.dk
3838 list.dnswl.org (not a blacklist!)
2880 hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
2815 blackholes.five-ten-sg.com (result 127.0.0.9 = misc)
2565 no-more-funn.moensted.dk (result 127.0.0.10 = open proxy)
2266 dnsbl.njabl.org (union of all results)
2166 hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
2028 hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
1853 dnsbl.njabl.org (result 127.0.0.9 = open proxy)
1420 no-more-funn.moensted.dk (result 127.0.0.9 = misc)
1378 tr.countries.nerd.dk
1134 zen.spamhaus.org (union of SBL and SBLCSS results)
976 blackholes.five-ten-sg.com (result 127.0.0.4 = unconfirmed opt-in)
801 zen.spamhaus.org (result 127.0.0.2 = Spamhaus SBL)
574 aspews.ext.sorbs.net
512 accredit.habeas.com (not a blacklist!)
462 l2.bbfh.ext.sorbs.net
459 dnsbl.sorbs.net (result 127.0.0.6 = spam source)
404 query.bondedsender.org (not a blacklist!)
333 zen.spamhaus.org (result 127.0.0.3 = Spamhaus SBLCSS)
240 no-more-funn.moensted.dk (result 127.0.0.7 = spam haven)
213 dnsbl.njabl.org (result 127.0.0.4 = spam source)
200 dnsbl.njabl.org (result 127.0.0.2 = open relay)
180 l1.bbfh.ext.sorbs.net
167 dnsbl.ahbl.org (union of all results)
161 iadb2.isipp.com (not a blacklist!)
139 dnsbl.ahbl.org (result 127.0.0.3 = open proxy)
130 iadb.isipp.com (not a blacklist!)
96 hostkarma.junkemailfilter.com (result 127.0.0.4 = spam source aspirant)
95 tor.dnsbl.sectoor.de (result 127.0.0.2 = /24 contains a Tor server)
95 tor.dnsbl.sectoor.de (union of all results)
53 bl.deadbeef.com
32 dnsbl.sorbs.net (result 127.0.0.3 = open socks proxy)
31 dnsbl.sorbs.net (result 127.0.0.2 = open http proxy)
28 dnsbl-0.uceprotect.net
28 dnsbl.ahbl.org (result 127.0.0.4 = spam source)
18 multi.uribl.com (union of all results)
17 multi.uribl.com (result 127.0.0.2 = spam resource)
14 blackholes.five-ten-sg.com (result 127.0.0.12 = spam-friendly freemail provider)
10 blackholes.brainerd.net
9 zen.spamhaus.org (result 127.0.0.5 = time-expired NJABL open proxy)
4 hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
3 multi.surbl.org
3 spamguard.leadmon.net (union of all results)
2 dnsbl.sorbs.net (result 127.0.0.4 = open proxy)
2 spamguard.leadmon.net (result 127.0.0.7 = spam source netblock)
2 blackholes.five-ten-sg.com (result 127.0.0.11 = TCPA violator)
1 multi.uribl.com (result 127.0.0.8 = new domain or concealed contact)
1 dnsbl.sorbs.net (result 127.0.0.9 = zombie network)
1 dnsbl.sorbs.net (result 127.0.0.5 = open relay)
1 spamguard.leadmon.net (result 127.0.0.8 = open proxy)
1 no-more-funn.moensted.dk (result 127.0.0.4 = unconfirmed opt-in)
1 blackholes.five-ten-sg.com (result 127.0.0.6 = open relay)
Survey results for all known public domain-name-based DNS blacklists. Lookups were done on the domain names of connecting IP addresses. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

Hits DNS Zone
170583 (total number of IP addresses whose names were tested, including 182 at SDSC)
99463 hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
87202 hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
81646 (union of most domain zones)
70614 l1.apews.org
66144 abuse.rfc-ignorant.org
31279 dynamic.rhs.mailpolice.com
27920 whois.rfc-ignorant.org (union of all results)
20975 whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
10228 hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
6946 whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
3726 webmail.rhs.mailpolice.com
3049 hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
846 adv.rhs.mailpolice.com
752 hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
643 hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
571 urired.spameatingmonkey.net
344 hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
340 hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
294 bl.deadbeef.com
206 hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
149 rhsbl.sorbs.net (result 127.0.0.11 = domain uses bad address space)
149 rhsbl.sorbs.net (union of all results)
72 postmaster.rfc-ignorant.org
43 bogusmx.rfc-ignorant.org
41 bulk.rhs.mailpolice.com
40 dsn.rfc-ignorant.org (zone not intended for this use)
39 multi.surbl.org
36 multi.uribl.com (result 127.0.0.2 = spam resource)
36 multi.uribl.com (union of all results)
34 rhsbl.ahbl.org
19 fresh.spameatingmonkey.net
16 dob.sibl.support-intelligence.net
9 hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
5 porn.rhs.mailpolice.com
Survey results for all known public domain-name-based DNS blacklists. Lookups were done on SMTP sender domains. The "union of most domain zones" line includes data from the hostkarma.junkemailfilter.com zone only when the results are 127.0.0.2, 127.0.0.3, or 127.0.0.4 because other results are not blacklists.

Hits DNS Zone
74060 (total number of domains tested, including 164 at SDSC)
68987 hostkarma.junkemailfilter.com (result 127.0.2.3 = domain first seen more than 7 days ago)
19002 (union of most domain zones)
8577 hostkarma.junkemailfilter.com (result 127.0.1.1 = MTA sends QUIT)
7303 whois.rfc-ignorant.org (union of all results)
6826 whois.rfc-ignorant.org (result 127.0.0.7 = no whois data at all)
6567 hostkarma.junkemailfilter.com (result 127.0.0.5 = do not blacklist)
4738 urired.spameatingmonkey.net
4271 abuse.rfc-ignorant.org
3073 hostkarma.junkemailfilter.com (result 127.0.0.1 = whitelisted)
2348 l1.apews.org
1710 postmaster.rfc-ignorant.org
1614 hostkarma.junkemailfilter.com (result 127.0.0.2 = spam source)
1361 bogusmx.rfc-ignorant.org
1276 multi.surbl.org
1035 multi.uribl.com (union of all results)
1023 multi.uribl.com (result 127.0.0.2 = spam resource)
1007 webmail.rhs.mailpolice.com
807 hostkarma.junkemailfilter.com (result 127.0.2.2 = domain first seen in last 7 days)
654 hostkarma.junkemailfilter.com (result 127.0.0.3 = mix of spam and nonspam)
568 dsn.rfc-ignorant.org
477 whois.rfc-ignorant.org (result 127.0.0.5 = bad whois data)
336 adv.rhs.mailpolice.com
283 dynamic.rhs.mailpolice.com
252 porn.rhs.mailpolice.com
100 bulk.rhs.mailpolice.com
51 hostkarma.junkemailfilter.com (result 127.0.1.2 = MTA does not send QUIT)
42 hostkarma.junkemailfilter.com (result 127.0.1.4 = no verify host)
37 fresh.spameatingmonkey.net
34 rhsbl.sorbs.net (result 127.0.0.11 = domain uses bad address space)
34 rhsbl.sorbs.net (union of all results)
28 hostkarma.junkemailfilter.com (result 127.0.2.1 = domain first seen today)
28 dob.sibl.support-intelligence.net
20 ex.dnsbl.org
20 rhsbl.ahbl.org
12 multi.uribl.com (result 127.0.0.4 = opt-out spam resource)
2 fraud.rhs.mailpolice.com
2 bl.deadbeef.com
1 hostkarma.junkemailfilter.com (result 127.0.1.3 = MTA somtimes sends QUIT)