Monday, November 23, 2009

Other DNSBLs?

SkyHi @ Monday, November 23, 2009
We believe that an effective spam filtering system is a hybrid of a number of techniques; you should never put all your eggs in one basket. See Effective Spam Filtering for an excellent discussion of modern spam fighting techniques along with other tools.

In addition to the excellent SpamHaus SBL, XBL and PBL subzones, here are a few other DNSBLs that you may wish to consider. It is extremely important that you evaluate them according to your needs. Some of these lists are NOT appropriate for certain environments.

Before using DNSBLs, we recommend becoming familiar with the DNSBL lookup tools on dnsstuff.com.

Jeff Makey provides a useful Blacklists Compared page.

Only those DNSBLs we have personal experience with are listed here. While reading these, consider your options: they can be used either in a full blocking mode (a DNSBL hit means the email is blocked) or as part of a scoring system (a DNSBL hit plus other "scores" are required for a block).
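The two modes described above, as an added example that is not part of the original page. The zone names, scores and threshold are constructed placeholders, and the resolver is injectable so the sample runs offline. It also applies the RFC 5782 test entries so that a dead zone that answers for every address is skipped instead of blocking all mail.

```python
import ipaddress
import socket

# Placeholder zones (constructed). "block": a hit alone rejects the mail;
# "score": a hit only adds points toward REJECT_THRESHOLD (assumed value).
POLICY = {"reliable.dnsbl.example": ("block", 0.0),
          "lowthreshold.dnsbl.example": ("score", 2.0),
          "dead.dnsbl.example": ("block", 0.0)}
REJECT_THRESHOLD = 5.0
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def qname(ip, zone):
    """192.0.2.10 -> 10.2.0.192.<zone>: octets reversed, zone appended."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

def system_resolver(name):
    """A record for name, or None when the lookup fails (not listed)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def listed(ip, zone, resolver):
    # Only an answer inside 127.0.0.0/8 counts as a listing.
    answer = resolver(qname(ip, zone))
    return answer is not None and ipaddress.ip_address(answer) in LISTED_NET

def zone_healthy(zone, resolver):
    # RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.
    # A zone that fails this is dead or is listing the whole world.
    return listed("127.0.0.2", zone, resolver) and not listed("127.0.0.1", zone, resolver)

def evaluate(ip, other_score=0.0, resolver=system_resolver, policy=POLICY):
    """Return (verdict, zones_hit, total_score) for a connecting IP."""
    total, hits = other_score, []
    for zone, (mode, points) in policy.items():
        if not zone_healthy(zone, resolver) or not listed(ip, zone, resolver):
            continue
        hits.append(zone)
        if mode == "block":
            return "reject", hits, total
        total += points
    return ("reject" if total >= REJECT_THRESHOLD else "accept"), hits, total

# Constructed answers; dead.dnsbl.example answers 127.0.0.2 to every query.
SAMPLE = {"2.0.0.127.reliable.dnsbl.example", "7.100.51.198.reliable.dnsbl.example",
          "2.0.0.127.lowthreshold.dnsbl.example", "10.2.0.192.lowthreshold.dnsbl.example"}

def sample_resolver(name):
    hit = name in SAMPLE or name.endswith(".dead.dnsbl.example")
    return "127.0.0.2" if hit else None
```

In a real mail server the health check result would be cached per zone rather than repeated for every connection.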

1. NJABL. Like Spamhaus, NJABL is a reliable and responsible DNSBL that has a number of subzones. The NJABL proxy DNSBL is incorporated in the Spamhaus XBL (along with CBL). The NJABL Dynablock list has been decommissioned in favor of the Spamhaus PBL, and is now just a mirror of the PBL. If you're using NJABL Dynablock, replace it with PBL lookup/naming conventions; some time in the not too distant future, the "NJABL named" version of the PBL will probably disappear. The NJABL open relay DNSBL is also good, but does not yield many hits these days.
2. WPBL. This is a good, reliable and responsible DNSBL. However, as it has very low thresholds (and somewhat limited coverage), it is strongly recommended that it not be used as a single reason for email rejection; this is discussed on their web page. It should be used in a scoring system such as SpamAssassin.
3. SpamCop. SpamCop is a good, solid, professionally operated DNSBL. Due to the way it's implemented, it used to occasionally "throw" undesirable false positives, and it was best used in a scoring system. Since then, changes have been made, and using it as an outright blocking mechanism is a reasonable choice.
4. Invaluement DNSBL [Note: Commercial]. ivmURI and ivmSIP are good, solid and professionally operated lists. ivmURI is a URI (domain) DNSBL like SURBL or URIBL, with high effectiveness (comparable with URIBL/SURBL), extremely low false positives, and quick to list. ivmSIP is an IP-based DNSBL which is particularly good at catching "new" emitters. Its FP rate is quite low. Neither should be considered a substitute for Zen/SpamCop, but both complement them well.
5. SORBS. The SORBS open relay, open socks and open proxy lists are good (noting that listing expiration is extremely long), but the other lists should not be used (especially dynamic), except in a scoring system with "moderate" scores.
6. SPEWS. The SPEWS list is dead - DO NOT USE. The SPEWS downloadable zone hasn't been updated since August of 2006, and most mirrors have emptied the zone. In its heyday (years ago), SPEWS was reasonably reliable, but generally not useable except in hobbyist mail server situations because of false positives and the difficulty in getting delistings, and otherwise only useable as part of a scoring system.
7. APEWS. When it became apparent that SPEWS was no longer being maintained, someone, or a group of someones, copied the SPEWS web pages and presumably the SPEWS list of the time, and operated it as a new DNSBL "APEWS". The new operators are far more aggressive than SPEWS ever was, and will list large chunks of net space over a single third party incident report that may not have had anything to do with spam. E.g., APEWS has been known to list entire netblocks because of a single out of date CERT report of a single IP acting as a bot C&C.

APEWS is reportedly blocking 2/3rds of all useable Internet IP space.

APEWS false positives in most situations are extremely high, and it should not be used except in some very specific circumstances (e.g., single user systems via scoring). The main reason we mention APEWS is that DNSSTUFF queries APEWS listings, and it tends to alarm listees and cause long flamewars on the only places that people can find to discuss them (e.g., news.admin.net-abuse.email), with no useful result. APEWS provides no mechanism for appealing listings, and we believe that is not best practise for DNSBL operation.

As far as we can determine, few (if any) mail servers actually use APEWS, so an APEWS listing is largely meaningless. Getting out of APEWS is very difficult, and APEWS can just about be completely ignored as being irrelevant.

Most recent news: APEWS may no longer be queryable - most, if not all, of its "mirror/publishers" have withdrawn offering it (e.g., APEWS listed at least one of its own mirrors).
8. TQMcube lists (it has several) appeared popular and reasonably effective; however, the admin has completely vanished (we're rather worried about him), and the list appears to be on autopilot now.
9. Regional DNSBLs. In some cases it may be desirable to use a DNSBL that lists certain regions of the world - for example, if you don't need or want to correspond in email with anyone in China, you can use a DNSBL specifically designed to list all IPs in China.

There are a number of these lists, the best known is korea.services.net,

WARNING: blackholes.us has gone out of service, and briefly it was blacklisting the world.

BE AWARE that if you use such a service, you will get very little if any email from these regions. These list IPs in those regions, not IPs in those regions known to spam. Use them at your own risk, or in a scoring system.
10. ORDB, OSIRUS, MONKEYS, DSBL: just in case: these DNSBLs are defunct and should NOT be used.