DNS Blacklists

Our anti-spam system uses DNSBLs (Domain Name Service Black Lists) to block email from spammers.

By default we use three lists:

  • zen.spamhaus.org
  • combined.njabl.org
  • list.dsbl.org

The benefit of these three lists is that they are good at catching spam but have an extremely low rate of false positives (legitimate email that's incorrectly blocked).

You have the ability to change the DNSBLs that currently affect your email. You can also change the default action our servers perform on email sent from someone on one of your chosen lists.

DNS Blacklist Levels

0 - Disabled
No DNSBLs are applied to your email.
1 - Default
This is our default setting. It is very conservative. It blocks most sources of spam, but very rarely blocks legitimate email.
2 - Robust
This is a more robust setting. It has a higher chance of blocking legitimate email from advertisers and newsletters, but will stop a lot more spam.
3 - Aggressive
This setting is very aggressive. It will block most sources of bulk mail, big newsletters, periodicals, and advertising. Some consider this email spam. This setting may also block mail from small companies and misconfigured servers.
4 - Strict
This setting is not recommended unless you want to filter out most sources of email from reaching your inbox. If you choose this setting it is recommended that you set your default action (see below) to Quarantine.
5 - Draconian
This setting is extremely aggressive! It is VERY prone to false positives and can block entire ISPs because they've had one abusive user. This setting is not generally recommended for most users.
x - Advanced
The advanced setting allows you to pick and choose which DNSBLs your email account uses. We've rated each one in order of how aggressive we think it is. A list that's large but not too aggressive is ideal for general email. However, some of these lists are designed to block specific types of spam.

DNS Blacklist Actions

You can choose what action is taken by our servers when a sender matches one of the DNSBLs.

Our default action is to reject email. However, you may choose any one of these four options:

Disabled
Allow through and do not do anything - the DNSBL is not checked.
Tag
The message is tagged with a special header, but there is no other action. You can set up your own filters to look for tagged mail, or just ignore it.
Quarantine
The email is accepted, but sent directly to your quarantine. This is the recommended action for very aggressive DNSBLs, as they are more prone to false positives.
Reject
The email is rejected by our server, and an error is sent to the sender.

DNS Blacklists

zen.spamhaus.org

Size:
Large
Aggressiveness:
Low
Link:
http://www.spamhaus.org/

Spamhaus has several lists, which are updated via multiple methods.

zen.spamhaus.org is their compilation list, containing entries from each of their other ones. It's a large list but it is very clean. The lists it is built from are:

sbl.spamhaus.org
Spam block list
xbl.spamhaus.org
Exploit block list
pbl.spamhaus.org
Policy block list

These lists are very effective at catching spam, and while large, are not prone to false positives.
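How a mail server can tell which component list produced a zen.spamhaus.org hit, shown as an added example (not this provider's code). The return-code table follows Spamhaus's published ZEN codes; the `resolve` callback and the sample DNS answers are constructed so the block runs offline.

```python
import ipaddress

ZONE = "zen.spamhaus.org"

# A-record return codes Spamhaus publishes for ZEN, mapped to the component list.
ZEN_CODES = {
    "127.0.0.2": "sbl", "127.0.0.3": "sbl",
    "127.0.0.4": "xbl", "127.0.0.5": "xbl", "127.0.0.6": "xbl", "127.0.0.7": "xbl",
    "127.0.0.10": "pbl", "127.0.0.11": "pbl",
}

def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def classify(ip, resolve, zone=ZONE):
    """resolve(name) is a hypothetical callback returning A records ([] for NXDOMAIN)."""
    answers = resolve(query_name(ip, zone))
    # 127.255.255.x answers are query errors (for example a blocked public
    # resolver), not listings. Treating them as hits would block all mail.
    if any(a.startswith("127.255.255.") for a in answers):
        return {"status": "error", "lists": []}
    # Answers outside the table are ignored rather than counted as a listing.
    lists = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    return {"status": "listed" if lists else "clean", "lists": lists}

# Constructed DNS answers standing in for a real resolver.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "7.2.0.192.zen.spamhaus.org": ["127.0.0.11"],
    "9.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.7", "192.0.2.9", "192.0.2.50"):
        print(ip, classify(ip, fake_resolve))
```

A server that acts on the component list can apply a different action to, say, a PBL-only hit than to an SBL hit, instead of treating every answer the same way.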

dnsbl.njabl.org

Size:
Medium
Aggressiveness:
Low
Link:
http://njabl.org/

NJABL tracks open relays, known spam sources, passively detected "bad hosts" (misconfigured email servers or active spam proxies), systems with insecure formmail.cgi or similar CGI scripts which turn them into open relays, and open proxy servers.

Usually when email comes from a server that falls into one of these categories, it is spam. Servers on well managed networks don't have any of these issues.

list.dsbl.org

Size:
Small
Aggressiveness:
Low
Link:
http://dsbl.org/

DSBL is a server that listens for specific 'listme' messages and blocks email servers that send them.

"List" only accepts these messages from "Trusted Testers" who test servers and verify that they are open relays.

These servers are not necessarily sending spam, but they have the potential to do so. Basically, List is good at stopping spammers before they get started. It's neither aggressive nor prone to false positives.

multihop.dsbl.org

Size:
Small
Aggressiveness:
Low
Link:
http://www.dsbl.org/

DSBL is a server that listens for specific 'listme' messages and blocks email servers that send them.

Multihop is maintained by "Trusted Testers" and blocks email sent from chains of servers. These servers have the potential to send spam, although they haven't yet.

Multihop servers send spam from server to server until they find one that will let them send spam to a legitimate user. They do this A) to confuse anyone who might try to track them down and B) to spread out their resources so that if one server gets shut down, they can still send through another one. This list only accepts entries from "Trusted Testers", so it is not very aggressive. Still, a legitimate server might be part of the chain, so you could have false positives.

bl.csma.biz

Size:
Very Small
Aggressiveness:
Low
Link:
http://bl.csma.biz/

This is a list provided by McFadden Associates reflecting what they are currently blocking on their own servers. They use open source software to gather this information.

bhnc.njabl.org

Size:
Small
Aggressiveness:
Low
Link:
http://njabl.org/

This DNSBL tracks mail servers that act in a suspicious way. Either they use very poorly written software, have been involved in hacking attempts, or they are spam proxies.

dnsbl.ahbl.org

Size:
Small
Aggressiveness:
Medium
Link:
http://www.ahbl.org/

The AHBL is a database of hosts that have been known to cause various forms of abuse on the Internet which includes UCE/UBE/spam, Denial of Service attacks and cracking attempts.

This list takes the point of view that if a server has done something bad in the past, it is more likely to send spam in the future. This list is good at heading off potential spammers, but can also block servers that were unknowingly used in an attack in the past, and are now clean.

dnsbl.sorbs.net

Size:
Medium
Aggressiveness:
Medium
Link:
http://www.sorbs.net/

SORBS blocks open relays, open proxy servers, and machines that appear to be hacked sources of spam. SORBS blocks all open relays, even those not currently sending spam.

SORBS is well known, and a lot of people use it. However, it is very likely to block a host who made a mistake and got compromised, but now is clean. This can block some legitimate mail.

dhcp.tqmcube.com

Size:
Medium
Aggressiveness:
Medium
Link:
http://www.tqmcube.com/

A dynamic IP address blacklist.

This list blocks a lot of known sources of spam. However, it may block people who run their own servers, or servers located at ISPs that don't properly update their information.

ubl.unsubscore.com

Size:
Medium
Aggressiveness:
Medium
Link:
http://www.lashback.com/ubl.html

This list blocks email servers that abuse unsubscribe requests. They have four criteria:

  • Senders who fail to provide a working unsubscribe mechanism
  • Senders who do not honor unsubscribe requests within 10 business days
  • Senders who allow a consumer's unsubscribe request to be abused (i.e. shared with other parties to send more spam)
  • Senders who are taking suppression lists from other organizations and sending email to these lists

spam.tqmcube.com

Size:
Medium
Aggressiveness:
Medium
Link:
http://www.tqmcube.com/

A spam blacklist that uses honeypots. It considers unsolicited bounced messages, vacation notifications and challenge/response emails as spam.

bl.spamcannibal.org

Size:
Small
Aggressiveness:
Medium
Link:
http://www.spamcannibal.org/

Spamcannibal uses a system of tarpits on honeypots that try to tie up email servers that are sending spam. They publish a blacklist that reflects the current list of mailservers that they consider abusive.

dnsbl-1.uceprotect.net

Size:
Large
Aggressiveness:
Medium
Link:
http://www.uceprotect.net/

UCE is a blacklist that uses honeypots to find spammers. They have three levels of protection; the third one is very, very aggressive. People normally have to pay to get removed immediately, otherwise their IP address or netblock is removed after a week.

This DNSBL keeps track of unique IP addresses from known spammers for a week. This list isn't very aggressive, but it can block servers that have been infected with viruses or were otherwise compromised. Most servers are cleaned up after a couple of days, so you could lose legitimate email while they are still on the list waiting to be removed.

dnsbl-2.uceprotect.net

Size:
Large
Aggressiveness:
High
Link:
http://www.uceprotect.net/

UCE's Second level DNSBL. If an IP address has sent spam, this will list the neighboring IP addresses. This list is very aggressive. It assumes that spammers have compromised the entire network, not just a single server. You could get email blocked from someone who has the bad luck of having an IP address that is close to a spammer's IP address.

unconfirmed.dsbl.org

Size:
Small
Aggressiveness:
High
Link:
http://www.dsbl.org/

DSBL is a server that listens for specific 'listme' messages and blocks email servers that send them.

Unconfirmed accepts these messages from anyone who discovers an open relay, and is able to send mail through it.

bl.spamcop.net

Size:
Large
Aggressiveness:
High
Link:
http://www.spamcop.net/

SpamCop is an organization of users, admins, and servers that wish to eliminate spam. They maintain a blacklist of IP addresses from people they consider to be spammers. Most of the spammers are reported by SpamCop users, so they may or may not be actually sending out spam.

dnsbl-3.uceprotect.net

Size:
Large
Aggressiveness:
Extreme
Link:
http://www.uceprotect.net/

UCE's Third Level DNSBL. It uses a bad IP to block its entire neighborhood. This list not only assumes that spammers have compromised entire networks, but also entire companies! If you select this list, you will not be able to receive email from certain companies that may have had one bad spammer or compromised machine.

Glossary

Honeypot
A domain that is set up like any other domain, but which doesn't have any users. Any email sent to a honeypot is unsolicited. Many DNSBLs use Honeypots to expose spammers.
Open Relay
An email server that accepts mail from anyone, and sends it to anyone.
SMTP Proxy
Also known as a spam proxy, a compromised server used to send spam and obscure where it's coming from.
Tarpit
A tarpit is a type of honeypot designed to delay any server that connects to it. They are designed to force spammers to waste time and resources that would otherwise be used to send spam.