Spam blacklists
There are quite a few services that allow you to use their frequently updated spam blacklists. Most of these blacklists can be used with MTA programs such as Postfix (see HOWTO Stop spam using Postfix). But some of the blacklists are a bit too wide and block innocent machines as well as those that are guilty of spam. It's generally much easier to get on a blacklist than it is to get off.
Here are some of the blacklists available:
Spamhaus
This is a great and frequently updated blacklist. It's free for mail servers with fewer than 100 users. They have 3 blacklists: "Spamhaus Block List", "Exploits Block List" and "Policy Block List". You can use zen.spamhaus.org in your DNSBL configuration to subscribe to these lists[1]. (This list was formerly known as "sbl-xbl.spamhaus.org", which has now been replaced by zen.)
SORBS
SORBS (Spam and Open Relay Blocking System) is a spam fighting service in Australia[2]. Their list is very effective; too effective, for a whole lot of reasons. First of all, they are known to be very quick to blacklist entire IP ranges if there's a spammer in one, and there have been numerous complaints about people with static IPs getting their IP range blocked because of someone else's spamming.
And then there's the Tor network. Most of the routers in the Tor network are relay nodes; they don't allow exiting. The default exit policy for Tor is to disallow port 25, so you can't spam from exit nodes unless the exit node's operator has intentionally configured the router to allow e-mails to be sent. About none (perhaps 3) of the around 1000 Tor routers allow exiting on port 25, yet SORBS's policy regarding Tor is to block all of them, regardless of whether they allow exiting and regardless of their exit policy. Now, specifically blocking the Tor network isn't a big deal, it's a small deal, but it is a typical example of SORBS's blocking policy: when in doubt, block it.
You will get less spam by using SORBS's list. But you may also prevent legitimate e-mail by using this list.
You can use dnsbl.sorbs.net in your DNSBL configuration to subscribe to their list[3].
DSBL
DSBL (Distributed Sender Blackhole List)[4] is a great junk mail sender blacklist that provides three different lists[5]:
- list.dsbl.org: Single stage SMTP relays and open proxies allowing CONNECT. Only trusted testers can add hosts to this list.
- multihop.dsbl.org: Suspected multi-hop relays. Only trusted testers can add hosts to the list.
- unconfirmed.dsbl.org: This is a very wide list. It includes many free mail servers and free ISPs who are frequently used by spammers.
DSBL's "unconfirmed" list blocks a whole lot of things. It's kind of like SORBS's list: when in doubt, block it. However, DSBL does have three lists you can use, and their blocking policy gets wider in the order they are listed above.
list.dsbl.org is a great choice. If you use this for a while and you feel that you're still getting way too much spam despite using this list, then you may want to give multihop.dsbl.org or even unconfirmed.dsbl.org a try.
SCBL
The SpamCop Blocking List (SCBL)'s story is that "The SCBL is a list of IP addresses which have transmitted reported email to SpamCop users, which in turn is used to block and filter unwanted email."[6] This should, in theory, prevent false positives from automatically entering their list. Add bl.spamcop.net to use their DNSBL.
CBL
CBL (Composite Blocking List) is a list which only blocks based on traps. Their story is this:
"The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, without doing open proxy tests of any kind.
In other words, the CBL only lists IPs that have attempted to send email to one of our servers in such a way as to indicate that the sending IP is infected."[7]
This is a great way to prevent false positives from being added to the list; if you haven't spammed them then you're not listed by them. Their DNSBL is cbl.abuseat.org.
Dead services
The Open Relay Database (ORDB.org) is now dead; even the website previously at http://www.ordb.org/ is gone. Thus, you should remove relays.ordb.org from your MTA/spamfilter configuration. (Remember this if you're a consultant who visits clients who only have someone tune their MTA once a year or so, unless it breaks, of course. ORDB died December 2006, so such clients may well still have it in their config.)
One last detail
It's generally a good idea to make sure that users can send to services they can't get mail from because they are blocked. There is such a thing as false positives, especially if you're using SORBS or DSBL's "unconfirmed" list.
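The clean-up advised under "Dead services" and the false-positive warning above can be checked mechanically. The following is an added example, not part of the original page or of Postfix: it assumes the lists are enabled in a Postfix main.cf through reject_rbl_client, and the function names and the sample configuration are made up for illustration.

```python
import re

# Zones the page says to stop using, with the reason it gives.
RETIRED = {
    "relays.ordb.org": "ORDB died December 2006; remove it",
    "sbl-xbl.spamhaus.org": "replaced by zen.spamhaus.org",
}
# Lists the page describes as wide or prone to false positives.
WIDE = {"dnsbl.sorbs.net", "unconfirmed.dsbl.org"}


def dnsbl_zones(main_cf: str) -> list[str]:
    """Return every zone named by reject_rbl_client, in file order."""
    # Drop comment lines first so a commented-out list is not reported.
    live = "\n".join(l for l in main_cf.splitlines()
                     if not l.lstrip().startswith("#"))
    # Stop at ',' or '=' so "zone," and "zone=127.0.0.2" both yield the zone.
    found = re.findall(r"reject_rbl_client\s+([^\s,=]+)", live)
    return [z.lower().rstrip(".") for z in found]


def audit(main_cf: str) -> dict[str, str]:
    """Map each configured zone to 'retired: ...', 'wide' or 'ok'."""
    report = {}
    for zone in dnsbl_zones(main_cf):
        if zone in RETIRED:
            report[zone] = "retired: " + RETIRED[zone]
        elif zone in WIDE:
            report[zone] = "wide"
        else:
            report[zone] = "ok"
    return report


# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client relays.ordb.org,
#   reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net
"""

if __name__ == "__main__":
    for zone, verdict in audit(SAMPLE).items():
        print(f"{zone:24} {verdict}")
```

A "wide" verdict is not an error; it marks the zones for which the page recommends watching for blocked legitimate mail.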
DNSBLs in Bullet Summary
- Spamhaus: zen.spamhaus.org
- SORBS: dnsbl.sorbs.net
- DSBL: list.dsbl.org, multihop.dsbl.org, unconfirmed.dsbl.org
- SCBL: bl.spamcop.net
- CBL: cbl.abuseat.org
How to use DNSBL lists
- Postfix: HOWTO Stop spam using Postfix