Blocklists
Supported by the SpamBouncer
This page describes all blocklists supported in the SpamBouncer, with hyperlinks to each blocklist's web page so that you can learn what the blocklist maintainer has to say about blocklist policies and practices. For more information about blocklists in general, what they are, and what they do, see the Filtering page in the About Spam section of the SpamBouncer web site. For more information about any individual supported blocklist or blocklist family, click the heading for that blocklist to go to its home page.
The Abusive Hosts Blocklist (AHBL) family is one of the most aggressive groups of blocklists supported in the SpamBouncer. They're also aggressively maintained and the operators are responsive when contacted. (They seem especially proud of lawsuit threats from people whose IP blocks and/or domains they've listed and post those prominently on their web site.) I would like to see a clearer statement on the web site of their overall spam philosophy, but I guess it's a bit much to ask that geeks spend time on documentation when they could be catching spammers. <G>
None of these blocklists is enabled by default because they are so aggressive. If you whitelist aggressively, however, you can safely use the AHBL blocklists and catch quite a bit of spam with them. The AHBL itself provides a whitelist especially designed to be used with its blocklists: the AHBL exemptions list. You should also use your .legitlists and .nobounce files (your local whitelists) heavily if you enable any AHBL blocklists.
- Abusive domains. The AHBL abusive domains blocklist lists domains owned by, operated by, or under the control of spammers. Unlike the other AHBL lists, this list is an RHSBL; it lists domains, not IP addresses or IP ranges. It is disabled by default. You can enable it by setting AHBLDOMAINCHECK=yes in the variables section at the top of your .procmailrc file.
- Compromised hosts. The AHBL compromised hosts blocklist lists IPs of computers that have been hacked or are running trojan software. It is disabled by default. You can enable it by setting AHBLDDOSCHECK=yes in the variables section at the top of your .procmailrc file.
- Insecure CGI/web forms. The AHBL insecure CGI blocklist lists IPs of web servers that have insecure CGI scripts or web forms that spammers can abuse to send spam. It is disabled by default. You can enable it by setting AHBLCGICHECK=yes in the variables section at the top of your .procmailrc file.
- Open proxies. The AHBL open proxies blocklist lists IPs of computers that run open proxies, which can be used to send spam and hide the source of the spam from the recipient. It is disabled by default. You can enable it by setting AHBLPROXYCHECK=yes in the variables section at the top of your .procmailrc file.
- Open relays. The AHBL open relays blocklist lists IPs of SMTP servers that are configured to allow anybody to send email to anybody through them. It is disabled by default. You can enable it by setting AHBLRELAYCHECK=yes in the variables section at the top of your .procmailrc file.
- Provisional spam sources. The AHBL provisional spam sources blocklist lists hosts that have sent large quantities of spam and/or viruses recently. It is intended to stop spam or virus floods, and IPs listed on it do not normally remain on it for long. They either deal with the problem and are delisted, or do not and are moved to the spam sources list. It is disabled by default. You can enable it by setting AHBLPSSLCHECK=yes in the variables section at the top of your .procmailrc file.
- Spam sources. The AHBL spam sources blocklist lists hosts owned by, operated by, or under the control of spammers. It is disabled by default. You can enable it by setting AHBLSPAMCHECK=yes in the variables section at the top of your .procmailrc file.
The Blitzed Open Proxy Monitor lists open proxies of all kinds, including those created by trojan software. Spammers use open proxies to send spam while hiding the origin of that spam. The BOPM itself is disabled by default only because the SpamHaus XBL, which is enabled by default, contains the BOPM and other, similar data in a single blocklist, making it more efficient to check the XBL. If you prefer to check the BOPM directly, you can enable it by setting OPMBLITZEDCHECK=yes in the variables section at the top of your .procmailrc file.
The CBL lists open proxies, many of them trojaned and compromised hosts that run open proxy software that spammers use to send spam while hiding the origin of that spam. It is probably the single most effective blocklist in existence at present. Used properly, it catches well over 80% of spam. (At least, that's true of the spam that comes into the SpamBouncer spamtrap.)
The CBL itself is disabled by default only because the SpamHaus XBL, which is enabled by default, contains the CBL and other, similar data in a single blocklist, making it more efficient to check the XBL. If you prefer to check the CBL directly, you can enable it by setting CBLCHECK=yes in the variables section at the top of your .procmailrc file.
The Completewhois family of blocklists lists IPs that send no legitimate email, and that shouldn't be sending email at all. These blocklists are aggressive, and at times have contained listings that were in error and caused false positives, so they are disabled by default. If you use them with caution, however, they can be useful.
- Bogons. IP addresses that belong to IANA reserved or unassigned ranges and that should never appear in the headers of email sent across the Internet. It is disabled by default. You can enable it by setting CWHOISBOGONCHECK=yes in the variables section at the top of your .procmailrc file.
- Hijacked netblocks. IP ranges that have been taken over by a spammer or abuser without the permission of the assigned owner or IANA. It is disabled by default. You can enable it by setting CWHOISHIJACKCHECK=yes in the variables section at the top of your .procmailrc file.
The DSBL blocklist family has closed. Please disable this blocklist in your SpamBouncer configuration; it will be removed from the next release.
The Five-Ten Software Group (FTSG) blocklists are probably the most aggressive that the SpamBouncer supports. The maintainer considers sending bulk email to any email address that has not opted in using a closed-loop confirmed opt-in (COI) process ("double opt-in" for you marketers) to be spamming. As I understand it, the maintainers are accessible and communicate their standards clearly, however, so if you use these lists and find them too aggressive, that's your problem. <wry grin>
None of these blocklists is enabled by default because they are so aggressive. If you enable any of the FTSG blocklists, you should whitelist aggressively. You might want to use the AHBL exemptions list in addition to religiously listing any regular correspondents in your .legitlists file (for mailing lists) and .nobounce file (for personal email).
- Dynamic IP ranges. IP addresses belonging to pools assigned dynamically to dial-up users and users of low-end cablemodem and DSL service. These IPs should never send email directly to other systems, but only via their ISP mail server. It is disabled by default. You can enable it by setting FTSGDIALCHECK=yes in the variables section at the top of your .procmailrc file.
- Ignores spam complaints. IP ranges that belong to ISPs that ignore spam complaints or fail to remove spammers from their systems within a reasonable period of time. It is disabled by default. You can enable it by setting FTSGIGNORECHECK=yes in the variables section at the top of your .procmailrc file.
- Insecure CGI/web forms. IP addresses belonging to web servers that contain insecure CGI or web forms that allow spammers to send spam. It is disabled by default. You can enable it by setting FTSGWEBFORMCHECK=yes in the variables section at the top of your .procmailrc file.
- Multi-stage open relays. IP addresses belonging to SMTP servers that are themselves secure, but that accept and deliver email from insecure SMTP servers. It is disabled by default. You can enable it by setting FTSGMULTICHECK=yes in the variables section at the top of your .procmailrc file.
- Open relays. IP addresses belonging to mail servers that accept and deliver email from anybody to anybody. It is disabled by default. You can enable it by setting FTSGRSSCHECK=yes in the variables section at the top of your .procmailrc file.
- Opt-out bulk email sources. IP addresses belonging to bulk emailers that do not use closed-loop confirmed opt-in (COI) ("double opt-in") before sending bulk email. You can enable it by setting FTSGOPTOUTCHECK=yes in the variables section at the top of your .procmailrc file.
- Spam sources. IP addresses used to send repeated, multiple spam runs. Since the maintainers consider any non-COI bulk email to be spam, this list contains a number of bulk email sources that send email many people want to get, so you should use it with caution. It is disabled by default. You can enable it by setting FTSGSRCCHECK=yes in the variables section at the top of your .procmailrc file.
The Invaluement blocklist family consists of three blocklists: a conservatively-run blocklist of single IPs that send spam, a more aggressive blocklist of /24 CIDRs that send significant amounts of spam, and a URI blocklist similar to the SURBL and URIBL blocklists. It is a business, not a free service, but the fee structure is reasonable for individual users, small home networks, and small businesses.
These blocklists are new as of 2008, and were created by long-time antispam activist Rob McEwen. McEwen has several good ideas that have led to a blocklist that catches a considerable amount of spam from spammers that often escape listing and filtering, especially mainsleaze spammers and "snowshoe" spammers. I have not used this blocklist yet because Rob has not got public DNSBLs set up for his users, but a number of other antispammers of my acquaintance have downloaded his data and included it in their local blocklists. They have gotten very good results.
I look forward to seeing what these blocklists can do with the next SpamBouncer version!
- ivmURI. Lists domains, hosts, and IP addresses seen in the URIs in spam.
- ivmSIP. Lists IP addresses used only to send spam.
- ivmSIP/24. Lists the /24 for the IP addresses listed on ivmSIP, pre-emptively blocking spam from the "neighborhood" of known spam source IPs.
The NJABL blocklist family is a good, conservative and well-maintained group of blocklists. Two are enabled by default, and the others are not, primarily because enabling too many blocklists slows the SpamBouncer down.
- Dynamic IP ranges. IP addresses assigned dynamically to dial-up users and users with low-end cablemodem and DSL service. It is enabled by default. You can disable it by setting NJABLDULCHECK=no in the variables section at the top of your .procmailrc file, but I recommend leaving it enabled.
- Insecure CGI/web forms. IP addresses of web servers with insecure CGI or web forms that allow spammers to send spam. It is disabled by default. You can enable it by setting NJABLCGICHECK=yes in the variables section at the top of your .procmailrc file.
- Multi-level open SMTP relays. IP addresses of SMTP servers that are themselves secure, but that accept email from customers with open relays. It is disabled by default. You can enable it by setting NJABLMULTICHECK=yes in the variables section at the top of your .procmailrc file.
- Open proxies. IP addresses of computers that operate as open proxies. The NJABL open proxies list is slightly more aggressive than the XBL, CBL, or OPM, primarily because it does not automatically "time out" listings as quickly. It is nonetheless enabled by default in the SpamBouncer. You can disable it by setting NJABLPROXYCHECK=no in the variables section at the top of your .procmailrc file, but I recommend leaving it enabled.
- Open SMTP relays. IP addresses of SMTP servers that allow anybody to send email to anybody. It is disabled by default. You can enable it by setting NJABLRSSCHECK=yes in the variables section at the top of your .procmailrc file.
- Spam sources. IP addresses used to send repeated, multiple spam runs. Slightly more aggressive than the SBL, but still conservative and effective. It is disabled by default. You can enable it by setting NJABLSRCCHECK=yes in the variables section at the top of your .procmailrc file.
Blocklist of single-stage open relays. It tests SMTP servers on request, and lists those that are open relays. The ORDB is somewhat more aggressive than the DSBL, and also more narrowly focused, since it lists only open SMTP relays, not open proxies, compromised hosts, or web servers with insecure CGI. It is probably the largest and most widely used list of open relays on the Internet.
It is disabled by default. You can enable it by setting ORDBCHECK=yes in the variables section at the top of your .procmailrc file.
The RFC Ignorant blocklists are unique -- they target computer systems and services that do not properly implement the RFCs (the "building blocks" of the Internet), rather than those that send spam. The theory is that systems that do not implement the RFCs properly often are misconfigured in other ways and therefore easily abused by spammers. In addition, many of these systems lack any publicly available, valid email addresses that you can use to contact the system administrator when there's a problem.
In my experience over the years, there is some overlap between the systems listed in one or more of the RFC Ignorant blocklists and systems that send spam. Unfortunately, there are also a lot of mail systems that violate one or more of these RFCs and yet do not send spam and do respond to spam complaints. I expect that the RFC Ignorant lists will be extremely helpful for certain types of spam reporting as that feature develops and is implemented in SpamBouncer 2.1 and following, but they are aggressive and prone to false positives when used to block email.
If you enable the RFC Ignorant blocklists, you should whitelist aggressively. You might want to enable the AHBL exemptions list, in addition to whitelisting your regular correspondents locally using your .legitlists file (for bulk email) and .nobounce file (for personal email).
- No Abuse@ address. Domains that lack an abuse@ address entirely, or have an abuse@ address but have an autoresponder answering it instead of a live human being. It is disabled by default. You can enable it by setting RFCABUSECHECK=yes in the variables section at the top of your .procmailrc file.
- No Postmaster@ address. Domains that lack a postmaster@ address entirely, or have a postmaster@ address but have an autoresponder answering it instead of a live human being. It is disabled by default. You can enable it by setting RFCPOSTMASTERCHECK=yes in the variables section at the top of your .procmailrc file.
- No or Invalid Whois information. Domains that lack valid Whois information. This list contains domains whose Whois information is either obviously forged or has been demonstrated to be incorrect, such as invalid postal addresses or phone numbers in the Whois record. It is disabled by default. You can enable it by setting RFCWHOISCHECK=yes in the variables section at the top of your .procmailrc file.
- Rejects bounces. IPs of mail servers that reject properly-formatted bounce messages. It is disabled by default. You can enable it by setting RFCDSNCHECK=yes in the variables section at the top of your .procmailrc file.
The Spam and Open Relay Blocking System (SORBS) blocklists are among the most aggressive that the SpamBouncer supports. The maintainer has little or no patience with mail systems that hesitate to remove spammers or take any necessary measures to secure their systems against abuse by spammers. The web site states a policy of requiring systems correctly listed for spamming or failure to secure their systems against spammers to pay a fee under some circumstances to get unlisted. I'm not entirely comfortable with this, although I have been told by people I trust that the maintainer is conscientious, fairly easy to work with otherwise, and applies the fee only in circumstances when the listed system was clearly at fault.
On the unambiguously positive side, SORBS operates a wonderful set of open proxies blocklists. It has three of them, all well-maintained and helpful in stopping spam. Even users whose personal standards of spamminess are considerably more conservative than those of SORBS are likely to find these lists helpful if the SpamHaus XBL and NJABL Open Proxies lists do not catch all of the open proxy spam coming into mailboxes.
None of these blocklists is enabled by default because they are so aggressive. If you enable any of the SORBS blocklists, you should whitelist aggressively. You might want to use the AHBL exemptions list in addition to religiously listing any regular correspondents in your .legitlists file (for mailing lists) and .nobounce file (for personal email).
- Dynamic IP ranges. IP addresses assigned dynamically to dial-up users and users with low-end cablemodem and DSL service. It is disabled by default. You can enable it by setting SORBSDYNCHECK=yes in the variables section at the top of your .procmailrc file.
- Insecure CGI/web forms. IP addresses of web servers with insecure CGI or web forms that allow spammers to send spam. It is disabled by default. You can enable it by setting SORBSCGICHECK=yes in the variables section at the top of your .procmailrc file.
- Open HTTP proxies. IP addresses of computers that operate open HTTP proxies. This is a large and well-maintained list of these proxies; even users whose standards of spamminess are considerably less strict than those of SORBS might find this helpful. It is disabled by default in the SpamBouncer. You can enable it by setting SORBSPROXYCHECK=yes in the variables section at the top of your .procmailrc file.
- Open proxies of other types. IP addresses of computers that operate open proxies other than HTTP proxies or Winsocks proxies. Many of these computers are trojaned or exploited computers. This list is well maintained and contains no listings from which you normally would want to accept email directly. It is disabled by default in the SpamBouncer. You can enable it by setting SORBSPROXY2CHECK=yes in the variables section at the top of your .procmailrc file.
- Open SMTP relays. IP addresses of SMTP servers that allow anybody to send email to anybody. It is disabled by default. You can enable it by setting SORBSRELAYCHECK=yes in the variables section at the top of your .procmailrc file.
- Open winsocks proxies. IP addresses of computers that operate open winsocks proxies, usually badly misconfigured and exploitable Windows-based client systems with broadband connections. This list is well maintained and contains no listings from which you normally would want to accept email directly. It is disabled by default in the SpamBouncer. You can enable it by setting SORBSSOCKSCHECK=yes in the variables section at the top of your .procmailrc file.
- Spam sources. IP addresses used to send repeated, multiple spam runs. This is a very aggressive spam sources list; it is safest to assume that any site that sends any significant quantity of bulk email without a verifiable closed-loop confirmed opt-in (COI) process ("double opt-in" for marketers) is vulnerable to listing here. It is disabled by default. You can enable it by setting SORBSSPAMCHECK=yes in the variables section at the top of your .procmailrc file.
The Spamcop blocklist contains the IPs of mail servers that its users report were used to send spam recently. It is an "early warning system" blocklist, prone to false positives, but also frequently containing spamming IPs that have not made it into the more conservative blocklists yet. It was founded by Julian Haight, and is currently owned by Ironport Systems, a manufacturer of high-end mail servers that also operates the Senderbase email traffic monitoring system. You should use the Spamcop blocklist with caution, but you can use it to good effect if you whitelist aggressively.
It is disabled by default. You can enable it by setting SPAMCOPCHECK=yes in the variables section at the top of your .procmailrc file.
SpamHaus is highly respected, and deserves to be for a number of reasons, only one of which is the blocklists it runs. SpamHaus follows a conservative policy to minimize false positives when listing spam sources, although a low false positive rate should be expected when using the SpamHaus Blocklist (SBL). It is one of the three most useful blocklists the SpamBouncer supports, and one of the other two is the SpamHaus eXploits Blocklist (XBL). The two together catch by far the majority of spam.
- SBL. The SBL contains IP addresses used to send repeated, multiple spam runs or that host web sites advertised via spamming. It is enabled by default. You can disable it by setting SPAMHAUSORGCHECK=no in the variables section at the top of your .procmailrc file, but I strongly recommend leaving it enabled.
- XBL. The XBL contains IP addresses belonging to computers that function as open proxies. (Many of these computers are hacked or trojaned workstations running Microsoft Windows.) It is a composite list containing all data from the CBL and the OPM, and selected data from the NJABL Open Proxies list. The XBL is enabled by default. You can disable it by setting XBLCHECK=no in the variables section at the top of your .procmailrc file, but I strongly recommend leaving it enabled.
The Spam Prevention Early Warning System (SPEWS) blocklist has closed. Please disable it in your SpamBouncer configuration. It will be removed from the next release.
The SURBL blocklist family is the first of a growing group of blocklists that lists, not IPs or domains in the headers of spam, but IPs and domains found in the message bodies of spam. These IPs and domains normally belong to the spammers, and are used as URLs to web sites owned or operated by the spammers. There are six SURBL blocklists at present, each representing data taken from a different source. The SURBL blocklists are conservative -- their stated aim is "no false positives," meaning that no false positives should be caused by reliance on any listing on any SURBL. My experience is that false positives traceable to a SURBL listing are, in fact, extremely rare. In addition, SURBLs catch a truly amazing amount of spam.
The SURBLs are the most useful and effective blocklists in the SpamBouncer other than the SBL and XBL. All six SURBL blocklists are enabled by default.
- Abuse Butler. The Abuse Butler list contains domains and IPs from spam received by the Abuse Butler service. It is enabled by default. You can disable it by setting SURBLABCHECK=no in the variables section at the top of your .procmailrc file, but I strongly recommend leaving it enabled.
- Outblaze. The Outblaze list contains domains and IPs from spam received by the Outblaze abuse department. Outblaze is the world's largest email services provider, and is rabidly anti-spam. It is enabled by default. You can disable it by setting SURBLOBCHECK=no in the variables section at the top of your .procmailrc file, but I strongly recommend leaving it enabled.
- Phishing. The Phishing list contains domains and IPs from phishes received by the Australian anti-virus and anti-spam service MailSecurity. It is enabled by default. You can disable it by setting SURBLPHCHECK=no in the variables section at the top of your .procmailrc file, but I strongly recommend leaving it enabled.
- SA-Blacklist. The SA-Blacklist SURBL contains domains and IPs from spam received by the spamtraps of Bill Stearns, maintainer of the SA-Blacklist module for SpamAssassin, and several smaller sources of data, most of them also used to create SpamAssassin modules in the past. It is enabled by default. You can disable it by setting SURBLWSCHECK=no in the variables section at the top of your .procmailrc file, but I strongly recommend leaving it enabled.
- Spamcop. The Spamcop list contains domains and IPs from the message bodies of spam reported to the Spamcop service by its users. It is enabled by default. You can disable it by setting SURBLSCCHECK=no in the variables section at the top of your .procmailrc file, but I strongly recommend leaving it enabled.
NOTE: The Spamcop SURBL is not the same thing as the Spamcop blocklist. The Spamcop blocklist lists the IPs of mail servers that sent spam; the Spamcop SURBL lists domains and IPs that appear in the message bodies of spam. In my experience, the Spamcop blocklist is aggressive and prone to false positives; the Spamcop SURBL is conservative and rarely leads to any false positives.
- Wein/Dijkxhoorn. The Wein/Dijkxhoorn list contains domains and IPs from spam received by the spamtraps of Joe Wein, maintainer of the SpamSpy program, and Raymond Dijkxhoorn at Prolocation, an anti-spam web hosting service in the Netherlands. It is enabled by default. You can disable it by setting SURBLPJCHECK=no in the variables section at the top of your .procmailrc file, but I strongly recommend leaving it enabled.
The Trend Micro MAPS blocklist family was the original DNS-based blocklist family, back in the depths of Internet time. (Eight or nine years ago.) <G> Originally a free service, the first of its lists -- the venerable MAPS RBL -- was developed by Paul Vixie. It was probably the single most effective tool against spam at the time. Understandably, it attracted a lot of spammer ire, and a great deal of community support.
Some years ago MAPS went commercial and private, Vixie left, and it was taken over by others under circumstances that remain murky, but were clearly unfriendly. At least two lawsuits were involved, and many (most) of the original MAPS crew left. (To their credit, most remained active in anti-spam work.) The SpamBouncer supported MAPS near its inception, and the code to support its blocklists remains, although I have been unable to test that code for years and cannot guarantee that it will work.
NOTE: You must have a subscription to MAPS and Trend must have configured the MAPS servers to allow access to the server running the SpamBouncer, or none of the MAPS blocklists will work.
- Dynamic IP ranges. IP addresses assigned dynamically to dial-up users and users with low-end cablemodem and DSL service. It is disabled by default. You can enable it by setting DULCHECK=yes in the variables section at the top of your .procmailrc file.
- Open relays. IP addresses that belong to open SMTP relays, SMTP servers configured to allow anybody to send email to anybody through them. It is disabled by default. You can enable it by setting RSSCHECK=yes in the variables section at the top of your .procmailrc file.
- Spam sources. IP addresses belonging to spammers or used in repeat, multiple spam runs. It is disabled by default. You can enable it by setting RBLCHECK=yes in the variables section at the top of your .procmailrc file.
The URIBL blocklist family lists, not IPs or domains in the headers of spam, but IPs and domains found in the message bodies of spam. These IPs and domains normally belong to the spammers, and are used as URLs to web sites owned or operated by the spammers. It was started in early 2005 by SARE members Chris Santerre and Dallas Engelken, and others who wanted a SURBL-type blocklist that was less conservative and allowed a larger degree of public participation.
Unlike the SURBL lists, the URIBL lists are not divided by data source, but by expected level of risk associated with blocking based on a particular domain or IP. The URIBL lists are URIBL Black, URIBL Grey, and URIBL Red. Although the URIBL is more of a grass-roots operation than the SURBL, in practice I have not seen a significantly greater rate of false positives from the URIBL Black list than from the SURBL lists, and it has a policy of "no false positives" as well. The URIBL Grey list contains domains and IPs that belong to companies that are involved in spam, but appear in both spam and legitimate email. If you use this list, you should expect a certain rate of false positives. The URIBL Red list contains domains that have the same registration information as domains in the URIBL Black list. It is risky, and should be considered experimental at present.
- Black. The Black list contains domains and IPs that belong to spammers and that should appear only in spam. It is enabled by default. You can disable it by setting URIBLCHECK=no in the variables section at the top of your .procmailrc file, but I recommend leaving it enabled.
- Grey. The Grey list contains domains and IPs that belong to spammers, but that might appear in legitimate email as well as in spam. It is disabled by default. You can enable it by setting URIBLGREYCHECK=yes in the variables section at the top of your .procmailrc file.
- Red. The Red list contains domains that have the same Whois data as domains in the Black list, and that often are hosted in the same IP block. It is disabled by default. You can enable it by setting URIBLREDCHECK=yes in the variables section at the top of your .procmailrc file.
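The enable/disable variables listed throughout this page can be checked mechanically against the page's own advice. The following is an added example, not SpamBouncer code: it parses `NAME=value` assignments from a `.procmailrc` and reports aggressive lists that are switched on, default-on lists that are switched off, and direct CBL/BOPM checks that duplicate the XBL. The parser is a simplified reading of procmail assignment syntax, and the sample file and finding labels are constructed for illustration.

```python
import re

# Variable names come from the page; the policy buckets are this example's
# reading of the page's advice, not SpamBouncer's own code.
AGGRESSIVE = {  # families the page calls aggressive or false-positive prone
    "AHBL": "AHBLDOMAINCHECK AHBLDDOSCHECK AHBLCGICHECK AHBLPROXYCHECK "
            "AHBLRELAYCHECK AHBLPSSLCHECK AHBLSPAMCHECK",
    "FTSG": "FTSGDIALCHECK FTSGIGNORECHECK FTSGWEBFORMCHECK FTSGMULTICHECK "
            "FTSGRSSCHECK FTSGOPTOUTCHECK FTSGSRCCHECK",
    "SORBS": "SORBSDYNCHECK SORBSCGICHECK SORBSPROXYCHECK SORBSPROXY2CHECK "
             "SORBSRELAYCHECK SORBSSOCKSCHECK SORBSSPAMCHECK",
    "RFC Ignorant": "RFCABUSECHECK RFCPOSTMASTERCHECK RFCWHOISCHECK RFCDSNCHECK",
    "Completewhois": "CWHOISBOGONCHECK CWHOISHIJACKCHECK",
    "Spamcop": "SPAMCOPCHECK",
}
FAMILY_OF = {v: fam for fam, names in AGGRESSIVE.items() for v in names.split()}

# Lists the page says are enabled by default and recommends leaving enabled.
DEFAULT_ON = set(
    "SPAMHAUSORGCHECK XBLCHECK NJABLDULCHECK NJABLPROXYCHECK SURBLABCHECK "
    "SURBLOBCHECK SURBLPHCHECK SURBLWSCHECK SURBLSCCHECK SURBLPJCHECK "
    "URIBLCHECK".split()
)

# Lists whose data the page says is already contained in the XBL.
IN_XBL = {"CBLCHECK": "CBL", "OPMBLITZEDCHECK": "BOPM"}

ASSIGN = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_variables(rc_text):
    """Return {NAME: value} for plain assignments; the last assignment wins."""
    values = {}
    for line in rc_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        name, raw = m.groups()
        raw = re.split(r"\s+#", raw, maxsplit=1)[0]  # drop a trailing comment
        values[name] = raw.strip("\"'").lower()
    return values


def audit(rc_text):
    """Return (kind, variable, message) findings in order of appearance."""
    v = parse_variables(rc_text)
    xbl_on = v.get("XBLCHECK", "yes") != "no"  # XBL is on unless set to no
    findings = []
    for name, value in v.items():
        if value == "yes" and name in FAMILY_OF:
            findings.append(("aggressive", name,
                             f"{FAMILY_OF[name]} list enabled: review local "
                             "whitelists (.legitlists, .nobounce)"))
        elif value == "yes" and name in IN_XBL and xbl_on:
            findings.append(("redundant", name,
                             f"{IN_XBL[name]} data is already in the XBL, "
                             "which is still enabled"))
        elif value == "no" and name in DEFAULT_ON:
            findings.append(("default-disabled", name,
                             "page recommends leaving this list enabled"))
    return findings


# Constructed sample of a .procmailrc variables section.
SAMPLE_RC = """
# blocklist settings
CBLCHECK=yes
SORBSSPAMCHECK=yes   # trying this out
SPAMCOPCHECK="yes"
SURBLSCCHECK=no
NJABLCGICHECK=yes
AHBLDOMAINCHECK=no
"""

if __name__ == "__main__":
    for kind, name, message in audit(SAMPLE_RC):
        print(f"{kind:17} {name:16} {message}")
```
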