Blacklists

I don’t put a lot of faith in DNSBLs, which are blacklists of spammer IPs. (They’re hosted as nameserver entries; you’d submit a DNS lookup for 4.3.2.1.example.com, where example.com was the DNSBL, to see if 1.2.3.4 was in the list; if it was, you’d get an “A” record of 127.0.0.2 (customary) back as a match.)

My concern is mostly that, historically, DNSBL providers have gotten carried away and started to list whole netblocks, and then whole netblocks of their enemies who aren’t sending spam… And pretty soon, you’re getting a lot of false positives. (Non-spammers who falsely test “positive” in spam checks.) In other words, you start rejecting legitimate e-mail because the blacklists tell you it’s spam. That’s a risk I’m not willing to take, and it’s an even more unacceptable risk for a business to take.

Other blacklists just don’t work. They match something like 10% of spammers. One blacklist I looked at rejects something like 40% of spam, and 50% of legitimate mail. (Yes, that’s right: it rejects more legitimate mail than spam.) So you probably won’t be surprised to learn that I don’t use any blacklists, other than a running list of people who have sent me obvious spam in the past 14 days. (I should probably lower the time period to something like 5 days, but I’m really not in a hurry to.)

But there are some blacklists that aren’t evil. Take these stats with a grain of salt, because they don’t check for false positives, and because they’re based on a limited sample, but I’ve found the following lists to be reliable:

  • zen.spamhaus.org: 100.00% matches, 101.77 ms. average response time. This merges all the Spamhaus zones, which include not only a list of known, persistent spammers, but also a list of exploited machines, and their “Policy Blacklist,” of things like cable modem netblocks.
  • t1.dnsbl.net.au: 100.00% matches, 260.61 ms. average response time. This is also an aggregate zone of an Australian DNSBL provider, with very good results.
  • karmasphere.email-sender.dnsbl.karmasphere.com: 100.00% matches, 96.31 ms. average response time.
  • hostkarma.junkemailfilter.com: 85.71% matches, 552.92 ms. average response time. It’s very slow to load for me, for some reason, but it has good results.
  • psbl.surriel.com: 50.00% matches, 394.72 ms. average response time. An automated blacklist based on Spamikaze. Incidentally, Spamikaze reports some other blacklists using their code, which I might want to evaluate, too.
  • ubl.unsubscore.com: 42.86% matches, 52.75 ms. average response time. A bit about the list is published on the excellent OpenRBL Wiki. Even though it comes after a list of DNSBLs with “100%” matches, 42.86% is actually very good in the real world.

Between the OpenRBL site and Spamikaze’s list, I do have some more that I’d like to experiment with. I should again reiterate that this was a very non-scientific test; it evaluated fewer than 20 IP addresses which have been blacklisted by my servers in the past few days. It assumes that their servers get spam from the same sources that I do; given that many large blacklists contain millions of IPs, this isn’t an accurate assumption at all. All these statistics are really good for is pointing out blacklists that are worth taking a look at.
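
The lookup described at the top of this post (reversed octets under the DNSBL zone) and the kind of match-rate and response-time figures listed above, as an added example; it is not the script that produced the numbers in this post. The zone `dnsbl.example`, the sample IPs and `fake_resolve` are constructed so that it runs offline; leave `resolve` at its default to query real DNS.

```python
import ipaddress
import socket
import time

def dnsbl_query_name(ip, zone):
    """1.2.3.4 checked against example.com -> 4.3.2.1.example.com (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True only if the zone answers with an A record inside 127.0.0.0/8."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = ipaddress.IPv4Address(resolve(name))
    except (OSError, ValueError):  # NXDOMAIN, timeout or junk answer: not listed
        return False
    # A resolver that rewrites NXDOMAIN to a real address must not count as a hit.
    return answer in ipaddress.ip_network("127.0.0.0/8")

def evaluate(zone, ips, resolve=socket.gethostbyname, clock=time.perf_counter):
    """Return (match percentage, average lookup time in ms) for one zone."""
    if not ips:
        raise ValueError("need at least one IP to evaluate a zone")
    hits, elapsed = 0, 0.0
    for ip in ips:
        start = clock()
        hits += is_listed(ip, zone, resolve)
        elapsed += clock() - start
    return round(100.0 * hits / len(ips), 2), round(1000.0 * elapsed / len(ips), 2)

# Constructed sample data: documentation-range IPs and a made-up zone.
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "198.51.100.6",
              "203.0.113.7", "203.0.113.8", "203.0.113.9"]
SAMPLE_LISTED = {dnsbl_query_name(ip, SAMPLE_ZONE) for ip in SAMPLE_IPS[:3]}

def fake_resolve(name):
    """Offline stand-in for a DNS lookup: 127.0.0.2 if listed, else NXDOMAIN."""
    if name in SAMPLE_LISTED:
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN (constructed)")

if __name__ == "__main__":
    pct, ms = evaluate(SAMPLE_ZONE, SAMPLE_IPS, resolve=fake_resolve)
    print(f"{SAMPLE_ZONE}: {pct:.2f}% matches, {ms:.2f} ms average response time")
```

Like the figures above, this only measures how many known-bad IPs a zone matches; measuring false positives would need a second run over IPs known to send legitimate mail.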
