Home | Contact Us | Download | Support | Purchase | Shopping Cart | Products

Contact Us
Docs
Download
Examples
FAQ
Overview
Purchase
Licensing
Support
Spam Checking
Mailing List
Product List
aspNetDns
aspNetEmail
aspNetIMAP
aspNetMime
aspNetMX
aspNetPing
aspNetPOP3
aspNetTraceRoute
aspNetWhois
ListNanny
  "It's hard to get across via an e-mail how thankful and grateful I am for your unending efforts. THANK YOU SO MUCH!"
Andrew Lau
Datahouse 		 
More
Testimonials
  DNSbl - DNS Black List Spam Checking
    

Spam Checking
aspNetPOP3 has built-in spam checking using DNSbl servers. This brief summary will talk about checking messages for spam.

What is DNSbl?
DNSbl stands for DNS Blackl-ist or Block-list. It is a way of using DNS servers, as a database, to keep track of IPs that produce spam. Various organizations maintain these DNS servers for their own, and sometimes public, use. A listing of DNS servers that we tested can be found below.

How do you use it?
Basically you query one of these DNS server database, using the ip4r format. If the DNS responds with an agreed upon result, the IP address can be considered a source of spam.

Ok, so what does it really mean?
You grab the IP address an email came from, query a special DNS server, designated as a DNSbl, and the DNS server's response tells you if the IP Address is a previous source of spam. But we've done all the hard work for you.

How do you use the aspNetPOP3 DNSbl Features?
The POP3 object has a new property called the BlackListChecker and a new method called CheckBlackList. This object is responsible for DNSbl lookups and parsing. Basically you populate the BlackListChecker with the DNSbl servers of your preference (see some DNSbl servers below), and pass a message index to the POP3 object. Here are two quick code snippets:
[C#] 

static void Main(string[] args){
    POP3 p = new POP3( true, false );
    p.BlackListChecker = CreateChecker();
    p.Connect();
    
    //check to see if the message is spam
    bool result = p.CheckBlackList( 0 );
    p.Disconnect(); 
    Console.WriteLine( "Message 0 is considered spam: {0}", result );
}
 
static BlackListChecker CreateChecker()
{
    BlackListChecker blc = new BlackListChecker();
 
    //add a few DNSbl servers
    blc.AddDNSBlackList( "sbl-xbl.spamhaus.org", "127.0.0.2" );
    blc.AddDNSBlackList( "dnsbl.sorbs.net", "127.0.0.2, 127.0.0.3, 127.0.0.4, 
    127.0.0.5, 127.0.0.6, 127.0.0.7, 127.0.0.8, 127.0.0.9, 127.0.0.10, 127.0.0.11, 127.0.0.12" );
 
    return blc;
 
}
[VB.NET] 
Public Overloads Shared Sub Main()  
   Dim p As New POP3(True, False)
   p.BlackListChecker = CreateChecker()
   p.Connect()

   'check to see if the message is spam
   Dim result As Boolean = p.CheckBlackList(0)
   p.Disconnect()   
   Console.WriteLine("Message 0 is considered spam: {0}", result)
   
End Sub 'Main
 
 
 
Shared Function CreateChecker() As BlackListChecker
   Dim blc As New BlackListChecker()
   
   'add a few DNSbl servers
   blc.AddDNSBlackList("sbl-xbl.spamhaus.org", "127.0.0.2")
   blc.AddDNSBlackList("dnsbl.sorbs.net", "127.0.0.2, 127.0.0.3, 127.0.0.4, 127.0.0.5, 
   127.0.0.6, 127.0.0.7, 127.0.0.8, 127.0.0.9, 127.0.0.10, 127.0.0.11, 127.0.0.12")
   
   Return blc
End Function 'CreateChecker

Other DNSbl Lists
Want some more listings of DNS servers? Here are a few more lists.
http://www.declude.com/Articles.asp?ID=97
http://www.moensted.dk/spam/
http://www.dnsstuff.com/

Below is a table of DNSbl servers. We recommend you visit the links listed below and determine the best DNSbl for your scenario  Some servers are extreme, and blacklist on the smallest infraction, while others take a while to get listed. If you are aware a DNSbl, not listed below, feel free to email us, so we can update the list.


NOTE: We have no affilation with any of the DNSbl servers listed below. We do not promote one over the other. If you are listed on any of these servers DO NOT EMAIL US. Contact the respective owner.
DNSbl Service Results Comments (taken from respective DNSbl website)
ADNSBL
http://antispam.or.id/

Lookup Server:
dnsbl.antispam.or.id 		127.0.0.2 We identify spam sources - whether intentional or not - at the time they are sending spam. Not before and not after.
Since knowing EXACTLY when a host is sending spam is as easy as sending people to Pluto, we decide to do the next best thing. We ESTIMATE when a host is sending spam or not based on the number of recent spam samples from that particular host.
AHBL
Abusive Hosts Blocking List
www.ahbl.org

Lookup Server:
dnsbl.ahbl.org		 127.0.0.2 - Open Relay
127.0.0.3 - Open Proxy
127.0.0.4 - Spam Source
127.0.0.5 - Provisional Spam Source Listing block (will be removed if spam stops)
127.0.0.6 - Formmail Spam
127.0.0.7 - Spam Supporter
127.0.0.8 - Spam Supporter (indirect)
127.0.0.9 - End User (non mail system)
127.0.0.10 - Shoot On Sight
127.0.0.11 - Non-RFC Compliant (missing postmaster or abuse)
127.0.0.12 - Does not properly handle 5xx errors
127.0.0.13 - Other Non-RFC Compliant
127.0.0.14 - Compromised System - DDoS
127.0.0.15 - Compromised System - Relay
127.0.0.16 - Compromised System - Autorooter/Scanner
127.0.0.17 - Compromised System - Worm or mass mailing virus
127.0.0.18 - Compromised System - Other virus
127.0.0.127 - Other		 The AHBL is a project of the Summit Open Source Development Group. It is designed to replace the old and no longer functional blackholes.2mbit.com (AKA Summit BL).
More Info www.ahbl.org
Blars Block List
www.blars.org

Lookup Server:
block.blars.org		 127.0.0.1 Spam sending domain
127.0.0.2 Multi-hop relay
127.0.0.4 Dialups not in MAPS DUL
127.0.0.8 Wants spam compainers to jump through hoops
127.0.0.16 No working abuse address
127.0.0.32 Hosts spamers web sites
127.0.0.64 Hosts spammers email dropboxes
127.0.0.128 breakin attempts
-------------------------------
127.0.1.x sued or prosecuted DNSBL lister
127.0.2.x DOS attack
127.0.4.x supplier of spamware
127.0.8.x knowingly supports spammers
127.0.16.x Legal threats
127.0.32.x attempted mail relay exploits
127.0.64.x attempted formmail exploits 		The BlarsBL is maintained by Blars at his wim. Use for any purpouse should be done at your own risk, and Blars is not responsible for use by anyone but himself.

In general, an entire netblock is added rather than just a single IP or customer of a larger ISP. (For example, if hugeisp has a /16 that they allocate a single /24 to spamcustomer, the /16 will be listed rather than just the /24.) An entire ISP may be added if they show a pattern of rejecting valid spam complaints for invalid reasons.
Blitzed Open Proxy Monitor
opm.blitzed.org
 

Lookup Server:
opm.blitzed.org.		 In opm.blitzed.org, the A record has an IP address of 127.1.0.x where x is a bitmask of the types of proxy that have been reported to be running on the host. The values of the bitmask are as follows:
WinGate 1
SOCKS 2
HTTP CONNECT 4
Router 8
HTTP POST 16

 

 Blitzed is an IRC network, and therefore the DNSBL was originally focused on and built from evidence of IRC abuse. Very quickly however it became obvious that spamtraps could provide just as much (if not more) evidence of open proxy abuse, and now more than 50% of our list content comes from spam.
Composite Blocking List
cbl.abuseat.org

Lookup Server:
cbl.abuseat.org		 127.0.0.2 The CBL takes its source data from very large spamtraps, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, without doing open proxy tests of any kind.
CSMA
bl.csma.biz

Lookup Server:
bl.csma.biz		 127.0.0.2 McFadden Associates professionally manages a number of high-volume Internet mail servers. These servers run software packages including MailScanner and SpamAssassin to scan all mail passing through these servers. Based on a number of algorithms, a "score" is assigned to each e-mail. Whenever a "high sscoring" SPAM is received--mail that is junk beyond reasonable doubt--it is filtered and its details recorded in this database. (For more information on MailScanner and SpamAssassin, see their respective websites.)

We currently maintain two databases: bl.csma.biz and sbl.csma.biz. The first database contains only aggressive hosts that have spammed repeatedly during a short timeframe. The second database is a bit more aggressive, recording all hosts that have generated spam within a 45-day period.
CSMA
bl.csma.biz

Lookup Server:
sbl.csma.biz		 127.0.0.2 The more aggressive of the McFadden Associates databases, recording all hosts that have generated spam within a 45-day period.
DeadBeef.Com
spam.deadbeef.com
 

Lookup Server:
bl.deadbeef.com 		127.0.0.2 Why do I have a blacklist? Because I don't want to get spam from irresponsable ISPs. Basically, if there is no way to contact an ISP to report abuse, then they are auto-blacklisted.
Distributed Server Boycott List
dsbl.org

Lookup Server:
list.dsbl.org 		127.0.0.2
  • (trusted users only):
    • single stage open smtp relays
    • open proxies allowing the CONNECT command
    • webservers using a non-secure formmail
Distributed Server Boycott List
dsbl.org

Lookup Server:
multihop.dsbl.org		 127.0.0.2
  •  (trusted users only):
    • outputs of multi-hop open relay
Distributed Server Boycott List
dsbl.org/usage

Lookup Server:
unconfirmed.dsbl.org		 127.0.0.2
  • open smtp relays
  • open proxies allowing the CONNECT command
  • webservers using a non-secure formmail
  • servers with unaccountable users, since a user of an ISP will be able to submit the mail servers of his/her own ISP for inclusion into DSBL; this will probably get many of the free email services and free ISPs listed, especially the unattentive ones that let spammers use their services
JAMM Consulting's spam blocklist
www.jammconsulting.com

Lookup Server:
dnsbl.jammconsulting.com		 127.0.0.2 This blocklist is very aggressive and will likely lead to false positives. Anyone using it understands and agrees:
Anyone using this list does so at their own volition and JAMM Consulting is not liable for any outcomes from the use and/or misuse of this list.  If you disagree with this policy, do not use this list for any purposes whatsoever.
kundenserver
relaytest.kundenserver.de

Lookup Server:
relays.bl.kundenserver.de 		127.0.0.2 When our mail cluster receives mail from a host, this host is scheduled to be checked for being an open relay (see http://mail-abuse.org/tsi/ for closer information on the subject of such unsecured mail servers and how to fix this security problem). Relaytest.kundenserver.de attempts to relay a mail via this host and as soon as the mail is received at relaytest.kundenserver.de, we'll list the affected host as an open relay.
LNSG
www.leadmon.net

Lookup Server:
spamguard.leadmon.net
 		 127.0.0.2
127.0.0.3
127.0.0.4
127.0.0.5
127.0.0.6
 		 This is a personal RBL, not intended for any specific usage. If you use this list, then use it at your own risk, as it's here for me to personally use to stop SPAM to my personal servers.. I do my best to not list any innocents, only legit sites that fit the categories below. Still I can't assure anyone of 100% accuracy.

Comments on the results

  1. Dial-Up/Cable/DSL IP Addresses. These are generally determined by manually looking at the reverse DNS names. If you have a real mail server in one of these blocks, please let me know so I can correct this list, but you will also be tested to verify you're not an open relay. Note that this list contains Cable Modems, DSL, Dial-Up netblocks. Being on this list does NOT mean you are a SPAMMER, it means you are connected to the net via DSL/Cable/Dial-Up Modem, and your DNS shows this to be the case. You *should* be using your upstream ISP's mailserver. So writing to us cursing that we are acusing you of being a SPAMMER and to remove you from this list will not get a reply. We don't force any ISP to use this part of the list, it's here for information only, people can do what they please with it.

    The IP returned by this list on a positive query is 127.0.0.2 if you care to test for it specifically.
     
  2. Individual SPAM Sources. The addresses in here are gotten from E-Mail that I have received that was SPAM. If you have inherited such IP address space, please let me know and we will remove you, but should we get additional SPAM from your IP will be added back to the list.

    The IP returned by this list on a positive query is 127.0.0.3 if you care to test for it specifically.

     
  3. Bulk mailers that don't require confirmed opt-in from their customers, or that have allowed known spammers to become clients and abuse their services.

    The IP returned by this list on a positive query is 127.0.0.4 if you care to test for it specifically.

     
  4. Single-Stage Open Relays that are not listed on one of the other active RBL's.

    The IP returned by this list on a positive query is 127.0.0.5 if you care to test for it specifically.

     
  5. Multi-Stage Open Relays. chains that have sent spam to us, and are not listed on of the other active RBL's.

    The IP returned by this list on a positive query is 127.0.0.6 if you care to test for it specifically.

     
  6. SpamBlock Sites Sites on this listing have sent us direct SPAM, but when looking up the rDNS information on the spam's IP, we realize it's an entire Class-C that has NO DNS mappings as well. So as it's a range with identified SPAM, and no way to isolate the range, we block the entire block.
     
NETHER
puck.nether.net

Lookup Server:
relays.nether.net		 127.0.0.2 Any host that sends e-mail to an invalid username @ puck.nether.net or @nether.net is tested to insure that it is not an open-relay. due to the proliferation of spam due to open-relays we have found this to be a necessity.
NJABL Not Just Another Bogus List
njabl.org

Lookup Server:
dnsbl.njabl.org		 127.0.0.2 - open relays
127.0.0.3 - dial-up/dynamic IP ranges 
127.0.0.4 - Spam Sources
127.0.0.5 - Multi-stage open relays
127.0.0.8 - Systems with insecure formmail.cgi 127.0.0.9 - Open proxy servers 		NJABL.ORG is Not Just Another Bogus List. This effort began out of frustration with the amount of spam coming into our networks and with the lack of options for an existing dnsbl with policies and stability we could live with.
ORDB
www.ordb.org

Lookup Server:
relays.ordb.org		 127.0.0.2 ORDB.org is the Open Relay Database. ORDB.org is a non-profit organisation which stores a IP-addresses of verified open SMTP relays.
Passive Spam Block List
psbl.surriel.com

Lookup Server:
psbl.surriel.com		 127.0.0.2 An easy-on, easy-off blacklist that doesn't rely on testing and should reduce false positives because any user can remove their ISP's mail server from the list.
RANGERS
rbl.rangers.eu.org

Lookup Server:
rbl.rangers.eu.org		 127.0.0.1 see TXT record
127.0.0.2 spam source
127.0.0.3 spam supporting ISP
127.0.0.4 dynamic IP range, dial-up or DSL line with randomly assigned address
127.0.0.5 multistage open-relay
127.0.0.6 abusable web2email gateway
127.0.0.7 abusable unconfirmed subscription
127.0.0.8 other spam source
127.0.0.9 virus/worm source
127.0.0.10 misconfigured anti-virus scanner sending false notifications
 		 IP addresses and ranges are listed based on spam received by users of several mail servers and a number of published and unpublished spamtraps (reactive listings) as well as publicly available evidence of spammer operations (preventive listings). No nominations are accepted.
Spamhaus
www.spamhaus.org

Lookup Server:
sbl-xbl.spamhaus.org		 127.0.0.2 The SBL is a realtime database of IP addresses of verified spam sources (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.
SORBS
www.dnsbl.us.sorbs.net

Lookup Server:
dnsbl.sorbs.net		 127.0.0.2 - Spam and Open Relays
127.0.0.3 - Open SOCKS servers
127.0.0.4 - Open Proxy Servers
127.0.0.5 - Open SMTP Relays
127.0.0.6 - Sent SPAM to SORBS admins
127.0.0.7 - Vulnerable Lists
127.0.0.8 - Blocks
127.0.0.9 - Network Hijacked
127.0.0.10 - Dynamic IP
127.0.0.11 - Bad DNS Setup
127.0.0.12 - No Mail Should be Sent from this Domain
 		 SORBS is an acronym for Spam and Open Relay Blocking System. This is not strictly accurate as a description though, as it stops Open Proxy servers and machines that appear to be hacked sorces of spam, as well as Open Relays.
SPAMBAG
www.spambag.org 

Lookup Server:
blacklist.spambag.org 		127.0.0.2 This is the traditional distribution method, via a DNS zone. The DNS zone is blacklist.spambag.org. It is suitable to be used as a typical E-mail filters, and most popular mail servers already have the ability to access DNS-based lists.
SpamCannibal
www.spamcannibal.org

Lookup Server:
bl.spamcannibal.org		 127.0.0.2 SpamCannibal is a free software toolkit to help stop DoS attacks, UBE (Unsolicited Bulk Email), UCE (Unsolicited Commercial Email), and other spam from reaching your network and your mail servers.
SpamCop
www.spamcop.net

Lookup Server:
bl.spamcop.net		 127.0.0.2 This blocking list is somewhat experimental. This system and most other spam-filtering systems should not be used in a production environment where legitimate email must be delivered. Many end-users and administrators have decided that risking the loss of legitimate email is worth the benefit of blocking most spam. As a result, this list is now used widely and it's reputation for blocking spam while reducing the risk of erronious blocking is growing.
SPEWS1
www.spews.org

Lookup Server:
l1.spews.dnsbl.sorbs.net		 127.0.0.2 The SPEWS Level 1 & Level 2 data can be accessed from their multi-zone spam prevention database (l1.spews.dnsbl.sorbs.net / l2.spews.dnsbl.sorbs.net). Use of their system is also free.
SPEWS2
www.spews.org

Lookup Server:
l2.spews.dnsbl.sorbs.net		 127.0.0.2 A less strict list of l1 (contains all of l1's entries).
UCEB
www.uceb.org

Lookup Server:
blackholes.uceb.org		 127.0.0.2: The address is known to us as an open SMTP relay server.
127.0.0.3: The address is known to us as a host that has sent spam in the past.
127.0.0.4: The address is known to us as part of a network of spam originating hosts.
127.0.0.5: The address identified as dial-up host that has sent spam in the past.
127.0.0.6: The ISP that holds this address is not willing to undertake any actions against spam or does not answer spam complaints.
127.0.0.7: The holder of this address asked us not to test the SMTP servers open relay status.
127.0.0.8: The address is known to us as a host that has sent spam in the past and fakes the SMTP head to prevent domain name based spam 		In late summer 2001 I started a new blackhole list of sites that send SPAM to me. I add any IP addresses of mailservers that are used to send SPAM, mailservers that are used as relay to send SPAM and mailservers of organizations that support or even make money with sending these floods of commercial emails!

I am a "hardcore spam blocker". My motto is: first block the access, then talk. If I recevie a SPAM mail I add the senders address to my list without informing any abuse@ or postmaster@ accounts or ISP's who own the address.
 
WPBL - Weighted Private Block List
http://www.wpbl.info/

Lookup Server:
db.wpbl.info		 127.0.0.2 WPBL is a fully automated real-time blocklist that uses distributed mail sightings from many users to list IP addresses that are relaying spam. Our goal is to list individual IP addresses that are actual spam sources as judged by highly accurate statistical (mostly bayesian) filters running on real email accounts.
      


The box is not shipped. aspNetPOP3 is a downloadable product.