Spam Checking
aspNetPOP3 has built-in spam checking using DNSbl servers. This brief summary
will talk about checking messages for spam.
What is DNSbl?
DNSbl stands for DNS Blacklist or Blocklist. It is a way of using DNS
servers, as a database, to keep track of IPs that produce spam. Various
organizations maintain these DNS servers for their own, and sometimes public,
use. A listing of DNS servers that we tested can be found below.
How do you use it?
Basically, you query one of these DNS server databases using the ip4r format. If
the DNS server responds with an agreed-upon result, the IP address can be
considered a source of spam.
Ok, so what does it really mean?
You grab the IP address an email came from, query a special DNS server,
designated as a DNSbl, and the DNS server's response tells you if the IP
Address is a previous source of spam. But we've done all the hard work for you.
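The lookup described above, written out as an added C# example (it is not aspNetPOP3 code and not from the original page). The class and method names, the 192.0.2.x addresses and the canned DNS answers are constructed for illustration; the opm.blitzed.org bitmask values are the ones given in the table further down.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Sockets;

[Flags] enum OpmProxy { WinGate = 1, Socks = 2, HttpConnect = 4, Router = 8, HttpPost = 16 }

static class DnsblDemo   // hypothetical name, for illustration only
{
    // ip4r format: the four IPv4 octets reversed, followed by the DNSbl zone.
    static string QueryName(string ip, string zone)
    {
        if (!IPAddress.TryParse(ip, out IPAddress addr) || addr.AddressFamily != AddressFamily.InterNetwork)
            throw new ArgumentException("ip4r lookups need an IPv4 address");
        byte[] o = addr.GetAddressBytes();
        return string.Format("{0}.{1}.{2}.{3}.{4}", o[3], o[2], o[1], o[0], zone.Trim('.'));
    }

    // Listed only when an answer equals an agreed result code; other answers are ignored.
    static bool IsListed(IEnumerable<IPAddress> answers, string resultCodes)
    {
        var agreed = resultCodes.Split(',').Select(c => IPAddress.Parse(c.Trim())).ToList();
        return answers.Any(a => agreed.Contains(a));
    }

    // NXDOMAIN / no data means "not listed". Other failures (timeouts) propagate,
    // so a resolver outage is not mistaken for a clean result.
    static IPAddress[] Lookup(string name, Func<string, IPAddress[]> resolve)
    {
        try { return resolve(name); }
        catch (SocketException e) when (e.SocketErrorCode == SocketError.HostNotFound ||
                                        e.SocketErrorCode == SocketError.NoData)
        { return new IPAddress[0]; }
    }

    // opm.blitzed.org answers 127.1.0.x, where x is the proxy-type bitmask.
    static OpmProxy DecodeOpm(IPAddress answer)
    {
        byte[] o = answer.GetAddressBytes();
        if (o[0] != 127 || o[1] != 1 || o[2] != 0) throw new FormatException("not 127.1.0.x");
        return (OpmProxy)o[3];
    }

    static void Main()
    {
        // Constructed answers standing in for real DNS; pass Dns.GetHostAddresses
        // instead of 'fake' to query live servers.
        var zoneData = new Dictionary<string, string> {
            { "10.2.0.192.sbl-xbl.spamhaus.org", "127.0.0.2" },
            { "10.2.0.192.opm.blitzed.org", "127.1.0.6" } };
        Func<string, IPAddress[]> fake = n => {
            if (!zoneData.TryGetValue(n, out var a)) throw new SocketException((int)SocketError.HostNotFound);
            return new[] { IPAddress.Parse(a) };
        };
        Console.WriteLine(IsListed(Lookup(QueryName("192.0.2.10", "sbl-xbl.spamhaus.org"), fake), "127.0.0.2"));
        Console.WriteLine(IsListed(Lookup(QueryName("192.0.2.11", "sbl-xbl.spamhaus.org"), fake), "127.0.0.2"));
        Console.WriteLine(DecodeOpm(Lookup(QueryName("192.0.2.10", "opm.blitzed.org."), fake)[0]));
    }
}
```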
How do you use the aspNetPOP3 DNSbl Features?
The POP3 object has a new property called the BlackListChecker and a new
method called CheckBlackList. This object is responsible for DNSbl
lookups and parsing. Basically you populate the BlackListChecker with the DNSbl
servers of your preference (see some DNSbl servers below),
and pass a message index to the POP3 object. Here are two quick code snippets:
[C#]
static void Main(string[] args)
{
    POP3 p = new POP3( true, false );
    //attach the checker that holds the DNSbl servers to query
    p.BlackListChecker = CreateChecker();
    p.Connect();
    //check to see if the message is spam
    bool result = p.CheckBlackList( 0 );
    p.Disconnect();
    Console.WriteLine( "Message 0 is considered spam: {0}", result );
}

static BlackListChecker CreateChecker()
{
    BlackListChecker blc = new BlackListChecker();
    //add a few DNSbl servers: lookup server, then the result codes that count as listed
    blc.AddDNSBlackList( "sbl-xbl.spamhaus.org", "127.0.0.2" );
    blc.AddDNSBlackList( "dnsbl.sorbs.net",
        "127.0.0.2, 127.0.0.3, 127.0.0.4, 127.0.0.5, 127.0.0.6, 127.0.0.7, " +
        "127.0.0.8, 127.0.0.9, 127.0.0.10, 127.0.0.11, 127.0.0.12" );
    return blc;
}
[VB.NET]
Public Overloads Shared Sub Main()
    Dim p As New POP3(True, False)
    'attach the checker that holds the DNSbl servers to query
    p.BlackListChecker = CreateChecker()
    p.Connect()
    'check to see if the message is spam
    Dim result As Boolean = p.CheckBlackList(0)
    p.Disconnect()
    Console.WriteLine("Message 0 is considered spam: {0}", result)
End Sub 'Main

Shared Function CreateChecker() As BlackListChecker
    Dim blc As New BlackListChecker()
    'add a few DNSbl servers: lookup server, then the result codes that count as listed
    blc.AddDNSBlackList("sbl-xbl.spamhaus.org", "127.0.0.2")
    blc.AddDNSBlackList("dnsbl.sorbs.net", _
        "127.0.0.2, 127.0.0.3, 127.0.0.4, 127.0.0.5, 127.0.0.6, 127.0.0.7, " & _
        "127.0.0.8, 127.0.0.9, 127.0.0.10, 127.0.0.11, 127.0.0.12")
    Return blc
End Function 'CreateChecker
Other DNSbl Lists
Want some more listings of DNS servers? Here are a few more lists.
http://www.declude.com/Articles.asp?ID=97
http://www.moensted.dk/spam/
http://www.dnsstuff.com/
Below is a table of DNSbl servers. We recommend you visit the links listed below
and determine the best DNSbl for your scenario. Some servers are extreme,
and blacklist on the smallest infraction, while others take a while to get
listed. If you are aware of a DNSbl not listed below, feel free to email us so
we can update the list.
NOTE: We have no affiliation with any of the DNSbl servers listed below. We do not promote one over the other. If you are listed on any of these
servers DO NOT EMAIL US. Contact the respective owner.
DNSbl Service | Results | Comments (taken from respective DNSbl website) |
ADNSBL
http://antispam.or.id/
Lookup Server:
dnsbl.antispam.or.id
|
127.0.0.2 |
We identify spam sources - whether intentional or not - at the
time they are sending spam. Not before and not after.
Since knowing EXACTLY when a host is sending spam is as easy as sending people
to Pluto, we decide to do the next best thing. We ESTIMATE when a host is
sending spam or not based on the number of recent spam samples from that
particular host. |
AHBL
Abusive Hosts Blocking List
www.ahbl.org
Lookup Server:
dnsbl.ahbl.org |
127.0.0.2 - Open Relay
127.0.0.3 - Open Proxy
127.0.0.4 - Spam Source
127.0.0.5 - Provisional Spam Source Listing block (will be removed if spam
stops)
127.0.0.6 - Formmail Spam
127.0.0.7 - Spam Supporter
127.0.0.8 - Spam Supporter (indirect)
127.0.0.9 - End User (non mail system)
127.0.0.10 - Shoot On Sight
127.0.0.11 - Non-RFC Compliant (missing postmaster or abuse)
127.0.0.12 - Does not properly handle 5xx errors
127.0.0.13 - Other Non-RFC Compliant
127.0.0.14 - Compromised System - DDoS
127.0.0.15 - Compromised System - Relay
127.0.0.16 - Compromised System - Autorooter/Scanner
127.0.0.17 - Compromised System - Worm or mass mailing virus
127.0.0.18 - Compromised System - Other virus
127.0.0.127 - Other |
The AHBL is a project of the Summit Open Source Development Group.
It is designed to replace the old and no longer functional blackholes.2mbit.com
(AKA Summit BL).
More Info www.ahbl.org
|
Blars Block List
www.blars.org
Lookup Server:
block.blars.org |
127.0.0.1 Spam sending domain
127.0.0.2 Multi-hop relay
127.0.0.4 Dialups not in MAPS DUL
127.0.0.8 Wants spam complainers to jump through hoops
127.0.0.16 No working abuse address
127.0.0.32 Hosts spammers web sites
127.0.0.64 Hosts spammers email dropboxes
127.0.0.128 breakin attempts
-------------------------------
127.0.1.x sued or prosecuted DNSBL lister
127.0.2.x DOS attack
127.0.4.x supplier of spamware
127.0.8.x knowingly supports spammers
127.0.16.x Legal threats
127.0.32.x attempted mail relay exploits
127.0.64.x attempted formmail exploits
|
The BlarsBL is maintained by Blars at his whim. Use for any
purpose should be done at your own risk, and Blars is not responsible for use
by anyone but himself.
In general, an entire netblock is added rather than just a single IP or
customer of a larger ISP. (For example, if hugeisp has a /16 that they allocate
a single /24 to spamcustomer, the /16 will be listed rather than just the /24.)
An entire ISP may be added if they show a pattern of rejecting valid spam
complaints for invalid reasons.
|
Blitzed Open Proxy Monitor
opm.blitzed.org
Lookup Server:
opm.blitzed.org. |
In opm.blitzed.org, the A record has an IP address of 127.1.0.x
where x is a bitmask of the types of proxy that have been reported to be
running on the host. The values of the bitmask are as follows:
WinGate: 1
SOCKS: 2
HTTP CONNECT: 4
Router: 8
HTTP POST: 16
|
Blitzed is an IRC network, and therefore the DNSBL was originally
focused on and built from evidence of IRC abuse. Very quickly however it became
obvious that spamtraps could provide just as much (if not more) evidence of
open proxy abuse, and now more than 50% of our list content comes from spam.
|
Composite Blocking List
cbl.abuseat.org
Lookup Server:
cbl.abuseat.org |
127.0.0.2 |
The CBL takes its source data from very large spamtraps, and only
lists IPs exhibiting characteristics which are specific to open proxies of
various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to
send spam, worms/viruses that do their own direct mail transmission, or some
types of trojan-horse or "stealth" spamware, without doing open proxy
tests of any kind.
|
CSMA
bl.csma.biz
Lookup Server:
bl.csma.biz |
127.0.0.2 |
McFadden Associates professionally manages a number of high-volume
Internet mail servers. These servers run software packages including
MailScanner and SpamAssassin to scan all mail passing through these servers.
Based on a number of algorithms, a "score" is assigned to each
e-mail. Whenever a "high scoring" SPAM is received--mail that is
junk beyond reasonable doubt--it is filtered and its details recorded in this
database. (For more information on MailScanner and SpamAssassin, see their
respective websites.)
We currently maintain two databases: bl.csma.biz and sbl.csma.biz. The first
database contains only aggressive hosts that have spammed repeatedly during a
short timeframe. The second database is a bit more aggressive, recording all
hosts that have generated spam within a 45-day period. |
CSMA
bl.csma.biz
Lookup Server:
sbl.csma.biz |
127.0.0.2 |
The more aggressive of the McFadden Associates databases,
recording all hosts that have generated spam within a 45-day period. |
DeadBeef.Com
spam.deadbeef.com
Lookup Server:
bl.deadbeef.com
|
127.0.0.2 |
Why do I have a blacklist? Because I don't want to get spam from
irresponsible ISPs. Basically, if there is no way to contact an ISP to report
abuse, then they are auto-blacklisted.
|
Distributed Server Boycott List
dsbl.org
Lookup Server:
list.dsbl.org
|
127.0.0.2 |
- (trusted users only):
- single stage open smtp relays
- open proxies allowing the CONNECT command
- webservers using a non-secure formmail
|
Distributed Server Boycott List
dsbl.org
Lookup Server:
multihop.dsbl.org |
127.0.0.2 |
- (trusted users only):
- outputs of multi-hop open relay
|
Distributed Server Boycott List
dsbl.org/usage
Lookup Server:
unconfirmed.dsbl.org |
127.0.0.2 |
- open smtp relays
- open proxies allowing the CONNECT command
- webservers using a non-secure formmail
- servers with unaccountable users, since a user of an ISP will be able to submit
  the mail servers of his/her own ISP for inclusion into DSBL; this will probably
  get many of the free email services and free ISPs listed, especially the
  unattentive ones that let spammers use their services
|
JAMM Consulting's spam blocklist
www.jammconsulting.com
Lookup Server:
dnsbl.jammconsulting.com |
127.0.0.2 |
This blocklist is very aggressive and will likely lead to false
positives. Anyone using it understands and agrees:
Anyone using this list does so at their own volition and JAMM Consulting is not
liable for any outcomes from the use and/or misuse of this list. If you
disagree with this policy, do not use this list for any purposes whatsoever.
|
kundenserver
relaytest.kundenserver.de
Lookup Server:
relays.bl.kundenserver.de
|
127.0.0.2 |
When our mail cluster receives mail from a host, this host is
scheduled to be checked for being an open relay (see http://mail-abuse.org/tsi/
for closer information on the subject of such unsecured mail servers and how to
fix this security problem). Relaytest.kundenserver.de attempts to relay a mail
via this host and as soon as the mail is received at relaytest.kundenserver.de,
we'll list the affected host as an open relay.
|
LNSG
www.leadmon.net
Lookup Server:
spamguard.leadmon.net
|
127.0.0.2
127.0.0.3
127.0.0.4
127.0.0.5
127.0.0.6
|
This is a personal RBL, not intended for any specific usage. If
you use this list, then use it at your own risk, as it's here for me to
personally use to stop SPAM to my personal servers. I do my best to not list
any innocents, only legit sites that fit the categories below. Still I can't
assure anyone of 100% accuracy.
Comments on the results
- Dial-Up/Cable/DSL IP Addresses. These are generally determined by manually
  looking at the reverse DNS names. If you have a real mail server in one of
  these blocks, please let me know so I can correct this list, but you will also
  be tested to verify you're not an open relay. Note that this list contains
  Cable Modems, DSL, Dial-Up netblocks. Being on this list does NOT mean you are
  a SPAMMER, it means you are connected to the net via DSL/Cable/Dial-Up Modem,
  and your DNS shows this to be the case. You *should* be using your upstream
  ISP's mailserver. So writing to us cursing that we are accusing you of being a
  SPAMMER and to remove you from this list will not get a reply. We don't force
  any ISP to use this part of the list, it's here for information only, people
  can do what they please with it.
  The IP returned by this list on a positive query is 127.0.0.2 if you care to
  test for it specifically.
- Individual SPAM Sources. The addresses in here are gotten from E-Mail that I
  have received that was SPAM. If you have inherited such IP address space,
  please let me know and we will remove you, but should we get additional SPAM
  from your IP will be added back to the list.
  The IP returned by this list on a positive query is 127.0.0.3 if you care to
  test for it specifically.
- Bulk mailers that don't require confirmed opt-in from their customers, or that
  have allowed known spammers to become clients and abuse their services.
  The IP returned by this list on a positive query is 127.0.0.4 if you care to
  test for it specifically.
- Single-Stage Open Relays that are not listed on one of the other active RBL's.
  The IP returned by this list on a positive query is 127.0.0.5 if you care to
  test for it specifically.
- Multi-Stage Open Relays. Chains that have sent spam to us, and are not listed
  on one of the other active RBL's.
  The IP returned by this list on a positive query is 127.0.0.6 if you care to
  test for it specifically.
- SpamBlock Sites. Sites on this listing have sent us direct SPAM, but when
  looking up the rDNS information on the spam's IP, we realize it's an entire
  Class-C that has NO DNS mappings as well. So as it's a range with identified
  SPAM, and no way to isolate the range, we block the entire block.
|
NETHER
puck.nether.net
Lookup Server:
relays.nether.net |
127.0.0.2 |
Any host that sends e-mail to an invalid username @
puck.nether.net or @nether.net is tested to ensure that it is not an
open-relay. Due to the proliferation of spam due to open-relays we have found
this to be a necessity.
|
NJABL Not Just Another Bogus List
njabl.org
Lookup Server:
dnsbl.njabl.org |
127.0.0.2 - open relays
127.0.0.3 - dial-up/dynamic IP ranges
127.0.0.4 - Spam Sources
127.0.0.5 - Multi-stage open relays
127.0.0.8 - Systems with insecure formmail.cgi
127.0.0.9 - Open proxy servers
|
NJABL.ORG is Not Just Another Bogus List. This effort began out of
frustration with the amount of spam coming into our networks and with the lack
of options for an existing dnsbl with policies and stability we could live
with.
|
ORDB
www.ordb.org
Lookup Server:
relays.ordb.org |
127.0.0.2 |
ORDB.org is the Open Relay Database. ORDB.org is a non-profit
organisation which stores a IP-addresses of verified open SMTP relays. |
Passive Spam Block List
psbl.surriel.com
Lookup Server:
psbl.surriel.com |
127.0.0.2 |
An easy-on, easy-off blacklist that doesn't rely on testing and
should reduce false positives because any user can remove their ISP's mail
server from the list.
|
RANGERS
rbl.rangers.eu.org
Lookup Server:
rbl.rangers.eu.org |
127.0.0.1 see TXT record
127.0.0.2 spam source
127.0.0.3 spam supporting ISP
127.0.0.4 dynamic IP range, dial-up or DSL line with randomly assigned address
127.0.0.5 multistage open-relay
127.0.0.6 abusable web2email gateway
127.0.0.7 abusable unconfirmed subscription
127.0.0.8 other spam source
127.0.0.9 virus/worm source
127.0.0.10 misconfigured anti-virus scanner sending false notifications
|
IP addresses and ranges are listed based on spam received by users
of several mail servers and a number of published and unpublished spamtraps
(reactive listings) as well as publicly available evidence of spammer
operations (preventive listings). No nominations are accepted.
|
Spamhaus
www.spamhaus.org
Lookup Server:
sbl-xbl.spamhaus.org |
127.0.0.2 |
The SBL is a realtime database of IP addresses of verified spam
sources (including spammers, spam gangs and spam support services), maintained
by the Spamhaus Project team and supplied as a free service to help email
administrators better manage incoming email streams. |
SORBS
www.dnsbl.us.sorbs.net
Lookup Server:
dnsbl.sorbs.net |
127.0.0.2 - Spam and Open Relays
127.0.0.3 - Open SOCKS servers
127.0.0.4 - Open Proxy Servers
127.0.0.5 - Open SMTP Relays
127.0.0.6 - Sent SPAM to SORBS admins
127.0.0.7 - Vulnerable Lists
127.0.0.8 - Blocks
127.0.0.9 - Network Hijacked
127.0.0.10 - Dynamic IP
127.0.0.11 - Bad DNS Setup
127.0.0.12 - No Mail Should be Sent from this Domain
|
SORBS is an acronym for Spam and Open Relay Blocking System. This
is not strictly accurate as a description though, as it stops Open Proxy
servers and machines that appear to be hacked sources of spam, as well as Open
Relays.
|
SPAMBAG
www.spambag.org
Lookup Server:
blacklist.spambag.org
|
127.0.0.2 |
This is the traditional distribution method, via a DNS zone. The
DNS zone is blacklist.spambag.org. It is suitable to be used as a typical
E-mail filters, and most popular mail servers already have the ability to
access DNS-based lists. |
SpamCannibal
www.spamcannibal.org
Lookup Server:
bl.spamcannibal.org |
127.0.0.2 |
SpamCannibal is a free software toolkit to help stop DoS attacks,
UBE (Unsolicited Bulk Email), UCE (Unsolicited Commercial Email), and other
spam from reaching your network and your mail servers.
|
SpamCop
www.spamcop.net
Lookup Server:
bl.spamcop.net |
127.0.0.2 |
This blocking list is somewhat experimental. This system and most
other spam-filtering systems should not be used in a production environment
where legitimate email must be delivered. Many end-users and administrators
have decided that risking the loss of legitimate email is worth the benefit of
blocking most spam. As a result, this list is now used widely and its
reputation for blocking spam while reducing the risk of erroneous blocking is
growing.
|
SPEWS1
www.spews.org
Lookup Server:
l1.spews.dnsbl.sorbs.net |
127.0.0.2 |
The SPEWS Level 1 & Level 2 data can be accessed from their
multi-zone spam prevention database (l1.spews.dnsbl.sorbs.net /
l2.spews.dnsbl.sorbs.net). Use of their system is also free. |
SPEWS2
www.spews.org
Lookup Server:
l2.spews.dnsbl.sorbs.net |
127.0.0.2 |
A less strict list of l1 (contains all of l1's entries). |
UCEB
www.uceb.org
Lookup Server:
blackholes.uceb.org |
127.0.0.2: The address is known to us as an open SMTP relay
server.
127.0.0.3: The address is known to us as a host that has sent spam in the past.
127.0.0.4: The address is known to us as part of a network of spam originating
hosts.
127.0.0.5: The address identified as dial-up host that has sent spam in the
past.
127.0.0.6: The ISP that holds this address is not willing to undertake any
actions against spam or does not answer spam complaints.
127.0.0.7: The holder of this address asked us not to test the SMTP servers
open relay status.
127.0.0.8: The address is known to us as a host that has sent spam in the past
and fakes the SMTP head to prevent domain name based spam
|
In late summer 2001 I started a new blackhole list of sites that
send SPAM to me. I add any IP addresses of mailservers that are used to send
SPAM, mailservers that are used as relay to send SPAM and mailservers of
organizations that support or even make money with sending these floods of
commercial emails!
I am a "hardcore spam blocker". My motto is: first block the access,
then talk. If I receive a SPAM mail I add the senders address to my list
without informing any abuse@ or postmaster@ accounts or ISP's who own the
address.
|
WPBL - Weighted Private Block List
http://www.wpbl.info/
Lookup Server:
db.wpbl.info |
127.0.0.2 |
WPBL is a fully automated real-time blocklist that uses
distributed mail sightings from many users to list IP addresses that are
relaying spam. Our goal is to list individual IP addresses that are actual spam
sources as judged by highly accurate statistical (mostly bayesian) filters
running on real email accounts. |
|