Zones

Combined Blocklist

Description

This list is applied to inbound mail. It is an aggregate list that combines all our recommended IP lists into a single query for convenience and speed. The IP lists aggregated into “combined” are black, exploit, and policy.

Spam Blocklist

Description

This list contains the IP addresses of hosts that have sent emails to our primary traps (only our trap domains that have never been used for genuine mail or have been rejecting all mail for >1 year), along with some manual network entries that we maintain.

Common causes for being listed here include compromised accounts, infected hosts, botnets, spam gangs, purchased email address lists, poor sign-up processes, bad web forms, open proxies, TOR exit nodes, and VPNs.

Any matching IP address found by this data will return 127.0.0.2.

Additionally, some automated heuristics use all of our trap networks, and partner transaction feeds to look for IP addresses with very low reputation or IPs in the same vicinity of hosts hitting our primary traps. IPs found in this data will return 127.0.0.3.

We also maintain a number of semi-permanent manual listings which will return 127.0.0.200.

This list can also be safely used to check each "Received" header hop found within a message if your MTA or spam filter can do so.

Example query:

$ host  2.0.0.127.<APIKEY>.black.mail.abusix.zone.
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.2
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.3
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.200

Exploit Blocklist

Description

This list is built by observing the behavior of hosts connecting to our traps and our partner's mail services.

It contains any IP address we observe that behaves in specific ways that a genuine SMTP client never would, so any IPs found on this list will be compromised, botnet/virus-infected, proxies, VPNs, TOR exit nodes or IPs that are NAT'ing for these hosts.

This list can also be safely used to check each "Received" header hop found within a message.

Example query:

$ host 2.0.0.127.<APIKEY>.exploit.mail.abusix.zone.
2.0.0.127.<APIKEY>.exploit.mail.abusix.zone has address 127.0.0.4

Policy Blocklist

Description

This zone is our email "Policy” blocklist which lists all IP addresses that should not be connecting directly to external SMTP servers but should instead be using their ISP or mailbox provider’s smarthost to relay messages using some form of SMTP authentication.

This list is designed to preemptively list any IP that does not appear suitable for use with an SMTP server; this is to immediately catch newly compromised hosts, hijacked IP space, etc., without requiring trap hits for listings.

The list is built by constantly scanning the entire IPv4 range and applying a policy that states:

• An IP address MUST have rDNS.

• rDNS must not be 'templated,' e.g., two or more octets of the IP address MUST NOT appear (this can be in hex, decimal, etc.) within the rDNS label (there are exceptions for static* mail* mx* smtp*, etc.) and should reflect the hostname of the SMTP server.

• Contiguous ranges of IP addresses MUST NOT have the same rDNS.

127.0.0.11 is returned for hosts with generic rDNS.

127.0.0.12 is returned for hosts with no rDNS.

Delisting

Anyone can request a delisting from this zone, and a semi-permanent exception will be created automatically. Exceptions are only pruned when they are no longer necessary. Still, in the future, we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale.

Example query:

$ host 2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone.
2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone has address 127.0.0.11
2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone has address 127.0.0.12

Domain Blocklist

Description

This list is applied to inbound and outbound mail and holds domains and IP addresses found in the message body of spam received by our primary traps. Any short URL links found in spam are followed, and any intermediate or destination domains are listed.

127.0.1.1 is returned for domains/IPs found in the message body.

127.0.1.2 is returned for newly observed domains (found using other trap types).

127.0.1.3 is returned for domains found by following short URLs.

Example query:

$ host 2.0.0.127.<APIKEY>.dblack.mail.abusix.zone.
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.1
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.2
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.3

Shorthash Blocklist (short URLs)

Description

This list is applied to inbound and outbound mail. We developed this list so that Short URLs seen in the message body of spam sent to our primary traps could be blocked.

This list compliments the domain blacklist as using short URLs has become a common way for spam to avoid domain blacklisting by hiding behind these services. It is only possible to list some Short URL domains by causing significant false positives.  Additionally, these shortening services are usually very poor at handling abuse of their services.

Since it is impossible to represent a full URL in a DNS query, the Short URLs are normalized first, then SHA-1 hashed, and the hash value is used for lookup instead of the URL.

To normalize the short URL, remove the scheme, then take only the “hostname” (lowercased) and “pathname” and then calculate the SHA-1 hash of the result:

http://BiT.do/e3s49?foo=bar&bar=baz → SHA1(bit.do/e3s49)
= bb395cece75455415de5f3b6f75c13352586788c

Diskhash Blocklist (drive URLs)

Description

This list is applied to inbound and outbound mail. We developed this list to list “Online file storage” URLs seen in the message body of spam sent to our primary traps.

This list compliments the domain blacklist as using Online file storage services like Google Drive and Yandex Disk has become a common way for spam to avoid IP and domain blacklisting by hiding behind these services. Additionally, these services are usually very poor at handling abuse of their services.

Since it is impossible to represent a full URL in a DNS query, the URLs are first normalized, then SHA-1 hashed, and the hash value is used for lookup instead of the URL.

To normalize the short URL, remove the scheme, then take only the “hostname” (lowercased) and “pathname” and then calculate the SHA-1 hash of the result:

https://drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view
→ SHA1(drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view)
= f947e57d2326ca86ba9bead20696a9208a7acdd6

Authbl Blocklist

Description

This list is applied to outbound mail and is a subset of the exploit zone but only lists hosts seen within the last 12 hours instead of the usual 5.2 days. The listing time is shorter to avoid false positives where the listed IP is returned to a DHCP pool.

The list contains the IP addresses of infected hosts, botnet members, proxies, VPNs, TOR exit nodes, and hosts attempting to authenticate to our honeypots. Thus, it is intended to be used to identify and prevent account compromises or as a blocklist to prevent listed hosts from authenticating to your services running on HTTP, IMAP, SMTP, SSH, etc., to prevent dictionary attacks, brute force, or logging in with phished credentials, etc.

Postfix

In Postfix, you may use this list to prevent authenticated users from relaying mail from listed IPs (e.g., where the account could be compromised).

In main.cf you would set "smtpd_relay_restrictions" to the following (or add this if missing):

smtpd_relay_restrictions = permit_mynetworks reject_rbl_client <APIKEY>.authbl.mail.abusix.zone permit_sasl_authenticated defer_unauth_destination

Replace <APIKEY> with the key from your account in app.abusix.com.

rsync

For those with rsync access, this zone is an rbldnsd zone like our other lists. However, you can post-process the zone file and use it as an access control list for many other services by stripping out the rbldnsd metadata by running:

grep -Pv '^(\#|\$|:[^:]|127\.0\.0\.[24]|::FFFF:7F00:[24])' authbl.zone > authbl_ip_list

authbl_ip_list will contain just the IP addresses and can be imported into other software.

Welcome List

Description

This list aggregates multiple whitelist sources and includes IPv4, IPv6, and domains.

All sources return the same return code.

The sources of this list are:

• DNSWL (IP)

• Return-Path Whitelist (IP)

• Return-Path Whitelist (Domain)

• Abusix Whitelist (IP)

• Abusix Whitelist (Domain)

DNSWL List

Description

This is our mirror of www.dnswl.org

Return Codes

The return codes of dnswl are structured as 127.0.x.y, with “x” indicating the category of an entry and “y” indicating how trustworthy an entry has been judged.

Categories (127.0.X.y)

2 – Financial services

3 – Email Service Providers

4 – Organisations (both for-profit [i.e., companies] and non-profit)

5 – Service/network providers

6 – Personal/private servers

7 – Travel/leisure industry

8 – Public sector/governments

9 – Media and Tech companies

10 – some special cases

11 – Education, academic

12 – Healthcare

13 – Manufacturing/Industrial

14 – Retail/Wholesale/Services

15 – Email Marketing Providers

20 – Added through Self Service without a specific category

Trustworthiness / Score (127.0.x.Y)

0 = none – only avoid outright blocking (e.g., large ESP mailservers, -0.1)

1 = low – reduce the chance of false positives (-1.0)

2 = medium – make sure to avoid false positives but allow override for clear cases (-10.0)

3 = high – avoid override (-100.0).

nod List (Newly Observed Domains)

Description

This list contains all newly observed domains, with each domain wildcarded. Being listed doesn't necessarily mean that the domain is bad, but knowing a new domain can be helpful for other things like scoring or meta-rules.

The list is built from data provided by our partner Farsight Security using their massive real-time Passive DNS sensor network and is not reliant on any data from WHOIS.  This list includes domains from every TLD and ccTLD; it also means that a domain could have been registered months previously but has only been entered into use for an email in the last 25 hours.

noip List (Newly Observed IPs)

Description

This list contains all newly observed IP Addresses. Being listed doesn't necessarily mean that the IP address is bad, but this is useful for scoring and metarules, especially when combined with other data.

This list is built by storing every IP address we have seen sending SMTP traffic to our traps or partners over the last 30 days. Then, any new IPs we observe that have not been seen prior are listed for 25 hours.

Learn more about Abusix Mail Intelligence