Zones

Combined Blocklist

Description

This list is used for inbound mail and aggregates all of our recommended IP lists into a single query for convenience and speed. The "combined" list includes the black, exploit, and policy IP lists.

Spam Blocklist

Description

This list contains the IP addresses of hosts that have sent emails to our primary traps. These traps are domains that have never been used for genuine mail or have rejected all mail for over a year. The list also includes some manual network entries that we maintain.

Common causes for being listed here include compromised accounts, infected hosts, botnets, spam gangs, purchased email address lists, poor sign-up processes, open web forms, open proxies, TOR exit nodes, and VPNs.

If this data find any matching IP address, it will return 127.0.0.2.

In addition, some automated heuristics use all of our trap networks and partner transaction feeds to look for IP addresses with very low reputation or IPs in the same vicinity of hosts hitting our primary traps. IPs found in this data will return 127.0.0.3.

We also maintain a number of semi-permanent manual listings, which will return 127.0.0.200.

This list can also be safely used to check each "Received" header hop found within a message if your MTA or spam filter can do so.

Example query:

$ host  2.0.0.127.<APIKEY>.black.mail.abusix.zone.
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.2
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.3
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.200

Exploit Blocklist

Description

This list is generated by monitoring the behavior of hosts that connect to our traps and our partner's mail services. It includes any IP address that exhibits behavior specific to compromised hosts, botnet/virus infections, proxies, VPNs, TOR exit nodes, or IPs that are NAT'ing for these hosts. These behaviors are not expected from a genuine SMTP client.

You can also use this list to check each "Received" header hop found within a message safely.

Example query:

$ host 2.0.0.127.<APIKEY>.exploit.mail.abusix.zone.
2.0.0.127.<APIKEY>.exploit.mail.abusix.zone has address 127.0.0.4

Policy Blocklist

Description

This zone is our email "Policy" blocklist. It contains a list of all IP addresses that should not be connecting directly to external SMTP servers. Instead, they should use their ISP or mailbox provider's smarthost to relay messages using some form of SMTP authentication.

The purpose of this list is to preemptively identify any IP that is unsuitable for use with an SMTP server. This helps to immediately catch newly compromised hosts, hijacked IP space, and other threats without requiring trap hits for listings.

The list is built by constantly scanning the entire IPv4 range and applying a policy that states:

• An IP address MUST have rDNS.

• rDNS must not be 'templated,' e.g., two or more octets of the IP address MUST NOT appear (this can be in hex, decimal, etc.) within the rDNS label (there are exceptions for static* mail* mx* smtp*, etc.) and should reflect the hostname of the SMTP server.

• Contiguous ranges of IP addresses MUST NOT have the same rDNS.

127.0.0.11 is returned for hosts with generic rDNS.

127.0.0.12 is returned for hosts with no rDNS.

Delisting

Anyone can request a delisting from this zone, and a semi-permanent exception will be created automatically. Exceptions are only pruned when they are no longer necessary. Still, in the future, we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale.

Example query:

$ host 2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone.
2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone has address 127.0.0.11
2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone has address 127.0.0.12

Domain Blocklist

Description

This list applies to both inbound and outbound mail and contains domains and IP addresses found in the message body of spam received by our primary traps. We also follow any short URL links found in spam and list any intermediate or destination domains.

127.0.1.1 is returned for domains/IPs found in the message body.

127.0.1.2 is returned for newly observed domains (found using other trap types).

127.0.1.3 is returned for domains found by following short URLs.

Example query:

$ host 2.0.0.127.<APIKEY>.dblack.mail.abusix.zone.
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.1
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.2
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.3

Shorthash Blocklist (short URLs)

Description

This list applies to both inbound and outbound mail. Its purpose is to block short URLs seen in the message body of spam sent to our primary traps.

The domain blacklist is complemented by this list because short URLs have become a common way for spammers to avoid domain blacklisting by hiding behind these services. However, listing some short URL domains may cause significant false positives. Additionally, these shortening services are usually very poor at handling abuse of their services.

Since it is impossible to represent a full URL in a DNS query, the short URLs are first normalized, then SHA-1 hashed, and the hash value is used for lookup instead of the URL.

To normalize the short URL, remove the scheme, then take only the "hostname" (in lowercase) and "pathname", and then calculate the SHA-1 hash of the result.

http://BiT.do/e3s49?foo=bar&bar=baz → SHA1(bit.do/e3s49)
= bb395cece75455415de5f3b6f75c13352586788c

Diskhash Blocklist (drive URLs)

Description

This list applies to both inbound and outbound mail. Its purpose is to identify and list URLs for online file storage services that appear in the message body of spam that is sent to our primary traps.

This list is complementary to the domain blacklist, as spammers often use online file storage services like Google Drive and Yandex Disk to avoid IP and domain blacklisting by hiding behind these services. Unfortunately, these services are often poor at handling abuse of their services.

Since it is impossible to represent a full URL in a DNS query, the URLs are first normalized, then SHA-1 hashed, and the hash value is used for lookup instead of the URL.

To normalize the short URL, remove the scheme, then take only the "hostname" (in lowercase) and "pathname", and finally calculate the SHA-1 hash of the result.

https://drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view
→ SHA1(drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view)
= f947e57d2326ca86ba9bead20696a9208a7acdd6

Authbl Blocklist

Description

This list is used for outbound mail and is a subset of the exploit zone. However, it only includes hosts that have been seen in the last 12 hours, instead of the usual 5.2 days. The shorter listing time is intended to avoid false positives where an IP address is returned to a DHCP pool.

The list includes the IP addresses of infected hosts, botnet members, proxies, VPNs, TOR exit nodes, and hosts attempting to authenticate to our honeypots. It is intended to be used for identifying and preventing account compromises or as a blocklist for preventing listed hosts from authenticating to your services running on HTTP, IMAP, SMTP, SSH, etc. This can prevent dictionary attacks, brute force, or logging in with phished credentials, among other things.

Postfix

In Postfix, you may use this list to prevent authenticated users from relaying mail from listed IPs (e.g., where the account could be compromised).

In main.cf you would set "smtpd_relay_restrictions" to the following (or add this if missing):

smtpd_relay_restrictions = permit_mynetworks reject_rbl_client <APIKEY>.authbl.mail.abusix.zone permit_sasl_authenticated defer_unauth_destination

Replace <APIKEY> with the key from your account in app.abusix.com.

rsync

For those with rsync access, this zone is an rbldnsd zone, like our other lists. However, you can post-process the zone file and use it as an access control list for many other services by stripping out the rbldnsd metadata. To do this, run:

grep -Pv '^(\#|\$|:[^:]|127\.0\.0\.[24]|::FFFF:7F00:[24])' authbl.zone > authbl_ip_list

authbl_ip_list will contain just the IP addresses and can be imported into other software.

Welcome List

Description

This list aggregates multiple whitelist sources, including IPv4, IPv6, and domains.

All sources return the same return code.

The sources of this list are:

• DNSWL (IP)

• Return-Path Whitelist (IP)

• Return-Path Whitelist (Domain)

• Abusix Whitelist (IP)

• Abusix Whitelist (Domain)

DNSWL List

Description

This is our mirror of www.dnswl.org

Return Codes

The return codes of dnswl are structured as 127.0.x.y, with “x” indicating the category of an entry and “y” indicating how trustworthy an entry has been judged.

Categories (127.0.X.y)

2 – Financial services

3 – Email Service Providers

4 – Organisations (both for-profit [i.e., companies] and non-profit)

5 – Service/network providers

6 – Personal/private servers

7 – Travel/leisure industry

8 – Public sector/governments

9 – Media and Tech companies

10 – some special cases

11 – Education, academic

12 – Healthcare

13 – Manufacturing/Industrial

14 – Retail/Wholesale/Services

15 – Email Marketing Providers

20 – Added through Self Service without a specific category

Trustworthiness / Score (127.0.x.Y)

0 = none – only avoid outright blocking (e.g., large ESP mailservers, -0.1)

1 = low – reduce the chance of false positives (-1.0)

2 = medium – make sure to avoid false positives but allow override for clear cases (-10.0)

3 = high – avoid override (-100.0).

nod List (Newly Observed Domains)

Description

This list includes all newly observed domains, with each domain wildcarded. Being listed does not necessarily mean that the domain is bad, but knowing a new domain can be helpful for other things like scoring or meta-rules.

The data for this list is provided by our partner, Farsight Security, using their massive real-time Passive DNS sensor network. The list includes domains from every TLD and ccTLD. This also means that a domain could have been registered months previously but has only been entered into use for an email in the last 25 hours.

noip List (Newly Observed IPs)

Description

This list contains all newly observed IP addresses. Being listed doesn't necessarily mean that the IP address is bad. However, this information is helpful for scoring and metarules, especially when combined with other data.

We store every IP address that sends SMTP traffic to our traps or partners over the last 30 days to build this list. Then, any new IPs that we observe and have not seen before are listed for 25 hours.

Learn more about Abusix Mail Intelligence