
Production Zones

Our Production zones, with their namespaces, return codes and test points

Last updated on May 24, 2022

Combined blocklist

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<key>.combined.mail.abusix.zone.

Rsync File:

lists/black.zone, lists/exploit.zone, lists/dynamic.zone

Return Codes:

127.0.0.2, 127.0.0.3, 127.0.0.4, 127.0.0.11, 127.0.0.12

Test Points:

127.0.0.2, 127.0.0.3, 127.0.0.4, 127.0.0.11, 127.0.0.12, ::FFFF:7F00:2, ::FFFF:7F00:3, ::FFFF:7F00:4

Listing Duration:

Varies (see individual list for details)

 
 

Description

This is an aggregate list that combines all of our recommended IP lists into a single query for convenience and speed.

The aggregated lists are currently: black, exploit and policy (the dynamic zone). Because the Policy list is included, the combined zone inherits its restrictions: use it only on border SMTP hosts against the connecting IP, never on smarthosts or SMTP AUTH servers and never for "Received" header hops.

 

 
 

Spam blocklist

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<key>.black.mail.abusix.zone.

Rsync File:

lists/black.zone

Return Codes:

127.0.0.2, 127.0.0.3

Test Points:

127.0.0.2, 127.0.0.3, ::FFFF:7F00:2, ::FFFF:7F00:3

Listing Duration:

Approximately 5.2 days from when traffic was last seen

 

Description

This list contains the IP addresses of hosts that have sent email to our primary traps (only trap domains that have never been used for genuine mail, or that have been rejecting all mail for more than a year), along with some manual network entries that we maintain.

Common causes for being listed here include compromised accounts, infected hosts, botnets, spam gangs, purchased email address lists, poor sign-up processes, bad webforms, open proxies, TOR exit nodes and VPNs.

IP addresses found in this data return 127.0.0.2.

Additionally, there are automated heuristics that use our whole trap network and partner transaction feeds to find IP addresses with very low reputation, or IPs in the same vicinity as hosts hitting our primary traps. IPs found in this data return 127.0.0.3.

This list can also be safely used to check each "Received" header hop found within a message if your MTA or spam filter is capable of doing so.

Example query:

$ host 2.0.0.127.<key>.black.mail.abusix.zone.
2.0.0.127.<key>.black.mail.abusix.zone has address 127.0.0.2
2.0.0.127.<key>.black.mail.abusix.zone has address 127.0.0.3
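The example query above uses the host command for a single IPv4 address. The following Python is an added example (not Abusix code) that builds the query name for both IPv4 and IPv6 addresses (IPv6 is reversed nibble by nibble, which is how the ::FFFF:7F00:2 test point is reached), decodes answers from the black, exploit and dynamic zones (and therefore from the combined zone, which can return any of them), and extracts hop addresses from "Received" headers for the per-hop checks described above. KEY, the zone names built from it, the internal-address exclusion list and the sample headers are assumptions or constructed input.

```python
"""Query-name construction and answer decoding for the Abusix IP zones.

Added example, not Abusix code. KEY is a placeholder for the query key from
the dashboard; the Received: headers below are constructed sample input.
"""
import ipaddress
import re
import socket

KEY = "yourkey"  # assumption: replace with your own <key>
BLACK_ZONE = f"{KEY}.black.mail.abusix.zone"
COMBINED_ZONE = f"{KEY}.combined.mail.abusix.zone"

# Documented return codes of black, exploit and dynamic; combined returns any of them.
RETURN_CODES = {
    "127.0.0.2": ("black", "sent to primary traps, or manual network entry"),
    "127.0.0.3": ("black", "low-reputation heuristics / vicinity of trap hitters"),
    "127.0.0.4": ("exploit", "behaviour a genuine SMTP client never shows"),
    "127.0.0.11": ("dynamic", "generic (templated) rDNS"),
    "127.0.0.12": ("dynamic", "no rDNS"),
}

# Assumption: hops from these ranges are internal and are not worth a lookup.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def dnsbl_name(address, zone):
    """Reverse IPv4 by octet and IPv6 by nibble (RFC 5782), then append the zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        # exploded form is 32 hex digits; each digit becomes one label, last digit first
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def decode(answers):
    """Return (hits, unknown). hits are (list, reason) pairs for documented codes.

    An answer outside the documented set (key problem, resolver returning a web
    address on failure, hijacked DNS) must be alerted on, not treated as a listing.
    """
    hits = [RETURN_CODES[a] for a in answers if a in RETURN_CODES]
    unknown = [a for a in answers if a not in RETURN_CODES]
    return hits, unknown


def lookup(address, zone):
    """Live lookup (not exercised offline). NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(dnsbl_name(address, zone))[2]
    except socket.gaierror:
        return []


BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_hops(raw_headers):
    """Public source addresses from Received: headers, nearest hop first.

    Use the result with the black or exploit zones only; the dynamic zone must
    never be applied to header hops.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for candidate in BRACKETED_IP.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if any(ip in net for net in INTERNAL):
                continue
            hops.append(str(ip))
    return hops


# Constructed sample headers (documentation address ranges only).
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.7])
    by inbound.example.org with ESMTPS id abc123
    for <user@example.org>; Tue, 24 May 2022 10:00:00 +0000
Received: from [192.168.1.20] (unknown [203.0.113.9])
    by mx1.example.net with ESMTP
Received: from localhost (localhost [127.0.0.1])
    by relay.example.net with ESMTP
Subject: test
"""

if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print(hop, "->", dnsbl_name(hop, BLACK_ZONE))
    print(decode(["127.0.0.2", "127.0.0.4", "127.255.255.254"]))
```

Point lookup() at the test points listed above (127.0.0.2 and ::FFFF:7F00:2 for this zone) to confirm the key and resolver path work before wiring the decoder into a filter; an empty answer for a test point means the query is not reaching the zone.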
 

 
 

Exploit Blocklist

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<key>.exploit.mail.abusix.zone.

Rsync File:

lists/exploit.zone

Return Codes:

127.0.0.4

Test Points:

127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4

Listing Duration:

Approximately 5.2 days from when traffic was last seen

 

Description

This list is built by observing the behaviour of hosts connecting to our traps and to our partners' mail services.

It contains any IP address we observe behaving in ways that a genuine SMTP client never would, so any IP found on this list will be compromised, botnet/virus infected, a proxy, VPN or TOR exit node, or an IP that is NAT'ing for such hosts.

This list can also be safely used to check each "Received" header hop found within a message.

Example query:

$ host 2.0.0.127.<key>.exploit.mail.abusix.zone.
2.0.0.127.<key>.exploit.mail.abusix.zone has address 127.0.0.4
 

 
 

Policy blocklist

Status:

Production

Type:

IPv4 only

Cloud DNS namespace:

<key>.dynamic.mail.abusix.zone.

Rsync File:

lists/dynamic.zone

Return Codes:

127.0.0.11, 127.0.0.12

Test Points:

127.0.0.2, 127.0.0.11, 127.0.0.12

Listing Duration:

Indefinitely

 

Description

This is our email "Policy" blocklist which aims to list all IP addresses that should not be connecting directly to external SMTP servers, but should instead be relaying messages through their ISP's or mail provider's smarthost using some form of SMTP authentication.

This list is designed to preemptively list any IP that does not appear to be suitable for use with an SMTP server, this is to catch newly compromised hosts, hijacked IP space etc. immediately without requiring trap hits for listings.

It is built by constantly scanning the entire IPv4 range and applying a policy that states:

  • An IP address MUST have rDNS.
  • rDNS must not be 'templated': two or more octets of the IP address MUST NOT appear within the rDNS label (in decimal, hex or any other encoding; there are exceptions for static*, mail*, mx*, smtp* and similar), and the label should reflect the hostname of the SMTP server.
  • Contiguous ranges of IP addresses MUST NOT have the same rDNS.

127.0.0.11 is returned for hosts with generic rDNS.

127.0.0.12 is returned for hosts with no rDNS.
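The three rules above are a policy, not code. The following Python is an added example (not the Abusix scanner) of how an operator could apply them to their own address space ahead of the zone, returning the same two codes. How "templated" is detected (decimal octets as separate tokens, or two consecutive octets as four hex digits inside one token), the exact exception prefixes and the neighbour comparison for the contiguous-range rule are assumptions about the stated rules.

```python
"""Approximation of the Policy (dynamic) zone rules.

Added example, not the Abusix scanner. The templating heuristic, the exception
prefixes and the neighbour comparison are assumptions about the three rules.
"""
import re

GENERIC_RDNS = "127.0.0.11"
NO_RDNS = "127.0.0.12"
EXEMPT_PREFIXES = ("static", "mail", "mx", "smtp")  # assumption: page says "etc."


def looks_templated(ip, host):
    """True when two or more octets of ip appear in host, in decimal or hex."""
    octets = ip.split(".")
    tokens = re.split(r"[^a-z0-9]+", host.lower())
    decimal_hits = sum(1 for o in octets if o in tokens)
    # hex form: two consecutive octets as four hex digits inside one token (c0000239)
    hex_pairs = ["%02x%02x" % (int(a), int(b)) for a, b in zip(octets, octets[1:])]
    hex_hit = any(p in t for p in hex_pairs for t in tokens)
    return decimal_hits >= 2 or hex_hit


def classify(ip, rdns, neighbour_rdns=()):
    """Return 127.0.0.12, 127.0.0.11 or None for an IPv4 address and its PTR value.

    neighbour_rdns holds the PTR values of adjacent addresses; identical rDNS
    across a contiguous range is listed as generic (rule 3).
    """
    if not rdns:
        return NO_RDNS                       # rule 1: an IP MUST have rDNS
    host = rdns.rstrip(".").lower()
    first_label = host.split(".")[0]
    exempt = first_label.startswith(EXEMPT_PREFIXES)
    if not exempt and looks_templated(ip, host):
        return GENERIC_RDNS                  # rule 2: templated rDNS
    if any(n and n.rstrip(".").lower() == host for n in neighbour_rdns):
        return GENERIC_RDNS                  # rule 3: same rDNS across a range
    return None


if __name__ == "__main__":
    # Constructed sample PTR values in documentation address ranges.
    samples = [
        ("192.0.2.57", ""),
        ("192.0.2.57", "192-0-2-57.dsl.example.net."),
        ("192.0.2.57", "c0000239.example.net."),
        ("192.0.2.57", "static-192-0-2-57.example.net."),
        ("203.0.113.9", "smtp-out.example.org."),
    ]
    for ip, rdns in samples:
        print(ip, rdns or "<none>", "->", classify(ip, rdns))
    print(classify("203.0.113.9", "unknown.example.org.",
                   ["unknown.example.org.", "unknown.example.org."]))
```

Run it over your own outbound MTA addresses with their PTR records and the PTRs of the neighbouring IPs: anything it returns a code for is a candidate for a Policy listing and should get a proper hostname before the zone catches it.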

Warning This zone should only be used on border SMTP hosts, it should not be used on smarthosts or SMTP AUTH outbound servers as you could block your own customers. This list should never be used for Received headers hops, or for anything other than checking IP addresses that hand-off to your mail server(s) as doing so will cause significant numbers of false-positives.

Delisting

Anyone can request a delist from this zone and a semi-permanent exception will be created automatically. Exceptions are only pruned when they are no longer necessary, but in the future we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale.

 
💡
Note We do not allow delists of CIDR ranges from the Policy list. Only IPs that meet the policy requirements are delisted. If you have updated your rDNS recently and would like us to re-scan it, then please contact us via our support channels and we will do this for you.
 

Note for rsync users

There is also a zone file called "policy.zone" which is now deprecated. This was a stricter version of the Policy Blacklist which also included hosts which contained "static" within their rDNS labels.

Please check that you are using the correct zone file as "policy.zone" will be removed in the future to save bandwidth and confusion.

Example query:

$ host 2.0.0.127.<key>.dynamic.mail.abusix.zone.
2.0.0.127.<key>.dynamic.mail.abusix.zone has address 127.0.0.11
2.0.0.127.<key>.dynamic.mail.abusix.zone has address 127.0.0.12
 

 
 

Domain blocklist

Status:

Production

Type:

Domain, IPv4

Cloud DNS namespace:

<key>.dblack.mail.abusix.zone.

Rsync File:

lists/dblack.zone

Return Codes:

127.0.1.1, 127.0.1.2, 127.0.1.3

Test Points:

.test, 127.0.0.2, 127.0.1.1, 127.0.1.2, 127.0.1.3

Listing Duration:

Approximately 5.2 days after last seen

 

Description

This list holds domains and IP addresses found in the message body of spam received to our primary traps.

Any short URL links found in spam are also followed and any intermediate or destination domains are also listed.

 
💡
Info This list should be used as a URI DNSBL (e.g. checking domain names or IP addresses found in the message body), but can also be used as an RHSBL where the rDNS, SMTP HELO, MAIL FROM domain, DKIM d= domain, Message-ID domain and List-Unsubscribe headers are checked against it. It should not be used to check the connecting IP address though, only IP addresses found in the message body.
 

127.0.1.1 is returned for domains/IPs found in the message body.

127.0.1.2 is returned for domains that are newly observed (found by using other trap types).

127.0.1.3 is returned for domains found by following short URLs.

 
💡
Info To make this list as easy to implement as possible, it uses wildcard domains. That means it lists the parent domain and any sub-domains, so you don't need to normalize the hostname or domain name before querying.

Example query:

$ host 2.0.0.127.<key>.dblack.mail.abusix.zone.
2.0.0.127.<key>.dblack.mail.abusix.zone has address 127.0.1.1
2.0.0.127.<key>.dblack.mail.abusix.zone has address 127.0.1.2
2.0.0.127.<key>.dblack.mail.abusix.zone has address 127.0.1.3
 
 
💡
Note When creating this list, we found that a lot of spam goes to great lengths to evade detection and uses open redirectors, short URLs and online drive services like Google Drive and Yandex Disk. To address this we created two new list types, shorthash and diskhash (see below). When dblack, shorthash and diskhash are used in combination you get the best possible coverage and protection available.
 

 
 

shorthash

Status:

Production

Type:

SHA-1 Hash

Cloud DNS namespace:

<key>.shorthash.mail.abusix.zone.

Rsync File:

lists/shorthash.zone

Return Codes:

127.0.3.1

Test Points:

127.0.0.2, 127.0.3.1, *.test, d2e4345eef7b21a542ed6d7c3dd191585b344461 (abusix.ai/testpoint), f4d986915d728956d139397effd00fee0e3725e4 (abusix.ai/testpoint/hash/short)

Listing Duration:

Approximately 5.2 days after last seen

 
 

Description

We developed this list so that Short URLs seen in the message body of spam sent to our primary traps could be blocked.

This list complements the domain blocklist, as using Short URLs has become a common way for spam to avoid domain blocklisting by hiding behind these services; it is not possible to list some Short URL domains without causing significant false-positives.

Additionally, these shortening services are usually very poor at handling abuse of their services.

Because it is not possible to represent a full URL in a DNS query, the Short URLs are normalized first, then SHA-1 hashed and the hash value is used for lookup instead of the URL.

To normalize the short URL, remove the scheme, then take only the “hostname” (lowercased) and “pathname” and then calculate the SHA-1 hash of the result:

http://BiT.do/e3s49?foo=bar&bar=baz → SHA1(bit.do/e3s49)
= bb395cece75455415de5f3b6f75c13352586788c
 
💡
Info As this is a completely new type of anti-spam check, it will require support for this to be added to your chosen mail platform. See below for example code for rspamd.

Rspamd

The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query this zone. Note that you should replace "<APIKEY>" with your API key or set the "check_shorturls_dns" variable appropriately for your DNS namespace if you are using rsync.

local rregexp = require "rspamd_regexp"
local rlogger = require "rspamd_logger"
local rhash = require "rspamd_cryptobox_hash"
local rutil = require "lua_util"

-- A short URL path is 3-11 alphanumerics that are not purely lower-case, upper-case or digits
local re_short_path = rregexp.create_cached('/^(?!(?:[a-z]{3,11}|[A-Z]{3,11}|[0-9]{3,11})$)[a-zA-Z0-9]{3,11}$/')
-- Replace <APIKEY>, or point this at your own namespace if you serve the zone from rsync
local check_shorturls_dns = '.<APIKEY>.shorthash.mail.abusix.zone.'

local check_shorturls_cb = function (task)
    local function find_short_urls (url)
        local path = url:get_path() or ''
        if (re_short_path:match(path)) then
            return true
        end
    end
    -- At most 5 candidate short URLs per message
    local shorturls = rutil.extract_specific_urls({
        task = task,
        limit = 5,
        prefix = 'shorturls',
        filter = find_short_urls
    })

    if (not shorturls) then return false end

    local r = task:get_resolver()

    for _, url in pairs(shorturls) do
        -- Normalize: lower-cased host .. '/' .. path, then SHA-1 hex
        local surl = url:get_host():lower() .. '/' .. (url:get_path() or '')
        local surl_hash = rhash.create_specific('sha1', surl):hex()
        local lookup = surl_hash .. check_shorturls_dns
        local function dns_cb(_, _, results, err)
            if (not results) then return false end
            -- Only the documented return code counts as a listing
            if (tostring(results[1]) == '127.0.3.1') then
                rlogger.errx('found URL %s (%s) in Short URL blacklist', surl, surl_hash)
                return task:insert_result('RBL_AMI_SHORTURL', 1.0, surl)
            end
        end
        r:resolve_a({ task = task, name = lookup, callback = dns_cb, forced = true })
    end
end

local check_shorturls = rspamd_config:register_symbol({
    name = "RBL_AMI_SHORTURL",
    score = 3.0,
    description = "Short URL found in Abusix Short URL blacklist",
    group = "abusix",
    type = "callback",
    callback = check_shorturls_cb
})
 

 
 

diskhash

Status:

Production

Type:

SHA-1 Hash

Cloud DNS namespace:

<key>.diskhash.mail.abusix.zone.

Rsync File:

lists/diskhash.zone

Return Codes:

127.0.3.2

Test Points:

127.0.0.2, 127.0.3.2, *.test, d2e4345eef7b21a542ed6d7c3dd191585b344461 (abusix.ai/testpoint), 2f07095f95bc86bc310febc625ee9327a69fde0b (abusix.ai/testpoint/hash/disk)

Listing Duration:

Approximately 5.2 days after last seen

 
 

Description

We developed this list to list Online file storage URLs seen in the message body of spam sent to our primary traps.

This list complements the domain blocklist, as using online file storage services like Google Drive and Yandex Disk has become a common way for spam to avoid IP and domain blocklisting by hiding behind these services. Additionally, these services are usually very poor at handling abuse of their services.

Because it is not possible to represent a full URL in a DNS query, the URLs are normalized first, then SHA-1 hashed and the hash value is used for lookup instead of the URL.

To normalize the URL, remove the scheme, then take only the “hostname” (lowercased) and “pathname” and then calculate the SHA-1 hash of the result:

https://drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view
→ SHA1(drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view)
= f947e57d2326ca86ba9bead20696a9208a7acdd6
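The normalization rule is the same for shorthash and diskhash. The following Python is an added example (not Abusix code) that implements it for both zones, selects candidate URLs with the same path and host patterns the rspamd snippets on this page use, and turns each hash into the name to query. KEY is a placeholder, and two details the page leaves open are assumptions: a URL with no path normalizes to the host plus "/", and a scheme-less URL found in a message body is treated as http.

```python
"""Normalization and lookup-name construction for the shorthash and diskhash zones.

Added example, not Abusix code. The selectors are ports of the regexes in the
rspamd snippets on this page; the empty-path and scheme-less handling are assumptions.
"""
import hashlib
import re
from urllib.parse import urlsplit

KEY = "yourkey"  # assumption: replace with your own <key>
SHORTHASH_ZONE = f"{KEY}.shorthash.mail.abusix.zone"
DISKHASH_ZONE = f"{KEY}.diskhash.mail.abusix.zone"

# Same selectors as the page's rspamd code: a 3-11 character alphanumeric path
# that is not purely lower-case, upper-case or digits; a known online-drive host.
SHORT_PATH = re.compile(r"(?!(?:[a-z]{3,11}|[A-Z]{3,11}|[0-9]{3,11})$)[a-zA-Z0-9]{3,11}$")
DISK_HOST = re.compile(r"^(?:drive\.google\.com$|yadi\.sk$|disk\.yandex\.)")


def _split(url):
    # assumption: a bare "host/path" seen in a body is an http URL
    return urlsplit(url if "://" in url else "http://" + url)


def normalize(url):
    """Drop scheme, port, query and fragment; keep lower-cased hostname plus path."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"  # assumption: empty path normalizes to "/"
    return host + path


def url_hash(url):
    """Hex SHA-1 of the normalized form; this is the label queried in the zone."""
    return hashlib.sha1(normalize(url).encode("utf-8")).hexdigest()


def is_short_url(url):
    path = _split(url).path.lstrip("/")
    return SHORT_PATH.match(path) is not None


def is_disk_url(url):
    host = (_split(url).hostname or "").lower()
    return DISK_HOST.match(host) is not None


def lookups(urls):
    """Return (zone, query_name) pairs for every URL one of the two zones covers."""
    out = []
    for url in urls:
        digest = url_hash(url)
        if is_disk_url(url):
            out.append((DISKHASH_ZONE, digest + "." + DISKHASH_ZONE))
        elif is_short_url(url):
            out.append((SHORTHASH_ZONE, digest + "." + SHORTHASH_ZONE))
    return out


if __name__ == "__main__":
    # Constructed input: the two URLs used as worked examples on this page.
    sample = [
        "http://BiT.do/e3s49?foo=bar&bar=baz",
        "https://drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view",
        "https://example.com/about",
    ]
    for zone, name in lookups(sample):
        print(zone, "<-", name)
```

The documented test-point URLs (abusix.ai/testpoint and the /hash/short and /hash/disk paths) run through url_hash() give the labels to query when verifying the zone end to end; a query built this way that does not return the listed test-point code means the normalization or the key is wrong, not the zone.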
 
💡
Info As this is a completely new type of anti-spam check, it will require support for this to be added to your chosen mail platform. See below for example code for rspamd.

Rspamd

The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query this zone. Note that you should replace "<APIKEY>" with your API key or set the "check_diskurls_dns" variable appropriately for your DNS namespace if you are using rsync.

local rregexp = require "rspamd_regexp"
local rlogger = require "rspamd_logger"
local rhash = require "rspamd_cryptobox_hash"
local rutil = require "lua_util"

-- Hosts of the online drive services this zone covers
local re_disk_urls = rregexp.create_cached('/^(?:drive\\.google\\.com$|yadi\\.sk$|disk\\.yandex\\.)/')
-- Replace <APIKEY>, or point this at your own namespace if you serve the zone from rsync
local check_diskurls_dns = '.<APIKEY>.diskhash.mail.abusix.zone.'

local check_diskurls_cb = function (task)
    local function find_disk_urls (url)
        local host = url:get_host():lower()
        if (re_disk_urls:match(host)) then
            return true
        end
    end
    -- At most 5 candidate drive URLs per message
    local diskurls = rutil.extract_specific_urls({
        task = task,
        limit = 5,
        prefix = 'diskurls',
        filter = find_disk_urls
    })

    if (not diskurls) then return false end

    local r = task:get_resolver()

    for _, url in pairs(diskurls) do
        -- Normalize: lower-cased host .. '/' .. path, then SHA-1 hex
        local durl = url:get_host():lower() .. '/' .. (url:get_path() or '')
        local durl_hash = rhash.create_specific('sha1', durl):hex()
        local lookup = durl_hash .. check_diskurls_dns
        local function dns_cb(_, _, results, err)
            if (not results) then return false end
            -- Only the documented return code counts as a listing
            if (tostring(results[1]) == '127.0.3.2') then
                rlogger.errx('found URL %s (%s) in Disk URL blacklist', durl, durl_hash)
                return task:insert_result('RBL_AMI_DISKURL', 1.0, durl)
            end
        end
        r:resolve_a({ task = task, name = lookup, callback = dns_cb, forced = true })
    end
end

local check_diskurls = rspamd_config:register_symbol({
    name = "RBL_AMI_DISKURL",
    score = 3.0,
    description = "Disk URL found in Abusix Disk URL blacklist",
    group = "abusix",
    type = "callback",
    callback = check_diskurls_cb
})
 

 
 

authbl

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<key>.authbl.mail.abusix.zone.

Rsync File:

lists/authbl.zone

Return Codes:

127.0.0.4

Test Points:

127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4

Listing Duration:

Approximately 12 hours from when traffic was last seen

 
 

Description

This list is a subset of the exploit zone but only lists hosts which have been seen within the last 12 hours, instead of the usual 5.2 days. The listing time is shorter to avoid false-positives where the listed IP is returned back to a DHCP pool.

It contains IP addresses of hosts that are infected, botnet members, proxies, VPNs, TOR exit nodes and hosts that have been attempting to authenticate to our honeypots.

It is intended to be used to identify and prevent account compromises or as a blocklist to prevent listed hosts from authenticating to your services running on HTTP, IMAP, SMTP, SSH etc. to prevent dictionary attacks, brute force or logging in with phished credentials etc.

For those with rsync access (only available for large companies), this zone is provided as a rbldnsd combined zone like our other lists, however you can post-process the zone file and use it as an access control list for many other services by stripping out the rbldnsd metadata by running:

grep -Pv '^(\#|\$|:[^:]|127\.0\.0\.[24]|::FFFF:7F00:[24])' authbl.zone > authbl_ip_list

authbl_ip_list will then contain just the IP addresses and can be imported into other software.

Postfix

To use this in Postfix to prevent authenticated users from relaying mail from listed IPs (e.g. where the account could be compromised), in main.cf you would set "smtpd_relay_restrictions" to the following (or add this if missing):

smtpd_relay_restrictions = permit_mynetworks reject_rbl_client <key>.authbl.mail.abusix.zone permit_sasl_authenticated defer_unauth_destination

(replace <key> with your API/Query key which can be found in the Dashboard)

 

 
 

Welcome list

Status:

Production

Type:

IPv4, IPv6, Domain

Cloud DNS namespace:

<key>.white.mail.abusix.zone.

Rsync File:

lists/white.zone

Return Codes:

127.0.2.1

Test Points:

127.0.0.2, ::FFFF:7F00:2, 127.0.2.1

Listing Duration:

Varies

Description

This list is an aggregation of multiple whitelist sources and includes IPv4, IPv6 and domains.

All sources return the same return code.

The sources of this list are:

  • Return-Path Whitelist (IP)
  • Return-Path Whitelist (Domain)
  • Abusix Whitelist (IP)
  • Abusix Whitelist (Domain)
 
 
Warning This list is not supposed to be used as a "this IP or domain never sends spam" list, or to allow any listed IP or domain free passage through your filtering systems. We publish this zone for completeness. Every good blocklist starts with a great welcomelist, as there are lots of IPs and domains that you would not want to block because doing so would cause significant false-positives.
 
 
💡
Tip A good use for this zone would be to use it to exclude listed hosts from being greylisted.
 

 
 

dnswl

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<key>.dnswl.mail.abusix.zone.

Rsync File:

lists/dnswl.zone

Return Codes:

Varies (see below)

Test Points:

127.0.0.2, ::2, ::FFFF:7F00:2

Listing Duration:

Varies

 

Description

This is our mirror of www.dnswl.org.

 

Return Codes

The return codes are structured as 127.0.x.y, with “x” indicating the category of an entry and “y” indicating how trustworthy an entry has been judged.

 

Categories (127.0.X.y)

2 – Financial services

3 – Email Service Providers

4 – Organisations (both for-profit [ie companies] and non-profit)

5 – Service/network providers

6 – Personal/private servers

7 – Travel/leisure industry

8 – Public sector/governments

9 – Media and Tech companies

10 – some special cases

11 – Education, academic

12 – Healthcare

13 – Manufacturing/Industrial

14 – Retail/Wholesale/Services

15 – Email Marketing Providers

20 – Added through Self Service without specific category

 

Trustworthiness / Score (127.0.x.Y)

0 = none – only avoid outright blocking (eg large ESP mailservers, -0.1)

1 = low – reduce chance of false positives (-1.0)

2 = medium – make sure to avoid false positives but allow override for clear cases (-10.0)

3 = high – avoid override (-100.0).

 

 
 

nod

Status:

Production

Type:

Domain

Cloud DNS namespace:

<key>.nod.mail.abusix.zone.

Rsync File:

lists/nod.zone

Return Codes:

127.0.1.2

Test Points:

.test

Listing Duration:

25 hours

 

Description

This list is built from data provided by our partner Farsight Security using their massive real-time Passive DNS sensor network, and is not reliant on any data from WHOIS. This has the advantage that it works across every single TLD and ccTLD; it also means that a domain could have been registered months previously but not used until now.

This list contains all of the newly observed domains that we received from Farsight within the last 25 hours, with each domain wildcarded - it does not mean the domain is bad, but knowing a domain is new can be useful for other things like scoring or meta rules.

 
💡
Info Our domain blocklist (dblack) already contains any newly observed domains that have been seen sending mail to any of our traps. To make implementation of this list as easy as possible, it wildcards all domains. This means that the parent domain is listed and any sub-domains, so you do not need to normalize the hostname or domain name before querying it.

 