
Production Zones

A list of our Production Lists

Zones

Combined Blocklist

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<APIKEY>.combined.mail.abusix.zone.

Rsync File:

lists/black.zone, lists/exploit.zone, lists/dynamic.zone

Return Codes:

127.0.0.2, 127.0.0.3, 127.0.0.200, 127.0.0.4, 127.0.0.11, 127.0.0.12

Test Points:

127.0.0.2, 127.0.0.3, 127.0.0.200, 127.0.0.4, 127.0.0.11, 127.0.0.12, ::FFFF:7F00:2, ::FFFF:7F00:3, ::FFFF:7F00:4

Listing Duration:

Varies (see individual list for details)

 
 

Description

This list is applied to inbound mail. It is an aggregate list that combines all our recommended IP lists into a single query for convenience and speed. The IP lists aggregated into "combined" are black, exploit, and policy (the dynamic zone), and the return codes are those of the underlying lists; see each list's section below for what its codes mean. Because the policy list is included, the policy caveat applies to "combined" as well: query it only for the IP address connecting to your border SMTP hosts, never for "Received" header hops and never on smarthosts or SMTP AUTH outbound servers.

 

 
 

Spam Blocklist

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<APIKEY>.black.mail.abusix.zone.

Rsync File:

lists/black.zone

Return Codes:

127.0.0.2, 127.0.0.3, 127.0.0.200

Test Points:

127.0.0.2, 127.0.0.3, 127.0.0.200, ::FFFF:7F00:2, ::FFFF:7F00:3

Listing Duration:

Approximately 5.2 days from when traffic was last seen

 

Description

This list contains the IP addresses of hosts that have sent emails to our primary traps (only our trap domains that have never been used for genuine mail or have been rejecting all mail for >1 year), along with some manual network entries that we maintain.

Common causes for being listed here include compromised accounts, infected hosts, botnets, spam gangs, purchased email address lists, poor sign-up processes, bad web forms, open proxies, TOR exit nodes, and VPNs.

IP addresses found by this data return 127.0.0.2.

Additionally, some automated heuristics use all of our trap networks and partner transaction feeds to look for IP addresses with very low reputation or IPs in the same vicinity as hosts hitting our primary traps. IPs found in this data return 127.0.0.3.

We also maintain a number of semi-permanent manual listings which will return 127.0.0.200.

This list can also be safely used to check each "Received" header hop found within a message if your MTA or spam filter can do so.

Example query:

$ host 2.0.0.127.<APIKEY>.black.mail.abusix.zone.
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.2
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.3
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.200
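As an added example (not code from this page or from Abusix), the following Python builds the query name for an IPv4 or IPv6 address, resolves it, and decodes the A records returned using the return codes documented for the black, exploit and policy lists, i.e. everything the "combined" zone can answer with. The API key is a constructed placeholder; the IPv6 query form (32 reversed hex nibbles, the RFC 5782 convention) is an assumption, since this page only shows IPv4 queries; and network access is needed only for the lookup functions.

```python
import ipaddress
import socket

API_KEY = "0123456789abcdef"  # constructed placeholder; use the key from app.abusix.com

# Return codes documented on this page for the IP lists that make up the
# "combined" zone: black, exploit and policy (dynamic).
RETURN_CODES = {
    "127.0.0.2": "black: sent mail to a primary trap",
    "127.0.0.3": "black: very low reputation / vicinity of trap hitters (heuristics)",
    "127.0.0.200": "black: semi-permanent manual listing",
    "127.0.0.4": "exploit: behaviour a genuine SMTP client never shows",
    "127.0.0.11": "policy: generic (templated) rDNS",
    "127.0.0.12": "policy: no rDNS",
}


def reverse_ip(ip: str) -> str:
    """DNSBL label form of an address.

    IPv4: octets reversed (127.0.0.2 -> 2.0.0.127, as in the example above).
    IPv6: all 32 hex nibbles reversed, one label each (RFC 5782 convention).
    The IPv6 form is an assumption; this page only shows IPv4 queries.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split(".")))
    return ".".join(reversed(format(int(addr), "032x")))


def query_name(ip: str, zone: str = "black", api_key: str = API_KEY) -> str:
    """Fully qualified name to look up for ``ip`` in one of the mail IP zones."""
    return f"{reverse_ip(ip)}.{api_key}.{zone}.mail.abusix.zone."


def decode(addresses) -> list:
    """Explain each A record a lookup returned, lowest code first."""
    return [RETURN_CODES.get(a, f"{a}: undocumented code")
            for a in sorted(addresses, key=ipaddress.ip_address)]


def lookup(ip: str, zone: str = "black", api_key: str = API_KEY) -> list:
    """Resolve the query name; an empty list means NXDOMAIN, i.e. not listed.

    Needs network access. A wrong key or a broken resolver also looks like
    NXDOMAIN, so confirm the zone answers for its test point first (zone_answers).
    """
    try:
        return socket.gethostbyname_ex(query_name(ip, zone, api_key))[2]
    except socket.gaierror:
        return []


def zone_answers(zone: str, api_key: str = API_KEY) -> bool:
    """True if the documented test point 127.0.0.2 resolves in ``zone``."""
    return bool(lookup("127.0.0.2", zone, api_key))


if __name__ == "__main__":
    for ip in ("127.0.0.2", "::FFFF:7F00:2"):
        print(query_name(ip, "combined"))
    if zone_answers("combined"):
        print(decode(lookup("127.0.0.2", "combined")))
    else:
        print("combined zone did not answer for its test point; check key and resolver")
```

The zone_answers check is the practical safeguard: because a DNSBL signals "not listed" with NXDOMAIN, a typo in the key or a resolver that cannot reach the zone silently turns every lookup into "clean". Running the test point through each zone you use, at startup or from monitoring, catches that.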
 

 
 

Exploit Blocklist

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<APIKEY>.exploit.mail.abusix.zone.

Rsync File:

lists/exploit.zone

Return Codes:

127.0.0.4

Test Points:

127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4

Listing Duration:

Approximately 5.2 days from when traffic was last seen

 

Description

This list is built by observing the behavior of hosts connecting to our traps and our partners' mail services.

It contains any IP address we observe behaving in specific ways that a genuine SMTP client never would, so any IP found on this list is a compromised or botnet/virus-infected host, a proxy, a VPN, a TOR exit node, or an IP that is NAT'ing for such hosts.

This list can also be safely used to check each "Received" header hop found within a message.

Example query:

$ host 2.0.0.127.<APIKEY>.exploit.mail.abusix.zone.
2.0.0.127.<APIKEY>.exploit.mail.abusix.zone has address 127.0.0.4
 

 
 

Policy Blocklist

Status:

Production

Type:

IPv4 only

Cloud DNS namespace:

<APIKEY>.dynamic.mail.abusix.zone.

Rsync File:

lists/dynamic.zone

Return Codes:

127.0.0.11, 127.0.0.12

Test Points:

127.0.0.2, 127.0.0.11, 127.0.0.12

Listing Duration:

Indefinitely

 

Description

This zone is our email "Policy" blocklist, which lists all IP addresses that should not be connecting directly to external SMTP servers but should instead be relaying through their ISP's or mailbox provider's smarthost using some form of SMTP authentication.

This list is designed to preemptively list any IP that does not appear suitable for use with an SMTP server; this is to immediately catch newly compromised hosts, hijacked IP space, etc., without requiring trap hits for listings.

💡
It is normal for a non-SMTP server IP to be listed in this zone. This will not cause any ill-effects, e.g. it will not prevent mail from being sent from this IP or range.

The list is built by constantly scanning the entire IPv4 range and applying a policy that states:

  • An IP address MUST have rDNS.
  • The rDNS MUST NOT be "templated", i.e., two or more octets of the IP address MUST NOT appear within the rDNS label in any encoding (decimal, hex, etc.); the name should instead reflect the hostname of the SMTP server. There are exceptions for names beginning static*, mail*, mx*, smtp*, etc.
  • Contiguous ranges of IP addresses MUST NOT have the same rDNS.

127.0.0.11 is returned for hosts with generic rDNS.

127.0.0.12 is returned for hosts with no rDNS.
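As an added example that is not Abusix's scanner, here is a Python self-check that applies the three rules above to an IPv4 address and its rDNS and returns the policy code it would most likely receive. It recognises only the decimal and hex octet encodings the page names, and the exempt prefixes are limited to the four the page lists (the "etc." is not enumerated), so treat a None result as "probably passes" rather than a guarantee. The sample records are constructed.

```python
import ipaddress
import re
from typing import Optional

# Return codes documented for the policy (dynamic) zone.
GENERIC_RDNS = "127.0.0.11"
NO_RDNS = "127.0.0.12"

# Exempt hostname prefixes named on this page ("static* mail* mx* smtp*, etc.").
# The "etc." is not enumerated, so this tuple is an assumption limited to those four.
EXEMPT_PREFIXES = ("static", "mail", "mx", "smtp")


def octet_hits(ip: str, rdns: str) -> int:
    """How many of the IP's octets appear in the rDNS name.

    Decimal octets must be whole numeric runs ("192-0-2-5" -> 4 hits);
    hex octets are matched as byte pairs inside a run of 4+ hex characters
    ("c0000205" -> 4 hits). These are the two encodings the page names; the
    real scanner may recognise more, so this undercounts rather than overcounts.
    """
    octets = [int(o) for o in ip.split(".")]
    name = rdns.lower().rstrip(".")
    numeric = [t for t in re.findall(r"\d+", name) if len(t) <= 3]
    dec_hits = sum(1 for o in octets if any(int(t) == o for t in numeric))
    hex_hits = 0
    for tok in re.findall(r"[0-9a-f]{4,}", name):
        pairs = {tok[i:i + 2] for i in range(0, len(tok) - 1, 2)}
        hex_hits = max(hex_hits, sum(1 for o in octets if f"{o:02x}" in pairs))
    return max(dec_hits, hex_hits)


def classify(ip: str, rdns: Optional[str]) -> Optional[str]:
    """Policy code an IPv4 address would get for its rDNS, or None if it passes."""
    ipaddress.IPv4Address(ip)  # raises for IPv6: the policy zone is IPv4 only
    if not rdns:
        return NO_RDNS
    first_label = rdns.lower().split(".")[0]
    if first_label.startswith(EXEMPT_PREFIXES):
        return None
    if octet_hits(ip, rdns) >= 2:
        return GENERIC_RDNS
    return None


def shared_rdns(records: dict) -> list:
    """IPs violating the third rule: contiguous addresses with identical rDNS.

    ``records`` maps IPv4 string -> PTR name (or None). Only immediately
    adjacent addresses are compared, the narrowest reading of "contiguous".
    """
    ordered = sorted(records, key=ipaddress.IPv4Address)
    flagged = set()
    for a, b in zip(ordered, ordered[1:]):
        if int(ipaddress.IPv4Address(b)) - int(ipaddress.IPv4Address(a)) != 1:
            continue
        if records[a] and records[b] and records[a].lower() == records[b].lower():
            flagged.update((a, b))
    return sorted(flagged, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    # Constructed sample: documentation addresses with typical PTR names.
    sample = {
        "192.0.2.1": "mail.example.net.",
        "192.0.2.2": "192-0-2-2.dyn.example.net.",
        "192.0.2.3": None,
        "192.0.2.4": "c0000204.dyn.example.net.",
        "192.0.2.5": "pool.example.net.",
        "192.0.2.6": "pool.example.net.",
        "192.0.2.7": "static-192-0-2-7.example.net.",
    }
    for ip, ptr in sample.items():
        print(f"{ip:12} {ptr or '(no rDNS)':32} -> {classify(ip, ptr) or 'passes'}")
    print("contiguous IPs sharing one rDNS:", shared_rdns(sample))
```

Run it against your own outbound IPs and their PTR records before they go into service: a 127.0.0.11 from classify means the name encodes the address and will read as generic, and anything returned by shared_rdns is a range that needs per-host names. If the check passes but the address is still listed, use the delisting process described below, which re-scans the current rDNS.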

Warning This zone should only be used on border SMTP hosts and not on smart hosts or SMTP AUTH outbound servers, as you could block your customers. This list should never be used for Received headers hops or for anything other than checking IP addresses that hand off to your mail server(s), as doing so will cause significant numbers of false positives.

Delisting

Anyone can request a delisting from this zone, and a semi-permanent exception will be created automatically. Exceptions are only pruned when they are no longer necessary; however, in the future we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale.

💡
Note We do not allow delists of CIDR ranges from the Policy list. Only IPs that meet the policy requirements are delisted. If you have updated your rDNS recently and would like us to re-scan it, please get in touch via our support channels, and we will do this for you.

Example query:

$ host 2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone.
2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone has address 127.0.0.11
2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone has address 127.0.0.12
 
💡
Note to Rsync users You will also see a zone file called "policy.zone", which is now deprecated. This was a stricter version of the Policy Blocklist that also included hosts with "static" within their rDNS labels. Please check that you are using the correct zone file (lists/dynamic.zone), as "policy.zone" will be removed in the future to save bandwidth and avoid confusion.
 

 
 

Domain Blocklist

Status:

Production

Type:

Domain, IPv4

Cloud DNS namespace:

<APIKEY>.dblack.mail.abusix.zone.

Rsync File:

lists/dblack.zone

Return Codes:

127.0.1.1, 127.0.1.2, 127.0.1.3

Test Points:

*.test, 127.0.0.2, 127.0.1.1, 127.0.1.2, 127.0.1.3

Listing Duration:

Approximately 5.2 days after last seen

 

Description

This list is applied to inbound and outbound mail and holds domains and IP addresses found in the message body of spam received by our primary traps. Any short URL links found in spam are followed, and any intermediate or destination domains are listed.

💡
Info This list should be used as a URI DNSBL (i.e., checking domain names or IP addresses found in the message body), but can also be used as an RHSBL, where the rDNS, SMTP HELO, MAIL FROM domain, DKIM d= domain, Message-ID domain, and List-Unsubscribe header domains are checked against it. Do not use it to check the connecting IP address: the only IP addresses it contains are ones found in message bodies.
 

127.0.1.1 is returned for domains/IPs found in the message body.

127.0.1.2 is returned for newly observed domains (found using other trap types).

127.0.1.3 is returned for domains found by following short URLs.

 
💡
Info The list wildcards domains to make this list as easy to implement as possible. That means the zone lists the parent domain and any sub-domains, so you don't need to normalize the hostname or domain name before querying.

Example query:

$ host 2.0.0.127.<APIKEY>.dblack.mail.abusix.zone.
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.1
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.2
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.3
 
💡
Note When building the domain list, we found that many spammers go to great lengths to evade detection, using open redirectors, short URLs, and online drive services like Google Drive and Yandex Disk. Thus, we created several new types of lists to combat this; see the shorthash and diskhash lists. When dblack, shorthash, and diskhash are combined, you get the best possible coverage and protection available.
 

 
 

Shorthash Blocklist (short URLs)

Status:

Production

Type:

SHA-1 Hash

Cloud DNS namespace:

<APIKEY>.shorthash.mail.abusix.zone.

Rsync File:

lists/shorthash.zone

Return Codes:

127.0.3.1

Test Points:

127.0.0.2, 127.0.3.1, *.test, d2e4345eef7b21a542ed6d7c3dd191585b344461 (abusix.ai/testpoint), f4d986915d728956d139397effd00fee0e3725e4 (abusix.ai/testpoint/hash/short)

Listing Duration:

Approximately 5.2 days after last seen

 
 

Description

This list is applied to inbound and outbound mail. We developed this list so that Short URLs seen in the message body of spam sent to our primary traps could be blocked.

This list complements the domain blocklist, as using short URLs has become a common way for spam to avoid domain blocklisting by hiding behind these services. The shortening services' own domains cannot be listed without causing significant false positives, and these services are usually very poor at handling abuse of their services.

Since it is impossible to represent a full URL in a DNS query, the Short URLs are normalized first, then SHA-1 hashed, and the hash value is used for lookup instead of the URL.

To normalize the short URL, remove the scheme, then take only the “hostname” (lowercased) and “pathname” and then calculate the SHA-1 hash of the result:

http://BiT.do/e3s49?foo=bar&bar=baz → SHA1(bit.do/e3s49)
= bb395cece75455415de5f3b6f75c13352586788c
 
💡
Info As this is an entirely new type of anti-spam check, it will require support to be added to your chosen mail platform. For Rspamd, please look at our set-up instructions, which contain the necessary code to do these lookups (see link).
 

 
 

Diskhash Blocklist (drive URLs)

Status:

Production

Type:

SHA-1 Hash

Cloud DNS namespace:

<APIKEY>.diskhash.mail.abusix.zone.

Rsync File:

lists/diskhash.zone

Return Codes:

127.0.3.2

Test Points:

127.0.0.2, 127.0.3.2, *.test, d2e4345eef7b21a542ed6d7c3dd191585b344461 (abusix.ai/testpoint), 2f07095f95bc86bc310febc625ee9327a69fde0b (abusix.ai/testpoint/hash/disk)

Listing Duration:

Approximately 5.2 days after last seen

 
 

Description

This list is applied to inbound and outbound mail. We developed this list to list “Online file storage” URLs seen in the message body of spam sent to our primary traps.

This list complements the domain blocklist, as using online file storage services like Google Drive and Yandex Disk has become a common way for spam to avoid IP and domain blocklisting by hiding behind these services. Additionally, these services are usually very poor at handling abuse of their services.

Since it is impossible to represent a full URL in a DNS query, the URLs are first normalized, then SHA-1 hashed, and the hash value is used for lookup instead of the URL.

To normalize the URL, remove the scheme, then take only the "hostname" (lowercased) and "pathname", and then calculate the SHA-1 hash of the result:

https://drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view
→ SHA1(drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view)
= f947e57d2326ca86ba9bead20696a9208a7acdd6
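The normalization step is identical for the shorthash list (previous section) and the diskhash list, so one added Python example, which is not code from this page or from Abusix's rspamd set-up, serves both: it reduces a URL to lowercase hostname plus pathname, hashes that with SHA-1, and builds the lookup name. The API key is a placeholder, and placing the hash as the leftmost label of the query name is an assumption that mirrors the reversed-IP queries shown for the IP zones.

```python
import hashlib
import socket
from typing import Optional
from urllib.parse import urlsplit

API_KEY = "0123456789abcdef"  # constructed placeholder; use the key from app.abusix.com

# Return codes documented on this page for the two hash zones.
HASH_ZONES = {"shorthash": "127.0.3.1", "diskhash": "127.0.3.2"}


def normalize(url: str) -> str:
    """Reduce a URL to lowercase hostname + pathname, as the page describes.

    Scheme, userinfo, port, query string and fragment are dropped. The path is
    kept as-is, since short-URL codes and drive file IDs are case-sensitive.
    A bare "host/path" with no scheme is accepted by assuming http://.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host + parts.path


def url_hash(url: str) -> str:
    """Hex SHA-1 of the normalized URL; this is the lookup key."""
    return hashlib.sha1(normalize(url).encode("utf-8")).hexdigest()


def query_name(url: str, zone: str, api_key: str = API_KEY) -> str:
    """Full DNS name to query for ``url`` in the shorthash or diskhash zone.

    Assumption: the hash occupies the leftmost label, where the reversed IP
    sits in the page's IP-zone examples.
    """
    if zone not in HASH_ZONES:
        raise ValueError("zone must be one of: " + ", ".join(HASH_ZONES))
    return f"{url_hash(url)}.{api_key}.{zone}.mail.abusix.zone."


def lookup(url: str, zone: str, api_key: str = API_KEY) -> Optional[str]:
    """Return the A record for a listed URL, or None on NXDOMAIN (not listed).

    Needs network access and a valid key; an invalid key also yields None,
    so confirm the zone answers for its test points before trusting results.
    """
    try:
        return socket.gethostbyname(query_name(url, zone, api_key))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # The two URLs from this page, plus the URL behind the hash-zone test points.
    for url in ("http://BiT.do/e3s49?foo=bar&bar=baz",
                "https://drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view",
                "https://abusix.ai/testpoint"):
        print(f"{normalize(url):70} {url_hash(url)}")
    for zone, code in HASH_ZONES.items():
        answer = lookup("https://abusix.ai/testpoint", zone)
        print(f"{zone}: test point -> {answer} (expected {code})")
```

Running it on the two URLs above should reproduce the digests the page gives, and url_hash("https://abusix.ai/testpoint") should match the d2e43... digest listed under Test Points for both hash zones; if either differs, the normalization has diverged from what the page describes and the lookups will silently miss. An answer of 127.0.3.1 from shorthash or 127.0.3.2 from diskhash means listed; NXDOMAIN means not listed.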
 
💡
Info As this is an entirely new type of anti-spam check, it will require support to be added to your chosen mail platform. For Rspamd, please look at our set-up instructions, which contain the necessary code to do these lookups (see link).
 

 
 

Authbl Blocklist

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<APIKEY>.authbl.mail.abusix.zone.

Rsync File:

lists/authbl.zone

Return Codes:

127.0.0.4

Test Points:

127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4

Listing Duration:

Approximately 12 hours from when traffic was last seen

 
 

Description

This list is applied to outbound mail and is a subset of the exploit zone but only lists hosts seen within the last 12 hours instead of the usual 5.2 days. The listing time is shorter to avoid false positives where the listed IP is returned to a DHCP pool.

The list contains the IP addresses of infected hosts, botnet members, proxies, VPNs, TOR exit nodes, and hosts attempting to authenticate to our honeypots. Thus, it is intended to be used to identify and prevent account compromises or as a blocklist to prevent listed hosts from authenticating to your services running on HTTP, IMAP, SMTP, SSH, etc., to prevent dictionary attacks, brute force, or logging in with phished credentials, etc.

 

Postfix

In Postfix, you may use this list to prevent authenticated users from relaying mail from listed IPs (e.g., where the account could be compromised).

In main.cf you would set "smtpd_relay_restrictions" to the following (or add this if missing):

smtpd_relay_restrictions = permit_mynetworks reject_rbl_client <APIKEY>.authbl.mail.abusix.zone permit_sasl_authenticated defer_unauth_destination

Replace <APIKEY> with the key from your account in app.abusix.com. The order matters: reject_rbl_client must come before permit_sasl_authenticated, otherwise a client that authenticates successfully is permitted before the list is consulted. Note that Postfix evaluates smtpd_relay_restrictions for every client outside mynetworks, so with this placement a listed IP is also refused when it sends unauthenticated inbound mail to your own domains.

rsync

For those with rsync access, this zone is an rbldnsd zone like our other lists. However, you can post-process the zone file and use it as an access control list for many other services by stripping out the rbldnsd metadata by running:

grep -Pv '^(\#|\$|:[^:]|127\.0\.0\.[24]|::FFFF:7F00:[24])' authbl.zone > authbl_ip_list

authbl_ip_list will contain just the IP addresses and can be imported into other software.


 
 

Welcome List

Status:

Production

Type:

IPv4, IPv6, Domain

Cloud DNS namespace:

<APIKEY>.white.mail.abusix.zone.

Rsync File:

lists/white.zone

Return Codes:

127.0.2.1

Test Points:

127.0.0.2, ::FFFF:7F00:2, 127.0.2.1

Listing Duration:

Varies

Description

This list aggregates multiple whitelist sources and includes IPv4, IPv6, and domains.

All sources return the same return code.

The sources of this list are:

  • Return-Path Whitelist (IP)
  • Return-Path Whitelist (Domain)
  • Abusix Whitelist (IP)
  • Abusix Whitelist (Domain)
 
Warning This list is not supposed to be used as a "this IP or domain never sends spam" list or to allow any listed IP or domain free passage through your filtering systems. Every good blocklist starts with a great welcome list, as there are lots of IPs and domains you would not want to block, as doing so would cause significant false positives. We publish this zone for completeness.
 
💡
Tip A good use for this zone would be to exclude listed hosts from being greylisted.
 

 
 

DNSWL List

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<APIKEY>.dnswl.mail.abusix.zone.

Rsync File:

lists/dnswl.zone

Return Codes:

Varies (see below)

Test Points:

127.0.0.2, ::2, ::FFFF:7F00:2

Listing Duration:

Varies

 

Description

This is our mirror of www.dnswl.org

 

Return Codes

The return codes of dnswl are structured as 127.0.x.y, with “x” indicating the category of an entry and “y” indicating how trustworthy an entry has been judged.

 

Categories (127.0.X.y)

2 – Financial services

3 – Email Service Providers

4 – Organisations (both for-profit [i.e., companies] and non-profit)

5 – Service/network providers

6 – Personal/private servers

7 – Travel/leisure industry

8 – Public sector/governments

9 – Media and Tech companies

10 – some special cases

11 – Education, academic

12 – Healthcare

13 – Manufacturing/Industrial

14 – Retail/Wholesale/Services

15 – Email Marketing Providers

20 – Added through Self Service without a specific category

 

Trustworthiness / Score (127.0.x.Y)

0 = none – only avoid outright blocking (e.g., large ESP mailservers, -0.1)

1 = low – reduce the chance of false positives (-1.0)

2 = medium – make sure to avoid false positives but allow override for clear cases (-10.0)

3 = high – avoid override (-100.0).

 

 
 

nod List (Newly Observed Domains)

Status:

Production

Type:

Domain

Cloud DNS namespace:

<APIKEY>.nod.mail.abusix.zone.

Rsync File:

lists/nod.zone

Return Codes:

127.0.1.2

Test Points:

.test

Listing Duration:

25 hours

 

Description

This list contains all newly observed domains, with each domain wildcarded. Being listed doesn't necessarily mean that the domain is bad, but knowing a new domain can be helpful for other things like scoring or meta-rules.

The list is built from data provided by our partner Farsight Security using their massive real-time Passive DNS sensor network and is not reliant on any data from WHOIS. This list includes domains from every TLD and ccTLD; it also means that a domain could have been registered months previously but has only come into use in the last 25 hours.

 
💡
Info Our domain blocklist (dblack) already contains any newly observed domains that have been seen sending mail to any of our traps. To implement this list as easily as possible, it wildcards all domains. This means the parent domain is listed and any sub-domains, so you do not need to normalize the hostname or domain name before querying it.


 
 

noip List (Newly Observed IPs)

Status:

Production

Type:

IPv4, IPv6

Cloud DNS namespace:

<APIKEY>.noip.mail.abusix.zone.

Rsync File:

lists/noip.zone

Return Codes:

127.0.0.100

Test Points:

127.0.0.2, 127.0.0.100

Listing Duration:

25 hours

 

Description

This list contains all newly observed IP Addresses. Being listed doesn't necessarily mean that the IP address is bad, but this is useful for scoring and metarules, especially when combined with other data.

This list is built by storing every IP address we have seen sending SMTP traffic to our traps or partners over the last 30 days. Any new IP we observe that has not been seen before is then listed for 25 hours.

Learn more about Abusix Mail Intelligence
