authbl

Status: Production
Type: IPv4, IPv6
Cloud DNS namespace: <key>.authbl.mail.abusix.zone.
Rsync File: lists/authbl.zone
Return Codes: 127.0.0.4
Test Points: 127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4
Listing Duration: Approximately 12 hours from when traffic was last seen

Description

This list is a subset of the exploit zone, but it only lists hosts that have been seen within the last 12 hours instead of the usual 5.2 days. The listing time is shorter to avoid false positives when a listed IP address has been returned to a DHCP pool.

It contains IP addresses of hosts that are infected, botnet members, proxies, VPNs, TOR exit nodes and hosts that have been attempting to authenticate to our honeypots.

It is intended to be used to identify and prevent account compromises, or as a blacklist that stops listed hosts from authenticating to your services running on HTTP, IMAP, SMTP, SSH, etc., in order to prevent dictionary attacks, brute-force attempts, logins with phished credentials, etc.

This zone is provided as an rbldnsd combined zone like our other lists. However, you can post-process the zone file and use it as an access control list for many other services by stripping out the rbldnsd metadata with:

grep -Pv '^(\#|\$|:[^:]|127\.0\.0\.[24]|::FFFF:7F00:[24])' authbl.zone > authbl_ip_list

authbl_ip_list will then contain just the IP addresses and can be imported into other software.

Postfix

To use this in Postfix to prevent authenticated users from relaying mail from listed IPs (e.g. where the account could be compromised), in main.cf you would set "smtpd_relay_restrictions" to the following (or add this if missing):

smtpd_relay_restrictions = permit_mynetworks reject_rbl_client <key>.authbl.mail.abusix.zone permit_sasl_authenticated defer_unauth_destination

(replace <key> with your API/Query key which can be found in the Dashboard)
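
For services that have no DNSBL hook like the Postfix one, the same lookup can be made from application code before a login is processed. The following is an added example, not Abusix code: it assumes the standard DNSBL query-name convention (reversed octets for IPv4, reversed nibbles for IPv6), and `examplekey`, `fake_resolver` and the function names are hypothetical.

```python
import ipaddress
import socket

ZONE = "authbl.mail.abusix.zone"
LISTED = "127.0.0.4"  # the return code documented on this page


def query_name(ip, key):
    """Build the DNSBL query name: reversed address labels + <key>.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]             # reversed octets
    else:
        labels = list(format(int(addr), "032x"))[::-1]  # reversed nibbles
    return ".".join(labels + [key, ZONE])


def system_resolver(name):
    """Return the A records for name, or [] if the lookup fails.

    Assumption of this example: NXDOMAIN and resolver errors are both
    treated as "not listed" (fail open). Choose your own policy here.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listed(ip, key, resolve=system_resolver):
    """True only when the zone answers with the documented return code.

    Any other answer is ignored rather than treated as a listing.
    """
    return LISTED in resolve(query_name(ip, key))


def fake_resolver(name):
    """Constructed offline stand-in for DNS: only test point 127.0.0.2 is listed."""
    return [LISTED] if name == query_name("127.0.0.2", "examplekey") else []


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as constructed sample input.
    for ip in ("127.0.0.2", "192.0.2.10", "::FFFF:7F00:2"):
        print(ip, query_name(ip, "examplekey"),
              is_listed(ip, "examplekey", fake_resolver))
```

The query name contains your key, so keep it out of application logs and error messages.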