Popular topics: Abuse Contact Validation black

policy

IP policy blocklist (dynamic.mail.abusix.zone)

Status: Production
Type: IPv4 only
Cloud DNS namespace: <key>.dynamic.mail.abusix.zone.
Rsync File: lists/dynamic.zone
Return Codes: 127.0.0.11, 127.0.0.12
Test Points: 127.0.0.2, 127.0.0.11, 127.0.0.12
Listing Duration: Indefinitely

Description

This is our email "Policy” blocklist which aims to list all IP addresses that should not be connecting directly to external SMTP servers, but should instead be using their ISP or mail providers smarthost to relay messages using some form of SMTP authentication.

This list is designed to preemptively list any IP that does not appear to be suitable for use with an SMTP server, this is to catch newly compromised hosts, hijacked IP space etc. immediately without requiring trap hits for listings.

It is built by constantly scanning the entire IPv4 range and applying a policy that states:  

  • An IP address MUST have rDNS.
  • rDNS must not be 'templated' e.g. two or more octets of the IP address MUST NOT appear (this can be in hex, decimal etc.) within the rDNS label (there are exceptions for static* mail* mx* smtp* etc.) and should reflect the hostname of the SMTP server.
  • Contiguous ranges of IP addresses MUST NOT have the same rDNS.

127.0.0.11 is returned for hosts with generic rDNS.

127.0.0.12 is returned for hosts with no rDNS.

Warning

This zone should only be used on border SMTP hosts, it should not be used on smarthosts or SMTP AUTH outbound servers as you could block your own customers.

This list should never be used for Received headers hops, or for anything other than checking IP addresses that hand-off to your mail server(s) as doing so will cause significant numbers of false-positives.

Delisting

Anyone can request a delist from this zone and a semi-permanent exception will be created automatically.  Exceptions are only pruned when they are no longer necessary, but in the future we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale.

Note for rsync users

There is also a zone file called "policy.zone" which is now deprecated.  This was a stricter version of the Policy Blacklist which also included hosts which contained "static" within their rDNS labels.   Please check that you are using the correct zone file as "policy.zone" will be removed in the future to save bandwidth and confusion.

Example query:

$ host 2.0.0.127.<key>.dynamic.mail.abusix.zone.
2.0.0.127.<key>.dynamic.mail.abusix.zone has address 127.0.0.11
2.0.0.127.<key>.dynamic.mail.abusix.zone has address 127.0.0.12

Was this article helpful?

Can’t find what you’re looking for?

Our award-winning customer care team is here for you.

Contact Support