> ## Documentation Index > Fetch the complete documentation index at: https://docs.abusix.com/llms.txt > Use this file to discover all available pages before exploring further. # Production Zones > A comprehensive reference of Abusix’s production-ready DNS blocklists and whitelists, detailing list types, usage scenarios, return codes, and integration guidelines for email security infrastructure. # **Zones** ## **Combined Blocklist** **Status:** Production **Type:** [IPv4](https://abusix.com/glossary/internet-protocol-version-4/), [IPv6](https://abusix.com/glossary/internet-protocol-version-6/) [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[combined.mail.abusix.zone](http://combined.mail.abusix.zone). **Rsync File:** lists/[black.zone](http://black.zone), lists/[exploit.zone](http://exploit.zone), lists/[dynamic.zone](http://dynamic.zone) **Return Codes:** 127.0.0.2, 127.0.0.3, 127.0.0.200, 127.0.0.4, 127.0.0.11, 127.0.0.12 **Test Points:** 127.0.0.2, 127.0.0.3, 127.0.0.200, 127.0.04, 127.0.0.11, 127.0.0.12, ::FFFF:7F00:2, ::FFFF:7F00:3, ::FFFF:7F00:4 **Listing Duration:** Varies (see individual list for details) **Description** This list is used for inbound mail and aggregates all of our recommended [IP](https://abusix.com/glossary/internet-protocol-address/) lists into a single query for convenience and speed. The “combined” list includes the black, exploit, and policy [IP](https://abusix.com/glossary/internet-protocol-address/) lists. *** ### **Spam Blocklist** **Status:** Production **Type:** [IPv4](https://abusix.com/glossary/internet-protocol-version-4/), [IPv6](https://abusix.com/glossary/internet-protocol-version-6/) [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[black.mail.abusix.zone](http://black.mail.abusix.zone). **Rsync File:** lists/[black.zone](http://black.zone) **Return Codes:** 127.0.0.2, 127.0.0.3, 127.0.0.200 **Test Points:** 127.0.0.2, 127.0.0.3, 127.0.0.200, ::FFFF:7F00:2, ::FFFF:7F00:3 **Listing Duration:** Approximately 5.2 days from when traffic was last seen **Description** This list contains the [IP](https://abusix.com/glossary/internet-protocol-address/) addresses of hosts that have sent emails to our primary traps. These traps are domains that have never been used for genuine mail or have rejected all mail for over a year. The list also includes some manual network entries that we maintain. Common causes for being listed here include [compromised accounts](https://abusix.com/glossary/compromised-accounts/), infected hosts, [botnets](https://abusix.com/glossary/botnets/), [spam](https://abusix.com/glossary/spam/) gangs, purchased email address lists, poor sign-up processes, open web forms, open proxies, TOR exit nodes, and VPNs. If this data find any matching [IP](https://abusix.com/glossary/internet-protocol-address/) address, it will return 127.0.0.2. In addition, some automated heuristics use all of our trap networks and partner transaction feeds to look for [IP](https://abusix.com/glossary/internet-protocol-address/) addresses with very low reputation or [IPs](https://abusix.com/glossary/intrusion-prevention-systems/) in the same vicinity of hosts hitting our primary traps. [IPs](https://abusix.com/glossary/intrusion-prevention-systems/) found in this data will return 127.0.0.3. We also maintain a number of semi-permanent manual listings, which will return 127.0.0.200. This list can also be safely used to check each “Received” header hop found within a message if your [MTA](https://abusix.com/glossary/mail-transfer-agent/) or [spam](https://abusix.com/glossary/spam/) filter can do so. *Example query:* ``` $ host 2.0.0.127..black.mail.abusix.zone. 2.0.0.127..black.mail.abusix.zone has address 127.0.0.2 2.0.0.127..black.mail.abusix.zone has address 127.0.0.3 2.0.0.127..black.mail.abusix.zone has address 127.0.0.200 ``` *** ### **Exploit Blocklist** **Status:** Production **Type:** [IPv4](https://abusix.com/glossary/internet-protocol-version-4/), [IPv6](https://abusix.com/glossary/internet-protocol-version-6/) [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[exploit.mail.abusix.zone](http://exploit.mail.abusix.zone). **Rsync File:** lists/[exploit.zone](http://exploit.zone) **Return Codes:** 127.0.0.4 **Test Points:** 127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4 **Listing Duration:** Approximately 5.2 days from when traffic was last seen **Description** This list is generated by monitoring the behavior of hosts that connect to our traps and our partner’s mail services. It includes any [IP](https://abusix.com/glossary/internet-protocol-address/) address that exhibits behavior specific to compromised hosts, botnet/virus infections, proxies, VPNs, TOR exit nodes, or [IPs](https://abusix.com/glossary/intrusion-prevention-systems/) that are NAT’ing for these hosts. These behaviors are not expected from a genuine [SMTP](https://abusix.com/glossary/simple-mail-transfer-protocol/) client. You can also use this list to check each “Received” header hop found within a message safely. *Example query:* ``` $ host 2.0.0.127..exploit.mail.abusix.zone. 2.0.0.127..exploit.mail.abusix.zone has address 127.0.0.4 ``` *** ### **Policy Blocklist** **Status:** Production **Type:** [IPv4](https://abusix.com/glossary/internet-protocol-version-4/) only [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[dynamic.mail.abusix.zone](http://dynamic.mail.abusix.zone). **Rsync File:** lists/[dynamic.zone](http://dynamic.zone) **Return Codes:** 127.0.0.11, 127.0.0.12 **Test Points:** 127.0.0.2, 127.0.0.11, 127.0.0.12 **Listing Duration:** Indefinitely **Description** This zone is our email “Policy” [blocklist](https://abusix.com/glossary/real-time-blocklist/). It contains a list of all [IP](https://abusix.com/glossary/internet-protocol-address/) addresses that should not be connecting directly to external [SMTP](https://abusix.com/glossary/simple-mail-transfer-protocol/) servers. Instead, they should use their [ISP](https://abusix.com/glossary/internet-service-provider/) or mailbox provider’s smarthost to relay messages using some form of [SMTP](https://abusix.com/glossary/simple-mail-transfer-protocol/) authentication. The purpose of this list is to preemptively identify any [IP](https://abusix.com/glossary/internet-protocol-address/) that is unsuitable for use with an [SMTP](https://abusix.com/glossary/simple-mail-transfer-protocol/) server. This helps to immediately catch newly compromised hosts, hijacked [IP](https://abusix.com/glossary/internet-protocol-address/) space, and other threats without requiring trap hits for listings. > 💡 It is **normal** for a non-SMTP server [IP](https://abusix.com/glossary/internet-protocol-address/) to be listed in this zone. This will not cause any ill-effects, e.g. it will not prevent mail from being sent from this [IP](https://abusix.com/glossary/internet-protocol-address/) or range. The list is built by constantly scanning the entire [IPv4](https://abusix.com/glossary/internet-protocol-version-4/) range and applying a policy that states: * \[[*****An IP address MUST have rDNS.*****](https://abusix.com/glossary/reverse-dns/)]\([https://abusix.com/glossary/internet-protocol-address/](https://abusix.com/glossary/internet-protocol-address/)) * [*rDNS*](https://abusix.com/glossary/reverse-dns/)\_ must not be ‘templated,’ e.g., two or more octets of the [**IP**](https://abusix.com/glossary/internet-protocol-address/) address MUST NOT appear (this can be in hex, decimal, etc.) within the [**rDNS**](https://abusix.com/glossary/reverse-dns/) label (there are exceptions for static\* mail\* [**mx**](https://abusix.com/glossary/mail-exchanger/)\* [**smtp**](https://abusix.com/glossary/simple-mail-transfer-protocol/)\*, etc.) and should reflect the hostname of the [**SMTP**](https://abusix.com/glossary/simple-mail-transfer-protocol/) server.\_ * \[[*****Contiguous ranges of IP addresses MUST NOT have the same rDNS.*****](https://abusix.com/glossary/reverse-dns/)]\([https://abusix.com/glossary/internet-protocol-address/](https://abusix.com/glossary/internet-protocol-address/)) 127.0.0.11 is returned for hosts with generic [rDNS](https://abusix.com/glossary/reverse-dns/). 127.0.0.12 is returned for hosts with no [rDNS](https://abusix.com/glossary/reverse-dns/). > ❗ **Warning** This zone should only be used on border [SMTP](https://abusix.com/glossary/simple-mail-transfer-protocol/) hosts, not smart hosts or [SMTP](https://abusix.com/glossary/simple-mail-transfer-protocol/) AUTH outbound servers, as you could block your customers. This list should never be used for Received headers hops or for anything other than checking [IP](https://abusix.com/glossary/internet-protocol-address/) addresses that hand off to your mail server(s), as doing so will cause significant numbers of false positives. **Delisting** Anyone can request a delisting from this zone, and a semi-permanent exception will be created automatically. Exceptions are only pruned when they are no longer necessary. Still, in the future, we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale. > 💡 **Note** We do not allow delists of [CIDR](https://abusix.com/glossary/classless-inter-domain-routing/) ranges from the Policy list. Only [IPs](https://abusix.com/glossary/intrusion-prevention-systems/) that meet the policy requirements are delisted. If you have updated your [rDNS](https://abusix.com/glossary/reverse-dns/) recently and would like us to re-scan it, please get in touch with us via our support channels, and we will do this for you. *Example query:* ``` $ host 2.0.0.127..dynamic.mail.abusix.zone. 2.0.0.127..dynamic.mail.abusix.zone has address 127.0.0.11 2.0.0.127..dynamic.mail.abusix.zone has address 127.0.0.12 ``` > 💡 **Note to Rsync users**You will also see a zone file called “ [policy.zone](http://policy.zone)” which is now deprecated. This was a stricter version of the Policy [Blacklist](https://abusix.com/glossary/real-time-blocklist/), including hosts with “static” within their [rDNS](https://abusix.com/glossary/reverse-dns/)labels. Please check that you are using the correct zone file, as the “ [policy.zone](http://policy.zone)” will be removed in the future to save bandwidth and confusion. *** ## **Domain Blocklist** **Status:** Production **Type:** Domain, [IPv4](https://abusix.com/glossary/internet-protocol-version-4/) [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[dblack.mail.abusix.zone](http://dblack.mail.abusix.zone). **Rsync File:** lists/[dblack.zone](http://dblack.zone) **Return Codes:** 127.0.1.1, 127.0.1.2, 127.0.1.3 **Test Points:** \*.test, 127.0.0.2, 127.0.1.1, 127.0.1.2, 127.0.1.3 **Listing Duration:** Approximately 5.2 days after last seen **Description** This list applies to both inbound and outbound mail and contains domains and [IP](https://abusix.com/glossary/internet-protocol-address/) addresses found in the message body of [spam](https://abusix.com/glossary/spam/) received by our primary traps. We also follow any [short URL](https://abusix.com/glossary/short-url/) links found in [spam](https://abusix.com/glossary/spam/) and list any intermediate or destination domains. > 💡 **Info** This list should be used as a URI [DNSBL](https://abusix.com/glossary/domain-name-system-blocklist/) (e.g., checking domain names or [IP](https://abusix.com/glossary/internet-protocol-address/) addresses found in the message body), but can also be used as an RHSBL where the [rDNS](https://abusix.com/glossary/reverse-dns/), [SMTP](https://abusix.com/glossary/simple-mail-transfer-protocol/) HELO, MAIL FROM domain, [DKIM](https://abusix.com/glossary/domain-keys-identified-mail/) d= domain, Message-ID domain, and List-Unsubscribe headers are checked against it. The list should **not** be used to check the connecting [IP](https://abusix.com/glossary/internet-protocol-address/) address, though only [IP](https://abusix.com/glossary/internet-protocol-address/) addresses are in the message body. 127.0.1.1 is returned for domains/[IPs](https://abusix.com/glossary/intrusion-prevention-systems/) found in the message body. 127.0.1.2 is returned for newly observed domains (found using other trap types). 127.0.1.3 is returned for domains found by following short URLs. > 💡 **Info** The list of wildcards domains to make this list as easy to implement as possible. That means the zone lists the parent domain *and any sub-domains*, so you don’t need to normalize the hostname or domain name before querying. *Example query:* ``` $ host 2.0.0.127..dblack.mail.abusix.zone. 2.0.0.127..dblack.mail.abusix.zone has address 127.0.1.1 2.0.0.127..dblack.mail.abusix.zone has address 127.0.1.2 2.0.0.127..dblack.mail.abusix.zone has address 127.0.1.3 ``` > 💡**Note** When creating the domain list, we found that many spams go to great lengths to evade detection, using open redirectors, short URLs, and online drive services like Google Drive and Yandex Disk. Thus, we created several lists to combat this; see the shorthash and diskhash lists. When dblack, shorthash, and drivehash are combined, you will get the best possible coverage and protection available. *** ## **Shorthash Blocklist (short URLs)** **Status:** Production **Type:** SHA-1 Hash [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[shorthash.mail.abusix.zone](http://shorthash.mail.abusix.zone). **Rsync File:** lists/[shorthash.zone](http://shorthash.zone) **Return Codes:** 127.0.3.1 **Test Points:** 127.0.02, 127.0.3.1, \*.test, d2e4345eef7b21a542ed6d7c3dd191585b344461 (abusix.ai/testpoint), f4d986915d728956d139397effd00fee0e3725e4 (abusix.ai/testpoint/hash/short) **Listing Duration:** Approximately 5.2 days after last seen **Description** This list applies to both inbound and outbound mail. Its purpose is to block short URLs seen in the message body of [spam](https://abusix.com/glossary/spam/) sent to our primary traps. The domain [blacklist](https://abusix.com/glossary/real-time-blocklist/) is complemented by this list because short URLs have become a common way for spammers to avoid domain blacklisting by hiding behind these services. However, listing some [short URL](https://abusix.com/glossary/short-url/) domains may cause significant false positives. Additionally, these shortening services are usually very poor at handling abuse of their services. Since it is impossible to represent a full URL in a [DNS](https://abusix.com/glossary/domain-name-system/) query, the short URLs are first normalized, then SHA-1 hashed, and the hash value is used for lookup instead of the URL. To normalize the [short URL](https://abusix.com/glossary/short-url/), remove the scheme, then take only the “hostname” (in lowercase) and “pathname”, and then calculate the SHA-1 hash of the result. ``` http://BiT.do/e3s49?foo=bar&bar=baz → SHA1(bit.do/e3s49) = bb395cece75455415de5f3b6f75c13352586788c ``` > 💡**Info** As this is an entirely new type of anti-spam check, it will require support to be added to your chosen mail platform. \*\*Rspamd \*\*Please look at our set-up instructions for rspamd, which contains the necessary code to do these lookups. See link *** ## **Diskhash Blocklist (drive URLs)** **Status:** Production **Type:** SHA-1 Hash [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[diskhash.mail.abusix.zone](http://diskhash.mail.abusix.zone). **Rsync File:** lists/[diskhash.zone](http://diskhash.zone) **Return Codes:** 127.0.3.2 **Test Points:** 127.0.0.2, 127.0.3.2, \*.test, d2e4345eef7b21a542ed6d7c3dd191585b344461 (abusix.ai/testpoint), 2f07095f95bc86bc310febc625ee9327a69fde0b (abusix.ai/testpoint/hash/disk) **Listing Duration:** Approximately 5.2 days after last seen **Description** This list applies to both inbound and outbound mail. Its purpose is to identify and list URLs for online file storage services that appear in the message body of [spam](https://abusix.com/glossary/spam/) that is sent to our primary traps. This list is complementary to the domain [blacklist](https://abusix.com/glossary/real-time-blocklist/), as spammers often use online file storage services like Google Drive and Yandex Disk to avoid [IP](https://abusix.com/glossary/internet-protocol-address/) and domain blacklisting by hiding behind these services. Unfortunately, these services are often poor at handling abuse of their services. Since it is impossible to represent a full URL in a [DNS](https://abusix.com/glossary/domain-name-system/) query, the URLs are first normalized, then SHA-1 hashed, and the hash value is used for lookup instead of the URL. To normalize the [short URL](https://abusix.com/glossary/short-url/), remove the scheme, then take only the “hostname” (in lowercase) and “pathname”, and finally calculate the SHA-1 hash of the result. ``` https://drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view → SHA1(drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view) = f947e57d2326ca86ba9bead20696a9208a7acdd6 ``` > 💡**Info** As this is an entirely new type of anti-spam check, it will require support to be added to your chosen mail platform. \*\*Rspamd \*\*Please look at our set-up instructions for rspamd, which contains the necessary code to do these lookups. See link *** ## **Authbl Blocklist** **Status:** Production **Type:** [IPv4](https://abusix.com/glossary/internet-protocol-version-4/), [IPv6](https://abusix.com/glossary/internet-protocol-version-6/) [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[authbl.mail.abusix.zone](http://authbl.mail.abusix.zone). **Rsync File:** lists/[authbl.zone](http://authbl.zone) **Return Codes:** 127.0.0.4 **Test Points:** 127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4 **Listing Duration:** Approximately 12 hours from when traffic was last seen **Description** This list is used for outbound mail and is a subset of the *exploit* zone. However, it only includes hosts that have been seen in the last 12 hours, instead of the usual 5.2 days. The shorter listing time is intended to avoid false positives where an [IP](https://abusix.com/glossary/internet-protocol-address/) address is returned to a DHCP pool. The list includes the [IP](https://abusix.com/glossary/internet-protocol-address/) addresses of infected hosts, botnet members, proxies, VPNs, TOR exit nodes, and hosts attempting to authenticate to our honeypots. It is intended to be used for identifying and preventing account compromises or as a [blocklist](https://abusix.com/glossary/real-time-blocklist/) for preventing listed hosts from authenticating to your services running on HTTP, IMAP, [SMTP](https://abusix.com/glossary/simple-mail-transfer-protocol/), [SSH](https://abusix.com/glossary/secure-shell-protocol/), etc. This can prevent dictionary attacks, brute force, or logging in with phished credentials, among other things. **Postfix** In Postfix, you may use this list to prevent authenticated users from relaying mail from listed [IPs](https://abusix.com/glossary/intrusion-prevention-systems/) (e.g., where the account could be compromised). In [*main.cf*](http://main.cf) you would set “smtpd\_relay\_restrictions” to the following (or add this if missing): ``` smtpd_relay_restrictions = permit_mynetworks reject_rbl_client .authbl.mail.abusix.zone permit_sasl_authenticated defer_unauth_destination ``` Replace \ with the key from your account in [app.abusix.com](http://app.abusix.com). **rsync** For those with rsync access, this zone is an rbldnsd zone, like our other lists. However, you can post-process the zone file and use it as an access control list for many other services by stripping out the rbldnsd metadata. To do this, run: ``` grep -Pv '^(\#|\$|:[^:]|127\.0\.0\.[24]|::FFFF:7F00:[24])' authbl.zone > authbl_ip_list ``` authbl\_ip\_list will contain just the [IP](https://abusix.com/glossary/internet-protocol-address/) addresses and can be imported into other software. *** ## **Welcome List** **Status:** Production **Type:** [IPv4](https://abusix.com/glossary/internet-protocol-version-4/), [IPv6](https://abusix.com/glossary/internet-protocol-version-6/), Domain [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[white.mail.abusix.zone](http://white.mail.abusix.zone). **Rsync File:** lists/[white.zone](http://white.zone) **Return Codes:** 127.0.2.1 **Test Points:** 127.0.0.2, ::FFFF:7F00:2, 127.0.2.1 **Listing Duration:** Varies **Description** This list aggregates multiple [whitelist](https://abusix.com/glossary/welcome-list/) sources, including [IPv4](https://abusix.com/glossary/internet-protocol-version-4/), [IPv6](https://abusix.com/glossary/internet-protocol-version-6/), and domains. All sources return the same return code. The sources of this list are: * [DNSWL](http://www.dnswl.org/) ([IP](https://abusix.com/glossary/internet-protocol-address/)) * Return-Path [Whitelist](https://abusix.com/glossary/welcome-list/) ([IP](https://abusix.com/glossary/internet-protocol-address/)) * Return-Path [Whitelist](https://abusix.com/glossary/welcome-list/) (Domain) * Abusix [Whitelist](https://abusix.com/glossary/welcome-list/) ([IP](https://abusix.com/glossary/internet-protocol-address/)) * Abusix [Whitelist](https://abusix.com/glossary/welcome-list/) (Domain) ❗ **Warning** This list is not supposed to be used as a “this [IP](https://abusix.com/glossary/internet-protocol-address/) or domain never sends [spam](https://abusix.com/glossary/spam/)” list or to allow any listed [IP](https://abusix.com/glossary/internet-protocol-address/) or domain free passage through your filtering systems. Every good [blocklist](https://abusix.com/glossary/real-time-blocklist/) starts with a great [welcome list](https://abusix.com/glossary/welcome-list/), as there are lots of [IPs](https://abusix.com/glossary/intrusion-prevention-systems/) and domains you would want to avoid blocking, as doing so would cause significant false positives. We publish this zone for completeness. 💡 **Tip** A good use for this zone would be to exclude listed hosts from being greylisted. *** ## **DNSWL List** **Status:** Production **Type:** [IPv4](https://abusix.com/glossary/internet-protocol-version-4/), [IPv6](https://abusix.com/glossary/internet-protocol-version-6/) [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[dnswl.mail.abusix.zone](http://dnswl.mail.abusix.zone). **Rsync File:** lists/[dnswl.zone](http://dnswl.zone) **Return Codes:** Varies (see below) **Test Points:** 127.0.0.2, ::2, ::FFFF:7F00:2 **Listing Duration:** Varies **Description** This is our mirror of [www.dnswl.org](http://www.dnswl.org) **Return Codes** The return codes of dnswl are structured as 127.0.x.y, with “x” indicating the category of an entry and “y” indicating how trustworthy an entry has been judged. **Categories (127.0.X.y)** 2 – Financial services 3 – Email Service Providers 4 – Organisations (both for-profit \[i.e., companies] and non-profit) 5 – Service/network providers 6 – Personal/private servers 7 – Travel/leisure industry 8 – Public sector/governments 9 – Media and Tech companies 10 – some special cases 11 – Education, academic 12 – Healthcare 13 – Manufacturing/Industrial 14 – Retail/Wholesale/Services 15 – Email Marketing Providers 20 – Added through Self Service without a specific category **Trustworthiness / Score (127.0.x.Y)** 0 = none – only avoid outright blocking (e.g., large [ESP](https://abusix.com/glossary/email-service-provider/) mailservers, -0.1) 1 = low – reduce the chance of false positives (-1.0) 2 = medium – make sure to avoid false positives but allow override for clear cases (-10.0) 3 = high – avoid override (-100.0). *** ## **nod List (Newly Observed Domains)** **Status:** Production **Type:** Domain [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[nod.mail.abusix.zone](http://nod.mail.abusix.zone). **Rsync File:** lists/[nod.zone](http://nod.zone) **Return Codes:** 127.0.1.2 **Test Points:** .test **Listing Duration:** 25 hours **Description** This list includes all newly observed domains, with each domain wildcarded. Being listed does not necessarily mean that the domain is bad, but knowing a new domain can be helpful for other things like scoring or meta-rules. The data for this list is provided by our partner, [Farsight Security](https://www.farsightsecurity.com/), using their massive real-time Passive [DNS](https://abusix.com/glossary/domain-name-system/) sensor network. The list includes domains from every [TLD](https://abusix.com/glossary/top-level-domain/) and ccTLD. This also means that a domain could have been registered months previously but has only been entered into use for an email in the last 25 hours. 💡 **Info** Our domain [blocklist](https://abusix.com/glossary/real-time-blocklist/) (dblack) already contains newly observed domains that have been seen sending mail to any of our traps. To implement this list as easily as possible, it wildcards all domains. This means the parent domain and any sub-domains are listed, so you do not need to normalize the hostname or domain name before querying it. *** ## **noip List (Newly Observed IPs)** **Status:** Production **Type:** [IPv4](https://abusix.com/glossary/internet-protocol-version-4/), [IPv6](https://abusix.com/glossary/internet-protocol-version-6/) [******Cloud DNS namespace:******](https://abusix.com/glossary/domain-name-system/) \.[noip.mail.abusix.zone](http://noip.mail.abusix.zone). **Rsync File:** lists/[noip.zone](http://noip.zone) **Return Codes:** 127.0.0.100 **Test Points:** 127.0.0.2, 127.0.0.100 **Listing Duration:** 25 hours **Description** This list contains all newly observed [IP](https://abusix.com/glossary/internet-protocol-address/) addresses. Being listed doesn’t necessarily mean that the [IP](https://abusix.com/glossary/internet-protocol-address/) address is bad. However, this information is helpful for scoring and metarules, especially when combined with other data. We store every [IP](https://abusix.com/glossary/internet-protocol-address/) address that sends [SMTP](https://abusix.com/glossary/simple-mail-transfer-protocol/) traffic to our traps or partners over the last 30 days to build this list. Then, any new [IPs](https://abusix.com/glossary/intrusion-prevention-systems/) that we observe and have not seen before are listed for 25 hours.