Which anti spam DNS blacklists should used?

spam email-server blacklist

Here is my list and why I use them:

zen.spamhaus.org - Comprehensive RBL, catches a ton of spam sources, updated regularly. They have a long history and decent reputation in the spam filtering community. I have heard some negative things about them from time to time, but those are generally without real merit. Downside is that if your volume of traffic is high enough they will block access to the free list and you'll need to setup a paid account. Personal or small business mail servers usually do not have this problem.

b.barracudacentral.org - Another very good list from another major industry player. I've heard a lot of negative things about the Barracuda devices themselves, but their RBL is top-notch. Downside is that you have to register with them in order to use it. We've never had a false positive reported that was caused by this list, and it blocks a lot of traffic for us. See http://www.barracudacentral.org/rbl for details.

We've found that using these two lists alone, we see a significant reduction in spam intake on the server. The other lists that we've tried did not even come close to being as productive as either of these lists and essentially just wasted network resources and time while processing the incoming messages.

Here are some that I do not use and why (your experience may vary):

bl.spamcop.net - Too many false positives for our taste. They rely almost entirely on user submissions to power the list, and the people submitting are usually trigger happy and submit even legitimate messages as spam to their service, causing popular providers to get blocked when they probably shouldn't be. I have heard that this has been improved recently but we got burned too many times to go back and try again just yet.

dnsbl.sorbs.net - They run a comprehensive list, but there are too many options for my taste. They have a lot of coverage, and block a lot of traffic, but finding the right mix of lists that they supply requires a lot of trial and error. The removal process for their spam list requires a verifiable minimum donation to one of their approved charities. If one of my clients ends up on their list (whatever the cause) and we block their traffic, I don't want to have to tell them that they have to donate to a charity to appease a blacklist that we use. They are, of course, free to run their list however they like, but that is not the kind of news I want to deliver to my clients if they end up on the SORBS list and are unable to send me e-mail.


'zen.spamhaus.org' is pretty good. I recommend it.


You shouldn't be using DNSBL's directly. They cause too many false positives. The goal isn't necessarily to block spam, but to let all the good mail through. If you use a blacklist as an authority on what is spam, you'll have your bosses upset and nobody wants that.

Instead, use a composite approach. Tools like Spam Assassin or the various anti spam appliances use multiple sources and techniques. No one test determines if an email is spam.


The goal of using a DNS blacklist should not be to stop all spam -- it should be to block a good percentage of the spam, say 1/2 to maybe 2/3 of it. You're mainly doing this to reduce load on your servers.

The next step, the truly effective spam removal step, is a bayesian filtering engine. See Paul Grahams original article. They main benefit of bayesian filtering is that it provides an individual score for each email, based on the recipients past email history, interests and language.

If you follow the above approach it becomes important to avoid false positives in the first line of defense. You don't really care to maximize the effectiveness of the first filter, as you'll probably catch the remaining spam with the second filter. But you don't want false positives, as they cannot be undone later.

For this reason I like the University of Alberta traplist as my first filter. It contains only entries which have a very big probability of being spammers, and entries are removed if they have not been seen spamming within the last 24 hours.

The list can be downloaded from here. It is created by first greylisting (delaying first-time mail senders) and then greytrapping (if a mail server is already greylisted & it attempts delivery to a non-publicized email address, then greytrap it).

After 24 hours a host is automatically removed from the list, and is free to send emails again. Thus if the spamming has ended (say, a trojan was found and removed), then the host is free to send emails again. And if he's still spamming, then he will most likely just end up in the greytrap again shortly.

As said, I like the University of Alberta traplist a lot, but for completeness I should also mention Spamhaus DROP. It has a more minimalistic approach than most other RBLs, and would also make a good first filter in the above setup.

Related

Who picked 127.0.0.1 to be localhost and why? What meaning does it have?
Find interface for route to specific host
Recursively copying hidden files - Linux
Why don't we study algebraic objects with more than two operations?
Integral $\int_0^\infty\frac{1}{x\,\sqrt{2}+\sqrt{2\,x^2+1}}\cdot\frac{\log x}{\sqrt{x^2+1}}\mathrm dx$
Is positive the same as non-negative?
Are the rationals on a unit circle dense?
Lost anecdote of a mathematician who gave a presentation without saying a word [closed]
Prove that the 25 people can be seated in this way
Is sin(x) necessarily irrational where x is rational?
Differentiation, using d or delta
Is university math all about proofs? [closed]