RBLs in use

Chris Lewis clewis at nortelnetworks.com
Thu Nov 20 17:06:35 UTC 2003

Suresh Ramasubramanian wrote:

> You need a fairly wide coverage of BLs.

> # Open proxies - http://opm.blitzed.org and 
> http://proxies.blackholes.easynet.nl

I would add the SORBS http and SORBS socks lists to this.

> # Open relays - http://www.ordb.org

I'd add VISI to that too.

> # Dialup and DSL/cable dynamic IPs - http://dynablock.easynet.nl
> # Current spam sources - http://cbl.abuseat.org [strongly recommended]

CBL tends to list only open proxies and spam trojans, but there's a few 
"classic viri emitters" (ie: Yaha) and a _very_ small number of "grossly 
misconfigured mail servers" in it too.  All of which you want to know 
about anyway.

What you can do is do zone downloads of the open relay/proxy/CBL lists 
above and correlate them to your own netblocks.  _Very_ helpful in 
finding compromised systems.

With dynablock, you may want to audit it for accuracy against your IP 
allocations.  They're responsive to update requests.

SBL/SPEWS identifies your spammers.  But as Suresh says, be careful to 
interpret the SPEWS listings correctly, so you nail the spammer, not the 
collateral damage.

There are a lot more DNSBLs, but the above ones are the most respected, 
important and useful for your purposes.  XBL & Spambag, for example, are 
too rabid to worry about.  Anybody who uses them gets what they deserve.

More information about the NANOG mailing list