Spam-DNS-Blocking-List (SpamDNSBL) lists IP addresses which have transmitted spam email. Email service providers and individual users can use SpamDNSBL to block and filter unwanted email. The SpamDNSBL is a fast and automatic list of sites sending reported mail, fueled by a number of sources, including automated reports and SpamDNSBL user submissions. The SpamDNSBL is time-based, resulting in quick and automatic delisting of these sites when reports stop.
How SpamDNSBL Works
SpamDNSBL is a list of IP addresses which have transmitted reported email to SpamDNSBL users. The sending system can be a direct email source (such as a site's primary mail server) or an indirect source (such as an open proxy or open relay that has been abused to send spam). The SpamDNSBL weights the number of reports referencing an IP against a sample of the total amount of email sent by that IP. This method is not perfect. For example, some IPs which send a significant amount of reported mail may rarely or never be listed in the SpamDNSBL because those IPs also send a lot of non-reported mail.
SpamDNSBL uses a number of report sources, including SpamDNSBL users, spamtraps and websites that use the SpamDNSBL-System. Spamtraps are email addresses that spammers have harvested or created, but the owner of these email addresses never used them to receive wanted email or to subscribe intentionally to mailing lists. SpamDNSBL also monitors queries from a sample of sites that use the SpamDNSBL. SpamDNSBL users query the SpamDNSBL nameservers during every SMTP transaction. We count the total number of queries for each IP address and whether or not that IP address appears on the SpamDNSBL, to generate an estimate of how much email is transmitted by each IP. When a sampled site queries the SpamDNSBL about an IP address sending mail which is not reported mail, that host is given a reputation point.
Most of the sites SpamDNSBL monitors send either mostly reported email or mostly non-reported email. The difficult part is deciding what to do with ones in the middle. These few systems account for the most email.
Some blocking lists block mail from misconfigured or insecure servers (such as open proxies or open relays), or from certain classes of machines (such as machines with dynamically-assigned IP addresses). The SCBL does not consider these characteristics. Instead, the SCBL lists only IP addresses of machines that are sending reported email. As a result, IP addresses which do not host a misconfigured or insecure server, but do send reported mail, may be listed. An insecure machine that has never been abused would not be listed.
Timeliness is key to the SCBL's value. The automated queries result in fast listing of spam sources, which increases the accuracy of the SCBL. Also, without any additional reports, a reported address stays on the SCBL for only 24 hours. This limits the amount of damage if users make a mistake and report legitimate mail using SpamDNSBL.
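
The weighting of reports against sampled mail volume and the 24-hour expiry described above can be modelled in a few lines. This is an added illustration, not SpamDNSBL's own code: the class, the method names and the 2% listing threshold are assumptions, since the page gives no formula, and the IP addresses are constructed documentation addresses.

```python
from dataclasses import dataclass, field

REPORT_TTL = 24 * 3600   # from the page: a report keeps an IP listed for 24 hours
LIST_RATIO = 0.02        # assumption: listed when live reports exceed 2% of observed mail


@dataclass
class IPRecord:
    report_times: list = field(default_factory=list)  # epoch seconds of each spam report
    reputation: int = 0   # sampled queries for mail that was not reported


class ToyBlockList:
    """Hypothetical model of a time-based, report-weighted blocking list."""

    def __init__(self):
        self.records = {}

    def _rec(self, ip):
        return self.records.setdefault(ip, IPRecord())

    def report(self, ip, now):
        """A user, spamtrap or website reports mail received from this IP."""
        self._rec(ip).report_times.append(now)

    def sampled_clean_query(self, ip, count=1):
        """A sampled site queried the list about mail that was never reported."""
        self._rec(ip).reputation += count

    def is_listed(self, ip, now):
        rec = self.records.get(ip)
        if rec is None:
            return False          # never reported, so never listed
        # Drop expired reports: with no fresh reports the IP delists itself.
        rec.report_times = [t for t in rec.report_times if now - t < REPORT_TTL]
        live = len(rec.report_times)
        if live == 0:
            return False
        # Weigh reports against the sampled estimate of total mail volume.
        return live / (live + rec.reputation) > LIST_RATIO


def build_demo():
    """Constructed sample: a low-volume spam source and a high-volume mixed sender."""
    bl = ToyBlockList()
    for i in range(5):
        bl.report("192.0.2.10", now=i * 60)
        bl.report("198.51.100.7", now=i * 60)
    bl.sampled_clean_query("198.51.100.7", 10000)
    return bl
```

With the same five reports, the low-volume source is listed while the high-volume sender is not, which is the imperfection the text points out; both stop counting once the reports are older than 24 hours.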