The spam blacklist check tool queries several spam blacklists and reports whether they list a specified domain.
In the text box, enter one of:
- A domain name.
- An IP address in standard form.
- An IP address as a single decimal number, with the “Convert Base-10 to IP” box checked.
… and then click “Go.”
When to use it
If you aren’t receiving mail from a sender, or people aren’t receiving yours, it might be because the sender’s mail provider has gotten onto one or more spam blacklists. This tool helps you find out whether that has happened. Spam, as far as these lists are concerned, is simply unsolicited bulk email. It could be promoting a cause, advertising a legitimate product or service, promoting a scam, or carrying malware. The blacklists don’t distinguish among them.
What it does
The spam blacklist tool queries the following servers against the specified domain or IP address:
These servers all use different information sets and methods, so a sender may appear on some blacklists but not others. These lists don’t themselves block anything but only act as information sources. Spam lists identify IP addresses, not domains or physical machines.
A deeper look
Each list has its own criteria. Rfc-ignorant.org is no longer in existence and will soon be removed from this tool.
The SpamCop blocking list (SCBL) calls itself an “aggressive spam-fighting tool.” This means that it may have false positives. It relies on user reports, as well as monitoring “spamtrap” addresses that are publicly harvestable but never request mail. In addition, it uses information from queries from some sites that use SCBL and gives “reputation points” for queries on mail which isn’t spam. It weights recent mail most heavily and drops IP addresses which haven’t been reported in 24 hours.
If SpamCop reports an address is on its list, it will send back an IP address, usually 127.0.0.2, as a reply. Its value isn’t important. The reason some spam lists return IP addresses is that they accept nslookup queries, which are normally used for DNS lookup.
Spamhaus maintains five advisory lists, of which we use three: SBL, XBL, and ZEN.
The Spamhaus Block List (SBL) lists “IP addresses from which Spamhaus does not recommend the acceptance of electronic mail.” Inclusion is based on spamtrap email addresses and third-party intelligence.
The Exploits Block List (XBL) lists “IP addresses of hijacked PCs infected by illegal 3rd party exploits.” Addresses that send spam get included when an analysis of their connection indicates the presence of malware or an open proxy.
The Policy Block List (PBL) lists addresses which aren’t supposed to send SMTP mail to any server except their own ISP. A listed address isn’t necessarily actually sending spam. We don’t query this list directly, but it’s included in the Zen list.
The CSS list is a component of the SBL list that covers “IP addresses that are involved in sending low-reputation email.” This list can’t be separately queried, but it’s included in the SBL and Zen lists.
The Zen list combines all the Spamhaus lists and is the one Spamhaus recommends for most situations. It advises against using it in combination with other Spamhaus lists, since that would be a waste of resources. This list returns an IP address which tells you which list the offending address was found on:
- 127.0.0.2: SBL
- 127.0.0.3: CSS
- 127.0.0.4-7: XBL
- 127.0.0.10-11: PBL
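How such a lookup and the Zen codes above fit together, as an added example (not this tool's code): the reversed-octet query name is the standard DNSBL convention rather than something this page states, and the zone zen.spamhaus.org and all function names are assumptions of the example.

```python
import ipaddress
import socket

# Zen return codes exactly as listed above: (low, high, component list).
ZEN_CODES = [(2, 2, "SBL"), (3, 3, "CSS"), (4, 7, "XBL"), (10, 11, "PBL")]


def normalize_ip(text, base10=False):
    """Accept a dotted IPv4 address or, with base10=True, one decimal number."""
    return str(ipaddress.IPv4Address(int(text) if base10 else text))


def dnsbl_name(ip, zone):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def decode_zen(answer):
    """Name the Spamhaus list behind one Zen answer, or 'unknown'."""
    addr = ipaddress.IPv4Address(answer)
    if int(addr) >> 8 != 0x7F0000:      # only 127.0.0.x appears in the table
        return "unknown"
    last = int(addr) & 0xFF
    for low, high, name in ZEN_CODES:
        if low <= last <= high:
            return name
    return "unknown"                    # never read an unlisted code as a hit


def check(ip, zone, resolve=socket.gethostbyname_ex):
    """Return the A-record answers for ip on zone; [] means not listed."""
    try:
        return sorted(resolve(dnsbl_name(ip, zone))[2])
    except (socket.gaierror, socket.herror):
        # Any failed lookup is treated as "not listed" here; production code
        # should tell a missing name apart from a resolver error or timeout.
        return []


def zen_report(text, base10=False, resolve=socket.gethostbyname_ex):
    """Look an address up on Zen and decode every answer it returns."""
    ip = normalize_ip(text, base10)
    return {a: decode_zen(a) for a in check(ip, "zen.spamhaus.org", resolve)}
```

A single address can come back with several answers at once, which is why `zen_report` decodes each one instead of stopping at the first.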
Surriel runs the Passive Spam Block List (psbl.surriel.com). It relies entirely on spamtraps to receive unsolicited mail. Whitelisted sources and bounces are filtered out. It will generally give a response of 127.0.0.2 if an address is listed, which doesn’t mean anything more than that it’s listed.
What if you’re blacklisted?
If you find your own site on one or more blacklists, it could cause serious problems. Assuming you aren’t knowingly spamming, many explanations are possible.
Spam could be coming from a user account, even if you don’t know it. One of your users might be spamming without your knowledge, or an outsider could have broken into a user account.
Large mailing lists are risky. If people “sign up” without being aware that they have, they may send in spam complaints, and likewise if they aren’t promptly removed when they unsubscribe. If you have a list of more than a few hundred addresses, you should use a mailing list service, or at least dedicated list management software. Some service providers will object to mail going to a huge number of addresses, even if they’re all legitimate.
There could also be outgoing mail that doesn’t come from any of your users. Malware on your computer could be sending out spam. If one of your users sets up a forwarding address and your system forwards to it spam that was sent to your users, it appears as if you’re doing the spamming. If you have a dynamic IP address, the spam might not be from your computer at all, but from a spammer who previously used the same address.
Spamhaus provides different return codes that can help identify the problem. You can contact the blacklisting organization and ask to be removed. Some, such as Surriel, will do it just for the asking; others require evidence that the problem has gone away.
If you want to check all your incoming email against blacklists, please don’t create a script to use our tool. It’s very inefficient both for you and for us. Check the information on the respective sites to learn how to query the lists as mail comes in.
The lists don’t themselves block any mail. They provide information which incoming mail servers can use or misuse.
Email spam first became a serious problem in the 1990s. Spam blocking lists date back to 1997, with the creation of the Real-time Blackhole List (RBL) by Paul Vixie and Dave Rand, as part of the Mail Abuse Prevention System (MAPS).
The use of zombie computers, aka bots, arose in the 21st century. It vastly increased the number of computers sending spam, making it harder to identify and block offenders. Spammers and spam blockers have been in an arms race ever since.