Production Zones

Zones

Combined Blocklist

Status:

Production

Type:

Cloud DNS namespace:

<APIKEY>.combined.mail.abusix.zone.

Rsync File:

lists/black.zone, lists/exploit.zone, lists/dynamic.zone

Return Codes:

127.0.0.2, 127.0.0.3, 127.0.0.200, 127.0.0.4, 127.0.0.11, 127.0.0.12

Test Points:

127.0.0.2, 127.0.0.3, 127.0.0.200, 127.0.04, 127.0.0.11, 127.0.0.12, ::FFFF:7F00:2, ::FFFF:7F00:3, ::FFFF:7F00:4

Listing Duration:

Varies (see individual list for details)

Description

This list is used for inbound mail and aggregates all of our recommended IP lists into a single query for convenience and speed. The “combined” list includes the black, exploit, and policy IP lists.


Spam Blocklist

Status:

Production

Type:

Cloud DNS namespace:

<APIKEY>.black.mail.abusix.zone.

Rsync File:

lists/black.zone

Return Codes:

127.0.0.2, 127.0.0.3, 127.0.0.200

Test Points:

127.0.0.2, 127.0.0.3, 127.0.0.200, ::FFFF:7F00:2, ::FFFF:7F00:3

Listing Duration:

Approximately 5.2 days from when traffic was last seen

Description

This list contains the IP addresses of hosts that have sent emails to our primary traps. These traps are domains that have never been used for genuine mail or have rejected all mail for over a year. The list also includes some manual network entries that we maintain.

Common causes for being listed here include compromised accounts, infected hosts, botnets, spam gangs, purchased email address lists, poor sign-up processes, open web forms, open proxies, TOR exit nodes, and VPNs.

If this data find any matching IP address, it will return 127.0.0.2.

In addition, some automated heuristics use all of our trap networks and partner transaction feeds to look for IP addresses with very low reputation or IPs in the same vicinity of hosts hitting our primary traps. IPs found in this data will return 127.0.0.3.

We also maintain a number of semi-permanent manual listings, which will return 127.0.0.200.

This list can also be safely used to check each “Received” header hop found within a message if your MTA or spam filter can do so.

Example query:

$ host  2.0.0.127.<APIKEY>.black.mail.abusix.zone.
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.2
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.3
2.0.0.127.<APIKEY>.black.mail.abusix.zone has address 127.0.0.200

Exploit Blocklist

Status:

Production

Type:

Cloud DNS namespace:

<APIKEY>.exploit.mail.abusix.zone.

Rsync File:

lists/exploit.zone

Return Codes:

127.0.0.4

Test Points:

127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4

Listing Duration:

Approximately 5.2 days from when traffic was last seen

Description

This list is generated by monitoring the behavior of hosts that connect to our traps and our partner’s mail services. It includes any IP address that exhibits behavior specific to compromised hosts, botnet/virus infections, proxies, VPNs, TOR exit nodes, or IPs that are NAT’ing for these hosts. These behaviors are not expected from a genuine SMTP client.

You can also use this list to check each “Received” header hop found within a message safely.

Example query:

$ host 2.0.0.127.<APIKEY>.exploit.mail.abusix.zone.
2.0.0.127.<APIKEY>.exploit.mail.abusix.zone has address 127.0.0.4

Policy Blocklist

Status:

Production

Type:

IPv4 only

Cloud DNS namespace:

<APIKEY>.dynamic.mail.abusix.zone.

Rsync File:

lists/dynamic.zone

Return Codes:

127.0.0.11, 127.0.0.12

Test Points:

127.0.0.2, 127.0.0.11, 127.0.0.12

Listing Duration:

Indefinitely

Description

This zone is our email “Policy” blocklist. It contains a list of all IP addresses that should not be connecting directly to external SMTP servers. Instead, they should use their ISP or mailbox provider’s smarthost to relay messages using some form of SMTP authentication.

The purpose of this list is to preemptively identify any IP that is unsuitable for use with an SMTP server. This helps to immediately catch newly compromised hosts, hijacked IP space, and other threats without requiring trap hits for listings.

💡
It is normal for a non-SMTP server IP to be listed in this zone. This will not cause any ill-effects, e.g. it will not prevent mail from being sent from this IP or range.

The list is built by constantly scanning the entire IPv4 range and applying a policy that states:

  • An IP address MUST have rDNS.
  • rDNS must not be ‘templated,’ e.g., two or more octets of the IP address MUST NOT appear (this can be in hex, decimal, etc.) within the rDNS label (there are exceptions for static* mail* mx* smtp*, etc.) and should reflect the hostname of the SMTP server.
  • Contiguous ranges of IP addresses MUST NOT have the same rDNS.

127.0.0.11 is returned for hosts with generic rDNS.

127.0.0.12 is returned for hosts with no rDNS.

Warning This zone should only be used on border SMTP hosts, not smart hosts or SMTP AUTH outbound servers, as you could block your customers. This list should never be used for Received headers hops or for anything other than checking IP addresses that hand off to your mail server(s), as doing so will cause significant numbers of false positives.

Delisting

Anyone can request a delisting from this zone, and a semi-permanent exception will be created automatically. Exceptions are only pruned when they are no longer necessary. Still, in the future, we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale.

💡
Note We do not allow delists of CIDR ranges from the Policy list. Only IPs that meet the policy requirements are delisted. If you have updated your rDNS recently and would like us to re-scan it, please get in touch with us via our support channels, and we will do this for you.

Example query:

$ host 2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone.
2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone has address 127.0.0.11
2.0.0.127.<APIKEY>.dynamic.mail.abusix.zone has address 127.0.0.12
💡
Note to Rsync users You will also see a zone file called “policy.zone” which is now deprecated. This was a stricter version of the Policy Blacklist, including hosts with “static” within their rDNS labels. Please check that you are using the correct zone file, as the “policy.zone” will be removed in the future to save bandwidth and confusion.

Domain Blocklist

Status:

Production

Type:

Domain, IPv4

Cloud DNS namespace:

<APIKEY>.dblack.mail.abusix.zone.

Rsync File:

lists/dblack.zone

Return Codes:

127.0.1.1, 127.0.1.2, 127.0.1.3

Test Points:

*.test, 127.0.0.2, 127.0.1.1, 127.0.1.2, 127.0.1.3

Listing Duration:

Approximately 5.2 days after last seen

Description

This list applies to both inbound and outbound mail and contains domains and IP addresses found in the message body of spam received by our primary traps. We also follow any short URL links found in spam and list any intermediate or destination domains.

💡
Info This list should be used as a URI DNSBL (e.g., checking domain names or IP addresses found in the message body), but can also be used as an RHSBL where the rDNS, SMTP HELO, MAIL FROM domain, DKIM d= domain, Message-ID domain, and List-Unsubscribe headers are checked against it. The list should not be used to check the connecting IP address, though only IP addresses are in the message body.

127.0.1.1 is returned for domains/IPs found in the message body.

127.0.1.2 is returned for newly observed domains (found using other trap types).

127.0.1.3 is returned for domains found by following short URLs.

💡
Info The list of wildcards domains to make this list as easy to implement as possible. That means the zone lists the parent domain and any sub-domains, so you don’t need to normalize the hostname or domain name before querying.

Example query:

$ host 2.0.0.127.<APIKEY>.dblack.mail.abusix.zone.
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.1
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.2
2.0.0.127.<APIKEY>.dblack.mail.abusix.zone has address 127.0.1.3
💡
Note When creating the domain list, we found that many spams go to great lengths to evade detection, using open redirectors, short URLs, and online drive services like Google Drive and Yandex Disk. Thus, we created several lists to combat this; see the shorthash and diskhash lists. When dblack, shorthash, and drivehash are combined, you will get the best possible coverage and protection available.

Shorthash Blocklist (short URLs)

Status:

Production

Type:

SHA-1 Hash

Cloud DNS namespace:

<APIKEY>.shorthash.mail.abusix.zone.

Rsync File:

lists/shorthash.zone

Return Codes:

127.0.3.1

Test Points:

127.0.02, 127.0.3.1, *.test, d2e4345eef7b21a542ed6d7c3dd191585b344461 (abusix.ai/testpoint), f4d986915d728956d139397effd00fee0e3725e4 (abusix.ai/testpoint/hash/short)

Listing Duration:

Approximately 5.2 days after last seen

Description

This list applies to both inbound and outbound mail. Its purpose is to block short URLs seen in the message body of spam sent to our primary traps.

The domain blacklist is complemented by this list because short URLs have become a common way for spammers to avoid domain blacklisting by hiding behind these services. However, listing some short URL domains may cause significant false positives. Additionally, these shortening services are usually very poor at handling abuse of their services.

Since it is impossible to represent a full URL in a DNS query, the short URLs are first normalized, then SHA-1 hashed, and the hash value is used for lookup instead of the URL.

To normalize the short URL, remove the scheme, then take only the “hostname” (in lowercase) and “pathname”, and then calculate the SHA-1 hash of the result.

http://BiT.do/e3s49?foo=bar&bar=baz → SHA1(bit.do/e3s49)
= bb395cece75455415de5f3b6f75c13352586788c
💡
Info As this is an entirely new type of anti-spam check, it will require support to be added to your chosen mail platform. Rspamd Please look at our set-up instructions for rspamd, which contains the necessary code to do these lookups. See link

Diskhash Blocklist (drive URLs)

Status:

Production

Type:

SHA-1 Hash

Cloud DNS namespace:

<APIKEY>.diskhash.mail.abusix.zone.

Rsync File:

lists/diskhash.zone

Return Codes:

127.0.3.2

Test Points:

127.0.0.2, 127.0.3.2, *.test, d2e4345eef7b21a542ed6d7c3dd191585b344461 (abusix.ai/testpoint), 2f07095f95bc86bc310febc625ee9327a69fde0b (abusix.ai/testpoint/hash/disk)

Listing Duration:

Approximately 5.2 days after last seen

Description

This list applies to both inbound and outbound mail. Its purpose is to identify and list URLs for online file storage services that appear in the message body of spam that is sent to our primary traps.

This list is complementary to the domain blacklist, as spammers often use online file storage services like Google Drive and Yandex Disk to avoid IP and domain blacklisting by hiding behind these services. Unfortunately, these services are often poor at handling abuse of their services.

Since it is impossible to represent a full URL in a DNS query, the URLs are first normalized, then SHA-1 hashed, and the hash value is used for lookup instead of the URL.

To normalize the short URL, remove the scheme, then take only the “hostname” (in lowercase) and “pathname”, and finally calculate the SHA-1 hash of the result.

https://drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view
→ SHA1(drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view)
= f947e57d2326ca86ba9bead20696a9208a7acdd6
💡
Info As this is an entirely new type of anti-spam check, it will require support to be added to your chosen mail platform. Rspamd Please look at our set-up instructions for rspamd, which contains the necessary code to do these lookups. See link

Authbl Blocklist

Status:

Production

Type:

Cloud DNS namespace:

<APIKEY>.authbl.mail.abusix.zone.

Rsync File:

lists/authbl.zone

Return Codes:

127.0.0.4

Test Points:

127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4

Listing Duration:

Approximately 12 hours from when traffic was last seen

Description

This list is used for outbound mail and is a subset of the exploit zone. However, it only includes hosts that have been seen in the last 12 hours, instead of the usual 5.2 days. The shorter listing time is intended to avoid false positives where an IP address is returned to a DHCP pool.

The list includes the IP addresses of infected hosts, botnet members, proxies, VPNs, TOR exit nodes, and hosts attempting to authenticate to our honeypots. It is intended to be used for identifying and preventing account compromises or as a blocklist for preventing listed hosts from authenticating to your services running on HTTP, IMAP, SMTP, SSH, etc. This can prevent dictionary attacks, brute force, or logging in with phished credentials, among other things.

Postfix

In Postfix, you may use this list to prevent authenticated users from relaying mail from listed IPs (e.g., where the account could be compromised).

In main.cf you would set “smtpd_relay_restrictions” to the following (or add this if missing):

smtpd_relay_restrictions = permit_mynetworks reject_rbl_client <APIKEY>.authbl.mail.abusix.zone permit_sasl_authenticated defer_unauth_destination

Replace <APIKEY> with the key from your account in app.abusix.com.

rsync

For those with rsync access, this zone is an rbldnsd zone, like our other lists. However, you can post-process the zone file and use it as an access control list for many other services by stripping out the rbldnsd metadata. To do this, run:

grep -Pv '^(\#|\$|:[^:]|127\.0\.0\.[24]|::FFFF:7F00:[24])' authbl.zone > authbl_ip_list

authbl_ip_list will contain just the IP addresses and can be imported into other software.


Welcome List

Status:

Production

Type:

IPv4, IPv6, Domain

Cloud DNS namespace:

<APIKEY>.white.mail.abusix.zone.

Rsync File:

lists/white.zone

Return Codes:

127.0.2.1

Test Points:

127.0.0.2, ::FFFF:7F00:2, 127.0.2.1

Listing Duration:

Varies

Description

This list aggregates multiple whitelist sources, including IPv4, IPv6, and domains.

All sources return the same return code.

The sources of this list are:

Warning This list is not supposed to be used as a “this IP or domain never sends spam” list or to allow any listed IP or domain free passage through your filtering systems. Every good blocklist starts with a great welcome list, as there are lots of IPs and domains you would want to avoid blocking, as doing so would cause significant false positives. We publish this zone for completeness.
💡
Tip A good use for this zone would be to exclude listed hosts from being greylisted.

DNSWL List

Status:

Production

Type:

Cloud DNS namespace:

<APIKEY>.dnswl.mail.abusix.zone.

Rsync File:

lists/dnswl.zone

Return Codes:

Varies (see below)

Test Points:

127.0.0.2, ::2, ::FFFF:7F00:2

Listing Duration:

Varies

Description

This is our mirror of www.dnswl.org

Return Codes

The return codes of dnswl are structured as 127.0.x.y, with “x” indicating the category of an entry and “y” indicating how trustworthy an entry has been judged.

Categories (127.0.X.y)

2 – Financial services

3 – Email Service Providers

4 – Organisations (both for-profit [i.e., companies] and non-profit)

5 – Service/network providers

6 – Personal/private servers

7 – Travel/leisure industry

8 – Public sector/governments

9 – Media and Tech companies

10 – some special cases

11 – Education, academic

12 – Healthcare

13 – Manufacturing/Industrial

14 – Retail/Wholesale/Services

15 – Email Marketing Providers

20 – Added through Self Service without a specific category

Trustworthiness / Score (127.0.x.Y)

0 = none – only avoid outright blocking (e.g., large ESP mailservers, -0.1)

1 = low – reduce the chance of false positives (-1.0)

2 = medium – make sure to avoid false positives but allow override for clear cases (-10.0)

3 = high – avoid override (-100.0).


nod List (Newly Observed Domains)

Status:

Production

Type:

Domain

Cloud DNS namespace:

<APIKEY>.nod.mail.abusix.zone.

Rsync File:

lists/nod.zone

Return Codes:

127.0.1.2

Test Points:

.test

Listing Duration:

25 hours

Description

This list includes all newly observed domains, with each domain wildcarded. Being listed does not necessarily mean that the domain is bad, but knowing a new domain can be helpful for other things like scoring or meta-rules.

The data for this list is provided by our partner, Farsight Security, using their massive real-time Passive DNS sensor network. The list includes domains from every TLD and ccTLD. This also means that a domain could have been registered months previously but has only been entered into use for an email in the last 25 hours.

💡
Info Our domain blocklist (dblack) already contains newly observed domains that have been seen sending mail to any of our traps. To implement this list as easily as possible, it wildcards all domains. This means the parent domain and any sub-domains are listed, so you do not need to normalize the hostname or domain name before querying it.

noip List (Newly Observed IPs)

Status:

Production

Type:

Cloud DNS namespace:

<APIKEY>.noip.mail.abusix.zone.

Rsync File:

lists/noip.zone

Return Codes:

127.0.0.100

Test Points:

127.0.0.2, 127.0.0.100

Listing Duration:

25 hours

Description

This list contains all newly observed IP addresses. Being listed doesn’t necessarily mean that the IP address is bad. However, this information is helpful for scoring and metarules, especially when combined with other data.

We store every IP address that sends SMTP traffic to our traps or partners over the last 30 days to build this list. Then, any new IPs that we observe and have not seen before are listed for 25 hours.