Common Responses from DNSBLs/Blacklists And Their Meaning

Did you get a 127.0.0.1 error from a blacklist and aren't sure what it means?

Each DNS-based blacklist (DNSBL) provider may have its own set of return codes and meanings. While some patterns might be similar across different DNSBLs, the specific codes and their meanings can vary.

Before we begin, here are some of the most common and impactful RBLs:

1. Spamhaus

  • Impact: High

  • Description: Spamhaus is one of the most respected and widely used RBLs. It maintains several lists, including the Spamhaus Block List (SBL), Exploits Block List (XBL), and Policy Block List (PBL).

  • URL: Spamhaus

2. Barracuda Reputation Block List (BRBL)

  • Impact: High

  • Description: Barracuda Networks provides this RBL, which is used by many organizations to block IPs that are known sources of spam.

  • URL: BarracudaCentral

3. SpamCop Blocking List (SCBL)

  • Impact: High

  • Description: SpamCop is a popular RBL that aggregates spam reports from users to identify and block spammers.

  • URL: SpamCop

4. SORBS (Spam and Open Relay Blocking System)

  • Impact: Moderate to High

  • Description: SORBS maintains multiple lists, including those for spam sources, open relays, and dynamic IP addresses.

  • URL: SORBS

5. UCEPROTECT

  • Impact: Moderate

  • Description: UCEPROTECT offers three levels of blacklists, with Level 1 being the most strict. It focuses on blocking IPs involved in spam activities.

  • URL: UCEPROTECT

6. DNSBL (DNS Blackhole List)

  • Impact: Moderate

  • Description: This is a generic term for DNS-based blacklists. Multiple organizations maintain these lists, and they are used by various email servers.

  • URL: Varies by provider

7. CBL (Composite Blocking List)

  • Impact: High

  • Description: The CBL is maintained by Spamhaus and lists IPs exhibiting characteristics of open proxies, spam bots, and other unwanted email activity.

  • URL: CBL

8. Invaluement

  • Impact: Moderate

  • Description: Invaluement maintains multiple RBLs, including ivmSIP (for spam sources) and ivmURI (for spamvertized URLs).

  • URL: Invaluement

9. PSBL (Passive Spam Block List)

  • Impact: Moderate

  • Description: PSBL is a lightweight RBL that lists IPs based on spam reports and activity.

  • URL: PSBL

10. NJABL (Not Just Another Bogus List)

  • Impact: Moderate

  • Description: NJABL was historically popular, although it ceased operations in 2013. Its historical impact was significant, and some older systems might still reference it.

  • URL: NJABL

Breaking Down Common DNSBLs and Their Return Codes

Spamhaus

  • 127.0.0.2: Listed on the SBL (general spam source).

  • 127.0.0.3: Listed on the PBL (Policy Block List).

  • 127.0.0.4: Listed on the XBL (compromised or infected machine).

  • 127.0.0.5: Listed on the PBL.

  • 127.0.0.6: Listed on both SBL and XBL.

  • 127.0.0.7: Listed on SBL, XBL, and PBL.

  • 127.0.0.9: Listed on SBL and PBL.

  • 127.0.0.10: Listed on the XBL (other exploit activities).

  • 127.255.255.254: Query was blocked or rate-limited by Spamhaus.

Other Common DNSBLs

Different DNSBL providers have their own set of return codes. Here are examples from a few other providers:

SpamCop

  • 127.0.0.2: Listed (general spam source).

Barracuda

  • 127.0.0.2: Listed (general spam source).

SORBS

  • 127.0.0.2: Dynamic IP ranges.

  • 127.0.0.3: Non-mail servers.

  • 127.0.0.4: Spam database.

  • 127.0.0.5: Exploitable servers.

  • 127.0.0.6: Hijacked IP space.

  • 127.0.0.7: SMTP servers.
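
The same return code means different things at different providers, and some answers report a problem with the query rather than a listing. The following is an added example, not code from the original article or from any provider: it builds the standard reversed-octet lookup name and interprets the returned A records per provider, using a subset of the tables above. The zone `dnsbl.example` and the function names are placeholders chosen for illustration.

```python
import ipaddress

# Subset of the per-provider meanings listed above; confirm with each provider.
CODES = {
    "Spamhaus": {
        "127.0.0.2": "Listed on the SBL (general spam source)",
        "127.0.0.4": "Listed on the XBL (compromised or infected machine)",
    },
    "SORBS": {
        "127.0.0.2": "Dynamic IP ranges",
        "127.0.0.4": "Spam database",
    },
}
# Answers that report a problem with the query itself, not a listing.
QUERY_ERRORS = {
    "Spamhaus": {"127.255.255.254": "Query was blocked or rate-limited"},
}
DNSBL_RANGE = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone):
    """Build the lookup name: reversed IPv4 octets followed by the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def interpret(provider, answers):
    """Classify the A records from one lookup; an empty list means NXDOMAIN."""
    if not answers:
        return ("not_listed", [])
    listings, errors = [], []
    for answer in answers:
        addr = ipaddress.IPv4Address(answer)
        code = str(addr)
        if addr not in DNSBL_RANGE:
            # Return codes live in 127.0.0.0/8; anything else is not a DNSBL
            # answer (for example a resolver that rewrites failed lookups).
            errors.append(f"{code}: not a DNSBL return code")
        elif code in QUERY_ERRORS.get(provider, {}):
            errors.append(f"{code}: {QUERY_ERRORS[provider][code]}")
        else:
            meaning = CODES.get(provider, {}).get(
                code, "listed, code not in local table; check provider docs")
            listings.append(f"{code}: {meaning}")
    # An error answer is never reported as a listing.
    return ("listed", listings) if listings else ("error", errors)
```

Feed `interpret` the A records your resolver returns for `query_name(ip, zone)`; a mail filter should reject only on the `listed` status and log the `error` status for follow-up.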

Example Return Codes for Custom RBLs

Here are some example mappings for custom RBLs based on typical configurations. You would need to confirm these with each RBL provider:

abuse.ro URI RBL

  • 127.0.0.2: URI blacklisted (spam or phishing).

cantv.net dul

  • 127.0.0.2: Dynamic IP address (should not be sending mail directly).

cantv.net hog

  • 127.0.0.2: IP address involved in high-volume spamming.

cantv.net rhsbl

  • 127.0.0.2: Right-hand side blacklist (domain or IP listed for abuse).

To Dig Further On Their Meanings

These meanings are "generic" and can change from RBL to RBL, so treat the list below as nothing more than a soft guide. The ideal approach is to review the documentation of the specific RBLs you've been listed on.

  1. 127.0.0.2 - Open Relay

    • The IP address has been detected as an open relay, meaning it allows anyone to send email through it without authentication. This is a common tactic used by spammers.

  2. 127.0.0.3 - Known Spam Operation or Open Relay

    • The IP address has been identified as a source of spam. This could be due to a high volume of unsolicited emails originating from this address.

  3. 127.0.0.4 - Dynamic IP, Open Proxy, or Detected in CBL

    • The IP address is an open proxy. Open proxies allow unauthenticated users to route their traffic and are often used by spammers to disguise their true origin. Put another way, the IP is part of a dynamic IP range, detected as an open proxy, or listed in the Composite Blocking List due to malicious activity.

  4. 127.0.0.5 - Malware, Formmail Spam, or Proxy Detection

    • The IP address is an open SOCKS proxy. Similar to open proxies, these allow users to relay their traffic anonymously, often for nefarious purposes.

  5. 127.0.0.6 - Dynamic IP or Policy Violation

    • The IP is part of a dynamic range or violates the RBL’s policy for acceptable email sending.

  6. 127.0.0.7 - Formmail Spam

    • The IP address has been used to exploit web formmail scripts to send spam.

  7. 127.0.0.8 - Virus Infected

    • The IP address has been flagged for sending virus-infected emails. This often indicates a compromised machine.

  8. 127.0.0.9 - Dictionary Attack

    • The IP address has been used in dictionary attacks, where spammers attempt to guess email addresses by systematically combining common names and domains.

  9. 127.0.0.10 - Spamvertised Site

    • The IP address is associated with a website that is heavily advertised in spam emails.

  10. 127.0.0.11 - Hijacked IP Space

    • The IP address is part of an IP range that has been hijacked for malicious use.

  11. 127.0.0.12 - Phishing

    • The IP address has been identified as a source of phishing emails, attempting to steal personal information.

  12. 127.0.0.13 - Malware Hosting

    • The IP address is associated with hosting or distributing malware.

  13. 127.0.0.14 - Botnet C&C

    • The IP address is a known command and control server for a botnet, used to control infected machines.

  14. 127.0.0.15 - Dynamic IP Address

    • The IP address is part of a dynamic IP range typically assigned to residential customers, often flagged due to the potential for abuse.
