Each DNS-based blacklist (DNSBL) provider may have its own set of return codes and meanings. While some patterns might be similar across different DNSBLs, the specific codes and their meanings can vary.
Before we begin, here are some of the most common and impactful RBLs:
Impact: High
Description: Spamhaus is one of the most respected and widely used RBLs. It maintains several lists, including the Spamhaus Block List (SBL), Exploits Block List (XBL), and Policy Block List (PBL).
URL: Spamhaus
Impact: High
Description: Barracuda Networks provides this RBL, which is used by many organizations to block IPs that are known sources of spam.
URL: BarracudaCentral
Impact: High
Description: SpamCop is a popular RBL that aggregates spam reports from users to identify and block spammers.
URL: SpamCop
Impact: Moderate to High
Description: SORBS maintains multiple lists, including those for spam sources, open relays, and dynamic IP addresses.
URL: SORBS
Impact: Moderate
Description: UCEPROTECT offers three levels of blacklists, with Level 1 being the most strict. It focuses on blocking IPs involved in spam activities.
URL: UCEPROTECT
Impact: Moderate
Description: This is a generic term for DNS-based blacklists. Multiple organizations maintain these lists, and they are used by various email servers.
URL: Varies by provider
Impact: High
Description: The CBL is maintained by Spamhaus and lists IPs exhibiting characteristics of open proxies, spam bots, and other unwanted email activity.
URL: CBL
Impact: Moderate
Description: Invaluement maintains multiple RBLs, including ivmSIP (for spam sources) and ivmURI (for spamvertized URLs).
URL: Invaluement
Impact: Moderate
Description: PSBL is a lightweight RBL that lists IPs based on spam reports and activity.
URL: PSBL
Impact: Moderate
Description: NJABL was historically popular, although it ceased operations in 2013. Its historical impact was significant, and some older systems might still reference it.
URL: NJABL
Spamhaus
127.0.0.2: Listed on the SBL (general spam source).
127.0.0.3: Listed on the PBL. (Policy Block List)
127.0.0.4: Listed on the XBL (compromised or infected machine).
127.0.0.5: Listed on the PBL.
127.0.0.6: Listed on both SBL and XBL.
127.0.0.7: Listed on SBL, XBL, and PBL.
127.0.0.9: Listed on SBL and PBL.
127.0.0.10: Listed on the XBL (other exploit activities).
127.255.255.254: Query was blocked or rate-limited by Spamhaus.
Other Common DNSBLs
Different DNSBL providers have their own set of return codes. Here are examples from a few other providers:
SpamCop
127.0.0.2: Listed (general spam source).
Barracuda
127.0.0.2: Listed (general spam source).
SORBS
127.0.0.2: Dynamic IP ranges.
127.0.0.3: Non-mail servers.
127.0.0.4: Spam database.
127.0.0.5: Exploitable servers.
127.0.0.6: Hijacked IP space.
127.0.0.7: SMTP servers.
Here are some example mappings for custom RBLs based on typical configurations. You would need to confirm these with each RBL provider:
abuse.ro URI RBL
127.0.0.2: URI blacklisted (spam or phishing).
cantv.net dul
127.0.0.2: Dynamic IP address (should not be sending mail directly).
cantv.net hog
127.0.0.2: IP address involved in high-volume spamming.
cantv.net rhsbl
127.0.0.2: Right-hand side blacklist (domain or IP listed for abuse).
These are "generic" and can change from RBL to RBL so use the below as nothing but a soft guide. The ideal approach here would be to review the docs of the specific RBLs you've been listed for.
127.0.0.2 - Open Relay
The IP address has been detected as an open relay, meaning it allows anyone to send email through it without authentication. This is a common tactic used by spammers.
127.0.0.3 - Known Spam Operation or Open Relay
The IP address has been identified as a source of spam. This could be due to a high volume of unsolicited emails originating from this address.
127.0.0.4 - Dynamic IP, Open Proxy, or Detected in CBL
The IP address is an open proxy. Open proxies allow unauthenticated users to route their traffic, often used by spammers to disguise their true origin. Or to explain in another way the IP is part of a dynamic IP range, detected as an open proxy, or listed in the Composite Blocking List due to malicious activity.
127.0.0.5 - Malware, Formmail Spam, or Proxy Detection
The IP address is an open Socks proxy. Similar to open proxies, these allow users to relay their traffic anonymously, often for nefarious purposes.
127.0.0.6 - Dynamic IP or Policy Violation
The IP is part of a dynamic range or violates the RBL’s policy for acceptable email sending.
127.0.0.7 - Formmail Spam
The IP address has been used to exploit web formmail scripts to send spam.
127.0.0.8 - Virus Infected
The IP address has been flagged for sending virus-infected emails. This often indicates a compromised machine.
127.0.0.9 - Dictionary Attack
The IP address has been used in dictionary attacks, where spammers attempt to guess email addresses by systematically combining common names and domains.
127.0.0.10 - Spamvertised Site
The IP address is associated with a website that is heavily advertised in spam emails.
127.0.0.11 - Hijacked IP Space
The IP address is part of an IP range that has been hijacked for malicious use.
127.0.0.12 - Phishing
The IP address has been identified as a source of phishing emails, attempting to steal personal information.
127.0.0.13 - Malware Hosting
The IP address is associated with hosting or distributing malware.
127.0.0.14 - Botnet C&C
The IP address is a known command and control server for a botnet, used to control infected machines.
127.0.0.15 - Dynamic IP Address
The IP address is part of a dynamic IP range typically assigned to residential customers, often flagged due to the potential for abuse.
