
Probably the most common way of detecting spam is rejecting mail that comes from mail servers known (or believed) to send spam. This is done by taking the IP address of the remote mail server, converting it to a domain name using the ip4r format (a.b.c.d becomes d.c.b.a.lookupdomain.com), and seeing if that domain name exists.
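The lookup described above, as an added example (not code from the original page): it builds the ip4r name, counts only answers in 127.0.0.0/8 as listings (the usual DNSBL convention, not stated on the page), and applies a per-list action. The action labels, the `warn` handling for RSS and all function names are assumptions; the resolver data in the demo is constructed.

```python
import ipaddress
import socket

# Lookup domains from the table below. "reject" for RBL and DUL follows the
# page's recommendations; "warn" for RSS is an assumption.
POLICY = {
    "blackholes.mail-abuse.org": "reject",
    "dialups.mail-abuse.org": "reject",
    "relays.mail-abuse.org": "warn",
}
SEVERITY = {"accept": 0, "warn": 1, "reject": 2}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def ip4r_name(ip, zone):
    """Build the ip4r query name: a.b.c.d + zone -> d.c.b.a.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """Return the A record for name, or None when the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        # NXDOMAIN and resolver failures both land here, so an unreachable
        # list fails open (mail is accepted) instead of blocking everything.
        return None

def is_listing(answer):
    """True only for 127.0.0.0/8 answers, so a parked or wildcarded zone
    that answers every query with a routable address lists nothing."""
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED_NET

def evaluate(ip, policy=POLICY, resolve=system_resolver):
    """Return (action, hits): the strongest action and the zones listing ip."""
    action, hits = "accept", []
    for zone, zone_action in policy.items():
        if is_listing(resolve(ip4r_name(ip, zone))):
            hits.append(zone)
            if SEVERITY[zone_action] > SEVERITY[action]:
                action = zone_action
    return action, hits

if __name__ == "__main__":
    # Constructed resolver data (documentation address), so this runs offline.
    fake = {"25.2.0.192.dialups.mail-abuse.org": "127.0.0.2"}
    print(evaluate("192.0.2.25", resolve=fake.get))
```

Passing `resolve=` lets the policy be exercised without DNS; with the default resolver each zone costs one A-record query per connecting address.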
The following are the ip4r DNS lookup services that we know about, along with the differences between each one.
| Name/link | lookup domain | Description | |
|---|---|---|---|
| RBL | blackholes.mail-abuse.org | MAPS RBL (Realtime Blackhole List) is probably the most important ip4r DNS lookup. It lists networks known to be friendly or neutral to spammers. In most cases, it is very good about only listing mail servers that send out a lot of spam, and not simply open relays that get hijacked once and then are secured. Because of this, we recommend using the RBL test. | |
| DUL | dialups.mail-abuse.org | MAPS DUL (Dialup User List) is another very important ip4r DNS lookup. It lists the IP addresses of lots of "dialup lines" -- the connections that individuals get when they dial into the Internet. Although lots of legitimate E-mail originates from dialup lines, legitimate users very rarely if ever send mail directly to the receiving SMTP server; they send mail to their ISP's mail server. Therefore, it is safe to say that if anyone listed in DUL connects to your mail server, they are not sending legitimate E-mail. We recommend using the DUL test. | |
| RSS | relays.mail-abuse.org | MAPS RSS (Relay Spam Stopper) lists spam-relaying mail servers. These are open relays that have been known to send spam. They may well be legitimate mail servers that were open relays, and may be closed soon. However, they were open relays and did send spam. This is similar to RBL, except that the mail servers may be anti-spam and quick to fix the problem. In that case, you may be blocking legitimate mail until the problem is fixed. There is no grace period, so if the server is caught sending spam and is still an open relay, it will be listed immediately. In June, 2001 it contained about 100,000 mail servers! | |
| MAPS RBL+ | rbl-plus.mail-abuse.org | MAPS RBL+ is a service that apparently combines RBL, RSS, and DUL into a single lookup. | |
| OSRELAY | relays.osirusoft.com | Osirusoft's list of verified open relays. This should be very similar to the ORBSMAIN test. We do not recommend using this, unless you simply warn the recipient. | |
| OSDUL | relays.osirusoft.com | Osirusoft's Dialup Spam Source list. This is similar to the DUL test, except that some entries are added manually. We recommend treating it similarly to the MAPS DUL test. | |
| OSSRC | relays.osirusoft.com | Osirusoft's Confirmed Spam Source list. These are sites that continually spam and have been manually added, after multiple nominations. We recommend using this list to treat incoming E-mail harshly. | |
| OSSMART | relays.osirusoft.com | Osirusoft's Smart Host list (planned). A list of smart hosts (hosts that are secure, but relay for other mail servers that are not secure). | |
| OSSOFT | relays.osirusoft.com | Osirusoft's list of Spamware Software Developers. It is believed that these are IP ranges of companies that are known to produce spam software. | |
| OSLIST | relays.osirusoft.com | Osirusoft's list of listservers that opt users in without confirmation. | |
| OSFORM | relays.osirusoft.com | Osirusoft's list of insecure formmail.cgi script sites (planned). | |
| DORKS | orbs.dorkslayers.com | Dorkslayers recently added their ORBS-like database. This one lists open relays outside of the United States (apparently so they won't get sued). It seems as though they only list "bad" open relays, rather than all known ones. They do not recommend using their service, interestingly. About 8,000 mail servers were listed as of November, 2000. | |
| ORDB | relays.ordb.org | Open Relay Database. Lists open relays. Has corresponding TXT records. Has about 81,000 entries as of 7/23/01. | |
| ORBL | or.orbl.org | ORBL is a spinoff based on ORBS, that was formed after ORBS was shut down. Lists any open relays that it knows about, even large ISPs. Lists both inputs and outputs. | |
| ORBZINPUTS | orbz.gst-group.co.uk | ORBZ (ORB UK) is a spinoff based on ORBS, that was formed after ORBS was shut down. This database lists open relay inputs. No TXT records. | |
| ORBZOUPUTS | orbz.gst-group.co.uk | ORBZ (ORB UK) is a spinoff based on ORBS, that was formed after ORBS was shut down. This database lists open relay outputs. No TXT records. | |
| ORBZPOST | orbz.gst-group.co.uk | ORBZPOST (part of ORB UK) lists mail servers that refuse or bounce mail to postmaster@. No TXT records. | |
| V6NET | spammers.v6net.org | Unknown; no web site up yet (but database is operational). No TXT records. Willing to block large ISPs. | |
| DEVNULL | dev.null.dk | Lists open relays, most/all from Denmark. | |
| FIVETENSRC | blackholes.five-ten-sg.com | Lists direct spam sources. | |
| FIVETENDUL | blackholes.five-ten-sg.com | Lists spam sites before they get into DUL; includes some DSL IPs. | |
| FIVETENOPTIN | blackholes.five-ten-sg.com | Lists bulk mailers that don't use confirmed opt-in. | |
| FIVETENOTHER | blackholes.five-ten-sg.com | Lists servers that should be in ORBS, RSS, or RBL. | |
| ZONEIN | inputs.orbz.org | Lists known open relay inputs. | |
| ZONEOUT | outputs.orbz.org | Lists known open relay outputs. | |

| Name/link | lookup domain | Description | |
|---|---|---|---|
| DSN | dsn.rfc-ignorant.org | Lists domains that do not accept Delivery Status Notifications (DSNs), such as bounce messages. | |
| NOPOSTMASTER | postmaster.rfc-ignorant.org | Lists domains that do not accept E-mail to postmaster@. | |
| NOABUSE | abuse.rfc-ignorant.org | Lists domains that do not accept E-mail to abuse@. | |
| BADWHOIS | whois.rfc-ignorant.org | Lists domains that have incorrect or otherwise bad information in their whois data. WE STRONGLY DISCOURAGE USING THIS; it blocks all of .uk, .us, and other TLDs. | |
| IPWHOIS | ipwhois.rfc-ignorant.org | Lists domains that have incorrect or otherwise bad information in their IP whois data. WE DISCOURAGE USING THIS; it probably has the same flaw as the BADWHOIS test and could list major portions of the Internet. | |

| Name/link | Description |
|---|---|
| SPAMROUTING | Looks for E-mail that takes a very poorly defined path that wastes bandwidth. For example, a U.S. spammer sending to a recipient in the U.S., but relaying through a server in China would trigger this test. |
| REVDNS | This tests whether the mail server has a valid reverse DNS entry. Many ISPs do not set up reverse DNS properly, so this test will catch a lot of valid E-mail. |
| SPAMHEADERS | This test checks the E-mail for headers that are common in spam, but not common in legitimate E-mail. This test is very similar to the BADHEADERS test, except the problems this test looks for are not RFC violations, so there's a chance you could catch a small amount of legitimate E-mail. |
| MAILFROM | This test checks the SMTP envelope "Mail From:" address (which should be the sender of the E-mail) and makes sure that the domain name it is coming from is valid. This way, if mail is sent from "user@$$$success$$$.com", it will get caught (since "$$$success$$$.com" is not a valid domain). |
| BADHEADERS | Looks for broken E-mail headers, which are common in spam because spammers try to forge headers. This test can't accidentally catch any legitimate mail (except mail from broken E-mail clients, probably beta versions). |

Dead/Nonworking/untestable/broken listings:

| Name/link | lookup domain | Description | |
|---|---|---|---|
| ORBS (down) | [various] | ORBS used to be one of the best known spam databases. However, it has been closed (most likely permanently). | |
| ORBZMAN | manual.orbz.gst-group.co.uk | ORBZ MANUAL is a spinoff based on the ORBS "manual entries" list, that was formed after ORBS was shut down. | |
| ZTA | zta.birdsong.org | "Zero Tolerance Advisory". Could not confirm that it is up (7/23/01). |