Spamassassin Blacklists

If you're looking for information on setting up Spamassassin, please see my spamassassin-setup.current.html article.

If you came here looking for more information on a spammer... you're not alone. Please scroll down to the "Finding Spammers" section.





README

	The sa-blacklist.current file in this directory is a blacklist
of spammers in a form suitable for use in the spamassassin mail filter
program ( http://spamassassin.org/ ).

	Many thanks to a growing number of contributors; please see the
blacklist file for their names.  Thanks to all for their contributions!

	Please send additions or corrections to me, William Stearns
<wstearns@pobox.com> .  Please read the README.policy file first.

	Here's the new way of installing the blacklist.  Pick a non-root
user under which this will be done; substitute that user's login name
for non-root-user in the following.  Do this once as root:

touch /etc/mail/spamassassin/50blacklist.cf
chown non-root-user /etc/mail/spamassassin/50blacklist.cf

	Next, make sure that /etc/sudoers has a line for the above user:

non-root-user        ALL=(root) NOPASSWD: /etc/init.d/spamassassin restart

	Then place the following, all on one line, in non-root-user's crontab
(/var/spool/cron/non-root-user):

17 1,7,13,19 * * * sleep $[ $RANDOM / 1024 ] ; rsync -aqL zaphod.stearns.org::wstearns/sa-blacklist/sa-blacklist.current /home/non-root-user/50blacklist.cf && cat /home/non-root-user/50blacklist.cf >/etc/mail/spamassassin/50blacklist.cf && /usr/bin/sudo /etc/init.d/spamassassin restart >/dev/null 2>/dev/null

	Then get cron to reread the config file by doing this as root:

touch /var/spool/cron

	I'm also providing a list of the domains in sa-blacklist as the
file "sa-blacklist.current.domains".  Squid will gladly use that as a
list of blocked domains; perfect for email clients that will go out to
fetch images stored on spammer web servers.  Set up a regular download
like the above and add these two lines to /etc/squid/squid.conf:

acl spammers url_regex "/etc/squid/sa-blacklist.current.domains"
http_access deny all spammers

	There's also a .uri.cf version of this file that looks for these
domains inside URL's in the message.



README.findingspammers.html

Finding Spammers

I regularly get email from people who are looking for spammers. They've lost money and want to get it back, or they want to find out if a given company is reputable. Let me cover a few things:


README.howtotest.html

Once you have the blacklist installed, here's how to test whether it's working or not. Start up the "telnet" program (included in Windows and all Unix flavors) with the command:

telnet {your_mail_server} 25

Your mail server will send back a banner something like:

220 mymailserver.com - Welcome to our Sendmail ESMTP

and it will sit waiting for you. Now we'll feed it the first few lines of an SMTP exchange (you type the lines starting with capitals):

MAIL FROM: martha@sendmails.com
250 ok
RCPT TO: {a_valid_email_address@your.domain}
553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)
QUIT
221 mymailserver.com - Goodbye

In this case, we tried to send mail from an account at a known spammer, sendmails.com. We then told the mail server where the mail needs to go. The mail server then told us that it can't accept mail from sendmails.com because we'd correctly installed the qmail block list.

If, however, you have the blacklist installed in your spam filtering program, instead of giving you a 553 error, the mail server will likely allow you to continue feeding in the message with a prompt like:

250 {a_valid_email_address@your.domain}... Recipient ok

Now you give it the actual message content. The blank line and the line with nothing but a "." are both needed verbatim:

DATA
354 Enter mail, end with "." on a line by itself
From: martha@sendmails.com
Subject: Test mail for blacklist

This is a test message
<a href="http://www.sendmails.com">www.sendmails.com</a>
.
250 2.0.0 i3L3v5c23955 Message accepted for delivery
QUIT
221 mymailserver.com closing connection

The mailserver gives the 354, 250, and 221 lines, you type the rest.

Now go back to your mail software and take a look at the spam score assigned by your spam filter. Look at the list of reasons why it's marked as spam; does it mention the sa-blacklist? Does it say the domain was found on the RBL at surbl.org? If so, the spam filter is successfully using the blacklist.


README.howtouse.html

How to install into your programs

The sa-blacklist files hold lists of spammer domains, in a form suitable for blocking access to those domains. Each one has a datestamp so you can locate a specific version and identify newer and older releases, but you should only need to use the versions with "current" in the name, which always points to the latest release.

Find the program you're using below to decide which one to use.

Exim mail server

Just thought I'd drop you a quick note on how to add your SA black list to Exim. To start with, the Squid list ( sa-blacklist.current.domains ) looks OK to use with Exim. Then, in exim.conf the following is added (near any other deny sections):

deny message = $sender_host_address Blocked by http://www.stearns.org/sa-blacklist/
	hosts = partial()lsearch;/path/to/sa-blacklist.current.domains

I'd like to sincerely thank Daniel Bird for contributing the above instructions.

Postfix mail server

Postfix is chock-full of features to help stem the tide of UCE; if you are already using some of them, you should consider the recipe below a guide and not so much a drop-in solution. Take a look at the Postfix UCE docs, available here (consider using a mirror):

http://www.postfix.org/uce.html

...but for those of us who aren't using any of these conf declarations and would like to drop in Bill's blacklist, the following should suffice; we are going to be filtering based on the envelope sender.

  1. Copy the blacklist sa-blacklist.current.reject to a sensible spot, /etc/postfix/sender_restrictions seems reasonable.
  2. Update main.cf, adding the line:
    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_restrictions
    
  3. Create the access table hash:
    postmap /etc/postfix/sender_restrictions
    
  4. Have the master daemon reread main.cf:
    postfix reload
    

You are now rejecting envelope senders from the blacklisted domains; they will be rejected with a 554 error. If you would like to test this without actually rejecting mails, you can add `warn_if_reject, ' before the `check_sender_access' token; messages that would be rejected will be logged with a `reject_warning'.

I would like to sincerely thank Jereme Corrado for doing the postfix research and testing, and for contributing the above instructions.

Privoxy http proxy

The Privoxy privacy proxy (based on the Internet Junkbuster) filters outbound http and https requests and inbound replies, allowing you to block access to undesirable sites, block popups, block tracking gifs, etc. To install, place sa-blacklist.current.action (note that this file was previously called sa-blacklist.current.actions) in /etc/privoxy/ (your path may differ, based on operating system) and edit the "config" file there. Add the line:

actionsfile sa-blacklist.current	#spamassassin domain blacklist

so the file looks like:

actionsfile standard  # Internal purpose, recommended
actionsfile sa-blacklist.current	#spamassassin domain blacklist
actionsfile default   # Main actions file
actionsfile user      # User customizations

Restart Privoxy.

Qmail mail server

Qmail has the ability to unconditionally block mail from spammers based on the envelope sender (which may not be the same as the "From:" field in the header, so don't be surprised if this approach misses some emails that you think it should catch). In other words, if the spammers don't lie about their sending domain, qmail may be able to block them before the mail message is even transmitted. This cuts down on things like bounces, and hopefully spam!

To install, locate qmail's "control" directory. Download the sa-blacklist.current.at-domains file, and append it to the "badmailfrom" file there. Restart qmail.

Spamassassin email spam filter

sa-blacklist.current.cf and sa-blacklist.current.uri.cf are the two files formatted for spamassassin. The first looks at the sender domain, but spammers more and more lie about the source so this won't catch everything. The second looks at each url in the message, and is more likely to catch the web sites to which spammers want you to go. These take a lot of processing for each message, so you'll want to give them a try on a sample account first.

As a side note, I also have random.current.cf as a list of tags spammers sometimes forget to convert in spam, also in spamassassin format.

All three files increase the spam score for the message, making it more likely that the spam will get caught.

To install, download the above three files and place them in /etc/mail/spamassassin/ , making sure they each end in ".cf" (spamassassin treats all files ending in .cf as configuration files and loads them all). Restart spamassassin.

A second approach, currently under test, is to publish the sa-blacklist domains as a dns-based RBL. This replaces the use of the .uri.cf file above, but performs the same checks with lower load.

For more information on this approach, installation instructions, and details on using both a dns-rbl-based sa-blacklist and a dns-rbl-based Spamcop database, please see http://www.surbl.org .

Squid web cache

Squid can unconditionally block all outbound requests to certain domains. Privoxy is preferred for this, as Privoxy replaces a blocked image with a substitute image, whereas Squid returns a dummy HTML page instead (which just means your pages will have broken images, no big deal). Other than that it will work just fine.

Download sa-blacklist.current.domains to /etc/squid/ (again, path may vary). Edit squid.conf, adding the line:

acl spammers url_regex "/etc/squid/sa-blacklist.current.domains"

in with the other acl lines (order for acl lines doesn't matter), and adding

http_access deny all spammers

above your http_access lines (order does matter here). Restart squid.
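Both Squid recipes on this page (the one in the README and the one just above) feed the bare domains file to a url_regex acl, so every line is an unanchored regular expression. The following is an added Python example, not part of the sa-blacklist project: it shows how that differs from matching the URL's host, and one way to rewrite the lines so they only match the intended hosts. The domain list and URLs are constructed, and Python's re stands in for Squid's regex engine.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a few lines of sa-blacklist.current.domains;
# the real file is one bare domain per line, with no regex escaping.
SAMPLE_DOMAINS = ["sendmails.com", "spammerdomain.com", "thirdspamco.info"]


def url_regex_hits(domains, url):
    """Behave like Squid's url_regex acl fed this file: every line is an
    unanchored regular expression tried against the whole URL, so the dot
    matches any character and the pattern may land anywhere in the URL."""
    return [d for d in domains if re.search(d, url)]


def host_suffix_hits(domains, url):
    """What the list is meant to express: the URL's host is the listed
    domain or lies under it (the semantics of a dstdomain acl entry
    written with a leading dot)."""
    host = (urlsplit(url).hostname or "").lower()
    return [d for d in domains if host == d or host.endswith("." + d)]


def anchored_regex(domain):
    """Turn one bare domain into a url_regex line that matches only when the
    domain is the URL's host or a parent of it: scheme, optional subdomain
    labels, the escaped domain, an optional port, then end of host."""
    return r"^[a-z]+://([^/?#@:]+\.)?" + re.escape(domain) + r"(:[0-9]+)?([/?#]|$)"


def anchored_hits(domains, url):
    """Apply the rewritten lines the way Squid would apply url_regex."""
    return [d for d in domains if re.search(anchored_regex(d), url)]


def compare(domains, url):
    """Return the three verdicts side by side for one URL."""
    return {
        "url_regex": url_regex_hits(domains, url),
        "host_suffix": host_suffix_hits(domains, url),
        "anchored": anchored_hits(domains, url),
    }


if __name__ == "__main__":
    for u in ["http://www.sendmails.com/promo.gif",      # all three block
              "http://notsendmails.com/",                # url_regex only
              "http://sendmailsxcom.example/",           # url_regex only
              "http://example.org/redirect?to=spammerdomain.com",  # url_regex only
              "http://thirdspamco.info:8080/"]:          # all three block
        print(u, compare(SAMPLE_DOMAINS, u))
```

The first URL is blocked by all three methods; the middle three are blocked only by the raw url_regex lines, which is the false-positive surface of using the plain domains file as regexes.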

Sendmail mail server

Like qmail, sendmail can also inspect the envelope sender address and block based on the domain. Go to the /etc/mail directory, append sa-blacklist.current.sendmail-access to /etc/mail/access, run

make access.db

and restart sendmail.

Bill, what about....?

If you have a spam filtering tool, mail transport agent, http proxy, or any other program that you want to filter spammer domains, no problem. I can provide the list in any format you need. Simply send me the format to use and I'll add it to my build script.


README.policy


	This is a list of domains, hosts, and IP addresses used by
spammers.  This can include bulk email houses, individual companies that
send spam, and servers that are used to host images for spam.  Spam is
strictly defined as Unsolicited Bulk Email, and so I will include
unsolicited mail where the sender is not explicitly asking for money,
such as political and religious spam.

	The domains and IP's can be the original ones listed in the
mail, but also include the intermediate redirectors and the final target
site.  If the company is attempting to hide behind a temporary domain
used for email campaign(s), the real company domain is included as well.

	The list does _not_ include hosting services where spammers and
non-spammers can sign up for accounts (geocities, store.yahoo.com, etc.).
It also does not include counters, ad trackers (although this is
severely borderline), free email services (hotmail, msn, etc.), and
generic ISP's that host normal user accounts (earthlink, etc.).  It does
not include individual email addresses; this takes far too much work for
too little payback.

	In short, I want this list to be a list of domains, hosts, and
IP addresses used exclusively by companies that spam.

	The file is Copyright 2003 William Stearns <wstearns@pobox.com>
and other contributors (see the actual file for their contact
information).  It is made available under the GNU GPL.




README.submissions.html

Submitting new entries and corrections

Here are some guidelines for submission. Please note that these instructions will change in the future; we have an improved approach in the works.

Adding new domains

Please send new domains in an email to wstearns@pobox.com . The domains should be in all lowercase, free from host portions (www. , mx02. , spleen.arctic.mountbatten. , etc.), and have no port numbers at the end (:2700, :8080, etc.), have no directory or file names (/unsubscribe.ddd , /images/a2.jpg, etc.). Please send them in sorted order, and with no duplicates. Please check your list against http://www.stearns.org/sa-blacklist/sa-blacklist.current.domains ; try not to submit domains that are already in the list.

Before sending in domains, please check them. This is critical; submissions from automated scripts without human eyes in the process yield far too many false positives to be useful. Actually go to the web site; is there any content at all, or is it just a blank page? Is there any chance this is an ISP, and the spammer just signed up for cohosting space? Worse yet, did they just sign up for an individual user account? Take a look at the whois record; domains that have been around since 1998 are far less likely to be spammer domains than domains that were first registered in the last two months. In short, if there's any chance this domain is an ISP or an account on someone else's domain, please don't submit it. A list of 20 domains you're absolutely positive about is much more useful than 1000 domains you're 98% sure about.

Here's a sample submission message body:

anotherspammer.biz
spammerdomain.com
thirdspamco.info

Please include the word "blacklist" somewhere in the subject, so it skips by my spam filter, such as:

Subject: [blacklist] 20040423 entries from Bob Smith

If you want to include comments, that's fine, but please place them on separate lines, preferably before the domains start.

Please save at least 1 or 2 of the emails that prompted the domain submission; we may get a false positive report in the future, and whether the report is correct or not, it's helpful to be able to refer to the original email for additional background.
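The normalisation rules above (lowercase, no host portion, no port, no path, sorted, no duplicates, nothing already in the published list) as an added Python example; this is not a tool of the sa-blacklist project. The EXISTING set stands in for sa-blacklist.current.domains and the two-label public suffix set is an assumed, deliberately small sample.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for sa-blacklist.current.domains (the published list).
EXISTING = {"sendmails.com", "spammerdomain.com"}

# Assumed: a few two-label public suffixes, so that a host under one of them
# keeps three labels. A real tool would use the full public suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz", "com.br"}


def registrable_domain(host):
    """Strip host portions (www., mx02., ...) down to the registrable domain."""
    labels = host.split(".")
    if all(l.isdigit() for l in labels):
        return host                      # an IP address: nothing to strip
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def normalise(entry):
    """Apply the submission rules to one line: lowercase, no scheme, no host
    portion, no port, no directory or file name. Returns None when the line
    is blank, a comment, or does not parse as a dotted host name."""
    text = entry.strip()
    if not text or text.startswith("#"):
        return None
    if "://" not in text:
        text = "http://" + text          # lets urlsplit isolate the host part
    try:
        host = urlsplit(text.lower()).hostname   # drops scheme, port, path
    except ValueError:
        return None
    if not host or "." not in host or not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    return registrable_domain(host)


def prepare_submission(lines, existing):
    """Return (domains, skipped): domains is sorted and duplicate-free and
    omits anything already published; skipped records why a line was dropped."""
    domains, skipped = set(), []
    for line in lines:
        d = normalise(line)
        if d is None:
            skipped.append((line, "not a domain"))
        elif d in existing:
            skipped.append((line, "already listed"))
        else:
            domains.add(d)
    return sorted(domains), skipped


if __name__ == "__main__":
    # Constructed sample of what a raw, unclean submission might look like.
    raw = ["WWW.AnotherSpammer.BIZ:8080/images/a2.jpg", "mx02.thirdspamco.info",
           "thirdspamco.info", "spammerdomain.com",
           "http://spleen.arctic.mountbatten.spamco.co.uk/unsubscribe.ddd", ""]
    print(prepare_submission(raw, EXISTING))
```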

Removing domains

From time to time we'll make a mistake and add a legitimate domain in the list. Please accept our sincere apologies in advance; we know it's frustrating to get your mail blocked.

To get removed, send an email to wstearns@pobox.com , again, with the word "blacklist" somewhere in the subject (if you forget this, the message may land in Bill's spam folder, delaying your request by hours or days). Say which domain you're writing about. You're not required to justify the removal request, but if you send along some supporting evidence of why you should be removed, it'll make the process a little faster.

Your request will be looked into as quickly as possible; we want to resolve the mistake as much as you do; false positives hurt us all.


README.thanks.html

This project has had an immense amount of support. I want to thank all the contributors; the sa-blacklist could never have covered as many domains as it has if it had stayed a one-man show.

I'd like to especially thank Panagiotis Christias of the National Technical University of Athens, Raymond Dijkxhoorn of Prolocation.net, and Jens and Guido of Intergenia.de. Since the downloads of the sa-blacklist have crossed the terabyte/month mark, these generous organizations have offered to host the list. Without their generosity, I wouldn't be able to continue to provide the list.

Ironport and Barracuda Networks have also been very generous in donating a number of servers to help the entire project. We truly appreciate the donation.

Generated Fri Sep 26 21:15:15 EDT 2008 by htmlfilelist version 0.8.4