Status: Production
Type: IPv4, IPv6

Cloud DNS: <key>.black.mail.abusix.zone.
Rsync File: lists/black.zone

Return Codes: 127.0.0.2, 127.0.0.3
Test Points: 127.0.0.2, 127.0.0.3, ::FFFF:7F00:2, ::FFFF:7F00:3

Listing duration: Approximately 5.2 days from when traffic was last seen

Description

This list contains the IP addresses of hosts that have sent email to our “pristine” traps (only our trap domains that have never been used for genuine mail) along with some network entries that we manually maintain.  

Common causes for being listed here include compromised accounts, infected hosts, botnets, spam gangs, purchased email address lists, poor sign-up processes, bad webforms, open proxies, TOR exit nodes and VPNs.

Any matching IP address found by this data will return 127.0.0.2.

Additionally, automated heuristics use all of our trap network and partner transaction feeds to look for IP addresses with very low reputation. IPs found by these heuristics will return 127.0.0.3.

This list can also be safely used to check each "Received" header hop found within a message.

Example query:

$ host  2.0.0.127.<key>.black.mail.abusix.zone.
2.0.0.127.<key>.black.mail.abusix.zone has address 127.0.0.2
2.0.0.127.<key>.black.mail.abusix.zone has address 127.0.0.3
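The following is an added example, not code from Abusix: it builds the query name for an IPv4 or IPv6 address and maps the answers to the two return codes described above. The function names and the "YOURKEY" placeholder are hypothetical, and the IPv6 form assumes the standard reversed-nibble DNSBL convention from RFC 5782.

```python
import ipaddress
import socket

ZONE = "black.mail.abusix.zone"
# Meanings of the return codes as described on this page.
RETURN_CODES = {
    "127.0.0.2": "sent mail to pristine traps, or manually maintained entry",
    "127.0.0.3": "very low reputation (automated heuristics)",
}


def dnsbl_qname(ip: str, key: str, zone: str = ZONE) -> str:
    """Build the fully qualified query name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # reversed nibbles
    return ".".join(labels) + f".{key}.{zone}."


def interpret(answers):
    """Map the A records returned by the zone to the documented meanings."""
    known = sorted(a for a in answers if a in RETURN_CODES)
    return {"listed": bool(known), "reasons": [RETURN_CODES[a] for a in known]}


def lookup(ip: str, key: str):
    """Query the list. No answer (NXDOMAIN) means the address is not listed.

    Resolver failures are also reported as "not listed" here, so a caller
    that must not fail open should check DNS health separately.
    """
    try:
        name = dnsbl_qname(ip, key).rstrip(".")
        _, _, answers = socket.gethostbyname_ex(name)
    except (socket.gaierror, socket.herror):
        answers = []
    return interpret(answers)


if __name__ == "__main__":
    # "YOURKEY" is a placeholder; both addresses are test points from this page.
    for test_point in ("127.0.0.2", "::FFFF:7F00:2"):
        print(dnsbl_qname(test_point, "YOURKEY"))
```

To check "Received" header hops, call `lookup` once per hop address extracted from the message.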
