Status:  Production
Type:  
Domain, IPv4

Cloud DNS:  <key>.dblack.mail.abusix.zone.
Rsync File
:  lists/dblack.zone

Return Codes:  127.0.1.1, 127.0.1.2, 127.0.1.3
Test Points
:  *.test, 127.0.0.2, 127.0.1.1, 127.0.1.2, 127.0.1.3

Listing duration:  Approximately 5.2 days after last seen

Description

This list holds wildcarded domains and IP addresses found in the message body of spam received to our “pristine”traps.

Any short URL links found in spam are also followed and any intermediate or destination domains are also listed.

This list should be used as a URI DNSBL (e.g. checking domain names or IP addresses found in the message body), but can also be used as an RHSBL where the rDNS, SMTP HELO, MAIL FROM domain, DKIM d= domain, Message-ID domain and List-Unsubscribe headers are checked against it.

It should not be used to check the connecting IP address though, only IP addresses found in the message body.

127.0.1.1 is returned for domains/IPs found in the message body.
127.0.1.2 is returned for domains that are newly observed (found by using other trap types).
127.0.1.3 is returned for domains found by following short URLs.

NOTE: as this list uses wildcard domains, it lists the parent domain and anysub-domains, so you do not need to normalize the domain name in anyway. 

Example query:

$ host 2.0.0.127.<key>.dblack.mail.abusix.zone.
2.0.0.127.<key>.dblack.mail.abusix.zone has address 127.0.1.1
2.0.0.127.<key>.dblack.mail.abusix.zone has address 127.0.1.2
2.0.0.127.<key>.dblack.mail.abusix.zone has address 127.0.1.3

Note:

When creating this list, we found that a lot of spam goes to great lengths to evade detection and uses open redirectors, short URLs and online drive services like Google Drive and Yandex Disk.   To address this we created several new types of list to combat this, see the shorthash and diskhash lists.

When dblack, shorthash and drivehash are used in combination - you will get the best possible coverage and protection available.

Did this answer your question?