Using the enemieslist DNSBL
The enemieslist patterns dataset is made available via DNSBL at g.enemieslist.com for PTR lookups (g for "generic") and h.enemieslist.com for HELO/EHLO lookups (h for "HELO"). Prepend the hostname or HELO string to the zone, then do an A record lookup for the class information, or a TXT record lookup for further information on the technology believed to be in use.
"A" lookup result codes are as follows:
| Code | Meaning |
|---|---|
| 127.0.0.1 | generic |
| 127.0.0.2 | static |
| 127.0.0.3 | dynamic |
| 127.0.0.4 | spammer (known spam sources or former spam sources as determined by the host themselves, e.g. sprintnet.ru has hosts with names like "spam-source") |
| 127.0.0.7 | resnet |
| 127.0.0.8 | unassigned |
| 127.0.0.9 | NAT/proxy |
| 127.0.0.10 | mixed static/dynamic |
| 127.0.0.11 | bad rDNS format (usually misconfigured, in-addr.arpa screwups, no TLD, etc.) |
| 127.0.0.12 | "cloud" computing platform |
| 127.0.1.5 | compact (left-anchored, currently unused) |
| 127.0.1.6 | right-anchored substring (currently unused) |
| 127.0.2.2 | webhost (shared web hosting provider) |
| 127.0.2.3 | dedhost (dedicated web hosting) |
| 127.0.2.11 | legitimate mail source |
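As an added example (not code from the enemieslist project), the lookup described above in Python: build the query name, resolve it, and decode the A-record answer against the code table. The resolver is injectable so the decoding can be exercised offline with constructed answers; the handling of strings that cannot form a DNS name and the check for answers outside 127.0.0.0/8 are my assumptions, not documented behaviour.

```python
import ipaddress
import socket

PTR_ZONE = "g.enemieslist.com"   # rDNS (PTR name) patterns
HELO_ZONE = "h.enemieslist.com"  # HELO/EHLO string patterns
# "A" lookup result codes as documented above.
A_CLASSES = {
    "127.0.0.1": "generic", "127.0.0.2": "static", "127.0.0.3": "dynamic",
    "127.0.0.4": "spammer", "127.0.0.7": "resnet", "127.0.0.8": "unassigned",
    "127.0.0.9": "NAT/proxy", "127.0.0.10": "mixed static/dynamic",
    "127.0.0.11": "bad rDNS format", "127.0.0.12": "cloud",
    "127.0.1.5": "compact", "127.0.1.6": "right-anchored substring",
    "127.0.2.2": "webhost", "127.0.2.3": "dedhost",
    "127.0.2.11": "legitimate mail source",
}

def build_query(name, zone):
    """Prepend the hostname or HELO string to the zone; None if the string
    cannot form a DNS name (empty label, label over 63 octets, characters
    outside [A-Za-z0-9_-], over 253 octets). Assumption: such HELO strings,
    e.g. the address literal "[192.0.2.1]", are simply not queried."""
    name = name.strip().rstrip(".").lower()
    ok = all(0 < len(lab) <= 63 and
             all(c.isascii() and (c.isalnum() or c in "-_") for c in lab)
             for lab in name.split("."))
    query = f"{name}.{zone}"
    return query if name and ok and len(query) <= 253 else None

def _resolve_a(qname):
    """Default resolver: first A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None

def lookup_class(name, zone=PTR_ZONE, resolve=_resolve_a):
    """Map a PTR name or HELO string to its documented class.
    'unlisted': no A record. 'invalid': no query could be formed.
    'unexpected:<addr>': answer outside 127.0.0.0/8, which a DNSBL never
    returns; it usually means a wildcarding or NXDOMAIN-rewriting resolver."""
    qname = build_query(name, zone)
    if qname is None:
        return "invalid"
    answer = resolve(qname)
    if answer is None:
        return "unlisted"
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return f"unexpected:{answer}"
    return A_CLASSES.get(answer, f"unknown-code:{answer}")
```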
Explanation of "A" lookup return code classifications
The return codes represent classifications of naming conventions. These classes range from the standard understanding of assignment type (static or dynamic), to generic, provider-assigned rDNS with no indicated static or dynamic status, to other, more specific types such as resnet, webhost, or legitimate mail source, to NAT, PAT or proxy hosts (which may be static but likely emit traffic from hosts of various types behind them), to hosts whose naming indicates that the range is unused or otherwise not assigned (but evidently in use, which suggests the space is either hijacked or poorly monitored). What follows is a short explanation of each type.
| Class | Description |
|---|---|
| generic | Provider-assigned, generically named rDNS; naming gives no indication of static or dynamic nature. Could be either end-user/customer space or LAN/WAN space within a telco or ISP or corporation or other organization. |
| static | Believed to be statically assigned, based either on naming or on research such as information found on a Web site or obtained from sources familiar with the nature of assignment (as with DSL in the Netherlands, which is nearly always statically assigned even to consumer end users). |
| dynamic | Believed to be dynamically assigned, based either on naming or on research such as information found on a Web site or obtained from sources familiar with the nature of assignment (as with ADSL in much of the US). |
| spammer | The provider has explicitly marked this host as one from which you should not accept mail because it belongs or belonged to a spammer. |
| resnet | RESidential NETworks, provided to students by universities. The source of a great deal of spam and abuse especially during semester changeovers, when what may be a statically assigned IP in a dorm is now in use by another computer (and more often than not, poorly secured by the new owner). |
| unassigned | Naming indicates that the host is not assigned by the ISP, and so is either poorly maintained (assigned but name has not been updated to reflect that fact) or possibly hijacked. |
| NAT/proxy | Host is a NAT, PAT, proxy, or other fixed IP with unknown mail and abuse sources behind it. Suffers from poor security in many cases due to lack of preventative measures taken on the LAN side; hosts inside the network are allowed to emit SMTP outbound without restriction. |
| mixed static/dynamic | Host naming reflects static but hosts are known to be dynamically assigned, or vice versa, or naming is generic but provider does not make an effort to indicate and distinguish static versus dynamic hosts. |
| "bad rDNS" | Laughably mangled PTRs, invalid or missing top level domains, etc. |
| compact | Regex is left-anchored and only extends to the first 'dot' in name. (currently not implemented in DNSBL). |
| rightanchor | Substring (e.g. "dyn.example.net") that doesn't require regular expressions to match. Longer substrings are MORE specific, so that "dyn.dsl.example.net", if also present with "dsl.example.net", should match BEFORE the latter. (currently not implemented in DNSBL). |
| webhost | Naming in use by mass virtual hosting providers. Likely sources of legitimate mail (so, especially likely to be found in HELO during legitimate mail) but also high probability of phishing scam mail. Also contains hosts that are Web servers; use tech to distinguish. |
| dedhost | For dedicated or co-located servers on Web hosting and colo providers with generic naming. Distinct from webhost where possible. Formerly static/colo, may also describe some patterns formerly thought of as webhost. |
| legitimate mail source | Mass webmail or other hosted mail solution, ISP/telco mail server farm, other large-scale mail hosting operation. |
| cloud | Possibly dynamically allocated "cloud" computing; may also refer to statics. |
Explanation of "TXT" lookup responses
| Tech | Meaning |
|---|---|
| activehunter | this IP is running ActiveHunter antispam software |
| antivirus | this IP is running antivirus software |
| argosoft | this IP is running ArGoSoft Mail Server |
| atm | this IP is an ATM link |
| avas | this IP is running antivirus/antispam software |
| barracuda | this IP is running a Barracuda appliance |
| borderware | this IP is running Borderware |
| broadband | this IP is generic broadband |
| cable | this IP is a cable link |
| canit | this IP is running a CanIT SMTP server |
| cellopoint | this IP is a Cellopoint Email Firewall |
| cisco | this IP is running a Cisco appliance |
| cobalt | this IP is a Cobalt firewall appliance |
| colo | this IP is allocated to a colocation service |
| communigatepro | this IP is running CommuniGate Pro mail server |
| commercial | this IP sends business-to-consumer mail |
| confixx | this webhost is using Parallels Confixx |
| copier | this IP is a copier |
| corporate | this IP is a corporate mail server |
| cpanel | this IP is running the cPanel Web hosting software |
| dav | this IP is serving DAV (distributed authoring and versioning) clients |
| dialup | this IP is a dialup |
| directadmin | this webhost is running the DirectAdmin control panel for Red Hat Enterprise Linux and FreeBSD |
| dsl | this IP is a DSL line |
| eims | this IP is running the Eudora Internet Mail Server |
| ensim | this IP is a Web host running Ensim |
| ethernet | this IP is an ethernet link (probably Metro Ethernet) |
| exim | this IP is running Exim |
| expressmail | this IP is running Express Mail Server |
| fiber | this IP is a fiber link |
| frame | this IP is a frame relay link |
| fsecure | this IP is running F-Secure SMTP server |
| gprs | this IP is a mobile phone |
| gridserver | this IP is a "cloud" computing webhost |
| groupwise | this IP is running Novell Groupwise |
| hsphere | this webhost is running the HSphere control panel |
| imail | this IP is running IPSwitch IMail |
| imsva | this outmx is running Trend Micro's InterScan Messaging Security Virtual Appliance |
| infrastructure | this IP is network infrastructure |
| iplanet | this outmx is running the Sun iPlanet server |
| ironport | this IP is an Ironport antispam appliance |
| isdn | this IP is ISDN |
| isp | this IP is a hosted/outsourced email service for an ISP |
| interscan | this IP is running Trend Micro Interscan server |
| javamail | this IP is running Sun JavaMail |
| joomla | this IP is running Joomla |
| kerio | this IP is running a Kerio security appliance |
| lan | this IP is on a LAN |
| leasedline | this IP is on a leased line |
| linux | this IP is running Linux |
| litemail | this outmx is running the LiteMail mail server |
| lotusdomino | this outmx is running Lotus Domino |
| lotusnotes | this outmx is running Lotus Notes |
| lyris | this outmx is running Lyris mailing list software |
| mail2000 | this outmx is running Mail2000 SMTP server |
| mailcleaner | this outmx is running Mailcleaner SMTP server |
| mailenable | this outmx is running MailEnable SMTP server |
| mailmarshal | this outmx is running MailMarshal mail server software |
| mailmax | this outmx is running MailMax mail server software |
| mailsite | this outmx is running the MailSite Fusion mail server software |
| mdaemon | this outmx is running the MDaemon mail server |
| merak | this outmx is running Merak mail server |
| microsoftmail | this IP is running Microsoft Mail Service |
| mirapoint | this IP is a Mirapoint appliance |
| modusmail | this IP is running ModusMail mail server |
| msexchange | this outmx is running Microsoft Exchange |
| nameserver | this IP is a DNS nameserver |
| natproxy | this IP is a NAT, PAT or proxy |
| netscaler | this IP is running the Citrix NetScaler load balancing software |
| netstation | this IP is running the NetStation Mailer mail server software |
| network | this IP is on a LAN or VLAN |
| novonyx | this outmx is running the Netscape/Novell Novonyx server |
| ntmail | this outmx is running NTMail |
| outlookwebaccess | this IP is running the Microsoft Outlook Web Access service |
| p2p | this IP is running a peer-to-peer server |
| pat | this IP is providing PAT service |
| pix | this IP is a Cisco PiX firewall device |
| plesk | this IP is running the Plesk Web hosting software |
| pmdf | this outmx is running the Process Software PMDF mail server software |
| postfix | this outmx is running Postfix |
| postoffice | this outmx is running Post.Office SMTP server |
| powermta | this outmx is running the PowerMTA mail server gateway |
| pppoe | this IP is a PPP over ethernet link |
| pptp | this IP is a Point to Point Tunneling Protocol endpoint |
| printer | this IP is a printer |
| proxmox | this IP is running proxmox |
| proxy | this IP is running proxy software |
| qmail | this IP is running qmail |
| qpsmtpd | this IP is running the qpsmtpd mail server software |
| raq | this IP is a Cobalt / Sun RaQ server |
| redcondor | this outmx is a RedCondor appliance |
| resnet | this IP is a university residential network |
| router | this IP is a router |
| satellite | this IP is a satellite link |
| sendmail | this IP is running sendmail |
| serial | this IP is a serial line |
| server | this IP is a server |
| smarthost | this IP is an SMTP smarthost |
| smoothzap | this IP is running SmoothZap SMTP server |
| sonicwall | this IP is a SonicWall firewall appliance |
| sophosmail | this IP is running Sophos Mail server |
| stalker | this IP is running the Stalker mail server |
| strongmail | this outmx is a Strongmail mail appliance |
| surgemail | this outmx is running the Surgemail mail server |
| symantecmail | this outmx is running the Symantec mail server |
| t1 | this IP is a trunk line |
| trendmicro | this IP is running Trend Micro mail software |
| unix | this IP is running a variety of Unix |
| unknown | the technology in use on hosts with this naming is unknown |
| virtuozzo | this webhost is running the Parallels Virtuozzo control panel |
| voip | this IP is providing Voice over IP service |
| vpn | this IP is a VPN gateway |
| vps | this IP is a Virtual Private Server |
| wan | this IP is part of a Wide Area Network |
| webhost | this IP is allocated to a Web hosting provider |
| webmail | this IP is a webmail gateway |
| webshield | this IP is running the McAfee Webshield antivirus mail server software |
| wifi | this IP is provided via Wifi |
| wimax | this IP is a WiMax node |
| windows | this IP is running a Microsoft Windows OS |
| windowsxp | this IP is running Microsoft Windows XP OS |
| wireless | this IP is a wireless link |
| xwall | this IP is running the XWall mail server software |
| zmailer | this IP is running the ZMailer mail server software |
Occasionally, as needs warrant, we will further subdivide or introduce new classifications for this portion of the dataset.
Note: the "callback" DNS logging has been removed from the sendmail package as of serial 20110517. Thanks for all the fish.