enemieslist

Email security & antispam

Using the enemieslist DNSBL

The enemieslist patterns dataset is made available via DNSBL at g.enemieslist.com for PTR lookups (g for "generic") and h.enemieslist.com for HELO/EHLO lookups (h for "HELO"). To query, prepend the rDNS hostname or the HELO/EHLO string to the zone and look up the resulting name; for example, the PTR name cpe-1-2-3-4.dsl.example.net becomes cpe-1-2-3-4.dsl.example.net.g.enemieslist.com. An A record lookup returns the class information (codes below); a TXT record lookup returns further information on the technology believed to be in use. As with any DNSBL, a name that matches no pattern returns no record.
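The lookup procedure above, as an added example that is not the enemieslist project's own code: it builds the query names for both zones, decodes the A-record class codes from the table on this page, and applies a local acceptance policy. DNS resolution is injected as two callables so the module runs offline against constructed data; the REJECT_CLASSES policy, the sample hostnames in FAKE_ZONE and the resolver shape are assumptions of this example, as is the decision to refuse address literals such as "[192.0.2.1]" as HELO strings rather than send them to the zone.

```python
import re
from typing import Callable, Dict, Iterable, List

PTR_ZONE = "g.enemieslist.com"   # PTR (rDNS hostname) lookups
HELO_ZONE = "h.enemieslist.com"  # HELO/EHLO string lookups

# "A" record return codes exactly as listed on the page.
A_CODES: Dict[str, str] = {
    "127.0.0.1": "generic",
    "127.0.0.2": "static",
    "127.0.0.3": "dynamic",
    "127.0.0.4": "spammer",
    "127.0.0.7": "resnet",
    "127.0.0.8": "unassigned",
    "127.0.0.9": "NAT/proxy",
    "127.0.0.10": "mixed static/dynamic",
    "127.0.0.11": "bad rDNS format",
    "127.0.0.12": "cloud",
    "127.0.1.5": "compact",
    "127.0.1.6": "right-anchored substring",
    "127.0.2.2": "webhost",
    "127.0.2.3": "dedhost",
    "127.0.2.11": "legitimate mail source",
}

# Example local policy (an assumption, not the page's recommendation): classes
# a receiving MTA might refuse outright.  "webhost" is deliberately left out
# because the page says those hosts carry legitimate mail as well as phishing.
REJECT_CLASSES = {"dynamic", "spammer", "resnet", "unassigned", "bad rDNS format"}

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are canonical."""
    return name.strip().rstrip(".").lower()


def valid_hostname(name: str) -> bool:
    """HELO strings are attacker-controlled; only forward syntactic hostnames.
    Address literals like "[192.0.2.1]" and junk are rejected here (assumption:
    the page does not define lookups for non-hostname HELO strings)."""
    n = normalize(name)
    if not n or len(n) > 253:
        return False
    return all(_LABEL.match(label) for label in n.split("."))


def query_name(name: str, zone: str) -> str:
    """Prepend the PTR/HELO name to the zone, as the page describes."""
    if not valid_hostname(name):
        raise ValueError(f"not a queryable hostname: {name!r}")
    return f"{normalize(name)}.{zone}"


def decode_a(answers: Iterable[str]) -> List[str]:
    """Map A answers to class names.  Unknown codes stay visible rather than
    being dropped, since the page says new classes may be introduced."""
    return [A_CODES.get(a, f"unknown:{a}") for a in answers]


Resolver = Callable[[str], List[str]]  # returns [] when the name is not listed


def lookup(name: str, zone: str, resolve_a: Resolver, resolve_txt: Resolver) -> dict:
    """Full DNSBL lookup: A for the class, TXT for the technology keyword."""
    qname = query_name(name, zone)
    a_answers = resolve_a(qname)
    if not a_answers:
        return {"query": qname, "listed": False, "classes": [], "tech": []}
    return {
        "query": qname,
        "listed": True,
        "classes": decode_a(a_answers),
        "tech": list(resolve_txt(qname)),  # second query only when listed
    }


def should_reject(result: dict, policy=REJECT_CLASSES) -> bool:
    """Apply the local policy to a lookup result."""
    return any(c in policy for c in result["classes"])


# Constructed offline data standing in for the live zones (not real listings).
FAKE_ZONE = {
    "cpe-1-2-3-4.dyn.example.net.g.enemieslist.com": (["127.0.0.3"], ["dsl"]),
    "mail-out.example.org.g.enemieslist.com": (["127.0.2.11"], ["postfix"]),
    "srv.sharedhost.example.com.h.enemieslist.com": (["127.0.2.2"], ["cpanel"]),
}


def fake_a(qname: str) -> List[str]:
    return list(FAKE_ZONE.get(qname, ([], []))[0])


def fake_txt(qname: str) -> List[str]:
    return list(FAKE_ZONE.get(qname, ([], []))[1])


if __name__ == "__main__":
    for ptr in ["cpe-1-2-3-4.dyn.example.net", "mail-out.example.org", "unlisted.example"]:
        r = lookup(ptr, PTR_ZONE, fake_a, fake_txt)
        print(r["query"], r["classes"], r["tech"], "reject" if should_reject(r) else "accept")
    print(lookup("srv.sharedhost.example.com", HELO_ZONE, fake_a, fake_txt))
```

For live use, replace fake_a and fake_txt with real resolvers; with dnspython that is a wrapper around dns.resolver.resolve(qname, "A") and (qname, "TXT") that returns an empty list on dns.resolver.NXDOMAIN. Validate the HELO string before building the query: it is supplied by the remote client, and forwarding arbitrary bytes to a DNS zone turns your mail server into a tool for probing that zone.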

"A" lookup result codes are as follows:

Code          Meaning
127.0.0.1     generic
127.0.0.2     static
127.0.0.3     dynamic
127.0.0.4     spammer (known or former spam sources, as labelled by the provider's own naming, e.g. sprintnet.ru has hosts with names like "spam-source")
127.0.0.7     resnet
127.0.0.8     unassigned
127.0.0.9     NAT/proxy
127.0.0.10    mixed static/dynamic
127.0.0.11    bad rDNS format (usually misconfigured: in-addr.arpa mistakes, no TLD, etc.)
127.0.0.12    "cloud" computing platform
127.0.1.5     compact (left-anchored, currently unused)
127.0.1.6     right-anchored substring (currently unused)
127.0.2.2     webhost (shared web hosting provider)
127.0.2.3     dedhost (dedicated web hosting)
127.0.2.11    legitimate mail source

Explanation of "A" lookup return code classifications

The return codes classify naming conventions, not individual hosts. The classes range from the usual notion of assignment type (static or dynamic), through generic provider-assigned rDNS that indicates neither, to more specific types such as resnet, webhost or legitimate mail source; to NAT, PAT or proxy hosts (which may themselves be static but relay traffic from hosts of various types behind them); and to hosts whose naming says the range is unused or unassigned (yet is evidently in use, suggesting it is either hijacked or not well monitored). What follows is a short explanation of each type.

generic: Provider-assigned, generically named rDNS; the naming gives no indication of static or dynamic nature. Could be end-user/customer space or LAN/WAN space within a telco, ISP, corporation or other organization.
static: Believed to be statically assigned, based either on naming or on research such as information found on a Web site or obtained from sources familiar with the nature of the assignment (as with DSL in the Netherlands, which is nearly always statically assigned even to consumer end users).
dynamic: Believed to be dynamically assigned, based either on naming or on research such as information found on a Web site or obtained from sources familiar with the nature of the assignment (as with ADSL in much of the US).
spammer: The provider has explicitly marked this host as one from which you should not accept mail because it belongs or belonged to a spammer.
resnet: RESidential NETworks, provided to students by universities. The source of a great deal of spam and abuse, especially around semester changeovers, when what may be a statically assigned IP in a dorm passes to another computer (more often than not poorly secured by its new owner).
unassigned: Naming indicates that the host is not assigned by the ISP, so the address is either poorly maintained (assigned, but the name has not been updated to reflect that) or possibly hijacked.
NAT/proxy: Host is a NAT, PAT, proxy or other fixed IP with unknown mail and abuse sources behind it. Often poorly secured because no preventive measures are taken on the LAN side; hosts inside the network are allowed to emit SMTP outbound without restriction.
mixed static/dynamic: Naming reflects static but hosts are known to be dynamically assigned, or vice versa, or naming is generic and the provider makes no effort to distinguish static from dynamic hosts.
bad rDNS format: Laughably mangled PTRs, invalid or missing top-level domains, etc.
compact: Regex is left-anchored and extends only to the first dot in the name. (Currently not implemented in the DNSBL.)
rightanchor: A right-anchored substring (e.g. "dyn.example.net") that needs no regular expression to match. Longer substrings are MORE specific, so "dyn.dsl.example.net", if present alongside "dsl.example.net", should match BEFORE the latter. (Currently not implemented in the DNSBL.)
webhost: Naming used by mass virtual hosting providers. Likely sources of legitimate mail (so especially likely to appear in HELO during legitimate mail) but also a high probability of phishing scam mail. Also contains hosts that are Web servers; use the TXT technology keyword to distinguish.
dedhost: Dedicated or co-located servers at Web hosting and colo providers with generic naming. Distinct from webhost where possible. Formerly static/colo; may also describe some patterns formerly thought of as webhost.
legitimate mail source: Mass webmail or other hosted mail solution, ISP/telco mail server farm, or other large-scale mail hosting operation.
cloud: Possibly dynamically allocated "cloud" computing; may also refer to statics.

Explanation of "TXT" lookup responses

A TXT lookup returns a technology keyword for the matched naming pattern. The keywords currently in the dataset and their meanings are:

Keyword           Meaning
activehunter      this IP is running ActiveHunter antispam software
antivirus         this IP is running antivirus software
argosoft          this IP is running ArGoSoft Mail Server
atm               this IP is an ATM link
avas              this IP is running antivirus/antispam software
barracuda         this IP is running a Barracuda appliance
borderware        this IP is running BorderWare
broadband         this IP is generic broadband
cable             this IP is a cable link
canit             this IP is running a CanIt SMTP server
cellopoint        this IP is a Cellopoint Email Firewall
cisco             this IP is running a Cisco appliance
cobalt            this IP is a Cobalt firewall appliance
colo              this IP is allocated to a colocation service
communigatepro    this IP is running the CommuniGate Pro mail server
commercial        this IP sends business-to-consumer mail
confixx           this webhost is using Parallels Confixx
copier            this IP is a copier
corporate         this IP is a corporate mail server
cpanel            this IP is running the cPanel Web hosting software
dav               this IP is serving DAV (distributed authoring and versioning) clients
dialup            this IP is a dialup
directadmin       this webhost is running the DirectAdmin control panel for Red Hat Enterprise Linux and FreeBSD
dsl               this IP is a DSL line
eims              this IP is running the Eudora Internet Mail Server
ensim             this IP is a Web host running Ensim
ethernet          this IP is an Ethernet link (probably Metro Ethernet)
exim              this IP is running Exim
expressmail       this IP is running Express Mail Server
fiber             this IP is a fiber link
frame             this IP is a frame relay link
froxlor           this IP is a webhost running the Froxlor control panel
fsecure           this IP is running F-Secure SMTP server
gprs              this IP is a mobile phone
gridserver        this IP is a "cloud" computing webhost
groupwise         this IP is running Novell GroupWise
hsphere           this webhost is running the HSphere control panel
imail             this IP is running Ipswitch IMail
imsva             this outmx is running Trend Micro's InterScan Messaging Security Virtual Appliance
indimail          this IP is running IndiMail
infrastructure    this IP is network infrastructure
iplanet           this outmx is running the Sun iPlanet server
ironport          this IP is an IronPort antispam appliance
isdn              this IP is ISDN
isp               this IP is a hosted/outsourced email service for an ISP
interscan         this IP is running Trend Micro InterScan server
javamail          this IP is running Sun JavaMail
joomla            this IP is running Joomla
kerio             this IP is running a Kerio security appliance
lan               this IP is on a LAN
leasedline        this IP is on a leased line
linux             this IP is running Linux
litemail          this outmx is running the LiteMail mail server
lotusdomino       this outmx is running Lotus Domino
lotusnotes        this outmx is running Lotus Notes
lyris             this outmx is running Lyris mailing list software
mail2000          this outmx is running Mail2000 SMTP server
mailcleaner       this outmx is running MailCleaner SMTP server
mailenable        this outmx is running MailEnable SMTP server
mailmarshal       this outmx is running MailMarshal mail server software
mailmax           this outmx is running MailMax mail server software
mailsite          this outmx is running the MailSite Fusion mail server software
mplus             this outmx is running the M+ mail server software
mdaemon           this outmx is running the MDaemon mail server
merak             this outmx is running Merak mail server
microsoftmail     this IP is running Microsoft Mail Service
mirapoint         this IP is a Mirapoint appliance
modusmail         this IP is running ModusMail mail server
msexchange        this outmx is running Microsoft Exchange
nameserver        this IP is a DNS nameserver
natproxy          this IP is a NAT, PAT or proxy
netscaler         this IP is running the Citrix NetScaler load balancing software
netstation        this IP is running the NetStation Mailer mail server software
network           this IP is on a LAN or VLAN
novonyx           this outmx is running the Netscape/Novell Novonyx server
ntmail            this outmx is running NTMail
outlookwebaccess  this IP is running the Microsoft Outlook Web Access service
p2p               this IP is running a peer-to-peer server
pat               this IP is providing PAT service
pix               this IP is a Cisco PIX firewall device
plesk             this IP is running the Plesk Web hosting software
pmdf              this outmx is running the Process Software PMDF mail server software
postfix           this outmx is running Postfix
postoffice        this outmx is running Post.Office SMTP server
powermta          this outmx is running the PowerMTA mail server gateway
pppoe             this IP is a PPP over Ethernet link
pptp              this IP is a Point to Point Tunneling Protocol endpoint
printer           this IP is a printer
proxmox           this IP is running Proxmox
proxy             this IP is running proxy software
qmail             this IP is running qmail
qpsmtpd           this IP is running the qpsmtpd mail server software
raq               this IP is a Cobalt / Sun RaQ server
redcondor         this outmx is a Red Condor appliance
resnet            this IP is a university residential network
router            this IP is a router
satellite         this IP is a satellite link
sendmail          this IP is running sendmail
serial            this IP is a serial line
server            this IP is a server
smarthost         this IP is an SMTP smarthost
smoothzap         this IP is running SmoothZap SMTP server
sonicwall         this IP is a SonicWall firewall appliance
sophosmail        this IP is running Sophos Mail server
spanel            this IP is a webhost running the Spanel control panel
stalker           this IP is running the Stalker mail server
strongmail        this outmx is a StrongMail mail appliance
surgemail         this outmx is running the SurgeMail mail server
symantecmail      this outmx is running the Symantec mail server
t1                this IP is a trunk line
trendmicro        this IP is running Trend Micro mail software
unix              this IP is running a variety of Unix
unknown           the technology in use on hosts with this naming is unknown
virtuozzo         this webhost is running the Parallels Virtuozzo control panel
voip              this IP is providing Voice over IP service
vpn               this IP is a VPN gateway
vps               this IP is a Virtual Private Server
wan               this IP is part of a Wide Area Network
webhost           this IP is allocated to a Web hosting provider
webmail           this IP is a webmail gateway
webshield         this IP is running the McAfee WebShield antivirus mail server software
wifi              this IP is provided via Wi-Fi
wimax             this IP is a WiMAX node
windows           this IP is running a Microsoft Windows OS
windowsxp         this IP is running Microsoft Windows XP OS
wireless          this IP is a wireless link
xwall             this IP is running the XWall mail server software
zmailer           this IP is running the ZMailer mail server software

Occasionally, as needs warrant, we will further subdivide this portion of the dataset or introduce new classifications, so clients should treat unrecognised keywords and codes as "unknown" rather than as errors.

Note: the "callback" DNS logging has been removed from the sendmail package as of serial 20110517. Thanks for all the fish.