Abusix Mail Intelligence
This list combines all our email blacklists. This is the recommended list to use on most SMTP servers.
This is our traditional blacklist which contains the IP addresses of any hosts that have recently sent spam to our traps.
None of our trap domains has ever been genuinely used for mail, and none originates mail. It is also our policy never to use typo domains (e.g. domain names similar to those of large services) as blacklist traps.
Any host sending mail to our traps is therefore either infected or compromised, or is sending spam from purchased lists or from services that do not do confirmed opt-in (e.g. validating the email address of new sign-ups before allowing access or adding the address to CRM systems, etc.).
To avoid listing large mail providers such as Google, Microsoft Office 365 or any other multi-tenant mail services that might have compromised accounts or fraudulent sign-ups, we have extensive whitelists which prevent these hosts from being listed.
This blacklist lists all IP addresses that are unlikely to be used by a legitimate mail server. Legitimate mail servers should use a static IP address with a non-generic PTR record that reflects the host and domain name of the mail server and, ideally, matches the forward lookup for the same name (FCrDNS).
It is designed to catch botnet traffic, compromised hosts, hijacked IP space and compute/VPS hosts.
This list is generated by running a reverse DNS lookup for every IPv4 address; it lists IPs with:
- no PTR record
- PTR record with an invalid top-level domain (TLD)
- PTR record containing part of the IP address (e.g. 127-0-0-1.example.com)
- PTR record indicating a dynamic IP (e.g. subdomain contains: dynamic, dyn, cable, generic-host, nothing, dsl, dial, dhcp, unallocated, broadband, internetdsl, gprs, no-dns-yet, unassigned, unknown, ipngn, ...)
Any host containing smtp, mail, mx or mta is automatically excluded.
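The PTR rules listed above, as an added example that is not Abusix's code: a classifier that takes an IPv4 address and its already-resolved PTR name and returns the rule that matches. The TLD set, the two-adjacent-octets test for "part of the IP address", treating the last two labels as the registered domain, applying the mail exclusion before the other name checks, and the sample names are assumptions.

```python
import re

# Assumption: a tiny stand-in for the real TLD list, enough for the samples.
VALID_TLDS = {"com", "net", "org", "de"}
# Keywords quoted from the list above (the page's own list is open-ended).
DYNAMIC_WORDS = ("dynamic", "dyn", "cable", "generic-host", "nothing", "dsl",
                 "dial", "dhcp", "unallocated", "broadband", "internetdsl",
                 "gprs", "no-dns-yet", "unassigned", "unknown", "ipngn")
MAIL_WORDS = ("smtp", "mail", "mx", "mta")

def embeds_ip(ip, name):
    """True if two adjacent octets of ip appear in name, in either order."""
    octets = ip.split(".")
    for seq in (octets, octets[::-1]):
        for a, b in zip(seq, seq[1:]):
            if re.search(r"(?<!\d)0*%s[-._]0*%s(?!\d)" % (a, b), name):
                return True
    return False

def classify(ip, ptr):
    """Return the rule that would list this IPv4 address, or None."""
    if not ptr:
        return "no PTR record"
    name = ptr.rstrip(".").lower()
    if any(word in name for word in MAIL_WORDS):
        return None  # mail-looking names are excluded (checked first: assumption)
    labels = name.split(".")
    if labels[-1] not in VALID_TLDS:
        return "invalid TLD"
    if embeds_ip(ip, name):
        return "PTR contains part of the IP"
    subdomain = ".".join(labels[:-2])  # simplification: domain = last 2 labels
    if any(word in subdomain for word in DYNAMIC_WORDS):
        return "PTR indicates dynamic IP"
    return None

# Constructed samples (documentation address ranges, made-up names).
SAMPLES = [
    ("192.0.2.10", None),
    ("192.0.2.11", "host.example.invalid"),
    ("198.51.100.7", "198-51-100-7.example.com"),
    ("203.0.113.5", "cpe.dyn.example.net"),
    ("203.0.113.26", "mx-203-0-113-26.dyn.example.com"),
    ("203.0.113.30", "www.example.de"),
]

if __name__ == "__main__":
    for ip, ptr in SAMPLES:
        print(ip, ptr, "->", classify(ip, ptr))
```

Run against your own sending IPs and their PTR names, this shows which rule a generic or missing reverse record would trip before the address reaches a list like this one.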
For this list, we observe the behavior of SMTP clients connecting to our traps and our partners' mail services. It lists any IP exhibiting irregular SMTP client behavior in a way that indicates that it is a compromised host or service (including IoT devices), an open proxy, a VPN, a Tor exit node, or a host infected by a virus/worm or botnet.