
About URIBL



Services

Public DNS Service

For low-volume end users, we provide public DNS mirrors distributed around the world to answer your queries through products like SpamAssassin, which have built-in support for URIBL.COM. Many other commercial anti-spam products support realtime DNS blacklists. Consult your documentation on how to configure your software to use multi.uribl.com for domain reputation.

RSS Feed Service

URIBL provides an abundance of information on its RSS Feeds Website, in both HTML and XML formats for automation purposes. Our summary reports track the most abused nameservers, IP addresses, MX Records, Whois Nameservers and Whois Registrars for the last 8 hours, 24 hours, 7 days, and 14 days.

The Blacklisted domains by Nameserver feeds allow nameserver operators to track abuse on their networks by simply subscribing to the RSS Feed for the nameservers they are responsible for. We also provide lists of blacklisted domains by Registrar, so abuse managers can subscribe to these feeds and easily action domains that are abusing their Terms of Service, as well as Freeweb abuse feeds for sites like Geocities and Tripod, which have a good amount of abuse to keep track of.

Lookup and Submission Forms

The URIBL website offers a lookup page to check a domain's listing status, and submission services to delist domains from URIBL. A login is required to submit delist requests; you can Register for one here.

Commercial Data Feed Service

For high-volume users (see info on abuse), we offer commercial Data Feed Services over RSYNC and DNS. Datafeed over RSYNC allows companies to run URIBL.COM data in-house, increasing both speed and spam accuracy. Datafeed service also provides extra datasets and prelist data that is not available in public DNS, improving spam accuracy even more! Datafeed over DNS provides the same great information over existing public DNS, without the need for setting up or maintaining your own hardware to download and serve the zone data.

Click here for more information on datafeed service.


List Information

URIBL lists domains that appear in spam, NOT where they were sent from. Our lists are intended to be used with antispam software to help TAG emails as spam. We do not BLOCK. If you are being blocked by someone because you are on our list, take it up with the person blocking you, not us!

Public URIBL Lists:

  • black.uribl.com - This list contains domain names belonging to and used by spammers, including but not restricted to those that appear in URIs found in Unsolicited Bulk and/or Commercial Email (UBE/UCE). This list has a goal of zero False Positives. This zone rebuilds frequently as new data is added.
  • grey.uribl.com - This list contains domains found in UBE/UCE, and possibly honour opt-out requests. It may include ESPs which allow customers to import their recipient lists and may have no control over the subscription methods. This list can and probably will cause False Positives depending on your definition of UBE/UCE. This zone rebuilds several times a day as necessary.
  • red.uribl.com - This list contains domains that actively show up in mail flow, are not listed on URIBL black, and are either: being monitored, very young (domain age via whois), or use whois privacy features to protect their identity. This list is automated in nature, so please use at your own risk.
  • white.uribl.com - This list contains legit domain names that we do not want to show up on any other URIBL lists. This list is pretty static, with only a handful of changes per day. URIBL white is not currently bitmasked into multi.uribl.com. If you want to query it, you have to send a separate query. This zone rebuilds as needed.
  • multi.uribl.com - This zone checks whether a domain is on any of our lists. It rebuilds if any of the above zones are rebuilt, with the exception of white.

Private URIBL Lists:

    Access to this zone data is currently only available via Data Feed Service.
  • df.uribl.com - This zone is a drop in replacement for "multi.uribl.com". It contains everything multi does, and adds additional return bits for Gold (127.0.0.16), black_a (127.0.0.32), black_ns (127.0.0.64), and black_nsip (127.0.0.128).
  • gold.uribl.com - This list contains proactive black listings, with the goal of reducing miss rate associated with reactive listings due to the build and replication delay. Once a domain in this list begins to show up in mail flow, it will be moved over to the public black.uribl.com list. This zone rebuilds frequently as new data is added.
  • Extra Datasets - Datafeed users have access to additional datasets such as black_ns.txt and black_nsip.txt, which can be utilized by SpamAssassin for identifying new spam domains based on their nameserver or nameserver ip. These zones, along with the Gold prelist data, help to reduce the lag time of getting new spam domains rebuilt into the zone data.


Implementation

To utilize these lists, please see the Usage page.

Our lists only have the top level domain information. We strip all hostparts from URIs before addition, with the exception of a few domain names which tend to be heavily abused (see https://rss.uribl.com/hosters/). In those cases, we do list the subdomain prior to the abused domain name. So when you query our lists, make sure you have done proper scrubbing of the URI before submitting the query, or you may not get the results you expect.

We do list IP addresses! Not where the mail was sent from, but where the URI in the body is trying to take you. To query an IP address on our list, use the reversed IPv4 dotted decimal address. For example, 1.2.3.4 should be queried as 4.3.2.1.multi.uribl.com.

The multi.uribl.com list contains all of the list data, and is the list that we recommend you query to produce your results instead of making separate requests to each list. If a domain is found on multi, it will return an IP address of 127.0.0.X, where X is the value for the list it is on. See the following reference.

X   Binary    On List
---------------------------------------------------------
1   00000001  Query blocked, possibly due to high volume
2   00000010  black
4   00000100  grey
8   00001000  red
14  00001110  black,grey,red (for testpoints)
---------------------------------------------------------

Other bitmasked values, such as 6, 10, and 12 should no longer occur, as we have no reason to cross-list domains on multiple lists. Our testpoints (2.0.0.127 and test.uribl.com) are the only items that are cross listed, and they should return the bitmasked value for the combined hits, currently 127.0.0.14.
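
The query-name rules and the return-value table above, as an added example that is not part of the original page or of URIBL's own software. It assumes the domain has already been scrubbed down to the form URIBL lists; the function names and the fail-open handling in `lookup` are choices made for this example.

```python
import ipaddress
import socket

# Bit values from the reference table on this page (multi.uribl.com).
MULTI_FLAGS = {1: "blocked", 2: "black", 4: "grey", 8: "red"}
# df.uribl.com adds these return bits (datafeed zone described on this page).
DF_FLAGS = {**MULTI_FLAGS, 16: "gold", 32: "black_a", 64: "black_ns", 128: "black_nsip"}


def query_name(item, zone="multi.uribl.com"):
    """Build the lookup name for an already-scrubbed domain or an IPv4 address."""
    item = item.strip().rstrip(".").lower()
    try:
        ip = ipaddress.IPv4Address(item)
    except ipaddress.AddressValueError:
        return f"{item}.{zone}"  # domain: queried as-is under the zone
    # IPv4: reverse the dotted-decimal octets, e.g. 1.2.3.4 -> 4.3.2.1
    return ".".join(reversed(str(ip).split("."))) + f".{zone}"


def decode(answer, flags=MULTI_FLAGS):
    """Turn an A-record answer (None for NXDOMAIN) into a set of list names."""
    if answer is None:
        return set()  # NXDOMAIN means not listed
    octets = ipaddress.IPv4Address(answer).packed
    if octets[:3] != b"\x7f\x00\x00":
        # A resolver that rewrites NXDOMAIN to a real address must not count as a hit.
        raise ValueError(f"unexpected answer outside 127.0.0.0/24: {answer}")
    x = octets[3]
    if x & 1:
        # Low bit set (127.0.0.1, and 127.0.0.255 as shown for blocked resolvers):
        # the query was refused, so the answer says nothing about the domain.
        return {"blocked"}
    return {name for bit, name in flags.items() if x & bit}


def lookup(item, zone="multi.uribl.com", flags=MULTI_FLAGS):
    """Live lookup (assumption: system resolver; any failure is treated as not listed)."""
    try:
        answer = socket.gethostbyname(query_name(item, zone))
    except socket.gaierror:
        answer = None
    return decode(answer, flags)
```

Keeping "blocked" separate from a real listing matters when scoring mail: a blocked resolver should neither tag every message as spam nor be read as a clean result.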


Testing

To test functionality of the lists, we have published test points on each zone: 2.0.0.127 and test.uribl.com. The host or dig command can be your friend. If you need to look up a domain in our database and do not want to mess with a DNS call, please use our Lookup Form.


LISTED TEST RESULTS

  # host -tA 2.0.0.127.multi.uribl.com
  2.0.0.127.multi.uribl.com has address 127.0.0.14

  # ping 2.0.0.127.multi.uribl.com
  PING 2.0.0.127.multi.uribl.com (127.0.0.2) 56(84) bytes of data.
  64 bytes from 127.0.0.14: icmp_seq=0 ttl=64 time=0.033 ms

NOT LISTED TEST RESULTS

  # host -tA domain.tld.multi.uribl.com
  Host domain.tld.multi.uribl.com not found: 3(NXDOMAIN)

  # ping domain.tld.multi.uribl.com
  ping: unknown host domain.tld.multi.uribl.com

TEST POINTS

  # host -tTXT test.uribl.com.multi.uribl.com
  test.uribl.com.multi.uribl.com text "permanent testpoint"

  # host -tTXT 2.0.0.127.multi.uribl.com
  2.0.0.127.multi.uribl.com text "permanent testpoint"

Abuse

Our public mirror infrastructure consists of donated hardware and bandwidth. If you abuse it, we will block your IP, or your nameserver IP that is producing the excessive queries.

Disable DNSBL Queries in SpamAssassin
To prevent SpamAssassin from sending DNS queries to our public mirrors, zero out the following URIBL tests by adding these lines to your local.cf:

  score URIBL_BLACK 0
  score URIBL_RED 0
  score URIBL_GREY 0
  score URIBL_BLOCKED 0

Blocked Query Testing
Use the tests below to see whether you are being blocked from querying the public mirrors.


NOT BLOCKED

  # host -tA 2.0.0.127.multi.uribl.com
  2.0.0.127.multi.uribl.com has address 127.0.0.14

BLOCKED - NEGATIVE RESPONSE ACL

  # host -tA 2.0.0.127.multi.uribl.com
  Host 2.0.0.127.multi.uribl.com not found: 3(NXDOMAIN)

  * Negative response ACLs will be converted to split-horizon filtering if no action is taken.

BLOCKED - SPLIT-HORIZON DNS FILTER

  # host -tA blocked.uribl.com
  blocked.uribl.com has address 127.0.0.255

  * A 'ping' instead of 'host -tA' will also work.
  * A negative response means the NS is not blocked at this level.

BLOCKED - POSITIVE RESPONSE ACL

  # host -tA 2.0.0.127.multi.uribl.com
  2.0.0.127.multi.uribl.com has address 127.0.0.255 127.0.0.1 (As supported by SpamAssassin)

  # host -tTXT 2.0.0.127.multi.uribl.com
  2.0.0.127.multi.uribl.com descriptive text "1.2.3.4 has been block due to excessive queries."

  * Positive ACLs will only be used for extreme cases.

If you use your ISP Nameservers for resolution, and they are blocked, consider running your own caching nameserver. Otherwise, consider the commercial datafeed service to run local copies of the URIBL zones and keep your queries on your own network.