UnrealIRCd Forums

I found this BL zones usefull , take a look on their websites ferequently for their dns replies ..


****************************
dnsbl.sorbs.net
127.0.0.2 = "HTTP"
127.0.0.3 = "Socks"
127.0.0.4 = "misc"
****************************
dnsbl.ahbl.org
127.0.0.3 = "Open Proxy"
127.0.0.19 = "Open Proxy"
****************************
dnsbl.njabl.org
127.0.0.9 = "Open proxy"
****************************
bl.spamcop.net
127.0.0.2 = "Blocked"
****************************
dnsbl-1.uceprotect.net
127.0.0.2 = "Black Listed"


there are much more , but use them with care , some listed whole ISP's or they have old IP's in their lists .

if you like just to see who uses Open Proxy/Black Listed IP (in defined channel in conf file) and not Gline/Zline it , in kline part just put " " , e.g:
kline = " ";
there are some other ways , but needs code changing in scan.c dnsbl.c ...

heh, I did this a while back... http://searchirc.com/boards/viewtopic.php?t=2499

What are the best DNSBL to use be ?

and what other ones to use ?


dnsbl.sorbs.net
tor.dnsbl.sectoor.de
cbl.abuseat.org
dnsbl.njabl.org
list.dsbl.org
Node Rebellion DroneBL
AHBL - ircbl.ahbl.org / tor.ahbl.org

The best DNSBL's would be a matter of personal choice to be honest. So it really all depends on which ones work best for you and your network. So i would suggest giving them a trial period to see which ones give you the most false positives and then dont use those.

dnsbl.sorbs.net sux, too many false positives, that wasn't checked again since 2002.

bl.spamcop.net - most common usage - DNSBL for mail, not for IRC.

cbl.abuseat.org - vewy-vewy good BlockList.
ircbl.ahbl.org - the same

AHBL is said to be ok.
opm.blitzed was good but is dead now, as you might know.

SORBS, NJABL, spamcop are ones I would never run, and probably nobody else should either[*]. Too many false positives (innocent users being banned), as mentioned by pretty much everyone who has used it :P.

The TOR blacklists can be a good addition as well. Haven't tried them. Be sure you use the correct replies though (see documentation of the blacklist), because some have the option to mark the whole subnet a TOR server is on as blacklisted, which is IMO a bad idea (server at 1.2.3.4 would also tag 1.2.3.5 as bad).

[*] You can still make BOPM send a notice or whatever instead of klining, if it matches such blacklists.

If you want information on the Tor black lists have a look at this thread: http://forums.unrealircd.com/viewtopic. ... =tor+dnsbl

I've been gathering up some good DNSBL to use - seeing what is good and what not --- personal choice.


the ones to use

cbl.abuseat.org
ircbl.ahbl.org
tor.dnsbl.sectoor.de - exit server

personally i've found ABHL to give way more positives that real proxies, and have stopped using it, as they don't seem to do anything about dynamic ip addresses.

tor.dnsbl.sectoor.de also has exitnodes.tor.dnsbl.sectoor.de which just lists the exit nodes themselves without responding for the whole subnet/class

For the Tor DNSBL's you can chose whether to block the whole subnet or just the exit node depending on the response you get back from the DNSBL.

I stopped using sectoor.de BL today.... 98% of lookups were timed out.

Now switching to another one for testing.

A list of DNSBLs I found the other day http://rbl.efnet.org

JanisB wrote:
cbl.abuseat.org - vewy-vewy good BlockList.

What are the responses for this one?

Oyarsa wrote:What are the responses for this one?

Goto http://cbl.abuseat.org/faq.html then scroll down to "DNSBL Setup Recommendations"

This one looks like its meant more for email than for IRC though. Any false positives on this for those that are using it?