Check the bottom of this page to get more information about migrations to version 5 or here to view the DNSBL Project dashboard.
A DNS-based Blackhole List (DNSBL, Real-time Blackhole List or RBL), is a means by which an Internet site may publish a list of IP addresses, in a format which can be easily queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS or Domain Name System. DNSBLs are chiefly used to publish lists of addresses linked to spamming. Most mail transport agent (mail server) software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists (Source)
We are regularly scanning new proxies that are reported to us and we're also trying to keep updated with the "Tor"-network proxies, a network that forgets that anonymity can be a problem when we are speaking abuse.
dnsbl.tornevall.org: Default zone
opm.tornevall.org: Added 1 june 2016 (Deprecation as of 30 june 2013 was reverted)
bl.fraudbl.org: Added 22 june 2016
|1||IP has been reported|
Meaning: The ip has been reported from a third party application, honeypot, but may not necessarily be confirmed by our local sweepers (this is for proxies)
As there may be SMTP-servers amongst our hosts, this bit value may be unsafe to use and in the case of SMTP, there is no available confirmation.
|2||IP has been confirmed as working proxy|
June 2016: When FraudBL is used, this mask confirms the host as fraudible (Servers used for phishing, fraud, etc)
|8||IP was tested, but was never returning anything|
Meaning: The ip may be fixed by the owner and therefore it's not working anymore
|16||June 2016: E-Mail spammer|
This is the former field for failed connections, which there is no interest in
|32||IP is tested and is fully functional but there is a second entry point (meaning this ip is not the same as the one that has been used by the user"), or the address is an exit node in TOR-network|
|64||IP is marked as "abusive". Primary used to point out spam or attacks through webforms, forum, telnet, etc.|
June 2016: When FraudBL is used, this mask are also added, which means that - for example - if there is a phishing case (mail) the bit will be set to over 64 (4+16+64).
|128||IP has a different anonymous-state (web-based proxies, like anonymouse, etc)|
|Follows all bitmasks as dnsbl.tornevall.org generates.|
FraudBL has just been started as a separate project - for the moment you can reach the site at https://fraudbl.org. FraudBL - Explained has been added here at the docs (from fraudbl.org), for your convenience.
FraudBL is a separate project, which lists mail that contains all kinds of phising. However, dnsbl.tornevall.org is covering FraudBL too so you actually don't need to resolve against both domains unless you don't want another scoring on the FraudBL content. Since dnsbl.tornevall.org collects all kinds of spam, the scoring is normally lower rated than the phising mail.
More information about the scoring can be found at DNSBL for Spamfilters.
We are currently working on a complete migration to a new system. Here, you can find the status of that project.
Older versions from 2006 are following TornevallWEB versioning (1.x-4.x).
The complexity of some of our functions are described in . However, the project is being made on spare time, so if something else happens in the private life of Tornevall, it will get higher priority. However, if there are disruptions in the services, such cases will also have higher priority.