AHBL DNSbl Code Responses & Meanings

To help you understand why an IP is listed in our DNSbl database, we have established the following policies:

Open Relay (Response: 127.0.0.2)
This IP address is listed because it is an open SMTP relay - either a single relay, or a multi-stage relay.  An open SMTP relay means that a third party can send e-mail through the server on that IP address without authorization (to spam, for example).

Open Proxy (Response: 127.0.0.3)
This IP address is listed because it is an open proxy (SOCKS4/5, HTTP-Connect, and others).  An open proxy means that a third party can access the server and hide their true identity and masquerade as the server they connected to.  The most common use for open proxies is to spam while hiding where the spam is actually coming from.

Spam Source (Response: 127.0.0.4)
This IP address is listed because it is either sending spam, 419 scams, or other illegal content, or is on a netblock that is infested with spammers (and the provider refuses to deal with the customer in question).  While we do have single IP addresses listed, we more commonly list /24 netblocks and larger.

Provisional Spam Source Listing Block (Response: 127.0.0.5)
This IP address is listed because it was seen sending spam, 419 scams, viruses/trojans (which could be used to spam), or other illegal content, and investigation is in progress.  If the abusive activity stops, the listing will be removed.  However, once the investigation is complete, the IP will be moved to another category.

Formmail Spam (Response: 127.0.0.6)
This IP address is listed because the web server is running an insecure script on one of its websites.  This insecure script is allowing spam, 419 scams, or other illegal content to be sent through the server unrestricted.

Spam Support (Response: 127.0.0.7)
This IP address is listed because the provider, which owns the netblock, is acting as a front for spammers (e.g., WholeSaleBandwidth), is completely ignoring spam/abuse reports, is providing support services for the spammers (DNS, websites, etc.), or has a contract not to terminate the spammer for their actions.

Spam Support Indirect (Response: 127.0.0.8)
This is the same as the Spam Support category, but is for situations where an upstream provider refuses to deal with a customer whose customer is spamming.

End User (Response: 127.0.0.9)
This IP address is an end user system which should not be sending e-mail.  This is not a DUL type list, but rather for providers who wish to have their dynamic IP space or end user IP space that should not be sending spam listed to prevent spam/abuse.

Shoot On Sight (Response: 127.0.0.10)
This IP address is listed for one of several reasons.  The provider, individual, or company did one of the following:

* Cart00ney threats made towards the AHBL, SOSDG, other blacklists, and spam fighters.
* Attempted and unsuccessful legal attacks against the AHBL, SOSDG, other blacklists, and spam fighters.
* Promotes, supports, or incites attacks against the AHBL, SOSDG, other blacklists, spam fighters, and others on the Internet.

The SOS listings are also known as the 'cart00ney listings'.  Once a provider is in the SOS listings, there is normally no way to have the IP space delisted.  However, we do make exceptions to this policy under certain situations.

Please note that SOS listings are considered 'sticky', meaning that they will follow the person/individual/company/ISP being listed no matter where they go, or if they change IP space.

Non-RFC Compliant - No abuse or postmaster (Response: 127.0.0.11)
This IP address is listed because the server does not have a proper abuse@ or postmaster@ contact for their mail system.

Does not properly handle 5xx errors (Response: 127.0.0.12)
This IP address is listed because the mail server on it does not properly handle 5xx errors (i.e., GO AWAY/permanent errors).  This means that the mail server is trying to blast many e-mails in a short amount of time, either to non-existent addresses or to accounts which have this host blocked, even after being told it is not getting through or the user does not exist.

Other Non-RFC Compliant (Response: 127.0.0.13)
This IP address is listed because the mail server on it does not follow accepted standards set forth in RFCs.  This is a generic listing that covers anything not covered in the other non-RFC compliant listings.

Compromised System (Response: 127.0.0.14-127.0.0.18)
These are various categories that cover systems infected by DDoS drones, trojans, viruses, and malware/ratware that are used for spamming.

Other (Response: 127.0.0.127)
This IP address is listed for reasons other than those stated above.
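
The following is an added example, not AHBL's own code, showing how a mail filter could decode the response codes listed above. The zone `dnsbl.example` and the function names are assumptions; the reversed-octet query name is the usual DNSBL convention (RFC 5782), and the answers are passed in as strings so the code runs without a resolver.

```python
import ipaddress

# Last octet of the 127.0.0.x answer -> category, as listed on this page.
CATEGORIES = {
    2: "Open Relay", 3: "Open Proxy", 4: "Spam Source",
    5: "Provisional Spam Source Listing Block", 6: "Formmail Spam",
    7: "Spam Support", 8: "Spam Support Indirect", 9: "End User",
    10: "Shoot On Sight", 11: "Non-RFC Compliant - No abuse or postmaster",
    12: "Does not properly handle 5xx errors",
    13: "Other Non-RFC Compliant", 127: "Other",
}
CATEGORIES.update({n: "Compromised System" for n in range(14, 19)})


def query_name(ip, zone="dnsbl.example"):  # zone is a placeholder (assumption)
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answers):
    """Sort the A records returned for one query into three buckets.

    listed  - categories for codes documented on this page
    unknown - 127.0.0.x answers with no documented meaning
    invalid - anything that is not a 127.0.0.x code; never treated as a listing
    An empty answer list (NXDOMAIN) leaves all three buckets empty: not listed.
    """
    result = {"listed": [], "unknown": [], "invalid": []}
    for answer in answers:
        try:
            octets = ipaddress.IPv4Address(answer).packed
        except ValueError:
            result["invalid"].append(answer)
            continue
        if octets[:3] != b"\x7f\x00\x00":
            result["invalid"].append(answer)
        elif octets[3] in CATEGORIES:
            result["listed"].append(CATEGORIES[octets[3]])
        else:
            result["unknown"].append(answer)
    result["listed"] = sorted(set(result["listed"]))
    return result
```

Rejecting mail only on the `listed` bucket keeps an unexpected answer, such as a public address returned by a redirected zone, from being read as a listing.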