Roaring Penguin Software's DNSBLs
The CanIt Reputation List collects IP reputation data from a worldwide network of sensors. Roaring Penguin aggregates this data into four DNS-based block lists:
- Spam Source: A list of IP addresses that have sent mostly spam and very little non-spam.
- Mixed: A list of IP addresses that have sent a significant amount of spam, but also quite a bit of non-spam.
- Dictionary Attackers: A list of IP addresses that have sent to many nonexistent recipients and very few valid recipients.
- Greylist Stumblers: A list of IP addresses that have been thwarted by greylisting. Such machines are typically compromised personal computers.
IPv6 Reputation List
In addition to Roaring Penguin's IPv4 based reputation list, in 2010 we announced the availability of our IPv6 based reputation list.
Access to the CanIt Reputation List (CanIt-RL) is included free with the following Roaring Penguin Products:
We do not sell access to the lists separately from CanIt.
Q: How are the lists compiled?
A: The lists are compiled from real-time reports submitted by a worldwide network of sensors to Roaring Penguin's servers. The lists are updated hourly.
Q: How long does a machine stay on the list?
A: Since the lists are compiled automatically, a machine stays on the list until its behaviour changes. When we compile the lists, we use a 45-day window of event data, so it may take several days or even a few weeks for a behaviour change to be effective enough to change a machine's reputation.
Q: What are the criteria for listing?
A: We do not list any IP address until we have seen at least ten reports for it. Once we reach that threshold, we apply the following criteria:
- If a machine has been thwarted by greylisting at least 5 times, and has never passed greylisting, we add it to the Greylist Stumblers list.
- If a machine has sent to at least 10 invalid addresses, and the number of invalid addresses is at least twice the number of valid addresses, we add it to the Dictionary Attackers list.
- If a machine has had at least 10 messages automatically determined to be spam and this is greater than the number automatically determined to be non-spam, OR if the machine has had at least 5 messages hand-voted as spam and this number is higher than the number hand-voted as non-spam, we list the machine on Spam Source (However, the machine will go onto Mixed if it has sent a significant amount of non-spam.)
- If the machine is not on any of the bad lists, and the number of non-spam reports is at least 20 times the number of spam reports, we list the machine on Good.
Note that listing is completely automatic. There is no human intervention on the part of Roaring Penguin personnel.
Q: How do you delist a machine?
A: To delist a machine, you need to change the behaviour that caused the machine to be listed in the first place. Eventually, the machine will be delisted. For urgent delisting requests, or if you think your machine has been listed by mistake please contact Roaring Penguin at firstname.lastname@example.org. Please provide your:
- IP address
- E-mail of system administrator
- Phone number
- Reason for removal
Q: How Can I check if my Host Name is on the CanIt Reputation list?
A: To check and see if your Domain or IP Address is on the CanIt Reputation list click here.
Roaring Penguin takes all false positives very seriously and tries to have them removed from CanIt-BL as quickly as possible. Please provide as much detail as you can in the reason for removal section of your submission. Please understand that this is a manual process. Allow at least 24 hours for investigation and processing of your submission.