pofon.foobar.hu

Hello and welcome!

This is pofon, the fast-expiration spambot-network DNSBL.

If you've been sent here because you're listed please proceed to the last section, but technically you have nothing useful to do here around. You've got yourself listed: stop what you're doing (which is usually sending spam or using illegally acquired credentials, using various methods) and your entry will expire soon. Start doing it again and you'll be relisted for an exponentially longer period.

How to use

The lists here are offered to the general public until further notice. You're free to use it personally or commercially but try to be sensible and use your local caching resolver. If you happen to generate too much traffic (right now a few request per second is okay) then you may be temporarily disabled (so if you plan to generate more it's better to contact me and let us arrange an agreement; I may try to contact you so keep your RIPE/ARIN records fresh).

You should use the standard DNSBL acess methods. If you don't know what I'm talking about you should not use it.

pofon DNSBLs
DNSBL base subdomain purpose description
pofon.foobar.hu active spambot IP blacklist This is an automatically built and fast expiring list containing currently active spambots.
uribl.pofon.foobar.hu spam-hosting URI (URL) blacklist Contains URLs found in spam body.
ispmx.pofon.foobar.hu ISP mail relay whitelist These are known ISP mail relay servers, which may send spam only on behalf of their customers but almost never being a part of a real spambotnet. You should score/analyse these email instead of rejecting.

Inner working of zones

pofon.foobar.hu

This zone contains active spambot network members, hopefully with low false positive rate.

When a zombie gets reported it starts with 4 hours expiration. If the zombie stays active the expiration counts from the last activity (so if it's active it stays listed). When the activity stops and the entry expires it's gone from the list.

If a zombie gets listed and possess a history entry (it's been listed in the past and expired) we list it a bit longer; right now it's double of the the last expiration. If a zombie come and go several times we consider it a long-term spambot member and thus expire it later and later.

Standard reply is 127.0.0.2, it means the entry is automatically listed and expire.

Manual entries are 127.0.0.4 which usually mean either a spambot which was tricky enough not to trigger automagical filters and alerted a human inspector or a genuine spam source, usually long-term. These entries may possess a longer expiration, upper limit is the thermodynamical death of the Universe.

This list contains both IPv4 and IPv6 entries.

You may use this list for outright rejecting connections. This is generally not advisable for usual lists due to their wide coverage and slow expiration (which in turn results higher false positive rate) but pofon ought to expire fast enough to unlist inactive spambots.

uribl.pofon.foobar.hu

This is a URI DNSBL by popular demand (from the side of the spammers, that's it). Right now the policies of this zone are hazy, the entries are manual and the expiration is occasional. We have higher FP rates here since some phishers chose to use too-easy-to-use free web providers to host phishing and malware sites and we hardly ever have transactions with them (so blacklisting them causes no local collateral damage), but YMMV and this list may not be suitable for you.

If you use it please do monitor it occasionally and drop it if it'd cause you problems.

There are plans to spamanalyze the crap we catch but it's not yet happening.

Use this list for spam scoring (like for SpamAssassin).

v6.pofon.foobar.hu

You wouldn't have guessed that this is the IPv6 only zone. This is being aggregated into pofon above.

v4.pofon.foobar.hu

I'm not even sure why you're reading this. :-) This is obviously the IPv4 part of the pofon aggregate should you require a separated zone.

ispmx.pofon.foobar.hu

This whitelisting zone lists ISP mail relays we happen to know (or care) about.

Mail relays are not spambotnet members and we do not want to list them this way. Their relayed spam should be caught otherwise. These addresses should never be listed in pofon zones, but we provide you with the zone if you want to use it for your local whitelisting.

Requirements to be listed are a bit hard: we require working abuse contacts (including email and phone), a valid, established ISP or IAP, verifiable existence, acceptable nonspam history and obvoiusly only addresses of real mail relays. Since entries are manually verified the update speed is extremely low.

I'm listed, what now?

Panic!

…okay, no, don't panic. There are several reasons you may be listed.

Contact us

We prefer you not to contact us unless you intend to cover our costs.

But, anyway, you may use hulyevagyok@foobar.hu to get yourself listed permanently since it's intended to catch the stupid.

If you do not prefer to have your permanent entry avoid using the address above. For removal requests, despite what have been said before, you still can use this form, but expect a few days, weeks, or years delay in due course.

For all other (non-removal) inquiries, comments, hate mail, lawyertalk and other content with high amusement value you may use the pofonfeedback local part with the same domain you've seen above. We may read your email, and in exceptional cases we may even choose to reply.

If you want to use our lists for higher traffic sites use the same address as above and try to include as much details as possible. If you intend to offer money don't forget to mention it, but due to the low probability of this happening we probably will read your mail anyway. We believe admins helping one another, after all.


©2013-14 by Pofon Cabal. You may use this text under the Creative Commons BY-SA-4.0 license.