How Blacklists Work

Realtime blacklist databases list IP addresses that are known to send spam. They also list IP addresses that run open mail relays, because a spammer can easily hijack these systems to send out spam. Each blacklist has its own reasons for listing an IP address. Among the more common reasons are dial-ups, bulk mailers, spammers, and open relays.

Categorizing IP Addresses in Separate Domains

Just as blacklists have different criteria for including IP addresses, they also have different ways of categorizing them. Some blacklists use different domains (called query domains) to separate IP addresses based on the reason they are blacklisted. One domain will contain only IP addresses for dial-up accounts, while another will contain only IP addresses for bulk mailers. This type of categorization lets you choose the reasons for which you want to refuse mail, and then query only the domains that contain IP addresses listed for those reasons.

Categorizing IP Addresses by a Reason Code/IP Address

Other blacklists return a reason code in the form of an IP address (e.g., 127.0.0.3) that indicates why an IP address is blacklisted. Although all IP addresses are listed in one domain, each entry carries a reason code that explains why it is included. For example, a code of 127.0.0.3 may represent a dial-up account, and a code of 127.0.0.4 might represent a bulk mailer. The Fiveten blacklist is an example of one of these blacklists.

How to Determine Which Method a Blacklist Uses

Unfortunately, there is no standard across blacklists. One blacklist may use separate query domains, and another may use reason/IP codes. Likewise, there is no standard across the reason/IP codes that are returned. For one blacklist, 127.0.0.3 may represent dial-ups, while on another blacklist the same code may represent bulk mailers. The best resources for finding out this information are the blacklists themselves. By going to their web sites, you can learn how each blacklist classifies the listed IP addresses.
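The following is an added example, not part of the original documentation or of any mail server's own code. It shows why a filter needs a separate interpretation table per blacklist: the same answer, 127.0.0.3, is classified differently depending on which list returned it. The list names, query domains, code meanings and DNS data are constructed for illustration, and the lookup name uses the common DNSBL convention of reversing the IPv4 octets in front of the query domain, which this page does not itself describe.

```python
import ipaddress

# Constructed per-blacklist configuration. The list names, query domains and
# code meanings are hypothetical; real values come from each blacklist's site.
BLACKLISTS = {
    "list-a": {"domains": {"dialups.list-a.example": "dialup",
                           "bulk.list-a.example": "bulk mailer"}},
    "list-b": {"domains": {"bl.list-b.example": None},
               "codes": {"127.0.0.3": "dialup", "127.0.0.4": "bulk mailer"}},
    "list-c": {"domains": {"bl.list-c.example": None},
               "codes": {"127.0.0.3": "bulk mailer"}},
}

def query_name(ip, domain):
    """DNSBL convention: reverse the IPv4 octets and append the query domain."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + domain

def classify(ip, resolve, blacklists=BLACKLISTS):
    """Return {list name: set of reasons}. resolve(name) yields A-record
    strings, or an empty list when the name does not exist (IP not listed)."""
    findings = {}
    for name, cfg in blacklists.items():
        for domain, fixed_reason in cfg["domains"].items():
            for answer in resolve(query_name(ip, domain)):
                # Separate-domain lists: the domain itself is the reason.
                # Reason-code lists: use that list's own code table.
                reason = fixed_reason or cfg.get("codes", {}).get(
                    answer, "unknown code " + answer)
                findings.setdefault(name, set()).add(reason)
    return findings

def should_reject(findings, unwanted):
    """Reject only for the reasons the administrator chose to act on."""
    return any(reasons & unwanted for reasons in findings.values())

# Constructed DNS data standing in for live lookups (192.0.2.0/24 is a
# documentation address range).
ZONE = {
    "25.2.0.192.dialups.list-a.example": ["127.0.0.2"],
    "25.2.0.192.bl.list-b.example": ["127.0.0.3"],
    "25.2.0.192.bl.list-c.example": ["127.0.0.3"],
}

def fake_resolve(name):
    return ZONE.get(name, [])

if __name__ == "__main__":
    print(classify("192.0.2.25", fake_resolve))
```

To use it against live data, replace `fake_resolve` with a function that performs an A-record lookup and returns an empty list when the name does not exist.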
