Domain: spamhaus.org
Stories and comments across the archive that link to spamhaus.org.
Comments · 861
-
couldn't have happened to a nicer company ;)
As a company that hosts spammers and threatens lawsuits (cartoonies) against anti-spammers, I can only hope the crooks stole the spam servers as well.
http://www.spamhaus.org/sbl/listings.lasso?isp=cihost.com -
Script to get Spamhaus DROP for iptables
A simple combination of Spamhaus's DROP list and iptables gives:
curl -s http://www.spamhaus.org/drop/drop.lasso | grep '^[1-9]' | cut -f 1 -d ' ' | xargs -I X -n 1 iptables -A INPUT -s X -i eth0 -j DROP
Credit to robotterror.com which seems to be down right now. -
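Added example (not the one-liner above and not Spamhaus's own DROP script): a small Python parser for the DROP text format that feeds an ipset instead of one iptables rule per network, so the list can be swapped atomically with `ipset restore` and a garbled or tampered feed cannot blackhole the whole Internet. It assumes the documented format of one "CIDR ; SBLid" entry per line with ";" comment lines; the feed text below is constructed with documentation prefixes and placeholder SBL ids, not a real download, so the block runs offline.

```python
"""Parse a Spamhaus DROP-format list and emit ipset/iptables rules.

Added example; it is not the one-liner from the post above nor Spamhaus's own
DROP script. It assumes the documented DROP text format: one 'CIDR ; SBLid'
entry per line, comment lines starting with ';'. The feed is read from a
string so this runs offline; the data below is constructed, not real listings.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample in DROP format (placeholder SBL ids, documentation prefixes).
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not a real download)
; Last-Modified: Mon, 01 Jan 2007 00:00:00 GMT
192.0.2.0/24 ; SBL00001
198.51.100.0/24 ; SBL00002
192.0.2.0/24 ; SBL00001
203.0.113.8/32 ; SBL00003
not-an-address/24 ; SBL00004
10.0.0.1/8 ; SBL00005
0.0.0.0/0 ; SBL00006
2001:db8:dead::/48 ; SBL00007
"""

SET_V4 = "spamhaus-drop4"
SET_V6 = "spamhaus-drop6"
# Guard against a garbled or tampered feed blackholing everything: refuse
# prefixes shorter than these (assumed thresholds; DROP entries are /8 or longer).
MIN_PREFIX = {4: 8, 6: 19}


def parse_drop(text: str) -> Tuple[list, List[str]]:
    """Return (valid networks in feed order, de-duplicated), (rejected tokens)."""
    nets, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # header / comment line
        token = line.split(";", 1)[0].strip()
        try:
            # strict=True: host bits set inside a prefix is a malformed entry
            net = ipaddress.ip_network(token, strict=True)
        except ValueError:
            rejected.append(token)
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append(token)        # too broad to be a real DROP entry
            continue
        if net in seen:
            continue                      # duplicate line
        seen.add(net)
        nets.append(net)
    return nets, rejected


def ipset_restore(nets) -> List[str]:
    """Lines for `ipset restore`: rebuild one v4 and one v6 hash:net set."""
    lines = [
        f"create {SET_V4} hash:net family inet -exist",
        f"create {SET_V6} hash:net family inet6 -exist",
        f"flush {SET_V4}",
        f"flush {SET_V6}",
    ]
    for net in nets:
        name = SET_V4 if net.version == 4 else SET_V6
        lines.append(f"add {name} {net.with_prefixlen}")
    return lines


def firewall_rules() -> List[str]:
    """Hook the sets in both directions: DROP means don't route *or* peer."""
    return [
        f"iptables -I INPUT  -m set --match-set {SET_V4} src -j DROP",
        f"iptables -I OUTPUT -m set --match-set {SET_V4} dst -j DROP",
        f"ip6tables -I INPUT  -m set --match-set {SET_V6} src -j DROP",
        f"ip6tables -I OUTPUT -m set --match-set {SET_V6} dst -j DROP",
    ]


if __name__ == "__main__":
    nets, rejected = parse_drop(SAMPLE_DROP)
    print("\n".join(ipset_restore(nets)))     # pipe into: ipset restore
    print("\n".join(firewall_rules()))
    print(f"# rejected entries: {rejected}")
```

Feeding the `ipset restore` output replaces the set contents in one step, so a refresh never leaves a window with the list half-loaded, and the rejected entries are printed rather than silently dropped so a broken download is noticed.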
Re:RBL-XBL
Regarding spamhaus, there's the DROP list http://www.spamhaus.org/drop/ plus a perl script http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#116 to turn that list into route commands which block those networks. If it has to be iptables for you, the script shouldn't be too hard to customize.
-
Most spammers are still from the USA though
Although the RBN are certainly bad guys, Slashdotters should pls resist the tendency to assume that all the bad guys are nasty, foreign types. Most of the bad guys - for example spammers - as usual, are home-grown.
Of the 133 worst spammers on the Spamhaus ROKSO list, the vast majority of the world's worst spammers are from the USA, followed after a big gap by nasty foreigners from Israel, Ukraine, China and yes Russia too:
-
Re:Could we just block Russia?
easy, just look at the spamhaus statistics.
-
Spamhaus DROP list FTW!
RBN addresses (and assorted other nasties) are also listed in the Spamhaus DROP (Don't Route Or Peer) list. IMO, it's a useful thing to drop (pun intended) into your firewall...
-
Re:RBL-XBL
They actually have a drop list
-
This article is useless without IP addresses
The Spamhaus project has a list of Russian Business Network addresses, for what it's worth.
I wonder if anyone has ever found a remote exploit that will get past iptables -j DROP recently. -
One down, 199 to go.
Not that I'm suggesting that the Russian Mafia 'handle' the rest of the ROKSO list, but....
OK -- well, at least they shouldn't say that I put them up to it.
-
Re:Hotmail is unreliable anyway
Our (100% legitimate, double opt-in) mailing list
As a legitimate list admin, please read this, and consider using the less confusing term, "confirmed opt-in" instead of "double opt-in".
You won't need to feel obligated to refer to yourself as "legitimate" once your choice of language announces that for you.
-
Re:need?
perhaps you should block "huge netblocks" from the US too as long as they are the number one shit spewer and bot haven.
-
Re:other day
Good luck - the ISPs are the ones that are *hosting spammers* for profit:
You think Verizon cares about spammers? Think again:
http://www.spamhaus.org/sbl/listings.lasso?isp=verizon.com
You think Comcast cares about spammers? Think again:
http://www.spamhaus.org/sbl/listings.lasso?isp=comcast.net
You think AT&T cares about spammers? Think again:
http://www.spamhaus.org/sbl/listings.lasso?isp=att.net
Large ISPs are too busy making money off spammers and pretending they care about the spam issue to listen to the piddly whines of their customers. -
Re:When will EBay notify?
In addition to mr_mischief's post, check the raw email headers and look at where it came from.
It's so very easy to use a direct SMTP connection to either a relay or the target server and just lie about who sent the email using the "FROM" header.
SMTP is one of those annoying protocols that is just too damned "okay" (and ubiquitous) to be reimplemented with better source address verification. (See http://en.wikipedia.org/wiki/Sender_Policy_Framework http://en.wikipedia.org/wiki/DomainKeys and http://en.wikipedia.org/wiki/Sender_ID )
If you can verify that it came from a mail relay, try contacting them about it. A lot of times the server admin doesn't realise they've buggered the security (once I contacted one that had accidentally connected his NIC to the WAN instead of LAN... he was a bit shocked). That at least helps countless other people.
You can also check if that relay is already on http://www.spamhaus.org/ and consider adding it otherwise.
If it really is her email that's been hacked, just change her password to a /decent/ one. -
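Added example (not code from the comment above): the header check it describes, done programmatically. The From header is whatever the sender typed; the one line you can trust is the Received header your own MTA stamped when it accepted the connection, and within that line only the bracketed peer address, since the "from" name is the attacker-chosen HELO. The block assumes our MTA writes itself as mx.example.org (an assumption) and parses a constructed message, not a real capture, so it runs offline.

```python
"""Walk Received headers to find the host that actually handed us a message.

Added example, not code from the comment above. Assumes our MTA identifies
itself as 'mx.example.org' after 'by' (assumption); the message below is
constructed, not a real capture.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

OUR_MTA = "mx.example.org"   # assumption: the name our MTA writes after 'by'

# Constructed message: forged From, a forged Received line planted by the
# sender, and above it the line our MX added on delivery (most recent on top).
RAW = """\
Received: from mail.bank.test (unknown [203.0.113.77])
\tby mx.example.org (Postfix) with ESMTP id 4B2C1
\tfor <victim@example.org>; Mon, 1 Jan 2007 10:00:00 +0000
Received: from secure.bank.test (secure.bank.test [198.51.100.5])
\tby mail.bank.test with ESMTP; Mon, 1 Jan 2007 09:59:00 +0000
From: "Bank Security" <security@bank.test>
To: victim@example.org
Subject: Please verify your account

Click here.
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Split one (possibly folded) Received line into helo, peer ip and 'by' host."""
    v = " ".join(value.split())                       # unfold continuation lines
    helo = re.search(r"\bfrom\s+([\w.-]+)", v)
    by = re.search(r"\bby\s+([\w.-]+)", v)
    ip = None
    m = IP_RE.search(v)
    if m:
        try:
            ip = str(ipaddress.ip_address(m.group(1)))  # reject '[garbage]'
        except ValueError:
            ip = None
    return {"helo": helo.group(1) if helo else None,
            "by": by.group(1) if by else None,
            "ip": ip}


def hops(raw: str) -> List[Dict[str, Optional[str]]]:
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def originating_hop(raw: str, our_mta: str = OUR_MTA) -> Optional[Dict[str, Optional[str]]]:
    """First Received line written by us: everything below it is untrusted."""
    for hop in hops(raw):                 # top of the header block = most recent
        if hop["by"] == our_mta:
            return hop
    return None                           # never passed through our MTA


def triage(raw: str) -> Dict[str, Optional[str]]:
    """What the From header claims versus where the connection really came from."""
    origin = originating_hop(raw) or {"ip": None, "helo": None}
    from_addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return {
        "from_domain": from_addr.rpartition("@")[2] or None,
        "origin_ip": origin["ip"],
        "origin_helo": origin["helo"],   # claimed name; not proof of anything
    }


if __name__ == "__main__":
    print(triage(RAW))
```

The forged second Received line (198.51.100.5) is ignored because it sits below the line our MTA wrote; the peer that really connected is 203.0.113.77, which is the address to look up in a DNSBL or report to the relay's operator, not anything in the From header.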
Re:Monitoring and shutting down
The second part of this is already being done. Spamhaus's SBL and ROKSO databases can show a list of recent IP block listings as well as listing by ISP. See here: http://www.spamhaus.org/sbl/latest.lasso
-
I have an answer
Congress needs to earmark funding for the FBI to prosecute spammers under CAN-SPAM.
Yeah, whiners on Slashdot say CAN-SPAM is horrible, because it legalizes spam. What they forget is that CAN-SPAM only legalizes it under certain rules, which spammers are ignoring because there's no enforcement. According to this article from last year, only 0.27% of all junk mail actually complies with CAN-SPAM, which means the other 99.73% is clearly illegal. On top of that, the 0.27% is deliberately easy to filter out if you choose.
We don't need a new law to make spam illegal; CAN-SPAM already makes it illegal. We just need to start actually prosecuting people who break the law.
Yes, some spam comes from other countries where the FBI has no jurisdiction, but not as much as you might think, and I believe the FBI already has partnership agreements with agencies in several other countries to work together on fighting spam - they're just not doing enough of it.
Why won't this happen without an act of Congress? Because without a direct congressional mandate, the FBI has better things to do with its time and money. I don't blame them, really - raiding meth labs or catching serial killers is certainly important. But fighting spam is important too, and there's no reason the FBI couldn't do both.
So that's the answer. Spam is a social problem, more than it's a technical problem. We can try to fight it with technology, but spammers are fighting back, and they have the huge advantage of not being limited by morals or legality. We can't win with the odds stacked that high in their favor. The only way to win is to throw them all in jail. -
dnsbl's + other means for spam abatement to use
here's the BLs that I am using with sendmail that would go into your siteconfig.mc file -- that through trial and error -- I have found have zero false positive hit rate... n.b. that the XXX.r.mail-abuse.com (RBL) & XXX.q.mail-abuse.com (QIL) BLs require that you have a subscription to Trend Micro Advanced Email Reputation Services at http://us.trendmicro.com/us/products/enterprise/network-reputation-services/index.html -- you can get a free trial at https://nssg.trendmicro.com/download/trial/trial-services.php?id=66 -- make sure you select "Email Reputation Services, Advanced". you would then replace the "XXX" in the below with the activation code they would send you:
FEATURE(dnsbl, `XXX.r.mail-abuse.com.', `"550 Mail from " $&{client_addr} " BLOCKED/RBL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `zen.spamhaus.org.', `"550 Mail from " $&{client_addr} " BLOCKED/ZEN; see http://www.spamhaus.org/query/bl?ip=" $&{client_addr}')
FEATURE(dnsbl, `bhnc.njabl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/BHNC; see http://www.njabl.org/lookup?" $&{client_addr}')
FEATURE(dnsbl, `bl.spamcop.net.', `"550 Mail from " $&{client_addr} " BLOCKED/COP; see http://www.spamcop.net/w3m?action=checkblock&ip=" $&{client_addr}')
FEATURE(dnsbl, `list.dsbl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/DSBL; see http://www.dsbl.org/listing?" $&{client_addr}')
FEATURE(rhsbl, `dsn.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/DSN; MX of domain does not accept bounces in violation of RFC 821/2505/2821, see http://www.rfc-ignorant.org/tools/lookup.php?domain=" $`'&{RHS}')
FEATURE(rhsbl, `bogusmx.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/BMX; MX of domain contains bogus address information in violation of RFC 1035/3330, see http://www.rfc-ignorant.org/tools/lookup.php?domain=" $`'&{RHS}')
FEATURE(dnsbl, `XXX.q.mail-abuse.com.', `"450 Mail from " $&{client_addr} " BLOCKED/QIL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `safe.dnsbl.sorbs.net.', `"450 Mail from " $&{client_addr} " BLOCKED/SAFE; see http://www.dnsbl.sorbs.net/lookup.shtml?" $&{client_addr}')
i also use the http://hcpnet.free.fr/milter-greylist greylisting package as well as spamassassin with some custom score tweaks available at http://iconia.com/user_prefs. all this keeps my mailbox as well as other users at a college radio station and a commercial asp with lots of public email addresses on their respective websites relatively spam free.
respectfully submitted,
geoff goodfellow -
Re:NEVER use a DNSBL as an absolute block
"Spammers can get around blacklists anyways. They're about as effective as locking a door made of tissue paper. The number of false positives is high. The amount of spam blocked is negligible. My suggestion is to abandon the idea altogether..."
Thank you for your suggestion. It will be duly ignored, laughed at, or similarly ridiculed by those of us who actually run our own mail systems, or are responsible for such at work.
In my case, I'm self-hosted. Authoritative DNS for my domains, mail, web, Usenet, the works. I can say, from five-plus years of direct experience, that your statements above are just plain wrong.
I use a combination of Spamhaus and my own home-grown blacklist to keep spam in check. The few false positives I've gotten over the years have been ENTIRELY due to overly-broad entries in my LOCAL list, and have been easily and quickly corrected by white-listing.
I have NEVER received a false positive from any Spamhaus entry. Not once. The old SPEWS list, yes, but I haven't used them in years (and I'm leery of their successor, APEWS).
The fact remains that those who own mail systems have absolute and total authority over who they choose to communicate (or not) with. If a mail server operator decides to block a single address, a /24 IP address subnet, or even an entire country, that is their privilege. There is no legal recourse I know of that can force anyone to open their server(s) to traffic that they do not wish to carry (in short: private property rights).
Keep the peace(es). -
Re:Arguably Impractical but Satisfying Suggestions
That's great, but the United States will have to be cut off from the Internet first. The USA is the world's biggest spam source, according to Spamhaus.
http://www.spamhaus.org/statistics/countries.lasso
The United States emits *four* times as much spam as its nearest competitor, China.
Verizon is the world's spammiest ISP. -
Re:Arguably Impractical but Satisfying Suggestions
"* Problem with Spam traffic from India and China? Fine. Make a declaration that internet traffic from those countries will be severed from the Internet within 21 days unless all Spam activity ceases."
Ever heard of proxies?
Also, have a look at the ROKSO list. Most spam originates in the USA. They may route it through Russia or China or Korea, but its source is the USA. Block China, say, and next week it'll be coming via Brazil, or .... faster than you can reconfigure.
If the USA wants to take decisive action, something the government has actively avoided doing, it could shut down spammers in a week. How many spammers have been prosecuted and gone to jail? It's big news when they do, but only a handful have been prosecuted. The feds just don't care enough to build cases, even when the evidence is handed to them. Only if AOL or Microsoft push does anything happen.
Spammers have to make money. Credit card companies do that for them, and they are all based in the USA. As for the pump-and-dump spammers, that's a bit harder, but the stock exchanges should be able to block suspicious activity based on that. They don't care now because it's just foolish home investors losing money when they try to "take advantage" of the tips.
-
Re:Arguably Impractical but Satisfying Suggestions
If you want to stop high levels of spam you should tackle one of the top 5 spamming countries
The good old U S of A
check out http://www.spamhaus.org/rokso/index.lasso
SpamHaus's "weekly top 10" is interesting http://www.spamhaus.org/statistics/spammers.lasso -
Block the United States
Yahoo! and Hotmail are both USA companies, which is also where most spam originates, so the solution is simple.
Route-around the United States, and the problem is solved for most of us. They can rejoin the world when lawmakers take spam seriously. -
Re:11 years?
Most people believe they won't get caught. If you start catching and jailing 100s of spammers for even sentences of a few months AND fine them so they end up with a significant net loss, then spammers will stop spamming - because they start noticing that spammers ARE getting caught.
The problem is that the lion's share of spam can be traced back to very few individuals. Sentencing one of them to 10+ years in jail certainly sends a message to the rest of them. BUT I agree: it's still not enough. Once they've sentenced, say, 10 or 20 of the top spammers to 10+ years each, THEN it will start to show. Right now, it's nothing more than a blip on the radar of those ROKSO criminals. But now, not even this one has been sentenced yet. It's still to be seen how many years he'll finally get (probation? 2 to 5?)
-
Soloway Mocks MS Suit - Will he mock again?
Spamhaus Project has a rather long list of Soloway's recorded history. He mocks every attempt to nail him such as the lawsuit from Microsoft http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5164
We will probably do the same again..."I've been in business for over 10 years with the best accountants in the world, and lawyers in all 50 states that know how to run my business legally and protect me from all lawsuits that come my way.. not a concern.. I just pay them a few hours of my work and they take care of the entire cases for me..."
-
More on Soloway..
Soloway also has close ties to other arch-spammers Alex Polyakov and Leo Kuvayev. Between those three there is a substantial involvement in fraud, money laundering and even child pornography. It's hard to say who is responsible for what.. but I betcha that the Russians are running scared that Soloway will really start to talk. I've documented this connection a couple of times in the past (see here and here.)
There's plenty of evidence around to nail Soloway for a long, long time.. but to be honest he's not even the worst spammer out there. I suspect the possibility of a plea bargain is quite likely, so that international law enforcement can get to the even bigger fish.
-
spam haven just got better...
We have known for a long time that "Leo Kuvayev" (aka "Alex Rodrigez"), one of the most prolific spammers on the internet, has ties to the Russian mob ( see http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Leo%20Kuvayev%20/%20BadCow ).
Previously, he went out-of-state (as in outside of Russia) to register his spamvertised domains. Some of his favorite registrars even started their own pro-spammer policies to obfuscate his WHOIS data to prevent people from being able to find out who and where he was.
Now, it looks like his home state will do it for him, for free.
I'm just not sure what's in it for Russia. Other than keeping Kuvayev's registration money inside their country. -
Re:Yet, VERIO.NET are happy to host spammers
And yet:
http://www.spamhaus.org/statistics/networks.lasso
Not in the top-10 list. Kinda easy to pick on them. Any Idea how many IP addresses are in the 'Verio Network'?
I've dealt with them for years now. They have issues, what huge company doesn't?
Let me ask you, are the spammers located in their Shared Web hosting, their Managed or Virtual Private Servers department? how about their Dedicated Hosting? How about their T-1 or OC3 leasing? How about Verio Europe? Did you realize that they sold almost all of their T-1 services to Cogent Communications, but the whois info for the IPs still list Verio? How many other Hosting providers utilize Verio-owned IP addresses?
What are the Abuse Policies for these myriad departments? Are they related closely as say Marlboro and Kraft Mac&Cheese? As close as a Ford Ranger and an Aston Martin Vanquish? As close as a Lamborghini and a Le Baron?
I'm just saying. If you paint with that wide of a paint-brush, you miss details. You are not Bob Ross.
Happy Trees -
Re:Yet, VERIO.NET are happy to host spammers
"Of course, it's VERIO's network, they're free to have whomever they like as customers. I just find it dubious that they're TOS'ing Young for abuse or violations of their AUP when they simultaneously decide to host spamming scum:
http://www.spamhaus.org/sbl/listings.lasso?isp=verio.net"
I think they might be, actually - in several of the emails in the linked conversation between Verio and Cryptome, it warns them that people repeatedly receiving DMCA notices are in violation of the AUP. Doesn't sound like it matters whether the notices are fair or unfounded. -
Yet, VERIO.NET are happy to host spammers
Of course, it's VERIO's network, they're free to have whomever they like as customers. I just find it dubious that they're TOS'ing Young for abuse or violations of their AUP when they simultaneously decide to host spamming scum:
http://www.spamhaus.org/sbl/listings.lasso?isp=verio.net -
Re:xo
just don't bother hosting a mail server on XO, they are one of the biggest spammers in the US and heavily blacklisted.
http://www.spamhaus.org/sbl/listings.lasso?isp=xo.com -
No need to prove you are not a spammer
(A) At least 95% of spam is sent using fraudulent "From" addresses, most of them being addresses (like yours) taken often from the same list being spammed to. None of the major blocklists ever block based on the "From" domains in spams, nor indeed do we pay any attention to "From" addresses on spams. What gets blacklisted is the sending IP address or the IP of a web server hosting the spammer's website advertized in the spam. There has never, ever, been a case of a major blocklist listing someone based on the "From" address of spams, therefore this is not something to worry about.
(B) Thousands of people worldwide are bombed every day with 'undeliverable' bounces due to spammers using their addresses as the "From". The way to handle it is to never accept mail for non-existent usernames (anyone accepting mail for anyuser@ these days is nuts) and use a filter that can block on text strings such as "From: *daemon*", "Subject: *returned*|*undeliverable*", etc. Then, simply ignore it, the spammer will move on to using a different address tomorrow.
Steve Linford
The Spamhaus Project
http://www.spamhaus.org/ -
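Added example (not Spamhaus code): the filter suggested in part (B) of the post above, turned into a small scorer. Besides the "From: *daemon*" and "Subject: *returned*|*undeliverable*" strings it checks two signals that the strings alone miss, a null Return-Path (how real bounces are sent) and an RFC 3464 multipart/report body. Requiring two signals before quarantining is my own design choice, so that a genuine reply whose subject happens to contain "returned" is not eaten; the messages it parses are constructed, not real captures, so it runs offline.

```python
"""Recognise bounce traffic ('backscatter') from header signals.

Added example, not Spamhaus code. Implements the comment's string rules plus
a null Return-Path check and an RFC 3464 report check. The two-signal
threshold is an assumption of this example. Messages below are constructed.
"""
import re
from email import message_from_string
from typing import List

DAEMON_RE = re.compile(r"mailer-daemon|postmaster|mail delivery (?:sub)?system", re.I)
SUBJECT_RE = re.compile(
    r"returned mail|returned to sender|undeliver(?:able|ed)|delivery (?:status|failure)"
    r"|failure notice|mail delivery failed", re.I)

# Constructed bounce: null sender, daemon From, bounce subject, DSN body.
BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@relay.example.net>
To: someone@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host relay.example.net. Your message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; relay.example.net
Action: failed
Status: 5.1.1
--b1--
"""

# Constructed ordinary message: no bounce signals at all.
LEGIT = """\
Return-Path: <alice@example.net>
From: Alice <alice@example.net>
To: bob@example.org
Subject: Lunch on Friday?
Content-Type: text/plain

Still on?
"""

# Constructed reply that a subject-only rule would wrongly block.
SUBJECT_ONLY = """\
Return-Path: <carol@example.net>
From: Carol <carol@example.net>
To: bob@example.org
Subject: Re: returned mail from the lab

Got it back, thanks.
"""


def bounce_signals(raw: str) -> List[str]:
    """Every independent sign that this message is a delivery report."""
    msg = message_from_string(raw)
    signals = []
    if msg.get("Return-Path", "").strip() == "<>":
        signals.append("null return-path")       # how MTAs send real DSNs
    if DAEMON_RE.search(msg.get("From", "")):
        signals.append("daemon sender")
    if SUBJECT_RE.search(msg.get("Subject", "")):
        signals.append("bounce subject")
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        signals.append("delivery-status report")  # RFC 3464 structure
    return signals


def is_backscatter(raw: str, min_signals: int = 2) -> bool:
    """A genuine bounce for mail you did send looks identical; what separates
    the two is whether the quoted original was yours, which this does not check.
    With min_signals=1 this behaves like the comment's plain string filter."""
    return len(bounce_signals(raw)) >= min_signals


if __name__ == "__main__":
    for name, raw in (("bounce", BOUNCE), ("legit", LEGIT), ("subject-only", SUBJECT_ONLY)):
        print(name, bounce_signals(raw), is_backscatter(raw))
```

Note that this only hides the symptom; the fix the post actually recommends is upstream, rejecting mail for non-existent users at SMTP time so your own server stops generating such bounces for others.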
Re:Insanely arrogant USA judges
"Spamhaus requested that the case be handled by this court."
Rubbish.
-
I'm not being very original...
But reposting Spamhaus' own statement here seems reasonable. I hadn't read it before today myself.
A SLAPP lawsuit filed in an Illinois (United States) court by David Linhardt (aka e360 Insight LLC) against The Spamhaus Project Ltd., a British-based non-profit organization over which the US court had no jurisdiction, went predictably to default judgement when Spamhaus did not accept U.S. jurisdiction.
To get the lawsuit case accepted in Illinois, instead of filing in the correct jurisdiction (United Kingdom), David Linhardt fabricated under oath that Spamhaus "operates a business in Illinois". Despite being fully aware that Spamhaus was UK-based and that the British organization had correctly filed an Answer to the court declaring there was no jurisdiction, Illinois District Court Judge Charles Kocoras accepted Linhardt's false claim and proceeded, without asking to see proof of jurisdiction, to rule the British-based organization to be in Illinois jurisdiction. The Spamhaus Project in fact operates no business in the United States, has no U.S. office, agents or employees in Illinois or any other U.S. state.
The default judgement issued by Judge Charles Kocoras awards Linhardt, a one-man bulk email marketing outfit based in Chicago, compensatory damages for fictitious 'lost contracts' totaling US$11.7 million, orders Spamhaus to suppress evidence of illegal spamming by Linhardt and to permanently remove Linhardt's spam evidence records, orders Spamhaus to lie to the public by posting a notice on its website stating that Linhardt is "not a spammer" and orders Spamhaus to cease stopping spam sent by Linhardt's company e360 Insight LLC to Spamhaus' users.
Spamhaus firmly stands by its position that Linhardt is a spammer (i.e: "a sender of unsolicited bulk email"), Spamhaus has a large evidence archive of spam sent by Linhardt and spam advertising Linhardt's website www.bargaindepot.net, sent to Spamtraps and non-existent users, including spam sent by Linhardt to a number of Spamhaus own investigators. Plus Spamhaus has many complaints from Internet users ready to testify they never opted-in to any such list and were being spammed by Linhardt/e360. (see samples of e360 spam below)
Spamhaus additionally has samples of spams advertising www.bargaindepot.net sent, in violation of the U.S. CAN-SPAM Act, with false routing information, from compromised computers on ADSL lines in Vietnam, China, Korea, Taiwan and Norway.
Spamhaus also stands by the absolute right, under the European Convention on Human Rights, of Spamhaus' users to refuse access to their private mailboxes on their private networks to senders of unsolicited bulk email or indeed any unwanted email, a right established also in U.S. law by Chief Justice Burger, U.S. Supreme Court, who ruled: "The asserted right of a mailer stops at the outer boundary of every person's domain". Spamhaus maintains that while Linhardt has a right under U.S. law to send as much unsolicited bulk email as he likes, he has no right under any law to force Spamhaus users to receive it.
The Illinois ruling shows that U.S. courts can be gamed by spammers with ease, and that no proof is required in order to obtain judgments over clearly foreign entities. Additionally, as spamming is illegal in the United Kingdom, a U.S. judge ordering a British organization to not block incoming Illinois spam into Britain goes contrary to U.K. law which orders all spammers to cease sending spam in the first place.
Default judgments obtained in U.S. County, State or Federal courts have no validity in the United Kingdom and can not be enforced under the British legal system. A Plaintiff seeking to have such an order enforced must re-file the case in a British court of law and prove jurisdiction, as well as the small matter of proving the merits of the case, all of which were in this case bogus and would not have stood up in any court if tested. Spamhaus h -
Factual inaccuracy
"Default judgments obtained in U.S. County, State or Federal courts have no validity in the United Kingdom and can not be enforced under the British legal system. A Plaintiff seeking to have such an order enforced must re-file the case in a British court of law and prove jurisdiction, as well as the small matter of proving the merits of the case, all of which were in this case bogus and would not have stood up in any court if tested. Spamhaus had advised Mr Linhardt from the start that a U.S. judgement would be invalid outside of the United States and that he would need to re-file his case in the United Kingdom. Spamhaus understands that David Linhardt does not wish to file in the United Kingdom because his activities are illegal here."
With source, of course. Emphasis mine. The entire document linked here is worth reading.
TFsummary failed to mention this. -
Re:Tweaking liability laws
"Are you sure there are even hundreds?"
Well, the ROKSO list includes "131 Spam Operations as at 3/23/07", more than half American. Not all active 24/7 of course.
-
ZEN DNSBL
Make sure you update the RBL on your spam blocker to include zen.spamhaus.org. It contains the PBL (Policy Block List) which helps to filter out home internet connections. Zen includes the SBL and XBL, making it the replacement for sbl-xbl.spamhaus.org.
-
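Added example (not the sendmail configuration posted earlier and not Spamhaus code) covering both that FEATURE(dnsbl, `zen.spamhaus.org.') line and the ZEN comment above: what a DNSBL lookup actually does on the wire, and how to read the answer. A lookup is an A query for the reversed client address under the list zone (RFC 5782); an answer in 127.0.0.0/8 means "listed" and the last octet says which component list hit. The return-code table is the one Spamhaus documents for zen.spamhaus.org (127.0.0.2-3 SBL, .4-.7 XBL, .10-.11 PBL) and 127.255.255.x are its documented error answers. The resolver is a parameter so the block runs offline against a constructed answer table using documentation prefixes, not real listings; a real resolver using the stub resolver is included but not called.

```python
"""Do a DNSBL lookup the way FEATURE(dnsbl) does and decode Spamhaus ZEN answers.

Added example, not the sendmail configuration above and not Spamhaus code.
Return-code meanings are those Spamhaus documents for zen.spamhaus.org; the
answer table at the bottom is constructed so this runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

ZONE = "zen.spamhaus.org"

# Spamhaus ZEN return codes: which component list produced the answer.
ZEN_CODES = {
    "127.0.0.2": "SBL",       # Spamhaus Block List: verified spam sources
    "127.0.0.3": "SBL",       # SBL CSS (snowshoe / hijacked ranges)
    "127.0.0.4": "XBL",       # Exploits Block List: compromised machines, open proxies
    "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",      # Policy Block List: end-user space that should not send direct
    "127.0.0.11": "PBL",
}
# Answers in 127.255.255.0/24 describe a problem with the query (for example
# sent via an open/public resolver, or query limit exceeded), not a listing.
ERROR_PREFIX = "127.255.255."

Resolver = Callable[[str], List[str]]     # name -> A records, [] on NXDOMAIN


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the address octets (v4) or nibbles (v6) under the zone, per RFC 5782."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def lookup(ip: str, resolve: Resolver, zone: str = ZONE) -> Dict[str, object]:
    lists, errors = set(), []
    for answer in resolve(dnsbl_name(ip, zone)):
        if answer.startswith(ERROR_PREFIX):
            errors.append(answer)                    # the list is rejecting our query
        elif answer in ZEN_CODES:
            lists.add(ZEN_CODES[answer])
        elif answer.startswith("127."):
            lists.add(f"unknown({answer})")          # listed, code not in our table
        else:
            errors.append(answer)                    # not 127/8: wildcard or hijacked zone
    return {"ip": ip, "listed": bool(lists), "lists": sorted(lists), "errors": errors}


def verdict(result: Dict[str, object], authenticated: bool = False) -> str:
    """SMTP decision. Fail open on errors; never apply the PBL to authenticated submission."""
    if result["errors"]:
        return "accept"          # a broken lookup must not reject mail; log it instead
    hits = [name for name in result["lists"] if not (authenticated and name == "PBL")]
    return "550" if hits else "accept"


def sanity_check(resolve: Resolver, zone: str = ZONE) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not."""
    return (lookup("127.0.0.2", resolve, zone)["listed"]
            and not lookup("127.0.0.1", resolve, zone)["listed"])


def system_resolver(name: str) -> List[str]:
    """Real resolver via the stub resolver; NXDOMAIN becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answer table standing in for DNS (not real Spamhaus data).
FAKE_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],                  # RFC 5782 test entry
    "2.2.0.192.zen.spamhaus.org": ["127.0.0.2"],                  # SBL hit
    "3.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],    # XBL + PBL
    "6.2.0.192.zen.spamhaus.org": ["127.0.0.10"],                 # PBL only
    "4.2.0.192.zen.spamhaus.org": ["127.255.255.254"],            # error answer
    "5.2.0.192.zen.spamhaus.org": ["10.0.0.1"],                   # bogus non-127 answer
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    print("sanity:", sanity_check(fake_resolver))
    for ip in ("192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.9"):
        r = lookup(ip, fake_resolver)
        print(ip, r["lists"], r["errors"], verdict(r))
```

Two checks are worth keeping in any deployment: run sanity_check against the zone before trusting it (a list that has gone dark, or a zone that now wildcards, fails it), and keep the PBL off the authenticated submission port, since your own roaming users are exactly the dynamic space the PBL describes.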
If only more ISPs added their net blocks to PBL...
http://www.spamhaus.org/pbl/index.lasso
How hard is that?
And if all major providers did it, then zombie spam would die out pretty quickly. -
Re:The ISPs should lose their 'common carrier' sta
This is absolutely false. Blocking spam from compromised domains, absolutely. I agree with you 100% that blocking those emails is a service to the consumer, and so does the author. But blocking the user from navigating to a website in that IP block, an action which they have explicitly initiated, is another thing entirely.
But DID the user explicitly initiate the connection? Or was it due to something installed on their computer without their knowledge? Additionally, what's the difference between blocking known spam sources, and blocking connections to an IP address recognised as delivering nasty payloads? Take a look at, for example, http://www.spamhaus.org/sbl/sbl.lasso?query=SBL43489
A few IPs in that range were mentioned in an AUSCERT notification relating to trojan activity last week. Examination of my proxy logs indicated rather a lot of other unwanted activity for various other IP addresses throughout that range - typical "phone home" zombie stuff. As a result, I've put a blanket ban on web access to that range. The stuff on installing trojans appears to have been added to the SpamHaus listing this week - when I last looked, it was all about spam that originated from that range. This suggests that those who used to spam from these kind of ranges now do so from compromised machines and use their address space to host command/control machines and serve up browser exploits. The original purpose of the SpamHaus data was to indicate spam sources, but the abusers of many of those listed networks may have changed their strategy in response to being listed there.
Further examination of my proxy logs revealed something else - a significant number of connections to numeric addresses that turned out to be listed in various dynamic/dial-up RBLs, and had similar "phone home" or botnet-participant markers.
Now, we're a .edu.TLD, and as such a certain amount of openness and "academic freedom" is required... so I suspect that a blanket-ban on machines on our network establishing connections to web services on dynamic IP addresses won't fly - students and staff will set up home servers, hobbyists will run stuff off dynamic connections, etc. It's something that could be VERY important and useful to corporate or government IT departments, though, and I can see no reason why I wouldn't be able to get away with blocking web access to IPs listed in the SBL/XBL if I ran it past management and could find an easy and reliable way to implement it and monitor/whitelist anything that probably shouldn't be blocked that accidentally slips in... or until the site owners can get a legitimate listing resolved if I don't think there's a risk to my users from such a whitelisting, in much the same way as I can and do whitelist around email blocks.
I agree that it's an area with many questions unresolved and many grey areas, and I welcome the fact that people are starting to discuss this seriously. There is room for abuse in this kind of blocking, which is why transparency and accountability - and maybe a shitload of logging, too - are needed if it happens. I don't expect ISPs to capriciously block sites that they don't agree with politically or which compete with them commercially, and would kick up a stink if I found one had done that to me... but by the same token, if they knew another network was a source of abusive traffic and did nothing to stop that abusive traffic traversing their network I'd want to know why not.
-
The 10 Worst Spam Service ISPs
Guess which ISP is ranked as the world's worst by The Spamhaus Project, in terms of "the few networks who, out of corporate greed or mismanagement, choose to be part of the problem"?
http://www.spamhaus.org/statistics/networks.lasso
http://www.spamhaus.org/sbl/listings.lasso?isp=ver izon.com
Before rushing to praise Verizon, consider that Verizon are knowingly and unrepentently hosting more of the world's hardcore spam operations than any other network, anywhere in the world. -
Re:A good reason to be a Verizon customer
Huh? Verizon is still listed as Number 1 in Spamhaus' ISP spammers. http://www.spamhaus.org/statistics/networks.lasso That's irony.
-
Re:speed, speed and more speed - but where is it?
"Have we stopped caring about size and performance of programs?"
I guess we have. And according to all the Unsolicited Bulk Email I've been getting, I think I know what has taken its place in the "concern over size and performance" department.
-
I haven't seen a single spam in years... literally
"This is a risk management practice, and you need to decide where you want to put your risk. Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream."
Yes you can, its called dspam, and it works beautifully.
I, and none of my users, have seen a single spam email in over 3 years. I added graymilter and Project Zen from Spamhaus very recently, and it's helped even more.
Sure, there are false positives that get caught and quarantined, but dspam has a nice webui that lets me retrain them and forward them on to my mailbox. The users have the same web interface and can manage their own false-positives in the same way. They can set it to catch more, or catch less with a few clicks in the interface. Some of my users love HTML email from online stores, and some do not. Everyone can tweak and train the heuristics for their own mail, however they wish.
I have no problem now making any of my email addresses visible on the Internet, on forums, wikis, mailing lists or webpages, because I simply do not get spam, so its not a problem anymore.
-
Re:Nothing lost?
Yours is a common fear, but as you might know, fear is a poor motivation.
I can truly say there is a way to use the pleasure of RBLs, or more appropriately DNSBLs and never, ever, ever reject legitimate mail. That is simply to use the RIGHT dnsbls.
Forget about spews and others. These are quite aggressive.
Use the spamhaus sbl-xbl and see your amount of spammy connections plummet. Use just this one. It ONLY lists confirmed, actual spammer IPs that have gone through a rigorous validation process. Also, Spamhaus is an open organisation and they have excellent, and quick, delisting policies.
Really. Just use this one and cut your time spent on spam in half. You WILL like it.
I am NOT affiliated with them, and besides they're free anyway. -
Re:Your idea won't work.
"Foreign countries with different laws (or standards of justice) could be problems. But in reality, most spam comes from two or three dozen operations, and most of them are in the US or Europe."
US. We dirty, socialist Europeans might be primitive backwater savages living in a communist utopia without realizing that only War on (Terror|Drugs|Communism|Whatever) makes true happiness and we are also far behind in turning our countries into surveillance police-states, but at least spam is not originating from Europe in considerable quantity.
Check the ROKSO list if you want to know who the top spammers are. -
Re:Unfortunately it is the only way to go.