Skip to main content

Using the DNSBL

LimesIndex runs a public DNS-based blocklist at bl.limesindex.com. Mail servers can query it the same way they query Spamhaus ZEN or Barracuda — no API key needed.

How it works

For any IP you want to check, reverse its octets and prepend them to bl.limesindex.com, then do an A-record lookup:

IP to check:   192.0.2.55
Query:         55.2.0.192.bl.limesindex.com.
  • NXDOMAIN — the IP is not listed.
  • Any 127.0.0.x A-record — the IP is listed. The return code tells you why.

A TXT lookup on the same name returns a human-readable reason.

Return codes

Return codeMeaning
127.0.0.2Spam — pristine trap hits or aggregate volume
127.0.0.3SMTP open-relay attempt
127.0.0.4Cross-signal confirmed (trap + honeypot + other)
127.0.0.5Policy / manual listing

Return codes are stable — if we add new categories, they'll use new codes. Existing codes won't be reused.

Check it manually

# Listed IP — returns 127.0.0.2
dig +short 55.2.0.192.bl.limesindex.com A

# Reason string
dig +short 55.2.0.192.bl.limesindex.com TXT

# Clean IP — returns NXDOMAIN (no output)
dig +short 1.1.1.1.8.bl.limesindex.com A

Postfix

# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client bl.limesindex.com,
    reject_unauth_destination

Exim

# /etc/exim4/conf.d/acl/40_exim4-config_check_rcpt
  deny  message        = $sender_host_address listed by bl.limesindex.com: $dnslist_text
        dnslists       = bl.limesindex.com

Sendmail

# /etc/mail/sendmail.mc
FEATURE(`dnsbl', `bl.limesindex.com', `"550 Rejected: " $&{client_addr} " listed by LimesIndex"')dnl

Rspamd

# /etc/rspamd/local.d/rbl.conf
rbls {
  limesindex {
    symbol = "RBL_LIMESINDEX";
    rbl = "bl.limesindex.com";
    ipv4 = true;
    ipv6 = false;
    returncodes {
      LIMESINDEX_SPAM = "127.0.0.2";
      LIMESINDEX_RELAY = "127.0.0.3";
      LIMESINDEX_CROSSSIG = "127.0.0.4";
      LIMESINDEX_POLICY = "127.0.0.5";
    }
  }
}

How listings are populated

bl.limesindex.com is driven by the same underlying blocklist_listings table that the REST /v1/blocklist/* endpoints read from. Listings are created by the listing-engine-runner CronJob every 5 minutes from five rule sources:

  • 5+ pristine trap hits from one IP in 1 hour
  • 20+ total trap hits from one IP in 1 hour
  • 3+ unique pristine trap domains hit by one IP in 24 hours
  • Any SMTP open-relay attempt against the honeypot
  • 3+ distinct signal types for one IP (cross-signal confirmed)

Expiry is automatic — each rule has its own TTL, and repeat offenders escalate (24h → 72h → 7d → 30d).

False-positive handling

If you're a legitimate sender who got caught, contact abuse@limesindex.com with:

  1. The IP or prefix.
  2. Reverse DNS / HELO / sending domain.
  3. What you think went wrong.

We can delist individual IPs immediately and, depending on volume, add your prefix to a per-source allowlist.