Most spam lists have multiple levels of entries. When a query is sent to a DNS server asking whether an IP is listed, the response is an IP address that also works as a code.
For example, the Spamhaus project provides a list of valid return codes.
These codes are mapped inside the code with level names, where `white` is the best and `brown` the worst.
If you have a lot of time, you can read RFC 5782.
The short version is:
- Each blocklist provider generates DNS records for each IP that is listed (for ranges, one record for every single IP).
- The DNS system does its job and propagates the records.
- You can query with A/AAAA records for listed IPs:
  - Reverse the IP blocks (octets), e.g. `127.0.0.2` -> `2.0.0.127`
  - Select your spam list, e.g. `zen.spamhaus.org`
  - Query it: `dig 74.0.91.223.zen.spamhaus.org a +noall +answer`
  - Optional: when you get a result, check the TXT record for more details (e.g. a link for a removal request): `dig 74.0.91.223.zen.spamhaus.org txt +noall +answer`
- Due to the nature of DNS, removals take some time, and when you get listed it can also take some time until everyone gets the new records.
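
The steps above as an added Python example (not part of the original page or the project's own code): it builds the query name for IPv4 and IPv6 and classifies the answers printed by `dig ... a +noall +answer`, so that an error code or a non-DNSBL answer is not mistaken for a listing. The function names are hypothetical, the sample answers are constructed, and treating `127.255.255.0/24` as error codes is an assumption based on Spamhaus's published return codes.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Assumption: Spamhaus uses 127.255.255.x as error answers (query refused or
# malformed), not listings. Other providers may differ; check their code list.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip, zone):
    """Reverse the IP (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    reversed_ip = addr.reverse_pointer.rsplit(".", 2)[0]  # drop in-addr.arpa / ip6.arpa
    return f"{reversed_ip}.{zone.strip('.')}"


def classify_answer(rdata):
    """Classify one A-record answer as 'listed', 'error' or 'invalid'."""
    addr = ipaddress.ip_address(rdata)
    if addr.version != 4 or addr not in LOOPBACK:
        return "invalid"  # not a DNSBL code, e.g. a resolver rewriting NXDOMAIN
    if addr in ERROR_RANGE:
        return "error"  # the list refused or could not answer the query
    return "listed"


def verdict(dig_answer_text):
    """Summarise `dig ... a +noall +answer` output; empty output means not listed."""
    kinds = set()
    for line in dig_answer_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3] == "A":
            kinds.add(classify_answer(fields[4]))
    for kind in ("error", "invalid", "listed"):  # prefer "unknown" over "listed"
        if kind in kinds:
            return kind
    return "not listed"


# Constructed sample answers (not real lookups).
SAMPLE_LISTED = "74.0.91.223.zen.spamhaus.org. 60 IN A 127.0.0.2\n"
SAMPLE_ERROR = "74.0.91.223.zen.spamhaus.org. 60 IN A 127.255.255.254\n"

if __name__ == "__main__":
    print(dnsbl_query_name("223.91.0.74", "zen.spamhaus.org"))
    print(verdict(SAMPLE_LISTED), verdict(SAMPLE_ERROR), verdict(""))
```

An `error` or `invalid` verdict means the lookup itself cannot be trusted, so it should be retried or logged rather than counted as a hit on the list.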