Blacklist Check

Ever wonder if an IP address has been flagged as a spammer, botnet node, or general troublemaker? This endpoint checks it against 15 of the most widely used DNS-based blacklists (DNSBLs) in a single request.

If you run a mail server, this is the endpoint that tells you why your emails keep landing in spam. If you run a web app, this helps you figure out if that sketchy IP hitting your API is known bad actor.

Parameters

Important: This endpoint only accepts IPv4 addresses. If you pass an IPv6 address, you’ll get a 400 error. Most DNSBLs don’t support IPv6 lookups anyway, so this isn’t us being lazy. It’s just the reality of how blacklists work in 2024.

Response Fields

Blacklists Checked

The endpoint queries these 15 DNSBLs:

1. Spamhaus ZEN (zen.spamhaus.org) — The big one. Combines SBL, XBL, PBL, and CSS lists.
2. Barracuda (b.barracudacentral.org) — Widely used by enterprise mail filters.
3. SORBS (dnsbl.sorbs.net) — Spam and Open Relay Blocking System.
4. SpamCop (bl.spamcop.net) — User-reported spam sources.
5. UCEPROTECT Level 1 (dnsbl-1.uceprotect.net) — Individual IPs.
6. UCEPROTECT Level 2 (dnsbl-2.uceprotect.net) — Entire allocations with problems.
7. Lashback UBL (ubl.unsubscore.com) — Unsubscribe abuse tracking.
8. PSBL (psbl.surriel.com) — Passive Spam Block List.
9. DroneBL (dnsbl.dronebl.org) — Compromised machines and open proxies.
10. Abuse.ch (spam.abuse.ch) — Malware and botnet tracking.
11. CBL (cbl.abuseat.org) — Composite Blocking List (botnet detection).
12. NordSpam (bl.nordspam.com) — Nordic spam tracking.
13. WPBL (db.wpbl.info) — Weighted Private Block List.
14. Mailspike (bl.mailspike.net) — Reputation-based blocking.
15. Invaluement ivmSIP (ivmsip.invaluement.com) — Snowshoe spam detection.

Example Request

curl

curl "https://whatismyip.technology/api/blacklist?ip=192.0.2.1"

Python

import requests

response = requests.get(
    "https://whatismyip.technology/api/blacklist",
    params={"ip": "192.0.2.1"}
)
data = response.json()

print(f"IP: {data['ip']}")
print(f"Listed on {data['listedCount']} of {data['total']} blacklists")

for result in data["results"]:
    status = "LISTED" if result["listed"] else "clean"
    print(f"  {result['list']}: {status}")

JavaScript

const response = await fetch(
  "https://whatismyip.technology/api/blacklist?ip=192.0.2.1"
);
const data = await response.json();

console.log(`IP: ${data.ip}`);
console.log(`Listed on ${data.listedCount} of ${data.total} blacklists`);

data.results.forEach(({ list, listed }) => {
  console.log(`  ${list}: ${listed ? "LISTED" : "clean"}`);
});

Example Response

{
  "ip": "192.0.2.1",
  "results": [
    { "list": "Spamhaus ZEN", "listed": false },
    { "list": "Barracuda", "listed": false },
    { "list": "SORBS", "listed": true },
    { "list": "SpamCop", "listed": false },
    { "list": "UCEPROTECT L1", "listed": false },
    { "list": "UCEPROTECT L2", "listed": false },
    { "list": "Lashback UBL", "listed": false },
    { "list": "PSBL", "listed": false },
    { "list": "DroneBL", "listed": false },
    { "list": "Abuse.ch", "listed": false },
    { "list": "CBL", "listed": false },
    { "list": "NordSpam", "listed": false },
    { "list": "WPBL", "listed": false },
    { "list": "Mailspike", "listed": false },
    { "list": "Invaluement ivmSIP", "listed": false }
  ],
  "listedCount": 1,
  "total": 15
}

Errors

Runtime and Caching

This endpoint runs on Node.js (not Edge). It needs the dns module to perform DNSBL lookups, and the Edge runtime doesn’t have it. This means it runs in a single region rather than at the edge, so latency might be slightly higher than the other endpoints.

Responses are cached for 30 minutes. Blacklist status doesn’t change minute to minute. If an IP gets listed, it stays listed for hours or days. A 30-minute cache is totally reasonable and saves a lot of DNS queries.

How DNSBL Lookups Work

If you’re curious about the magic behind the curtain: DNSBL lookups are just DNS queries. To check if 192.0.2.1 is on Spamhaus, you reverse the IP octets and append the blacklist domain: 1.2.0.192.zen.spamhaus.org. Then you do a DNS A record lookup. If you get a response (usually 127.0.0.x), the IP is listed. If you get NXDOMAIN (no such domain), it’s clean.

The endpoint does all 15 of these lookups in parallel, so the total time is roughly equal to the slowest single lookup, not the sum of all of them.

Notes and Edge Cases

Private IPs (10.x.x.x, 192.168.x.x, 172.16-31.x.x) will pass validation but return all false results. Blacklists don’t track private addresses.

Clean IPs are normal. Most IPs aren’t on any blacklist. A listedCount of 0 is the expected result for a healthy IP.

Being on one list isn’t always a crisis. Some lists are more aggressive than others. UCEPROTECT Level 2, for example, can list entire IP ranges because of one bad neighbor. If you’re only on one or two obscure lists, it might not affect your email deliverability at all. But if Spamhaus or Barracuda flags you, that’s a problem worth fixing.

Delisting is not handled by this API. If your IP is listed, you’ll need to visit the blacklist’s website directly and follow their removal process. Each list has its own rules.

The response always contains exactly 15 results. Even if a DNS query times out for a particular blacklist, it returns listed: false for that entry. The assumption is that if we can’t confirm a listing, we treat it as clean. This keeps the response format consistent and avoids partial arrays.