The CBL - Composite Blocking List

The CBL FAQ

Click here to look up an IP address in the CBL.

Listing / Delisting questions

I delisted my IP, but it keeps getting relisted. Why?

Your IP keeps getting relisted because something on it is still being detected: a virus, an open proxy, a trojan spam-sender or some other sort of security compromise, or some unusual misconfiguration. Always ensure that viruses, open proxies, etc. are removed or secured before trying to delist your IP.

If you did all that but still keep getting listed, then see below for where to talk about the problem.

I don't have an open relay!

The CBL DOES NOT list open SMTP relays, hence open relay testers such as that at abuse.net and orbs.org are irrelevant to the CBL.

Many of our correspondents are confused by this statement, so it's a good idea to explain the difference between an open SMTP relay, and "open proxies" that we DO detect.

In a nutshell:

  • An SMTP "open relay" is a real mail server that has been misconfigured to accept email from anywhere on the Internet and relay it to somewhere else on the Internet. Mail servers should be configured to reject incoming email that isn't addressed to their own user base. But again, the CBL does not detect mail servers misconfigured this way.
  • An "open proxy" is a non-email server that can be tricked into sending email to third parties. These are usually misconfigured web servers, web proxies (eg: Squid), AnalogX, WinGate, SOCKS servers, or custom spamware illicitly installed on a machine (by a trojan downloader). This is what the CBL detects. More information
  • Apparently a recent upgrade/release of Merak (recent as of 2006/12/31) instantiates an open CONNECT proxy on port 32000 without warning. If you are running a recent version of Merak, please make sure that this proxy is turned off. If in doubt, do a port scan of port 32000.

    I'm running Linux (FreeBSD, OpenBSD, UNIX...) and CANNOT be infected with a virus!

    While it is perfectly true that UNIX-like operating systems are almost never infected by Windows viruses, there are a number of virus-like things that UNIX-like systems are susceptible to.

    For example:
    1. Windows emulation or virtualization software (eg: VMware or Wine) is just as susceptible to infection as native Windows. In fact, it's probably somewhat more likely that a Windows instance running under an emulator gets infected, because running under another O/S can lead to a false sense of security, and emulator instances are less likely to be protected with a full anti-virus suite.
    2. Open proxies (eg: insecure Squid configurations) leading to open proxy spamming.
    3. Acting as a NAT for a local area network - meaning that machines on the local area network could be infected, and the CBL detects the NAT's public address, not the LAN machine that's actually responsible. It's best to secure the NAT.
    4. Application vulnerabilities: many applications have security vulnerabilities, particularly those associated with PHP on web servers. Eg: older versions of PHPNuke, Mamba etc.

      Some of these vulnerabilities are serious enough that a malefactor can install a full proxy/trojan spamming engine on your machine and control it remotely. Watch out for strange directories being created, particularly those starting with a "." in /tmp. Check for this by doing an "ls -la" in /tmp (a plain "ls" hides dot-names), and look for directory names starting with "." (other than "." and ".." themselves).

    5. Rootkits are where a malicious entity has installed software on your machine and buried it in such a way that the normal system utilities cannot find it. In some cases they replace the normal system utilities with hacked versions that won't show their tracks.

      Check that every account that can log in remotely (eg: telnet, FTP, SSH) has a strong password (better still, use SSH keys and disable password logins), and inspect your logs for large quantities of failed SSH/telnet login attempts.

      Consider running a "system modification" detector such as Tripwire.

    6. Not all viruses are windows binaries. Some viruses/worms are in application-level files using non-binary programming techniques (such as macro viruses). These can be truly infectious cross-platform.
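
The two host checks from the list above (dot-directories planted in /tmp, and bursts of failed SSH logins in the auth log) as a script. This is an added example, not code from the CBL; the /tmp tree it inspects and the sshd log lines it reads are constructed inline, and the failure threshold of 3 is an assumed tuning value.

```python
"""Host checks for a UNIX box that keeps getting CBL-listed: hidden entries in
/tmp and per-source counts of failed SSH logins.  Added example; the sample
log lines and the sample /tmp tree are constructed here, not from a real host."""
import os
import re
import tempfile
from collections import Counter

# Matches OpenSSH "Failed password" lines; the "invalid user" prefix is optional.
FAILED_SSH = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample auth log: one source hammering root/admin, one lone typo.
SAMPLE_AUTH_LOG = """\
Jan  5 04:12:01 mx sshd[2104]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  5 04:12:03 mx sshd[2106]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan  5 04:12:05 mx sshd[2108]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Jan  5 04:12:09 mx sshd[2110]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jan  5 04:13:40 mx sshd[2130]: Accepted publickey for alice from 198.51.100.20 port 40012 ssh2
Jan  5 04:15:12 mx sshd[2142]: Failed password for alice from 198.51.100.20 port 40020 ssh2
""".splitlines()


def hidden_entries(path):
    """Names in `path` that start with '.' (what `ls -la` shows and a plain
    `ls` hides).  os.listdir never returns '.' or '..', so they need no filter."""
    return sorted(name for name in os.listdir(path) if name.startswith("."))


def failed_ssh_logins(lines):
    """Count failed SSH password attempts per source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_SSH.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_force_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failures (threshold is an assumed
    tuning value, not one the FAQ gives)."""
    return sorted(ip for ip, n in failed_ssh_logins(lines).items() if n >= threshold)


def build_sample_tmp():
    """Construct a throwaway /tmp-like tree with one hidden directory planted
    the way a dropped proxy/spam engine often leaves it."""
    root = tempfile.mkdtemp(prefix="cbl-demo-")
    os.mkdir(os.path.join(root, "session-cache"))   # ordinary, visible
    os.mkdir(os.path.join(root, ".x"))              # the kind of name to distrust
    with open(os.path.join(root, ".x", "proxy"), "w") as f:
        f.write("placeholder\n")
    return root


if __name__ == "__main__":
    tmp = build_sample_tmp()
    print("hidden entries in", tmp, "->", hidden_entries(tmp))
    print("failed SSH logins by source ->", dict(failed_ssh_logins(SAMPLE_AUTH_LOG)))
    print("likely brute-force sources ->", brute_force_sources(SAMPLE_AUTH_LOG))
```

On a real host run `hidden_entries("/tmp")` and feed `failed_ssh_logins` the lines of /var/log/auth.log (or /var/log/secure). A hidden directory in /tmp is not proof of compromise by itself, but combined with a CBL listing it is the first place to look, and a single source with dozens of failures is worth blocking at the firewall whether or not it got in.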

    What are the exact criteria for listing on the CBL?

    Those will not be disclosed because it may give spammers or virus writers hints on how to avoid the CBL.

    The next section provides information on how to diagnose persistent CBL relistings.

    CBL listing diagnosis

    Knowledge base on how to investigate persistent listings:

    1. First, use the lookup page to look up your IP address. In a number of cases, you will get specific information related to your listing, and you should follow those instructions first. What follows are more general instructions.

    2. If this IP address is that of a Network Address Translation (NAT), or Port Address Translation (PAT) firewall, router or gateway, click here, and carefully follow the instructions. Insecure NATs are probably the leading cause of ALL CBL listings.

    3. If this IP address is your personal computer, you must carefully check your machine for viruses, spyware, adware, open proxies and trojans and remove them. More information on scanning

    4. If this IP is dynamically allocated, click here

    5. If you have a wireless network/hub, see the same link as above.

    6. If this IP address is really that of your mail server, click here

    7. If you're being blocked with something other than email, click here

    8. Did you get blocked when you tried to send email to us? Click if yes

    9. If you sent email to the CBL, and got no response, chances are that you are running some sort of challenge/response filter of your own, your server blocked our email to you, or, your provider blocked your email to us without indicating that it did.

      We endeavor to answer all email, so if you don't get a response within a day or two, we recommend resending your query via a freemail service such as hotmail.

      The CBL team does not answer C/R challenges, so if you're using C/R, either pre-approve email back from us, or use another account.

    Can I nominate IP addresses or ranges for inclusion?

    No.

    Does the CBL contain any static or manually-maintained entries?

    No. (Except the standard test entry of 127.0.0.2)

    Usage questions

    General Filtering Practices

    These are some things to keep in mind when setting up filtering:
    1. KNOW what you're doing. You're doing email blocking, you are responsible for all blocking decisions, you should fully understand what you're getting your mail servers to do.
    2. No filtering technique is perfect. NONE. There will be both spam that gets through, and non-spam that gets blocked. You need to manage your expectations, and engineer your systems to minimize the effect of these "bad things".
    3. If you block email, you should do it at SMTP time, rather than accept-then-bounce. The latter can get you blacklisted for backscatter. NOTE: The CBL does not list for backscatter, other DNSBLs do.
    4. Make your rejection messages helpful - with some means by which an accidentally blocked user can contact you to remediate problems. If you block with a DNSBL, you MUST include the relevant IP address in the rejection - the sender often doesn't know which address was checked, because their mail went through a chain of mail servers before reaching you.
    5. It is a mistake to rely on a DNSBL for timely list removal. Even the very best DNSBL can have delays that may be unacceptable to you. Be prepared to locally whitelist if necessary.
    6. Generally speaking it's a good idea to let your user population know that you're doing spam filtering with at least some mention of what techniques are used.

      If appropriate, you may wish to consider implementing your filtering in such a way that individual users can opt-in or out of filtering.

    DNSBL Setup Recommendations

    Generally speaking, we prefer users to use the Spamhaus DNSBL system to get access to the CBL, instead of the CBL directly. This has a number of benefits including more DNS servers answering queries (hence less chance of overload/delay on queries) as well as being able to query all of their DNSBLs in one query. The CBL is wholly included in (and in fact is the largest part of) the Spamhaus XBL subzone.

    We recommend that you use the zen.spamhaus.org zone, see that link on how to use it.

    If you use the CBL directly (or via the XBL), you should only check the IP address of the machine that connected to your mail server. Going any further back into the Received chain is officially unsupported, and will yield more false positives: earlier Received headers were written by other people's servers (or forged by the spammer), and the CBL lists end-user machines that legitimately hand mail to their own ISP's relay, so you would end up rejecting their ISP's mail on their behalf.

    The SBL and XBL are also useful in environments where you can use DNSBLs to check the URLs in email, for example SpamAssassin's SURBL/URIDNSBL mechanisms. The following code snippet shows how to add SBL & XBL to SpamAssassin. Don't use PBL or Zen for this - some admins PBL-list their webservers and name servers because they don't send email, and thus using the PBL or Zen will incorrectly tag email because of URIs.

    uridnsbl URIBL_SBLXBL  sbl-xbl.spamhaus.org.   TXT
    body     URIBL_SBLXBL  eval:check_uridnsbl('URIBL_SBLXBL')
    describe URIBL_SBLXBL  Contains a URL listed in the SBL/XBL blocklist
    score    URIBL_SBLXBL  4
    

    Note: Current SpamAssassin's uridnsbl only checks the IP addresses of the name servers of a URI's hostname. It would be better to check the IP addresses the hostnames themselves resolve to as well.

    Other DNSBLs?

    We believe that an effective spam filtering system is a hybrid of a number of techniques, you should never put all your eggs in one basket. See Effective Spam Filtering for an excellent discussion of modern spam fighting techniques along with other tools.

    In addition to the excellent Spamhaus SBL, XBL and PBL subzones, here are a few other DNSBLs that you may wish to consider. It is extremely important that you evaluate them according to your needs. Some of these lists are NOT appropriate for certain environments.

    Before using DNSBLs, we recommend becoming familiar with the DNSBL lookup tools on dnsstuff.com.

    Jeff Makey provides a useful Blacklists Compared page.

    Only those DNSBLs we have personal experience with are listed here. While reading these, consider your options - they can either be used in a full blocking mode (a DNSBL hit means the email is blocked), or, as part of a scoring system (a DNSBL hit plus other "scores" are required for a block).

    1. NJABL. Like Spamhaus, NJABL is a reliable and responsible DNSBL that has a number of subzones. The NJABL proxy DNSBL is incorporated in the Spamhaus XBL (along with CBL). The NJABL Dynablock list has been decommissioned in favor of the Spamhaus PBL, and is now just a mirror of the PBL. If you're using NJABL Dynablock, replace it with the PBL lookup/naming conventions: some time in the not too distant future, the "NJABL named" version of the PBL will probably disappear. The NJABL open relay DNSBL is also good, but does not yield many hits these days.
    2. WPBL. This is a good, reliable and responsible DNSBL, however, as it has very low thresholds (and somewhat limited coverage) it is strongly recommended that it not be used as a single reason for email rejection - this is discussed on their web page. It should be used in a scoring system such as SpamAssassin.
    3. Spamcop. SpamCop is a good, solid, professionally operated DNSBL. Due to the way it's implemented, it used to occasionally "throw" undesirable false positives, and it was best used in a scoring system. Since then, changes have been made, and using it as an outright blocking mechanism is a reasonable choice.
    4. Invaluement DNSBL [Note: Commercial] ivmURI and ivmSIP are good, solid and professionally operated lists. ivmURI is a URI (domain) DNSBL like SURBL or URIBL, with high effectiveness (comparable with URIBL/SURBL), extremely low false positives, and quick to list. ivmSIP is an IP-based DNSBL which is particularly good at catching "new" emitters. Its FP rate is quite low. Neither should be considered a substitute for Zen/SpamCop, but both complement them well.
    5. SORBS The SORBS open relay, open socks and open proxy lists are good (noting that listing expiration is extremely long), but the other lists should not be used (especially dynamic), except in a scoring system with "moderate" scores.
    6. SPEWS The SPEWS list is dead - DO NOT USE. The SPEWS downloadable zone hasn't been updated since August of 2006, and most mirrors have emptied the zone. In its heyday (years ago), SPEWS was reasonably reliable, but generally not usable except in hobbyist mail server situations because of false positives and the difficulty in getting delistings, and otherwise only usable as part of a scoring system.
    7. APEWS When it became apparent that SPEWS was no longer being maintained, someone, or a group of someones, copied the SPEWS web pages and presumably the SPEWS list of the time, and operated it as a new DNSBL "APEWS". The new operators are far more aggressive than SPEWS ever was, and will list large chunks of net space over a single third party incident report that may not have had anything to do with spam. Eg: APEWS has been known to list entire netblocks because of a single out of date CERT report of a single IP acting as a bot C&C.

      APEWS is reportedly blocking 2/3rds of all usable Internet IP space.

      APEWS false positives in most situations are extremely high, and it should not be used except in some very specific circumstances (eg: single user systems via scoring). The main reason we mention APEWS is that DNSSTUFF queries APEWS listings, and it tends to alarm listees and cause long flamewars on the only places that people can find to discuss them (eg: news.admin.net-abuse.email), with no useful result. APEWS provides no mechanism for appealing listings, and we believe that is not best practice for DNSBL operation.

      As far as we can determine, few (if any) mail servers actually use APEWS, so, an APEWS listing is largely meaningless. Getting out of APEWS is very difficult, and APEWS can just about be completely ignored as being irrelevant.

      Most recent news: APEWS may no longer be queriable - most, if not all, of its "mirror/publishers" have withdrawn offering it (eg: APEWS listed at least one of its own mirrors).

    8. TQMcube lists (it has several) appeared popular and reasonably effective, however, the admin has completely vanished (we're rather worried about him), and the list appears to be on autopilot now.
    9. Regional DNSBLs. In some cases it may be desirable to use a DNSBL that lists certain regions of the world - for example, if you don't need or want to correspond in email with anyone in China, you can use a DNSBL specifically designed to list all IPs in China.

      There are a number of these lists, the best known are korea.services.net, and blackholes.us.

      BE AWARE that if you use them, you will get very little if any email from these regions. These list IPs in those regions, not IPs in those regions known to spam. Use them at your own risk. Or in a scoring system.

    10. ORDB, OSIRUS, MONKEYS, DSBL: just in case: these DNSBLs are defunct and should NOT be used.

    CBL query setup

    If you are using the Spamhaus Zen, sbl-xbl or xbl lists, you do not need to do this.

    Note if you are using the sbl-xbl list, we recommend that you switch to the Zen list. The sbl-xbl is obsoleted by Zen.

    See previous section on "DNSBL Setup Recommendations".

    Query zone: cbl.abuseat.org
    Query result: 127.0.0.2
    Query text: URL to lookup page with IP filled in

    DO NOT set your DNS server to be cbl.abuseat.org - use your ordinary DNS servers. It's the name of the zone and the name of this website, but NOT the name of the DNS server.

    Make sure you read the CBL Terms and Conditions.

    How do I configure my mail server to query the CBL?

    The documentation for your mail server will indicate whether it supports DNSBL queries and if so, how to configure them. The CBL is a standard IP-based blocking list just like the many others available.

    If possible, please configure your mail server to use the TXT record of entries in the rejection message. Otherwise, the recommended URL to include in rejections is http://cbl.abuseat.org/lookup.cgi?ip=x.x.x.x with the IP address of the sender filled in. Always include the IP address of the sender in rejection messages.

    How do I download the CBL as a list of IPs?

    The CBL list is available via the rsync protocol at the following location:

    rsync://rsync.cbl.abuseat.org/cbl/list.txt

    If you wish to download the CBL zone, YOU MUST register

    WARNING: it is CBL policy that spam filter and spam filter service vendors MUST obtain a paid-for feed from Spamhaus. Filter providers that do not have a paid-for feed from Spamhaus, or who have not registered for the CBL feed, MAY find themselves inhibited from obtaining a CBL feed without warning.

    The rsync protocol is used to allow efficient regular updates of the list without requiring all the data to be transferred each time.

    Recommended update interval is once or (at most) twice per hour.

    The format of list.txt is suitable for direct use with programs such as rbldns or rbldnsd.
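
How a mail server would put the preceding sections into practice - the "only check the connecting IP" rule, the query zone and its single return code, a rejection that names the IP and the lookup URL, a local whitelist that overrides the DNSBL, and membership tests against a locally rsync'd list.txt. This is an added example; it is not the CBL's own code nor any MTA's. DNS is simulated with a constructed answer table so the script runs offline; in production replace fake_resolve with a real query through your ordinary resolver (for example dnspython's dns.resolver). The list.txt excerpt is constructed, and its layout (rbldnsd ip4tset: "#" comments, an optional ":value:text" default line, one IPv4 address per line) is an assumption about the feed, not something this page spells out. The SMTP reply wording is ours, not the CBL's.

```python
"""Consulting the CBL from a mail server: DNS query, SMTP-time decision, and
the same check against a local copy of list.txt.  Added example; DNS answers
and the list excerpt are constructed, not real CBL data."""
import ipaddress

CBL_ZONE = "cbl.abuseat.org"
LISTED_RESULT = "127.0.0.2"                      # the CBL's single return code
LOOKUP_URL = "http://cbl.abuseat.org/lookup.cgi?ip={ip}"

# --- Simulated DNS -----------------------------------------------------------
# 127.0.0.2 is the standard test entry; 203.0.113.66 is a made-up listed host.
# Each value is (A record, TXT record); the TXT is a lookup URL as the FAQ says.
FAKE_DNS = {
    "2.0.0.127." + CBL_ZONE: ("127.0.0.2", LOOKUP_URL.format(ip="127.0.0.2")),
    "66.113.0.203." + CBL_ZONE: ("127.0.0.2", LOOKUP_URL.format(ip="203.0.113.66")),
}


def fake_resolve(name):
    """Return (A, TXT) for a DNSBL name, or None for NXDOMAIN.  Stand-in for DNS."""
    return FAKE_DNS.get(name)


def dnsbl_name(ip, zone=CBL_ZONE):
    """Reverse the octets and append the zone:
    203.0.113.66 -> 66.113.0.203.cbl.abuseat.org.  This is a name to query
    through your normal resolver, not the name of a DNS server."""
    addr = ipaddress.IPv4Address(ip)             # ValueError on anything not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_lookup(ip, resolve=fake_resolve):
    """Listed -> TXT text (or the lookup URL if no TXT came back); else None."""
    answer = resolve(dnsbl_name(ip))
    if answer is None:
        return None
    a_record, txt = answer
    if a_record != LISTED_RESULT:
        return None          # unexpected value: never bounce mail on a mis-served zone
    return txt or LOOKUP_URL.format(ip=ip)


# --- Local copy of list.txt --------------------------------------------------
# Constructed excerpt in the assumed rbldnsd ip4tset layout.
SAMPLE_LIST_TXT = """\
# constructed sample, not real CBL data
:127.0.0.2:Listed in the CBL
203.0.113.66
198.51.100.9
"""


def load_list(text):
    """Parse list.txt into a set of addresses for O(1) membership tests."""
    listed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(":"):     # blank, comment, or default-value line
            continue
        listed.add(str(ipaddress.IPv4Address(line)))
    return listed


def local_lookup(ip, listed):
    """Same contract as dns_lookup, but against the rsync'd copy."""
    return LOOKUP_URL.format(ip=ip) if str(ipaddress.IPv4Address(ip)) in listed else None


# --- SMTP-time decision ------------------------------------------------------
def smtp_decision(peer_ip, lookup=dns_lookup, whitelist=()):
    """Check only the connecting peer (never earlier Received hops).  A local
    whitelist wins over the DNSBL; a hit is rejected at SMTP time, naming the
    IP and the lookup page, rather than accepted and bounced later.
    Returns (accept, reply line)."""
    peer = ipaddress.IPv4Address(peer_ip)
    if any(peer in ipaddress.IPv4Network(net) for net in whitelist):
        return True, "250 OK (locally whitelisted)"
    why = lookup(peer_ip)
    if why is None:
        return True, "250 OK"
    return False, "550 5.7.1 Client [%s] is listed by %s; see %s" % (peer_ip, CBL_ZONE, why)


if __name__ == "__main__":
    listed = load_list(SAMPLE_LIST_TXT)
    for ip in ("127.0.0.2", "203.0.113.66", "198.51.100.9", "192.0.2.1"):
        print(ip, smtp_decision(ip), smtp_decision(ip, lookup=lambda i: local_lookup(i, listed)))
```

The whitelist is applied before the lookup, which is the local override the filtering practices above recommend when a list is slow to delist; the 550 reply carries both the peer address and the TXT/URL so a blocked sender behind a chain of relays can see which address is listed. A site large enough to warrant the rsync feed swaps the lookup function for local_lookup and refreshes the set once or twice an hour, keeping the same decision code.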

    How do I run a local CBL zone?

    If you do this, then please restrict the use of such a local CBL zone to within your own organization, and do not publish or advertise it to the Internet at large without prior permission from the CBL team.

    To run a local copy of the CBL in a zone of your own, then set up a regular download of the CBL list as described above, then configure either rbldns or rbldnsd to serve the list under your own choice of zone.

    If you do this with rbldns, the results of negative lookups will not be cacheable since rbldns does not return SOA records. You can avoid this problem with rbldnsd by incorporating a local SOA record into the zone as follows:

    rbldnsd (options...) local-cbl.example.com:ip4tset:cbl.soa,list.txt
    

    where the file cbl.soa contains:

    $SOA 3600 yourserver.example.com. hostmaster.example.com. 0 1h 5m 5d 600
    $NS 3600 yourserver.example.com.
    

    How do I run a (private or public) secondary of the cbl.abuseat.org zone?

    It is no longer possible to do zone-transfers of the CBL zone from axfr.cbl.abuseat.org. Public zone-transfer access has been withdrawn because it consumed excessive resources.

    The most efficient way to run a full secondary of cbl.abuseat.org is to use rbldnsd as follows:

    rbldnsd (options...) \
        cbl.abuseat.org:ip4tset:list.txt \
        cbl.abuseat.org:generic:cbl-rbldnsd.extras
    

    How do I use the CBL with spfilter?

    The following configuration was suggested to us years ago by one spfilter user.

    The CBL list has gotten so large that few sites can use spfilter with it anymore, and we strongly recommend converting to rbldnsd.

    There is even a port of rbldnsd and rsync to windows.

    <CBL interval="-1" type="addr" minsize="1000" maxsize="5000000">
            <title>CBL - Composite Blocking List</title>
            <home>http://cbl.abuseat.org/</home>
            <comment>The Composite Blocking List (CBL) lists compromised IPs</comment>
            <url>rsync://rsync.cbl.abuseat.org/cbl/list.txt</url>
            <tag>CBL</tag>
            <append>http://cbl.abuseat.org/lookup.cgi?ip=</append>
    </CBL>
    

    As with other methods, we recommend updating the list approximately once per hour.

    Please note: Spfilter operates by loading all lists that it uses into memory to produce a new zone. The CBL is a very large zone (at times greater than 5 million entries). Spfilter can be very slow (hours or more) processing the CBL, especially if you're including other large DNSBL zones.

    We recommend the use of rbldnsd instead of a spfilter/general DNS server combination, because rbldnsd can accept the rsync'd CBL zone directly, and has virtually zero update/reload time.

    General questions

    How do I contact the folks behind the CBL?

    If you have a question not answered in this FAQ or are getting caught by repeated listings that you're unable to diagnose, please contact us for assistance. We'll do our best to help - we are committed to doing that.

    Our email address is cbl@cbl.abuseat.org.

    When mailing us about a listing: always include the specific IP address that you are asking about. If possible, send your email to us through that IP (our email address does not use filtering, so it should get through anyway). If the listing is due to a mailer problem, mailing us through it helps us diagnose the problem.

    Before emailing us remember:

  • Don't email us just to delist the IP. You can almost always remove the IP yourself via our lookup and removal pages and it is much faster if you do it yourself.
  • Once the removal page says your IP is removed, it will be removed, usually within the hour. Contacting us to ask that we speed things up won't work, because we can't delist it any faster than you can - it'll probably be gone before we can do anything about it.
  • Don't repeatedly ask us to remove an IP without doing anything to fix the problem that caused the listing. We notice people doing this and will refuse to delist the IP if it continues.
  • If the lookup/removal page refuses your removal, or, we've started ignoring your emailed requests (see previous point) you will need to show a commitment to identifying and fixing the problem when you contact us before we will delist it again. Or, you'll have to wait for the entry to expire.
  • The CBL's policy is to NEVER abandon people who make a serious effort to solve listing problems. But we will ignore people who just ask for delisting and never make an effort to fix the problem.
  • It's better to contact us about persistent listing problems than asking in other fora (such as the news.admin.net-abuse.email or news.admin.net-abuse.blocklist Usenet groups or online tech forums). The CBL is very different from most other DNSBLs, and the advice you will get from sources other than our online information or via email from us will almost always be very very wrong. We occasionally run across such discussions (eg: via web searches while assisting someone else), usually long after the fact, and it's astonishing how wrong the advice/commentary usually is. When seeing such, we can only shake our heads and feel sorry for the person who got bad advice, because it's usually far too late for us to help.

    If you do not get a response from us within 48 hours (we're usually much faster than that), please try resending your email from another account, such as a freemail account on hotmail. Your email to us may have been silently dropped by your ISP without it telling you, OR, your spam filters may have blocked our reply.

    NOTE! If your mail server does SAV ("sender address verify" or "sender address verification callouts"), our mail server will probably NOT "complete" the verification, because our mail server has a long banner delay, which means that our reply will bounce. You will either have to whitelist our mail server from your SAV, or arrange for our reply to go to some other mail server (eg: a gmail account).

    The above also applies if your mail server has short (non-RFC-compliant) SMTP timeouts.

    We answer all emails. If you don't get a reply, it got lost.

    Note: the commentary you supply to the removal page is not email to us. It is collected for long term research only. It is not read by humans, except when we have cause to look at a specific listing (usually when you email us).

    What is the relationship between the CBL and Spamhaus?

    Spamhaus is one of the most respected anti-spam organizations in the world.

    The members of the CBL strongly believe that Spamhaus has an extremely important part to play in the anti-spam fight, and needs resources to continue operation. See Future Proofing Spamhaus for more information.

    Some years ago, the CBL decided to donate republication rights to the CBL via the Spamhaus XBL.

    Note that public redistribution of the CBL in any form is prohibited without prior authorization from us. See our Terms and Conditions, last item. This restriction "survives" the XBL redistribution of the CBL, and as such, any redistribution of the XBL unauthorized by Spamhaus is also in violation of the CBL terms and conditions.

    The CBL is copyright © 2003-2007, all unauthorized copying is prohibited

    It is exceedingly unlikely that the CBL will ever authorize any other public redistribution over the two already in force (spamhaus.org and dnsbl.net.au). In fact, if for whatever reason, the CBL's current operation shuts down, ownership and operation of the CBL will most likely be transferred directly to Spamhaus to do with as they see fit.

    The Spamhaus XBL is a full superset of the CBL, and you SHOULD NOT USE BOTH DNSBLs at the same time. In fact, for most administrators, we strongly recommend that you use Zen instead of the CBL directly.

    If you are a large organization doing several hundred thousand emails or more per day, in order to reduce DNS query loading, we recommend that you use a rsync feed of either the XBL or CBL.

    If you are a large ISP, or sell spam filtering services, we believe that you should be supporting the anti-spam effort by purchasing a paid-for rsync feed from Spamhaus, rather than getting the CBL directly from us.

    The CBL and Spamhaus work closely together, and Spamhaus has been instrumental in greatly increasing the coverage, effectiveness and reach of the CBL.

    NOTE: The CBL receives no payment from Spamhaus (or anyone else for that matter), nor does it need it.

    What is the relationship between the CBL and Abuseat.org?

    Abuseat.org is hosting our DNS name "cbl.abuseat.org". That's all it does.

    They do not have any involvement with CBL design, data, implementation or server hosting. They have no control over CBL listings.

    Please do not contact them regarding CBL entries, because all they can do is forward the email to us. By emailing them instead of us, you're only slowing down the resolution of listing issues.


    Updated 2007/01/05.