The CBL - Composite Blocking List
CBL Statistics CBL FAQ
CBL HOME Privacy Policy

January 19, 2016 ESP Issue

Early today, a number of high volume ESP mail servers were listed. As soon as this was discovered, they were purged from the list.

Background: recently a few new traps were incorporated into the CBL. From the beginning these traps were behaving very strangely, and during the process of trying to identify why, a bug was introduced and caused the ESP listings to occur.

CBL remediation: as soon as this was discovered, the listings were purged, and the bug corrected. However, analysis of the issue raises issues with the ESPs in question.

Affected server analysis: The listed servers all send extremely high volumes of email to domains that have never existed. Clearly, closed-loop confirmation is not being used by these senders, and they have no list management processes implemented (eg: removing non-responsive addresses).

Furthermore, each of the servers were using an abusive technique to "hold the SMTP channel open" even when there was no email to send, thus unnecessarily wasting recipient resources (in some cases to a very high degree) - in effect, a resource-starvation DoS attack against receivers.

Recommendations: ESPs affected by these listings should review their inadequate list management, non-existent opt-in confirmation policies and stop using artificial "hold channel open" techniques. These are abusive practices, no question about it, and ESPs are at high risk of being blocked by recipients entirely aside from the CBL or Spamhaus.

I'm listed, what do I do?

The CBL has easy self-removal. See: CBL Lookup AND Removal It will provide you with information on why the IP was listed, how to correct the problem that caused the listing, and a link to do self-removal. The rest of these web pages are intended to help you understand what could cause a listing, and how to diagnose/remediate the problem.

WARNING The CBL expects you to resolve the problem, preferably before you do a delisting. If you simply delist without resolving the problem, it will almost certainly list again.

Of late a lot of people are emailing us and simply asking us to delist an IP address. We can't do it more quickly than you can. It's a LOT faster if you do it yourself.

What is the CBL?

The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are not.

The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic, Kelihos etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.

The CBL does not list based upon the volume of email from a given IP address.

The CBL also lists certain portions of botnet infrastructure, such as Spam BOT/virus infector download web sites, botnet infected machines, machines participating in DDOS, and other web sites or name servers primarily dedicated to the use of botnets. Considerable care is taken to avoid listing IP addresses that are shared or are likely to be shared with legitimate use, except in the case of infector download websites, phish emission or DDOS.

Our botnet detections may not necessarily directly involve the observation of spam emission, but most botnets are at least occasionally involved in email spam, in addition to infostealing, DDOS attacks etc.

In other words, the CBL only lists IPs that have attempted email connections to one of our servers in such a way as to indicate that the sending IP is infected with a spam-sending virus or worm, acting as a open proxy for the sending of spam, OR, IPs primarily used in the operation of botnets

The CBL does NO probes. In other words, the CBL NEVER makes connections to other machines to "test" anything.

The CBL does NOT test for nor list open SMTP relays.

The CBL only lists individual IPs, it NEVER lists ranges.

The CBL does NOT care whether an IP is dynamic or not, if connections the IP makes indicate that it's infected, it is listed regardless.

The CBL does NOT attempt to associate IP addresses to persons or organizations, and furthermore, a CBL listing should NOT be construed as accusing anyone of spamming - virtually all listees are the victims of a virus or other compromise, not deliberately spamming.

The CBL does NOT accept external submissions for listing. Hence it is not possible for the CBL to be used as an instrument of revenge (eg: "disgruntled ex-employee" or "competitor").

The CBL operates in an entirely automated way designed to avoid listings due to bounces of forged spam, virus bounces, and "real" mail servers emitting the occasional spam. However, in some circumstances severe mail server misconfiguration can make it look as if a mail server is infected.

It does not attempt to list every possible spam source.

This list is based on information believed to be reliable. No warranty is made that it is accurate or complete.... Use entirely at your own risk.

There is no supporting data or "evidence" file available for any given listing, and no mechanism to ask why any given listing took place. To counteract this, there is an automated no-questions-asked removals procedure allowing any affected party to delist a specific IP address rapidly. However, delisted IPs are relisted if new evidence of spam activity is subsequently detected.

Entries automatically expire after a period of time. The approximate detection time of a specific entry can be obtained from the web interface.

What to do if you're listed/How do I get delisted?

Use the lookup tool it will often give you further detail. It gives the link to the delisting tool.

See the FAQ for more information on how to identify and resolve a CBL listing.

How to use the CBL

Before using the CBL, you should read our terms and conditions.

The CBL can be queried in the usual way for DNS-based blocking lists, under the name cbl.abuseat.org.

Entries in the CBL are returned with an IP address (always 127.0.0.2) and a TXT record containing a link to the lookup/removal pages.

If you wish to run a local server using the CBL data you can download the CBL zone. Please see our FAQ under the subject "How do I download the CBL as a list of IPs?"

Usage WARNING

We're getting a lot of reports of spurious blocking caused by sites using the CBL to block authenticated access to smarthosts / outgoing mail servers. THE CBL is only designed to be used on INCOMING mail, i.e. on the hosts that your MX records point to.

If you use the same hosts for incoming mail and smarthosting, then you should always ensure that you exempt authenticated clients from CBL checks, just as you would for dynamic/dialup blocklists.

Another way of putting this is: "Do not use the CBL to block your own users".

Updated 2016/01/19.

The CBL and web pages are copyright © 2003-2016, all unauthorized copying is prohibited