November 24, 2015 Widespread false positives
Early on Nov 24th, a very large-scale Kelihos botnet event occurred. By large scale, we mean that many
email installations will be seeing in excess of 20% Kelihos spam, and some will see their inbound
email volume jump by as much as 500%.
This isn't unusual in itself; the CBL/XBL has been successfully dealing with
large-scale Kelihos spam spikes like this, often daily, for years.
The email was allegedly from the US Federal Reserve, saying something about restrictions
in "U.S. Federal Wire and ACH online payments."
Not only was the notice itself fraudulent, but the attached Excel spreadsheet (.xls) contained
macro instructions (a downloader) to download a Windows executable virus, most likely Dyre.
The detection rules initially deployed by the CBL were unfortunately insufficiently detailed,
and listed a number of IP addresses it shouldn't have.
Our internal policy states that when a listing heuristic is generating noticeable amounts
of false positives, and it isn't possible to distinguish the good entries from the bad ones,
all listings from that heuristic should be purged as soon as possible.
Therefore, all entries of this type were purged (by about 19:05 UTC), and the detection
The false positives tended to be predominantly email senders, and they'd only be listed
if they hit our spamtraps (email addresses that never existed, or have not existed for many years);
this didn't involve any of our partner feeds.
If you were listed up to around 19:00 UTC November 24th, and the CBL lookup page appears to indicate that
the IP is no longer listed, this is likely the explanation, and no further action is required
on your part.
We apologize for the inconvenience.
A replacement heuristic was installed Nov 24th, around 2130 UTC, and has since listed nearly 40,000
IP addresses without any known false positives.
Sept 28, 2015 IMPORTANT CBL changes happening
Some CBL DNS operational naming conventions are changing.
For the most part, these do not impact basic CBL mail server query function and
users encountering issues with CBL listings are unaffected. This is primarily of
concern to administrators or users using/querying the CBL web pages and corresponding
with the CBL.
In short, the CBL web pages have moved from http://cbl.abuseat.org to http://www.abuseat.org (and are
already being redirected), and our email has moved from <user>@cbl.abuseat.org to <user>@abuseat.org.
See here for further detail.
Note also, the terms and conditions of using the CBL have been updated, please
see items 10, 11 and 12 in the CBL Usage Terms and Conditions.
I'm listed, what do I do?
The CBL has easy self-removal. See:
CBL Lookup AND Removal
It will provide you with information on why the IP was listed, how
to correct the problem that caused the listing, and
a link to do self-removal.
The rest of these web pages are intended to help you understand
what could cause a listing, and how to diagnose/remediate the problem.
The CBL expects you to resolve the problem, preferably before you
do a delisting.
If you simply delist without resolving the problem, it will almost
certainly list again.
Of late, a lot of people are emailing us and simply asking us to delist
an IP address.
We can't do it any more quickly than you can.
It's a LOT faster if you do it yourself.
What is the CBL?
The CBL takes its source data from very large mail
server (SMTP) installations.
Some of these are pure spamtrap servers, and some are not.
The CBL only lists IPs exhibiting characteristics which
are specific to open proxies of various sorts (HTTP, socks, AnalogX,
wingate, Bagle call-back proxies etc) and dedicated Spam BOTs
(such as Cutwail, Rustock, Lethic, Kelihos etc) which
have been abused to send spam, worms/viruses that do their own direct
mail transmission, or some types of trojan-horse or "stealth"
spamware, dictionary mail harvesters etc.
The CBL does not list based upon the volume
of email from a given IP address.
The CBL also lists certain portions of botnet infrastructure, such
as Spam BOT/virus infector download web sites, botnet infected machines,
machines participating in DDOS, and other web sites or name servers
primarily dedicated to the use of botnets.
Considerable care is taken to avoid listing IP addresses that are shared
or are likely to be shared with legitimate use, except in the
case of infector download websites, phish emission or DDOS.
Our botnet detections may not necessarily directly involve the
observation of spam emission, but most botnets are at least occasionally
involved in email spam, in addition to infostealing, DDOS attacks etc.
In other words, the CBL only lists IPs that have attempted email
connections to one of our servers in such a way as to indicate that
the sending IP is infected with a spam-sending virus or worm, or is acting
as an open proxy for the sending of spam, OR IPs primarily used in
the operation of botnets.
The CBL does NO probes. In other words, the CBL
NEVER makes connections to other machines to "test" anything.
The CBL does NOT test for nor list open SMTP relays.
The CBL only lists individual IPs, it NEVER lists ranges.
The CBL does NOT care whether an IP is dynamic or not,
if connections the IP makes indicate that it's infected, it is
The CBL does NOT attempt to associate IP addresses to
persons or organizations, and furthermore, a CBL listing
should NOT be construed as accusing anyone of spamming -
virtually all listees are the victims of a virus or other compromise, not
The CBL does NOT accept external submissions for listing.
Hence it is not possible for the CBL to be used as an instrument of
revenge (eg: "disgruntled ex-employee" or "competitor").
The CBL operates in an entirely automated way designed to avoid
listings due to bounces of forged spam, virus
bounces, and "real" mail servers emitting the occasional spam.
However, in some circumstances severe mail server misconfiguration
can make it look as if a mail server is infected.
It does not attempt to list every possible spam source.
This list is based on information believed to be reliable. No
warranty is made that it is accurate or complete. Use entirely at
your own risk.
There is no supporting data or "evidence" file available for any given
listing, and no mechanism to ask why any given listing took place. To
counteract this, there is an automated no-questions-asked removals
procedure allowing any affected party to delist a specific IP address
rapidly. However, delisted IPs are relisted if new evidence of spam
activity is subsequently detected.
Entries automatically expire after a period of time. The approximate
detection time of a specific entry can be obtained from the web
What to do if you're listed/How do I get delisted?
Use the lookup tool; it will
often give you further detail.
It also gives the link to the delisting tool.
See the FAQ for more information on
how to identify and resolve a CBL listing.
How to use the CBL
Before using the CBL, you should read our
terms and conditions.
The CBL can be queried in the usual way for DNS-based blocking lists,
under the name cbl.abuseat.org.
Entries in the CBL are returned with an IP address (always 127.0.0.2) and
a TXT record containing a link to the lookup/removal pages.
If you wish to run a local server using the CBL data you can download
the CBL zone. Please see our FAQ under the
subject "How do I download the CBL as a list of IPs?"
We're getting a lot of reports of spurious blocking caused by sites using
the CBL to block authenticated access to smarthosts / outgoing mail servers.
The CBL is only designed to be used on INCOMING mail, i.e. on the
hosts that your MX records point to.
If you use the same hosts for incoming mail and smarthosting, then you
should always ensure that you exempt authenticated clients from CBL checks,
just as you would for dynamic/dialup blocklists.
Another way of putting this is: "Do not use the CBL to block your
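As an added illustration of the query convention described above (reversed octets under cbl.abuseat.org, a listing answered with 127.0.0.2) and of the smarthost caveat, here is a small Python lookup; it is not code from the CBL project. The resolver is pluggable so the demo runs against constructed answers, and the TXT record carrying the lookup link is not fetched because the standard library has no TXT lookup.

```python
import ipaddress
import socket
from typing import Callable, Optional

CBL_ZONE = "cbl.abuseat.org"
CBL_LISTED = "127.0.0.2"   # the only A record the CBL returns for a listed IP
Resolver = Callable[[str], Optional[str]]   # name -> A record, or None if absent


def cbl_query_name(ip: str, zone: str = CBL_ZONE) -> str:
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)        # raises ValueError for anything else
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def _system_resolve(name: str) -> Optional[str]:
    """Default resolver: a real A lookup; NXDOMAIN or any failure -> None."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_cbl_listed(ip: str, resolve: Optional[Resolver] = None) -> bool:
    """True only when the answer is exactly 127.0.0.2.

    The strict comparison means a resolver that wildcards unknown names to some
    other address does not look like a listing, and a DNS outage degrades to
    'not listed' rather than rejecting all inbound mail.
    """
    resolve = resolve or _system_resolve
    return resolve(cbl_query_name(ip)) == CBL_LISTED


def accept_connection(client_ip: str, authenticated: bool,
                      resolve: Optional[Resolver] = None) -> str:
    """Policy for a host that is both MX and smarthost: authenticated
    (submission) clients are exempted before the CBL is consulted."""
    if authenticated:
        return "accept (authenticated client, CBL not consulted)"
    if is_cbl_listed(client_ip, resolve):
        return f"reject ({client_ip} is listed in {CBL_ZONE}, see http://www.abuseat.org)"
    return "accept"


if __name__ == "__main__":
    # Constructed sample answers (not real CBL data) so the demo runs offline.
    fake_dns = {"10.2.0.192.cbl.abuseat.org": CBL_LISTED}.get
    print(accept_connection("192.0.2.10", False, fake_dns))
    print(accept_connection("192.0.2.10", True, fake_dns))
```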
The CBL and web pages are copyright © 2003-2015; all unauthorized copying is prohibited.