Users of the CBL: CBL->XBL Cutover

First revision

Please note the references to using Spamhaus DQS queries preferentially over "plain DNSBL" queries.

Introduction

The time has come, after the CBL has been in operation since 2003 (has it really been that long?), that it be wholly switched over to Spamhaus infrastructure.

This page is specifically for system administrators who use the cbl.abuseat.org DNSBL. In other words, the system you use to query the CBL for IP addresses you wish to block or otherwise treat specially is querying the cbl.abuseat.org DNS domain. The system may be a SpamAssassin installation, a UNIX mail server (like postfix, sendmail or exim), a Windows mail server or a security appliance like Barracuda. For example, to test whether 192.0.2.0 is in the CBL, your system is issuing a query for:

0.2.0.192.cbl.abuseat.org

This query will return 127.0.0.2 (and ONLY that value) if the IP address is listed. Note how the IP address is reversed in the query.

If you are here about a specific CBL/XBL listing, you are in the wrong place. If so, please go to the CBL lookup page.

If you are already using Spamhaus XBL directly, or XBL as part of Spamhaus Zen, now is the time to simply turn off the CBL and ignore the rest of this page.

There are changes coming you should be aware of:

  1. The CBL is being cut over to use the same DNS Access Control List (ACL) as the rest of the Spamhaus lists (including XBL). The CBL will be subject to the same terms of use as the Spamhaus public mirrors, detailed in Spamhaus Public Mirrors - Terms of Use. Therefore, queries made using public DNS resolvers may start failing. The ACL is likely to be switched in February or March 2021.
  2. The CBL list will start being created from the XBL at Spamhaus, instead of the other way around (the lists have been identical for years). The only visible change from this will be that the public lookup/removal pages will change to the Spamhaus standard, and be directly accessible from the Spamhaus Blocklist Removal Center instead of the existing CBL lookup/removal pages. This will be done transparently: if you try the CBL lookup page directly, it will redirect you to the Spamhaus one. We expect this will happen during the first week in January. The only other thing you might see is that the detection rate goes up, since the new infrastructure is faster at adding new IPs.
  3. The CBL service will continue operation under the "cbl.abuseat.org" query name for some time, after which "abuseat.org" will be retired. No date has been identified for this to occur, but rest assured that when we do it, at worst it will simply stop returning a positive listing indication.

You only need to worry about item (1) above for now, but now is a good time to make the change from the cbl.abuseat.org query to the preferred DQS method, or to an xbl.spamhaus.org (or zen.spamhaus.org) query, so you don't have to touch it again.

For a trouble-free path to more modern technologies that doesn't have ACL or resolver issues, and that remains free for small users, you should consider DQS instead. This uses exactly the same techniques as normal DNSBL queries do, but instead of querying <reverse IP>.xbl.spamhaus.org, you would be querying

<reverse IP>.<key>.xbl.dq.spamhaus.org

The only difference is that you insert a key you obtain from Spamhaus (see the DQS link above to obtain one).

What you need to do now if you don't go with DQS

You need to check whether the ACL change coming will cause you problems. If problems occur, fix them, then you can change cbl.abuseat.org to xbl.spamhaus.org in your filtering system.

If your server software is using the default system DNS configuration, log into that system and simply query the value for "2.0.0.127.xbl.spamhaus.org", using "nslookup", "host" or "dig" command line tools, whichever is appropriate for your server. For example, type:

host 2.0.0.127.xbl.spamhaus.org

There are several different answers possible. The answer you want to get is "127.0.0.4". Unlike the CBL which returns 127.0.0.2 for listed IP addresses, the XBL returns 127.0.0.4. If you get 127.0.0.4, you can simply cut your filtering system over to the XBL. See below.

Important note: if you have specially configured your filtering system to use a different DNS server than the default on that server, you should repeat the test using the alternate DNS server you're using. The command line tools usually have a way to explicitly set the DNS server they query. For example, "dig" has the "-s server" or "@server" options. With host, you can specify it like this:

host 2.0.0.127.xbl.spamhaus.org IP-address-of-your-DNS-server

If you get anything other than 127.0.0.4, you can't change the query name quite yet. NXDOMAIN or 127.255.255.254 means that your DNS chain is using an "open resolver", which the Spamhaus ACLs prohibit. You will need to change your configuration so that it doesn't use an open resolver (e.g. 4.4.4.4 and 8.8.8.8). If you get 127.255.255.255, this means that Spamhaus has placed your DNS server on a list for querying too much for free access. You should contact Spamhaus about registering for DNSBL (or DQS) access. See Spamhaus DNSBL return codes: technical update for further precise detail.

It is also possible to get a completely different IP address outside of 127/8. This means your DNS is being routed through an "NXDOMAIN" DNS hijacker: some access providers redirect every misspelled/non-existent name (especially for browsers) to an advertising site. We consider this evil. In some poorly configured filters, this will effectively mean EVERY lookup returns "listed". This likely means your current cbl.abuseat.org installation is not doing anything useful now either. You have to configure some other DNS server that will return 127.0.0.4 for the XBL test query.
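The following is an added example, not code from the CBL/Spamhaus notice: it builds the query names described above (reversed octets, plain zone or the DQS form with a key) and interprets the answer to the 2.0.0.127 test query exactly as the notice says to read it. It also contrasts the "poorly configured filter" that treats any answer as a listing with a strict check that only accepts the documented 127.0.0.4 code, which is what keeps an NXDOMAIN hijacker from turning every lookup into a block. The DQS key "EXAMPLEKEY" used in the usage note is a placeholder; the `lookup` function only touches the network when the script is run directly.

```python
"""Added example, not part of the CBL/Spamhaus notice: builds the DNSBL query
names described above and interprets the answer to the 2.0.0.127 test query
the way the notice says to read it. Only the standard library is used."""
import ipaddress
import socket

CBL_ZONE = "cbl.abuseat.org"
XBL_ZONE = "xbl.spamhaus.org"
DQS_ZONE = "xbl.dq.spamhaus.org"   # DQS form: <reverse IP>.<key>.xbl.dq.spamhaus.org
TEST_IP = "127.0.0.2"              # always-listed test address from the notice
XBL_LISTED = "127.0.0.4"           # XBL positive answer (the CBL returned 127.0.0.2)
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def reverse_octets(ip):
    """'192.0.2.0' -> '0.2.0.192'; DNSBL queries reverse the IPv4 octets.
    Rejects anything that is not a valid IPv4 address (ValueError)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def query_name(ip, zone=XBL_ZONE, dqs_key=None):
    """Query name for a plain DNSBL zone, or the DQS form when a key is given
    (the key label sits between the reversed IP and the zone)."""
    labels = [reverse_octets(ip)]
    if dqs_key is not None:
        labels.append(dqs_key)
    labels.append(zone)
    return ".".join(labels)


def classify_test_answer(answers):
    """Map the A records returned for the 2.0.0.127 XBL test query to the
    situations the notice describes. answers: list of dotted quads; [] means
    NXDOMAIN."""
    if not answers:
        return "open-resolver"             # NXDOMAIN: the ACL refused the query
    codes = {ipaddress.IPv4Address(a) for a in answers}
    if any(c not in LOOPBACK for c in codes):
        return "hijacked"                  # outside 127/8: NXDOMAIN-hijacking resolver
    if ipaddress.IPv4Address("127.255.255.254") in codes:
        return "open-resolver"
    if ipaddress.IPv4Address("127.255.255.255") in codes:
        return "over-limit"                # your resolver exceeded free-use limits
    if ipaddress.IPv4Address(XBL_LISTED) in codes:
        return "ok"
    return "unexpected"


def naive_is_listed(answers):
    """The 'poorly configured filter' the notice warns about: any answer at all
    is treated as a listing, so a hijacker's advertising IP blocks everything."""
    return bool(answers)


def strict_is_listed(answers, expected=XBL_LISTED):
    """Hardened check: only the documented return code counts as listed, so
    hijack answers and 127.255.255.x error codes never block mail."""
    return expected in answers


def lookup(name):
    """System-resolver A lookup; [] on NXDOMAIN (socket.gaierror)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    name = query_name(TEST_IP)             # 2.0.0.127.xbl.spamhaus.org
    answers = lookup(name)
    print(name, "->", answers or "NXDOMAIN", ":", classify_test_answer(answers))
```

Running the script directly performs the live test query through the system resolver and prints one of "ok", "open-resolver", "over-limit", "hijacked" or "unexpected". For the DQS form, call `query_name("127.0.0.2", DQS_ZONE, "EXAMPLEKEY")`, which yields `2.0.0.127.EXAMPLEKEY.xbl.dq.spamhaus.org`. The strict check is the one to carry into a filter configuration: match the exact return code rather than "any A record".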

Converting from CBL to XBL

There are two differences between the CBL and XBL that need to be addressed:

  • (the obvious) the XBL DNS tail is named "xbl.spamhaus.org" (or <key>.xbl.dq.spamhaus.org for DQS), while the CBL DNS tail is "cbl.abuseat.org".
  • The CBL returns "127.0.0.2" for a positive listing, and the XBL returns "127.0.0.4".

You have to adjust your filtering system for both of these things. This will future-proof you against cbl.abuseat.org being decommissioned.

What you should do next

In about a week or so you should log into your filter server again, and do the test query again. It is possible that you're exceeding the Spamhaus query limits, and you'll get something other than 127.0.0.4. If so, please contact Spamhaus Technology to register for a free trial.

Note that SpamAssassin now understands the new 127.255.255.X return codes, and you should be able to tell that you're hitting the limits from SpamAssassin's logs or inserted headers.

It may be useful to implement some sort of program that runs periodically, does a 2.0.0.127.xbl.spamhaus.org query, and notifies you if it doesn't get a 127.0.0.4 return code. If you do this, a query interval of 12-24 hours is preferred, and please don't do it right on the hour. Pick a random minute from 10 to 50 past the hour.

If you go the preferred DQS route, the query would be:

2.0.0.127.<key>.xbl.dq.spamhaus.org
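As an added example of the periodic check suggested above (this is not the notice's own code), the script below issues the 2.0.0.127 test query, expects 127.0.0.4, and otherwise writes an alert to stderr and exits non-zero so that cron mails you the output. It also picks the random minute between 10 and 50 and prints a matching cron entry. The install path /usr/local/bin/xbl-check is a hypothetical placeholder, and the resolver is injectable so the alerting logic can be exercised with constructed answers.

```python
"""Added example, not the notice's own code: a periodic XBL reachability probe
of the kind suggested above. It issues the 2.0.0.127 test query, expects
127.0.0.4, and exits non-zero with an alert message otherwise (cron then mails
you the output). Also picks the randomised minute and builds the cron entry."""
import random
import socket
import sys

EXPECTED = "127.0.0.4"


def probe_name(dqs_key=None):
    """2.0.0.127.xbl.spamhaus.org, or the DQS form when a key is supplied."""
    if dqs_key:
        return f"2.0.0.127.{dqs_key}.xbl.dq.spamhaus.org"
    return "2.0.0.127.xbl.spamhaus.org"


def resolve(name):
    """System-resolver A lookup; [] on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_xbl(resolver=resolve, dqs_key=None):
    """Return (ok, message). The resolver is injectable so the logic can be
    exercised offline with constructed answers."""
    name = probe_name(dqs_key)
    answers = resolver(name)
    if EXPECTED in answers:
        return True, f"{name} -> {EXPECTED}: XBL reachable"
    got = ", ".join(answers) if answers else "NXDOMAIN"
    return False, (f"ALERT: {name} returned {got}, expected {EXPECTED}; "
                   "check your resolver, the Spamhaus ACL, or query limits")


def pick_minute(seed=None):
    """Random minute from 10 to 50 past the hour, as the notice asks; a seed
    makes the choice reproducible."""
    return random.Random(seed).randint(10, 50)


def cron_line(minute, interval_hours, command):
    """Cron entry at the chosen minute every interval_hours hours (12-24).
    Note cron's */N step restarts at midnight, so 12 or 24 divide the day evenly."""
    if not 10 <= minute <= 50:
        raise ValueError("minute must be between 10 and 50")
    if not 12 <= interval_hours <= 24:
        raise ValueError("interval should be 12-24 hours")
    hours = "0" if interval_hours == 24 else f"*/{interval_hours}"
    return f"{minute} {hours} * * * {command}"


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--cron":
        # Print a cron entry for this script; the install path is a hypothetical placeholder
        print(cron_line(pick_minute(), 12, "/usr/local/bin/xbl-check"))
        sys.exit(0)
    ok, message = check_xbl()
    print(message, file=sys.stdout if ok else sys.stderr)
    sys.exit(0 if ok else 1)
```

Run it once with `--cron` to get a line such as `37 */12 * * * /usr/local/bin/xbl-check` to paste into the crontab; every scheduled run then either prints a one-line confirmation or fails with the alert, which is enough for cron's own mail or any wrapper to notify you. Pass `dqs_key=` to `check_xbl` if you use DQS.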