Please note the references to using Spamhaus DQS queries preferentially over "plain DNSBL" queries.
The time has come, after the CBL has been in operation since 2003 (has it really been that long?), that it be wholly switched over to Spamhaus infrastructure.
This page is specifically for system administrators that use the cbl.abuseat.org DNSBL. In other words, the system you use to query the CBL for IP addresses you wish to block or otherwise treat specially, is querying the cbl.abuseat.org DNS domain. The system may be a Spamassassin installation, a UNIX mail server (like postfix, sendmail or exim) a Windows mailserver or a security appliance like Barracuda. For example, to test whether 192.0.2.0 is in the CBL, your system is issuing a query for:
0.2.0.192.cbl.abuseat.orgThis query will return 127.0.0.2 (and ONLY that value) if the IP address is listed. Note how the IP address is reversed in the query.
If you are here about a specific CBL/XBL listing, you are in the wrong place. If so, please go to the CBL lookup page.
If you are already using Spamhaus XBL or XBL as part of Spamhaus Zen, now is the time to simply turn off using the CBL and forget the rest of all this.
There are changes coming you should be aware of:
You only need to worry about item (1) above for now, but now is a good time to make the change from the cbl.abuseat.org query to the preferred DQS method, or xbl.spamhaus.org (or zen.spamhaus.org) query so you don't have to touch it again.
For a trouble-free path to more modern technologies that doesn't have
ACL or resolver issues, that remains free for small users, you should
This uses exactly the same techniques as normal DNSBL queries do, but,
instead of querying <reverse IP>.xbl.spamhaus.org, you would be
The only difference is that you insert a key you obtain from Spamhaus (see above DQS link to obtain one.
You need to check whether the ACL change coming will cause you problems. If problems occur, fix them, then you can change cbl.abuseat.org to xbl.spamhaus.org in your filtering system.
If your server software is using the default system DNS configuration, log into that system and simply query the value for "18.104.22.168.xbl.spamhaus.org", using "nslookup", "host" or "dig" command line tools, whichever is appropriate for your server. For example, type:
There are several different answers possible. The answer you want to get is "127.0.0.4". Unlike the CBL which returns 127.0.0.2 for listed IP addresses, the XBL returns 127.0.0.4. If you get 127.0.0.4, you can simply cut your filtering system over to the XBL. See below.
Important note if you have specially configured your filtering system to use a different DNS server than the default on that server, you should repeat the test using the alternate DNS server you're using. The command line tools usually have a way to explicitly set the DNS server it queries. For example, "dig" has the "-s server" or "@server" options. With host, you can specify it like this:
host 22.214.171.124.xbl.spamhaus.org IP-address-of-your-DNS-server
If you get anything other than 127.0.0.4, you can't change the query name quite yet. NXDOMAIN or 127.255.255.254 mean that your DNS chain is using an "open resolver", that the Spamhaus ACLs prohibit. You will need to change your configuration so that it doesn't use an open resolver (eg: 126.96.36.199 and 188.8.131.52). If you get 127.255.255.255, this means that Spamhaus has placed your DNS server in a list for querying too much for free access. You should contact Spamhaus about registering for DNSBL (or DQS) access. See Spamhaus DNSBL return codes: technical update for further precise detail.
It is also possible to get a completely different IP address outside of 127/8. This means your DNS is being routed through a "NXDOMAIN" DNS hijacker - some access providers redirect every miss-spelled/non-existing name (especially for browsers) to go to an advertising site. We consider this evil. In some poorly configured filters, this will effectively mean EVERY lookup returns "listed". This likely means your current cbl.abuseat.org installation is not doing anything at all useful now either. You have to configure in some other DNS server that will return 127.0.0.4 for the test query of the XBL.
There are two differences between the CBL and XBL that need to be addressed:
You have to adjust your filtering system for both of these things. This will future-proof you against cbl.abuseat.org being decommissioned.
In about a week or so you should log into your filter server again, and do a test query again. It is possible that you're exceeding the Spamhaus query limits, and you'll get something other than 127.0.0.4. If so, please contact SpamHaus Technology to register for a free trial.
Note that Spamassassin now understands the new 127.255.255.X return codes, and you should be able to tell that you're hitting the limits from Spamassassin's logs or inserted headers.
It may be useful to implement some sort of program that runs periodically that does a 184.108.40.206.xbl.spamhaus.org query, and notify you if it doesn't get a 127.0.0.4 return code. If you do this, a query interval of 12-24 hours is preferred, and please don't do it right on the hour. Pick a random minute from 10 to 50 past the hour.
If you go the preferred DQS route, the query would be: