The CBL FAQ
Note new section on TOR/VPN/proxy and section on how you can help.
Click here to lookup an IP address in the CBL.
Listing / Delisting questions
I'm Listed in the CBL, what do I do?
ALWAYS go to the CBL lookup page and
follow the instructions.
The lookup page and this FAQ attempt both to help you delist your IP and
to help you prevent it from getting listed again.
I delisted my IP, but it keeps getting relisted again. Why??
You have a virus, or an open proxy, a trojan spam-sender or some other
sort of security compromise, or some sort of unusual misconfiguration
which is causing your IP to be relisted. Always
ensure that viruses, open proxies, etc. are removed or secured before trying
to delist your IP.
If you did all that but still keep getting listed, then see below for
where to talk about the problem.
How much does a delisting cost?
The CBL NEVER charges money for a delisting, and does NOT provide referrals
The CBL strongly believes in eliminating any possibility of bias,
perceived or otherwise.
From time to time you may encounter claims that some person can get
you delisted for a fee.
The only way to get delisted and stay delisted is to identify the
cause for the listing and prevent it happening again.
I don't have an open relay!
The CBL DOES NOT list open SMTP relays, hence open relay
testers such as that at abuse.net and orbs.org are irrelevant to the CBL.
Many of our correspondents are confused by this statement, so it's a good
idea to explain the difference between an open SMTP relay, and "open proxies"
that we DO detect.
In a nutshell:
An SMTP "open relay" is a real mail server that has been misconfigured
so that it accepts email from the Internet and permits it to be sent on to
somewhere else on the Internet.
Mail servers should be configured to reject incoming email that isn't
addressed to their user base.
But again, the CBL does not detect mail servers misconfigured this way.
An "open proxy" is a non-email server that can be tricked into sending
email to third parties.
These are usually misconfigured web servers, web proxies (eg: Squid or Nginx),
AnalogX, wingates, Socks servers, or custom spamware illicitly installed
on a machine (by a trojan downloader).
This is what the CBL detects.
Over the past year or so, the CBL has been detecting something that
it calls "open relay". That does not mean that the IP address we've
listed is an open relay; it means that the IP address we've listed is
attempting to get our spamtraps to open relay.
Most of these turn out to be Cutwail infections trying to force-relay
through other mail servers.
Apparently a recent upgrade/release of Merak (recent as of 2006/12/31)
instantiates an open CONNECT proxy on port 32000 without warning.
If you are running a recent version of Merak, please make sure that this
proxy is turned off.
If in doubt, do a port scan of port 32000.
You've listed [a TOR exit node/my VPN IP/an Anonymizing Proxy]!
Please see: CBL/XBL TOR/VPN/Anonymizing Proxy Policy
I'm running Linux (FreeBSD, OpenBSD, UNIX...) and CANNOT be infected with a virus!
While it is perfectly true that UNIX-like operating systems are almost
NEVER infectable with Windows viruses, there are a number
of virus-like things that UNIX-like systems are susceptible to.
Windows emulation software (eg: VMware or Wine) is just as susceptible to
infection as native Windows.
In fact, it's probably somewhat more likely that an emulator instance
gets infected, because the fact that it's running under another O/S
can lead to a false sense of security, and emulator instances are less
likely to be protected with a full anti-virus suite.
Open proxies (eg: insecure Squid configurations) leading to open proxy
Acting as a NAT for a local area network - meaning that machines on the
local area network could be infected, and the CBL detects the NAT address
not the machine on the LAN that's actually responsible.
It's best to secure the NAT.
Web server vulnerabilities or compromises.
For example, the DarkMailer/DirectMailer trojan is injected
via FTP (using compromised users' userid/passwords) onto web
servers, and is thereupon used to send very large volumes of spam.
Virtually all web servers are susceptible to this
if they permit upload of content from the Internet.
Application vulnerabilities: many applications have security vulnerabilities,
particularly those associated with PHP on web servers.
Eg: older versions of WordPress, PHPNuke, Mambo etc.
Some of these vulnerabilities are severe enough that a malefactor can
install a full proxy/trojan spamming engine on your machine and control
Through this, they can set up spamming engines, open proxies, malware
download and spam redirectors.
Watch out for strange directories being created, particularly those starting
with a "." in /tmp.
Check for this by doing an "ls -la" in /tmp, and look for directory
names starting with "." (other than "." and ".." themselves).
It is CRITICALLY IMPORTANT that all web-facing applications
or application infrastructures (WordPress, Joomla, cPanel, etc. etc.)
are kept fully patched and up-to-date.
Furthermore, userid/passwords and other credentials for logging into such
systems should be highly protected, require strong passwords and be changed
as frequently as practical/feasible.
Some web hosting services have had to resort to two-factor authentication
to protect themselves from stolen or spoofed authentications.
Such sites should consider continuous monitoring of web, ftp and other
Rootkits are where a malicious entity has installed software on your
machine and buried it in such a way that the normal system utilities cannot
In some cases they replace the normal system utilities with hacked versions
that won't show their tracks.
Check that you have good remote login-capable passwords (eg: telnet,
FTP, SSH), inspect your logs for large quantities of failed SSH/telnet
Consider running a "system modification" detector such as Tripwire or
Tripwire is designed to detect and report modifications to important
Rkhunter does what Tripwire does, but looks for specific rootkits, insecure
versions of system software and more.
Not all viruses are Windows binaries.
Some viruses/worms are in application-level files using non-binary
programming techniques (such as macro viruses, Java, PHP or Perl).
These can be truly infectious cross-platform.
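The /tmp check described above (directory names starting with ".") can be automated as follows. This is an added example, not CBL tooling: the function names, the depth limit and the allow-list of dot-directories commonly created by X11/systemd are assumptions, and the demo tree is constructed.

```python
import os
import tempfile

# Assumption: dot-directories that X11/systemd commonly create directly in
# /tmp. Trust them only at the top level; confirm ownership on your system.
KNOWN_DOT_DIRS = frozenset(
    {".X11-unix", ".ICE-unix", ".XIM-unix", ".font-unix", ".Test-unix"}
)


def hidden_dirs(root="/tmp", allow=KNOWN_DOT_DIRS, max_depth=3):
    """Return sorted (path, owner_uid) pairs for dot-directories under root.

    Names such as "..." or ". " also start with "." and are reported; they
    are easy to overlook in "ls -la" output next to "." and "..".
    """
    root = os.path.abspath(root)
    base = root.count(os.sep)
    found = []
    for dirpath, dirnames, _files in os.walk(root, onerror=lambda err: None):
        for name in dirnames:
            if not name.startswith("."):
                continue
            if dirpath == root and name in allow:
                continue  # expected system directory at the top level
            full = os.path.join(dirpath, name)
            try:
                found.append((full, os.lstat(full).st_uid))
            except OSError:
                continue  # vanished or unreadable between listing and stat
        if dirpath.count(os.sep) - base >= max_depth - 1:
            dirnames[:] = []  # stop descending past max_depth levels
    return sorted(found)


def constructed_demo():
    """Build a throwaway tree (constructed sample) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in (".X11-unix", ".cache-x", "uploads", os.path.join("www", "...")):
            os.makedirs(os.path.join(root, rel))
        root = os.path.abspath(root)
        return [os.path.relpath(p, root) for p, _uid in hidden_dirs(root)]


if __name__ == "__main__":
    # Scan the real /tmp and show who owns each finding.
    for path, uid in hidden_dirs("/tmp"):
        print(f"uid={uid}\t{path}")
```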
What are the exact criteria for listing on the CBL?
Those will not be disclosed because it may give spammers or
virus writers hints on how to avoid the CBL.
The next section provides information on how to diagnose
persistent CBL relistings.
CBL listing diagnosis
Knowledge base on how to investigate persistent
First, use the lookup page to look up your
In a number of cases, you will get specific information related to your
listing, and you should follow those instructions first.
The following are more general instructions.
We'll say that again: ALWAYS use our
lookup page before doing anything else.
If this IP address is that of a Network Address Translation (NAT),
or Port Address Translation (PAT) firewall, router or gateway,
click here, and carefully follow
Insecure NATs are probably the leading cause of ALL CBL listings.
If this IP address is your personal computer, you must carefully check your machine
for viruses, spyware, adware, open proxies and trojans and remove them.
More information on scanning
If this IP is dynamically allocated, click here
If you have a wireless network/hub, see the same
link as above.
If this IP address is really that of your mail server,
If you're being blocked with something other than email,
Did you get blocked when you tried to send email to us?
Click if yes
If you sent email to the CBL, and got no response, chances are that
you are running some sort of challenge/response filter of your own,
your server blocked our email to you,
or, your provider blocked your email to us without indicating
that it did.
We endeavor to answer all email, so if you don't get a response within
a day or two, we recommend resending your query via a freemail service
such as hotmail.
The CBL team does not answer C/R challenges, so if you're using
C/R, either pre-approve email back from us, or use another account.
Can I nominate IP addresses or ranges for inclusion?
Does the CBL contain any static or manually-maintained entries?
No. (Except the standard test entry of 127.0.0.2)
General Filtering Practises
These are some things to keep in mind when setting up filtering:
- KNOW what you're doing.
You're doing email blocking, you are responsible
for all blocking decisions, you should fully understand what
you're getting your mail servers to do.
- No filtering technique is perfect. NONE.
There will be both spam that gets through, and non-spam that
You need to manage your expectations, and engineer your systems
to minimize the effect of these "bad things".
- If you block email, you should do it at SMTP time, rather than
accept-then-bounce. The latter can get you blacklisted
NOTE: The CBL does not list for backscatter, other
- Make your rejection messages helpful - with some means by which
an accidentally blocked user can contact you to remediate problems.
- If you block with a DNSBL, you MUST include the
relevant IP address in the rejection - sometimes the mail sender
doesn't know because it goes through chains of mail servers...
- It is a mistake to rely on a DNSBL for timely list removal.
Even the very best DNSBL can have delays that may be unacceptable
Be prepared to locally whitelist if necessary.
- Generally speaking it's a good idea to let your user population
know that you're doing spam filtering with at least some mention
of what techniques are used.
- If appropriate, you may wish to consider implementing your filtering
in such a way that individual users can opt-in or out of filtering.
DNSBL Setup Recommendations
Generally speaking, we prefer users to use the SpamHaus DNSBL system
to get access to the CBL, instead of the CBL directly.
This has a number of benefits including more DNS servers answering
queries (hence less chance of overload/delay on queries) as well as
being able to query all of their DNSBLs in one query.
The CBL is wholly included in (and in fact is the largest part of)
the Spamhaus XBL subzone.
We recommend that you use the
see that link on how to use it.
If you use the CBL directly (or via the XBL), you should
only check the IP address of the machine that connected to your
mail server. Going any further back into the Received chain
is officially unsupported, and will usually yield unacceptable
numbers of false positives (in excess of 50% in some cases).
This is also true of _most_ DNSBLs (much of SORBS, Spamhaus PBL,
WPBL, SpamCop, Barracuda BRBL etc) that tend to detect or list
IPs that are likely to be spambots. Spambots don't relay through
other mail servers. Hence, going back up the chain farther than
the IP that connected to your mail server is unnecessary and will
generally yield unacceptable numbers of false positives.
A few DNSBLs list what one might call "IPs owned and operated by
Eg: Spamhaus SBL and CSS listings of snowshoers.
You probably don't want to hear from those IP addresses no matter how
they got to you.
Those DNSBLs are appropriate for use in deep header parsing.
See also the FAQs on PBL and XBL usage at Spamhaus.
The XBL is intended to be useful in environments where you
can use DNSBLs to check the URLs in email.
For example, SpamAssassin's SURBL/URIDNSBL mechanisms.
The following code snippet shows how to add SBL & XBL to SpamAssassin.
Don't use PBL or Zen - some admins PBL-list their webservers and name
servers because they don't send email, and thus using the PBL
or Zen will incorrectly tag email because of URIs.
uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
score URIBL_SBLXBL 4
Note: Current SpamAssassin only checks the IP addresses for the name
servers of a URI's hostname. It would be better to check the
IP addresses of the hostnames too.
We believe that an effective spam filtering system is a hybrid
of a number of techniques; you should never put all your eggs in
Spam Filtering for an excellent discussion of modern spam fighting
techniques along with other tools.
In addition to the excellent SpamHaus SBL, XBL and PBL subzones,
here are a few other DNSBLs that you may wish to consider.
It is extremely important that you evaluate them
according to your needs.
Some of these lists are NOT appropriate for
Before using DNSBLs, we recommend becoming familiar with the
DNSBL lookup tools on MXToolBox.
Jeff Makey provides a useful
Blacklists Compared page.
Only those DNSBLs we have personal experience with are listed here.
We have good relationships with many of them, and in some cases share
While reading these, consider your options - they can either be used
in a full blocking mode (a DNSBL hit means the email is blocked),
or, as part of a scoring system (a DNSBL hit plus other "scores"
are required for a block).
RFC6471: Overview of Best Email DNS-Based List (DNSBL) Operational Practices
can be used as a guide on how to select DNSBLs.
PSKY (Protected Sky) is a relatively new DNSBL and had surprisingly high effectiveness.
PSKY is somewhat notable in that there is virtually no information whatsoever
available on the web site about how it works, no lookup page, and no way
to request a delisting.
We identified that PSKY was pirating Spamhaus DNSBL listings
(and possibly other data) via unauthorized access to the infrastructure of
one of Spamhaus' partners.
PSKY's access to Spamhaus/CBL data has been shut off (March 23, 2017).
It is not clear that PSKY is listing anything anymore.
It is recommended that users of PSKY re-evaluate their use in light of the above, and RFC6471 (link above).
NJABL was a reliable and responsible DNSBL.
For the past few years, most of the useful parts were republished
from Spamhaus, and NJABL has shut down.
This is a good, reliable and responsible DNSBL, however, as it has very
low thresholds (and somewhat limited coverage) it is strongly recommended
that it not be used as a single reason for email rejection - this is
discussed on their web page.
It should be used in a scoring system such as SpamAssassin.
In late 2012, the CBL "loaned" trap cross-section to WPBL, and its
effectiveness has gone up significantly.
Amazingly effective for such a modest effort, and is a good supplement
to other DNSBLs.
SpamCop is a good, solid, professionally operated DNSBL.
Due to the way it's implemented, it used to occasionally "throw"
undesirable false positives, and it was best used in a scoring system.
Since then, changes have been made, and using it as an outright
blocking mechanism is a reasonable choice.
- Invaluement DNSBL
ivmURI and ivmSIP are good solid and professionally operated
ivmURI is a URI (domain) DNSBL like SURBL or URIBL, with high
effectiveness (comparable with URIBL/SURBL), extremely
low false positives, and quick to list.
ivmSIP is an IP-based DNSBL which is particularly good at
catching "new" emitters. Its FP rate is quite low.
Neither should be considered a substitute for
Zen/Spamcop, but both complement them well.
The SORBS open relay, open
socks and open proxy lists are good (noting that listing expiration
is extremely long), but the other lists should not be
used (especially dynamic), except in a scoring system with "moderate"
The PSBL is a solid and reliable DNSBL.
Amazingly effective for such a modest effort.
Generally recommended, but PSBL does recommend using it in scoring.
Excellent supplement to other DNSBLs.
- Barracuda BRBL
BRBL uses the CBL for a significant part of their data.
While we believe in synergy between DNSBLs, we're not at all happy
when it's done without permission, and they continue to deny doing it.
And yes, we've caught them red-handed a number of times.
The false positive rate of the BRBL is rather higher than the above
BRBL is also quite unhelpful in the face of FPs or other support
Therefore we don't recommend its use.
V4BL claims to have several hundred million IP addresses in its
list. It appears evident that V4BL essentially lists _any_ IP address
that ever sent a spam and never removes them.
As should be obvious, the false positive rate is rather high.
It may be useful in some situations with scoring algorithms, but we
otherwise do NOT recommend using this DNSBL.
FYI: making sense of its web site is a bit difficult.
The SPEWS list is dead and its domain name has been repurposed.
DO NOT USE.
When it became apparent that SPEWS was no longer being maintained,
someone, or a group of someones, copied the SPEWS web pages and presumably
the SPEWS list of the time, and operated it as a new DNSBL "APEWS".
The new operators are far more aggressive than SPEWS ever was, and will list
large chunks of net space over a single third party incident report that
may not have had anything to do with spam.
Eg: APEWS has been known to list entire netblocks because of a single
out of date CERT report of a single IP acting as a bot C&C.
APEWS is reportedly blocking 2/3rds of all useable Internet IP space.
APEWS false positives in most situations are extremely high, and it
should not be used except in some very specific circumstances (eg:
single user systems via scoring).
The main reason we mention APEWS is that
several online DNSBL lookup services
query APEWS listings, and it tends to alarm listees and cause
long flamewars on the only places that people can find to discuss them
(eg: news.admin.net-abuse.email), with no useful result.
APEWS provides no mechanism for appealing listings,
and we believe that is not best practise for DNSBL operation.
As far as we can determine, few (if any) mail servers
actually use APEWS, so, an APEWS listing is largely meaningless.
Getting out of APEWS is very difficult, and APEWS
can just about be completely ignored as being irrelevant.
Note that APEWS appears to be back in operation, and is
bragging about a .5% false positive rate.
A FP rate that high we consider unacceptable.
In some cases it may be desirable to use a DNSBL that lists
certain regions of the world - for example, if you don't need
or want to correspond in email with anyone in China, you can
use a DNSBL specifically designed to list all IPs in China.
There are a number of these lists, the best known is
blackholes.us has gone
out of service, and briefly it was blacklisting the world.
The web page for blackholes.us no longer exists.
BE AWARE that if you use such a service, you will get
very little if any email from these regions.
These list IPs in those regions, not IPs in those regions known
Use them at your own risk. Or in a scoring system.
- ORDB, OSIRUS, MONKEYS, DSBL: just in case:
these DNSBLs are defunct and should NOT
CBL query setup
If you are using the Spamhaus Zen, sbl-xbl or xbl lists, you do not
need to do this.
Note if you are using the sbl-xbl list, we recommend that you switch
to the Zen list.
The sbl-xbl is obsoleted by Zen.
See previous section on "DNSBL Setup Recommendations".
Query text: URL to lookup page with IP filled in
DO NOT set your DNS server to be
cbl.abuseat.org - use your ordinary DNS servers.
It's the name of the zone and the name of this website,
but NOT the name of the DNS server.
Make sure you read the CBL Terms and Conditions.
How do I configure my mail server to query the CBL?
The documentation for your mail server will indicate whether it
supports DNSBL queries and if so, how to configure them. The CBL is a
standard IP-based blocking list just like the many others available.
If possible, please configure your mail server to use the TXT record of
entries in the rejection message. Otherwise, the recommended URL to include
in rejections is http://www.abuseat.org/lookup.cgi?ip=x.x.x.x with
the IP address of the sender filled in. Always include the IP address of
the sender in rejection messages.
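The query and rejection rules described in this section and under "DNSBL Setup Recommendations" (check only the connecting IP, and put the IP plus the TXT record or lookup URL in the rejection) can be sketched as follows. This is an added example, not CBL or mail-server code: the function names, the 550 5.7.1 reply wording, the injectable resolver and the rule of ignoring answers outside 127.0.0.0/8 are assumptions, and the sample DNS data is constructed.

```python
import ipaddress
import socket

CBL_ZONE = "cbl.abuseat.org"  # zone name from the page; it is NOT a DNS server
LOOKUP_URL = "http://www.abuseat.org/lookup.cgi?ip={ip}"  # URL form from the page
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here


def dnsbl_query_name(ip, zone=CBL_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets plus the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """A-record lookup through the host's ordinary DNS servers.

    Any resolution failure is returned as "no answer", so a DNS outage
    fails open (mail is accepted) rather than blocking everything.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listed(peer_ip, resolver=system_resolver, zone=CBL_ZONE):
    """True only if the zone answers with an address inside 127.0.0.0/8.

    Assumption: any other answer (for example from a resolver that
    rewrites NXDOMAIN) is treated as interference, not as a listing.
    """
    answers = resolver(dnsbl_query_name(peer_ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)


def rejection_for(peer_ip, resolver=system_resolver, whitelist=(), txt=None):
    """Return an SMTP rejection line, or None if the mail should be accepted.

    Only the IP that connected to us is checked; Received: headers are
    never consulted. `txt` is the zone's TXT record if the server fetched
    one; otherwise the lookup URL with the IP filled in is used.
    """
    if peer_ip in whitelist or not is_listed(peer_ip, resolver):
        return None
    reason = txt or "see " + LOOKUP_URL.format(ip=peer_ip)
    return f"550 5.7.1 Mail from {peer_ip} refused, listed in {CBL_ZONE}: {reason}"


# Constructed sample answers standing in for DNS (no network needed).
SAMPLE_DNS = {
    "2.0.0.127.cbl.abuseat.org": ["127.0.0.2"],        # standard test entry
    "10.113.0.203.cbl.abuseat.org": ["198.51.100.7"],  # rewritten NXDOMAIN
}


def sample_resolver(name):
    """Resolver stub backed by the constructed SAMPLE_DNS table."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.10", "192.0.2.55"):
        print(ip, "->", rejection_for(ip, resolver=sample_resolver) or "accept")
```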
How do I contact the folks behind the CBL?
If you have a question not answered in this FAQ or are
getting caught by repeated listings that you're unable
to diagnose, please contact us for assistance.
We'll do our best to help - we are committed to doing that.
It is important that you follow these instructions carefully
before you contact us.
If you don't follow these instructions, resolution may be delayed.
Ask us to
remove the IP without doing anything.
A CBL listing indicates we have seen BOT-emitted spam or viruses
from your IP.
That means that if you want the IP to stay delisted, you have
to fix the BOT spew at your end.
Contact us to speed up a delisting.
You can delist it faster yourself with the lookup
and delisting tool.
Send multiple emails about the same issue without waiting for a response.
It's annoying and may delay resolution.
Include the IP address you're asking about in the subject line.
If possible, send your email to us through
that IP (our email address does not use filtering, so it should
get through anyway).
If the listing is due to a mailer problem, mailing us through
it may help us diagnose the problem.
We expect you to have looked up your IP on our
read and understood the instructions, and attempted to solve the
problem BEFORE contacting us.
Our email address is
Once the removal page says your IP is removed, it
will be removed, usually within the hour.
Don't repeatedly ask us to remove an IP without doing anything
to fix the problem that caused the listing.
We notice people doing this and will refuse to delist the IP
if it continues.
If the lookup/removal page refuses your removal, or, we've started
ignoring your emailed requests (see previous point) you will need to show
a commitment to identifying and fixing the problem when you contact
us before we will delist it again.
Or, you'll have to wait for the entry to expire.
The CBL's policy is to NEVER abandon people who make
a serious effort to solve listing problems.
But we will ignore people who just ask for delisting and never
make an effort to fix the problem.
It's better to contact us about persistent listing problems than
to ask in other fora (such as the news.admin.net-abuse.email or
news.admin.net-abuse.blocklist Usenet groups or online tech forums).
The CBL is very much different than most other DNSBLs, and the
advice you will get from sources other than our online information
or via email from us will almost always be very very wrong.
We occasionally run across such discussions (eg: via web searches
while assisting someone else), usually long after the fact, and
it's astonishing how wrong the advice/commentary usually is.
When seeing such, we can only shake our heads and feel sorry for
the person who got bad advice, because it's usually far
too late for us to help.
If you do not get a response from us within 24 hours (we're usually much
faster than that), please try resending your email from another account, such as
a freemail account on hotmail.
Your email to us may have been silently dropped by your ISP without it telling you,
OR, your spam filters may have blocked our reply.
NOTE! If your mail server does SAV ("sender address verify"
or "sender address verification callouts"), our mail server will
probably NOT "complete" the verification, because our mail
server has a long banner delay. Which means that our reply will bounce.
You will either have to whitelist our mail server from your SAV,
or arrange for our reply to go to some other mail server (eg: a
The above also applies if your mail server has short (non-RFC-compliant)
We answer all emails. If you don't get a reply, it got lost.
(NEW): How Can I Help?
We view the CBL/XBL as a collaborative effort. We are always
on the hunt for improved information on how to protect our users,
and how listees can secure their systems to prevent being taken over.
If you know of, or have written, a blog or article or tool that helps
find infected machines, disinfect infected machines, or protects machines
against future infections, whether they be general, or aimed at a specific
risk, please let us know at the email
address given above. Good tips we'll include in our web site.
But first, see the next point:
Does the CBL/XBL Endorse Specific Commercial Products or Services?
Except where otherwise explicitly noted, the CBL/XBL does not endorse
any commercial organization or any paid product, service or tool from them.
Preference is always for free public information and tools that a
system administrator/end-user can use to help themselves.
Where multiple commercial organizations do offer good free information
and tools, we deliberately distribute our references amongst the different
vendors so as to not imply favoritism for any vendor. However,
some vendors will naturally appear more frequently because they have
broader consistent and useful information.
Visitors to our site are presented with what we believe to be the
best information possible to help them secure their computers and networks.
We will gladly accept suggestions from reputable commercial organizations
in this industry for tools and other information, but this does not mean
that we will automatically accept them for external reference.
Standards Compliance/Further reading
DNSBL Blacklists and Whitelists
contains the DNSBL protocol standard (informational) by the Anti-Spam Research
Group of the Internet Research Task Force (IRTF), all part of the IETF.
This can be of assistance in gaining a deeper understanding of how DNSBLs work.
Overview of Best Email DNS-Based List (DNSBL) Operational Practices
(DNSBL BCP) contains a DNSBL operational policy document, companion
to RFC5782, also a product of the ASRG/IRTF.
The CBL provided commentary to the authors of these documents.
The CBL fully supports the DNSBL BCP and is believed to be in full compliance.
Beware of Frauds/Rumors
From time to time we encounter claims that we charge a fee for
delisting, or that certain "consultants" claim to be able to remove
a CBL listing for a fee.
This is not true.
The CBL NEVER charges fees.
The only way to get out and stay out of the CBL is to correct the
problem that got an IP listed in the first place.
The CBL believes that charging a fee for delisting is, in effect,
a protection racket with all the negative connotations that implies.
Even if it isn't intended that way, it causes more problems than it solves.
We will never charge a fee for delisting.
What is the relationship between the CBL and Spamhaus?
Spamhaus is one of the most
respected anti-spam organizations in the world.
The CBL is now a division of Spamhaus.
Note that public redistribution of the CBL in any
form is prohibited without prior authorization from us. See our
Terms and Conditions, last item.
This restriction "survives" the XBL redistribution of the CBL,
and as such, any redistribution of the XBL unauthorized by Spamhaus
is also in violation of the CBL terms and conditions.
The CBL is copyright © 2003-2017, all unauthorized copying
All external web pages that the CBL pages reference are copyright
by their respective owners.
It is exceedingly unlikely that the CBL will ever authorize
any other public redistribution over those already in force
(spamhaus.org and senderbase).
dnsbl.net.au used to have a redistribution arrangement with the
CBL, but dnsbl.net.au shut down in April 2009.
The Spamhaus XBL (or SBL-XBL or Zen) is a full superset of the CBL, and
you SHOULD NOT USE BOTH DNSBLs at the same time. In fact, for most
administrators, we strongly recommend that you use
Zen instead of the
If you are a large organization doing several hundred thousand
emails or more per day, in order to reduce DNS query loading, we
recommend that you use an rsync feed of either the XBL or CBL.
If you are a large ISP, or sell spam filtering services, we believe
that you should be supporting the anti-spam effort by purchasing
a paid-for rsync feed from Spamhaus, rather than getting the CBL directly
What is the relationship between the CBL and Abuseat.org?
As of April 2, 2013, the abuseat.org domain was wholly acquired by
the CBL, after having been "loaned" for our use since 2003.
Updated 2007/01/05.
The CBL and abuseat.org web pages are copyright ©
2003-2017, all unauthorized copying is prohibited.
All external pages referenced are copyright by their