The CBL - Composite Blocking List
CBL Statistics CBL FAQ
CBL HOME Privacy Policy

CBL Privacy Policy

The CBL is committed to respecting your online privacy, and recognizes your need for appropriate protection and management of any personally identifiable information (PII) you may share with us.

The CBL is a division of Spamhaus.

The CBL strives to comply with applicable laws around the globe. These laws can vary from country to country, but we fully intend to adhere to the principles set out below as a minimum, regardless of country whereever possible.

Given the nature of our work, the CBL may from time to time be subject to attacks on the Internet attempting to damage CBL operation or reveal confidential information. We take that potential risk very seriously, and take extraordinary steps to prevent it.

Accuracy and Legal Disclaimer

While the CBL endeavours to keep the information in this website up to date, correct and as accurate as possible, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, timeliness, suitability or availability with respect to the website or the information contained herein.


The CBL is part of Spamhaus, and does no direct marketing or sales whatsoever of any products or services.

The CBL charges no fees and has no need for financial information of any kind. Anything anywhere indicating otherwise is false and should be considered fraudulent.

Assistance to help remediate a listing is free, subject to availablity.

Information that may be collected our site will not be used for any marketing purpose, and will not be sold or otherwise disclosed to any third party for marketing purposes.

Cookies/Tracking/External Links/Logging

The CBL web pages do not use cookies, Java, flash or other "fancy" features. The only use of javascript is to facilitate multi-lingual translation of some of our web pages, and to operate the captcha on the lookup page. If you choose to have Javascript turned off in your browser, the web pages should still function as normal, except that translation will not be available.

The CBL does not use nor subscribe to any tracking or advertising methodologies. Except for the aforementioned translation facility, and explicit third party links, the CBL web pages are entirely stand-alone and perform no invisible/implicit redirects/links of any kind and do not implement any form of third party tracking/metrics.

The CBL web pages does have links to third party web pages for the purposes of assisting in the analysis and remediation of CBL listings. These web pages are not under our control, and their privacy policies should be consulted if you have concerns.

Web site access logging is the usual: originating IP address, timestamp, browser type, operating system and requested link.

If you register for a rsync transfer of the CBL zone, the originating IP address, current reverse DNS value, timestamp and file transferred are logged for each transfer.

Data Collection

The CBL web pages do not collect any personal information whatsoever, except for the rsync transfer registration page. You can use the CBL web pages without revealing any personal information about yourself, unless you voluntarily choose to sign up for rsync transfers.

Therefore, the only information collected via use of our web pages is the aforementioned basic web logging, plus the voluntary rsync registration.

Rsync zone transfer information collected includes what you enter in on the form: your name, organization, request source IP address, timestamp, and IP address that will be doing rsync transfers.

Email, Other Documents

Essentially all CBL communications are via email. As these are of an operational nature related to current issues or discussions with malware research partners, we do not have a formal archiving mechanism.

The CBL does not store any other documents containing information collected by the web site or email.

CBL Database

The CBL, as a course of implementing its primary function, retains a full audit trail for each listing, including IP address, timestamp and other diagnostic information, and (some) web logging information related to listing removals.

The database does not contain PII data other than what may be deemed PII in the above paragraph in various jurisdictions.

We do not believe that the CBL listing database contains any personally identifiable information, in a legal sense or otherwise, and no attempt to attribute an IP to an individual is ever made, except as you may volunteer yourself in email contact with us. Therefore, a listing of an IP address is not a privacy infringement. If some legal jurisdiction may disagree, protecting our users from malicious spam, fraud and malware is in the public interest and supersedes it.

If you believe a listing is a violation of privacy, correction is simple - find and remediate the infection causing the listing, and the issue goes away. Our mandate is to assist you doing so.

If you deliberately run a network of compromised computers running malware or other malicious software and believe our listings are harming your privacy or business, we'll be happy to delist on request. However, such requests must be accompanied by your real name, age, nationality, details of the criminal charges laid against you, which prison you currently reside in, and be notorized by competent legal jurisdiction. Such information will be verified by independent means. If you are not currently in prison, please let us know so we can rectify the situation.

The contents of the database are not made public, only divulged as we (and only we) deem necessary to assist someone contacting the CBL to resolve individual listings. As such, we will only reveal this information to the listee (person affected by listing) and those they may designate (such as their service provider[s]).

Use of Collected Data

Data collected for rsync registration is used to determine your eligibility for a rsync download and facilitating the setup of rsync to permit your download, as well as contacting you if changes will be made to the rsync service.

All other data is used to facilitate the basic operation of the CBL, diagnose problems, assist in the resolution of a listing, capacity planning, and enhance your experience with the CBL web site.

Data Retention Policies

Generally speaking, logging and database information are kept indefinitely to provide a historical view of the CBL's operation and metrics related to that.

From time to time, as disk space requires, older data may be archived and placed into second-level storage.

Third-Party Data Disclosure

The CBL may divulge information it holds to our partners (which include law enforcement, malware researchers and ISPs) where required by law or regulation, or as we deem fit to protect ourselves, our partners, our users or the public. We require that any third party given such information holds the information under policies at least equivalent to ours.

The published CBL DNSBL zone contains only IP addresses of listings and no other information.

Children under the age of 13

We do not believe that Children's Online Privacy Protection Act of 1998 (COPPA) applies in our case, due to the fact that the CBL is non-commercial/non-profit, does not solicit PII for routine interactions, that any PII collected is for internal (rsync registration) use only and not for marketing or other similar purposes. It seems implausible that any child under the age of 13 years of age would ever be likely to interact with the CBL.

That said, some young children with a technical/scientific inclination are doing some surprising things, and we don't want to discourage such learning. We will not knowingly accept rsync registrations or email from under 13 year olds, please have your parents contact us instead to provide permission.

The CBL and web pages are copyright © 2003-2017, all unauthorized copying is prohibited. All external pages referenced are copyright by their respective owners.