The CBL has easy self-removal. Use the CBL Lookup and Removal page to look up the IP address you've been told is listed. It will provide you with information on why the IP was listed, and a link to do self-removal. The rest of these web pages are intended to help you understand what could cause a listing, and how to diagnose the problem.
WARNING The CBL expects you to resolve the problem, preferably before you do a delisting. If you simply delist without resolving the problem, it will almost certainly list again.
Of late a lot of people are emailing us and asking us to delist an IP address. We can't do it more quickly than you can. It's a LOT faster if you do it yourself.
The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) and dedicated Spam BOTs which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.
NEW! The CBL also lists certain portions of SpamBot infrastructure, such as Spam BOT/virus infector download web sites, and other web sites or name servers exclusively dedicated to the use of Spam BOTs. Considerable care is taken to avoid listing IP addresses that are, or are likely to be, shared with legitimate use, except in the case of infector download websites.
In other words, the CBL only lists IPs that have attempted email connections to one of our servers in such a way as to indicate that the sending IP is infected, OR, IPs specifically dedicated to the propagation/use of Spam BOTs.
The CBL does NO probes. In other words, the CBL NEVER makes connections to other machines to "test" anything.
The CBL does NOT test for nor list open SMTP relays.
The CBL only lists individual IPs, it NEVER lists ranges.
The CBL does NOT care whether an IP is dynamic or not: if the connections the IP makes indicate that it's infected, it is listed regardless.
The CBL does NOT attempt to associate IP addresses to persons or organizations, and furthermore, a CBL listing should NOT be construed as accusing anyone of spamming - virtually all listees are the victims of a virus or other compromise, not deliberately spamming.
The CBL does NOT accept external submissions for listing. Hence it is not possible for the CBL to be used as an instrument of revenge (eg: "disgruntled ex-employee" or "competitor").
The CBL operates in an entirely automated way designed to avoid listings of spamtrap hits due to bounces of forged spam, virus bounces, and "real" mail servers emitting the occasional spam (unless the server itself appears to be infected). It tries very hard to avoid listing legitimate mail sources. It does not attempt to list every possible spam source.
This list is based on information believed to be reliable. No warranty is made that it is accurate or complete. Use entirely at your own risk.
There is no supporting data or "evidence" file available for any given listing, and no mechanism to ask why any given listing took place. To counteract this, there is an automated no-questions-asked removals procedure allowing any affected party to delist a specific IP address rapidly. However, delisted IPs are relisted if new evidence of spam activity is subsequently detected.
Entries automatically expire after a period of time. The approximate detection time of a specific entry can be obtained from the web interface.
Use the lookup tool; it will often give you further detail, and it provides the link to the delisting tool.
See the FAQ for more information on how to identify and resolve a CBL listing.
Before using the CBL, you should read our terms and conditions.
The CBL can be queried in the usual way for DNS-based blocking lists, under the name cbl.abuseat.org.
Entries in the CBL are returned with an IP address (always 127.0.0.2) and a TXT record containing a link to the lookup/removal pages.
If you wish to run a local server using the CBL data you can download the CBL zone. Please see our FAQ under the subject "How do I download the CBL as a list of IPs?"
We're getting a lot of reports of spurious blocking caused by sites using the CBL to block authenticated access to smarthosts / outgoing mail servers. THE CBL is only designed to be used on INCOMING mail, i.e. on the hosts that your MX records point to.
If you use the same hosts for incoming mail and smarthosting, then you should always ensure that you exempt authenticated clients from CBL checks, just as you would for dynamic/dialup blocklists.
Another way of putting this is: "Do not use the CBL to block your own users".
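The query form described above (reversed octets under cbl.abuseat.org, a listing signalled by the A record 127.0.0.2) and the rule that authenticated clients must be exempted from the check, as an added example that is not the CBL's own code. The resolver is injected so the block runs offline; the IPs and answers in SAMPLE_ANSWERS are constructed, not real listings.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

CBL_ZONE = "cbl.abuseat.org"
CBL_LISTED = "127.0.0.2"  # the only A record the CBL returns for a listed IP

Resolver = Callable[[str], Optional[str]]


def cbl_query_name(ip: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, under cbl.abuseat.org.
    e.g. 1.2.3.4 -> 4.3.2.1.cbl.abuseat.org"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + CBL_ZONE


def is_cbl_listed(ip: str, resolve_a: Resolver) -> bool:
    """Listed only when the A lookup answers exactly 127.0.0.2 (NXDOMAIN/None = not listed)."""
    return resolve_a(cbl_query_name(ip)) == CBL_LISTED


def should_reject(client_ip: str, authenticated: bool, resolve_a: Resolver) -> bool:
    """Policy for a host that is both MX and smarthost: the CBL is consulted for
    unauthenticated inbound senders only, never for clients that have authenticated."""
    if authenticated:
        return False
    return is_cbl_listed(client_ip, resolve_a)


def live_resolve_a(name: str) -> Optional[str]:
    """Real resolver for production use: a normal DNS A lookup, None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed stand-in for DNS so the example runs without network access.
SAMPLE_ANSWERS: Dict[str, str] = {
    "4.3.2.1.cbl.abuseat.org": "127.0.0.2",  # constructed: pretend 1.2.3.4 is listed
}


def fake_resolve_a(name: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip, auth in (("1.2.3.4", False), ("1.2.3.4", True), ("5.6.7.8", False)):
        print(ip, "authenticated" if auth else "unauthenticated",
              "REJECT" if should_reject(ip, auth, fake_resolve_a) else "accept")
```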
A number of sites are performing automated queries against the CBL web site. Obviously, at least one mail server software vendor believes this is how a mail server queries a DNSBL.
This is not the proper way to do DNSBL queries. We'll also add that this is easy to detect...
Sites doing this are being automatically detected and being given incorrect answers. If it doesn't stop, stronger measures may be taken. So, stop doing it.
Old News alerts are at the end of this page
If you're running a Barracuda Spam Firewall go turn the "bounce spam" feature off. Do it right now. All spam is forged. Which means that every spam you bounce will probably hit an innocent third party who had nothing to do with it. This is called "backscatter". It's spam. It's part of the spam problem, not part of the spam solution.
The ability to let a legitimate non-spamming sender know that you blocked their email without causing backscatter has been well known for years. Pressure your vendor to implement it, or move to another vendor, but in the meantime, turn the bounce spam feature off.
The CBL does not deliberately list for backscatter. However, Barracuda-bounced BOTNET spam is generally indistinguishable from being hit by a BOTNET directly, and that is what we list.
So turn it off.
One of our smaller data feeds misfired and produced a small number of erroneous listings for a new variant of the Rustock BOT commencing at around 3am GMT on October 16/2007. All of these entries were removed and the feed taken out of service within a few hours. If the only information that a CBL lookup gives you is a listing and removal within a few hours on October 16, with no subsequent relisting, it's likely to have been the misfire.
The misfiring feed had been taken out of service for testing and recertification, and was put back in operation on October 23.
It has become apparent that reliance on Anti-virus software for protection against spam bots is increasingly ineffective, and is reaching "disaster" status.
A large non-profit security organization has recently reported that only 23% of the 30,000 "unique" infections they see per day are detected by _any_ of 35 of the most popular A/V products, and the percentage only reaches 50% after the infections have been in the wild for a month. And this includes well-known, long-standing botnets like Srizbi or Storm.
Many of our correspondents have told us that they've run a whole battery of A/V products on machines that are provably infected with a known bot (by the email they emit), and not found anything.
Given the failure of A/V to help identify/eradicate infections, we can only continue to assert that the best way to prevent bot emission (and CBL detection) is to secure your networks so that ONLY mail servers can send email to the Internet.
Some people may be noticing increased effectiveness in CBL listings of late. This is because we have been adding new heuristics into the CBL that do a much better job of identifying and classifying BOT emission.
At present, the CBL is able to identify the BOT family behind at least 45% of all spam. The CBL is currently catching in excess of 85% of all spam hitting very large spamtraps.
The feed was removed from operation as soon as we became aware of the issue, and we have purged all the IPs it listed in the last 48 hours as a precaution. We have verified that this has taken effect in everything the CBL publishes. Here at the CBL we take false positives extremely seriously, and we do apologize for this issue. We have taken steps to ensure that this cannot happen again in the future.
To further ensure the problem is resolved everywhere, we advise the relatively small number of email administrators who retrieve their copy of the CBL via zone transfer to ensure that they have fetched the CBL at least once after 10:30AM UTC on 2008-04-10 to ensure that the erroneous listings have been purged from their systems. Note that the vast majority of sites use the CBL via direct DNSBL query or zone transfers every 2 hours or less, and thus no action is necessary.
This problem was cleared at approximately 13:00 UTC 2007/04/24, and all pent-up removals from the XBL took place at that time.
We apologize for the inconvenience, and will be taking steps to ensure that if this were to happen again, CBL removals would take effect on the XBL far more quickly.
Blagr is a DNSBL aggregator and appears to be aggregating several DNSBLs (including the CBL) together.
Blagr appears to be in use by the emailsrvr.com mail servers only. Hence only affects the email their customers receive. It apparently only refreshes its copy of the CBL once per day.
Hence, if you delist from the CBL, blagr won't notice for as much as another day, and you can't email to emailsrvr.com customers until then.
They really should refresh more often. They'd catch MUCH more spam, and have fewer false positives that way.
There is likely a similar situation with a list called "blacklist.zap", but we have as yet found no definitive information about what it is. We have our suspicions, and if they're true, blacklist.zap removals will lag CBL removals by about an hour instead of a day.
The CBL is presently tracking almost 300,000 hacked machines sending this junk.
It is believed that these are due to infections by the Stration or Warezov email worms. One or both of these appear to the recipient as an email from their email provider, telling them they have a virus and have to open a contained zip file to "fix the virus". But opening the zip file causes the virus to infect them. One common subject line is "Mail Server Report", another is "hello" with body: "Mail transaction failed. Partial message is available".
If you have become listed, perhaps for the first time, after this time (see the lookup link above), particularly if you recognize the above subject lines and clicked on a zip file link, chances are that you are infected with Stration/Warezov virus, and you must take immediate steps to eradicate it, ensuring that you have the latest possible anti-virus program updates.
The lookup page will tell you whether the probable cause for your listing is Stration/Warezov.
See the security bulletin for more information.
If your first detection with the CBL is August 13th or later, especially if the lookup page references "DMS", compromise via the MS06-040 vulnerability should be considered the most likely cause. In this case, you should patch your system and use a scanner to find open proxies.
If you have applied this patch prior to the detection timestamp the CBL lookup shows, you still need to use a scanner to find open proxies on your system. The patch does not remove the virus that infected you - it merely prevents it happening again.
As we understand it, one of the vectors is an AIM (AOL IM) session that downloads a variety of very malicious bundles of software, including an IRCBOT (variant known as mocbot) and another piece of malware called "ranky". The latter we believe is the spam trojan.
As reported by someone else:
Windows 2000 service pack 4 system compromised by Vulnerability in Server Service Which Allowed Remote Code Execution (921883) (Microsoft Security Bulletin MS06-040)
System was infected before patch
Four files installed in system:
C:\winnt\svchost.exe
C:\winnt\nt\nrcs.exe
C:\winnt\system32\.exe
C:\winnt\system32\wgareg.exe
Various registry items ran nrcs.exe and wgareg.exe on both system startup and user login. Probably sent user names and passwords to remote computer. (All passwords have been changed).
If any of the files are on your system, this provides a quick confirmation that you have been compromised by MS06-040.
Note: svchost.exe is part of the standard Windows install, so it will be present on uninfected machines. It is either a "svchost.exe" in a non-standard location, or a virus-modified one, that is of concern. This is why we do not recommend simply deleting them - use a virus scanner to ensure that the problem is corrected properly. Furthermore, their absence is not proof that you have not been compromised by MS06-040. Other compromises are being seen that involve files different from the list above.
You should patch your system AS SOON AS POSSIBLE, whether or not you have signs of compromise, and then run a virus scanner to clean your systems. If the above files are present, and your virus scanner doesn't find them, you will need to obtain a different virus scanner.
Secondly, if there is any sign whatsoever that your machine was compromised, you should change all of your passwords immediately.
For a brief period from approximately 4:10 to 6:00 UTC on June 15th, a number of entirely erroneous CBL listings occurred due to parsing problems in a new CBL process.
All CBL listings associated with that process were immediately purged, and the process eliminated. It will not be reinstated.
If you encountered email problems during that interval or shortly afterwards, and a lookup shows that it is not currently listed, this is what happened, and no further action is required.
Our profuse apologies for this occurrence. It will not repeat.
Due to a hardware failure, the website and master rsync server has been unavailable at times recently. We are migrating services to another machine, but there may be some delays in removals as a result.
Due to increased loading on the CBL servers, we have withdrawn the tinydns and bind rsync retrieval formats and AXFR zone transfers from service. We have attempted to contact each of those sites retrieving the tinydns and bind formats to inform them of that fact.
The only supported bulk download format/protocol is rsync of the rbldnsd file (list.txt). If you are trying to download one of the other formats, please stop doing so.
We would ask those who do zone downloads of the list.txt rsync format to please register.
See the FAQ for further information.
A recent Sober worm variant is causing considerable havoc on the Internet. This particular variant sends out email allegedly from the FBI or CIA (amongst other things). It is known by anti-virus companies under several different names: Sober.U (eg: ClamAV), Sober.Z (eg: Sophos) and Sober.X (eg: Symantec).
This is currently one of the leading causes of CBL detections (with somewhere around 100,000 detections). People using the self-delisting page without doing any investigation whatsoever are causing the CBL web pages to operate rather slowly - to little end, because if you don't eradicate your Sober.Z infection, you're just going to get listed again.
If the IP you are concerned with is your personal PC: scan your machine with an anti-virus tool for Sober before attempting to delist. This tool will help.
If the IP you are concerned with is a NAT, secure it ASAP.
The CBL and http://cbl.abuseat.org web pages are copyright © 2003-2007, all unauthorized copying is prohibited