These are the terms and conditions for using the CBL. You are given permission to use the CBL as long as your use complies with these guidelines. Violation may result in your permission to use the CBL being revoked.
WARNING: All of the restrictions documented in these terms and conditions apply equally to using the CBL portion of the XBL, SBL-XBL and Zen from Spamhaus. Note that the PBL has similar technical restrictions.
The CBL is operated by a group of computer security, spam and virus professionals, dedicated to developing and maintaining an anti-spam and anti-virus DNSBL of the highest possible quality and reliability, that large organizations can use with confidence.
That said, use of the CBL is at your own risk.
The CBL is primarily intended for use with email inbound to your domain's MXes. We generally prefer that email be rejected with a pointer to our site, including the listed IP, so that listings can be resolved and the problem cleared.
The CBL provides DNS TXT records that can be used directly in your rejections.
As a matter of best practice, you MUST NOT bounce (accept the message and then queue a separate notification to the sender), but instead reject (issue the SMTP rejection inline, during the session). This largely prevents your filters from mail-bombing the victims of sender forgery.
If you want to use the CBL to block protocols other than SMTP on port 25 (e.g. IRC), realize that this is officially UNSUPPORTED by the CBL team.
We appreciate that this is a useful thing to do, but you MUST NOT mention the CBL as being the source of a block and you should be prepared to provide "first contact" assistance for users encountering a block and potentially whitelisting on your service.
It should be absolutely clear that there will be a potentially large number of affected users who, through no fault of their own, will NOT be able to delist due to NAT, dynamic IPs, or other similar issues. Anyone using the CBL for blocking IRC, blog comments or whatever needs to know that they will get collateral damage and they will either have to manage that themselves with whitelisting or live with it.
It is a very bad idea to use the CBL on a "full Received line traverse". Use the CBL only on the IP address that attempts to connect to your mail servers. Parsing Received: headers further back is seldom useful (those headers are trivially forged, and earlier hops are often legitimate relays or NATed client addresses), and it will yield far more false positives than checking peer addresses only.
If you want to use the CBL to derive listings of other IP addresses than we explicitly list, you MUST NOT reference the CBL in your rejection messages.
For example, blocking /24s due to "greater than some threshold number of CBL entries" is actually a very effective anti-spam/virus technique (works much like a DUL), but you MUST handle complaints from users for IPs that the CBL didn't list, and potentially be prepared to whitelist individual IP addresses locally. Consider: if you blame us for a block for an IP address that we do not list, there's NOTHING we can do to assist, and the user is very unlikely to be able to "fix" the multiple CBL listings that caused their block either. Much frustration.
If you plan on using the CBL in a way that can block your own customers relaying their outbound email through your mail servers, there are two different situations that should be handled differently. The first is where you are some sort of email service provider or serve roaming users: your users' email traverses the Internet to get to your relay. The second is where these users are on your own network, and their email only goes through your LAN to reach your outbound relay.
Recognize that your users should be encouraged to use your outbound relay server.
Recognize that most of the compromises that we catch do NOT use your user's relay server settings.
Thus, by applying the CBL to your relay server for outbound email, you will mostly be impacting legitimate email that was sent properly. You really don't want to discourage that, and you will even prevent your users from contacting us. You can guarantee legitimate email by requiring that your users use SMTP AUTH or some other form of sender authentication, better still on a port other than 25 (i.e. port 587, SMTP SUBMIT).
"We block the connection before we give the user a chance to authenticate" is _not_ in compliance with this section; in fact, avoiding exactly that is the whole point of this section. If you use a port other than 25 for end-user submission (such as the standard SUBMIT port, 587), simply don't apply the CBL to such connections at all, AND force the user to authenticate; refuse the email only if the user doesn't authenticate. If you force users to submit through port 25, delay the rejection _until_ the user has had a chance to authenticate, and reject only if the user fails to do so.
In the first case (outbound email traverses the Internet to get to your relay), you MUST NOT apply the CBL to connections that do SMTP authentication (or use some other technique that proves the SMTP connection is from your customer). The listed IPs in this case are often the NATs of wireless POPs, airport lounges or hotels, so a roaming user (or we) are relatively unlikely to be able to reach the right people to get the listing fixed properly. The user will just be very frustrated (and mad at both you and us).
In concrete terms: you should offer authenticated inbound email access on port 25 or port 587 (or some other port), and you MUST ignore CBL listings of connections that have authenticated. If you only allow authenticated connections on port 587 (or other non-port 25 port), you do not need to implement CBL checking on it at all.
As a corollary, you must not use the CBL to block external connections to your smarthost (technically "MSA" - Mail submission server) by your own users.
In short: implement SMTPAUTH/STARTTLS for roaming users, and do not apply the CBL to such connections.
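The following is an added example, not code from the CBL project or this page. It shows the mechanics the sections above describe in one small SMTP policy: the reversed-octet DNSBL query for the connecting peer only (never Received: headers), the TXT record carried into an inline 5xx rejection, no CBL check at all on the SUBMIT port, and on port 25 the lookup result held back until RCPT TO so that a client that authenticates is never rejected on the strength of a listing. The zone name cbl.abuseat.org, the listing A record 127.0.0.2 and the in-memory table standing in for DNS are assumptions made so the example runs offline; replace `FAKE_DNS.get` with a real resolver in production.

```python
"""Added example (not CBL project code): a DNSBL lookup helper and an SMTP
policy that applies the CBL the way these terms require.

Assumptions not taken from the page: the query zone name cbl.abuseat.org,
the listing A record 127.0.0.2, and a constructed in-memory table standing
in for DNS so that the example runs offline.
"""
import ipaddress

CBL_ZONE = "cbl.abuseat.org"   # assumption: query zone name
PORT_SMTP, PORT_SUBMIT = 25, 587

# Constructed stand-in for the DNS resolver: query name -> (A record, TXT record).
FAKE_DNS = {
    "44.2.0.192.cbl.abuseat.org": (
        "127.0.0.2",
        "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=192.0.2.44",
    ),
}


def dnsbl_name(ip: str, zone: str = CBL_ZONE) -> str:
    """Build the reversed-octet DNSBL query name for an IPv4 address,
    e.g. 192.0.2.44 -> 44.2.0.192.cbl.abuseat.org."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def cbl_lookup(ip: str, resolve=FAKE_DNS.get):
    """Return the listing's TXT string if the peer IP is listed, else None.
    `resolve` maps a query name to (A, TXT) or None; swap in a real resolver."""
    rec = resolve(dnsbl_name(ip))
    if rec is None:
        return None
    a_record, txt = rec
    if not a_record.startswith("127.0.0."):   # ignore anything that isn't a DNSBL answer
        return None
    return txt


class SubmissionPolicy:
    """Per-session decisions for one SMTP connection.

    - only the connecting peer IP is ever checked, never Received: headers;
    - no check at all on the submission port (587), which requires AUTH;
    - on port 25 the lookup result is held until RCPT TO, so a client that
      authenticates first is never rejected on the strength of a listing;
    - rejections happen inline with a 5xx, never as a later bounce.
    """

    def __init__(self, peer_ip: str, port: int, lookup=cbl_lookup):
        self.peer_ip, self.port = peer_ip, port
        self.authenticated = False
        # Look the peer up once, early, but do not act on it yet.
        self.listing = None if port == PORT_SUBMIT else lookup(peer_ip)

    def on_connect(self) -> str:
        return "220 mx.example.net ESMTP"     # never reject at connect time

    def on_auth(self, credentials_ok: bool) -> str:
        self.authenticated = credentials_ok
        if credentials_ok:
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def on_rcpt(self) -> str:
        if self.port == PORT_SUBMIT:
            # MSA: authentication decides, the CBL is never consulted.
            return "250 2.1.5 OK" if self.authenticated else "530 5.7.0 Authentication required"
        if self.authenticated:
            return "250 2.1.5 OK"             # a proven customer is never blocked
        if self.listing:
            # Inline rejection carrying the TXT record, which names the IP and lookup URL.
            return f"550 5.7.1 Client [{self.peer_ip}] rejected: {self.listing}"
        return "250 2.1.5 OK"
```

The 550 text deliberately includes the peer IP alongside the TXT record, so a blocked sender has both the address and the lookup URL needed to clear the listing.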
In the second case (outbound email traverses your LAN to get to your relay), all of the argument for the first case above still applies.
However, since you likely control the IP address that's listed, this becomes an important opportunity for your support staff to disinfect the customer. Many providers do exactly that, and this is very good for the Internet. If you do choose to use the CBL in this fashion, you MUST refer your user to your support staff in the rejection, NOT the CBL.
If, in spite of 3, 4, 5 or 6 above, you still want to use the CBL in an unsupported fashion (e.g. to block blog, web or IRC access, to block on full Received line traverse, to derive other blocking heuristics, or to block MSA submissions), you must take full responsibility for the decision yourself.
This means that you must remove all mention of the CBL (or Spamhaus) from any error messages or communications the user may see, and direct all support questions to your own support infrastructure.
The CBL assumes no responsibility whatsoever for the CBL being used in an unsupported/not-recommended fashion.
[See the last two paragraphs of 5 above]. The best way to use the CBL to find (so you can disinfect) infected machines in your network is to rsync the CBL periodically and scan it for entries in your IP ranges. This is better than waiting for your users to encounter problems with sending email. Many ISPs do this, and it is "good for the Internet".
The "grepcidr" tool (google for it) is quite useful in this regard.
In some cases you'll clearly need timestamps so you can identify who was using the IP at the time of detection. You can get those by going to our web site and doing a query for the listed IP. As a security measure, we round off the detection time to the nearest half hour, but if a more accurate timestamp is needed for an individual listing, contact us. But we'd prefer you didn't have to.
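The following is an added example, not code from the CBL project or this page. It does what the rsync-and-scan advice above describes, the way grepcidr would: read a locally mirrored zone, keep only the listed addresses that fall inside your own ranges, and group them by /24 so support staff can see clusters of infections at a glance (for triage, not for blocking addresses the CBL did not list). The zone file layout assumed here, one listed IPv4 address at the start of each line with comments and trailing data ignored, and the sample zone itself are constructed; check the format of the zone you actually receive and adjust `parse_zone()` if it differs.

```python
"""Added example (not CBL project code): scan a locally mirrored copy of the
CBL zone for listings inside your own address space, the way grepcidr would,
and group the hits by /24 so support staff can work through them.

Assumptions not taken from the page: the zone is plain text with one listed
IPv4 address at the start of each line (anything after it, and '#' comments,
are ignored), and the sample zone below is constructed, not real listing data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample zone; documentation addresses only.
SAMPLE_ZONE = """\
# constructed sample, not real CBL data
192.0.2.44
192.0.2.45      extra data after the address is ignored
192.0.2.200
198.51.100.7
198.51.100.200
203.0.113.9
not-an-address
"""

# Your own ranges (constructed): one /24 and one /25.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]


def parse_zone(text: str):
    """Yield one IPv4Address per valid zone line, skipping comments, blanks
    and unparsable lines instead of aborting the whole scan."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0]
        try:
            yield ipaddress.IPv4Address(token)
        except ValueError:
            continue


def listed_in_ranges(text: str, ranges) -> list:
    """Return the listed addresses that fall inside any of `ranges`
    (strings or network objects)."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return [ip for ip in parse_zone(text) if any(ip in n for n in nets)]


def group_by_24(addresses) -> dict:
    """Group addresses by their /24 so clusters stand out."""
    groups = defaultdict(list)
    for ip in addresses:
        groups[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    return dict(groups)


def report(text: str = SAMPLE_ZONE, ranges=LOCAL_RANGES) -> list:
    """Produce (network, count, [addresses]) rows, busiest /24 first."""
    groups = group_by_24(listed_in_ranges(text, ranges))
    return sorted(((net, len(ips), ips) for net, ips in groups.items()),
                  key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for net, count, ips in report():
        print(f"{net}: {count} listed -> {', '.join(map(str, ips))}")
```

For a zone of millions of entries the linear `any(ip in n ...)` check is the slow part; with a few large ranges it is still fine, otherwise index your ranges by prefix or simply use grepcidr as the page suggests. Feed the report into the support queue together with the half-hour-granularity timestamps from the web lookup when you need to identify which customer held a dynamic address.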
For the most part, CBL listings are because of virus infections of some sort or inadequately secured machines. The CBL does NOT accuse the owner of the IP as being a spammer. They probably aren't spammers, they're just hacked. Thus, termination of an account simply for a CBL listing is very rarely justified, unless they're unable to secure their machine.
See the faq and the next item for further technical information on how to use the CBL.
Note: we prefer that if you use the CBL to block email, that your rejection message uses the TXT record as the diagnostic - if you mention the CBL in the rejection, the diagnostic message should include the IP address. The TXT record for a CBL DNS query includes links like this: http://cbl.abuseat.org/lookup.cgi?ip=[ip address]
Note: all users of the CBL zone files must register; see Zone signup.
Note: as a matter of policy, all commercial anti-spam filter vendors making direct use of the CBL zone files should obtain a zone license from Spamhaus.
The CBL is copyright © 2003-2007, all unauthorized copying is prohibited
Note: You MUST NOT publish information derived from the CBL zone outside of your own local organization (e.g. via a publicly available DNS zone of your own construction, or any other form of redistribution of the list) without prior authorization from us.
At present, the only authorized republications of the CBL are through SpamHaus XBL (via SBL-XBL and Zen), Senderbase, and dnsbl.net.au (originally bl.reynolds.net.au). Any other public republication of the CBL is strictly prohibited.