ABUSEAT.ORG

Changes to the CBL. IMPORTANT TO ALL CBL users: If you were using the CBL to filter access to your mail servers or anything else, you will need to take note of several changes to the CBL that occured in January 2021. In short, the CBL infrastructure was replaced by the Spamhaus XBL structure, the lookup pages and access methods have

changed.

TOR/VPN/ANONYMIZING PROXY POLICY CBL/XBL TOR/VPN/Anonymizing Proxy Policy. This page explains the policy that the CBL has towards IP addresses used as "TOR exit nodes", VPN tunnels, and other mechanisms that use shared IP addresses for relaying traffic from unattributable third parties. HOW TO FIND BOTS IN A LAN

THE CBL FAQ

WHAT IS A NAT FIREWALL/ROUTER/GATEWAY? What is a NAT Firewall/Router/Gateway? "NAT" stands for "Network Address Translation", which is used to "map" the private IP addresses of individual computers on a local network, to a single IP address (the "NAT's address") on the Internet. NOTES: - ABUSEAT.ORG Notes: Population and Internet population numbers are generally as of 2014, and are sourced directly from the World Bank public access

repositories.

WHAT AFFECT IS THIS LISTING HAVING ON YOU? What affect is this listing having on you? The CBL is intended to be used only on inbound email from the Internet. If you are being blocked from IRC, Chat, web sites, web email interfaces (eg: you're using Internet Explorer, Firefox, Chrome, Opera etc to send email) or anything other than basic email with a mail reader like Exchange, Thunderbird etc, the provider of this service is using the

HELO SETTINGS

HELO Settings. The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive. During this it tries distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible name for itself (via SMTP HELO), and not listing any IP that corresponds to a real mail server (or several mail POSSIBLE MAIL SERVER CONFIGURATION ISSUES Possible Mail Server Configuration Issues. One way of testing whether your mail server is misconfigured is to send an email through it to You will get a virtually immediate rejection.. In other words, you will get bounce message back that appears to indicate

that your email to

CPANEL - ABUSEAT.ORG cPanel. This was written by cPanel support to one of our correspondants, which echoes what we say in our per-IP diagnostic page: Thank you for your patience while I've looked into this for you.

ABUSEAT.ORG

Changes to the CBL. IMPORTANT TO ALL CBL users: If you were using the CBL to filter access to your mail servers or anything else, you will need to take note of several changes to the CBL that occured in January 2021. In short, the CBL infrastructure was replaced by the Spamhaus XBL structure, the lookup pages and access methods have

changed.

TOR/VPN/ANONYMIZING PROXY POLICY CBL/XBL TOR/VPN/Anonymizing Proxy Policy. This page explains the policy that the CBL has towards IP addresses used as "TOR exit nodes", VPN tunnels, and other mechanisms that use shared IP addresses for relaying traffic from unattributable third parties. HOW TO FIND BOTS IN A LAN

THE CBL FAQ

WHAT IS A NAT FIREWALL/ROUTER/GATEWAY? What is a NAT Firewall/Router/Gateway? "NAT" stands for "Network Address Translation", which is used to "map" the private IP addresses of individual computers on a local network, to a single IP address (the "NAT's address") on the Internet. NOTES: - ABUSEAT.ORG Notes: Population and Internet population numbers are generally as of 2014, and are sourced directly from the World Bank public access

repositories.

WHAT AFFECT IS THIS LISTING HAVING ON YOU? What affect is this listing having on you? The CBL is intended to be used only on inbound email from the Internet. If you are being blocked from IRC, Chat, web sites, web email interfaces (eg: you're using Internet Explorer, Firefox, Chrome, Opera etc to send email) or anything other than basic email with a mail reader like Exchange, Thunderbird etc, the provider of this service is using the

HELO SETTINGS

HELO Settings. The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive. During this it tries distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible name for itself (via SMTP HELO), and not listing any IP that corresponds to a real mail server (or several mail POSSIBLE MAIL SERVER CONFIGURATION ISSUES Possible Mail Server Configuration Issues. One way of testing whether your mail server is misconfigured is to send an email through it to You will get a virtually immediate rejection.. In other words, you will get bounce message back that appears to indicate

that your email to

CPANEL - ABUSEAT.ORG cPanel. This was written by cPanel support to one of our correspondants, which echoes what we say in our per-IP diagnostic page: Thank you for your patience while I've looked into this for you. SCANNING YOUR MACHINE FOR EXPLOITS Scanning your machine for exploits. There are a variety of different compromises that the CBL detects: mass mailing worms/viruses/trojans like Cutwail, Srizbi, Ozdok/Mega-D, Rustock, Storm and others. WEB SITE/CMS VULNERABILITY REMEDIATION Web site/CMS Vulnerability Remediation CMS Infections in General. Many CMS infections are due to the StealRat botnet, it should be the first

to check.

MY PROVIDER IS BLOCKING ME! My Provider is blocking me! The CBL is specifically intended to be used to filter email coming into a mail server from the Internet, not to filter email going out to the Internet.. In "tech-jargon", it's intended to be used on email going to the MX for your domain, NOT to block your (or your user's) access to a "outbound SMTP server". This most often happens when the user is "roaming MAIL SERVERS IN THE CBL Mail Servers in the CBL. It is very rare for "real" mail servers to find themselves listed in the CBL. The CBL's techniques are specifically designed to avoid listing real mail servers, even if the mail server relays viruses or trojan/proxy spam.. A correctly operating and configured mail server cannot trigger a CBL listing under any circumstances.. The only exception is if the mail server

ABUSEAT.ORG

© 2018 CBL. A Division of Spamhaus. All rights reserved. | Privacy Policy | Terms and ConditionsPrivacy Policy | Terms and Conditions POSSIBLE MAIL SERVER CONFIGURATION ISSUES Possible Mail Server Configuration Issues. One way of testing whether your mail server is misconfigured is to send an email through it to You will get a virtually immediate rejection.. In other words, you will get bounce message back that appears to indicate

that your email to

MAIL SERVER NAMING PROBLEMS Mail Server Naming Problems. The CBL uses a variety of techniques to determine what IPs are behaving highly suspiciously and are likely have been compromised into sending spam or viruses. THIS IP ADDRESS IS DYNAMIC This IP address is dynamic. As we've mentioned earlier, CBL listings that interfere with legitimate email are almost ALWAYS as a result of virus-infected machines.. The difficulty with dynamic IP addresses is that you may not have had this IP address at the time the virus was infected, so there is nothing you can do to prevent a relisting. CPANEL - ABUSEAT.ORG cPanel. This was written by cPanel support to one of our correspondants, which echoes what we say in our per-IP diagnostic page: Thank you for your patience while I've looked into this for you.

SENDMAIL NOTES

Sendmail Notes. Sendmail's configuration is handled by the file sendmail.cf. Depending on which Linux distro you are running, it may be in /etc/sendmail.cf or /etc/mail/sendmail.cf (probably the latter).

ABUSEAT.ORG

Changes to the CBL. IMPORTANT TO ALL CBL users: If you were using the CBL to filter access to your mail servers or anything else, you will need to take note of several changes to the CBL that occured in January 2021. In short, the CBL infrastructure was replaced by the Spamhaus XBL structure, the lookup pages and access methods have

changed.

TOR/VPN/ANONYMIZING PROXY POLICY CBL/XBL TOR/VPN/Anonymizing Proxy Policy. This page explains the policy that the CBL has towards IP addresses used as "TOR exit nodes", VPN tunnels, and other mechanisms that use shared IP addresses for relaying traffic from unattributable third parties. HOW TO FIND BOTS IN A LAN

THE CBL FAQ

WHAT IS A NAT FIREWALL/ROUTER/GATEWAY? What is a NAT Firewall/Router/Gateway? "NAT" stands for "Network Address Translation", which is used to "map" the private IP addresses of individual computers on a local network, to a single IP address (the "NAT's address") on the Internet. NOTES: - ABUSEAT.ORG Notes: Population and Internet population numbers are generally as of 2014, and are sourced directly from the World Bank public access

repositories.

WHAT AFFECT IS THIS LISTING HAVING ON YOU? What affect is this listing having on you? The CBL is intended to be used only on inbound email from the Internet. If you are being blocked from IRC, Chat, web sites, web email interfaces (eg: you're using Internet Explorer, Firefox, Chrome, Opera etc to send email) or anything other than basic email with a mail reader like Exchange, Thunderbird etc, the provider of this service is using the

HELO SETTINGS

HELO Settings. The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive. During this it tries distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible name for itself (via SMTP HELO), and not listing any IP that corresponds to a real mail server (or several mail POSSIBLE MAIL SERVER CONFIGURATION ISSUES Possible Mail Server Configuration Issues. One way of testing whether your mail server is misconfigured is to send an email through it to You will get a virtually immediate rejection.. In other words, you will get bounce message back that appears to indicate

that your email to

CPANEL - ABUSEAT.ORG cPanel. This was written by cPanel support to one of our correspondants, which echoes what we say in our per-IP diagnostic page: Thank you for your patience while I've looked into this for you.

ABUSEAT.ORG

Changes to the CBL. IMPORTANT TO ALL CBL users: If you were using the CBL to filter access to your mail servers or anything else, you will need to take note of several changes to the CBL that occured in January 2021. In short, the CBL infrastructure was replaced by the Spamhaus XBL structure, the lookup pages and access methods have

changed.

TOR/VPN/ANONYMIZING PROXY POLICY CBL/XBL TOR/VPN/Anonymizing Proxy Policy. This page explains the policy that the CBL has towards IP addresses used as "TOR exit nodes", VPN tunnels, and other mechanisms that use shared IP addresses for relaying traffic from unattributable third parties. HOW TO FIND BOTS IN A LAN

THE CBL FAQ

WHAT IS A NAT FIREWALL/ROUTER/GATEWAY? What is a NAT Firewall/Router/Gateway? "NAT" stands for "Network Address Translation", which is used to "map" the private IP addresses of individual computers on a local network, to a single IP address (the "NAT's address") on the Internet. NOTES: - ABUSEAT.ORG Notes: Population and Internet population numbers are generally as of 2014, and are sourced directly from the World Bank public access

repositories.

WHAT AFFECT IS THIS LISTING HAVING ON YOU? What affect is this listing having on you? The CBL is intended to be used only on inbound email from the Internet. If you are being blocked from IRC, Chat, web sites, web email interfaces (eg: you're using Internet Explorer, Firefox, Chrome, Opera etc to send email) or anything other than basic email with a mail reader like Exchange, Thunderbird etc, the provider of this service is using the

HELO SETTINGS

HELO Settings. The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive. During this it tries distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible name for itself (via SMTP HELO), and not listing any IP that corresponds to a real mail server (or several mail POSSIBLE MAIL SERVER CONFIGURATION ISSUES Possible Mail Server Configuration Issues. One way of testing whether your mail server is misconfigured is to send an email through it to You will get a virtually immediate rejection.. In other words, you will get bounce message back that appears to indicate

that your email to

CPANEL - ABUSEAT.ORG cPanel. This was written by cPanel support to one of our correspondants, which echoes what we say in our per-IP diagnostic page: Thank you for your patience while I've looked into this for you. SCANNING YOUR MACHINE FOR EXPLOITS Scanning your machine for exploits. There are a variety of different compromises that the CBL detects: mass mailing worms/viruses/trojans like Cutwail, Srizbi, Ozdok/Mega-D, Rustock, Storm and others. WEB SITE/CMS VULNERABILITY REMEDIATION Web site/CMS Vulnerability Remediation CMS Infections in General. Many CMS infections are due to the StealRat botnet, it should be the first

to check.

MY PROVIDER IS BLOCKING ME! My Provider is blocking me! The CBL is specifically intended to be used to filter email coming into a mail server from the Internet, not to filter email going out to the Internet.. In "tech-jargon", it's intended to be used on email going to the MX for your domain, NOT to block your (or your user's) access to a "outbound SMTP server". This most often happens when the user is "roaming MAIL SERVERS IN THE CBL Mail Servers in the CBL. It is very rare for "real" mail servers to find themselves listed in the CBL. The CBL's techniques are specifically designed to avoid listing real mail servers, even if the mail server relays viruses or trojan/proxy spam.. A correctly operating and configured mail server cannot trigger a CBL listing under any circumstances.. The only exception is if the mail server POSSIBLE MAIL SERVER CONFIGURATION ISSUES Possible Mail Server Configuration Issues. One way of testing whether your mail server is misconfigured is to send an email through it to You will get a virtually immediate rejection.. In other words, you will get bounce message back that appears to indicate

that your email to

ABUSEAT.ORG

© 2018 CBL. A Division of Spamhaus. All rights reserved. | Privacy Policy | Terms and ConditionsPrivacy Policy | Terms and Conditions MAIL SERVER NAMING PROBLEMS Mail Server Naming Problems. The CBL uses a variety of techniques to determine what IPs are behaving highly suspiciously and are likely have been compromised into sending spam or viruses. THIS IP ADDRESS IS DYNAMIC This IP address is dynamic. As we've mentioned earlier, CBL listings that interfere with legitimate email are almost ALWAYS as a result of virus-infected machines.. The difficulty with dynamic IP addresses is that you may not have had this IP address at the time the virus was infected, so there is nothing you can do to prevent a relisting. CPANEL - ABUSEAT.ORG cPanel. This was written by cPanel support to one of our correspondants, which echoes what we say in our per-IP diagnostic page: Thank you for your patience while I've looked into this for you.

SENDMAIL NOTES

Sendmail Notes. Sendmail's configuration is handled by the file sendmail.cf. Depending on which Linux distro you are running, it may be in /etc/sendmail.cf or /etc/mail/sendmail.cf (probably the latter). Composite Blocking List - A Division of Spamhaus

* Home

* CBL Statistics

* CBL FAQ

* Privacy Policy

* Lookup/Remove

Select

LanguageAfrikaansAlbanianAmharicArabicArmenianAzerbaijaniBasqueBelarusianBengaliBosnianBulgarianCatalanCebuanoChichewaChinese

(Simplified)Chinese

(Traditional)CorsicanCroatianCzechDanishDutchEsperantoEstonianFilipinoFinnishFrenchFrisianGalicianGeorgianGermanGreekGujaratiHaitian CreoleHausaHawaiianHebrewHindiHmongHungarianIcelandicIgboIndonesianIrishItalianJapaneseJavaneseKannadaKazakhKhmerKinyarwandaKoreanKurdish (Kurmanji)KyrgyzLaoLatinLatvianLithuanianLuxembourgishMacedonianMalagasyMalayMalayalamMalteseMaoriMarathiMongolianMyanmar (Burmese)NepaliNorwegianOdia (Oriya)PashtoPersianPolishPortuguesePunjabiRomanianRussianSamoanScots GaelicSerbianSesothoShonaSindhiSinhalaSlovakSlovenianSomaliSpanishSundaneseSwahiliSwedishTajikTamilTatarTeluguThaiTurkishTurkmenUkrainianUrduUyghurUzbekVietnameseWelshXhosaYiddishYorubaZulu  Powered

by Translate

IMPORTANT: Many CBL/XBL listings are caused by a vulnerability in Mikrotik routers. If you have a Mikrotik router, please check out the Mikrotik blog on this subject

and

follow the instructions BEFORE attempting to remove your CBL listing. I'M LISTED, WHAT DO I DO? The CBL has easy self-removal. See: CBL Lookup AND Removal It will provide you with information on why the IP was listed, how to correct the problem that caused the listing, and a link to do self-removal. The rest of these web pages are intended to help you understand what could cause a listing, and how to diagnose/remediate the problem. WARNING The CBL expects you to resolve the problem, preferably before you do a delisting. If you simply delist without resolving the problem, it will almost certainly list again. Of late a lot of people are emailing us and simply asking us to delist an IP address. We can't do it more quickly than you can. It's a LOT faster if you do it yourself.

WHAT IS THE CBL?

The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are

not.

The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic, Kelihos, Necurs etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail

harvesters etc.

The CBL does NOT list based upon the volume of email from a given IP

address.

The CBL also lists certain portions of botnet infrastructure, such as Spam BOT/virus infector download web sites, botnet infected machines, machines participating in DDOS, and other web sites or name servers primarily dedicated to the use of botnets. Considerable care is taken to avoid listing IP addresses that are shared or are likely to be shared with legitimate use, except in the case of infector download websites, phish emission or DDOS. Our botnet detections may not necessarily directly involve the observation of spam emission, but most botnets are at least occasionally involved in email spam, in addition to infostealing, DDOS

attacks etc.

In other words, the CBL only lists IPs that have attempted email connections to one of our servers in such a way as to indicate that the sending IP is infected with a spam-sending virus or worm, acting as a open proxy for the sending of spam, OR, IPs primarily used in the operation of botnets The CBL does NO probes. In other words, the CBL NEVER makes connections to other machines to "test" anything. The CBL does NOT test for nor list open SMTP relays. The CBL only lists individual IPs, it NEVER lists ranges. The CBL does NOT care whether an IP is dynamic (NAT, PAT, TOR, VPN etc) or not, if connections the IP makes indicate that it's infected, it is listed regardless. Further details: * NAT Listing Policy * TOR/VPN/proxy Listing/delisting Policy . The CBL does NOT attempt to associate IP addresses to persons or organizations, and furthermore, a CBL listing should NOT be construed as accusing anyone of spamming - virtually all listees are the victims of a virus or other compromise, not deliberately spamming. The CBL does NOT accept external submissions for listing. Hence it is not possible for the CBL to be used as an instrument of revenge (eg: "disgruntled ex-employee" or "competitor"). The CBL operates in an entirely automated way designed to avoid listings due to bounces of forged spam, virus bounces, and "real" mail servers emitting the occasional spam. However, in some circumstances severe mail server misconfiguration can make it look as if a mail

server is infected.

It does not attempt to list every possible spam source. This list is based on information believed to be reliable. No warranty is made that it is accurate or complete.... Use entirely at your own

risk.

There is no supporting data or "evidence" file available for any given listing, and no mechanism to ask why any given listing took place. To counteract this, there is an automated no-questions-asked removals procedure allowing any affected party to delist a specific IP address rapidly. However, delisted IPs are relisted if new evidence of spam activity is subsequently detected. Entries automatically expire after a period of time. The approximate detection time of a specific entry can be obtained from the web

interface.

WHAT TO DO IF YOU'RE LISTED/HOW DO I GET DELISTED? Use the lookup tool it will often give you further detail. It gives the link to the delisting tool. See the FAQ for more information on how to identify and resolve a CBL listing.

HOW TO USE THE CBL

Before using the CBL, you should read our terms and conditions. The CBL can be queried in the usual way for DNS-based blocking lists, under the name CBL.ABUSEAT.ORG. Entries in the CBL are returned with an IP address (always 127.0.0.2) and a TXT record containing a link to the lookup/removal pages. If you are doing a lot of CBL queries (over 10,000 queries per day) it is best that you consider running your own local DNS server with the CBL data. As the CBL is part of Spamhaus (and published using the "XBL" name), you should contact http://spamteq.com and see about obtaining the XBL zone files.

USAGE WARNING

We're getting a lot of reports of spurious blocking caused by sites using the CBL to block authenticated access to smarthosts / outgoing mail servers. THE CBL IS ONLY DESIGNED TO BE USED ON INCOMING MAIL, I.E. ON THE HOSTS THAT YOUR MX RECORDS POINT TO. If you use the same hosts for incoming mail and smarthosting, then you should always ensure that you exempt authenticated clients from CBL checks, just as you would for dynamic/dialup blocklists. Another way of putting this is: "DO NOT USE THE CBL TO BLOCK YOUR OWN

USERS".

-------------------------

Updated 2016/01/19.

Lookup/Remove

© 2018 CBL. A Division of Spamhaus. All rights reserved. | Privacy Policy | Terms and Conditions

ORIGINAL TEXT

Contribute a better translation -------------------------