abuseat org: what it is

What blacklists are and why landing on them is dangerous


There are more than 300 public blacklists on which IP addresses and domains can end up. Anyone can create a blacklist, from large, reliable companies to small independent networks. But not all lists affect deliverability equally. Mailbox providers and filtering software do not check each one; they combine data from various public blacklists with their own data to determine a sender's reputation.

Email marketers often associate the blocking of messages at a mailbox provider with being blacklisted. But these are not the same thing. The two events may share a single cause: for example, such a situation is often linked to poor list quality, that is, a large number of nonexistent mailboxes and user complaints.

There are 2 types of blacklists: those containing IP addresses and those containing domains.

IP address blacklists

They operate in real time and are called Real-time Black Lists and Domain Name Server Black Lists.

The best-known RBL/DNSBL lists

Return Path Reputation Network Blacklist (RNBL): this list of IP addresses is owned by Return Path. The company decides for itself whether to block a sender, based on its own data from the Return Path Provider Network. The algorithm is complex: it includes predictive models, spam trap data and complaints.

Sbl.spamhaus.org (SBL): a database of IP addresses from which Spamhaus, the world's largest anti-spam organization, recommends not accepting mail. The SBL includes spammers, spam operations and services through which spam is sent. If you ask Spamhaus to remove you from their blacklist, in response they will require an action plan for fixing the problem that caused the listing.

Xbl.spamhaus.org (XBL): the Exploits Bot List (XBL) is a list of known open sources and illegal third-party exploits used to send spam and viruses. An exploit is a computer program that attacks computing systems through vulnerabilities. The XBL incorporates Spamhaus information.

Cbl.abuseat.org (CBL): the Spamhaus Composite Blocking List (CBL) is a DNS-based blacklist of IP addresses suspected of sending spam and of being infected with malware. The CBL receives this data from large mail servers and their spam traps. The CBL offers a simple self-service option for removing IP addresses.

SpamCop (SCBL): a spam-reporting service. Individuals can write to SpamCop and report an unexpected bulk commercial mailing as spam. Removal from the SCBL happens automatically after 24 hours if there has been no repeat request to add the address to the list.

Psbl.surriel.com: the Passive Spam Block List (PSBL) is a list of IP addresses from which mail is sent to spam traps. The PSBL has whitelists, and if an IP address is on such a list, the likelihood of being blacklisted decreases.

Invaluement: the Invaluement Anti-Spam DNSBL is a compilation of three commercial anti-spam blacklists:

ivmURI: contains domains belonging to spammers;

ivmSIP: IP addresses of bots, elusive spammers or fraudsters that Spamhaus misses or has not yet added;

ivmSIP/24: ranges of IP addresses in which spammer behaviour patterns have been detected.

Domain blacklists

These are real-time blacklists of links contained in the message body.

Dbl.spamhaus.org: the Spamhaus DBL is a database of low-reputation domains found in spam mailings. The Spamhaus DBL lists are maintained by a team of specialists and an automated system that continuously analyse the worldwide flow of spam email.

URIBL: a list of domains that have been seen in spam messages. The service currently has several public lists, the most popular of which is black.uribl.com. The list is updated as new data arrives, so removal from it can happen automatically. A domain owner can also submit a removal request after registering on the site.

SURBL: a list of websites that have appeared in spam messages. A domain owner can request removal of the domain from the blacklist by fulfilling the conditions of the removal instructions.

A sender's usual reaction after being blacklisted is to demand removal (delisting) straight away. But sometimes this can do more harm than good. If a sender frequently requests removal and does nothing to fix the situation, it risks falling out of favour, after which all of its subsequent requests will be rejected automatically.

In our experience, having domains or IP addresses on blacklists has little effect on deliverability at Russian providers and rarely leads to mailings to them being blocked. The same cannot be said of foreign providers such as Gmail, Yahoo, etc., so we asked our Polish colleagues to share their experience of dealing with blacklists. According to them, when an IP address or domain lands on a blacklist, the first things to check are:

- the last message sent (presence of spam words, an unsubscribe link, the reason for receiving the message, the ratio of images to text);
- whether there was a bulk import of new subscribers into the list.

Meanwhile, all mailings are suspended to avoid even bigger problems.

In parallel, a request must be sent to delist the IP address/domain from the blacklist. This must be done by the owner of the domain or IP, since in some cases proof of ownership is required. IP addresses are usually removed from a blacklist automatically after 3 days if there have been no new violations. Domains may take longer, up to two weeks. However, even after this period delisting may not happen if the sender does nothing to fix the problem.

A few more blacklist statistics are in the infographic from Return Path.

If your domain or links have ended up on blacklists and you do not know how to get out, contact our experts, and we will help you write a delisting request 🙂


The CBL FAQ

IMPORTANT TO ALL CBL users: if you use the CBL to filter access to your mail servers or anything else, you will need to take note of several changes coming to the CBL in the coming months. This does not apply to users coming to the CBL about individual listings. Full details on our CBL Cutover page.

IMPORTANT! Due to the above changes coming in the CBL, new users wishing to use the CBL will need to go to for instructions on how to set up the Spamhaus XBL.

NEW! Please see question and answer about the AUTHBL

Listing / Delisting questions

I’m Listed in the CBL, what do I do?

ALWAYS go to the CBL lookup page and follow the instructions. The lookup page and this FAQ attempt to both help you delist and help you prevent it getting listed again.

I delisted my IP, but it keeps getting relisted again. Why??

You have a virus, or an open proxy, a trojan spam-sender or some other sort of security compromise, or some sort of unusual misconfiguration which is causing your IP to be relisted. Always ensure that viruses, open proxies, etc. are removed or secured before trying to delist your IP.

If you did all that but still keep getting listed, then see below for where to talk about the problem.

How much does a delisting cost?

The CBL NEVER charges money for a delisting, and does NOT provide referrals to consultants. The CBL strongly believes in eliminating any possibility of bias, perceived or otherwise.

From time to time you may encounter claims that some person can get you delisted for a fee. The only way to get delisted and stay delisted is to identify the cause for the listing and prevent it happening again.

I don’t have an open relay!

The CBL DOES NOT list open SMTP relays, hence open relay testers such as that at abuse.net and orbs.org are irrelevant to the CBL.

Many of our correspondents are confused by this statement, so it’s a good idea to explain the difference between an open SMTP relay, and «open proxies» that we DO detect.

The CBL has been detecting something that it calls «open relay». That does not mean that the IP address we’ve listed is an open SMTP relay, it means that the IP address we’ve listed is attempting to get our spamtraps to open relay. Most of these turn out to be Cutwail infections trying to force-relay through other mail servers.

Apparently a recent upgrade/release of Merak (recent as of 2006/12/31) instantiates an open CONNECT proxy on port 32000 without warning. If you are running a recent version of Merak, please make sure that this proxy is turned off. If in doubt, do a port scan of port 32000.

You’ve listed [a TOR exit node/my VPN IP/an Anonymizing Proxy]!

I’m running Linux (FreeBSD, OpenBSD, UNIX, ...) and CANNOT be infected with a virus!

While it is perfectly true that UNIX-like operating systems are almost NEVER infectable with Windows viruses, there are a number of virus-like things that UNIX-like systems are susceptible to.

It is CRITICALLY IMPORTANT that all web-facing applications or application infrastructures (WordPress, Joomla, Cpanel, etc.) are kept fully patched and up-to-date. Furthermore, userids/passwords and other credentials for logging into such systems should be highly protected, should use strong passwords, and should be changed as frequently as practical/feasible. Some web hosting services have had to resort to two-factor authentication to protect themselves from stolen or spoofed authentications.

Check that you have good remote login-capable passwords (eg: telnet, FTP, SSH), inspect your logs for large quantities of failed SSH/telnet login attempts.

Consider running a «system modification» detector such as Tripwire or rkhunter. Tripwire is designed to detect and report modifications to important system programs. Rkhunter does what Tripwire does, but looks for specific rootkits, insecure versions of system software and more.
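
One way to do the log inspection suggested above, as an added example that is not CBL code. It covers OpenSSH only, and the function name, the threshold and the sample log lines are assumptions constructed for illustration. It counts failed password logins per source and flags a password login that succeeds from a source that had just been guessing.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's usual syslog format (not taken from the page).
SAMPLE_LOG = """\
Mar  3 02:11:01 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Mar  3 02:11:03 web1 sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 50114 ssh2
Mar  3 02:11:05 web1 sshd[4105]: Failed password for root from 203.0.113.7 port 50116 ssh2
Mar  3 02:11:07 web1 sshd[4107]: Failed password for backup from 203.0.113.7 port 50118 ssh2
Mar  3 02:11:09 web1 sshd[4109]: Failed password for backup from 203.0.113.7 port 50120 ssh2
Mar  3 02:11:11 web1 sshd[4111]: Failed password for invalid user x from 192.0.2.99 port 1 from 203.0.113.7 port 50122 ssh2
Mar  3 02:11:13 web1 sshd[4113]: Accepted password for backup from 203.0.113.7 port 50124 ssh2
Mar  3 08:30:40 web1 sshd[5200]: Failed password for alice from 198.51.100.20 port 40020 ssh2
Mar  3 08:30:52 web1 sshd[5202]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
"""

# The user name is chosen by the remote side and may contain " from <ip> port <n>".
# The greedy (.*) plus the end-of-line anchor makes the LAST "from ... port" win,
# so the source address is always the one sshd itself logged.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted password for (.*) from (\S+) port \d+ ssh2$")


def review_ssh_log(log_text, threshold=5):
    """Return (noisy_sources, suspect_logins) for sshd log text.

    noisy_sources:  {ip: failures} for sources with at least `threshold` failures.
    suspect_logins: [(ip, user)] where a password login succeeded from a source
                    that had already failed at least `threshold` times.
    """
    failures = Counter()
    suspect_logins = []
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            failures[failed.group(2)] += 1
            continue
        accepted = ACCEPTED.search(line)
        if accepted and failures[accepted.group(2)] >= threshold:
            suspect_logins.append((accepted.group(2), accepted.group(1)))
    noisy_sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy_sources, suspect_logins


if __name__ == "__main__":
    noisy, suspects = review_ssh_log(SAMPLE_LOG)
    print("sources with many failures:", noisy)
    print("password logins after guessing:", suspects)
```

An entry in the second list means the account's password should be treated as known to the source that guessed it.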

What are the exact criteria for listing on the CBL?

Those will not be disclosed because it may give spammers or virus writers hints on how to avoid the CBL.

The next section provides information on how to diagnose persistent CBL relistings.

There seems to be some sort of strange relationship between AUTHBL and CBL/XBL

The Spamhaus AUTHBL (at present offered as DQS only, not regular DNSBL) is a specialized subset of the CBL/XBL. The AUTHBL consists of those CBL/XBL listings where the infection we’ve detected is, or is known to be capable of, breaking into authenticated email accounts to send or receive email. In short, we know that the IP can log into a mail account with stolen/guessed password, and fake the origin of the email. This is a very big problem across the Internet.

The AUTHBL is implemented through the CBL/XBL system and uses the same query tools, but as its expiration interval is longer than the CBL/XBL, it is possible for an IP to be listed by the AUTHBL and not the CBL/XBL, and the CBL/XBL lookup/removal page won’t work for these. The Spamhaus Blocklist Removal Center can detect this issue and direct you to the right place.

CBL listing diagnosis

Knowledge base on how to investigate persistent listings:

If this IP address is that of a Network Address Translation (NAT), or Port Address Translation (PAT) firewall, router or gateway, click here, and carefully follow the instructions. Insecure NATs are probably the leading cause of ALL CBL listings.

If this IP address is your personal computer, you must carefully check your machine for viruses, spyware, adware, open proxies and trojans and remove them. More information on scanning

If this IP is dynamically allocated, click here

If you have a wireless network/hub, see the same link as above.

If this IP address is really that of your mail server, click here

If you’re being blocked with something other than email, click here

Did you get blocked when you tried to send email to us? Click if yes

If you sent email to the CBL, and got no response, chances are that you are running some sort of challenge/response filter of your own, your server blocked our email to you, or, your provider blocked your email to us without indicating that it did.

We endeavor to answer all email, so if you don’t get a response within a day or two, we recommend resending your query via a freemail service such as hotmail.

The CBL team does not answer C/R challenges, so if you’re using C/R, either pre-approve email back from us, or use another account.

Can I nominate IP addresses or ranges for inclusion?

Does the CBL contain any static or manually-maintained entries?

No. (Except the standard test entry of 127.0.0.2)

Usage questions

General Filtering Practices

If appropriate, you may wish to consider implementing your filtering in such a way that individual users can opt-in or out of filtering.

General questions

How do I contact the folks behind the CBL?

It is important that you follow and understand the results of a CBL lookup carefully before you contact us. If you don’t follow those instructions, resolution may be delayed.

We expect you to have looked up your IP on our lookup page, read and understood the instructions, and attempted to solve the problem BEFORE contacting us.

It’s better to contact us about persistent listing problems than asking in other fora (such as the news.admin.net-abuse.email or news.admin.net-abuse.blocklist Usenet groups or online tech forums). The CBL is very much different than most other DNSBLs, and the advice you will get from sources other than our online information or via email from us will almost always be very very wrong. We occasionally run across such discussions (eg: via web searches while assisting someone else), usually long after the fact, and it’s astonishing how wrong the advice/commentary usually is. When seeing such, we can only shake our heads and feel sorry for the person who got bad advice, because it’s usually far too late for us to help.

If you do not get a response from us within 24 hours (we’re usually much faster than that), please try resending your email from another account, such as a freemail account on hotmail. Your email to us may have been silently dropped by your ISP without it telling you, OR, your spam filters may have blocked our reply.

NOTE! If your mail server does SAV («sender address verify» or «sender address verification callouts»), our mail server will probably NOT «complete» the verification, because our mail server has a long banner delay. Which means that our reply will bounce. You will either have to whitelist our mail server from your SAV, or arrange for our reply to go to some other mail server (eg: a gmail account).

The above also applies if your mail server has short (non-RFC-compliant) SMTP timeouts.

We answer all emails. If you don’t get a reply, it got lost.

(NEW): How Can I Help?

We view the CBL/XBL as a collaborative effort. We are always on the hunt for improved information on how to protect our users, and how listees can secure their systems to prevent being taken over.

If you know of, or have written, a blog or article or tool that helps find infected machines, disinfect infected machines, or protects machines against future infections, whether they be general, or aimed at a specific risk, please let us know at the email address given above. Good tips we’ll include in our web site.

But first, see the next point:

Does the CBL/XBL Endorse Specific Commercial Products or Services?

Except where otherwise explicitly noted, the CBL/XBL does not endorse any commercial organization or any paid product, service or tool from them. Preference is always for free public information and tools that a system administrator/end-user can use to help themselves.

Where multiple commercial organizations do offer good free information and tools, we deliberately distribute our references amongst the different vendors so as to not imply favoritism for any vendor. However, some vendors will naturally appear more frequently because they have broader consistent and useful information.

Visitors to our site are presented with what we believe to be the best information possible to help them secure their computers and networks. We will gladly accept suggestions from reputable commercial organizations in this industry for tools and other information, but this does not mean that we will automatically accept them for external reference.

Standards Compliance/Further reading

RFC5782: DNSBL Blacklists and Whitelists contains the DNSBL protocol standard (informational) by the Anti-Spam Research Group of the Internet Research Task Force (IRTF), all part of the IETF. This can be of assistance in gaining a deeper understanding of how DNSBLs work.

RFC6471: Overview of Best Email DNS-Based List (DNSBL) Operational Practices (DNSBL BCP) contains a DNSBL operational policy document, companion to RFC5782, also a product of the ASRG/IRTF.

The CBL provided commentary to the authors of these documents. The CBL fully supports the DNSBL BCP and is believed to be in full compliance.

Beware of Frauds/Rumors

From time to time we encounter claims that we charge a fee for delisting, or that certain «consultants» claim to be able to remove a CBL listing for a fee.

This is not true. The CBL NEVER charges fees. The only way to get out and stay out of the CBL is to correct the problem that got an IP listed in the first place.

The CBL believes that charging a fee for delisting is, in effect, a protection racket with all the negative connotations that implies. Even if it isn’t intended that way, it causes more problems than it solves.

We will never charge a fee for delisting.

What is the relationship between the CBL and Spamhaus?

Spamhaus is one of the most respected anti-spam organizations in the world.

The CBL is now a division of Spamhaus

Note that public redistribution of the CBL in any form is prohibited without prior authorization from us. See our Terms and Conditions, last item. This restriction «survives» the XBL redistribution of the CBL, and as such, any redistribution of the XBL unauthorized by Spamhaus is also in violation of the CBL terms and conditions.

The CBL is copyright © 2021, all unauthorized copying is prohibited.

All external web pages that the CBL pages reference are copyright by their respective owners.

It is exceedingly unlikely that the CBL will ever authorize any other public redistribution over those already in force (spamhaus.org and senderbase).

dnsbl.net.au used to have redistribution arrangement with the CBL, but dnsbl.net.au shut down in April 2009.

The Spamhaus XBL (or SBL-XBL or Zen) is a full superset of the CBL, and you SHOULD NOT USE BOTH DNSBLs at the same time. In fact, for most administrators, we strongly recommend that you use Zen instead of the CBL directly.

If you are a large organization doing several hundred thousand emails or more per day, in order to reduce DNS query loading, we recommend that you use an rsync feed of the XBL. While this is ordinarily a commercial service, in certain public interest situations, a subscription may be free.

If you are a large ISP, or sell spam filtering services, we believe that you should be supporting the anti-spam effort by purchasing a paid-for rsync feed from Spamhaus, rather than getting the CBL directly from us.

What is the relationship between the CBL and Abuseat.org?

As of April 2, 2013, the abuseat.org domain was wholly acquired by the CBL, after having been «loaned» for our use since 2003.

© 2018 CBL. A Division of Spamhaus. All rights reserved. | Privacy Policy | Terms and Conditions


Changes to the CBL

IMPORTANT TO ALL CBL users: If you were using the CBL to filter access to your mail servers or anything else, you will need to take note of several changes to the CBL that occurred in January 2021. In short, the CBL infrastructure was replaced by the Spamhaus XBL structure, and the lookup pages and access methods have changed. Full details on our CBL Cutover page.

IMPORTANT! Due to the above changes, new users wishing to use the CBL will need to go to for instructions on how to set up the Spamhaus XBL.

I’m listed, what do I do?

The CBL has easy self-removal. See: CBL Lookup AND Removal. It will provide you with information on why the IP was listed, how to correct the problem that caused the listing, and a link to do self-removal. The rest of these web pages are intended to help you understand what could cause a listing, and how to diagnose/remediate the problem.

WARNING: The CBL expects you to resolve the problem, preferably before you do a delisting. If you simply delist without resolving the problem, it will almost certainly list again.

Of late a lot of people are emailing us and simply asking us to delist an IP address. We can’t do it more quickly than you can. It’s a LOT faster if you do it yourself.

What is the CBL?

The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are not.

The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic, Kelihos, Necurs etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or «stealth» spamware, dictionary mail harvesters etc.

The CBL does not list based upon the volume of email from a given IP address.

The CBL also lists certain portions of botnet infrastructure, such as Spam BOT/virus infector download web sites, botnet infected machines, machines participating in DDOS, and other web sites or name servers primarily dedicated to the use of botnets. Considerable care is taken to avoid listing IP addresses that are shared or are likely to be shared with legitimate use, except in the case of infector download websites, phish emission or DDOS.

Our botnet detections may not necessarily directly involve the observation of spam emission, but most botnets are at least occasionally involved in email spam, in addition to infostealing, DDOS attacks etc.

In other words, the CBL only lists IPs that have attempted email connections to one of our servers in such a way as to indicate that the sending IP is infected with a spam-sending virus or worm, acting as an open proxy for the sending of spam, OR, IPs primarily used in the operation of botnets.

The CBL does NO probes. In other words, the CBL NEVER makes connections to other machines to «test» anything.

The CBL does NOT test for nor list open SMTP relays.

The CBL only lists individual IPs, it NEVER lists ranges.

The CBL does NOT accept external submissions for listing. Hence it is not possible for the CBL to be used as an instrument of revenge (eg: «disgruntled ex-employee» or «competitor»).

The CBL operates in an entirely automated way designed to avoid listings due to bounces of forged spam, virus bounces, and «real» mail servers emitting the occasional spam. However, in some circumstances severe mail server misconfiguration can make it look as if a mail server is infected.

It does not attempt to list every possible spam source.

This list is based on information believed to be reliable. No warranty is made that it is accurate or complete. Use entirely at your own risk.

There is no supporting data or «evidence» file available for any given listing, and no mechanism to ask why any given listing took place. To counteract this, there is an automated no-questions-asked removals procedure allowing any affected party to delist a specific IP address rapidly. However, delisted IPs are relisted if new evidence of spam activity is subsequently detected.

Entries automatically expire after a period of time. The approximate detection time of a specific entry can be obtained from the web interface.

What to do if you’re listed/How do I get delisted?

Use the lookup tool; it will often give you further detail. It gives the link to the delisting tool.

See the FAQ for more information on how to identify and resolve a CBL listing.

How to use the CBL

Before using the CBL, you should read our terms and conditions.

The CBL can be queried in the usual way for DNS-based blocking lists, under the name cbl.abuseat.org.

Entries in the CBL are returned with an IP address (always 127.0.0.2) and a TXT record containing a link to the lookup/removal pages.

If you are doing a lot of CBL queries (over 10,000 queries per day) it is best that you consider running your own local DNS server with the CBL data. As the CBL is part of Spamhaus (and published using the «XBL» name), you should contact http://spamteq.com and see about obtaining the XBL zone files.

Usage WARNING

We’re getting a lot of reports of spurious blocking caused by sites using the CBL to block authenticated access to smarthosts / outgoing mail servers. THE CBL is only designed to be used on INCOMING mail, i.e. on the hosts that your MX records point to.

If you use the same hosts for incoming mail and smarthosting, then you should always ensure that you exempt authenticated clients from CBL checks, just as you would for dynamic/dialup blocklists.

Another way of putting this is: «Do not use the CBL to block your own users».
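
The lookup described under «How to use the CBL» and the usage warning above, combined in one added example that is not CBL or Spamhaus code. The function names and `sample_resolver`, with its constructed answers, are assumptions for illustration. The query-name format follows RFC 5782 and includes its IPv6 form, which goes beyond what the page describes.

```python
import ipaddress
import socket

ZONE = "cbl.abuseat.org"     # zone name given on the page
LISTED_ANSWER = "127.0.0.2"  # the A value the page says every CBL entry returns


def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL query name defined in RFC 5782 for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                  # 192.0.2.10 -> 10.2.0.192.<zone>
    else:
        labels = list(addr.exploded.replace(":", ""))  # IPv6: one label per hex nibble
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name):
    """Return the A records for name; an empty list means the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeouts and server failures are left to the caller
    return sorted({info[4][0] for info in infos})


def sample_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    answers = {
        "2.0.0.127.cbl.abuseat.org": ["127.0.0.2"],          # the standard test entry
        "7.113.0.203.cbl.abuseat.org": ["127.255.255.254"],  # constructed odd answer
    }
    return answers.get(name, [])


def check_client(ip, authenticated, resolver=system_resolver):
    """Classify one SMTP client as exempt, listed, not_listed or unknown."""
    if authenticated:
        return "exempt"      # usage warning: do not use the list to block your own users
    try:
        answers = resolver(dnsbl_query_name(ip))
    except OSError:
        return "unknown"     # a resolver failure is not evidence of a listing
    if not answers:
        return "not_listed"
    if LISTED_ANSWER in answers:
        return "listed"
    return "unknown"         # an answer other than the documented 127.0.0.2


if __name__ == "__main__":
    for ip, auth in [("127.0.0.2", False), ("127.0.0.2", True),
                     ("192.0.2.10", False), ("203.0.113.7", False)]:
        print(ip, "authenticated" if auth else "unauthenticated",
              "->", check_client(ip, auth, resolver=sample_resolver))
```

Only the `listed` result is grounds to reject a message. Treating any DNS answer or any lookup failure as a listing causes the kind of spurious blocking the warning describes.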
