What Is the Composite Blocking List (CBL) and How to Get Removed

Summary

Background

The CBL, otherwise known as The Composite Blocking List is a DNS based blacklist similar to the majority of other DNS based blacklists. The CBL does not list URL’s or URI’s, and like other DNSBL’s lists large quantities of IP addresses. Current averages of number of IP addresses in the CBL are approximately 5 million. The CBL can be used as a scoring based blacklist, or as a immediate block blacklist, where the message is dropped early on in the SMTP conversation. Administrators of the CBL recommend that it be used as an immediate block type of blacklist, and are available at all times for support via email. However, they do recommend you first use the tools on their website to try to solve any problems you may have on your own.

Listing criteria

The CBL receives its data from large spamtraps. The only IP addresses that are listed are those that have characteristics defined as open proxies. Some such characteristics are open proxies, HTTP Proxies, SOCKS Proxies, WinGate, AnalogX and dedicated custom spambots. Efforts are also taken to include email address harvesting machines, and well as machines that have been seen performing dictionary attacks. The only IP’s that are listed are those that have actively made a connection to one of the CBL listing machines. The CBL does not actively scan other machines looking for IP addresses to list.

Further, The CBL does not list open relays. It is important to understand the distinction of an open relay, and an open proxy. An open relay is a misconfigured email server that allows anonymous SMTP sending of third part email through a remote system. The CBL makes no effort to list such servers. An open proxy is generally a web server that will allow email sending to piggy back on a script that sends email. The CBL will notice and block such systems.

There are more reasons The CBL will not list and IP address than reasons that it will list an IP address. The CBL primarily exists to list infected and compromised machines. They do not list dynamic IP address space, ranges of IP addresses, known IP addresses owned by spammers, and certainly do not take suggestions for listings. As a result, it is not possible for the data in THE CBL to ever become compromised. Only CBL identified IP addresses that have been seen contacting CBL equipment, and noticed to be infected or compromised are ever listed.

Zones

cbl.abuseat.org

The primary DNS zone for The CBL is cbl.abuseat.org. You can perform a lookup against it in the same way you would lookup against any other DNSBL, where a positive listing will return 127.0.0.2. The CBL is also available for download in full, via rsync, to members. Membership is free.

One unique aspect of The CBL is that they discourage you from querying them directly. The CBL either asks that you rsync their zone, or, though a cooperative with Spamhaus, perform your lookups there. A complete and full copy of cbl.abuseat.org is maintained by Spamhaus at zen.spamhaus.org.

Removal Process

Removal from The CBL is simple; go to The CBL IP address lookup page and request that your IP address be removed. If your IP address is listed, the returned result will have instructions that explain in some detail, why you were listed, and how to go about removal. In most cases, to be delisted, you will need to secure your machine, and ask The CBL system to test your IP address again through The CBL IP address lookup page.

The CBL intentionally discloses as little information as possible about their processes in an effort to keep spammers in the dark. That which spammers do not know, can not be used in an attempt to circumvent The CBL systems.

Related Articles

• General blacklist removal instructions
• Check to see if an IP is blacklisted
• How do I report spam?
• What is a spam trap?
• What is a DNSBL (blacklist)?
• Ask for help to diagnose and resolve listing issues