The database is maintained every day, around the clock, by Spamhaus Project team members around the world.

IP addresses, that host URLs with executable virus/trojan content in emails sent from XBL'd addresses, will also be added due to the very strong likelihood that this is also a trojan infected machine.

Most IPs are listed as a result of directly sending spam or viruses to the CBL system's detectors (spamtraps, special addresses which do not belong to any real users, and which receive only spam) or by initiating SMTP transactions that look similar to viruses or botnet-proxies. Other listed IPs come from NJABL's proxy list. Other feeds of spam-sending exploited systems may be added, but only if they meet Spamhaus quality standards. (XBL formerly included the RSL & BOPM lists, which no longer exist)

If the IP belongs to a NAT gateway/firewall system, Spamhaus strongly recommends blocking all outgoing port 25 traffic from machines on your network not configured and maintained specifically as mailservers. A single infected machine sending spam out through a NAT can result in blocked mail form the whole LAN. See CBL's FAQ for more information.

Removing trojans/viruses from your system

If you find your IP has been listed by XBL, your system is very likely compromised by a virus via mail, web, or other download. To fix it, you need to find and close any open SOCKS, Wingate or HTTP type proxies. Many viruses install open proxies and other Trojan Horse or "backdoor" malware on systems, so you should download a copy of stinger for Windows from www.nai.com, and fix anything it finds.

Also download and read this CERT document Recovering from a Trojan Horse or Virus (PDF).

Useful links:

Before You Connect a New Computer to the Internet
http://www.us-cert.gov/reading_room/before_you_plug_in.html

Understanding Firewalls
http://www.us-cert.gov/cas/tips/ST04-004.html

Windows Update
http://windowsupdate.microsoft.com/

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

But bear in mind that if your IP was listed on the XBL, it was listed because the detectors which feed the XBL received either spam or a virus directly from the IP, or found it to be an open proxy. Keep reading for information on what you need to do to ensure it doesn't simply get listed again.

A role account is an e-mail address which serves a particular function, not an individual person, for example "sales@" or "info@". Postmaster@domain (RFC2821) and abuse@domain (RFC2142) are the two role accounts which every ISP, webhost, mail service and DNS host must have in order to promptly identify spam and abuse related problems on their network. Networks which do not tolerate spammers are careful to look at their abuse mail every day and take effective actions to stop any problems which arise.

A Feedback Loop (FBL) is an automated stream of spam reports sent by prior agreement between individual receiving and sending networks, often based on a "This Is Spam" button in the user interface. FBLs are intended to help streamline and automate the spam reporting process with specific machine-readable parts. A standard Abuse Reporting Format (ARF) is specified and implemented for FBLs. ARF follows existing RFC2045 MIME standards for e-mail (and the earlier RFC1341). More about ARF is here and here.

A single spam report could be a fluke or someone reporting mail they actually signed up for, or it could represent 10,000 or more spam recipients. For wide-scale, pure-spam mailshots, the reporting rate is often even less than one in 10,000 due to filtering and "LART fatigue" of many who used to report spam. In general, hand-crafted reports are more likely to be actual spam than reports from automated http://tinyurl.com/kda37"This Is Spam" (TIS) buttons. Even TIS reports average in excess of 80% spam, though. Evaluate reports as you will; ignore them at the risk of your network's reputation and e-mail deliverability.

Here are some tools which can help direct spam reports to your proper role account. WARNING: FBLs can produce very high volumes of e-mail. Use a specifically designated e-mail account and allow plenty of disk space and server cycles to accept the full stream of reports. Some networks use a seperate server to accept the flow (for example, fbl@abuse.domain.tld). Do not apply content-based spam filters to FBL or abuse@ accounts or you will discard the very messages you need to keep your network clean.

1. The Network Abuse Clearinghouse
Not a reporting service or FBL per se, but a database of correct addresses for spam reports based on domain. Registered users can send spam reports via its mail server, or anyone can query it to find reporting addresses for a particular domain. Since reports are not automated, volumes tend to be lower and reports hand-crafted. This may identify some of the more stubborn spam issues on a network, for example HTTP redirectors or DNS. See the Abuse.net website for instructions on using and updating its database.

2. SpamCop
SpamCop reports the spam source, SMTP relay and spamvertised URLs in the message body based on IP. Registered users can use SpamCop to parse and report spam. A SpamCop feed might be high volume depending on your network size and output. The instructions on this page explain how anyone can receive SpamCop daily or hourly summaries about spam problems in specified IP ranges. For more information see the SpamCop FAQ for abuse-desks and administrators.

3. AOL Feedback Loop: http://postmaster.aol.com/tools/fbl.html
When AOL users click the "This Is Spam" button in their e-mail client, this system generates a "SCOMP" report to you. While it can be high-volume, it offers excellent feedback on proxies, virus infections and spammers on your network. You need to sign up for this free service with AOL. (And same with the MSN, Yahoo! and Outblaze systems, too.) AOL's whitelist info is here.

4. Outblaze (mail.com): Request a feedback loop by contacting postmaster@outblaze.com. ISPs and COI bulk mailers only!

5. Microsoft (msn.com, live.com, hotmail.com) has Feedback Loops and other information for bulk mailers at http://postmaster.msn.com/. Their Smart Network Data Services includes delivery numbers at SNDS, "Junk Mail Reporting Program" FBL at JMRPP and other services. Senders may also be interested in this PDF to help their delivery.

6. United Online Trusted List and Feedback Loop (Netzero and Juno): http://www.unitedonline.net/postmaster/whitelisted.html

7. Road Runner FBL: http://feedback.postmaster.rr.com/
Road Runner's postmaster page: http://postmaster.rr.com/

8. Yahoo! FBL: http://feedbackloop.yahoo.net/
Deliverability information: http://postmaster.yahoo.com/

9. "USA.net offers a feedback loop service, operated by Return Path, free of charge, to parties sending large amounts of mail to USA.net members. The feedback loop (FBL) will forward any mail reported as spam originating from the associated IP addresses back to the listed email address. We highly recommend the use of a dedicated e-mail address for this purpose." (Spamhaus: good advice for any FBL!) And, of course, http://postmaster.usa.net/.

10. Comcast Feedback Loop: http://feedback.comcast.net/
Postmaster pages for more info: http://postmaster.comcast.net/

11. Earthlink Feedback Loop: Write to fblrequest@abuse.earthlink.net with your IP range, domains, your network's contact information including name, contact e-mail and phone, and the e-mail to which the FBL will be sent. ISPs only. [May 2009: reported to be unresponsive; status unknown.]

12. Excite Feedback Loop: http://feedback.bluetie.com/

13. Cox.net Feedback Loop: http://fbl.cox.net/ and Postmaster pages.

14. Mailtrust Feedback Loop: http://fbl.mailtrust.com/ (Rackspace.com)

15. Tucows (OpenSRS) Feedback Loop: http://fbl.hostedemail.com/

Spamhaus is happy to update this information at the request of the FBL provider or other authority. Other sites have additional information. Also, private FBLs can be established between consenting parties. And ask your network friends and geek buddies to filter spam from your IP ranges into a forwarding account for you.

Tip: Do not put your FBL or abuse@ account behind spam filters, and particularly not behind content filters. What's the point of filtering away the evidence you need to clean up your network?

Finally, be sure that your network has an enforcible Acceptable Use Policy (AUP) as a part of your contract with each and every customer! More examples are here. Seek legal counsel to ensure that your AUP will cover you in the event of account termination for abuse.

The acronym DNSBL stands for Domain Name System Block List. Understanding DNSBL Filtering explains the concept in words and diagrams.

DNSBLs list IP addresses. These IP addresses are often those that the list operator has observed sending spam, hosting the web sites of spammers, or providing other services to spammers (collectively called spam support services). The Spamhaus Policy Blocklist (PBL) lists IPs that the ISP does not (or should not) allow to send email directly to other SMTP servers, but should send email only via the ISP's designated outgoing SMTP servers. Some DNSBLs have other listing criteria, such as geographic lists of IPs by country. Those DNSBLs may be used for a variety of purposes.

DNSBLs are used by companies, ISPs, and even individual email applications to help determine whether an email is likely to be spam, and if it is to prevent that email from being delivered to the recipient. Usually a company or ISP's SMTP server checks the DNSBL when an email is received, and refused that email if it is coming from a listed IP or if it contains a URL that is hosted on a listed IP.

DNSBLs are sometimes called RBLs (Realtime Blackhole Lists) after MAPS, the granddaddy of all DNSBLs. They can also be called just blocklists, blacklists, or simply BLs.

IMPORTANT: A DNSBL cannot stop anyone from sending mail. It only prevents delivery at the receiving end when the receiver specifically configures his mail server or mail software to consult it. DNSBLs are strictly defensive tools; they cannot be used to launch denial-of-service (DOS) attacks or to do any offensive damage.

Spamhaus strongly recommends the use of DROP by tier-1 and backbone networks. Simply consulting the DROP list's webpage when someone asks you to route some suspicious IPs can help avoid picking up customers you would just as soon not have on your network.

In Microsoft Outlook & Outlook Express:

Start Outlook 2000 or Outlook Express. From the menu, select Tools, then Accounts. Click once on the appropriate account from the Mail tab. Select Properties. From the account properties dialog box, choose the Servers tab. Put a check in the box for "My server requires authentication". Click on the "Settings" button. In the 'Outgoing Mail Server' dialog box, make sure "Use same settings as my incoming mail server" is selected. Press "OK". Back at the "Properties", click "Apply", then "OK". Click "OK" to close out of all dialog boxes.

Open Eudora, pull down the Tools menu and select "Options..." to display the Options window. Select the "Getting Started" category on the left-hand side. Select the "Allow authentication" checkbox and click "OK".

Open Apple Mail. Click on the "Mail" menu in the top menubar. Click on Preferences, Click on Accounts. Click on the account that you want to modify. Click on Account Information. Click on the "Server Settings..." button. In the pulldown list next to "Authentication:", select "Password". Enter your username and email password (the same ones you use to retreive your POP or IMAP email). Click on OK. Close the Preferences window by clicking on the X in the upper left hand corner of the window.

Tools >> Servers and Accounts >> Outbound Email Server
Connection: TLS if available
Login Method: Username and password
Advanced Settings: Port: 587

• CONGRATULATIONS! You have won a Lottery!
  
• Contact Western Union Bank Urgently!
  
• Your ATM MASTERCARD worth $800,000 USD is with FedEx!
  
• URGENT! Contact My Secretary Now!
  
• Contact me for your Compensation Fund
  

• "I write to solicit your assistance in a funds transfer deal involving US$ 3.5M.This fund has been stashed out of the excess profit made last 2years by my branch office of the International Commercial Bank of Lagos Nigeria which I am the manager."

• "I am a rich widow, all my family died in a horrible plane crash, I too am dying of cancer. Before I die I wish to give all my {$Millions} to you, because I found your name on the Internet and I trust you. Please help me. God Bless You."

• "I have deposited your ATM MASTERCARD worth $800,000 USD with FedEx. Insurance and delivery charges have been paid for, but the only fee remaining is the security safe keeping fee of $185 USD which you will be required to pay."

• "Congratulations on your success in our sweepstake! Your email address attached to Ticket No:WRNM/SMI/5990 won the draw in the Second category! You have been approve for the star prize of USD$1.7M! Just send us your bank details..."

• "My name is Dr. Rev. Brown Hamilton Esq. I am the attorney of Late Mrs. Jennifer Wilson, who died in London UK . I have a business proposition for you. My late client lodged huge amount of money in a security vault..."

• "The Bank Of Nigeria is pleased to notify you that you have been chosen by the board of trustees as one of the final recipients of a Grant/Donation cash aid of US$850,000.00"

Provide roper role accounts in RIR records, including abuse role accounts. Be sure such accounts are read frequently by admins with the authority to fix the problems identified by reports to that address.

Properly identify subnet clients. For example, ARIN requires public identification records for /29 (8 IPs) and larger ranges (section 4.2.3.7.2.).

This FAQ also has information about proper rDNS as well as the role accounts to go with those hostnames.

All modern mail servers have a 'DNSBL' feature (sometimes called 'RBL Servers' or 'Blacklist'). If you are not sure whether yours does, read its 'Help' file or ask your mail server vendor.

Depending on how much email traffic you have, you can either use Spamhaus public mirrors free by setting your mail server's 'DNSBL' feature to query zen.spamhaus.org, or - if you have high traffic - you will need a special Data Feed from us.

There is more information in our "How-to-Use" FAQ, and see the following FAQ 'What zone should my server or spam filter query?'

Remember, use your mail server to query a Spamhaus DNS zone such as zen.spamhaus.org. Do not automate queries of our website lookup form!

There are other ways to use SBL beyond just checking the connecting IP. Our Effective Spam Filtering page has suggestions for checking URIs in the spam against SBL, which is very effective at stopping spam. Nameserver IPs of connecting hosts are another check which some admins have found effective. If you decide to do such checks on your mailstream, be very careful which Spamhaus zone you select for each step. Checking against SBL is quite conservative and will have few false positives. Checking against XBL is more aggressive and while it will catch more spam it may also intercept more non-spam mail. Don't use URI checks against PBL unless you know exactly what you're doing; that will result in rejecting non-spam mail for most servers. Remember that Zen zone contains SBL, XBL and PBL combined, so you will need to select the correct response based on the 127 return code.

Phishing spams are email messages that claim to be from a business or organization that you deal with, such as your bank, an online payment service such as PayPal, an auction house such as eBay, your Internet service provider (ISP), or even a government agency. The message usually says that you need to "update" or "validate" your account information, and often threatens the closure of your account if you don't respond.

When clicked, the email link will take you to an official-looking web site, which usually looks identical to the real one (since the fraudster has simply lifted the logos and wording from the real site), and will request you enter your account number, password, etc. This should obviously not be done as they will then empty accounts of funds or use them to commit other crimes.

If you see one of these scams, please report it to the Anti-Phishing Working Group by emailing their <reportphishing@antiphishing.org> address. eBay scams can also be emailed to <spoof@ebay.com> and PayPal has a reporting page.

• Are your outgoing mail server account, username and password correct? (check them, and remember that passwords are case-sensitive)

• Is the SMTP authentication working correctly at your mail server? (ask your ISP to check)

• Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)

• Mail servers only run spam filters such as Spamhaus PBL on port 25, so if you find you are being blocked by the PBL when you try to send mail to your mail server that means you are not communicating with the mail server on the 'authenticated' port 587 but you're still on port 25. This means your 'SMTP Authentication' is not working correctly. (ask your ISP to check for you)

1. static (not dynamic), and
2. an outbound mail server, and
3. configured with proper Reverse DNS and
4. assigned to you.

An overview off Effective Spam Filtering strategies explains additional uses of spam block lists such as URI_SBL in SpamAssassin and SURBLs and URIBL, domain-based DNS spam blocking lists.

The SBL can be used by almost all modern mail servers, by setting your mail server's anti-spam DNSBL feature (sometimes called "Blacklist DNS Servers" or "RBL servers") to query sbl.spamhaus.org.

For information on how to configure your mail server to use sbl.spamhaus.org please refer to your mail server documentation/manuals or ask your mail server developer. With so many different mail servers in use we can not offer technical help with setting up the SBL.

We recommend you use sbl.spamhaus.org together with xbl.spamhaus.org and pbl.spamhaus.org, as the SBL and XBL/PBL block different spam sources. To save you having to query three separate DNSBL zones, there combined "zen.spamhaus.org" zone contains the complete SBL, XBL and PBL data. Your server can safely reject SMTP connections from any IP listed in Zen by simply setting your mail server's DNSBL check to query zen.spamhaus.org only. Read the XBL FAQ and PBL FAQ for further information if your application uses second-stage filtering such as URI checks or full header traversal.

We ask, but do not require, that all ISPs using our BL zones inform customers of the fact you run spam filters (simply because it is the correct thing to do). Use of known-to-be-effective spam blocklists is normally seen as a service advantage and strong sales point. All SBL, XBL and PBL users are welcome to use the "email protected by" SBL, XBL and PBL web badges on sites.

If you run a Microsoft Windows based system, you should download a copy of stinger for Windows from www.nai.com, and fix anything it finds. See "Removing trojans/viruses from your system" in this FAQ for further information. More tools for checking if your PC may be infected are at http://www.mynetwatchman.com/tools/sc/

If after checking your PC for viruses/trojans/worms you are still unable to find the problem, contact the CBL team (see the CBL website http://cbl.abuseat.org for the correct email address).

• A payment via check is made, but (some weeks later) is returned by the bank on which it's drawn because it was forged. The scammer counts on your willingness to ship the product after your bank has (provisionally) cleared the check, and before the check has cleared its way through the whole international banking system.
  
  
• An "accidental" overpayment by the buyer, who asks you to deposit the check and then refund the amount of the "overpayment" when you ship the goods. You're out both the cost of the goods, and whatever "overpayment" you refund, when you find that the original check is made of rubber.

Please DO NOT auto-fetch the DROP list more than once per hour!

The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled from the Spamhaus website.

The choice of which service to apply for, Datafeed Query Service or Datafeed Rsync Service, depends on how big your network is and how high your email traffic is.

If you have 1,000's of users and very high email traffic or you want to serve our DNSBL data locally to multiple mail servers on your network, we recommend you use the Rsync Service. The Rsync Service requires some setup on your end (requires you also set up Rbldnsd) and usually a dedicated server (although you can also run Rbldnsd on the same machine as your DNS server). So only take the Rsync Service if you understand why you want Rsync/Rbldnsd.

If your network is medium-sized, small, or you want a non-complicated solution with no software to install, the best choice is the Datafeed Query Service. With this service the Datafeed Service Group assigns you a unique account ID and access to a set of private Datafeed Query Service servers. The Query Service is very simple to install (it should take you literally one minute to set up on most moderns mail servers). It requires no extra software or servers.

Instructions for using the Datafeed Query Service with Microsoft Exchange 2007 (PDF. 166 KB) have been published by MXTools.

Both services perform the same. You can switch from Query Service to Rsync Service later on if you find reason to need Rsync Service.

Snowshoers use many fictitious business names (DBAs), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build brand reputation based on a real business address, a known domain and a small permanent range of sending IPs. Snowshoers often use anonymized or unidentifiable whois records, whereas legitimate senders are proud to provide their bona fide identity.

Some showshoers use tunneled connections from their back-end spam cannon to the spam egress IP. The back-end IP address is not in the spam headers. ISPs, you are in a position to detect those back-end spam cannons by checking where traffic flows are coming from. Remember, the tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information.

Current numbers show the SBL can stop, on average, 5-10% of incoming spam at SMTP connection time, and 60-90% of spam in message body URI checks.

The SBL is meant to be used in conjunction with other Blocklists. The SBL targets spammers who host on, or spam from, a fixed location.

Additional systems such as the Spamhaus XBL (Exploits Block List) and the Spamhaus PBL (Policy Block List) should be used to block spam from spammers who use criminal methods to spam. These target spammers using open botnet-proxies - PCs they have infected with viruses. The combination of all three is available in our Spamhaus Zen zone.

See the Spam Filtering Guidewith charts and details on how the Blocklists function.