Frequently Asked Questions (FAQ)



Spamhaus PBL

Help! My IP address is on the PBL! What should I do?
A Quick Fix (POP before SMTP)
How do I turn on SMTP Authentication?
I have 'SMTP Authentication' switched ON but I'm still blocked!
Single IP Removal for Mail Server Administrators ("Exclusions")
Why can't I remove a PBL IP with a freemail address? (Gmail, Hotmail, etc.)
Who should NOT remove their IP address from the PBL?
What if I want to run a mail server on dynamic IPs listed in the PBL?
What if spammers hijack my computer after I have removed my IP address?
Won't spammers try to remove IP addresses?
Who is eligible for an ISP PBL Account? (IP Range removal for ISPs)
Instructions for creating and using an ISP PBL Account.
Password or Confirmation Code missing - How do I get a new one?
"Master Range" vs. "PBL Zone" - What is the difference?
What is the "Main Domain" for ISP Accounts?
How do I remove a Spamhaus PBL listing from my ISP Account? ("Claim CIDR")
What does this error mean? "[CIDR] conflicts with other PBL master records."
How does an ISP remove or add IP ranges from the PBL?
How many "bots" are in my IP ranges?
Does the PBL only contain dynamic IP ranges?
How do I use the PBL to block spam?
What do the different return codes mean in the PBL?
What zone should my server or spam filter query?
Can the PBL block email from legitimate sources?
Should an ISP use the PBL to block their own users?
Should I use the PBL to block access to my webserver?
How often is the PBL zone updated?
Can I nominate IP addresses or ranges for inclusion?
How much spam will the PBL block for me?
How do I test my PBL setup?


Help! My IP address is on the PBL! What should I do?
Nothing, in most cases. Read through this FAQ for further explanations.

The first thing to know is: THE PBL IS NOT A BLACKLIST. You are not listed for spamming or for anything you have done. The PBL is simply a list of all of the world's dynamic IP space, i.e. IP ranges normally assigned to ISP broadband customers (DSL, DHCP, PPP, cable, dialup). It is perfectly normal for dynamic IP addresses to be listed on the PBL. In fact all dynamic IP addresses in the world should be on the PBL. Even static IPs which do not send mail should be listed in the PBL.

PBL listings do not prevent you sending email unless your email program is not authenticating properly when it connects to your ISP or to your company's mail server. This can happen if you have forgotten to turn on 'SMTP Authentication' or if you have switched 'SMTP Authentication' off by mistake.

If you are using a normal email program such as Outlook, Entourage, Thunderbird or Apple Mail and you are being blocked by a Spamhaus PBL listing when you try to send email, the reason is simply that YOU NEED TO TURN ON 'SMTP AUTHENTICATION' in your email program's account settings. That will solve the problem for you. See: How do I turn on SMTP Authentication?

Server admins who need help with SMTP AUTH can find lots of information for most servers such as Sendmail, Postfix, Exim, Qmail, Exchange, etc.


A Quick Fix (POP before SMTP)
If you are encountering a problem with the PBL when sending email from an email program (Outlook, Entourage, Apple Mail, Thunderbird, etc.) try checking for new mail first and then sending. Do what you normally do to check if you have new mail (make your email program connect to your mail server to check for new incoming emails), then a few seconds after checking, try sending mail.

If checking before sending works, you can use this method (it is called 'POP before SMTP') to send your emails while you find a permanent fix to the problem. Importantly, if this method works, it means that you have a problem with your SMTP Authentication settings (it means your SMTP Authentication is OFF or badly configured).


How do I turn on SMTP Authentication?
SMTP Authentication is required when sending email out via most major ISP mail servers and most corporate mail servers. It is simply a username/password system which permits authenticated e-mail senders, just like most other computer accounts require authentication.

If you do not have SMTP Authentication turned on in your email software (Outlook, Entourage, Eudora, Apple Mail, etc.) you run the risk that the mail server will not recognize that you are a legitimate customer.

If the mail server is using spam filters (such as Spamhaus' PBL or XBL) it may refuse to take your email, because it thinks you are a stranger and your dynamic IP address is probably on Spamhaus' PBL list of dynamic IP addresses which mail servers should not accept mail from unless the sender is authorized to use that mail server.

To fix this, you need to turn on "SMTP Authentication", here's how:

In Microsoft Outlook & Outlook Express:

    Start Outlook 2000 or Outlook Express. From the menu, select Tools, then Accounts. Click once on the appropriate account from the Mail tab. Select Properties. From the account properties dialog box, choose the Servers tab. Put a check in the box for "My server requires authentication". Click on the "Settings" button. In the 'Outgoing Mail Server' dialog box, make sure "Use same settings as my incoming mail server" is selected. Press "OK". Back at the "Properties", click "Apply", then "OK". Click "OK" to close out of all dialog boxes.

In Eudora:

    Open Eudora, pull down the Tools menu and select "Options..." to display the Options window. Select the "Getting Started" category on the left-hand side. Select the "Allow authentication" checkbox and click "OK".

In Apple Mail:

    Open Apple Mail. Click on the "Mail" menu in the top menubar. Click on Preferences. Click on Accounts. Click on the account that you want to modify. Click on Account Information. Click on the "Outgoing Mail Server (SMTP)" pulldown list. Select "Edit SMTP Server List..." from the bottom of the list. Click on "Advanced". Make sure Authentication is set to "Password" or "MD5 Challenge-Response" (this depends on your ISP's instructions). Make sure your User Name is correct. Make sure your Password is correct (it must be exactly as your ISP gave it to you; beware of uppercase or lowercase). Your username and email password are normally the same ones you use to retrieve your POP or IMAP email. Click on OK. Close the Preferences window by clicking on the X in the upper left hand corner of the window.

In Agent:

    Tools >> Servers and Accounts >> Outbound Email Server
    Connection: TLS if available
    Login Method: Username and password
    Advanced Settings: Port: 587


Wikipedia and Google have lots more information about "smarthosts" and "SMTP AUTH".



I have 'SMTP Authentication' switched ON but I'm still blocked!
If you are absolutely sure that you have SMTP Authentication turned on properly in your email program, then contact the administrator of the mail server you are trying to send your email out through. It will usually be your ISP's mail server or your company's mail server. Ask them to check your "SMTP Authentication" settings.

Things to check:
  • Are your outgoing mail server account, username and password correct? (check them, and remember that passwords are case-sensitive)

  • Is the SMTP authentication working correctly at your mail server? (ask your ISP to check)

  • Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)

  • Mail servers only run spam filters such as Spamhaus PBL on port 25, so if you find you are being blocked by the PBL when you try to send mail to your mail server that means you are not communicating with the mail server on the 'authenticated' port 587 but you're still on port 25. This means your 'SMTP Authentication' is not working correctly. (ask your ISP to check for you)

In summary, if you are being blocked by the PBL when you try to send mail from your PC or Mac to your mail server that means you are sending on port 25, which means that even though you think you have SMTP Authentication switched on, your SMTP Authentication is not working correctly. This can often be something as simple as a bad password, see "Things to check" above.


Single IP Removal for Mail Server Administrators ("Exclusions")
If you are a mail server administrator and the static IP address of your outbound mail server is listed in the PBL it is easy and quick to exclude it from PBL Zone. Follow the PBL links from the "Blocklist Removal Center" form for IP addresses and you will find a web form for self-removal. Fill in the form and follow the instructions, and your static IP address will be excluded from the PBL. Allow 30 minutes for DNS to propagate after removal, then try your mail again.

You should only remove an IP address which meets all of these criteria:
    1. static IP (not dynamic), and
    2. outbound mail server, and
    3. configured with proper Reverse DNS, and
    4. assigned to you.

You should only remove one mail server IP address, not any other addresses which do not send mail. If you need to remove more than one IP address you should contact your ISP and show them this FAQ. If you remove many IPs, all your removals may be terminated and you may be blocked from making any further removals.

Exclusions are immediately terminated if spam is detected from them, and they expire after one year. ISPs may select shorter expiration periods for exclusions from their PBL Zone listings. Expired exclusions may be removed again but it would be better if your ISP properly maintained their IP ranges in PBL.

ISPs with PBL Accounts may add or remove lists of many such single-IP exclusions. ISP exclusions do not expire. That is explained further in the ISP's PBL Account "Help" section.


Why can't I remove a PBL IP with a freemail address? (Gmail, Hotmail, etc.)
The PBL removal system does not process removal requests that come from free email accounts such as Gmail.com, Hotmail.com, Yahoo.com, or any other free email domains. Any removals that are made using free email addresses are automatically invalidated by the PBL removal system security checks.

You must use your real address at your own domain to request PBL removals.

Since the only legitimate reason for removing an IP address from the PBL is when there is a legitimate mail server hosted on the IP address, only operators of legitimate mail servers should remove IPs from the PBL (and then strictly only the IP address of the mail server they operate). Therefore the self-service removal process assumes that the person requesting the removal of an IP is the operator of a mail server hosted at the IP address. That person would normally use a 'postmaster' address and not 'anon1234@gmail.com'.

All legitimate mail servers have proper hostnames and the server operator usually has a role address (such as "postmaster") which is used to receive operational communications. The operator of a legitimate mail server does not need to use a freemail address for operational communications. For this reason we treat removal requests from freemail addresses as being suspicious and do not process them.


Who should NOT remove their IP address from the PBL?
Most people should not remove their IP address from the PBL.

If you are a home user and you connect to the Internet with cable, DSL, wireless, satellite or dial-up access, you should not remove your IP. No matter how long your service contract, nearly all home-use "PPP" or "DHCP" leases are not static, but can change at any time. Remember, you are only leasing such an IP for a short time, at most a few months but often only hours or days, so removing it exposes not only flaws in your system, but spam-sending flaws in all the subsequent users of that IP after your DHCP lease expires.

ISPs should also be careful not to remove IP ranges which are not intended to send legitimate e-mail. It is OK for PBL to list web servers, DNS servers, routers and other systems which should not send mail. That way, other networks will be protected from spam if something goes wrong and those machines get hacked by spammers. That can help keep the ISP's infrastructure off of other spam blocking lists and even firewalls and ACLs.

The PBL should not affect anyone sending mail with a normal mail program such as Outlook, Eudora, Thunderbird, Mail.app, Pine and many others. Most people use such a client to send their mail out through their company or ISP's mail server or webmail. They authenticate their access to those servers with a username and password, and those servers must not be configured to reject authenticated connections due to PBL or other IP data provided by Spamhaus. Then, the server which receives your mail on the other end will not see the dynamic IP address in the connection, but instead will see the static IP of your ISP's mailserver, and it will not reject the mail based on the PBL.

Keeping your dynamic IP address listed in PBL is a good thing because it means that spammers cannot abuse it to send spam to other networks. PBL listing of dynamic ranges shows good faith on the part of your ISP to help other networks reject spam from IP ranges known to not be dedicated mail servers. Removing a dynamic IP, an IP which is only temporarily assigned to you, pokes a tiny hole through which a lot of spam can escape even after your IP lease has expired. Do your part to stop botnet spammers by keeping your IP listed in the PBL.

Note: Nothing in this FAQ should suggest to an ISP that removing a range from PBL is any sort of bad mark against that range. Ranges listed and then removed from PBL will be treated just like any other IP ranges as far as SBL or XBL are concerned. Spamhaus encourages and appreciates ISPs which use PBL to help them manage their ranges responsibly.


What if I want to run a mail server on dynamic IPs listed in the PBL?
Due to the vast volumes of compromised PCs spewing spam "direct-to-mx" from dynamic domestic Internet connections, most major mail systems choose not to accept unauthenticated SMTP mail from servers on dynamic IPs.

Unless you use Authenticated SMTP, there is no way for a machine to differentiate between legitimate email sent by your server from a dynamic IP and spam mail sent by a virus on a dynamic IP next door to yours. So, most networks make it their policy not to accept unauthenticated SMTP email sent "direct-to-mx" from dynamic IP pools. The Spamhaus PBL enables networks to enforce this policy.

If you're on a dynamic IP address and you absolutely need to run your own mail server, then use your ISP's outgoing mail relay as a 'smarthost'. If your ISP does not provide an outgoing mail relay, find a commercial smarthost provider. Such smarthosting arrangements are very common and inexpensive; contact your ISP or a hosting company for information. You can still accept inbound mail directly onto your server, PBL does not affect that.

Industry best practice is to block outgoing port 25 of dynamic pools (MAAWG documents).


What if spammers hijack my computer after I have removed my IP address?
By using the "exclusion" feature to remove an IP address from the PBL database you are assuming full responsibility for any spam that may later originate from that IP address.

If, after excluding an IP address from the PBL, any spam is detected originating from that IP address, Spamhaus may instantly and without warning list the IP address in the Spamhaus Block List (SBL) or the Exploits Block List (XBL), within the criteria of those lists. The PBL exclusion of that address will also be revoked.

Of course, you should be very embarrassed for giving spammers an opportunity to penetrate the defenses of hundreds of millions of mailboxes. Your ISP might suspend or cancel your service. And remember, participating ISPs are able to see who removed which IP.


Won't spammers try to remove IP addresses?
Spamhaus knows that spammers will attempt to remove IP addresses of hijacked PCs from which spam will then be sent, therefore safeguards are built in to prevent abuse of the removal facility by spammers, and particularly by automated bots. Removed IP addresses are not actually deleted from the PBL master database, instead they are added to a suppression database which removes the IP address from the current PBL zone distribution only.

The PBL IP address removals system is designed to enable Spamhaus to see who is removing what, and to see patterns of removals, both humanly and automatically. The ISP address block owner also sees which IPs have been removed from within their netblocks, by whom and when.

A check runs many times each day looking for suspect PBL removals; any found are turned back on and flagged for inspection. The system checks to see if a user is removing:
  • multiple other IP addresses
  • IP addresses in different networks
  • IP addresses which are clearly dynamic
  • IP addresses on which there is no mail server rDNS
  • IP addresses from which we are detecting spam
  • IP addresses from which spam is later detected
  • IP addresses already listed by other Spamhaus lists

There is also an extra check done on users who use 'freemail' addresses (such as Hotmail, Gmail, Yahoo, etc.) for PBL removals, as legitimate mail server operators would normally use their domain role/postmaster address to request removals.

If an IP address removed from the PBL begins to emit spam it is also instantly added to the SBL or XBL (not only added back to the PBL), and an IP which attempts to evade filters by mass removals of other IP addresses is itself eligible for the SBL.


Who is eligible for an ISP PBL Account? (IP Range removal for ISPs)
ISPs may claim their entire IP range with a PBL Account and make additions and removals of any size CIDR blocks of IP addresses within that range. Instructions are in this PBL FAQ, below.

Criteria the ISP must meet in order to be eligible for a PBL Account:
  • Must have at least a /24 allocation identifiable by IP-whois, rwhois or rDNS;
  • Network records for that allocation must clearly identify their Main Domain;
  • Must have working abuse@domain e-mail for that Main Domain;
  • Your Work Email and Role Contact addresses should also be at the Main Domain of your PBL Account application, or a domain we can identify as related to your ISP.

Be sure you understand the difference between Master Range and PBL Zone in Step 5 of the following FAQ before you enter IP ranges for a PBL account.



Instructions for creating and using an ISP PBL Account.
Here are step-by-step instructions for ISP PBL Accounts. There is also inline help on each ISP PBL Account page. ISP Accounts have a new user interface as of 19 May 2009, with improved web page layout, faster and easier control of your IP ranges and more features. This FAQ has been updated to reflect those changes, but the basic design of PBL has not changed.

1. Read the ISP Account description here: http://www.spamhaus.org/pbl/ispaccount/

2. Fill out the ISP Account application form here: http://www.spamhaus.org/pbl/signup/

3. Choose your Main Domain carefully. We must be able to verify that it matches the domain in IP-whois, rwhois or rDNS records. You must be able to read email sent to that abuse@domain account. Abuse@domain is where we will send the authorization code required to confirm your application and the password for the account after it is confirmed.

4. Watch for the confirmation mail in your abuse@domain account as soon as you complete the application. Read it and follow the instructions to confirm your account. As soon as you confirm your application, your account password will be mailed to that abuse@domain account, too. If you missed the confirmation message, you can get a new one here and if you need to reset your password go here.

The confirmation message will have these headers:

Subject: Spamhaus PBL Account Verification Code
From: Spamhaus PBL Verification <spamhaus_pbl_verify@spamhaus.org>

Important: Be sure you understand the difference between Master Range and PBL Zone before you enter your IP range(s) in this next step.

5. Log in to your new PBL Account. Follow the link to "Add Master Range", and follow the instructions on that page to claim a Master Range in CIDR format. You may claim any or all ranges which are allocated to you, and you can add more of your IP ranges later on, any time. We will look up each range you claim, confirm it is yours, and assign the entire allocation to your account's Master Ranges, but not enter it into the PBL Zone. It may take us a day or two to verify ownership and approve new ranges. Check your PBL Account occasionally; you will see your Master Ranges marked "approved" as soon as we check them.

6. You may also enter PBL Zone listings. They will be kept in "Status: Pending" and not entered in the PBL Zone until the respective Master Range for your account is approved. Be sure that any PBL Zone listings do not include IPs intended for mail servers. Most PBL Zone listings are dynamic IP ranges but it's OK to list static IPs which are not intended to send mail. PBL Zone listings will enter the actual PBL DNSBL Zone only after Spamhaus has verified that the IPs belong to your Master Ranges.

7. For each PBL Zone listing in your account, you must assign a PBL Policy that you want to apply to that listing. Your PBL Account has links to the PBL Policy page where you enter the text of one or more policies, select whether or not you allow individual IP removals by end-users and specify the length of time before such removals expire. You can apply any policy to any PBL listing within your range and you may change the policy whenever you wish, but only one policy at a time per listing, obviously. For existing Spamhaus listings within your Master Range, you may claim them as your own and assign a PBL Policy of your choice, you may leave them as-is under the general Spamhaus policy which allows end-user removals, or you may remove them if they are not dynamic ranges.

8. That's it! Log in whenever you wish to adjust your PBL listings due to changes in your network. Your PBL Account displays your Master Ranges and all PBL Zone listings within those ranges. You will find forms, links and buttons to add, remove, or claim ownership of PBL Zone listings from Spamhaus to your own PBL policy. Changes within your approved Master Ranges will take about 15 minutes to enter the PBL Zone. Policy changes will be visible immediately. Enjoy your PBL account, and thanks for helping make the Internet a better, more spam-free place!



Password or Confirmation Code missing - How do I get a new one?
The Main Domain for your PBL Account must have working abuse@domain and it must be the proper domain for your network. The confirmation code (confirmed opt in token or "authorization code") is sent to your abuse@domain account. Be sure you are receiving mail at abuse@domain and then request a new authorization code here:

http://www.spamhaus.org/pbl/signup/resend_vrfy/

You must complete the confirmation step before our system will send you a password.

As soon as you confirm your PBL Account our system will send you a password for it. We send it to abuse@domain. If you missed your password, you can request a password reset here:

http://www.spamhaus.org/pbl/account/reset_passwd/

Passwords are only sent to domains which already have authorized PBL accounts.



"Master Range" vs. "PBL Zone" - What is the difference?
There are two IP address fields in the PBL database for each ISP: one for all the IPs which we assign to that ISP's Master Ranges, and one for just the IPs that the ISP lists in the PBL Zone. Be sure you understand the difference before you fill out your PBL Account application or else you might end up listing your mail server IPs in the PBL Zone. If you do that, you will see a lot of your mail rejected until you fix it.

Master Ranges are all the IP ranges assigned to your PBL account by Spamhaus. We assign those ranges based on whois, rwhois or rDNS after we receive your application for that range. A Master Range is typically the same as the allocation you received from RIPE, APNIC, ARIN, LACNIC or AFRINIC. Master Ranges are not listed in the PBL Zone. They simply define the IP ranges in which your account is authorized to create PBL Zone records. None, some or all IPs in a Master Range may be listed in PBL Zone by the ISP.

PBL Zone refers to only those IP addresses listed in the DNSBL zone pbl.spamhaus.org. Those are the addresses from which email will be rejected by any server using PBL or Zen data. You may add or remove any IP range within your Master Range to or from the PBL Zone, any time you want. Such changes will become active after the next zone build, within 15 minutes of the change.

In mathematical terms, your PBL Zone listings are a subset of your Master Ranges. ISP's PBL Accounts clearly display "PBL Zone" ranges as subsets of "Master Ranges."



What is the "Main Domain" for ISP Accounts?
The Main Domain that you use to sign up for a PBL account must be clearly published in the IP-whois, rwhois or reverse DNS (PTR) of all your IP Master Ranges. Spamhaus uses those network records to verify that the domain is authoritative for the Master Ranges you request for your PBL Account. Your Main Domain must have a working abuse@domain account. Abuse@domain is where we will send the authorization code required to confirm your application and the password for the account after it is confirmed. Domains with anonymized whois may not be eligible for PBL Accounts. Choose your PBL Account Main Domain carefully so that we can identify the correct ranges for your account, and so that you can confirm your PBL Account application.

We have a section on how to configure rDNS in our "ISP Spam Issues" FAQ.


How do I remove a Spamhaus PBL listing from my ISP Account? ("Claim CIDR")
ISPs with a PBL Account may add or remove any CIDR range, to or from the PBL Zone, if it falls within their Master Range. Simply tick a box next to the CIDR range, then click "Remove selected listings". Or you can claim a PBL listing made by Spamhaus and apply your own policy to it, by following the links on your PBL Account pages.


What does this error mean? "[CIDR] conflicts with other PBL master records."
When an ISP requests a CIDR range for its PBL Account which is already assigned to another ISP, an error message tells the ISP "[CIDR] conflicts with other PBL master records." That can happen when a primary ISP has claimed its entire IP range, and then an ISP using a subnet of that range requests those IPs for its Master Range, too. Spamhaus does not assign Master Ranges of subnets which are already controlled by the upstream ISP, sorry! The best thing to do in that case is to contact that primary ISP and arrange whatever adjustments to the PBL Zone are necessary.

It can also happen when an ISP has returned its IP ranges to the Regional Internet Registry (RIR such as RIPE, ARIN, APNIC, etc.) and has not deleted those ranges from PBL. In that case, the ISP which has been newly assigned those IPs may contact Spamhaus directly to obtain control of those Master Ranges. There is a contact address in your PBL Account.


How does an ISP remove or add IP ranges from the PBL?
An ISP with a PBL Account can remove or add any IP range within their assigned Master Ranges. To remove a range from PBL, tick the checkbox beside the CIDR range(s) you wish to remove, then click the "Remove selected listings" button. Removed PBL listings will disappear from the PBL Zone in the next zone build, in just a few minutes. Be sure to keep all of your dynamic IP ranges listed in PBL!

To remove just part of an IP range, first remove the old PBL Zone listing and then use the "Add listing to PBL Zone" link to add the subnet(s) you want listed back into the PBL Zone.

That same "Add listing to PBL Zone" link allows you to add many CIDR ranges at once, or to remove many CIDR ranges at once, or even to add and remove many ranges at the same time. For example, an ISP may need to list around one or more small chunks of static IP space in an otherwise dynamic IP range, all in one step:

192.0.2.0/24
!192.0.2.16/31
!192.0.2.248/29

That would list 192.0.2.0-.15 and 192.0.2.18-.247 in the PBL Zone, but it would not list 192.0.2.16/31 or 192.0.2.248/29. ("!" means "do not list the following CIDR".) You may list many ranges and "!" exclusions in one entry form.
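
To check an entry before submitting it, the "!" syntax above and the Master Range / PBL Zone subset rule can be modelled locally. This is an added example, not Spamhaus code; the function names and the Master Range passed to `outside_master` are assumptions chosen for illustration.

```python
import ipaddress

# The example entry from this FAQ: one listing and two "!" exclusions.
SAMPLE_FORM = """\
192.0.2.0/24
!192.0.2.16/31
!192.0.2.248/29
"""

def parse_listing_form(text):
    """Split form lines into (listed, excluded) IPv4 networks; '!' marks an exclusion."""
    listed, excluded = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = excluded if line.startswith("!") else listed
        # strict parsing rejects CIDRs with host bits set, e.g. 192.0.2.17/31
        target.append(ipaddress.IPv4Network(line.lstrip("!").strip()))
    return listed, excluded

def effective_zone(listed, excluded):
    """Return the collapsed networks that stay listed once exclusions are carved out."""
    remaining = []
    for net in listed:
        pieces = [net]
        for ex in excluded:
            next_pieces = []
            for piece in pieces:
                if ex.supernet_of(piece):      # exclusion covers the whole piece
                    continue
                if ex.subnet_of(piece):        # exclusion punches a hole in the piece
                    next_pieces.extend(piece.address_exclude(ex))
                else:                          # exclusion does not touch this piece
                    next_pieces.append(piece)
            pieces = next_pieces
        remaining.extend(pieces)
    return list(ipaddress.collapse_addresses(remaining))

def as_ranges(nets):
    """Merge adjacent networks into (first, last) address pairs for easy reading."""
    ranges = []
    for net in sorted(nets):
        first, last = int(net.network_address), int(net.broadcast_address)
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1][1] = last
        else:
            ranges.append([first, last])
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in ranges]

def outside_master(listed, master_ranges):
    """Return listings that are not a subset of any Master Range (should be empty)."""
    return [n for n in listed if not any(n.subnet_of(m) for m in master_ranges)]

if __name__ == "__main__":
    listed, excluded = parse_listing_form(SAMPLE_FORM)
    for first, last in as_ranges(effective_zone(listed, excluded)):
        print(first, "-", last)
    # Hypothetical Master Range for this account, used only for the subset check.
    print("outside master:", outside_master(listed, [ipaddress.IPv4Network("192.0.2.0/24")]))
```

Before submitting, confirm that none of the printed ranges contains a mail server IP.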

If you have a range with many PBL listings and you wish to remove them all at once, you may list the entire range and then quickly delete that range (before the next zone build). Be sure to tick the checkbox labeled "Overwrite conflicting listings".

Users with a single IP address (or any network smaller than /24) must use the single IP removal form, not the ISP Account form.



How many "bots" are in my IP ranges?
In each ISP PBL Account's Master Range pages, at the bottom right of each range, there is a link labeled "Bots detected in this range". It is highlighted in red. Click that link for a page showing all the XBL-listed IPs in that range. Those IPs are infected with malware (virus) and have sent spam within the past week. More information about each IP is available by checking each IP in our lookup form.

Static IP ranges should show no, or very few, XBL-listed IPs. Ranges with higher "bot" infection rates are usually dynamic end-user ranges and should be listed in PBL. This article in our blog shows graphic representation of "bot" densities on some different networks, as examples.

Spamhaus encourages PBL Account holders to use that data about "bots" on their network to (1) make appropriate PBL Zone listings which cover bot-infected ranges and (2) take appropriate actions to stop the spam, disinfect the users' computers, and apply other measures to prevent bot-spam, such as port 25 blocking.

Note: The process which displays this bot data only runs every four hours. Bot data will only show up at the next cycle after we approve a Master Range, and will only update at that interval. Don't script that data to pull it more frequently than four hours; you won't get any new data. Master Ranges which do not display the "Bots" link, and which have been approved longer than four hours, have no bot (XBL) detections in that range.



Does the PBL only contain dynamic IP ranges?
The PBL lists both dynamic and static IP ranges. The design of the PBL is to list all non-MTA customer IP ranges, end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided specifically for that end-user's use. For example, as an ISP security admin, you might not want some of your corporate desktops to send mail (accidental infection, employees adding unauthorized software, etc.). Feel free to add those non-mailserver ranges into PBL.


How do I use the PBL to block spam?
The best way to use PBL is at the mail server, during the realtime SMTP session, in combination with Spamhaus SBL and XBL as part of the Spamhaus Zen zone. The composite Zen zone is designed to work most effectively for most networks as a complete system. Connections from IP addresses listed in Zen can safely be rejected during SMTP.

For general information on using Spamhaus DNSBL zones, see the DNSBL Technical FAQ.

PBL should not be used to block your own users from accessing their smarthost mailservers. Be sure that both your server and your users' mail clients are configured to use SMTP Auth or otherwise allow your users to access the server (whitelist local dynamic ranges).

PBL should not be used to block access to webservers and blogs because the vast majority of legitimate web access comes from end-user IP space such as contained in PBL.

PBL should not be used for URI-based blocking! Consider the false positive potential: legitimate webservers hosted with services such as dyndns.com or ath.cx! Or consider that ISPs and other networks are encouraged to list any IP ranges which should not send mail, and that could include web servers! Use SBL or XBL (or sbl-xbl.spamhaus.org) for URI blocking as described in our Effective Spam Filtering section. Use PBL only for SMTP (mail).

Remember that PBL policy is based on ranges which should not directly deliver e-mail, so any use beyond that will be riskier and subject to more false interceptions. And remember that PBL is included in Zen, so don't apply Zen to filtering decisions where you wouldn't apply PBL unless your application specifically distinguishes between Zen return codes. PBL is designed to check only the connecting IP address during a realtime SMTP session.



What do the different return codes mean in the PBL?
If an IP address is listed in the PBL zone, a DNS query will return either 127.0.0.10 or 127.0.0.11 depending upon how the IP was entered into the PBL Zone:

Return Code    Data Source
127.0.0.10     Participating ISP
127.0.0.11     Spamhaus

An nslookup of an (inverse) address which is not listed in the PBL will return NXDOMAIN, just like any other Spamhaus zone (or any DNSBL, for that matter):

    $ nslookup 2.0.0.127.pbl.spamhaus.org
    ...
    Name:   2.0.0.127.pbl.spamhaus.org
    Address: 127.0.0.10
    
    $ nslookup 1.0.0.127.pbl.spamhaus.org
    ...
    ** server can't find 1.0.0.127.pbl.spamhaus.org: NXDOMAIN

Spamhaus-entered data was seeded with the NJABL/dynablock zone, with approval from and tremendous thanks to all its past maintainers. Such ranges, like all Spamhaus-entered PBL listings, result in a .11 return code. The NJABL Dynablock zone has been emptied. Users of that list must reconfigure their system to not use it!

If your server uses dynablock.njabl.org, reconfigure it now to use PBL or Zen!
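
The return-code lookup described above, together with the earlier advice not to apply Zen outside SMTP unless the application distinguishes return codes, as an added Python example (not Spamhaus code). The `resolve` parameter, the sample zone data and the non-PBL answer `127.0.0.4` in it are constructed for illustration, and treating every non-PBL Zen answer as an SBL/XBL listing is an assumption.

```python
import ipaddress
import socket

# Return codes from the FAQ table above.
PBL_CODES = {"127.0.0.10": "participating ISP", "127.0.0.11": "Spamhaus"}

# Constructed sample answers (documentation addresses), standing in for live DNS.
SAMPLE_ZONE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.10"],               # PBL only
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.11", "127.0.0.4"],  # PBL plus a constructed non-PBL code
}

def dnsbl_name(ip, zone="pbl.spamhaus.org"):
    """Inverse-address query name: 127.0.0.2 -> 2.0.0.127.pbl.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)            # ValueError on anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """A records via the system resolver; [] only for a definite 'no such name'."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []                            # NXDOMAIN: not listed
        raise                                    # timeouts etc. are not an answer
    return sorted({info[4][0] for info in infos})

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])             # a missing name behaves like NXDOMAIN

def classify(ip, zone="zen.spamhaus.org", resolve=system_resolver):
    """Split the answers for one IP into PBL codes and everything else."""
    answers = resolve(dnsbl_name(ip, zone))
    return {
        "listed": bool(answers),
        "pbl": [PBL_CODES[a] for a in answers if a in PBL_CODES],
        "other": [a for a in answers if a not in PBL_CODES],  # codes this FAQ does not define
    }

def should_reject(ip, smtp_connect, resolve=system_resolver):
    """smtp_connect=True only for the connecting IP of a live SMTP session."""
    result = classify(ip, resolve=resolve)
    if smtp_connect:
        return result["listed"]                  # full Zen applies
    # Anywhere else (URI checks, web access) PBL codes must not count.
    # Assumption: the remaining Zen answers are SBL/XBL listings.
    return bool(result["other"])
```
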



What zone should my server or spam filter query?
The Spamhaus PBL can be queried at the DNS zone pbl.spamhaus.org. Like other Spamhaus DNS zones, there is no 'A' record for that fully qualified domain name. To find an 'A' record, you must look up an inverse IP address in that zone.

For most mail servers seeking general-purpose spam blocking, Spamhaus recommends using the combined zone zen.spamhaus.org. The Zen zone includes Spamhaus SBL, XBL, and PBL lists for the most effective server-level spam blocking. Be sure to whitelist any dynamic ranges which are authorized to use your outbound relay, of course. Authenticating users via SMTP AUTH is also a good idea.

WARNING! Some post-delivery filters use "full Received line traversal" or "deep parsing", where the filter reads all the IPs in the Received lines. Legitimate users, correctly sending good mail out through their ISP's smarthost, will have PBL-listed IPs show up in the first (lowest) Received header where their ISP picks it up. Such mail should not be blocked! So, you should tell your filters to stop comparing IPs against PBL at the IP which hands off to your mail server! That last hand-off IP is the one which PBL is designed to check. If you cannot configure your filters that way, then do not use PBL to filter your mail. Instead, you may wish to use sbl-xbl.spamhaus.org, but even that may have unacceptable "false positive" filtering, for example when an exploited end-user machine sends legitimate mail out through the ISP smarthost, or when the dynamic assignment changes the IP to an uninfected machine. Do not use PBL or XBL if you do not understand the issues of "deep parsing".
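
An added Python example (not from Spamhaus or any particular filter) of stopping at the hand-off IP instead of deep parsing the Received lines. The message, the host names and the `TRUSTED` internal range are constructed assumptions.

```python
import email
import ipaddress
import re

TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: our own internal relays
BRACKETED_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

# Constructed message: an end user (203.0.113.45) sends through the ISP
# smarthost (198.51.100.7), which hands off to our MX (10.0.0.5 internally).
SAMPLE = """\
Received: from mx1.example.net (10.0.0.5) by store.example.net; Mon, 1 Jan 2024 10:00:03 +0000
Received: from smarthost.isp.example ([198.51.100.7]) by mx1.example.net; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [203.0.113.45] (dsl-45.isp.example [203.0.113.45]) by smarthost.isp.example; Mon, 1 Jan 2024 10:00:01 +0000
From: user@isp.example
Subject: constructed example

body
"""

def hop_ips(raw):
    """Sending IP of each Received header, newest (top) first; None if unparseable."""
    hops = []
    for header in email.message_from_string(raw).get_all("Received", []):
        from_part = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        match = BRACKETED_IP.search(from_part)
        try:
            hops.append(ipaddress.ip_address(match.group(1)) if match else None)
        except ValueError:                       # e.g. 999.1.1.1
            hops.append(None)
    return hops

def handoff_ip(raw, trusted=TRUSTED):
    """The one IP PBL is designed for: the first hop outside our own relays."""
    for ip in hop_ips(raw):
        if ip is None:
            return None                          # cannot locate the hand-off: check nothing
        if not any(ip in net for net in trusted):
            return str(ip)                       # stop here; never look further down
    return None

def deep_parse_ips(raw, trusted=TRUSTED):
    """What full Received traversal would check (the behaviour warned against)."""
    return [str(ip) for ip in hop_ips(raw)
            if ip is not None and not any(ip in net for net in trusted)]
```

Only `handoff_ip` should be compared against PBL; `deep_parse_ips` also returns the end user's `203.0.113.45`, which is exactly the address that would be wrongly matched. Headers below the hand-off hop are written by other systems, which is one more reason to stop at the first untrusted hop.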



Can the PBL block email from legitimate sources?
The PBL is designed to avoid 'false positives'; however, like any system used to filter email, the PBL has the potential to block items of legitimate email. The "easy removal" feature of PBL allows server administrators to quickly correct any such listing.

The PBL concept is to include only IP address ranges that would never directly send email. Many of these ranges are submitted by the networks who own them (127.0.0.10) and other ranges are listed by Spamhaus (127.0.0.11). We are pretty good at identifying such ranges, and most ISPs know their own networks very well. But we've found that everyone can make mistakes, so the "easy removal" feature helps everyone.

It is important to note that, unlike many proprietary spam filter solutions, in its normal "realtime" DNSBL application, the PBL does not silently discard incoming email. Instead, as a DNSBL it has a vital delivery fail-safe mechanism: by design, no matter how rare they may be, any false positive rejected by mail servers using the PBL correctly follows RFC defined SMTP mail delivery procedure and is returned to the immediate Sender with a Delivery Status Notification explaining the rejection. One of Spamhaus' main objectives is to help keep valid, non-spam email from being lost, or mixed in with hundreds of spam messages where they can be overlooked or automatically trashed as many systems will do. Using PBL or Zen at the server as a DNSBL means that mail is not discarded.


Should an ISP use the PBL to block their own users?
No! Spurious blocking caused by sites using the PBL to block authenticated access to smarthosts or outgoing email servers is not acceptable. The PBL is only designed to be used on incoming email, that is, on the hosts that your MX records point to.

If you use the same server for incoming email and outgoing email, then you must ensure that you exempt authenticated clients from PBL checks. As your users will often connect from dynamic IP addresses, a user may be assigned an IP address from his provider that is in the PBL and should remain in PBL. For your users outside of locally whitelisted ranges, use SMTP AUTH and do not use PBL exemptions, as that is only a temporary work-around and can allow spam to escape.

Another way of putting this is: "Do not use the PBL to block your own users".

Note: This also applies to using the PBL to deny access to web-forums, journals or blogs (see below).



Should I use the PBL to block access to my webserver?
No! A listing in the PBL does not mean there is anything 'wrong' with the IP address or end user. A PBL listing does not mean an address is an open proxy or run by a spammer. All it means is that the IP address has been designated as 'not allowed to make direct-to-MX SMTP connections'. The majority of legitimate connections to webservers come from IPs listed in PBL. Please do not block innocent users.


How often is the PBL zone updated?
The PBL DNS zone is rebuilt and reloaded every 15 minutes, 24/7, to ensure that new 'no Unauthenticated SMTP allowed' IP addresses are blocked and that any mistaken listings are swiftly removed. For high redundancy Spamhaus has over 100 public DNSBL mirror servers located around the world. Each mirror is independently run as a free service to the Internet community and all respond in realtime to public queries.



Can I nominate IP addresses or ranges for inclusion?
There is no way for third parties to nominate or add IP addresses to the PBL. Only Spamhaus and authorized PBL ISP Accounts can make changes to PBL database listings. ISPs can only make changes within their authorized network ranges.


How much spam will the PBL block for me?
It depends on many factors: how many domains one hosts, how many email addresses the domains have, how many email addresses have been harvested by spammers or pulled out by dictionary attacks, geographic "ccTLDs", and other spam-profile factors.

Current numbers show the PBL can stop, on average, more than 50% of incoming spam. As more and more ISPs submit their ranges to it, this percentage will continue to grow.

The PBL is meant to be used in conjunction with other blocklist systems. The PBL allows users to block emails coming from IP addresses that are not meant to be sending email. Those are often "hacked" or "Trojaned" computers used by spammers who use these exploited systems to send spam.

Additional systems such as the Spamhaus SBL and the Spamhaus XBL should be used to block spam. The combination of all three is available in our Spamhaus Zen zone.

We have a Spam Filtering Guide page with charts and details on how the Blocklists function.



How do I test my PBL setup?
Once you have set up your mail server to use pbl.spamhaus.org (or the preferred zen.spamhaus.org), you can test to see if the PBL blocking is working by sending an email (any email) to: nelson-pbl-test@crynwr.com (you must send the email from the mail server which you wish to test). The Crynwr system robot will answer you to tell you if your server is correctly blocking PBL-listed IP addresses or not.


© 1998-2014 The Spamhaus Project Ltd. All rights reserved.