Frequently Asked Questions (FAQ)
Spamhaus XBL

Why was my IP listed in the XBL?
I get messages that I'm blocked by you, but when I check my IP on your site it's not listed
I delisted my IP, but it keeps getting relisted again. Why??
Why didn't you notify me first!
Can the XBL block email from legitimate sources?
What do the different return codes in the XBL mean?
What source data is incorporated into the XBL?
Should an ISP use the XBL to block their own users since it means they have a virus or open proxy?
Should I use the XBL to block access to my webserver since it means that the IP address has a virus or open proxy?
How often is the XBL zone updated?
Can I nominate IP addresses or ranges for inclusion?
Does the XBL contain any static or manually-maintained entries?
How much spam will the XBL block for me?


Why was my IP listed in the XBL?

When mail is received at one of the XBL's feeds, the connection is analyzed automatically to determine whether the connecting machine is either an open proxy or a spam-sending Trojan Horse. If so, the IP address is immediately added to Spamhaus' XBL blocklist. The XBL only lists single IP addresses, and only when the spam/virus/trojan connects directly to its feed's servers, not when an intermediate, non-infected MTA connects, nor when a virus is bounced by a legitimate MTA ("backscatter").

IP addresses that host URLs with executable virus/trojan content in emails sent from XBL-listed addresses will also be added, because there is a very strong likelihood that such a host is also a trojan-infected machine. For the same reason, IP addresses that connect to our botnet C&C sinkhole servers will also be added.

Most IP addresses are listed as a result of directly sending spam or viruses to the CBL system's detectors (spamtraps, special addresses which do not belong to any real users, and which receive only spam) or by initiating SMTP transactions that look similar to viruses or botnet-proxies. Other feeds of spam-sending exploited systems may be added, but only if they meet Spamhaus quality standards. (XBL formerly included data from the RSL, BOPM & NJABL blocklists, which no longer exist).

If the IP belongs to a NAT gateway/firewall system, Spamhaus strongly recommends blocking all outgoing port 25 traffic from machines on your network that are not configured and maintained specifically as mail servers. A single infected machine sending spam out through a NAT can result in blocked mail from the whole LAN. See the CBL's FAQ for more information.

Removing trojans/viruses from your system

If you find your IP has been listed by the XBL, your system is very likely compromised by a virus delivered via mail, web, or another download. To fix it, you need to find and close any open SOCKS, Wingate or HTTP type proxies. Many viruses install open proxies and other Trojan Horse or "backdoor" malware on systems, so you should download a copy of Stinger for Windows from www.nai.com and fix anything it finds.

Also download and read this CERT document Recovering from a Trojan Horse or Virus (PDF).

Useful links:

Before You Connect a New Computer to the Internet
http://www.us-cert.gov/reading_room/before_you_plug_in.html

Understanding Firewalls
http://www.us-cert.gov/cas/tips/ST04-004.html

Windows Update
http://windowsupdate.microsoft.com/

Protect Your PC
http://www.microsoft.com/security/protect/default.asp



I get messages that I'm blocked by you, but when I check my IP on your site it's not listed
Very likely your IP was blocked by our XBL system and has been recently removed either by you or by someone else requesting a removal of the IP. Data in our DNS servers around the Internet, and cached at mail servers, takes a bit of time to update, so wait a couple of hours and the problem should clear by itself.

But bear in mind that if your IP was listed on the XBL, it was listed because the detectors which feed the XBL received either spam or a virus directly from the IP, or found it to be an open proxy. Keep reading for information on what you need to do to ensure it doesn't simply get listed again.



I delisted my IP, but it keeps getting relisted again. Why??
You have either an open proxy, a virus, a trojan spam-sender or some other sort of security compromise which is causing your IP to be relisted. Always ensure that viruses, trojans and open proxies are removed or secured before trying to delist your IP.

If you run a Microsoft Windows based system, you should download a copy of Stinger for Windows from www.nai.com and fix anything it finds. See "Removing trojans/viruses from your system" in this FAQ for further information. More tools for checking whether your PC may be infected are at http://www.mynetwatchman.com/tools/sc/

If after checking your PC for viruses/trojans/worms you are still unable to find the problem, contact the CBL team (see the CBL website http://cbl.abuseat.org for the correct email address).



Why didn't you notify me first!
Spamhaus adds between 1,500,000 and 2,000,000 IP addresses to the SBL, XBL and PBL databases every single day.

There is no technology to match the hundreds of millions of IP addresses in the world to the email addresses of the people using them at any given time. IP addresses are not like phone numbers: there is no 'directory' of Internet users, and we cannot 'call' an IP address or send a message to an IP address. Quite simply, there is no magic way to know that (say) IP address '86.132.10.22' is currently being used by 'joe.smith@btbroadband.com'.

Existing Internet technology only allows us to know that (say) IP address '86.132.10.22' belongs to 'British Telecom' and is located somewhere in Southern Britain.


Can the XBL block email from legitimate sources?
The XBL is designed to avoid 'false positives'; however, like any system used to filter email, the XBL has the potential to block legitimate email if it is sent from an IP infected with a spam virus or trojan.

In cases where the IP is dynamic, it is possible for a virus-infected customer to transmit spam to the XBL's detectors and, after the customer has disconnected, the IP is automatically reassigned to the next customer who connects. If that next customer tries to run a direct-delivery mail server off the dynamic IP, that email would be blocked by XBL users. (Now ask yourself, do you really want to accept mail from a mail server running off a dynamic IP? With bad or no rDNS? If you do, then XBL is not for you.)

In cases where the IP is a firewall or NAT gateway, it is possible for a virus-infected PC on the local LAN to be transmitting spam and viruses out via the firewall's IP, resulting in the firewall getting listed on the XBL. In these cases the only remedy is for the network administrator to ensure the PCs on the LAN are not doing this. Blocking port 25 for all user (non-mail-server) machines in the LAN is a good fix. Users can still reach the mail server on port 587 (the submission port).

It is important to note that, unlike most commercial ISP-level spam filter solutions, in its normal "realtime" DNSBL application, the XBL does not silently discard incoming email. Instead it has a vital delivery fail-safe mechanism: by design, no matter how rare they may be, any false positive rejected by mail servers using the XBL correctly follows RFC defined SMTP mail delivery procedure and is returned to the immediate Sender with a Delivery Status Notification explaining the rejection. One of Spamhaus' main objectives is to help keep valid, non-spam email from being lost, or mixed in with hundreds of spam messages where they can be overlooked or automatically trashed as many systems will do.

WARNING! Some post-delivery filters use "full Received line traversal" or "deep parsing", where the filter reads all the IPs in the Received lines. Legitimate users, correctly sending good mail out through their ISP's smarthost, will have XBL-listed IPs show up in the first (lowest) Received header, where their ISP picks the mail up. Such mail should not be blocked. You should tell your filters to stop comparing IPs against the XBL at the IP which hands off to your mail server. That last hand-off IP is the one which the XBL is designed to check. If you cannot configure your filters that way, then do not use the XBL to filter your mail. If you use this method, even in a spam-scoring system, it may still produce unacceptable "false positives", for example when an exploited end-user machine sends legitimate email out through the ISP smarthost, or when dynamic assignment moves the IP to an uninfected machine. Do not use the XBL (or PBL) if you do not understand the issues of "deep parsing".



What do the different return codes in the XBL mean?
The DNS return code (127.0.0.?) denotes the source of the data in the XBL or the SBL-XBL and ZEN combined zones. Only one code is currently used by XBL:

Return code   Data source
127.0.0.4     CBL

In the past, 127.0.0.5 was assigned to NJABL listings and 127.0.0.6 to OPM listings; these codes are no longer in use at this time. 127.0.0.5, 127.0.0.6 and 127.0.0.7 remain allocated to XBL for possible future use.


What source data is incorporated into the XBL?
The XBL incorporates data from the CBL (Composite Block List), and no other data sources are present at this time. Therefore, XBL and CBL are coincident at present. However, further data sources may be added to XBL in the future.


Mail servers already using cbl.abuseat.org should NOT also use xbl.spamhaus.org: you would be making double queries about the same data, increasing both your load and the DNSBLs' load, and only one of the two DNSBLs would appear to work while the other appeared to catch nothing. In fact, in most cases the composite zen.spamhaus.org list (which includes the CBL) should be used.




Should an ISP use the XBL to block their own users since it means they have a virus or open proxy?
We're getting a lot of reports of spurious blocking caused by sites using the XBL to block authenticated access to smarthosts / outgoing email servers. The XBL is only designed to be used on incoming email, i.e. on the hosts that your MX records point to.

If you use the same hosts for incoming email and smarthosting / outgoing email, then you should always ensure that you exempt authenticated clients from XBL checks, just as you would for dynamic/dialup blocklists.

As your users are often on dynamic IP addresses, a user may be assigned an IP address from his provider that is in the XBL due to the virus or open proxy situation of a previous user of that IP address.

Another way of putting this is: "Do not use the XBL to block your own users".

Using the XBL to alert an ISP's security department when a user's IP is in the XBL is permissible and a good thing. But remember, that user may not be the one with the virus or open proxy problem.

Note: This also applies to using the XBL to deny access to web-forums, journals or blogs (see below).
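The following is an added example, not code from Spamhaus or the CBL, illustrating three points from this FAQ together: only the IP that hands off to your MX is checked (no "deep parsing" of lower Received lines), the XBL answer is interpreted by its return code (127.0.0.4 = CBL, 127.0.0.2 = the standard test entry), and authenticated clients are exempted from the check. The Received headers, the host names and the stand-in DNS table are constructed for the example; a real deployment would query xbl.spamhaus.org (or zen.spamhaus.org) through an actual resolver.

```python
import ipaddress
import re

# Constructed sample headers as seen on our hypothetical MX "mx.example.org".
# Index 0 is the topmost (most recent) Received line: the ISP smarthost that
# connected to us.  The end-user PC appears only in the lower (earlier) line.
SAMPLE_RECEIVED = [
    "from smarthost.isp.example (smarthost.isp.example [192.0.2.10]) "
    "by mx.example.org with ESMTP",
    "from userpc (dsl-pool.isp.example [203.0.113.5]) "
    "by smarthost.isp.example with ESMTPA",
]

# Constructed stand-in for the DNSBL zone: query name -> A record answer.
# Only 203.0.113.5 is "listed"; 127.0.0.2 is the XBL's documented test entry.
FAKE_DNS = {
    "5.113.0.203.xbl.spamhaus.org": "127.0.0.4",
    "2.0.0.127.xbl.spamhaus.org": "127.0.0.2",
}

# Return codes documented in this FAQ.
XBL_CODES = {"127.0.0.2": "test entry", "127.0.0.4": "CBL"}


def xbl_query_name(ip, zone="xbl.spamhaus.org"):
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def handoff_ip(received):
    """IP of the client that handed the message to our MX (topmost Received).
    Deeper Received lines are deliberately ignored: no deep parsing."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return m.group(1) if m else None


def xbl_source(ip, resolver=FAKE_DNS.get):
    """Return the data source name for a listed IP, or None if not listed."""
    answer = resolver(xbl_query_name(ip))
    return XBL_CODES.get(answer) if answer else None


def xbl_decision(received, authenticated=False, resolver=FAKE_DNS.get):
    """MX policy: never consult the XBL for authenticated submission clients,
    and for inbound mail check only the hand-off IP."""
    if authenticated:
        return "accept: authenticated client, XBL not consulted"
    ip = handoff_ip(received)
    if ip is None:
        return "accept: no connecting IP found in Received header"
    source = xbl_source(ip, resolver)
    if source is None:
        return "accept: %s not listed" % ip
    return "reject: %s listed in XBL (source: %s)" % (ip, source)
```

With the sample headers the message is accepted, because the smarthost 192.0.2.10 is not listed; a deep-parsing filter that also checked 203.0.113.5 would have rejected this legitimate mail.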



Should I use the XBL to block access to my webserver since it means that the IP address has a virus or open proxy?
A listing in the XBL does not mean this. It means that at one time the IP address may have had a virus or open proxy.

The XBL contains mostly dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited computer. Please do not block innocent users.

If you still feel you must use the XBL in this way, do not refer users back to Spamhaus. You must deal with blocked users yourself, either by giving them a point of contact, or perhaps by instituting a CAPTCHA + cookie system to screen out spam-bots.



How often is the XBL zone updated?
The XBL DNS zone is rebuilt and reloaded every 15 minutes, 24/7, to ensure that new spam problems are swiftly blocked and that fixed problems are swiftly removed. For high redundancy there are over 40 public XBL (and SBL) mirrors located in many nations around the world. Each XBL mirror is independently run as a free service to the Internet community and all respond in realtime to public queries of sbl-xbl.spamhaus.org. XBL DNS mirrors are located in: Argentina, Belgium, China, Denmark, France, Germany, Greece, Italy, the Netherlands, Russia, Singapore, Spain, South Africa, Venezuela, the UK and USA.



Can I nominate IP addresses or ranges for inclusion?
No. The XBL is an automatic system whose detectors need to receive email (spam, worms, etc.) directly from the IP address so the connection data can be analysed to determine if it's a proxy or virus-spewer. There is no way for third parties to add IP addresses to the XBL.


Does the XBL contain any static or manually-maintained entries?
No (except a standard test entry of 127.0.0.2), not at this time.

The SBL and PBL are our databases of manually-maintained entries.


How much spam will the XBL block for me?
It depends on many factors: how many domains one hosts, how many email addresses the domains have, how many email addresses have been harvested by spammers or pulled out by dictionary attacks, geographic "ccTLDs", and other spam-profile factors.

Current numbers show the XBL can stop, on average, about 50-70% of incoming spam.

The XBL is meant to be used in conjunction with other blocklists. The XBL targets spammers who use exploited systems to spam from. These spammers criminally use open relays, open proxies, and PCs they have infected with viruses.

Additional systems such as the Spamhaus SBL should be used to block spam from spammers who email from fixed locations, and the Spamhaus PBL covers ranges not yet detected by XBL which should not be delivering email. The combination of all three is available in our Spamhaus Zen zone.

We have a Spam Filtering Guide page with charts and details on how the Blocklists function.



© 1998-2014 The Spamhaus Project Ltd. All rights reserved.