


Spamhaus CSS


DEFINITION: SPAMHAUS CSS

What is CSS?

LISTED IN CSS Q&A

Why is my IP address listed in CSS?
Removing an IP listed in CSS

CSS USAGE QUESTIONS

How do I use CSS and what is its return code? (127.0.0.3)
How does CSS handle IPv6 addresses?
Using SpamAssassin and Rspamd with Spamhaus data



DEFINITION: SPAMHAUS CSS


What is CSS?
The Spamhaus CSS is a component of the SBL.

The CSS list is an automatically produced dataset of IP addresses that are involved in sending low-reputation email. CSS mostly targets static spam emitters but may also include other senders that display a risk to our users, such as compromised hosts. CSS lists both IPv4 addresses (/32) and IPv6 addresses (/64 or larger). CSS listings are influenced by:
  • Email showing indications of unsolicited nature;
  • Broad-spectrum aggregated views of email deliveries;
  • Having poor list-hygiene;
  • Sending out bad email due to a compromise (compromised account, webform or CMS);
  • Other indicators of low reputation or abuse.
CSS listings are based on a wide range of inputs and are always the result of multiple events and heuristics.
  • CSS is also included in Zen, so if the SBL or Zen is already in use, CSS is in use as well.
  • It allows fast, no-questions-asked removals - within limits - but it also re-lists IPs quickly if there is re-detection.



LISTED IN CSS Q&A


Why is my IP address listed in CSS?
Spamhaus is a reputation data producer. The actions taken by email/internet service providers that are based on our data will vary by ISP.
  • It is up to the provider to decide how to treat IP addresses listed in CSS.
IP addresses listed in CSS have been detected sending mail which matches CSS heuristics.
  • CSS listings expire three (3) days after the last detection.
  • If an IP is listed, the problem is recent!
CSS rules look for several problems, including snowshoe spam, mail from known bad actors, infected or compromised websites or CMS, bots, and other insecure applications or devices.
  • If an IP is listed because it is compromised, we have an FAQ that is a good place to start.
NOTE: We do not provide spam samples related to CSS listings, though in some cases of compromise we may be able to provide some additional information if we have it.
  • We recommend that all domain and mail server administrators monitor the appropriate role accounts and feedback loops for their domains and network space.
  • Server logs might also have useful information.
If an IP address is listed, please check to see if any related domains are in the DBL.
  • The Spamhaus Blocklist Removal Center has forms for both IP addresses and domains.
  • If you are authoritative for an IP address, and you believe the issues that caused the listing have been solved, you can request a delisting.


Removing an IP listed in CSS
CSS listings expire quickly: normally, three days after last spam detection.
  • It allows fast, no-questions-asked removals - within limits - but it also re-lists IPs quickly if there is re-detection.
  • De-listing should begin at the Blocklist Removal Center. Follow the links from there.
Whatever caused the problem must be identified and corrected before removing an IP from CSS.
  • CSS will allow the removal of an IP, but it will also re-list it immediately if a problem continues to be detected.
  • Self-removals are limited.
IMPORTANT: The reputation of any associated domains should also be checked using the Blocklist Removal Center: Domain and IP reputations are related.



CSS USAGE QUESTIONS


How do I use CSS and what is its return code? (127.0.0.3)
The Spamhaus CSS is used in the same way as the SBL or Zen.
  • Use either the SBL or Zen (one or the other, but not both!) to get CSS data; CSS is not a separate zone.
  • CSS is included in Zen, so if the SBL or Zen is already in use, CSS is in use as well.
  • The return code for CSS in either the "sbl.spamhaus.org" or the "zen.spamhaus.org" zone is 127.0.0.3.
For more about Spamhaus DNSBL usage, and all our return codes, see the DNSBL Usage FAQ.


How does CSS handle IPv6 addresses?

CSS lists both IPv4 and IPv6 addresses.

  • IPv4: CSS lists single "/32" addresses.
  • IPv6: CSS lists "/64" or larger CIDR blocks.
    • A very large number of spam-emitting IPv6 addresses in different /64 blocks within the same network could cause listings to extend to larger blocks.
    • Without such extensions/aggregations, the IPv6 zone size could become unworkably large.
    • Various strategies used by spammers to game the system are made much more difficult by the use of aggregated blocks rather than single "/128" IPs.
A "/64" is the industry standard for the smallest IPv6 allocation to individual customers, even for home uses like cable, DSL or wireless.
  • For ISPs which follow standard industry practices, CSS IPv6 listings will only affect a single customer.
  • The "/64" choice has RFC4291 as its origin and it is further discussed in RFC6177.
  • More technical reasons for choosing /64 customer assignments, at minimum, are discussed in a post on Etherealmind.com and on Slash64.net.
Customers of providers that assign different customers within the same /64 block should contact their provider's support, ask for a dedicated /64 assignment, and move mail service to a non-shared /64 range.

NOTE: Linode customers should read this document, then open a ticket to get their own /64.
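
The return-code and IPv6 answers above, put together as an added example (not Spamhaus code): it builds the DNSBL query name for an address, recognises the 127.0.0.3 CSS return code, and computes the smallest range a CSS listing covers so you can see whether two mail hosts share a /64. The addresses are constructed from documentation ranges, the function names are hypothetical, and the reversed-octet/reversed-nibble query format is the standard DNSBL convention rather than something stated on this page.

```python
import ipaddress
import socket

CSS_RETURN_CODE = "127.0.0.3"   # CSS return code in sbl/zen, per the FAQ above
DEFAULT_ZONE = "zen.spamhaus.org"   # use zen OR sbl.spamhaus.org, not both

def dnsbl_query_name(ip, zone=DEFAULT_ZONE):
    """Query name: reversed octets (IPv4) or reversed nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def css_listing_scope(ip):
    """Smallest range a CSS listing covers: /32 (IPv4) or /64 (IPv6).
    IPv6 listings can be larger than /64; this is only the minimum."""
    addr = ipaddress.ip_address(ip)
    prefix = 32 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def share_listing_scope(ip_a, ip_b):
    """True if one CSS listing would necessarily cover both addresses."""
    return css_listing_scope(ip_a) == css_listing_scope(ip_b)

def classify_answers(a_records):
    """Interpret the A records returned for a query in sbl or zen."""
    if not a_records:
        return "not listed"
    if CSS_RETURN_CODE in a_records:
        return "css"
    return "other return code"   # see the DNSBL Usage FAQ for the full list

def check_css(ip, zone=DEFAULT_ZONE):
    """Live lookup through the system resolver (network access required)."""
    try:
        _, _, answers = socket.gethostbyname_ex(dnsbl_query_name(ip, zone))
    except (socket.gaierror, socket.herror):
        # No answer. This also hides resolver failures, so log them
        # separately in production instead of assuming "not listed".
        answers = []
    return classify_answers(answers)

if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges.
    for ip in ("192.0.2.10", "2001:db8:0:1::25"):
        print(ip, dnsbl_query_name(ip), css_listing_scope(ip))
    print(share_listing_scope("2001:db8:0:1::25", "2001:db8:0:1:ffff::1"))
```

Zen can return several A records for one query, so the check tests membership rather than comparing a single answer.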


Using SpamAssassin and Rspamd with Spamhaus data
We have developed our datasets with the goal of making them as compatible as possible with existing software. The two biggest open source antispam projects are SpamAssassin and Rspamd.

To show the best way to use our data with these products, we have created two dedicated GitHub projects. The projects contain instructions, rulesets, and code to get the most out of our DQS product.



© 1998-2020 The Spamhaus Project SLU. All rights reserved.