Blocklist Removal Center
About Spamhaus  |  FAQs  |  News Blog   
Frequently Asked Questions (FAQ)
Active Questions
BGPf FAQ
Datafeed FAQ
DNSBL Usage
DROP FAQ
Generic Questions
Glossary
ISP Spam Issues
Legal Questions
Marketing FAQs
Online Scams
Organization
ROKSO FAQ
Spamhaus BCL
Spamhaus CSS
Spamhaus DBL
Spamhaus PBL
Spamhaus SBL
Spamhaus XBL



Spamhaus CSS

What is CSS?
How do I use CSS and what is its return code? (127.0.0.3)
Does CSS list IPv6 addresses?
How are CSS listings removed?
Why is my IP address listed in CSS?


What is CSS?
Spamhaus CSS is a part of the SBL zone which lists single IP spam sources. As part of SBL zone, it is also included in Zen zone, so if you use SBL or Zen, you already use CSS. It is fed by multiple detection methods using a variety of heuristics. It is highly automated for both listing and expiration of zone entries. It allows fast, no-questions-asked removals - within limits - but it also relists quickly upon redetection. CSS is highly effective at blocking spam during SMTP delivery with very low false positive detections.


How do I use CSS and what is its return code? (127.0.0.3)

Use CSS just as you would use SBL or Zen. In fact, you must use one or the other (but not both!) of those zones in order to use CSS; CSS is not a separate zone. If you are already using SBL or Zen then you are already using CSS.

The return code for CSS in either sbl.spamhaus.org or zen.spamhaus.org zone is 127.0.0.3. For more about Spamhaus DNSBL usage and all our return codes, see the DNSBL Usage FAQ.



Does CSS list IPv6 addresses?

Yes, CSS lists both IPv4 and IPv6 addresses.

CSS lists single "/32" IPv4 addresses.

CSS lists "/64" or larger CIDR blocks in IPv6. A very large number of emitting IPv6 addresses in different /64 blocks within the same network may cause listing expansion to larger blocks. Without such aggregations, the IPv6 zone size could become unworkably large. Also, various gaming strategies used by spammers are much more difficult with aggregated blocks rather than single "/128" IPs.

"/64" is the industry standard for the smallest IPv6 allocation to individual customers, even in home-use situations like cable, DSL or wireless. Thus, for ISPs which follow standard industry practices, CSS IPv6 listings will only affect a single customer.

Spamhaus IPv6 strategy statement, published June 2011, is the result of extensive discussions we had with various members of the anti-abuse community including a large number of ISPs: http://www.spamhaus.org/organization/statement/12/

The M3AAWG IPv6 Policy document provides an excellent summary; see in particular 'Tracking and Actioning Aggregate IPv6 Assignments Instead of Individual /128 Addresses': https://www.m3aawg.org/sites/default/files/document/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf

The "/64" choice has RFC4291 as its origin and it is further discussed in RFC6177, but what is more important is that essentially no one in the M3AAWG community objected to the adoption of a /64 granularity for blocking lists.

More technical reasons for choosing at least /64 customer assignments are indicated in https://etherealmind.com/allocating-64-wasteful-ipv6-not/ and https://slash64.net/.

Customers of providers that place different customers within the same /64 block should contact the provider support, ask for a dedicated /64 assignment and move mail service to a non-shared /64 range. In particular, customers of Linode should read this document and open a ticket to get their own /64.



How are CSS listings removed?

CSS listings expire quickly, normally three days after last spam detection.

CSS also allows removal via our website. Start with the Blocklist Removal Center and follow the links from there.

IMPORTANT: Identify and stop whatever caused the spam problem before you remove an IP from CSS. While CSS will allow you to remove an IP, it will also relist it immediately if spam continues to be detected. Also, there are limits on removals so if you reach the limit of allowed removals without fixing the problem, you will need to wait for the three day expiration after last detection.



Why is my IP address listed in CSS?

IP addresses listed in CSS have been detected sending mail which matches CSS heuristics. CSS listings expire three days after last detection, so the problem is quite recent.

CSS heuristics look for snowshoe spam as well as mail from known bad actors, infected websites (CMS hacks), bots, and other insecure applications or devices.

We do not provide spam samples related to CSS listings. We suggest all domain and mail server administrators monitor appropriate role accounts and feedback loops as described in that FAQ. Your server logs might also have useful information.

In addition to your IP address, please check your whether your domain is in our DBL list. Spamhaus Blocklist Removal Center has forms for IP address and domain. Check them both!



© 1998-2018 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy