Blocklist Removal Center
About Spamhaus  |  FAQs  |  News Blog   
Frequently Asked Questions (FAQ)
DNSBL Usage
General Questions
Glossary
Hacked... Here's help
ISP Spam Issues
Legal Questions
Marketing FAQs
Online Scams
Organization
ROKSO FAQ
Spamhaus BCL
Spamhaus CSS
Spamhaus DBL
Spamhaus HBL
Spamhaus PBL
Spamhaus SBL
Spamhaus XBL
Spamhaus DROP
 » BGPf FAQs
 » Datafeed FAQs



Spamhaus XBL


DEFINITION: Spamhaus "Exploits Block List" (XBL)

What is the XBL?

LISTED IN XBL Q&A

Why was my IP listed in the XBL?
I delisted my IP, but it keeps getting listed again. Why?
I get error messages that I'm blocked by XBL, but when I check my IP on your site it's not listed. Why?

XBL USAGE QUESTIONS

What do the different return codes in the XBL mean?
Should providers use the XBL to block their own users?
How often is the XBL zone updated?
Can IPs or ranges be nominated for inclusion?
Using SpamAssassin and Rspamd with Spamhaus data
How does XBL handle IPv6 addresses?



DEFINITION: Spamhaus "Exploits Block List" (XBL)


What is the XBL?
The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses used by hijacked devices compromised by 3rd party exploits.

The range of exploits we track and list changes constantly to reflect the real-world threat map.



LISTED IN XBL Q&A


Why was my IP listed in the XBL?
The IP was listed because we have compelling evidence that suggests that the IP or one or more devices behind it are insecure, compromised, or infected.

To stop the abuse immediately, close port 25 on the router or firewall, and restrict port 25 access to known email servers.
  • NOTE: Closing port 25 will only prevent the abusive connections from leaving your network. If the problem is (for example) an infected mobile phone, when it moves to another insecure network, it will resume its activity without restriction.
To find and eliminate the source of the problem, please see the our FAQs: Is the IP a NAT gateway, firewall or router?
  • The infected devices are usually computers or other devices (such as mobile phones) behind the router, but in some cases it can also be the router itself.
    • Please consult the documentation or manufacturer of your router or firewall to see how to ensure that the device is properly secured, and make sure its software is up to date.
General considerations:

  • Microsoft Windows operating systems: any or all of the following free tools may help: Windows Defender, Malwarebytes, Norton Power Eraser, CCleaner, or McAfee Stinger.
    • Make sure that Windows is running the most up to date and patched version of the available operating system.
  • All operating systems: Check tool-bars, extensions and plug-ins on each browser for anything you don't recognize. Look for for "free" VPNs or other heavily-monetized apps.
  • Calling your ISP, IT department, or taking your suspect machine(s) to a competent tech support service might also be useful.


I delisted my IP, but it keeps getting listed again. Why?
The IP is being re-listed because the detected problem has not been corrected, and we continue to see activity that indicates that the the IP or one or more devices behind it are insecure, compromised, or infected.

Please see the previous entry for possible solutions.


I get error messages that I'm blocked by XBL, but when I check my IP on your site it's not listed. Why?
In this situation is it probable that the IP had been blocked by XBL, but has been recently removed.
  • Data regarding XBL listings are handled by DNS servers all over the Internet, and are cached at mail servers. These can take a little time to update as some systems are faster than others. Please give the issue a couple hours to resolve.
NOTE: If your IP was listed on the XBL, it happened because XBL received either spam or a virus directly from the IP. If the problem that caused the listing is not resolved, the IP will re-list the next time it makes a connection to us.



XBL USAGE QUESTIONS


What do the different return codes in the XBL mean?
The DNS return code (127.0.0.?) denotes the source of the data in the XBL or the SBL-XBL and ZEN combined zones. Only one code is currently used by XBL:

Return Codes Data Source
127.0.0.4 XBL

In the past, 127.0.0.5 was assigned to NJABL listings and 127.0.0.6 to OPM listings; these codes are no longer in use at this time. 127.0.0.5, 127.0.0.6 and 127.0.0.7 remain allocated to XBL for possible future use.


Should providers use the XBL to block their own users?
Providers should not use the XBL to block their own users, or to deny access to web-forums, journals or blogs.
  • If the same hosts are used for both incoming email and outgoing (smarthosted) email, connections using SMTP authentication should be exempted from XBL checks.
  • End users are often on dynamic IP addresses: a user may be assigned an IP address from their provider that is listed in the XBL because of the situation of a previous user of that IP address.
  • The XBL can be used to alert an ISP's security department when a user's IP is in the XBL, but should only be used as an "informational" alert.


How often is the XBL zone updated?
The SBL DNS zone is rebuilt and reloaded every 5 minutes, 24/7, to ensure that new spam problems are swiftly blocked and that fixed problems are swiftly removed.
  • To ensure high redundancy, Spamhaus has over 80 public DNSBL mirror servers located around the world.
  • All respond in realtime to public queries.


Can IPs or ranges be nominated for inclusion?
No. The XBL is an automatic system whose detectors need to receive email (spam, worms, etc.) directly from the IP address so the connection data can be analysed to determine if it's a proxy or virus-spewer. There is no way for third parties to add IP addresses to the XBL.


Using SpamAssassin and Rspamd with Spamhaus data
We have developed our datasets with the final goal of being the most compatible with existing software. The two biggest open source antispam projects are SpamAssassin and Rspamd.

To show the best way to use our data with these products, we have created two dedicated Github projects. The projects contain instructions, rulesets, and code to make the best out of our DQS product.



How does XBL handle IPv6 addresses?

XBL lists /64 subnets of IPv6 addresses.

  • IPv6: XBL lists "/64" or larger CIDR blocks.
    • A very large number of spam-emitting IPv6 addresses in different /64 blocks within the same network could cause listings to extend to larger blocks.
    • Without such extensions/aggregations, the IPv6 zone size could become unworkably large.
    • Various strategies used by spammers to game the system are made much more difficult by the use of aggregated blocks rather than single "/128" IPs.
A "/64" is the industry standard for the smallest IPv6 allocation to individual customers, even for home-uses like cable, DSL or wireless.
  • For ISPs which follow standard industry practices, XBL IPv6 listings will only affect a single customer.
  • The "/64" choice has RFC4291 as its origin and it is further discussed in RFC6177
  • More technical reasons for choosing /64 customer assignments, at minimum, are discussed in a post on Etherealmind.com, on Slash64.net, and in M3AAWG document "Policy Issues for Receiving Email in a World with IPv6 Hosts."
IPV6 allocation information quoted from the Regional Internet Registries (RIRs) documentation:
  • AFRINIC, IPv6 Address Allocation and Assignment Policy | AFPUB-2013-v6-001
    6.4.1. Assignment address space size:
    • "Assignments are to be made using the following guidelines:
      • /48 in the general case, except for very large subscribers.
      • /64 when it is known that one and only one subnet is needed by design
      • /128 when it is absolutely known that one and only one device is connecting."
  • APNIC, APNIC guidelines for IPv6 allocation and assignment requests
    10.1. LIR assignments to end sites:
    • "An LIR can assign a /64 to /48 to an end site customer network based on their requirements. The following guidelines may be useful:
      • /64 where it is known that only one subnet is required.
      • /56 for small sites where it is expected only a few subnets will be required within the next two years. Subscribers can receive a /56 when connecting through on-demand or always-on connections such as small office and home office enterprises.
      • /48 for larger sites, or if an end site is expected to grow into a large network."
  • ARIN, Your First IPv6 Request
    • Step 2: Determine Your Block Size:
      "IPv6 block size is based on the number and size of subnets to be assigned to customers, not on the number of IP addresses required by customers. ISPs will typically assign one subnet (/48 or smaller) to each customer. The default /32 minimum allocation is sufficient for many ISPs since it contains 65,536 /48 subnets to assign to customers. ISPs may also opt to request a smaller /36 allocation."
  • LACNIC, IPv6 Address Allocation and Assignment Policies
    • 4.5.3.1 - Assignment address space size:
      "End sites or users must be assigned a prefix that is a multiple of "n" /64’s which must be enough to meet their current and planned needs, considering existing protocols and future possibilities and thus avoiding possible renumbering scenarios."
      • The size of the prefix to be assigned is an operational decision of the LIR/ISP, although the selection of /48s is recommended for simpler and more functional infrastructure for all the endpoints of the network.
      • Persistent prefix assignments are recommended to avoid undesired failures.
      • Using a /64 prefix for point-to-point with GUAs is recommended."
  • RIPE, Best Current Operational Practice for Operators: IPv6 prefix assignment for end-users - persistent vs non-persistent, and what size to choose
    • 4.2. Prefix assignment options:
      "A single network at a customer site will be a /64. At present, RIR policies permit assignment of a /48 per site, so the possible options when choosing a prefix size to delegate are /48, /52, /56, /60 and /64. However, /64 is not sustainable, it doesn't allow customer subnetting, and it doesn't follow IETF recommendations of “at least” multiple /64s per customer. Moreover, future work within the IETF and recommendations from RFC 7934 (section 6) allow the assignment of a /64 to a single interface (https://tools.ietf.org/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-07)."
  • RIPE, IPv6 Address Allocation and Assignment Policy
    • 5.4.1 Assignment address space size:
      "End Users are assigned an End Site assignment from their LIR or ISP. The size of the assignment is a local decision for the LIR or ISP to make, using a value of "n" x /64. Section 4.2 of ripe-690 provides guidelines about this."
Customers of providers that assign different customers within the same /64 block should contact their provider's support, ask for a dedicated /64 assignment, and move mail service to a non-shared /64 range.

NOTE: Linode customers should read this document, then open a ticket to get their own /64.


© 1998-2021 The Spamhaus Project SLU. All rights reserved.
Legal  |  Privacy