The Abuseat CBL (Composite Blocking List) is a part of Spamhaus and runs on their infrastructure. The list is made up of IP addresses that upon connection have exhibited characteristics indicative of infection, open proxies, or botnets. The source of the data is large installations of mail servers, of which some are pure spam trap servers, and the CBL does not accept external submissions for entry into the list.
Listings are done on a single IP level, never for ranges of IP addresses. The CBL is designed to avoid listings of legitimate mail servers sending the occasional spam, except for in some few instances of severe misconfiguration that make it look like the server is infected. As such the likelihood of being listed is, in general, low.
Reason for listing
IPs can be listed for:
- Being infected with a virus or worm that causes it to send spam
- Acting as an open proxy that facilitates the sending of spam
- Being used in a botnet
Being listed on the CBL does not necessarily mean that the sender is maliciously spamming, but could be an indicator of a compromise that needs to be addressed.
Entries on the list expire automatically after a set period of time. If you do not want to wait, delisting can be requested by first looking up the affected IP using the Spamhaus Reputation Checker, and following instructions from there for delisting. In some cases the lookup will also provide information about the listing, however, there is no option to reach out for specific information about why an IP was listed.
For the Abuseat CBL in particular, delisting is automated and normally takes place quickly. However, as with all delistings, the underlying issue needs to be addressed prior to delisting, otherwise relisting will take place upon new occurrences of the same behavior.