Mailservers can be configured to block connections from IPs that are listed on the XBL. Routers can also be configured to prevent XBL-listed computers from accessing their networks. By blocking connections from compromised computers, the Spamhaus XBL helps to reduce the distribution of malware and spam and can be used to mitigate DDoS attacks.
XBL (Exploits Block List) is the Spamhaus name for the list built from its Composite Block List (CBL) data. The CBL team uses automated tools to observe SMTP connections to a very large number of mailservers and spam traps. Any IP address that exhibits behaviour consistent with malware infection or botnet command-and-control activity is added to the XBL.
The XBL lists individual IP addresses rather than address ranges or whole networks: a listing means that a specific host was observed connecting to mailservers or spam traps and sending mail consistent with infection. Note that a single listed address can stand for many hosts when it is a shared NAT or proxy egress, so every machine behind it inherits the block. Because detection is SMTP-based, the XBL only lists addresses that attempt to send malicious spam; an IP address that is not used to send email will not appear in the XBL, even if it is involved in other malicious activity.
An IP address can be removed from the XBL quickly once the malware has been cleaned from the device, and listings otherwise expire automatically after 72 hours; a host that is still infected will simply be relisted the next time it is observed. XBL is also served as part of the combined Spamhaus DNS-based block list (DNSBL) zone Zen, which comprises SBL, XBL and PBL (see Spamhaus Zen).
How Spamhaus XBL works:
The mailserver's DNSBL feature is configured to query xbl.spamhaus.org whenever a remote IP address connects to deliver email. The lookup is a plain DNS A query: the client's address is reversed (octet by octet for IPv4) and appended to the zone, so a connection from, for example, 203.0.113.7 produces a query for 7.113.0.203.xbl.spamhaus.org. An answer in 127.0.0.0/8 (127.0.0.4 to 127.0.0.7 for XBL data) means the address is listed; no record (NXDOMAIN) means it is not. System administrators can configure the mailserver to take one of the following actions when the connecting address is listed:
- Refuse the connection and reject delivery of the email message
- Accept the connection, but save the email in a system spam folder
- Accept the connection but tag the email as **SPAM** and deliver it to the recipient, to enable them to decide whether the message is legitimate (a false positive)
- Accept the connection, but silently drop the email message (no bounce is generated, so a false positive is invisible to both sender and recipient)
- Tar pitting: slow down senders that push many messages through one connection, for example by adding a 2 second delay to every message after the first 20. Applied to 10,000 messages that is 9,980 × 2 s, roughly five and a half hours, which makes bulk sending from a listed host impractical.
- Apply whatever other policy the systems administrator has defined
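The lookup and policy steps described above, as an added example (this is not Spamhaus code and not from the original page): it builds the reversed-address query name, interprets the answer using the return codes Spamhaus documents for the XBL and Zen zones, and applies one of the listed actions. The tar-pit calculation assumes a fixed delay on every message after an initial allowance. The addresses from 203.0.113.0/24, the FAKE_DNS answers and the SMTP reply text are constructed for the example; the system resolver is only consulted if no resolver is passed in.

```python
"""Minimal DNSBL client logic for Spamhaus XBL / Zen: build the query name,
interpret the answer, and turn it into a mailserver decision."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Return codes documented by Spamhaus for the Zen zone (XBL data is 127.0.0.4-7).
LISTING_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Error signals: the query was wrong, not the sender. Never block on these.
ERROR_CODES: Dict[str, str] = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "query volume exceeds free-use limits",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = "xbl.spamhaus.org") -> str:
    """Reverse the address and append the zone.

    IPv4: octets reversed (203.0.113.7 -> 7.113.0.203.xbl.spamhaus.org).
    IPv6: the 32 hex nibbles reversed, one label each.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def system_resolve(name: str) -> List[str]:
    """Real lookup via the system resolver; NXDOMAIN (not listed) -> []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify(answers: List[str]) -> Tuple[str, str]:
    """Map DNS answers to (verdict, detail); verdict is 'listed', 'clean' or 'error'.

    Errors are reported separately so a misconfigured server fails open
    instead of treating every 127.x answer as a listing and rejecting all mail.
    """
    for a in answers:
        if a in ERROR_CODES:
            return "error", ERROR_CODES[a]
    hits = sorted({LISTING_CODES[a] for a in answers if a in LISTING_CODES})
    if hits:
        return "listed", ",".join(hits)
    return "clean", "no listing"


def decide(client_ip: str, action: str = "reject",
           resolve: Resolver = system_resolve,
           zone: str = "xbl.spamhaus.org") -> Tuple[str, str]:
    """Apply one policy to a connecting client: 'reject', 'quarantine', 'tag' or 'drop'.

    Returns (decision, reason); 'accept' means deliver normally. The 554 reply
    text is this example's own wording, not a fixed Spamhaus or MTA string.
    """
    verdict, detail = classify(resolve(dnsbl_query_name(client_ip, zone)))
    if verdict == "error":
        return "accept", "DNSBL error, failing open: " + detail
    if verdict == "clean":
        return "accept", detail
    if action == "reject":
        return "reject", f"554 5.7.1 {client_ip} listed in {zone} ({detail})"
    return action, f"listed in {zone} ({detail})"


def tarpit_delay(messages: int, free: int = 20, per_message: float = 2.0) -> float:
    """Seconds of tar-pit delay for a session, assuming (our assumption) a fixed
    delay on every message after the first `free`. 10,000 messages at 2 s
    after the first 20 -> 19,960 s, about five and a half hours."""
    return max(0, messages - free) * per_message


# Constructed answers standing in for live DNS so this runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "7.113.0.203.xbl.spamhaus.org": ["127.0.0.4"],        # XBL-listed bot
    "9.113.0.203.xbl.spamhaus.org": ["127.255.255.254"],  # asked via an open resolver
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
        print(ip, decide(ip, "reject", fake_resolve))
```

The error branch is the part worth copying into a real configuration: a listing is only ever 127.0.0.x, and the 127.255.255.x answers mean the lookup itself was refused, which must fail open rather than block the sender.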
How to benefit from XBL
- Spamhaus Technology subscribers with more than 5,000 users can access near real-time XBL updates via rsync
- Spamhaus Technology datafeed subscribers can configure their servers to query a designated datafeed mirror.
- For sites making fewer than 100,000 XBL queries a day, mailservers can be configured to query zen.spamhaus.org or sbl-xbl.spamhaus.org via the public mirrors. The public mirrors require that queries come from the site's own resolver: queries routed through a public/open resolver are answered with 127.255.255.254 instead of a listing, and a mailserver that treats any 127.x answer as a listing would then reject all incoming mail. The other 127.255.255.x answers likewise signal query errors rather than listings.
- Within IT environments where it is not practical to use XBL on a mailserver, anti-spam filters such as SpamAssassin can also be configured to check XBL (SpamAssassin's stock rule set already scores Zen hits).