CBL Index
Encyclopedia
The CBL Index is a ratio between the number of IP addresses in a given IP subnet (Subnetwork
) to
the number of CBL
(Composite Blocking List
) listings in the subnet. It may
be used to measure how "clean" (of compromised computers) a given subnet is.
The higher the number is, the "cleaner" the subnet.
The CBL index may be represented in Decibel
s (dB
) or as CIDR suffix (*/xx).
Note: other spam researchers prefer to use a percentage of IPs that are
listed in a subnet. Using percentages is better suited for "unclean" subnets
because "clean" nets have significantly less than 1% of addresses listed.
DNSBL
(Composite Blocking List
) lists IP addresses that are compromised by a virus or spam sending infection (computer worm
, computer virus
, or spamware
).
The CBL's full zone (data) is available publicly via rsync for download,
you are encouraged to register for it - see http://cbl.abuseat.org for more detail.
The CBL Index is a reasonably good tool for getting estimates of subnet "outgoing spam reputation".
The CBL Index should be treated with caution - subnets often contain IPs
with radically different purposes. Assuming all IPs within a subnet
represent the same risk/reputation is potentially dangerous.
The CBL Index may be used for estimation of overall anti-spam performance of ISP or AS
operator.
zone dated 2007-07-07T21:03+00:00 there was 166_086 IP addresses listed from 83.0.0.0/11 network.
The CBL Index for the net was:
2_097_152/166_086 = 12.6 (*/28.3 ; 11.0 dB)
2_097_152 - number of IP addresses in */11 network (2**(32-11))
Subnetwork
A subnetwork, or subnet, is a logically visible subdivision of an IP network. The practice of dividing a network into subnetworks is called subnetting....
) to
the number of CBL
Composite Blocking List
In computer networking, the Composite Blocking List is a DNS-based Blackhole List of suspected E-mail spam sending computer infections.The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics such as:* Open proxies of various sorts...
(Composite Blocking List
Composite Blocking List
In computer networking, the Composite Blocking List is a DNS-based Blackhole List of suspected E-mail spam sending computer infections.The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics such as:* Open proxies of various sorts...
) listings in the subnet. It may
be used to measure how "clean" (of compromised computers) a given subnet is.
The higher the number is, the "cleaner" the subnet.
The CBL index may be represented in Decibel
Decibel
The decibel is a logarithmic unit that indicates the ratio of a physical quantity relative to a specified or implied reference level. A ratio in decibels is ten times the logarithm to base 10 of the ratio of two power quantities...
s (dB
Decibel
The decibel is a logarithmic unit that indicates the ratio of a physical quantity relative to a specified or implied reference level. A ratio in decibels is ten times the logarithm to base 10 of the ratio of two power quantities...
) or as CIDR suffix (*/xx).
Note: other spam researchers prefer to use a percentage of IPs that are
listed in a subnet. Using percentages is better suited for "unclean" subnets
because "clean" nets have significantly less than 1% of addresses listed.
Rationale
The CBLComposite Blocking List
In computer networking, the Composite Blocking List is a DNS-based Blackhole List of suspected E-mail spam sending computer infections.The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics such as:* Open proxies of various sorts...
DNSBL
DNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
(Composite Blocking List
Composite Blocking List
In computer networking, the Composite Blocking List is a DNS-based Blackhole List of suspected E-mail spam sending computer infections.The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics such as:* Open proxies of various sorts...
) lists IP addresses that are compromised by a virus or spam sending infection (computer worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
, computer virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
, or spamware
Spamware
Spamware is software designed by or for spammers. Spamware varies widely, but may include the ability to import thousands of addresses, to generate random addresses, to insert fraudulent headers into messages, to use dozens or hundreds of mail servers simultaneously, and to make use of open relays....
).
The CBL's full zone (data) is available publicly via rsync for download,
you are encouraged to register for it - see http://cbl.abuseat.org for more detail.
The CBL Index is a reasonably good tool for getting estimates of subnet "outgoing spam reputation".
The CBL Index should be treated with caution - subnets often contain IPs
with radically different purposes. Assuming all IPs within a subnet
represent the same risk/reputation is potentially dangerous.
The CBL Index may be used for estimation of overall anti-spam performance of ISP or AS
Autonomous system (Internet)
Within the Internet, an Autonomous System is a collection of connected Internet Protocol routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet....
operator.
Example
In CBLComposite Blocking List
In computer networking, the Composite Blocking List is a DNS-based Blackhole List of suspected E-mail spam sending computer infections.The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics such as:* Open proxies of various sorts...
zone dated 2007-07-07T21:03+00:00 there was 166_086 IP addresses listed from 83.0.0.0/11 network.
The CBL Index for the net was:
2_097_152/166_086 = 12.6 (*/28.3 ; 11.0 dB)
2_097_152 - number of IP addresses in */11 network (2**(32-11))