How to remove an IP from the CBL (Composite Blocking List)

Today I was introduced to something called the CBL, or the Composite Blocking List. This is one of several Spamhaus projects that’s there to make sure IP’s are blacklisted when they’re sending spam.

You can check if your IP’s are OK at http://www.spamhaus.org/lookup/

The CBL is a separate website in which you can also lookup IPs. Spamhaus will tell you if that’s the case and direct you to the CBL here: http://www.abuseat.org/lookup.cgi

Even though my IP was otherwise fine, it was listed in the CBL, and Yahoo kindly made me aware of this as part of an error message I’ve received when trying to send an email. If ever there is an email problem in CentOS, the first place to look is /var/log/maillog. Here’s Yahoo’s very helpful explanation: https://help.yahoo.com/kb/postmaster/SLN5070.html

Turns out that the hostname was not setup yet, so the box would respond as localhost.localdomain. That’s a big fat no-no as far as the CBL people are concerned. Here’s CBL’s explanation:

This IP address is HELO’ing as “localhost.localdomain” which violates the relevant standards (specifically: RFC5321).

The CBL does not list for RFC violations per-se. This _particular_ behaviour, however, correlates strongly to spambot infections. In other words, out of thousands upon thousands of IP addresses HELO’ing this way, all but a handful are infected and spewing junk. Even if it isn’t an infection, it’s a misconfiguration that should be fixed, because many spam filtering mechanisms operate with the same rules, and it’s best to fix it regardless of whether the CBL notices it or not.

So what’s HELO’ing?

HELO seems to be what a server identifies itself as when it sends an email. And without a proper hostname, localhost.localdomain gets us an immediate blacklist entry.

There is an easy link to de-list the IP in question at the bottom of the CBL page, but it says that we obviously need to fix the problem so that our server passes the test next time. That’s a little tricker.

How do we test what the server HELO’s as?

CBL suggest to send an email to helocheck@abuseat.org, as explained in this article: http://www.abuseat.org/helocheck.html

The mail will be rejected immediately, but in the rejection we’ll find how the server HELO’d back.

Testing this sounds easier than it actually is: this particular server wasn’t setup to be a mail server, and sendmail wasn’t installed. I wanted to keep it that way too. Thankfully, there’s telnet! If it’s not installed, “yum install telnet” will do the trick – it’s a really lightweight package and you can remove it if you don’t need it after the test.

Let’s use telnet to send an email. Each command will wait for another response:

telnet localhost smtp

Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 example.com ESMTP Postfix

mail from:hello@example.com
250 2.1.0 Ok

rcpt to: helocheck@abuseat.org
250 2.1.5 Ok

data
354 End data with .
This is a test.

.
250 2.0.0 Ok: queued as EBDDEB14D47

quit
221 2.0.0 Bye
Connection closed by foreign host.

After quitting telnet, we even get a notification back telling us that something didn’t work. That’s probably the email rejection – as expected. Let’s have a look in /var/log/maillog again to see how the server HELO’d this time:

EBDDEB14D47: to=, relay=mail.abuseat.org[54.93.50.35]:25, delay=106, delays=104/0.01/0.92/0.39, dsn=5.0.0, status=bounced (host mail.abuseat.org[54.93.50.35] said: 550 *** The HELO for IP address 12.34.56.78 was 'example.com' (valid syntax) *** (in reply to RCPT TO command))

Alright! It worked! We’ve verified how the server responded this time. Now it’s time to hit the de-blacklist button and wait a day or so until the internet catches up with this new information.

Feel free to send emails in any way you please of course. There are many other reasons why your IP may end up on the CBL – but the hostname is truly an easy fix, if you know what to do about it.