abuse.ro
reputation databases
abuse.ro is a collection of classification and reputation databases for public IP addresses and web domains.
Important!
On 2024.11.10 04:00 - 05:00 UTC we will perform maintenance operations on the RBL, changing the IP address from 188.209.212.254 to 93.113.28.254. Although we planned the change in fine details, during this period the RBL may become unresponsive. Thank you for your patience!
By design, abuse.ro neither does block email, nor operates a database of personal data. It only provides a list of IP addresses and domains that we consider probable sources of spam.
Operators of email servers may or may not use that information to classify or block the actual messages.
Do not send us requests to delist your email address!
We publish the following realtime lists:
IP addresses
rbl.abuse.ro
for spam sending IPs/classespbl.abuse.ro
for non-mta, residential IPs
Domains
uribl.abuse.ro
for spamvertized domainsdbl.abuse.ro
for spam sending domains
DNS response codes
Following are the DNS responses:
| List | Response | Description | Recommended action |
|---|---|---|---|
| rbl.abuse.ro | 127.0.0.2 | spam sending IP | reject message |
| rbl.abuse.ro | 127.0.0.3 | abused or infected IP | reject message |
| rbl.abuse.ro | 127.0.0.4 | spam sending class | reject message |
| pbl.abuse.ro | 127.0.0.9 | residential* end-user IP block | analyze further |
| uribl.abuse.ro | 127.0.0.2 | heavily spamvertized domain | set spam score to a high value |
| uribl.abuse.ro | 127.0.0.4 | spamvertized domain | set spam score to a moderate value |
| uribl.abuse.ro | 127.0.0.9 | dynamic domain** | set spam score to a low-moderate value |
* residential IPs are dynamically allocated by ISPs to home users and should never send emails directly, but through a registered email server. Use with care, mainly for further scoring, not blocking
** dynamic DNS domains like afraid.org; while good for testing purposes, these domains are easily abused for spam
Using the lists
rbl.abuse.ro, pbl.abuse.ro
Just point your email server to use rbl.abuse.ro for SMTP IP verification.
In Postfix, you have to modify the main.cf configuration file:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
...
reject_unauth_destination,
reject_rbl_client rbl.abuse.ro,
reject_rbl_client pbl.abuse.ro,
...
Note: the above example also uses pbl.abuse.ro to reject emails. Please note that IPs in pbl.abuse.ro are not listed for spam, but due to their dynamic assignment!
If you want to reject the email messages based on the response codes, here is an example:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
...
reject_unauth_destination,
reject_rbl_client rbl.abuse.ro=127.0.0.[2..3],
...
In this case, we will reject only the IPs listed at rbl.abuse.ro (code 127.0.0.2 and 127.0.0.3) but not the networks (code 127.0.0.4)
For other antispam tools (lite postscreen), please look at the product's manual for dnsbl implementation.
uribl.abuse.ro
In order to use uribl.abuse.ro within your email environment you need the following prerequisites:
- your own email server (doh!)
- administrative access to your mail server (root access or full managed services);
- Spamassassin installed and working;
- access your server (SSH or direct console)
- go to your SpamAssassin config folder
in CentOS is /etc/mail/spamassassin - define a new file called abuse.ro.conf
- copy and paste the following code in the file
- save the file
- restart the spamassassin daemon
#############################################################################
# SpamAssasin configuration for Romanian spamvertized domains: uribl.abuse.ro
# version 1.0 2016-09-20
#############################################################################
## blacklisted domains
#############################################################################
urirhssub URIBL_RO_BLACK uribl.abuse.ro. A 2
body URIBL_RO_BLACK eval:check_uridnsbl('URIBL_RO_BLACK')
describe URIBL_RO_BLACK Contains a blacklisted domain
tflags URIBL_RO_BLACK net
# set the score as per desired behaviour
score URIBL_RO_BLACK 10.0
## greylisted domains
#############################################################################
urirhssub URIBL_RO_GREY uribl.abuse.ro. A 4
body URIBL_RO_GREY eval:check_uridnsbl('URIBL_RO_GREY')
describe URIBL_RO_GREY Contains a greylisted domain
tflags URIBL_RO_GREY net
# set the score as per desired behaviour
score URIBL_RO_GREY 8.0
## dynamic DNS domains
#############################################################################
urirhssub URIBL_RO_DYNDNS uribl.abuse.ro. A 9
body URIBL_RO_DYNDNS eval:check_uridnsbl('URIBL_RO_DYNDNS')
describe URIBL_RO_DYNDNS Contains a dynamic dns domain
tflags URIBL_RO_DYNDNS net
# set the score as per desired behaviour
score URIBL_RO_DYNDNS 5.0
dbl.abuse.ro
Just point your email server to use dbl.abuse.ro for RHSBL verification.
In Postfix, you have to modify the main.cf configuration file:
smtpd_sender_restrictions =
...
reject_rhsbl_sender dbl.abuse.ro,
...
Frequently Asked Questions
What are these terms, spam, spamtraps, IP address owner ?
As per our understanding, we classify as spam any unsolicited email (e.g any mail sent without having the recipient's express consent).
Spamtraps are usually e-mail addresses that are created not for communication, but rather to lure spam. In order to prevent legitimate email from being invited, the e-mail address will typically only be published in a location hidden from view such that an automated e-mail address harvester (used by spammers) can find the email address, but no sender would be encouraged to send messages to the email address for any legitimate purpose. Since no e-mail is solicited by the owner of this spamtrap e-mail address, any e-mail messages sent to this address are immediately considered unsolicited.
We have defined a set of spamtraps and we solely rely on these addresses in building the lists; all spamtraps are secret, except the public one contact@abuse.ro.
By IP block owner we understand the contact listed as Administrative contact at RIPE.
How is an IP address listed?
If we capture a message in our spamtraps and the sending host is deemed suspicious and/or spam focused, the listing may be immediate. If the sending host is a shared mail server with likely significant non-spam-related use, we may give the operator some time to fix the problem.
If an operator is known to support spam or if they have previous listings, we reserve the right to list addresses immediately.
Neighbor IP addresses may be listed if they appear to be related to the primary listed IP address and likely sources of similar spam.
The last IP address before destination in the email headers is listed into rbl.abuse.ro list.
Sender domains are analyzed and if confirmed to be not spoofed, are listed into dbl.abuse.ro list
Spamvertized domains (including those indirectly linked through services like bit.ly) are listed into uribl.abuse.ro list
How can I delist my IP address?
Delisting is strictly manually, follow the procedure below:
Step #1: Confirm if your IP is really listed
Do not entirely rely on 3rd party tools, always verify directly!
Let's suppose that your IP address is 10.11.12.13, this is how you verify:
If you are using Windows, open a command prompt window and type:
nslookup 13.12.11.10.rbl.abuse.ro
(note the reverse order of numbers in the IP format in front of "rbl.abuse.ro")
C:\Users\alex nslookup 13.12.11.10.rbl.abuse.ro
...
Addresses: 127.0.0.2
If you are using Linux, open a terminal window and type:
dig 13.12.11.10.rbl.abuse.ro
(note the reverse order of numbers in the IP format in front of "rbl.abuse.ro")
[alex@linux ~]$ dig 13.12.11.10.rbl.abuse.ro
...
;; ANSWER SECTION:
13.12.11.10.rbl.abuse.ro. 3600 IN A 127.0.0.2
If one of the DNS response codes is shown on the screen, your IP is listed!
Step #2: Make sude you are no longer sending spam
Check your environment and make sure that no spam or other unsolicited email messages are being send from the listed IP address
Actions may include one or more of the following:
- remediate infected mailboxes
- if you send newsletters, remove subscribers that haven't clearly opted in for it
Step #3: Make sure you (or your company) owns the IP block
If you don't know how to check, most probably you are not the IP address owner, contact your email provider
Step #4: Send an email message to admin [@] abuse.ro with subject: "Delist IP: 10.11.12.13"
After we receive a notification from the IP block owner about clearing the problem, IP addresses will be delisted. Prior delisting, we might ask for further evidences that the flow of spam has actually stopped. If the operator continues to provide support services (such as webhosting) for the spammer, delisting might be delayed as a safety precaution.
In order to delist a domain, a notification must be sent from the postmaster address (e.g. postmaster@domain.tld) to our contact address, with evidences that spam flow has been stopped. We might verify the address by sending back a confirmation message and asking for a response.
Old listings may be seldom rechecked and delisted if they no longer seem to be likely sources of spam.
Why do you block my email address?
We do not block anything! We just make public a list of IP addresses and internet domains detected to send spam. It is solely the recipient's decision to configure our list in the email server and filter or block offending messages
I am not sending spam, but my messages are still being rejected
Please contact your email provider first!
It is very possible that your email server's IP address to be shared by multiple senders (e.g. Gmail, Yahoo) and abused by others.
MX Toolbox shows my IP as listed at abuse.ro but I am not sending spam, why are you listing me?
Always ask for a second opinion, manually check your IP and/or domain using two or even more tools. See also https://multirbl.valli.org to check the presence in RBLs
Contact us
At this moment the only way to contact us is sending a message to admin [at] abuse.ro.
However, if you are not the IP address or domain owner, it is very little chance you'll get a response.