abuse.ro

reputation databases

Abuse.ro is a collection of classification and reputation databases for IP addresses and domains.

Important!
abuse.ro by itself neither blocks email nor operates a database of personal data. It only provides a list of IP addresses and domains that we consider probable sources of spam. Operators of mail servers may or may not use that information to classify or block the actual messages.

We publish the following realtime lists:

IPs
  • rbl.abuse.ro for spam sending IPs/classes
Domains and URLs
  • uribl.abuse.ro for spamvertized domains
  • dbl.abuse.ro for spam sending domains

Using the lists

rbl.abuse.ro

Just point your email server to use rbl.abuse.ro for SMTP IP verification.
In Postfix, you have to modify the main.cf configuration file:

smtpd_recipient_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	...
	reject_rbl_client rbl.abuse.ro,
	...
									

Following are the DNS responses:

Returned IP   Description                Recommended action
127.0.0.2     spam sending IP            block
127.0.0.4     spam sending class         block
127.0.0.9     residential* end-user IP   block analyze further

* Residential IPs are dynamically allocated by ISPs to home users and should never send email directly, only through a registered email server; use with care, possibly just for scoring, not blocking
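
Added example (not part of the original abuse.ro page and not the project's own code): how a client builds the rbl.abuse.ro query name for an IPv4 address and maps the return codes above to an action. The function names, the "score" mapping for 127.0.0.9 (taken from the footnote) and the sample answers are assumptions made for illustration.

```python
import ipaddress
import socket

ZONE = "rbl.abuse.ro"
# Return codes from the table above; 127.0.0.9 is mapped to "score" per the footnote.
ACTIONS = {"127.0.0.2": "block", "127.0.0.4": "block", "127.0.0.9": "score"}

def query_name(client_ip, zone=ZONE):
    """DNSBL query name: IPv4 octets reversed, then the zone (ValueError on bad input)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """All A records for name; [] when it does not resolve (not listed, or DNS failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # fail open: a DNS outage must not reject all mail
        return []

def smtp_decision(client_ip, resolve=system_resolver):
    """Map the list's answers to reject / score / accept."""
    actions = set()
    for answer in resolve(query_name(client_ip)):
        # Answers outside the documented codes (for example from a resolver that
        # rewrites NXDOMAIN) are ignored instead of being treated as a listing.
        actions.add(ACTIONS.get(answer, "ignore"))
    if "block" in actions:
        return "reject"
    if "score" in actions:
        return "score"
    return "accept"

# Constructed sample answers (not real listings); 192.0.2.0/24 is a documentation range.
SAMPLE = {
    "10.2.0.192.rbl.abuse.ro": ["127.0.0.2"],
    "77.2.0.192.rbl.abuse.ro": ["127.0.0.9"],
    "99.2.0.192.rbl.abuse.ro": ["203.0.113.5"],
    "50.2.0.192.rbl.abuse.ro": ["127.0.0.9", "127.0.0.4"],
}

def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed SAMPLE data."""
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.77", "192.0.2.99", "192.0.2.50", "192.0.2.1"):
        print(ip, query_name(ip), smtp_decision(ip, sample_resolver))
```

In Postfix, reject_rbl_client rbl.abuse.ro without a =d.d.d.d filter rejects on any A record, including 127.0.0.9; reject_rbl_client rbl.abuse.ro=127.0.0.2 limits rejection to a single code.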

uribl.abuse.ro

In order to use uribl.abuse.ro within your email environment you need the following prerequisites:

  • your own email server (doh!)
  • administrative access to your mail server (root access or fully managed services)
  • SpamAssassin installed and working

  1. access your server (SSH or direct console)
  2. go to your SpamAssassin config folder
    (on CentOS this is /etc/mail/spamassassin)
  3. create a new file called abuse.ro.conf
  4. copy and paste the following code into the file
  5. save the file
  6. restart the SpamAssassin daemon

# SpamAssassin configuration for Romanian spamvertized domains: uribl.abuse.ro
# version 1.0 2016-09-20
## blacklisted domains
#####################################################################################
urirhssub       URIBL_RO_BLACK  uribl.abuse.ro.        A   2
body            URIBL_RO_BLACK  eval:check_uridnsbl('URIBL_RO_BLACK')
describe        URIBL_RO_BLACK  Contains a blacklisted URL at uribl.abuse.ro
tflags          URIBL_RO_BLACK  net
# set the score as per desired behaviour
score           URIBL_RO_BLACK  10.0

## greylisted domains
#####################################################################################
urirhssub       URIBL_RO_GREY   uribl.abuse.ro.        A   4
body            URIBL_RO_GREY   eval:check_uridnsbl('URIBL_RO_GREY')
describe        URIBL_RO_GREY   Contains a greylisted URL at uribl.abuse.ro
tflags          URIBL_RO_GREY   net

# set the score as per desired  behaviour
score           URIBL_RO_GREY   8.0

## dynamic DNS domains
#####################################################################################
urirhssub       URIBL_RO_DYNDNS   uribl.abuse.ro.        A   9
body            URIBL_RO_DYNDNS   eval:check_uridnsbl('URIBL_RO_DYNDNS')
describe        URIBL_RO_DYNDNS   Contains a dynamic dns URL listed at uribl.abuse.ro
tflags          URIBL_RO_DYNDNS   net

# set the score as per desired  behaviour
score           URIBL_RO_DYNDNS   5.0
									

Following are the DNS responses from uribl.abuse.ro:

Returned IP   Description                   Recommended score
127.0.0.2     heavily spamvertized domain   10.0
127.0.0.4     spamvertized domain           8.0
127.0.0.9     dynamic* DNS domain           5.0

* dynamic DNS domains like afraid.org; while good for testing purposes, these domains are easily abused for spam

dbl.abuse.ro

Just point your email server to use dbl.abuse.ro for RHSBL verification.
In Postfix, you have to modify the main.cf configuration file:

smtpd_sender_restrictions =
	...
	reject_rhsbl_sender dbl.abuse.ro,
	...
									

Policy

Definitions

As we understand it, we classify as spam any unsolicited email (e.g. any mail sent without the recipient's express consent).

Spamtraps are usually e-mail addresses that are created not for communication, but rather to lure spam. In order to prevent legitimate email from being invited, the e-mail address will typically only be published in a location hidden from view such that an automated e-mail address harvester (used by spammers) can find the email address, but no sender would be encouraged to send messages to the email address for any legitimate purpose. Since no e-mail is solicited by the owner of this spamtrap e-mail address, any e-mail messages sent to this address are immediately considered unsolicited.
We have defined a set of spamtraps and we solely rely on these addresses in building the lists; all spamtraps are secret, except the public one contact@abuse.ro.

By IP block owner we understand the contact listed as Administrative contact at RIPE.

Getting listed

If we capture a message in our spamtraps and the sending host is deemed suspicious and/or spam focused, the listing may be immediate. If the sending host is a shared mail server with likely significant non-spam-related use, we may give the operator some time to fix the problem.

If an operator is known to support spam or if they have previous listings, we reserve the right to list addresses immediately.

Neighbor IP addresses may be listed if they appear to be related to the primary listed IP address and likely sources of similar spam.

The last IP address before the destination in the email headers is listed in the rbl.abuse.ro list.

Sender domains are analyzed and, if confirmed not to be spoofed, are listed in the dbl.abuse.ro list.

Spamvertized domains (including those indirectly linked through services like bit.ly) are listed in the uribl.abuse.ro list.

Delisting

Delisting is strictly manual.

After we receive a notification from the IP block owner that the problem has been cleared, the IP addresses will be delisted. Prior to delisting, we might ask for further evidence that the flow of spam has actually stopped. If the operator continues to provide support services (such as webhosting) for the spammer, delisting might be delayed as a safety precaution.

In order to delist a domain, a notification must be sent from the postmaster address (e.g. postmaster@domain.tld) to our contact address, with evidence that the spam flow has been stopped. We might verify the address by sending back a confirmation message and asking for a response.

Old listings may, on rare occasions, be rechecked and delisted if they no longer seem to be likely sources of spam.

Contact us

At this moment the only way to contact us is by sending a message to admin [at] abuse.ro.