abuse.ro
reputation databases
abuse.ro is a collection of classification and reputation databases for public IP addresses and web domains.
Important!
By design, abuse.ro neither blocks email nor operates a database of personal data. It only provides a list of IP addresses and domains that we consider probable sources of spam. Operators of email servers may or may not use that information to classify or block the actual messages.
We publish the following realtime lists:
IP addresses
- rbl.abuse.ro for spam sending IPs/classes
- pbl.abuse.ro for non-MTA, residential IPs
Domains
- uribl.abuse.ro for spamvertized domains
- dbl.abuse.ro for spam sending domains
DNS response codes
The lists return the following DNS responses:
List | Response | Description | Recommended action |
---|---|---|---|
rbl.abuse.ro | 127.0.0.2 | spam sending IP | reject message |
rbl.abuse.ro | 127.0.0.3 | abused or infected IP | reject message |
rbl.abuse.ro | 127.0.0.4 | spam sending class | reject message |
pbl.abuse.ro | 127.0.0.9 | residential* end-user IP block | analyze further |
uribl.abuse.ro | 127.0.0.2 | heavily spamvertized domain | set spam score to a high value |
uribl.abuse.ro | 127.0.0.4 | spamvertized domain | set spam score to a moderate value |
uribl.abuse.ro | 127.0.0.9 | dynamic domain** | set spam score to a low-moderate value |
* Residential IPs are dynamically allocated by ISPs to home users and should never send emails directly, but through a registered email server. Use with care, mainly for further scoring, not blocking.
** Dynamic DNS domains like afraid.org; while good for testing purposes, these domains are easily abused for spam.
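The following added example, which is not abuse.ro's own code, looks up an IP address or domain in the lists from the table above and maps each answer to the documented description and recommended action. It assumes the standard DNSBL query encoding (reversed octets prepended to the zone, RFC 5782), which the page does not spell out; the function names and the injectable resolver are illustrative.

```python
import ipaddress
import socket

# (zone, answer) -> (description, recommended action), copied from the table above.
CODES = {
    ("rbl.abuse.ro", "127.0.0.2"): ("spam sending IP", "reject message"),
    ("rbl.abuse.ro", "127.0.0.3"): ("abused or infected IP", "reject message"),
    ("rbl.abuse.ro", "127.0.0.4"): ("spam sending class", "reject message"),
    ("pbl.abuse.ro", "127.0.0.9"): ("residential end-user IP block", "analyze further"),
    ("uribl.abuse.ro", "127.0.0.2"): ("heavily spamvertized domain", "set spam score to a high value"),
    ("uribl.abuse.ro", "127.0.0.4"): ("spamvertized domain", "set spam score to a moderate value"),
    ("uribl.abuse.ro", "127.0.0.9"): ("dynamic domain", "set spam score to a low-moderate value"),
}
IP_ZONES = ("rbl.abuse.ro", "pbl.abuse.ro")


def system_resolver(name):
    """Return the A records for name; NXDOMAIN or a lookup failure counts as not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def query_name(subject, zone):
    """Build the DNS name to look up: reversed octets for IPs, the domain itself otherwise."""
    if zone in IP_ZONES:
        # Assumption: standard DNSBL encoding, e.g. 192.0.2.1 -> 1.2.0.192.<zone>
        reverse = ipaddress.ip_address(subject).reverse_pointer
        subject = reverse.rsplit(".", 2)[0]  # drop "in-addr.arpa" / "ip6.arpa"
    return f"{subject.rstrip('.').lower()}.{zone}"


def check(subject, zone, resolver=system_resolver):
    """Return a list of (answer, description, action); an empty list means not listed."""
    results = []
    for answer in sorted(resolver(query_name(subject, zone))):
        # Answers outside the documented table are reported but never acted on.
        desc, action = CODES.get((zone, answer), ("undocumented response", "ignore"))
        results.append((answer, desc, action))
    return results


if __name__ == "__main__":
    # Constructed sample answers so the example runs offline.
    sample = {"1.2.0.192.rbl.abuse.ro": ["127.0.0.2"], "example.test.uribl.abuse.ro": ["127.0.0.9"]}
    print(check("192.0.2.1", "rbl.abuse.ro", lambda n: sample.get(n, [])))
    print(check("example.test", "uribl.abuse.ro", lambda n: sample.get(n, [])))
```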
Using the lists
rbl.abuse.ro, pbl.abuse.ro
Just point your email server to use rbl.abuse.ro for SMTP IP verification.
In Postfix, you have to modify the main.cf configuration file:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    ...
    reject_unauth_destination,
    reject_rbl_client rbl.abuse.ro,
    reject_rbl_client pbl.abuse.ro,
    ...
Note: the above example also uses pbl.abuse.ro to reject emails. Please note that IPs in pbl.abuse.ro are not listed for spam, but due to their dynamic assignment!
If you want to reject the email messages based on the response codes, here is an example:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    ...
    reject_unauth_destination,
    reject_rbl_client rbl.abuse.ro=127.0.0.[2..3],
    ...
In this case, we will reject only the IPs listed at rbl.abuse.ro (codes 127.0.0.2 and 127.0.0.3) but not the networks (code 127.0.0.4).
For other antispam tools (like postscreen), please look at the product's manual for its DNSBL implementation.
uribl.abuse.ro
In order to use uribl.abuse.ro within your email environment you need the following prerequisites:
- your own email server (doh!);
- administrative access to your mail server (root access or full managed services);
- SpamAssassin installed and working.
Once these are in place:
- access your server (SSH or direct console)
- go to your SpamAssassin config folder (in CentOS it is /etc/mail/spamassassin)
- define a new file called abuse.ro.conf
- copy and paste the following code in the file
- save the file
- restart the spamassassin daemon
#############################################################################
# SpamAssassin configuration for Romanian spamvertized domains: uribl.abuse.ro
# version 1.0 2016-09-20
#############################################################################
## blacklisted domains
#############################################################################
urirhssub URIBL_RO_BLACK uribl.abuse.ro. A 2
body URIBL_RO_BLACK eval:check_uridnsbl('URIBL_RO_BLACK')
describe URIBL_RO_BLACK Contains a blacklisted domain
tflags URIBL_RO_BLACK net
# set the score as per desired behaviour
score URIBL_RO_BLACK 10.0
## greylisted domains
#############################################################################
urirhssub URIBL_RO_GREY uribl.abuse.ro. A 4
body URIBL_RO_GREY eval:check_uridnsbl('URIBL_RO_GREY')
describe URIBL_RO_GREY Contains a greylisted domain
tflags URIBL_RO_GREY net
# set the score as per desired behaviour
score URIBL_RO_GREY 8.0
## dynamic DNS domains
#############################################################################
urirhssub URIBL_RO_DYNDNS uribl.abuse.ro. A 9
body URIBL_RO_DYNDNS eval:check_uridnsbl('URIBL_RO_DYNDNS')
describe URIBL_RO_DYNDNS Contains a dynamic dns domain
tflags URIBL_RO_DYNDNS net
# set the score as per desired behaviour
score URIBL_RO_DYNDNS 5.0
dbl.abuse.ro
Just point your email server to use dbl.abuse.ro for RHSBL verification.
In Postfix, you have to modify the main.cf configuration file:
smtpd_sender_restrictions =
    ...
    reject_rhsbl_sender dbl.abuse.ro,
    ...
Policy
Definitions
As per our understanding, we classify as spam any unsolicited email (e.g. any mail sent without having the recipient's express consent).
Spamtraps are usually e-mail addresses that are created not for communication, but rather to lure spam. In order to prevent legitimate email from being invited, the e-mail address will typically only be published in a location hidden from view such that an automated e-mail address harvester (used by spammers) can find the email address, but no sender would be encouraged to send messages to the email address for any legitimate purpose. Since no e-mail is solicited by the owner of this spamtrap e-mail address, any e-mail messages sent to this address are immediately considered unsolicited.
We have defined a set of spamtraps and we solely rely on these addresses in building the lists; all spamtraps are secret, except the public one contact@abuse.ro.
By IP block owner we understand the contact listed as Administrative contact at RIPE.
Getting listed
If we capture a message in our spamtraps and the sending host is deemed suspicious and/or spam focused, the listing may be immediate. If the sending host is a shared mail server with likely significant non-spam-related use, we may give the operator some time to fix the problem.
If an operator is known to support spam or if they have previous listings, we reserve the right to list addresses immediately.
Neighbor IP addresses may be listed if they appear to be related to the primary listed IP address and likely sources of similar spam.
The last IP address before the destination in the email headers is listed in rbl.abuse.ro.
Sender domains are analyzed and, if confirmed not to be spoofed, are listed in dbl.abuse.ro.
Spamvertized domains (including those indirectly linked through services like bit.ly) are listed in uribl.abuse.ro.
Delisting
Delisting is strictly manual.
After we receive a notification from the IP block owner that the problem has been cleared, IP addresses will be delisted. Prior to delisting, we might ask for further evidence that the flow of spam has actually stopped. If the operator continues to provide support services (such as webhosting) for the spammer, delisting might be delayed as a safety precaution.
In order to delist a domain, a notification must be sent from the postmaster address (e.g. postmaster@domain.tld) to our contact address, with evidence that the spam flow has been stopped. We might verify the address by sending back a confirmation message and asking for a response.
Old listings may occasionally be rechecked and delisted if they no longer seem to be likely sources of spam.
Contact us
At this moment the only way to contact us is sending a message to admin [at] abuse.ro.