abuse.ro

reputation databases

abuse.ro is a collection of classification and reputation databases for public IP addresses and web domains.

Important!

By design, abuse.ro neither blocks email nor operates a database of personal data. It only provides a list of IP addresses and domains that we consider probable sources of spam.
Operators of email servers may or may not use that information to classify or block the actual messages.

Do not send us requests to delist your email address!

We publish the following realtime lists:

IP addresses
  • rbl.abuse.ro
    for spam sending IPs/classes
  • pbl.abuse.ro
    for non-MTA, residential IPs
Domains
  • uribl.abuse.ro
    for spamvertized domains
  • dbl.abuse.ro
    for spam sending domains

DNS response codes

Following are the DNS responses:

| List | Response | Description | Recommended action |
|---|---|---|---|
| rbl.abuse.ro | 127.0.0.2 | spam sending IP | reject message |
| rbl.abuse.ro | 127.0.0.3 | abused or infected IP | reject message |
| rbl.abuse.ro | 127.0.0.4 | spam sending class | reject message |
| pbl.abuse.ro | 127.0.0.9 | residential* end-user IP block | analyze further |
| uribl.abuse.ro | 127.0.0.2 | heavily spamvertized domain | set spam score to a high value |
| uribl.abuse.ro | 127.0.0.4 | spamvertized domain | set spam score to a moderate value |
| uribl.abuse.ro | 127.0.0.9 | dynamic domain** | set spam score to a low-moderate value |

* residential IPs are dynamically allocated by ISPs to home users and should never send emails directly, but through a registered email server. Use with care, mainly for further scoring, not blocking.

** dynamic DNS domains like afraid.org; while good for testing purposes, these domains are easily abused for spam

Using the lists

rbl.abuse.ro, pbl.abuse.ro

Just point your email server to use rbl.abuse.ro for SMTP IP verification.
In Postfix, you have to modify the main.cf configuration file:

smtpd_recipient_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	...
	reject_unauth_destination,
	reject_rbl_client rbl.abuse.ro,
	reject_rbl_client pbl.abuse.ro,
	...

Note: the above example also uses pbl.abuse.ro to reject emails. Please note that IPs in pbl.abuse.ro are not listed for spam, but due to their dynamic assignment!

If you want to reject the email messages based on the response codes, here is an example:

smtpd_recipient_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	...
	reject_unauth_destination,
	reject_rbl_client rbl.abuse.ro=127.0.0.[2..3],
	...

In this case, we will reject only the IPs listed at rbl.abuse.ro (codes 127.0.0.2 and 127.0.0.3) but not the networks (code 127.0.0.4).

For other antispam tools (like postscreen), please look at the product's manual for its DNSBL implementation.
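
Added example (not part of the original page and not abuse.ro's own code): a Python lookup that builds the query name, resolves it, and maps each answer to the description and recommended action from the table above. The function names are hypothetical; querying the domain lists as "domain.zone" follows the usual URIBL convention and is an assumption, as is ignoring any answer outside 127.0.0.0/8 (a resolver artefact rather than a listing).

```python
import ipaddress
import socket

# (zone, answer) -> (description, recommended action), copied from the table above.
CODES = {
    ("rbl.abuse.ro", "127.0.0.2"): ("spam sending IP", "reject message"),
    ("rbl.abuse.ro", "127.0.0.3"): ("abused or infected IP", "reject message"),
    ("rbl.abuse.ro", "127.0.0.4"): ("spam sending class", "reject message"),
    ("pbl.abuse.ro", "127.0.0.9"): ("residential end-user IP block", "analyze further"),
    ("uribl.abuse.ro", "127.0.0.2"): ("heavily spamvertized domain", "high spam score"),
    ("uribl.abuse.ro", "127.0.0.4"): ("spamvertized domain", "moderate spam score"),
    ("uribl.abuse.ro", "127.0.0.9"): ("dynamic domain", "low-moderate spam score"),
}
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def query_name(subject, zone):
    """Build the DNSBL name: reversed octets for an IPv4 address, domain as-is."""
    try:
        ip = ipaddress.IPv4Address(subject)
    except ipaddress.AddressValueError:
        return f"{subject.rstrip('.').lower()}.{zone}"  # assumed domain form
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def system_resolver(name):
    """Return the A records for name; [] if it does not resolve (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN and DNS failures both end up here (fail open)
        return []

def check(subject, zone, resolve=system_resolver):
    """Return (answer, description, action) for every A record received."""
    results = []
    for answer in resolve(query_name(subject, zone)):
        if ipaddress.IPv4Address(answer) not in LOOPBACK:
            # A public address here comes from NXDOMAIN rewriting or a parked
            # zone, not from the list: never reject or score on it.
            results.append((answer, "unexpected answer", "ignore"))
        else:
            desc, action = CODES.get((zone, answer), ("undocumented code", "ignore"))
            results.append((answer, desc, action))
    return results

if __name__ == "__main__":
    # 10.11.12.13 is the example address used on this page; this is a live DNS query.
    print(check("10.11.12.13", "rbl.abuse.ro"))
```

An empty result means the address or domain is not listed in that zone; pass a different resolve function to test the policy against recorded answers.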

uribl.abuse.ro

In order to use uribl.abuse.ro within your email environment you need the following prerequisites:

  • your own email server (doh!)
  • administrative access to your mail server (root access or full managed services)
  • SpamAssassin installed and working

Then follow these steps:

  1. access your server (SSH or direct console)
  2. go to your SpamAssassin config folder
    (on CentOS this is /etc/mail/spamassassin)
  3. create a new file called abuse.ro.conf
  4. copy and paste the following code into the file
  5. save the file
  6. restart the SpamAssassin daemon

#############################################################################
# SpamAssassin configuration for Romanian spamvertized domains: uribl.abuse.ro
# version 1.0 2016-09-20
#############################################################################


## blacklisted domains
#############################################################################
urirhssub       URIBL_RO_BLACK  uribl.abuse.ro.        A   2
body            URIBL_RO_BLACK  eval:check_uridnsbl('URIBL_RO_BLACK')
describe        URIBL_RO_BLACK  Contains a blacklisted domain
tflags          URIBL_RO_BLACK  net

# set the score as per desired behaviour
score           URIBL_RO_BLACK  10.0


## greylisted domains
#############################################################################
urirhssub       URIBL_RO_GREY   uribl.abuse.ro.        A   4
body            URIBL_RO_GREY   eval:check_uridnsbl('URIBL_RO_GREY')
describe        URIBL_RO_GREY   Contains a greylisted domain
tflags          URIBL_RO_GREY   net

# set the score as per desired  behaviour
score           URIBL_RO_GREY   8.0


## dynamic DNS domains
#############################################################################
urirhssub       URIBL_RO_DYNDNS   uribl.abuse.ro.        A   9
body            URIBL_RO_DYNDNS   eval:check_uridnsbl('URIBL_RO_DYNDNS')
describe        URIBL_RO_DYNDNS   Contains a dynamic dns domain
tflags          URIBL_RO_DYNDNS   net

# set the score as per desired  behaviour
score           URIBL_RO_DYNDNS   5.0

dbl.abuse.ro

Just point your email server to use dbl.abuse.ro for RHSBL verification.
In Postfix, you have to modify the main.cf configuration file:

smtpd_sender_restrictions =
	...
	reject_rhsbl_sender dbl.abuse.ro,
	...

Frequently Asked Questions

What are these terms: spam, spamtraps, IP address owner?

As per our understanding, we classify as spam any unsolicited email (e.g. any mail sent without having the recipient's express consent).

Spamtraps are usually e-mail addresses that are created not for communication, but rather to lure spam. In order to prevent legitimate email from being invited, the e-mail address will typically only be published in a location hidden from view such that an automated e-mail address harvester (used by spammers) can find the email address, but no sender would be encouraged to send messages to the email address for any legitimate purpose. Since no e-mail is solicited by the owner of this spamtrap e-mail address, any e-mail messages sent to this address are immediately considered unsolicited.
We have defined a set of spamtraps and we solely rely on these addresses in building the lists; all spamtraps are secret, except the public one contact@abuse.ro.

By IP block owner we understand the contact listed as Administrative contact at RIPE.

How is an IP address listed?

If we capture a message in our spamtraps and the sending host is deemed suspicious and/or spam focused, the listing may be immediate. If the sending host is a shared mail server with likely significant non-spam-related use, we may give the operator some time to fix the problem.

If an operator is known to support spam or if they have previous listings, we reserve the right to list addresses immediately.

Neighbor IP addresses may be listed if they appear to be related to the primary listed IP address and likely sources of similar spam.

The last IP address before the destination in the email headers is listed in the rbl.abuse.ro list.

Sender domains are analyzed and, if confirmed not to be spoofed, are listed in the dbl.abuse.ro list.

Spamvertized domains (including those indirectly linked through services like bit.ly) are listed in the uribl.abuse.ro list.

How can I delist my IP address?

Delisting is strictly manual; follow the procedure below:

Step #1: Confirm if your IP is really listed

Do not entirely rely on 3rd party tools, always verify directly!
Let's suppose that your IP address is 10.11.12.13, this is how you verify:

If you are using Windows, open a command prompt window and type:
nslookup 13.12.11.10.rbl.abuse.ro
(note the reverse order of numbers in the IP format in front of "rbl.abuse.ro")

C:\Users\alex>nslookup 13.12.11.10.rbl.abuse.ro

...

Addresses:  127.0.0.2

If you are using Linux, open a terminal window and type:
dig 13.12.11.10.rbl.abuse.ro
(note the reverse order of numbers in the IP format in front of "rbl.abuse.ro")

[alex@linux ~]$ dig 13.12.11.10.rbl.abuse.ro

...

;; ANSWER SECTION:
13.12.11.10.rbl.abuse.ro. 3600    IN      A       127.0.0.2

If one of the DNS response codes is shown on the screen, your IP is listed!

Step #2: Make sure you are no longer sending spam

Check your environment and make sure that no spam or other unsolicited email messages are being sent from the listed IP address.

Actions may include one or more of the following:

  • remediate infected mailboxes
  • if you send newsletters, remove subscribers that haven't clearly opted in for it

Step #3: Make sure you (or your company) owns the IP block

If you don't know how to check, you are most probably not the IP address owner; contact your email provider.

Step #4: Send an email message to admin [@] abuse.ro with subject: "Delist IP: 10.11.12.13"

After we receive a notification from the IP block owner about clearing the problem, IP addresses will be delisted. Prior to delisting, we might ask for further evidence that the flow of spam has actually stopped. If the operator continues to provide support services (such as webhosting) for the spammer, delisting might be delayed as a safety precaution.

In order to delist a domain, a notification must be sent from the postmaster address (e.g. postmaster@domain.tld) to our contact address, with evidence that the spam flow has been stopped. We might verify the address by sending back a confirmation message and asking for a response.

Old listings may, on rare occasions, be rechecked and delisted if they no longer seem to be likely sources of spam.

Why do you block my email address?

We do not block anything! We just make public a list of IP addresses and internet domains detected to send spam. It is solely the recipient's decision to configure our list in the email server and filter or block offending messages.

I am not sending spam, but my messages are still being rejected

Please contact your email provider first!

It is very possible that your email server's IP address is shared by multiple senders (e.g. Gmail, Yahoo) and abused by others.

MX Toolbox shows my IP as listed at abuse.ro but I am not sending spam, why are you listing me?

Always ask for a second opinion: manually check your IP and/or domain using two or more tools. See also https://multirbl.valli.org to check its presence in RBLs.

Contact us

At this moment the only way to contact us is sending a message to admin [at] abuse.ro.

However, if you are not the IP address or domain owner, there is very little chance you'll get a response.