abuse.ro

reputation databases

abuse.ro is a collection of classification and reputation databases for public IP addresses and web domains.

Important!

abuse.ro by design neither does block email, nor operates a database of personal data. It only provides a list of IP addresses and domains that we consider probable sources of spam. Operators of email servers may or may not use that information to classify or block the actual messages.

We publish the following realtime lists:

IP addresses
  • rbl.abuse.ro
    for spam sending IPs/classes
  • pbl.abuse.ro
    for non-mta, residential IPs
Domains
  • uribl.abuse.ro
    for spamvertized domains
  • dbl.abuse.ro
    for spam sending domains

DNS response codes

Following are the DNS responses:

List Response Description Recommended action
rbl.abuse.ro 127.0.0.2 spam sending IP reject message
rbl.abuse.ro 127.0.0.3 abused or infected IP reject message
rbl.abuse.ro 127.0.0.4 spam sending class reject message
pbl.abuse.ro 127.0.0.9 residential* end-user IP block analyze further
uribl.abuse.ro 127.0.0.2 heavily spamvertized domain set spam score to a high value
uribl.abuse.ro 127.0.0.4 spamvertized domain set spam score to a moderate value
uribl.abuse.ro 127.0.0.9 dynamic domain** set spam score to a low-moderate value

* residential IPs are dinamically allocated by ISPs to home users and should never send emails directly, but through a registered email server. Use with care, mainly for further scoring, not blocking

** dynamic DNS domains like afraid.org; while good for testing purposes, these domains are easily abused for spam

Using the lists

rbl.abuse.ro, pbl.abuse.ro

Just point your email server to use rbl.abuse.ro for SMTP IP verification.
In Postfix, you have to modify the main.cf configuration file:

smtpd_recipient_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	...
	reject_unauth_destination,
	reject_rbl_client rbl.abuse.ro,
	reject_rbl_client pbl.abuse.ro,
	...

Note: the above example also uses pbl.abuse.ro to reject emails. Please note that IPs in pbl.abuse.ro are not listed for spam, but due to their dynamic assignment!

If you want to reject the email messages based on the response codes, here is an example:

smtpd_recipient_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	...
	reject_unauth_destination,
	reject_rbl_client rbl.abuse.ro=127.0.0.[2..3],
	...

In this case, we will reject only the IPs listed at rbl.abuse.ro (code 127.0.0.2 and 127.0.0.3) but not the networks (code 127.0.0.4)

For other antispam tools (lite postscreen), please look at the product's manual for dnsbl implementation.

uribl.abuse.ro

In order to use uribl.abuse.ro within your email environment you need the following prerequisites:

  • your own email server (doh!)
  • administrative access to your mail server (root access or full managed services);
  • Spamassassin installed and working;
  1. access your server (SSH or direct console)
  2. go to your SpamAssassin config folder
    in CentOS is /etc/mail/spamassassin
  3. define a new file called abuse.ro.conf
  4. copy and paste the following code in the file
  5. save the file
  6. restart the spamassassin daemon

#############################################################################
# SpamAssasin configuration for Romanian spamvertized domains: uribl.abuse.ro
# version 1.0 2016-09-20
#############################################################################


## blacklisted domains
#############################################################################
urirhssub       URIBL_RO_BLACK  uribl.abuse.ro.        A   2
body            URIBL_RO_BLACK  eval:check_uridnsbl('URIBL_RO_BLACK')
describe        URIBL_RO_BLACK  Contains a blacklisted domain
tflags          URIBL_RO_BLACK  net

# set the score as per desired behaviour
score           URIBL_RO_BLACK  10.0


## greylisted domains
#############################################################################
urirhssub       URIBL_RO_GREY   uribl.abuse.ro.        A   4
body            URIBL_RO_GREY   eval:check_uridnsbl('URIBL_RO_GREY')
describe        URIBL_RO_GREY   Contains a greylisted domain
tflags          URIBL_RO_GREY   net

# set the score as per desired  behaviour
score           URIBL_RO_GREY   8.0


## dynamic DNS domains
#############################################################################
urirhssub       URIBL_RO_DYNDNS   uribl.abuse.ro.        A   9
body            URIBL_RO_DYNDNS   eval:check_uridnsbl('URIBL_RO_DYNDNS')
describe        URIBL_RO_DYNDNS   Contains a dynamic dns domain
tflags          URIBL_RO_DYNDNS   net

# set the score as per desired  behaviour
score           URIBL_RO_DYNDNS   5.0

dbl.abuse.ro

Just point your email server to use dbl.abuse.ro for RHSBL verification.
In Postfix, you have to modify the main.cf configuration file:

smtpd_sender_restrictions =
	...
	reject_rhsbl_sender dbl.abuse.ro,
	...

Policy

Definitions

As per our understanding, we classify as spam any unsolicited email (e.g any mail sent without having the recipient's express consent).

Spamtraps are usually e-mail addresses that are created not for communication, but rather to lure spam. In order to prevent legitimate email from being invited, the e-mail address will typically only be published in a location hidden from view such that an automated e-mail address harvester (used by spammers) can find the email address, but no sender would be encouraged to send messages to the email address for any legitimate purpose. Since no e-mail is solicited by the owner of this spamtrap e-mail address, any e-mail messages sent to this address are immediately considered unsolicited.
We have defined a set of spamtraps and we solely rely on these addresses in building the lists; all spamtraps are secret, except the public one contact@abuse.ro.

By IP block owner we understand the contact listed as Administrative contact at RIPE.

Geting listed

If we capture a message in our spamtraps and the sending host is deemed suspicious and/or spam focused, the listing may be immediate. If the sending host is a shared mail server with likely significant non-spam-related use, we may give the operator some time to fix the problem.

If an operator is known to support spam or if they have previous listings, we reserve the right to list addresses immediately.

Neighbor IP addresses may be listed if they appear to be related to the primary listed IP address and likely sources of similar spam.

The last IP address before destination in the email headers is listed into rbl.abuse.ro list.

Sender domains are analyzed and if confirmed to be not spoofed, are listed into dbl.abuse.ro list

Spamvertized domains (including those indirectly linked through services like bit.ly) are listed into uribl.abuse.ro list

Delisting

Delisting is strictly manually

After we receive a notification from the IP block owner about clearing the problem, IP addresses will be delisted. Prior delisting, we might ask for further evidences that the flow of spam has actually stopped. If the operator continues to provide support services (such as webhosting) for the spammer, delisting might be delayed as a safety precaution.

In order to delist a domain, a notification must be sent from the postmaster address (e.g. postmaster@domain.tld) to our contact address, with evidences that spam flow has been stopped. We might verify the address by sending back a confirmation message and asking for a response.

Old listings may be seldom rechecked and delisted if they no longer seem to be likely sources of spam.

Contact us

At this moment the only way to contact us is sending a message to admin [at] abuse.ro.