RBL

RBL removal information

how do i delist

To request removal, go to the rblremove web page. You need to visit this page from the IP address of the offending computer. If you do this, you will be delisted immediately.

There are a number of ways to do this, using telnet, curl, wget, lynx or a web browser. All you need to do is make one request from the IPv4/IPv6 address that was listed. If you wanted to delist your IPv4 address using curl, just log into the listed mail server and run:

$ curl -4 http://www.usenix.org.uk/content/rblremove

You can do the same using telnet from a Windows or Linux host by issuing the normal HTTP headers (you need to enter the GET and Host lines below).

$ telnet www.usenix.org.uk 80
GET /content/rblremove HTTP/1.1
Host: www.usenix.org.uk
(press enter twice)

Failing automatic removal, please fill out the form for removal assistance (English only please, until we get translators). We will remove anyone from this list provided they can show proof that they have addressed all potential security problems and are willing to communicate openly to resolve any issues. Be aware that this will take much longer than the automatic process above, so exhaust all automatic possibilities first.

Please supply us with your IP address and what you have done so far to address the problem. A decision will be made as to the listing status. Should you satisfy the removal criteria, the listing will be removed within 30 minutes of the decision being made.

Listings are not made lightly; there was a solid reason for the entry being added. Hostility towards the support team will not be tolerated and may leave you lucky to receive any response from us at all, so please be polite when communicating with the support team.

what is held on all.s5h.net?

The all.s5h.net list is fully RFC 5782 compliant.

All the spam sources are recorded and kept on an RBL server named all.s5h.net. The "all" represents a collated list of all sources and attack vectors that send spam in one form or another to any of our server addresses.

ipv6

We've found a fair amount of spam to originate from IPv6 hosts, so these are added to the list using the same namespace.

For example, if you want to check for 2001:DB8::1 in the database you will need to look up:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.all.s5h.net

The NS records have IPv4 and IPv6 glue, making lookups a little more efficient for you. Of course, if you're using this RBL service on your mail server, then chances are those records would be cached for you already.

listing status

If you wish to check the status of an IP address in many RBL servers, you may wish to try the RBL tool, which checks many RBL servers.

All the TTL values for the DNS queries are set to five seconds, so the change should appear immediately for you once data has propagated.

multihomed setups

If you have a network of machines and several IPv4/IPv6 addresses were listed, you can tell curl to bind to each listed address when using the automatic removal, so long as you can alias those addresses on your machine.

Test with curl to make sure that it is using the correct address:

$ curl -I -6 --interface 2001:DB8::10 http://www.usenix.org.uk/content/whatismyip

You should see a reply header that looks similar to the one below, with your expected address:

HTTP/1.1 200 OK
Date: Wed, 03 May 2017 18:18:20 GMT
IPv6: 2001:DB8::10
Content-Type: text/html;charset=UTF-8

Once you have confirmed that this works and the correct address is being used, you may then adjust the URL to match the automatic removal page, http://www.usenix.org.uk/content/rblremove.

You can do the same using telnet, although the syntax is slightly more complex. The example below shows the conversation between the client and server: the first three lines are entered by the client, and everything after the blank line is the server reply.

$ telnet -b 2001:DB8::10 www.usenix.org.uk 80
Trying 2001:ba8:1f1:f1cb::2...
Connected to www.usenix.org.uk.
Escape character is '^]'.
HEAD /content/whatismyip HTTP/1.1
Host:www.usenix.org.uk

HTTP/1.1 200 OK
Date: Wed, 03 May 2017 18:25:29 GMT
IPv6: 2001:DB8::10
Content-Type: text/html;charset=UTF-8

usage

You may use this RBL list free of charge, currently without limit and we intend to keep it that way. Please consider donating if you find this service useful and it helps pay for the honeypot addresses.

mediawiki

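If you wish to use this in MediaWiki, make the following changes:

LocalSettings.php:
// DNS blacklist checks are disabled by default, so switch them on
$wgEnableDnsBlacklist = true;
// Zones to query; the trailing dot makes the name fully qualified
$wgDnsBlacklistUrls = array(
        'all.s5h.net.',
);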

qmail

In /var/service/qmail-smtpd/run, add the following to the tcpserver arguments, just before qmail-smtpd is called:

rblsmtpd -r all.s5h.net

exim

Add the following to your config:

deny dnslists = all.s5h.net

postfix

Insert reject_rbl_client all.s5h.net prior to permit in your smtpd_recipient_restrictions rule.

spamassassin

In your .cf file:

header          RCVD_IN_S5HBL   eval:check_rbl_txt('s5hbl', 'all.s5h.net')
describe        RCVD_IN_S5HBL   Listed at all.s5h.net
tflags          RCVD_IN_S5HBL   net
score           RCVD_IN_S5HBL   0 3.0 0 3.0

sendmail

Add the following, then rebuild:

FEATURE(`enhdnsbl', `all.s5h.net', ``Mail from $&{client_addr} rejected, see http://s5h.net/rbl'',`t')dnl

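Should you wish to use this in a PHP script (perhaps your web form is getting some spam) then you could use a function like this:

function is_blacklisted($ip) {
    // DNSBL zones to query; the first zone that lists the address wins
    $dnsbl_check = array("all.s5h.net", "sbl.spamhaus.org");
    // Only dotted-quad IPv4 is handled here; reject anything else
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return false;
    }
    // Reverse the octets: 192.0.2.1 becomes 1.2.0.192
    $rip = implode(".", array_reverse(explode(".", $ip)));
    foreach ($dnsbl_check as $zone) {
        // An A record for <reversed-ip>.<zone> means the address is listed
        if (checkdnsrr($rip . "." . $zone, "A")) {
            return true; // return on first match
        }
    }
    return false;
}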
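
The query-name construction from the ipv6 section and the lookup done by the PHP function above, combined in one added Python example that handles both address families (it is not code from this page or from the s5h.net service). It assumes listing answers fall inside 127.0.0.0/8, the RFC 5782 convention; the function names and the injectable resolver parameter are illustrative.

```python
import ipaddress
import socket

ZONE = "all.s5h.net"  # zone name taken from the page
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # assumed answer range (RFC 5782 convention)


def dnsbl_query_name(ip, zone=ZONE):
    """Return the DNSBL query name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)  # ValueError on anything that is not an IP
    if addr.version == 4:
        labels = str(addr).split(".")  # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 zero-padded hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for name; an empty list means the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []  # NXDOMAIN / no data: not listed
        raise  # timeout or server failure: surface it, do not guess
    return sorted({info[4][0] for info in infos})


def is_listed(ip, zone=ZONE, resolver=system_resolver):
    """True only if the zone answers with an address inside 127.0.0.0/8."""
    answers = resolver(dnsbl_query_name(ip, zone))
    # An answer outside 127/8 usually comes from a resolver that rewrites
    # NXDOMAIN to a landing page; counting it as a listing would block everyone.
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    for sample in ("192.0.2.10", "2001:DB8::1"):
        print(sample, "->", dnsbl_query_name(sample))
```

Passing a different resolver callable (for example one with its own timeout policy) changes how DNS errors are handled without touching the name construction.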

donations

The cost of the hardware running this service is currently funded privately. If you wish to help support the service, please consider donating using the PayPal donation link. Donations will go towards bringing new servers online to collect network abuse and funnel the information back into the database in real time.