CBL Index

The CBL Index is the ratio of the number of IP addresses in a given IP subnet (subnetwork) to the number of CBL (Composite Blocking List) listings in that subnet. It may be used to measure how "clean" (of compromised computers) a given subnet is: the higher the number, the "cleaner" the subnet. The CBL Index may be represented in decibels (dB) or as a CIDR suffix (*/xx). Note: other spam researchers prefer to use the percentage of IPs in a subnet that are listed. Percentages are better suited to "unclean" subnets, because "clean" nets have significantly less than 1% of their addresses listed.


Rationale

The CBL DNSBL (Composite Blocking List) lists IP addresses that are compromised by a virus or spam-sending infection (computer worm, computer virus, or spamware). The CBL's full zone (data) is publicly available for download via rsync. The CBL Index is a reasonably good tool for estimating a subnet's "outgoing spam reputation". It should be treated with caution: subnets often contain IPs with radically different purposes, and assuming that all IPs within a subnet represent the same risk or reputation is potentially dangerous. The CBL Index may be used to estimate the overall anti-spam performance of an ISP or AS operator.


Example

In the CBL zone dated 2007-07-07T21:03+00:00 there were 166_086 IP addresses listed from the 83.0.0.0/11 network. The CBL Index for the net was:

2_097_152/166_086 = 12.6 (*/28.3 ; 11.0 dB)

where 2_097_152 is the number of IP addresses in a */11 network (2**(32-11)).
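The calculation above, generalized to any IPv4 subnet, as an added Python example that is not part of the original article. The dB form (10·log10 of the ratio) and the suffix form (32 − log2 of the ratio) are inferred from the example's figures, which they reproduce; the one-address-per-line input and the names `cbl_index`, `index_from_counts` and `SAMPLE_ZONE` are assumptions, not the CBL's actual zone format or tooling.

```python
import ipaddress
import math
from typing import Iterable, NamedTuple, Optional

class CblIndex(NamedTuple):
    ratio: float        # subnet size / listed addresses
    decibels: float     # 10 * log10(ratio)
    cidr_suffix: float  # 32 - log2(ratio), i.e. "one listing per */xx"

def index_from_counts(total: int, listed: int) -> Optional[CblIndex]:
    """Compute the index from raw counts; None when nothing is listed."""
    if listed == 0:
        return None  # ratio is unbounded; avoid dividing by zero
    ratio = total / listed
    return CblIndex(ratio, 10 * math.log10(ratio), 32 - math.log2(ratio))

def cbl_index(subnet: str, zone_lines: Iterable[str]) -> Optional[CblIndex]:
    """Count distinct listed addresses inside `subnet` and compute its index."""
    net = ipaddress.ip_network(subnet)
    listed = set()
    for line in zone_lines:
        try:
            ip = ipaddress.ip_address(line.strip())
        except ValueError:
            continue  # blank, comment or malformed line
        if ip in net:
            listed.add(ip)  # a set ignores duplicate listings
    return index_from_counts(net.num_addresses, len(listed))

# Constructed sample, not real CBL data (documentation address ranges).
SAMPLE_ZONE = """\
# constructed listing
192.0.2.10
192.0.2.77
192.0.2.77
192.0.2.200
192.0.2.201
198.51.100.5
not-an-ip
""".splitlines()

if __name__ == "__main__":
    print(cbl_index("192.0.2.0/24", SAMPLE_ZONE))
    print(index_from_counts(2_097_152, 166_086))  # counts from the example above
```

A subnet with no listings returns `None` rather than an index, since the ratio has no finite value there.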

