CBL Index

From Wikipedia, the free encyclopedia

The CBL Index is the ratio of the number of IP addresses in a given IP subnet (subnetwork) to the number of CBL (Composite Blocking List) listings in that subnet. It may be used to measure how "clean" (of compromised computers) a given subnet is.

The higher the number is, the "cleaner" the subnet.

The CBL Index may be represented in decibels (dB) or as a CIDR suffix (*/xx).

Note: other spam researchers prefer to use a percentage of IPs that are listed in a subnet. Using percentages is better suited for "unclean" subnets because "clean" nets have significantly less than 1% of addresses listed.

Rationale

The CBL DNSBL (Composite Blocking List) lists IP addresses that are compromised by a virus or spam-sending infection (computer worm, computer virus, or spamware).

The CBL's full zone (data) is publicly available for download via rsync. You are encouraged to register for it; see http://cbl.abuseat.org for more detail.

The CBL Index is a reasonably good tool for getting estimates of subnet "outgoing spam reputation".

The CBL Index should be treated with caution - subnets often contain IPs with radically different purposes. Assuming all IPs within a subnet represent the same risk/reputation is potentially dangerous.

The CBL Index may be used to estimate the overall anti-spam performance of an ISP or AS operator.

Example

In the CBL zone dated 2007-07-07T21:03+00:00 there were 166_086 IP addresses listed from the 83.0.0.0/11 network.

The CBL Index for the net was: 2_097_152/166_086 = 12.6 (*/28.3 ; 11.0 dB)

2_097_152 - number of IP addresses in a */11 network (2**(32-11))
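
The calculation above, generalized to several subnets at once, as an added example that is not part of the original article. It assumes a zone file with one listed IP address per line, and it infers the dB and CIDR-suffix conversions (10*log10 and 32 - log2 of the ratio) from the figures in the example; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import math

def cbl_index(subnet_size, listed, max_prefixlen=32):
    """Return (ratio, cidr_suffix, decibels), or None when nothing is listed."""
    if listed == 0:
        return None  # ratio is unbounded: no listings seen in this subnet
    ratio = subnet_size / listed
    # Conversions inferred from the page's example (12.6 -> */28.3 ; 11.0 dB).
    return ratio, max_prefixlen - math.log2(ratio), 10 * math.log10(ratio)

def index_by_subnet(zone_lines, subnets):
    """Count distinct listed addresses per subnet and compute each index."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    listed = set()  # a set, so a duplicated zone entry is counted once
    for line in zone_lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            listed.add(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip malformed entries rather than abort the run
    result = {}
    for net in nets:
        hits = sum(1 for a in listed if a.version == net.version and a in net)
        result[str(net)] = cbl_index(net.num_addresses, hits, net.max_prefixlen)
    return result

# Constructed sample data (documentation address ranges), not real CBL listings.
SAMPLE_ZONE = """\
# constructed zone excerpt
192.0.2.10
192.0.2.77
192.0.2.77
192.0.2.130
192.0.2.200
203.0.113.5
not-an-ip
""".splitlines()

if __name__ == "__main__":
    nets = ["192.0.2.0/24", "198.51.100.0/24"]
    for net, idx in index_by_subnet(SAMPLE_ZONE, nets).items():
        text = "no listings" if idx is None else f"{idx[0]:.1f} (*/{idx[1]:.1f} ; {idx[2]:.1f} dB)"
        print(f"{net}: {text}")
    r, s, d = cbl_index(2 ** (32 - 11), 166_086)  # the page's 83.0.0.0/11 example
    print(f"83.0.0.0/11: {r:.1f} (*/{s:.1f} ; {d:.1f} dB)")
```

A subnet with no listings returns None rather than a number, since the ratio has no finite value there.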