How to Use AbuseBL

Step-by-step configuration guides for integrating rbl.abusebl.org and ubl.abusebl.org into your mail infrastructure.

Two Blocklists, One Purpose

AbuseBL exposes two DNS-based blocklists (DNSBLs) that you can query from virtually any modern mail server or spam filter:

IP Blocklist
rbl.abusebl.org

Lists IP addresses (IPv4 and IPv6) that have been observed sending spam. Query this at the SMTP connection level to reject mail before it is even accepted.

Return code: 127.0.0.2 — listed / block recommended

URL / Domain Blocklist
ubl.abusebl.org

Lists domains and URLs found in spam message bodies, including sender domains, linked URLs, and image URLs. Use this in content-scanning filters (Rspamd, SpamAssassin).

Return code: 127.0.0.2 — listed / block recommended

Compatible with any DNSBL-aware software. The guides below cover Postfix, Exim, Rspamd, and SpamAssassin. AbuseBL works with any MTA or spam filter that supports standard DNS blocklist queries (Haraka, Milter-based tools, etc.).

Postfix

Postfix queries IP blocklists during the SMTP connection phase via smtpd_recipient_restrictions (or smtpd_client_restrictions). Add the reject_rbl_client restriction for the IP blocklist.

IP Blocklist — rbl.abusebl.org

Edit /etc/postfix/main.cf:

# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client rbl.abusebl.org,
    permit

You can also add a custom rejection message so senders know why they were blocked:

# /etc/postfix/main.cf
maps_rbl_reject_code = 554
# rbl_reply_maps is the Postfix parameter for per-blocklist reply templates
rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps

# /etc/postfix/rbl_reply_maps
rbl.abusebl.org    554 5.7.1 Service unavailable; $rbl_class [$rbl_what] blocked using rbl.abusebl.org. See https://abusebl.org/information

Note: Postfix does not natively support URIBL (URL/domain body lookups). Use Rspamd or SpamAssassin as a content filter alongside Postfix to leverage ubl.abusebl.org.

Apply changes

postmap /etc/postfix/rbl_reply_maps
systemctl reload postfix

Exim

Exim checks DNSBLs in an ACL (Access Control List). The standard place is the acl_check_rcpt ACL inside /etc/exim4/exim4.conf (or your split-config equivalent).

IP Blocklist — rbl.abusebl.org

Add a deny condition inside acl_check_rcpt that fires when the connecting IP is listed:

# /etc/exim4/exim4.conf — inside acl_check_rcpt

  deny
    dnslists        = rbl.abusebl.org
    message         = $sender_host_address is listed in AbuseBL. \
                      See https://abusebl.org/information
    log_message     = blocked by AbuseBL RBL ($dnslist_domain)

URL / Domain Blocklist — ubl.abusebl.org

Exim can check URIs in message bodies using the acl_check_data ACL together with dnslists and the $acl_m_mime_subject variables, but the most practical approach is to call an external content scanner (Rspamd or SpamAssassin). Alternatively, use the spam condition with a SpamAssassin socket:

# /etc/exim4/exim4.conf — inside acl_check_data
# Requires Exim built with Content_Scanning support and
# SpamAssassin/Rspamd running as a daemon

  warn
    spam            = nobody:true
    add_header      = :at_start:X-Spam-Status: $spam_score_int / $spam_bar \n\tX-Spam-Report: $spam_report

  deny
    condition       = ${if >{$spam_score_int}{150}{yes}{no}}
    message         = This message has been rejected as spam.

Apply changes

exim -bV          # verify config syntax
systemctl reload exim4

Rspamd

Rspamd has native support for both IP RBLs and URL/domain blocklists via its rbl module. Create two files in /etc/rspamd/local.d/:

rbl.conf — declare the blocklists

# /etc/rspamd/local.d/rbl.conf

rbls {
  abuseblip {
    rbl = "rbl.abusebl.org";
    ipv4 = true;
    ipv6 = true;

    returncodes {
      RBL_ABUSEBLIP_DROP = "127.0.0.2";
    }
  }

  abuseblurl {
    rbl = "ubl.abusebl.org";

    emails = true;
    emails_domainonly = true;
    images = true;
    urls = true;
    no_ip = true;

    returncodes {
      RBL_ABUSEBLURL_DROP = "127.0.0.2";
    }
  }
}

ipv4 / ipv6 = true: Query for both address families.
emails_domainonly = true: Look up only the domain part of email addresses found in the body.
images = true: Also check domains referenced in image tags.
no_ip = true: URL blocklist; skip bare IP addresses (IP lookups go to rbl.abusebl.org).

groups.conf — assign weights

# /etc/rspamd/local.d/groups.conf

group "abusebl" {
    max_score = 20.0;

    symbols {
        "RBL_ABUSEBLIP_DROP" {
            weight = 15.0;
            description = "Sender listed at AbuseBL IP blacklist";
        }

        "RBL_ABUSEBLURL_DROP" {
            weight = 15.0;
            description = "URI listed at AbuseBL URI blacklist";
        }
    }
}

Score guidance: A weight of 15.0 on its own is typically enough to trigger a reject action (Rspamd's default reject threshold is 15.0). Combined with other symbols, a hit on either rule will almost certainly result in rejection. Adjust to taste.

Apply changes

rspamadm configtest           # verify config syntax
systemctl restart rspamd

SpamAssassin

Add the following rules to /etc/spamassassin/local.cf (or an include file in /etc/spamassassin/):

local.cf

# /etc/spamassassin/local.cf

# --- IP Blocklist (rbl.abusebl.org) ---
header    RBL_ABUSEBLIP eval:check_rbl('abuseblip', 'rbl.abusebl.org.')
describe  RBL_ABUSEBLIP  Sender listed in AbuseBL IP blacklist
score     RBL_ABUSEBLIP  15.0
tflags    RBL_ABUSEBLIP  net

# --- URL / Domain Blocklist (ubl.abusebl.org) ---
# urirhssub looks up the URI's domain name in the zone and matches the answer
# against the given return code; the body eval rule is what registers the hit.
urirhssub RBL_ABUSEBLURL ubl.abusebl.org. A 127.0.0.2
body      RBL_ABUSEBLURL eval:check_uridnsbl('RBL_ABUSEBLURL')
describe  RBL_ABUSEBLURL  URI listed in AbuseBL URL blacklist
score     RBL_ABUSEBLURL  15.0
tflags    RBL_ABUSEBLURL  net

check_rbl('abuseblip', …): Creates a named RBL check. The first argument is an internal label; use a unique string.
urirhssub: Extracts all URIs from the message body and checks their domains against ubl.abusebl.org.
tflags … net: Marks the rule as a network test; it is only run when network tests are enabled (default in daemon mode).
score … 15.0: A score of 15 alone is well above the default spam threshold of 5.0. A hit is treated as a near-certain block.

Apply changes

spamassassin --lint             # validate rules — no output = all good
systemctl restart spamassassin

Testing Your Configuration

After applying changes, verify that DNS queries return the expected results before sending live traffic through the new rules.

Manual DNS lookup

To test an IP address query against rbl.abusebl.org, reverse the octets (for IPv4) and append the blocklist hostname:

# IPv4 — reverse the octets
# Example: checking 192.0.2.1
dig +short 1.2.0.192.rbl.abusebl.org A

# IPv6 — reverse the nibbles (full expanded address)
# Example: checking 2001:db8::1
dig +short 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.rbl.abusebl.org A

# Domain / URL query against ubl.abusebl.org
# Example: checking example-spam-domain.com
dig +short example-spam-domain.com.ubl.abusebl.org A

A listed entry returns 127.0.0.2. An entry that is not listed returns NXDOMAIN (no answer).
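
The query-name construction described above, as an added Python example (not AbuseBL's own code). The function and constant names are illustrative, and only 127.0.0.2 counts as a listing because it is the only return code this page documents; the resolver is passed in as a parameter so the logic can be checked without network access.

```python
import ipaddress
import socket

RBL_ZONE = "rbl.abusebl.org"   # IP blocklist zone named on this page
UBL_ZONE = "ubl.abusebl.org"   # URL/domain blocklist zone named on this page
LISTED = "127.0.0.2"           # the only return code this page documents


def query_name(item: str) -> str:
    """Build the DNSBL query name for an IPv4/IPv6 address or a domain."""
    try:
        ip = ipaddress.ip_address(item.strip("[]"))
    except ValueError:
        # Not an IP literal: treat it as a domain for the URL/domain list.
        return f"{item.rstrip('.').lower()}.{UBL_ZONE}"
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is looked up as plain IPv4
    if ip.version == 4:
        labels = reversed(str(ip).split("."))            # reversed octets
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # reversed nibbles
    return ".".join(labels) + "." + RBL_ZONE


def system_resolver(name: str) -> list[str]:
    """Return the A records for name, or [] on NXDOMAIN / lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listed(item: str, resolve=system_resolver) -> bool:
    """True only when the answer contains the documented listing code.

    Any other answer (for example from a resolver that rewrites NXDOMAIN
    to a landing-page address) is not treated as a listing.
    """
    return LISTED in resolve(query_name(item))


if __name__ == "__main__":
    for sample in ("192.0.2.1", "2001:db8::1", "example-spam-domain.com"):
        print(sample, "->", query_name(sample), "listed:", is_listed(sample))
```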

Test Rspamd with a message file

# Scan a raw .eml file through Rspamd and show all triggered symbols
rspamc -h 127.0.0.1:11334 symbols /path/to/message.eml | grep -i abusebl

Test SpamAssassin with a message file

# Lint first, then scan a message in test mode (-t); network tests run unless -L is given
spamassassin --lint
spamassassin -t < /path/to/message.eml | grep -i abusebl

DNS caching: If you are testing from the same host that runs your resolver, be aware that negative answers (NXDOMAIN) are also cached. Flush your local DNS cache if you are not seeing expected results after a listing is added or removed.