Overview of Exploits Block List - XBL (Spamhaus.org) in Comment Spam Protection

By Angsuman Chakraborty, Gaea News Network
Tuesday, February 5, 2008

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits. I was recently testing this list against spam. Here are a few observations from our testing.

XBL is effective in catching comment spam. However, I have also seen several false positives where genuine comments were flagged as spam by the XBL database. This is not surprising by itself. XBL is a list of IP addresses of hijacked machines. However, most of the time the owners do not know that their PCs have been hijacked. Such owners also want to participate and make comments, and working from a compromised PC doesn't automatically make them spammers. However, there is more to it than just that.

The XBL wholly incorporates data from two highly-trusted DNSBL sources, with tweaks by Spamhaus to maximise the data efficiency and lower False Positives. The main components are:
- the CBL (Composite Block List) from cbl.abuseat.org
- the NJABL Open Proxy IPs list from www.njabl.org.

It appears the XBL team is already working to eliminate false positives. The problem is that in many countries like India, IP addresses are mostly allocated dynamically. Many people also connect over dial-ups. Such users have a high likelihood of being identified as spammers by XBL, even though they are not necessarily using a compromised PC.
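To make the lookup and the false-positive trade-off concrete, here is an added example (not code from the article or from the Comment Guard plugin) of how a comment form would query the real xbl.spamhaus.org zone: the poster's IPv4 address is reversed octet by octet and looked up as a DNS name, and any A record in 127.0.0.0/8 means "listed". The policy function assumes the hypothetical outcomes "accept" and "moderate" so that a hit from a possibly hijacked home PC goes to moderation rather than being dropped; the answers table and IPs are constructed so the code runs offline.

```python
import ipaddress
import socket
from typing import Callable, Optional

XBL_ZONE = "xbl.spamhaus.org"  # the real Spamhaus XBL DNSBL zone


def dnsbl_query_name(ip: str, zone: str = XBL_ZONE) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """DNSBL convention: an A record inside 127.0.0.0/8 means the IP is listed;
    NXDOMAIN (represented here as None) means it is not listed."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def live_resolve(name: str) -> Optional[str]:
    """Resolver for real use: returns the A record, or None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_comment(ip: str, resolve: Callable[[str], Optional[str]]) -> str:
    """An XBL hit says the poster's machine may be compromised, not that the
    comment is spam (dynamic IPs and dial-ups inherit old listings), so a hit
    routes the comment to moderation instead of rejecting it outright."""
    if is_listed(resolve(dnsbl_query_name(ip))):
        return "moderate"
    return "accept"


# Constructed offline stand-in for DNS: only 192.0.2.10 is "listed".
_CONSTRUCTED_ANSWERS = {"10.2.0.192." + XBL_ZONE: "127.0.0.4"}


def fake_resolve(name: str) -> Optional[str]:
    return _CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for poster_ip in ("192.0.2.10", "198.51.100.5"):  # constructed TEST-NET IPs
        print(poster_ip, classify_comment(poster_ip, fake_resolve))
```

Swap `fake_resolve` for `live_resolve` to query the real zone; counting "moderate" verdicts that a human later approves gives a direct measure of the false-positive rate the article describes.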

Note: XBL was not designed to catch comment spam. It was primarily designed for catching email spam. However, the usage is valid because both kinds of spam share many common characteristics and can leverage common technologies such as blacklists. Both can be done manually and are also heavily automated. Both are used to advertise the same types of products.
However, there are differences too which need to be kept in mind while designing anti-spam solutions. Comment spam is by far much easier to intercept than email spam in my experience.

In the Comment Guard plugin I have decided to remove XBL because of the false positives. Comment Guard Pro is designed to eliminate false positives from comment spam detection (as well as false negatives). Any source of false positives, however valuable, is simply not acceptable.