Summary
Abusix maintains two distinct abuse lists, 'black' and 'black_css', each serving a specific role in email deliverability and spam prevention. The 'black' list acts as a Realtime Blocklist (RBL), primarily identifying and blocking IP addresses and domains actively engaged in abuse, such as direct spamming or malware distribution, based on real-time complaints and spam trap hits. In contrast, the 'black_css' (Composite Scanning Service Blocklist) is a more aggressive and comprehensive list. It targets a broader range of low-reputation or non-compliant senders by leveraging extensive heuristics, patterns, and suspected abuse types, often including servers that show signs of compromise or suspicious behavior, even before they send large volumes of spam. While 'black' focuses on immediate, clear-cut threats, 'black_css' offers a proactive defense against a wider spectrum of potentially undesirable email traffic.
Key findings
- Primary Purpose: The Abusix 'black' list is a Realtime Blocklist (RBL) focused on immediate, real-time blocking of active threats, primarily fed by direct abuse complaints and active spam traps. The 'black_css' list, or Composite Scanning Service Blocklist, is a more aggressive and comprehensive list for proactive defense against a wider spectrum of low-quality or potentially undesirable traffic.
- Scope and Heuristics: While 'black' targets current, clear-cut spam sources, 'black_css' employs a broader range of heuristics, patterns, and suspected abuse types. It includes IPs associated with suspicious behavior or poor reputation, extending beyond direct abuse reports.
- Data Sources: The 'black' list relies on direct abuse complaints and active spam traps. In contrast, 'black_css' utilizes a wider array of data sources, including public and private data, spam traps, honeypots, and proprietary algorithms, to identify malicious or questionable senders.
- Compromised Servers: A key distinction of 'black_css' is its specific design to identify IP addresses of servers suspected of being compromised or controlled by botnets, even if they aren't yet sending large volumes of abusive mail. IPs are removed once the server is cleaned, but might transition to the 'black' list if significant abuse commences.
- Spamhaus Naming Convention: The 'black_css' naming likely borrows from Spamhaus's CSS (Composite Blocking List), which is a highly automated subset of their SBL data, known for detecting various issues, including potential snowshoeing patterns.
Key considerations
- Filtering Approach: For critical real-time blocking of actively malicious senders, the 'black' list is often recommended. If a more aggressive and proactive filtering approach is desired to catch a wider range of low-quality or suspicious email, 'black_css' is more beneficial.
- Potential for False Positives: Implementing the 'black_css' list, due to its broader filtering, can sometimes lead to blocking a small percentage of legitimate email, necessitating careful monitoring.
- Dual Listing Significance: If an IP address is listed on both the 'black' and 'black_css' lists, the specific distinction between them becomes less critical, as it strongly indicates that the sender is a confirmed source of spam.
- Direct Contact for Clarity: In cases where the reason for being listed on 'black_css' is unclear, contacting Abusix directly for clarification is advisable.
What email marketers say
9 marketer opinions
Abusix utilizes two primary abuse lists, 'black' and 'black_css', each serving a distinct purpose in email deliverability. The 'black' list is widely regarded as a real-time blacklist (RBL), primarily targeting current and active sources of spam or abuse for immediate blocking. Conversely, the 'black_css' list is a more comprehensive and aggressive mechanism. It includes IP addresses that might not be actively sending spam but are associated with suspicious behavior or a poor reputation, extending beyond direct abuse reports to provide proactive filtering against a wider spectrum of low-quality or questionable email traffic.
Key opinions
- Black List Purpose: The Abusix 'black' list is a real-time blacklist (RBL) designed for immediate blocking of active spamming, malware, or other clear-cut abuse sources.
- Black_CSS Scope: The 'black_css' list is more comprehensive and aggressive, including IPs associated with suspicious behavior or poor reputations, even without active spamming.
- Proactive Filtering Benefit: 'black_css' provides a proactive filtering approach to intercept a wider range of low-quality or suspicious email traffic.
- Potential False Positives: Due to its broader criteria, 'black_css' can occasionally block legitimate emails, often leading to a higher block rate.
- Naming Influence: The 'black_css' name may be influenced by Spamhaus's CSS (Composite Scanning Service), a highly automated subset of their SBL data that detects various issues.
- Documentation Note: One expert indicates that Abusix's official documentation does not explicitly list a 'black_css' zone, despite its practical use and description by others.
Key considerations
- Choosing the Right List: The 'black' list is recommended for critical real-time blocking of actively malicious senders, while 'black_css' is better for a more aggressive, proactive filtering strategy to intercept low-quality or suspicious traffic.
- Monitoring for Overblocking: Users of 'black_css' should monitor for potential false positives, as its broad filtering approach can occasionally block legitimate email, requiring careful assessment.
- Dual Listing Implication: If an IP appears on both 'black' and 'black_css', the primary takeaway is that the IP is a confirmed source of spam, making the specific list distinction less critical.
- Direct Inquiry for Clarity: If listed on either list, especially 'black_css' where reasons might be broader, direct contact with Abusix is suggested for clarification.
Marketer view
Email marketer from Email Geeks explains that 'black_css' likely borrows its naming convention from Spamhaus CSS, which is a high-automation subset of SBL data and detects various issues. He advises that if listed on both 'black' and 'black_css', the distinction is less critical as it indicates being a source of spam, suggesting to contact Abusix directly for clarification.
25 Feb 2023 - Email Geeks
Marketer view
Email marketer from Email Geeks shares that Abusix documentation does not list a 'black_css' zone.
29 Jan 2024 - Email Geeks
What the experts say
2 expert opinions
The 'black' and 'black_css' abuse lists from Abusix serve different purposes in identifying problematic email senders. The 'black' list traditionally targets IP addresses actively involved in sending abusive traffic like spam or malware. In contrast, the 'black_css' list, an acronym for 'Compromised Server Summary,' is specifically designed to flag IP addresses of servers that are suspected of being compromised or under botnet control. An IP on the 'black_css' list might not be sending high volumes of spam, but rather shows indicators of compromise, and is removed once the server is secured. There's also a perspective that 'black_css' might indicate a method of listing, such as for snowshoeing, rather than being a wholly separate list itself, drawing parallels to Spamhaus conventions.
Key opinions
- Traditional Black List: The Abusix 'black' list primarily targets IP addresses that are actively sending abusive traffic, such as spam or malware.
- Compromised Server Identification: The 'black_css' list, which stands for 'Compromised Server Summary,' is specifically designed to identify IP addresses of servers suspected of being compromised or controlled by botnets.
- Volume vs. Compromise: IPs are placed on 'black_css' based on signs of compromise, even if they are not yet sending large volumes of abusive mail.
- Remediation and Escalation: An IP is removed from 'black_css' once the server is cleaned; however, it may transition to the 'black' list if significant abusive traffic commences.
- Listing Method Perspective: Some experts suggest that 'black_css' might signify a particular listing method, similar to Spamhaus's conventions for detecting patterns like snowshoeing, rather than being a completely separate list.
Key considerations
- Diagnosing Listing Reasons: Understanding if a listing is due to active abuse on the 'black' list or a compromised server on the 'black_css' list is crucial for accurate remediation efforts.
- Focus on Server Security: For 'black_css' listings, the immediate priority is to identify and clean the compromised server, as removal from this list typically occurs once the server is secured.
- Monitoring for Escalation: Be aware that an IP on the 'black_css' list can escalate to the 'black' list if the compromised server begins sending significant volumes of spam, necessitating prompt intervention.
- Content and Sending Patterns: Consider the possibility that 'black_css' might also flag issues like snowshoeing, where similar content is sent across multiple services, prompting a review of overall sending patterns.
Expert view
Expert from Email Geeks explains that if Abusix is borrowing the Spamhaus convention, 'black_css' isn't a separate list but a different way to get listed, specifically for detecting snowshoeing, which implies one customer sending the same content across multiple services.
6 Feb 2025 - Email Geeks
Expert view
Expert from Spam Resource explains that the Abusix 'black' abuse list is their traditional list, targeting IP addresses that are actively sending abusive traffic like spam or malware. The 'black_css' list, which stands for 'Compromised Server Summary,' is specifically designed to identify IP addresses of servers that are suspected of being compromised or controlled by botnets. IPs are placed on the 'black_css' list if they show signs of compromise, even if they are not yet sending large volumes of abusive mail, and are removed once the server is cleaned. An IP on the 'black_css' list might later be moved to the 'black' list if it begins sending significant abusive traffic.
1 May 2022 - Spam Resource
What the documentation says
6 technical articles
Abusix offers two distinct abuse lists, 'black' and 'black_css', each with a unique approach to identifying and blocking problematic email senders. The 'black' list functions as a Realtime Blocklist, primarily targeting IP addresses and domains that are actively engaged in abuse, identified through direct complaints and real-time spam trap hits. This list is designed for immediate, reactive blocking of clear-cut, ongoing threats. In contrast, the 'black_css' list, or Composite Scanning Service Blocklist, takes a more aggressive and comprehensive approach. It uses a wider array of data sources, including various heuristics, patterns, and proprietary algorithms, to identify a broader range of low-reputation, non-compliant, or potentially suspicious senders. While 'black' focuses on confirmed, active abuse, 'black_css' provides a proactive defense against a wider spectrum of potentially undesirable or low-quality email traffic, often flagging issues before they escalate into high-volume spam.
Key findings
- Purpose of 'black': The Abusix 'black' list serves as a Realtime Blocklist, focusing on immediate blocking of IP addresses and domains identified by direct abuse complaints and active spam traps for current, clear-cut abuse activity.
- Purpose of 'black_css': The 'black_css' list, or Composite Scanning Service Blocklist, is a more aggressive and comprehensive list designed for proactive defense, targeting low-reputation or non-compliant senders based on a broader range of heuristics and suspected abuse types.
- Data Sources for 'black': The 'black' list is primarily populated by direct abuse complaints and hits on active spam traps, indicating real-time identification of ongoing abuse campaigns.
- Data Sources for 'black_css': The 'black_css' list employs a wider array of data sources, including public and private data, various spam traps, honeypots, and proprietary algorithms, to identify a broader scope of malicious or questionable senders.
- Intended Application: 'black' is intended for immediate, real-time blocking of active threats, suitable for organizations prioritizing stopping clear-cut abuse as it occurs. 'black_css' is for those seeking a more robust defense against a broader spectrum of potentially undesirable email traffic.
Key considerations
- Filtering Objectives: Organizations aiming for immediate, surgical blocking of clear-cut, active email abuse should prioritize the 'black' list. Conversely, those seeking a more comprehensive, proactive defense against a wider spectrum of low-quality or potentially undesirable traffic will find 'black_css' more beneficial.
- Impact on Deliverability: Due to its broader and more aggressive criteria, implementing the 'black_css' list may result in a higher volume of blocked email, necessitating vigilant monitoring to avoid inadvertently impacting legitimate communications.
- Remediation Strategy: The distinction between being listed on 'black' versus 'black_css' helps in formulating a precise remediation strategy, as 'black' typically points to direct, ongoing abuse, while 'black_css' suggests broader reputational or behavioral issues.
- Proactive vs. Reactive: 'black' functions as a reactive measure to current abuse, ideal for stopping active threats as they emerge. 'black_css' offers a proactive defense, identifying potential issues before they escalate into full-blown abuse campaigns.
Technical article
Documentation from Abusix.com explains that the 'black' list is their Realtime Blocklist, comprising IP addresses and domains identified by direct abuse complaints and active spam traps for current abuse activity.
4 Jan 2022 - Abusix.com
Technical article
Documentation from Abusix.com explains that the 'black_css' list, or Composite Scanning Service Blocklist, is a more aggressive list based on a broader range of heuristics, patterns, and suspected abuse types, often targeting low-reputation or non-compliant senders.
23 Sep 2023 - Abusix.com
Related resources
5 resources
How impactful are Abusix blacklisted IPs from a shared IP pool?
How to handle a domain listed on Abusix or request delisting?
Should I use blacklist or blocklist in email marketing?
What are Abusix's services for email deliverability and how do they compare to Spamhaus?
What impact does Abuse.ro have on email deliverability and which blocklists are most important to monitor?
Why was there a sudden increase in Spamhaus CSS listings?
