Quick Stats

Unique hosts: 912
Unique IPv6 hosts: 1
Entries in db: 1193
IPv6 entries in db: 4
Hosts on virbl: 13
IPv6 hosts on virbl: 0

Welcome to the Virbl-project

Virbl is a project whose idea was born during the RIPE-48 meeting. The plan was to get reports from virus-scanning mail servers, and put the IP addresses that were reported to send viruses on a blacklist.

For more information, read 'About Virbl'

News

15-01-2010:

We've changed Virbl today, which makes it the first fully IPv6 enabled dnsbl, as far as we can tell. You could already reach Virbl via IPv6 for years, but no IPv6 hosts were served by the nameserver. rbldnsd, on which we ran Virbl before, does not understand IPv6 in its zones.

We changed some things today:

  1. We implemented a way to list machines with IPv6 and privacy-extensions
  2. We switched from rbldnsd to Bind
  3. We've changed the website so the changes made in '1' are visible on the website as well

The issue with IPv6 and dnsbls is that it is much easier for hosts to change the IPv6 address each second. By doing that, chances of getting listed on a dnsbl or at least chances of being caught by a listing decrease dramatically. We've decided to list an entire /64 when we see five IPv6 hosts in the same /64. We will also be listing the hosts themselves. People using privacy-extensions (or evil scripts) will be able to use four addresses in the same /64 without getting listed, but will be busted when number five comes around.

We've chosen to use a /64 because a /64 is the most commonly used network size for home and office use. Lots of tools expect a /64; autoconf even demands a /64.
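The listing rule described above, as an added Python example (not Virbl's own code): every reported host is listed, and a /64 is listed once five distinct hosts in it have been reported. The zone name `dnsbl.example`, the function names, the sample addresses (documentation prefix 2001:db8::/32) and the nibble-reversed naming with a wildcard per /64 (the RFC 5782 convention) are assumptions; the page does not say how the entries are encoded in Bind.

```python
import ipaddress
from collections import defaultdict

THRESHOLD = 5            # from the news item: the fifth host in a /64 lists the /64
ZONE = "dnsbl.example"   # placeholder zone name (assumption), not Virbl's

# Constructed sample reports: five hosts in one /64, three in another (one reported twice).
REPORTS = [
    "2001:db8:1:1::a", "2001:db8:1:1::b", "2001:db8:1:1::c",
    "2001:db8:1:1::d", "2001:db8:1:1::e",
    "2001:db8:2:2::1", "2001:db8:2:2::2", "2001:db8:2:2::3", "2001:db8:2:2::3",
]

def build_listing(reported):
    """Return (hosts, nets): all reported hosts, plus each /64 with >= THRESHOLD distinct hosts."""
    hosts = {ipaddress.IPv6Address(a) for a in reported}   # the set drops repeat reports
    per_net = defaultdict(set)
    for h in hosts:
        # Zero the low 64 bits to get the enclosing /64.
        net = ipaddress.IPv6Network(((int(h) >> 64) << 64, 64))
        per_net[net].add(h)
    nets = {n for n, members in per_net.items() if len(members) >= THRESHOLD}
    return hosts, nets

def is_listed(addr, hosts, nets):
    """An address is listed if it was reported itself or falls inside a listed /64."""
    a = ipaddress.IPv6Address(addr)
    return a in hosts or any(a in n for n in nets)

def query_name(addr, zone=ZONE):
    """Name a client would query: all 32 nibbles, reversed, under the zone."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone

def wildcard_name(net, zone=ZONE):
    """Wildcard owner name covering a whole /64: its 16 prefix nibbles, reversed, under '*'."""
    nibbles = net.network_address.exploded.replace(":", "")[:16]
    return "*." + ".".join(reversed(nibbles)) + "." + zone

if __name__ == "__main__":
    hosts, nets = build_listing(REPORTS)
    for n in sorted(nets):
        print(n, "->", wildcard_name(n))
    # A never-reported address in the listed /64 is still caught.
    print(is_listed("2001:db8:1:1:dead:beef:0:1", hosts, nets))
```

With the /64 listed, rotating to a fresh privacy-extension address inside the same prefix no longer avoids the listing, while the second /64 (three distinct hosts) stays host-only.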

There aren't too many nameservers focused on serving dnsbls that are capable of working with IPv6 listings; that's why we switched to Bind. Bind isn't the fastest nameserver around, but will be sufficient, for now.

So, the first IPv6 enabled dnsbl is a fact; we hope that many more will follow. It would be a shame if spammers and viruses found out about IPv6 sooner than the anti-spam and anti-virus people. In any case, Virbl is ready to go!

28-07-2009:

We have decided to stop listing hosts that have sent messages matching a ClamAV Email. signature. We have checked with ClamAV and it seems that Email. signatures do not necessarily match viruses, but also match links to webpages containing viruses. We have archived all messages which were marked with an Email. 'virus' and changed the software so we ignore them.

Unfortunately, ClamAV also stops scanning after it has detected Email., but we feel that we should only list actual viruses, not stuff that looks like it.

11-10-2008:

If you are an AS-administrator, you can now set up notifications in the Virbl 'Login' area. Notifications will be sent out every 12 hours, at 12:00 and 0:00 CEST.

You can also set your password to anything you want (but with some limits).

22-09-2008:

For people that don't have their own AS, we've added a new function to the Virbl website. You can now see the evidence headers for the host you are using to view Virbl. So, if you go to the Evidence howto you can find out how you can see your evidence.

13-09-2008:

Lots of people ask us for evidence headers to find out where the virus that caused their listing came from. Network admins who run an Autonomous System can now automatically request a login to the 'Login' area. A password will be emailed to an address we can find in your AS registration (at RIPE, ARIN, APNIC, AfriNIC, LACNIC) selected by you (your username is your AS#). You can then log in and see which hosts in your AS are listed and you can also find the headers.

If you're experiencing issues with this login-service, please email virbl_at_bit_dot_nl so we can find out what's going on.

11-09-2008:

We've received some emails from ISPs whose relay server has been listed. Since we don't want to be too trigger-happy to list people, we are now also using DNSWL as a whitelist for Virbl. Before this, we only used the NLWhitelist.