
What is the VBL

The VBL is a virus host blacklist provided by the Internet Defence team. The database lists all IP addresses from which email containing a virus, or phishing/fraud email, has been sent. As with the SBL, identification is an automated process - no user preferences are involved in deciding whether an email contains a virus or not. It is an aged database, so no IPs remain in it for over 3 days, unless the timeout is reset by receiving another virus from the same address.

How VBL works

The IP is added to the VBL database if:

  • it appears in other trusted sources
  • the email contains a known virus
  • the IP has not sent ham or is not in the Anti-VBL

If a virus is detected in an email, the IP address is extracted from the header and entered in the database with a timestamp for future reference.

Using VBL

As with the SBL, the VBL is used in the conventional way with the order of the IP address being reversed - e.g. to check the IP address 1.2.3.4 you would query 4.3.2.1.vbl.internetdefence.net. If the IP is in the VBL then the DNS lookup of the A record will return 127.0.0.2, otherwise “Not Found” is returned. A descriptive TXT record is also available. Instructions for using your particular system with Realtime Blacklists are readily available, either with the documentation that comes with your DNS package, or on the Internet.
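
The lookup described above, as an added example (not code from Internet Defence): it builds the reversed query name, treats only the 127.0.0.2 answer as a listing, and keeps "name not found" separate from resolver failures so a DNS outage is not read as a verdict. The `resolve` parameter, the three result strings and the constructed resolver are assumptions of this example; only the zone name and the 127.0.0.2 answer come from the text.

```python
import ipaddress
import socket

VBL_ZONE = "vbl.internetdefence.net"  # zone named in the text
LISTED_ANSWER = "127.0.0.2"           # A record the text gives for a listed IP


def vbl_query_name(ip, zone=VBL_ZONE):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything but dotted IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_vbl(ip, resolve=socket.gethostbyname, zone=VBL_ZONE):
    """Return 'listed', 'not_listed' or 'error' for one IPv4 address.

    `resolve` maps a hostname to an IPv4 string; it is a parameter so the
    decision logic can be run without network access (assumption of this example).
    """
    try:
        answer = resolve(vbl_query_name(ip, zone))
    except socket.gaierror as exc:
        no_name = (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None))
        # Name does not exist: not in the list. Timeouts and server
        # failures are lookup errors, not a verdict on the sender.
        return "not_listed" if exc.args[0] in no_name else "error"
    # Only the documented answer counts as a listing; any other address
    # (for example a wildcard on a parked zone) must not reject mail.
    return "listed" if answer == LISTED_ANSWER else "error"


def constructed_resolver(name):
    """Constructed stand-in for DNS: exactly one listed address."""
    if name == "4.3.2.1." + VBL_ZONE:
        return LISTED_ANSWER
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8"):
        print(ip, check_vbl(ip, resolve=constructed_resolver))
```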

Why should I use VBL?

Defense in depth - VBL is another source with which spam and viruses can be stopped.
When new viruses are sent via email, AV vendors sometimes do not recognise them immediately as new viruses, but the VBL may aid in stopping them, as a previously known virus may have been sent from the same IP as the new one.
As seen in our timeline of viral outbreak - most AV products are not up to scratch, and anything that can assist in filtering viruses is always of benefit.
