The CBL has a real false positive problem
As I write this, a number of IP addresses in 220.127.116.11/24 are listed in the CBL, and various of them have been listed for some time. There is a problem with this: these CBL-listed IP addresses don't exist. I don't mean 'they aren't supposed to exist'; I mean 'they could only theoretically exist on a secure subnet in our machine room and even if they did exist our firewall wouldn't allow them to pass traffic'. So these IP addresses don't exist in a very strong sense. Yet the CBL lists them and has for some time.
The first false positive problem the CBL has is that they are listing
this traffic at all. We have corresponded with the CBL about this
and these listings (along with listings on other of our subnets)
all come from traffic observed at a single one of their monitoring
points. Unlike what I assumed in the past,
these observations are not coming from parsing
but from real TCP traffic. However they are not connections from
our network, and the university is the legitimate owner and router
of 128.100/16. A CBL observation point that is using false routing
(and is clearly using false routing over a significant period of time)
is an actively dangerous thing; as we can see here, false routing can
cause the CBL to list anything.
The second false positive problem the CBL has is that, as mentioned, we have corresponded with the CBL over this. In that correspondence the CBL spokesperson agreed that the CBL was incorrect in this listing and would get it fixed. That was a couple of months ago, yet a revolving cast of 18.104.22.168/24 IP addresses still gets listed and relisted in the CBL. As a corollary of this, we can be confident that the CBL listening point(s) involved are still using false routes for some of their traffic. You can apply charitable or less charitable assumptions for this lack of actual action on the CBL's part; at a minimum it is clear that some acknowledged false positive problems go unfixed for whatever reason.
I don't particularly have a better option than the CBL these days. But I no longer trust it anywhere near as much as I used to and I don't particularly like its conduct here.
(And I feel like saying something about it so that other people can know and make their own decisions. And yes, the situation irritates me.)
(As mentioned, we've seen similar issues in the past, cf my original 2012 entry on the issue. This time around we've seen it on significantly more IP addresses, we have extremely strong confidence that it is a false positive problem, and most of all we've corresponded with the CBL people about it.)