The Spamhaus Project - Frequently Asked Questions (FAQ)

About Spamhaus | FAQs | News Blog

Frequently Asked Questions (FAQ)

DROP FAQ

What is DROP?

How often should my system fetch the DROP list?

What are "hijacked netblocks"?

How about deploying DROP on CISCO?

How about using DROP on other operating systems?

What else can ISPs use DROP for?

What is DROP?

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list. DROP is a tiny subset of the SBL designed for use by firewalls and routing equipment. The DROP list will not include any IP space allocated to a legitimate network and reassigned - even if reassigned to the proverbial "spammers from hell". DROP includes IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, or other Regional Internet Registries and "portable allocations" (known as "PI") from RIPE.

Spamhaus strongly recommends the use of DROP by tier-1 and backbone networks. Simply consulting the DROP list's webpage when someone asks you to route some suspicious IPs can help avoid picking up customers you would just as soon not have on your network.

How often should my system fetch the DROP list?
	Please DO NOT auto-fetch the DROP list more than once per hour! The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled from the Spamhaus website.

What are "hijacked netblocks"?

A "hijacked netblock" is a netblock brought back from the dead, often by a spammer, also called a "zombie netblock." (The term "zombie" later became widely applied to the infected PC drones in a botnet.) The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys including registering an abandoned domain name to accept email to the point-of-contact domain contact, or printing up bogus letterhead, or doing a bit of human engineering over the telephone. Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their BGP Autonomous System Number.

Oh, and Autonomous Systems are hijacked too. Old abandoned ASNs are taken by a spammer or spammer supplier to announce various IP ranges. So it's quite possible to have a hijacked netblock advertised by a hijacked ASN.

Originally a few crufty geeks found these ranges for cheap digs. While their ownership claims were unethical, they did not use the hijacked networks for abuse. All that changed when spammers entered the picture. Then the hijack game became dominated by spammers (and some script kiddies) and it is now wise to accept no packets, but certainly not e-mail, from zombie networks.

Hijacked netblocks can be found in ranges assigned by every Regional Internet Registry (RIR) including ARIN, RIPE, APNIC, and others. Restoring proper ownership of a hijacked netblock means finding the original owner (often a dissolved company) and jumping through RIR hoops. It's a slow and laborious process, important but not suitable to stopping today's spam.

The peering/transit arrangements for these netblocks changes very quickly. Spamhaus leaves the entire block listed in SBL, categorized under the RIR, and then provides additional pointer records for networks carrying the netblocks's traffic. While such records are often only a single router's IP address (/32), the record will indicate the greater problem (and the problem is much greater than a single IP). Spamhaus may also provide additional SBL records within a hijacked netblock as various SWiPs or single IPs within the netblock are assigned to different spammers. These, too, may serve as pointers to the upstream, as the block is sometimes SWiPed as portable subnets with each spammer left to find their own transit. Many of these hijacked netblocks find their way into a special ROKSO record.

Spamhaus lists entire hijacked networks. Some of them are known to be controlled by particular a spammer and are thus listed under that spammer's ROKSO records. Those that are not assigned to another spammer may be assigned to this record. So, it is suggested that anyone searching for hijacked netblocks under their aegis not only check this record's Current SBL Listings, but also check under their domain name and RIR via the SBL search function.

How about deploying DROP on CISCO?
	The following script by Marco d'Itri deploys DROP on CISCO devices: http://www.linux.it/~md/software/cisco-tools-0.2.tgz Every time it's run by crontab it will download the list and report if there are changes. When run interactively it will remove old entries and ask whether any new entry should be used or not. It can be used to keep bogon filters up to date too.

How about using DROP on other operating systems?

For those who use PC routers, here's a little Perl script to turn the CIDR blocks in the DROP list into Unix route commands. Different versions of route have slightly different syntax, so you need to pick the one that works with your version. Some versions of route take CIDR notation, others require netmasks, so un-comment the one that works for you. (Note the obvious perl one-liner to turn a bit number into a dotted quad.)

To make day-to-day changes, use -o oldfile where oldfile is the previous version, and it'll give you just route delete and route add for the changes. This script is set up to fetch the current list and update once a day, which is frequent enough for nearly all networks, given the slow day-to-day churn and very conservative listing policy of the DROP list.

Please DO NOT auto-fetch the DROP list more than once per hour!

Usual disclaimers...use at your own discretion!

#!/usr/bin/perl
# -*- perl -*-

use Getopt::Std;
use strict;
use vars qw{%nets $n $m $opt_o};

getopts('o:');

while(<>) {
    if(($n, $m) = m{(\d+\.\d+\.\d+\.\d+)/(\d+)}) {
	# local sanity check
	die "local network $n" if $n =~ /^127.|^208.31./;

$nets{$n} = $m;
    } else {
	print "#??? $_\n";
    }
}

# do old thing here sometime
if($opt_o) {
    open(OLD, $opt_o) or die "Cannot open $opt_o $!";

while(<OLD>) {
	if(($n, $m) = m{(\d+\.\d+\.\d+\.\d+)/(\d+)}) {
	    my $mask = join '.',unpack "CCCC", pack "N", -1<<(32-$m);

if(exists $nets{$n} and $nets{$n} == $m) {
		print "# exists route add -net $n/$m\n";
		delete $nets{$n};
	    } else {
		#print "route delete -net $n -netmask $mask\n";
		print "route delete -net $n/$m\n";
	    }
	} else {
	    print "#??? $_\n";
	}
    }
    close OLD;
}

while(($n, $m) = each %nets) {
    my $mask = join '.',unpack "CCCC", pack "N", -1<<(32-$m);

#print "route add -net $n -netmask $m 127.1 -blackhole # m\n";
    print "route add -net $n/$m 127.1 -blackhole\n";

}

This site has a shell script for putting the Spamhaus DROP list in FreeBSD's ipfw.

Here's the code for using DROP in Linux firewalls:

#!/bin/bash

#Script to add firewall rules to a linux system to completely block
#all traffic to and from networks in the spamhaus drop list.

#Copyright 2009, William Stearns, wstearns@pobox.com
#Released under the GPL.  This and other tools can be found at
#http://www.stearns.org/

#Sole (optional) command line parameter is the file location of the
#drop list, such as:

#cd /var/lib/
#wget http://www.spamhaus.org/drop/drop.lasso
# ./spamhaus-drop /var/lib/drop.lasso

#While the DROP file should be regularly updated, this should 
#probably be about once per day or less frequently; do _not_ 
#download DROP more than once an hour.

if [ -n "$1" ]; then
	DropList="$1"
else
	DropList="./drop.lasso"
fi
if [ ! -s "$DropList" ]; then
	echo "Unable to find drop list file $DropList .  Perhaps do:" >&2
	echo "wget http://www.spamhaus.org/drop/drop.lasso -O $DropList"
	echo "exiting." >&2
	exit 1
fi

if [ ! -x /sbin/iptables ]; then
	echo "Missing iptables command line tool, exiting." >&2
	exit 1
fi

cat "$DropList" \
 | sed -e 's/;.*//' \
 | grep -v '^ *$' \
 | while read OneNetBlock ; do
	/sbin/iptables -I INPUT -s "$OneNetBlock" -j DROP
	/sbin/iptables -I OUTPUT -d "$OneNetBlock" -j DROP
	/sbin/iptables -I FORWARD -s "$OneNetBlock" -j DROP
	/sbin/iptables -I FORWARD -d "$OneNetBlock" -j DROP
done

Bill Stearns also provides this tcpdump command line. It's tested on Linux and probably works in any Unix/Posix environment, including Cygwin on Windows. A tcpdump error message "Warning: Kernel filter failed: Cannot allocate memory" seems to indicate that the filter can't fit in kernel memory, and it appears that tcpdump then switches over to filtering in userspace.

tcpdump -tnp `cat /var/lib/drop.lasso | sed -e 's/;.*//' | grep -v '^ *$' | ( read OneAddr ; echo -n "net $OneAddr" ; while read OneAddr ; do echo -n " or net $OneAddr" ; done ; echo )`

Here is a script that converts the DROP list into Qmail's tcpserver blacklist:

#!/usr/bin/perl
#
# This script converts CIDR notation from STDIN or specified files to
# the format used for generating tcpserver's blacklist.
#
# Usage example:
#
# Add this cronjob:
#   0 0 * * * /usr/bin/wget http://www.spamhaus.org/drop/drop.lasso -O- 2>/dev/null|/usr/bin/drop2blacklist.pl >/etc/tcp.smtp.droplist
#
# Then generate your tcpserver's CDB files as follow (or modify qmailctl as needed):
#   cat /etc/tcp.smtp /etc/tcp.smtp.droplist|tcprules /etc/tcp.smtp.cdb /etc/.tcp.smtp.tmp
#   chmod 644 /etc/tcp.smtp.cdb
#
#
# Author: Thomas Guyot-Sionnest <tguyot@gmail.com>
# This script has been released into the public domain.
# This script comes with absolutely no warranty.
#

use strict;
use warnings;
use Net::IP;

# Make this an empty string to remove the trailing dot
my $dot = '.';

while (<>) {
	next if (m/^\s*(?:;.*)?$/);
	s/\s*;.*//;
	my $ip = Net::IP->new($_) or die ("Invalid IP Address: '$_'\n");
	die ("IPv6 not supported\n") if ($ip->version() != 4);
	print map { "$_:deny\n" } rangeexpand($ip->ip(), $ip->last_ip());
}

sub rangeexpand {
	my $lowr = shift;
	my $highr = shift;

return ipexpand(split(/\./, "$lowr.$highr"));
}

sub ipexpand {
	my @low = splice(@_,0,4);
	my @high = splice(@_,0,4);

my @list;
	if ($low[0] != $high[0]) {
		push(@list, ipexpand(@low,$low[0],255,255,255));
		for (my $i=$low[0]+1; $i<$high[0]; $i++) {
			push(@list, ipexpand($i,0,0,0,$i,255,255,255));
		}
		push(@list,ipexpand($high[0],0,0,0,@high));
	} elsif ($low[1] != $high[1]) {
		if ($low[1] == 0 && $high[1] == 255) {
			push(@list,"$low[0]$dot");
		} else {
			push(@list,ipexpand(@low,$low[0],$low[1],255,255));
			for (my $i=$low[1]+1; $i<$high[1]; $i++) {
				push(@list,ipexpand($low[0],$i,0,0,$low[0],$i,255,255));
			}
			push(@list,ipexpand($high[0],$high[1],0,0,@high));
		}
	} elsif ($low[2] != $high[2]) {
		if ($low[2] == 0 && $high[2] == 255) {
			push(@list,"$low[0].$low[1]$dot");
		} else {
			push(@list,ipexpand(@low,$low[0],$low[1],$low[2],255));
			for (my $i=$low[2]+1; $i<$high[2]; $i++) {
				push(@list,ipexpand($low[0],$low[1],$i,0,$low[0],$low[1],$i,255));
			}
			push(@list,ipexpand($high[0],$high[1],$high[2],0,@high));
		}
	} elsif ($low[3] != $high[3]) {
		if ($low[3] == 0 && $high[3] == 255) {
			push(@list,"$low[0].$low[1].$low[2]$dot");
		} else {
			push(@list,map { "$low[0].$low[1].$low[2].$_" } $low[3]..$high[3]);
		}
	} else {
		push(@list,"$low[0].$low[1].$low[2].$low[3]");
	}

return @list
}

What else can ISPs use DROP for?
	Logging customer requests for DNS servers in any DROP-listed IP space is a very good way to discover which customers are infected with DNS-changer malware. Vetting new transit customers' IP ranges against DROP; those ranges are often looking for new routing options. Scoring DROP ranges extra high in such software as SpamAssassin.