Frequently Asked Questions (FAQ)



Spamhaus DBL

What is the DBL?
What do the 127.*.*.* Return Codes mean?
Can I look up IP addresses in the DBL?
SpamAssassin 3.3.1 Upgrade with DBL Support
I am in China. Why is DBL listing non-spam domains such as twitter.com or facebook.com?
Why is my domain listed in DBL?
How do I remove my domain from the DBL?
Is there any fee for removing my domain?
How long will it usually take for my domain to be removed?
Is DBL included in the Spamhaus Zen DNSBL?
How much spam will the DBL block for me?
Can I use DBL in a Response Policy Zone (RPZ)?
Is the DBL similar in function to other domain blocklists?
Can the DBL be used to filter blog spam?
URL shorteners and redirectors - what can they do about abuse?
Can URL shortening services use the DBL to deny bad domains?
Is there any code available to query the DBL in my application?
If my domain is forged in spam, will it be listed?
How often is the DBL zone updated?
How can I test the DBL?
Wildcard queries


What is the DBL?
The Spamhaus Domain Block List (DBL) is a realtime database of spam domains including spam payload URLs, spam sources and senders ("right-hand side"), known spammers and spam gangs, and phish, virus and malware-related sites.

The database is maintained 24/7 by both an automated system and by Spamhaus Project team members around the world.


What do the 127.*.*.* Return Codes mean?
The DBL uses DNS return codes in the 127.0.1.0/24 range. Queries regarding any domain listed in DBL and all IP queries will return a response code. If no code is returned (NXDOMAIN) the domain is not listed in DBL. DBL return codes in current and future use are:

Return Codes    Data Source
127.0.1.2       spam domain
127.0.1.3       spammed redirector domain (no longer in use*)
127.0.1.4       phish domain
127.0.1.5       malware domain
127.0.1.102     abused legit spam
127.0.1.103     abused spammed redirector domain (*entering zone July, 2014)
127.0.1.104     abused legit phish
127.0.1.105     abused legit malware
127.0.1.106     abused legit botnet C&C
127.0.1.255     IP queries prohibited!

This table will be updated as specific DBL categories are added and 127.0.1.* return codes are assigned to them.


Can I look up IP addresses in the DBL?
NO!

The DBL is a domain-only blocklist and does not include or support IP addresses. It only includes domain names (text strings, not dotted quads). Do not use it the same way as Spamhaus' other IP-based DNSBLs. An IP query against the DBL always returns a positive (listed) return code. If you expect to receive legitimate emails containing http links specified as IP addresses (e.g. "http://1.1.1.1"), wrongly using DBL this way will reject them.

You must not put 'dbl.spamhaus.org' into any email server 'DNSBL' or 'RBLs' feature, spam firewall or spam filter unless it specifically states that blocklists entered there are used for domain checking only. If you are unsure, ask your spam filter developer.

To prevent a build-up of wasted IP query traffic to the DBL zone, which would grow exponentially to problematic levels if left unchecked, Spamhaus DNS returns the code 127.0.1.255 to IP queries to the DBL zone, along with a TXT record referring to this FAQ page.

Look up IP addresses only in Spamhaus's IP-based zones (such as Zen).


SpamAssassin 3.3.1 Upgrade with DBL Support
SpamAssassin users: Since version 3.3.1, SA has had code to deal specifically with domain-only URI BLs such as the DBL. It includes a new feature called "URIBL_DBL_SPAM". Before using the DBL, Spamhaus strongly recommends you upgrade to 3.3.1 or later. You can get the newest versions from:
http://spamassassin.apache.org/downloads.cgi

SpamAssassin versions prior to 3.3.1 query URI blocklists for URIs of both the domain type ("http://abc.domain.tld") and the IP type ("http://1.1.1.1"). However, DBL does not support IP queries (in fact it prohibits them).

Although it is possible to add DBL to existing versions of SpamAssassin, you risk wrongly flagging legitimate email if it contains an IP address http link ("http://1.1.1.1"). Of course, such links are notoriously common in spam; however, the possibility exists that some legitimate mail can contain IP address http links, so use at your own risk! (If you want zero risk, upgrade your SpamAssassin.)

URI IP queries must go to Spamhaus IP DNSBLs such as the SBL (already included in SA as the URIBL_SBL rule).


I am in China. Why is DBL listing non-spam domains such as twitter.com or facebook.com?

The DBL is not listing twitter.com, facebook.com or other social network domains. However, as part of the Golden Shield Project (most commonly known as the Great FireWall of China) operated by the Ministry of Public Security (MPS) division of the government of China, DNS packets entering or exiting China can be altered by the Great FireWall if they contain particular keywords or domains.

As it turns out, these filters are implemented in a very crude and rudimentary way so as to alter answers to Spamhaus DBL queries that are crossing the firewall (in both directions). So, for instance, our servers answer NXDOMAIN (meaning "this domain is not listed") to queries for twitter.com.dbl.spamhaus.org, but this answer may become something like

        twitter.com.dbl.spamhaus.org. IN	A	159.106.121.75
upon crossing the China Internet boundary. Any software interpreting the presence of an A record as a signal that the domain is listed by DBL would then block mail from twitter.com in error.

This interference of the Chinese government's system with the operation of the Spamhaus infrastructure has the following consequences:

  1. Spamhaus has servers in China to better serve the Chinese user base, but those servers cannot be used to serve the DBL, to avoid degrading service for users located outside China who happen to query them. So they are only used to answer queries about IP addresses (SBL, PBL, XBL).

  2. Spamhaus users in China will get all DBL answers from servers located outside China, and therefore answers can be altered as described above. It is therefore fundamental that all users in China validate our responses by having their software check that the A record is a valid one in the range 127.0.1.0-127.0.1.255. Any other code is a Great Firewall artifact, and in that case it must be assumed that the queried domain is not listed by DBL.
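
A lookup routine that applies the rules from the return-code table, the IP-query prohibition and the range validation above, written as an added example (not Spamhaus code). The names `check_dbl`, `system_resolver` and `sample_resolver` are hypothetical, and the sample answers are constructed from values quoted on this page so the block runs offline.

```python
import ipaddress
import socket

DBL_ZONE = "dbl.spamhaus.org"
DBL_NET = ipaddress.ip_network("127.0.1.0/24")  # the only valid answer range
IP_QUERY_PROHIBITED = ipaddress.ip_address("127.0.1.255")
DBL_CODES = {  # labels copied from the return-code table on this page
    "127.0.1.2": "spam domain", "127.0.1.3": "spammed redirector domain",
    "127.0.1.4": "phish domain", "127.0.1.5": "malware domain",
    "127.0.1.102": "abused legit spam", "127.0.1.104": "abused legit phish",
    "127.0.1.103": "abused spammed redirector domain",
    "127.0.1.105": "abused legit malware", "127.0.1.106": "abused legit botnet C&C",
}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))  # brackets: IPv6 in a URL
        return True
    except ValueError:
        return False

def system_resolver(name):
    """A records from the OS resolver; lookup failures count as no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_dbl(host, resolve=system_resolver):
    """Return (listed, detail) for a hostname; IP literals are never queried."""
    host = host.strip().rstrip(".").lower()
    if not host or is_ip_literal(host):
        return (False, "skipped: DBL is domain-only")
    valid = []
    for addr in resolve(f"{host}.{DBL_ZONE}"):
        ip = ipaddress.ip_address(addr)
        if ip == IP_QUERY_PROHIBITED:
            return (False, "error: zone answered as if this were an IP query")
        if ip in DBL_NET:  # answers outside the range are discarded
            valid.append(addr)
    if not valid:
        return (False, "not listed")
    return (True, "; ".join(DBL_CODES.get(a, "unassigned code") for a in valid))

SAMPLE_ANSWERS = {  # constructed answers standing in for DNS (offline)
    "dbltest.com.dbl.spamhaus.org": ["127.0.1.2"],       # test point on this page
    "twitter.com.dbl.spamhaus.org": ["159.106.121.75"],  # altered answer quoted above
}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    print([check_dbl(h, sample_resolver) for h in ("dbltest.com", "twitter.com", "1.1.1.1")])
```

The OS resolver call used in `system_resolver` cannot tell NXDOMAIN from a resolver failure, so an outage reads as "not listed"; a filter that needs to distinguish the two should use a DNS library that exposes the response code.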



Why is my domain listed in DBL?

We do not discuss specific criteria for inclusion in DBL but many factors are evaluated. Domains must match several criteria in order to be listed. While we will not spell out specific listing criteria, we can make some general suggestions for domains to build a good reputation and avoid DBL. DBL listings are reevaluated automatically all the time, and they expire automatically when listing criteria are no longer met.

Reputations are built over time, and building a good reputation takes longer than building a bad reputation. Prudence and experience show that an unknown reputation has a much higher risk of spam than known good domains, so new reputations start out poor. If you use your domain in legitimate traffic for enough time to establish a good reputation, DBL will notice that and remove the listing. Of course, it will also notice if you use your domain for poor reputational activities such as spam or other "blackhat" things.

Snowshoe spamming uses many domains and IPs which change frequently. Legitimate bulk email builds a reputation over time on durable, long-term domains and IPs. Due to that time and effort investment, reputable mailers don't use nearly as many domains, and fewer IPs, than snowshoers. Domains which act like snowshoers get treated like snowshoers.

SPF, DKIM, and/or DMARC are all valuable tools for senders but they can all be used by spammers as well as by good senders, so they are not effective indicators of spamminess. Use them if they help your mail's delivery but they are independent of DBL listings.

If you use your domain in bulk email, be sure that you follow best practices for sending only opt-in, solicited bulk mail. See our Marketing FAQ for more information or consult industry experts or good deliverability consultants for further assistance. Sending spam will cause DBL to list your domain. So will other cyber crime and "blackhat" activities.

Host your domain on good, clean ISPs which do not allow spammers on their network. That includes your domain's A, NS, MX and website DNS records. Hosting on spammer IPs or servers, or even on ISPs which tolerate spammers, has a negative effect on the reputation of all domains on that network. Domain and IP reputations affect each other.



How do I remove my domain from the DBL?
DBL is highly automated and most listings will expire automatically after they cease to appear in spam. Similarly, domains are listed in DBL Zone automatically, and they may re-list automatically after removal if they are re-detected.

While DBL is careful to not list innocent domains, it's possible that a domain may need to be removed from DBL before the listing expires. If you think your domain is listed and should be removed, use the Blocklist Removal Center link on our homepage, look up your domain and follow the instructions returned by that lookup form.

Excessive removers and other removal form abusers may be blocked.


Is there any fee for removing my domain?
No. There is never any charge or fee associated with removing any Spamhaus listing. Any offer from anyone to remove any Spamhaus listing for you for a fee is a scam. Spamhaus has no affiliation with anyone offering any 'blocklist removal' service, nor can any third party influence or expedite removals from any Spamhaus database.


How long will it usually take for my domain to be removed?
If the system allows the removal request, then the request will be processed immediately. It will then take minutes to propagate the removal across the internet, at most one hour.


Is DBL included in the Spamhaus Zen DNSBL?
No. Zen is an IP address DNSBL zone. Zen lists numeric IP address zones only, not domains. The DBL is a purely domain-based zone and must be queried separately by software capable of extracting URLs (domains) from email message bodies and headers.


How much spam will the DBL block for me?
This depends on a number of factors: how many mail-receiving domains you host, how many email addresses in those domains have been harvested by spammers, and what filters you apply before DBL. The DBL targets the website domains that spammers include in spam emails. Current tests show that DBL alone can stop between 60% and 90% of spam in message body URI checks. In addition, DBL can stop a small margin more by testing HELO/EHLO and envelope sender domains during SMTP transactions.

The DBL is meant to be used in conjunction with IP address based blocklists such as the Spamhaus SBL (Spamhaus Block List), the Spamhaus XBL (Exploits Block List) and the Spamhaus PBL (Policy Block List). Those should be used to block spam at SMTP connection time. (The combination of all three of those IP blocklists is available in our Spamhaus Zen zone).

When using SpamAssassin, or similar, the DBL can be used alongside the feature called URIBL_SBL.

See the Spam Filtering Guide with charts and details on how the Blocklists function.


Can I use DBL in a Response Policy Zone (RPZ)?
Yes! A Response Policy Zone (RPZ), also known as a "DNS firewall," is highly effective at protecting your network and its users from not only spam but malware of many kinds including bots, spyware and other malicious attack vectors. For more information see our news piece Spamhaus' DBL as a Response Policy Zone (RPZ) and also this RPZ whitepaper.


Is the DBL similar in function to other domain blocklists?
In function, yes. The Spamhaus DBL is a URI BL or RHS (Right-Hand-Side) BL comprised of domains only. The way it is queried is similar to other widely used domain blocklists such as SURBL and URIBL, however there are some technical differences in what it lists, what can be queried, the query return codes, etc., which developers need to be aware of.

DBL listing policies differ from other domain blocklists as each blocklist has its own set of policies, but like SURBL and URIBL, DBL is all about blocking spam and not blocking legitimate mail.


Can the DBL be used to filter blog spam?
Yes. Many of the same spammers who pump junk into email boxes also spam blog comment sections (and guestbooks). Most blogging software now does a good job in catching comment spam, but if needed, the DBL is able to detect some of the domains used and can flag or block these postings.


URL shorteners and redirectors - what can they do about abuse?
  • Don't redirect to domains on DBL or SURBL lists.
  • Don't redirect to domains with the A RR on SBL and possibly XBL (your call).
  • Check those blocklists at the time of URL creation and again, later, as traffic on the new URL ramps up (a day or a week).
  • Don't daisychain redirectors! (Includes both 'don't shorten shorteners' and 'don't accept referrals from shorteners.' Either side can cut the chain.) We are adamant about that. DBL has a specific return code for redirectors in the DBL zone: 127.0.1.3. (Note: "abused legit redirectors" will return 127.0.0.103 beginning July 1, 2014.)
  • Don't allow users to change the landing URL.
  • Fully suspend (404) the offending URL; don't provide an interstitial link on to the spammer's payload.
  • Role Accounts & Feedback Loops (FBL) - Process those promptly.
  • Also see http://www.surbl.org/redirection-sites.


Can URL shortening services use the DBL to deny bad domains?
Yes. Spammers are using URL shortening services constantly to try and avoid spam filter systems that use tools such as the DBL. URL shortening services should check every URI's domain against the DBL and not allow ones that are listed. Note that domains that map to SBL IP space should also be disallowed. See FAQ URL shorteners and redirectors in the ISP Spam Issues section for more tips on dealing with abuse of shorteners.


Is there any code available to query the DBL in my application?
We have seen that others have published code to do DNS lookups on the DBL. Here is one in PHP. This one in Python written for checking SURBL could be modified to work with DBL.


If my domain is forged in spam, will it be listed?
The DBL is built predominantly using automated spamtraps and email flow monitoring. It has many checks to prevent legitimate domains being listed. Even a large spam run that forges a legitimate domain will not cause a domain listing.

Nor is it possible for someone (say your competitor) to get your domain blacklisted by simply forging your domain and sending us a spam report. Spamhaus does not accept or process spam reports from the public.

Our system also ignores legitimate domains seen in backscatter bounce messages.


How often is the DBL zone updated?
The DBL DNS zone is rebuilt and reloaded every 60 seconds, 24/7, to ensure that new spam domains are blocked and that any mistaken listings are swiftly removed. For high redundancy there are over 70 public DBL (and Zen) mirrors located in many nations around the world. Each DBL mirror is independently run as a free service to the Internet community and all respond in realtime to public queries of dbl.spamhaus.org. DBL DNS mirrors are located in: Argentina, Belgium, Denmark, France, Germany, Greece, Italy, the Netherlands, Russia, Singapore, Spain, South Africa, Venezuela, the UK and USA.



How can I test the DBL?
Two ways! First, the DBL follows RFC5782 for determining whether a URI zone is operational with an entry for TEST. Second, the DBL has a specific domain for testing DBL applications: dbltest.com. To test functionality of the DBL use the host or dig command to do a manual query. (If you need to look up a domain in the DBL via the web, use the domain lookup form at our Blocklist Removal Center. Do not query our website with automated tools.)

RFC5782 operational test
  Query: test.dbl.spamhaus.org
  Result: test.dbl.spamhaus.org IN A 127.0.1.2

Listed Test Results
  Query: dbltest.com.dbl.spamhaus.org
  Result: dbltest.com.dbl.spamhaus.org IN A 127.0.1.2

Not Listed Test Results
  Query: example.com.dbl.spamhaus.org
  Result: Host example.com.dbl.spamhaus.org not found: 3(NXDOMAIN)
  (Note: the IANA reserved "example.com" domain will never appear in the DBL zone)

Test Point TXT Record
  Query: TXT dbltest.com.dbl.spamhaus.org
  Result: TXT "http://www.spamhaus.org/query/dbl?domain=dbltest.com"


Wildcard queries
The DBL supports wildcard lookups. Querying the full hostname will return a positive result if the host's domain is listed. Therefore, stripping the hostname down to query only the actual domain is optional, not necessary.

For example, if spammer.tld is listed:
  $ host spammer.tld.dbl.spamhaus.org
  spammer.tld.dbl.spamhaus.org has address 127.0.1.2
Any *.spammer.tld sub-domain will also get the same response:
  $ host www.barclays.bank.spammer.tld.dbl.spamhaus.org
  www.barclays.bank.spammer.tld.dbl.spamhaus.org has address 127.0.1.2
The wildcard query works for subdomains only, and not variations of the domain itself:
  $ host notspammer.tld.dbl.spamhaus.org
  notspammer.tld.dbl.spamhaus.org not found: 3(NXDOMAIN)
This enables the DBL to be used for both URI type queries (domains in links advertised in spam) and RHSBL type queries such as rDNS, HELO string, Sender and other email headers.


    © 1998-2014 The Spamhaus Project Ltd. All rights reserved.