Frequently Asked Questions (FAQ)



Spamhaus DBL

What is the DBL?
What do the 127.*.*.* Return Codes mean?
Can I look up IP addresses in the DBL?
SpamAssassin 3.3.1 Upgrade with DBL Support
Why is my domain listed in DBL?
How do I remove my domain from the DBL?
Is there any fee for removing my domain?
How long will it usually take for my domain to be removed?
I am in China. Why is DBL listing non-spam domains such as twitter.com or facebook.com?
Is DBL included in the Spamhaus Zen DNSBL?
How much spam will the DBL block for me?
Can I use DBL in a Response Policy Zone (RPZ)?
Is the DBL similar in function to other domain blocklists?
Tell me more about the "abused legit" part of DBL?
Do the "abused legit" or "abused redirector" listings include full URL/URI links?
Do "abused legit" categories include illegitimate domains?
How does listing/delisting work for "abused legit" DBL listings?
Can the DBL be used to filter blog spam?
URL shorteners and redirectors - what can they do about abuse?
Can URL shortening services use the DBL to deny bad domains?
Is there any code available to query the DBL in my application?
If my domain is forged in spam, will it be listed?
How often is the DBL zone updated?
How can I test the DBL?
Wildcard queries


What is the DBL?
The Spamhaus Domain Block List (DBL) is a realtime database of spam domains including spam payload URLs, spam sources and senders ("right-hand side"), known spammers and spam gangs, and phish, virus and malware-related sites.

The database is maintained 24/7 by both an automated system and by Spamhaus Project team members around the world.


What do the 127.*.*.* Return Codes mean?
The DBL uses DNS return codes in the 127.0.1.0/24 range. Queries regarding any domain listed in DBL and all IP queries will return a response code. If no code is returned (NXDOMAIN) the domain is not listed in DBL. DBL return codes in current and future use are:

Return Code     Data Source
127.0.1.2       spam domain
127.0.1.3       spammed redirector domain (no longer in use*)
127.0.1.4       phish domain
127.0.1.5       malware domain
127.0.1.6       botnet C&C domain
127.0.1.102     abused legit spam
127.0.1.103     abused spammed redirector domain (*entering zone July, 2014)
127.0.1.104     abused legit phish
127.0.1.105     abused legit malware
127.0.1.106     abused legit botnet C&C
127.0.1.255     IP queries prohibited!

This table will be updated as specific DBL categories are added and 127.0.1.* return codes are assigned to them.


Can I look up IP addresses in the DBL?
NO!

The DBL is a domain-only blocklist and does not include or support IP addresses. It only includes domain names (text strings, not dotted quads). Do not use it the same way as Spamhaus' other IP-based DNSBLs. An IP query against the DBL always returns a positive (listed) return code. If you expect to receive legitimate emails containing http links specified as IP addresses (e.g. "http://1.1.1.1"), wrongly using DBL this way will reject them.

You must not put 'dbl.spamhaus.org' into any email server 'DNSBL' or 'RBLs' feature, spam firewall or spam filter unless it specifically states that blocklists entered there are used for domain checking only. If you are unsure, ask your spam filter developer.

To prevent a build-up of wasted IP query traffic to the DBL zone, which would grow exponentially to problematic levels if left unchecked, Spamhaus DNS returns the code 127.0.1.255 to IP queries to the DBL zone, along with a TXT record referring to this FAQ page.

Look up IP addresses only in Spamhaus's IP-based zones (such as Zen).


SpamAssassin 3.3.1 Upgrade with DBL Support
SpamAssassin users: Since version 3.3.1, SA has had code to deal specifically with domain-only URI BLs such as the DBL. It includes a new feature called "URIBL_DBL_SPAM". Before using the DBL, Spamhaus strongly recommends you upgrade to 3.3.1 or later. You can download the newest versions from:
http://spamassassin.apache.org/downloads.cgi

SpamAssassin versions prior to 3.3.1 query URI blocklists for both domain URIs ("http://abc.domain.tld") and IP URIs ("http://1.1.1.1"). However, DBL does not support IP queries (in fact it prohibits them).

Although it is possible to add DBL to existing versions of SpamAssassin, you risk wrongly flagging legitimate email if it contains an IP address http link ("http://1.1.1.1"). Such links are notoriously common in spam, but some legitimate mail can contain IP address http links too, so use at your own risk! (If you want zero risk, upgrade your SpamAssassin.)

URI IP queries must go to Spamhaus IP DNSBLs such as the SBL (already included in SA as the URIBL_SBL rule).


Why is my domain listed in DBL?

We do not discuss specific criteria for inclusion in DBL but many factors are evaluated. Domains must match several criteria in order to be listed. While we will not spell out specific listing criteria, we can make some general suggestions for domains to build a good reputation and avoid DBL. DBL listings are reevaluated automatically all the time, and they expire automatically when listing criteria are no longer met.

Reputations are built over time, and building a good reputation takes longer than building a bad reputation. Prudence and experience show that an unknown reputation has a much higher risk of spam than known good domains, so new reputations start out poor. If you use your domain in legitimate traffic for enough time to establish a good reputation, DBL will notice that and remove the listing. Of course, it will also notice if you use your domain for poor reputational activities such as spam or other "blackhat" things.

Snowshoe spamming uses many domains and IPs which change frequently. Legitimate bulk email builds a reputation over time on durable, long-term domains and IPs. Due to that time and effort investment, reputable mailers don't use nearly as many domains, and fewer IPs, than snowshoers. Domains which act like snowshoers get treated like snowshoers.

SPF, DKIM, and/or DMARC are all valuable tools for senders but they can all be used by spammers as well as by good senders, so they are not effective indicators of spamminess. Use them if they help your mail's delivery but they are independent of DBL listings.

If you use your domain in bulk email, be sure that you follow best practices for sending only opt-in, solicited bulk mail. See our Marketing FAQ for more information or consult industry experts or good deliverability consultants for further assistance. Sending spam will cause DBL to list your domain. So will other cyber crime and "blackhat" activities.

Host your domain on good, clean ISPs which do not allow spammers on their network. That includes your domain's A, NS, MX and website DNS records. Hosting on spammer IPs or servers, or even on ISPs which tolerate spammers, has a negative effect on the reputation of all domains on that network. Domain and IP reputations affect each other.



How do I remove my domain from the DBL?
DBL is highly automated and most listings will expire automatically after they cease to appear in spam. Similarly, domains are listed in DBL Zone automatically, and they may re-list automatically after removal if they are re-detected.

While DBL is careful to not list innocent domains, it's possible that a domain may need to be removed from DBL before the listing expires. If you think your domain is listed and should be removed, use the Blocklist Removal Center link on our homepage, look up your domain and follow the instructions returned by that lookup form.

Excessive removers and other removal form abusers may be blocked.


Is there any fee for removing my domain?
No. There is never any charge or fee associated with removing any Spamhaus listing. Any offer from anyone to remove any Spamhaus listing for you for a fee is a scam. Spamhaus has no affiliation with anyone offering any 'blocklist removal' service, nor can any third party influence or expedite removals from any Spamhaus database.


How long will it usually take for my domain to be removed?
If the system allows the removal request, then the request will be processed immediately. It will then take minutes to propagate the removal across the internet, at most one hour.


I am in China. Why is DBL listing non-spam domains such as twitter.com or facebook.com?

The DBL is not listing twitter.com, facebook.com or other social network domains. However, as part of the Golden Shield Project (most commonly known as the Great FireWall of China) operated by the Ministry of Public Security (MPS) division of the government of China, DNS packets entering or exiting China can be altered by the Great FireWall if they contain particular keywords or domains.

As it turns out, these filters are implemented in a very crude and rudimentary way which may alter answers to Spamhaus DBL queries that are crossing the firewall (in both directions). So, for instance, our servers answer NXDOMAIN (meaning "this domain is not listed") to queries for twitter.com.dbl.spamhaus.org, but this answer may become something like

        twitter.com.dbl.spamhaus.org. IN	A	159.106.121.75
upon crossing the China Internet boundary. Any software interpreting the presence of an A record as a signal that the domain is listed by DBL would then block mail from twitter.com in error.

This interference of the Chinese government's system with the operation of the Spamhaus infrastructure has the following consequences:

  1. Spamhaus has servers in China to better serve the Chinese user base, but those servers cannot be used to serve the DBL, in order to avoid a disservice to users outside China who happen to query them. So they are only used to answer queries relating to IP addresses (SBL, PBL, XBL).

  2. Spamhaus users in China will get all DBL answers from servers located outside China, and therefore answers can be altered as described above. It is therefore fundamental that all users in China validate our responses by having their software check that the A record is a valid one in the range 127.0.1.0-127.0.1.255. Any other code is a Great Firewall artifact and in this case it must be assumed that the queried domain is not listed by DBL.



Is DBL included in the Spamhaus Zen DNSBL?
No. Zen is an IP address DNSBL zone. Zen lists numeric IP address zones only, not domains. The DBL is a purely domain-based zone and must be queried separately by software capable of extracting URLs (domains) from email message bodies and headers.


How much spam will the DBL block for me?
This depends on a number of factors: how many mail-receiving domains you host, how many email addresses in those domains have been harvested by spammers, and what filters you apply before DBL. The DBL targets the website domains that spammers include in spam emails. Current tests show that DBL alone can stop between 60% and 90% of spam in message body URI checks. In addition, DBL can stop a small margin more by testing HELO/EHLO and envelope sender domains during SMTP transactions.

The DBL is meant to be used in conjunction with IP address based blocklists such as the Spamhaus SBL (Spamhaus Block List), the Spamhaus XBL (Exploits Block List) and the Spamhaus PBL (Policy Block List). Those should be used to block spam at SMTP connection time. (The combination of all three of those IP blocklists is available in our Spamhaus Zen zone).

When using SpamAssassin, or similar, the DBL can be used alongside the feature called URIBL_SBL.

See the Spam Filtering Guide with charts and details on how the Blocklists function.


Can I use DBL in a Response Policy Zone (RPZ)?
Yes! A Response Policy Zone (RPZ), also known as a "DNS firewall," is highly effective at protecting your network and its users from not only spam but malware of many kinds including bots, spyware and other malicious attack vectors. For more information see our news piece Spamhaus' DBL as a Response Policy Zone (RPZ) and also this RPZ whitepaper.


Is the DBL similar in function to other domain blocklists?
In function, yes. The Spamhaus DBL is a URI BL or RHS (Right-Hand-Side) BL comprised of domains only. The way it is queried is similar to other widely used domain blocklists such as SURBL and URIBL, however there are some technical differences in what it lists, what can be queried, the query return codes, etc., which developers need to be aware of.

DBL listing policies differ from other domain blocklists as each blocklist has its own set of policies, but like SURBL and URIBL, DBL is all about blocking spam and not blocking legitimate mail.


Tell me more about the "abused legit" part of DBL?
In July 2014 Spamhaus DBL began listing domains which are generally legitimate but are abused by spammers through exploits/hacking. We call these domains "abused legit" (to signify that the domain owners are legitimate, honest folk whose servers have simply been hacked) and these listings have a DBL return code in the 127.0.1.100+ range. Among the most common abuses we see are hacked content management system pages (CMS like WordPress or Joomla) which return 127.0.1.102 in dbl.spamhaus.org. Many have Stealrat infections (Google it) and therefore return 127.0.1.105 or 127.0.1.106 return codes.

Like all DBL listings, we list these domains as soon as we detect abuse in order to protect DBL users from spam. Since we know there are legitimate users of these domains, we provide immediate, no-questions-asked removals for administrators of these domains and we also expire these DBL listings quickly, usually a day after last detection. Admins of "abused legit" sites should follow the normal removal procedure starting from our Blocklist Removal Center. It will route your removal request appropriately.

As a routine part of cleaning up after such an intrusion, we strongly suggest that the pages the spammer inserted should return appropriate "page not found" HTTP errors. 403, 404 or 410 are suitable response headers. That is especially important when the domain is in front of a shared web hosting resource which was abused.

Admin.ch offers a paper on how to clean up compromised websites, available in several languages: English, French, German and Italian. Spamhaus' news blog has a good article on how to Stop Spammers from Exploiting your Webserver. WordPress has an FAQ, My site was hacked, with lots of tips and links.



Do the "abused legit" or "abused redirector" listings include full URL/URI links?

No. DBL zone listings include only the domain, not the full directory path of URL/URIs. We suggest that redirector domains (and any other domains concerned about their security and reputation, for that matter) set up appropriate "Role Accounts" & "Feedback Loops" to be notified of such problems. In some cases, additional DBL information may be available for admins of hacked CMS sites. Start the removal procedure from our Blocklist Removal Center and follow the steps from there.



Do "abused legit" categories include illegitimate domains?
No. Domains in DBL are listed in either "abused legit" or in normal spam, malware or phish return-code categories, not in both. Return codes under .100 (spam, malware, etc.) represent dedicated "known bad" domains, while those over .100 ("abused legit") should all have legitimate uses in addition to the bad stuff. They are often hacked websites, often with unpatched Content Management System (CMS) packages such as Joomla or WordPress. They are frequently infected with Stealrat remote access trojan malware.


How does listing/delisting work for "abused legit" DBL listings?

Listing, delisting and removal of "abused legit" work just like regular DBL listings, however some heuristics of DBL are tuned to minimize listings which could cause false positive mail interceptions. For example, "abused legit" listings time out much faster than other listings. Keeping false positives near zero, like all of DBL, is an important goal of the "abused legit" segment of DBL. Admins of "abused legit" sites should follow the normal DBL removal procedure starting from our Blocklist Removal Center. It will route your removal request appropriately.



Can the DBL be used to filter blog spam?
Yes. Many of the same spammers who pump junk into email boxes also spam blog comment sections (and guestbooks). Most blogging software now does a good job in catching comment spam, but if needed, the DBL is able to detect some of the domains used and can flag or block these postings.


URL shorteners and redirectors - what can they do about abuse?
  • DBL has a specific return code for abused redirectors in the DBL zone: 127.0.1.103. (See blog article Changes in Spamhaus DBL DNSBL return codes, 2014-06-15.)
  • Don't daisychain redirectors! That includes both 'Don't shorten shorteners' and 'Don't accept referrals from shorteners.' Either side can cut the chain.
  • Don't redirect to domains on DBL or SURBL lists.
  • Don't redirect to domains with the A RR on SBL and possibly XBL (your call).
  • Check those blocklists at the time of URL creation and again, later, as traffic on the new URL ramps up (a day or a week).
  • Don't allow users to change the landing URL after the redirect is created.
  • Don't provide an interstitial link on to the spammer's payload. Fully suspend the offending URL (404 or 410 HTTP return).
  • Do create and maintain Role Accounts & Feedback Loops (FBL) to help detect abuse. Process that information promptly.
  • Also see http://www.surbl.org/redirection-sites.


    Can URL shortening services use the DBL to deny bad domains?
    Yes. Spammers are using URL shortening services constantly to try and avoid spam filter systems that use tools such as the DBL. URL shortening services should check every URI's domain against the DBL and not allow ones that are listed. Note that domains that map to SBL IP space should also be disallowed. See FAQ URL shorteners and redirectors in the ISP Spam Issues section for more tips on dealing with abuse of shorteners.


    Is there any code available to query the DBL in my application?
    We have seen that others have published code to do DNS lookups on the DBL. Here is one in PHP. This one in Python written for checking SURBL could be modified to work with DBL.
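
A minimal lookup client, added here as an example (it is not Spamhaus code and not the PHP or Python code referred to above). It applies three rules from this FAQ: never send IP literals to the DBL, accept only answers inside 127.0.1.0/24, and treat 127.0.1.255 as an error rather than a listing. The names `dbl_lookup`, `Verdict` and `sample_resolver`, the host `hacked-cms.example` and the fail-open choice on DNS errors are assumptions of this example.

```python
import ipaddress
import socket
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

DBL_ZONE = "dbl.spamhaus.org"
DBL_NET = ipaddress.ip_network("127.0.1.0/24")
# Return codes as listed in the table in this FAQ.
CATEGORIES = {2: "spam domain", 3: "spammed redirector domain", 4: "phish domain",
              5: "malware domain", 6: "botnet C&C domain", 102: "abused legit spam",
              103: "abused spammed redirector domain", 104: "abused legit phish",
              105: "abused legit malware", 106: "abused legit botnet C&C"}

class Verdict(NamedTuple):
    listed: bool
    code: Optional[int]      # last octet of the 127.0.1.x answer, if any
    category: str
    abused_legit: bool       # codes over .100, per this FAQ

def system_resolver(name):
    """A records for name via the OS resolver; [] on NXDOMAIN or any lookup error."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []  # assumption of this example: fail open on DNS errors

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def dbl_lookup(host, resolver=system_resolver):
    """Classify one hostname; the resolver is injectable so the logic runs offline."""
    host = host.strip().rstrip(".").lower()
    if not host or is_ip_literal(host):
        return Verdict(False, None, "not queried (DBL is domain-only)", False)
    for answer in resolver(f"{host}.{DBL_ZONE}"):
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue
        if addr not in DBL_NET:
            continue  # outside 127.0.1.0/24: altered in transit, so not a listing
        code = addr.packed[-1]
        if code == 255:
            return Verdict(False, 255, "error: IP queries prohibited", False)
        return Verdict(True, code, CATEGORIES.get(code, "unassigned DBL code"), code > 100)
    return Verdict(False, None, "not listed", False)

def dbl_lookup_url(url, resolver=system_resolver):
    """Check the host part of a URL; IP-literal links are never sent to the DBL."""
    return dbl_lookup(urlsplit(url).hostname or "", resolver)

# Constructed sample answers (no network needed). The twitter.com record is the
# altered answer quoted in this FAQ; hacked-cms.example is made up.
SAMPLE = {"dbltest.com.dbl.spamhaus.org": ["127.0.1.2"],
          "twitter.com.dbl.spamhaus.org": ["159.106.121.75"],
          "hacked-cms.example.dbl.spamhaus.org": ["127.0.1.105"]}

def sample_resolver(name):
    return SAMPLE.get(name, [])
```

Pass `sample_resolver` as the second argument to exercise the logic offline; the default resolver queries the live zone through the system's DNS.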


    If my domain is forged in spam, will it be listed?
    The DBL is built predominantly using automated spamtraps and email flow monitoring. It has many checks to prevent legitimate domains being listed. Even a large spam run that forges a legitimate domain will not cause a domain listing.

    Nor is it possible for someone (say your competitor) to get your domain blacklisted by simply forging your domain and sending us a spam report. Spamhaus does not accept or process spam reports from the public.

    Our system also ignores legitimate domains seen in backscatter bounce messages.


    How often is the DBL zone updated?
    The DBL DNS zone is rebuilt and reloaded every 60 seconds, 24/7, to ensure that new threat domains are blocked and that any mistaken listings are swiftly removed. For high redundancy Spamhaus has over 100 public DNSBL mirror servers located around the world. Each mirror is independently run as a free service to the Internet community and all respond in realtime to public queries.



    How can I test the DBL?
    Two ways! First, the DBL follows RFC5782 for determining whether a URI zone is operational, with an entry for TEST. Second, the DBL has a specific domain for testing DBL applications: dbltest.com. To test functionality of the DBL, use the host or dig command to do a manual query. (If you need to look up a domain in the DBL via the web, use the domain lookup form at our Blocklist Removal Center. Do not query our website with automated tools.)

    RFC5782 operational test
      Query:  test.dbl.spamhaus.org
      Result: test.dbl.spamhaus.org IN A 127.0.1.2

    Listed Test Results
      Query:  dbltest.com.dbl.spamhaus.org
      Result: dbltest.com.dbl.spamhaus.org IN A 127.0.1.2

    Not Listed Test Results
      Query:  example.com.dbl.spamhaus.org
      Result: Host example.com.dbl.spamhaus.org not found: 3(NXDOMAIN)
      (Note: the IANA reserved "example.com" domain will never appear in the DBL zone)

    Test Point TXT Record
      Query:  TXT dbltest.com.dbl.spamhaus.org
      Result: TXT "http://www.spamhaus.org/query/dbl?domain=dbltest.com"


    Wildcard queries
    The DBL supports wildcard lookups. Querying the full hostname will return a positive result if the host's domain is listed. Therefore, it is optional and not necessary to strip the hostname down to query the actual domain only.

    For example, if spammer.tld is listed:
      $ host spammer.tld.dbl.spamhaus.org
      spammer.tld.dbl.spamhaus.org has address 127.0.1.2
    Any *.spammer.tld sub-domain will also get the same response:
      $ host www.barclays.bank.spammer.tld.dbl.spamhaus.org
      www.barclays.bank.spammer.tld.dbl.spamhaus.org has address 127.0.1.2
    The wildcard query works for subdomains only, and not variations of the domain itself:
      $ host notspammer.tld.dbl.spamhaus.org
      notspammer.tld.dbl.spamhaus.org not found: 3(NXDOMAIN)
    This enables the DBL to be used for both URI type queries (domains in links advertised in spam) and RHSBL type queries such as rDNS, HELO string, Sender and other email headers.


    © 1998-2014 The Spamhaus Project Ltd. All rights reserved.