About the Data
The Spamhaus Blocklist contains IP addresses that have been identified as malicious. These IPs are being observed in adversarial activity, e.g. sending spam, snowshoe spamming, hosting malicious content, behaving like a bulletproof hosting company or hijacking IP space. Both individual IPs and IP ranges are provided in this dataset.
Policy statement
IP addresses are listed on the SBL because they appear to Spamhaus to be under the control of, used by, or made available for use by spammers and abusers in unsolicited bulk email or other types of Internet-based abuse that threatens networks or users.
The Spamhaus definition of "spam" is "unsolicited bulk email" (UBE). Spamhaus does not evaluate the content or legality of the contents of an email message, merely whether that message constitutes spam by this definition.
Benefits of this data
On average, this dataset contains 30-40 thousand listings, maintained by an Open Source Intelligence (OSINT) research team - including dedicated investigators and forensics specialists. When paired with other reputation datasets, this blocklist provides industry-leading catch rates with extremely low false positives.
Email administrators can use this dataset to reduce the overflow of inbound email traffic associated with spam and other malicious emails. This will reduce the risk of security incidents, reduce email infrastructure costs, and reduce human resource requirements.
How to utilize this dataset
To make the best use of Spamhaus' data, blocklists should be utilized at specific points during the email filtering process. For the Spamhaus Blocklist, use during:
- The initial connection – against the connecting IP.
- Throughout the pre-data phase of an email, i.e., the SMTP transaction - against the HELO string and Mail From domain.
- Once the email data has been accepted - by looking up IP addresses hosting resources appearing in the mail headers and body, e.g., URLs.
For more information on this, read this best practice.
Get more protection, for free
Each blocklist targets a specific type of behavior; using one blocklist independently limits the effectiveness of the data. Spamhaus offers three other IP-based blocklists for free:
- Exploits Blocklist (XBL)
- Combined Spam Sources blocklist (CSS) (dataset included in the SBL DNSBL zone)
- Policy Blocklist (PBL)
These IP blocklists can be used via ZEN which combines the above datasets for easier and faster querying.
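The connection-time lookup described under "How to utilize this dataset", run against the combined ZEN zone, as an added example (not Spamhaus' own code): it builds the DNS name to query for an IPv4 or IPv6 address and interprets the A records that come back, keeping query-error answers apart from real listings. The zone name `zen.spamhaus.org` and the return-code table are not on this page and are assumed from Spamhaus' public DNSBL documentation; the sample address is constructed.

```python
import ipaddress

# Assumption: ZEN return codes as published in Spamhaus' DNSBL documentation
# (they are not listed on this page).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL",
    "127.0.0.9": "SBL (DROP)",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# 127.255.255.x answers report a problem with the query, never a listing.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def dnsbl_query_name(ip, zone):
    """Return the name whose A record is looked up for `ip` in `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                   # reversed octets
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]   # reversed nibbles
    return ".".join(labels) + "." + zone.strip(".")


def classify_answer(a_records):
    """Map the A records returned for a query to (verdict, details)."""
    errors = [ERROR_CODES[a] for a in a_records if a in ERROR_CODES]
    if errors:
        return "error", errors          # do not reject mail on these
    hits = sorted(ZEN_CODES[a] for a in a_records if a in ZEN_CODES)
    if hits:
        return "listed", hits
    if a_records:
        return "unexpected", list(a_records)   # unknown code: log, do not block
    return "not_listed", []             # NXDOMAIN, i.e. no A records


if __name__ == "__main__":
    # Constructed inputs: 192.0.2.25 is a documentation address.
    print(dnsbl_query_name("192.0.2.25", "zen.spamhaus.org"))
    print(classify_answer(["127.0.0.2", "127.0.0.4"]))
```

Treating every returned A record as a listing would turn a `127.255.255.x` error answer into a rejection of all inbound mail, which is why the error codes are checked first.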
The majority of malicious email is dropped at the SMTP transaction; however, many bad actors invest time and money to evade IP-based detection. To gain the best catch rates, domain and hash blocklists should also be used to filter email once it has been accepted. For this, Spamhaus provides the Domain Blocklist (DBL) for free. Find more on why you should use domain and hash blocklists here.
Technical information
You can utilize the data via the SMTP server configuration for connection and SMTP transaction checks, and via open source tools, such as SpamAssassin and Rspamd, for content analysis.
For users of Spamhaus Technology's free Data Query Service, plugins for both are readily available to minimize configuration time.
Alternatively, integrate the data with your existing anti-spam platform; supporting technical information is available here. Setup takes minutes, and you instantly gain real-time protection.
Accessing the data
Use of the Spamhaus DNSBLs is free of charge for low-volume, non-commercial users. If you’re unsure, please check our DNSBL usage criteria here. Free accounts are made available through our partner, Spamhaus Technology - sign up to access the data via Data Query Service here.
Where data is being used for commercial purposes, an annual subscription-based service is required. Sign up for a free 30-day trial here.
Best practices to maintain a positive IP reputation
Spamhaus’ data protects billions of mailboxes globally. To avoid getting listed and your email service being impacted, some important best practices to adopt are:
- Secure web forms - utilizing captcha or another robot prevention mechanism, in order to prevent “mail bombing” and unauthorized subscriptions.
- Develop a strong Acceptable Use Policy (AUP) - ensure it is enforced swiftly when there is a breach, and do not allow any material exceptions.
- Restrict outbound SMTP traffic - configure your firewall to allow outbound SMTP traffic (destination port 25) only when it originates from your mail server's internal IP (if you have one).
- Infrastructure - check your internet infrastructure providers, e.g. ISPs. See reputation statistics on ISPs/networks.
- Use double opt-in – to avoid spam traps and ensure only real and interested recipients are sent your emails.
- Configuration – ensure that your hostname and your HELO match, and that your reverse DNS (PTR record) is defined and pointing to the same hostname.
N.B. We recognize these are not all managed by email administrators; where applicable, communicating with other functions, like network administrators and deliverability specialists, is critical.
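One way to verify the configuration item above (hostname, HELO and PTR all agreeing), as an added example that is not Spamhaus' code. It goes one step beyond the text by also confirming that the HELO name resolves back to the sending IP; the function names, the sample zone data and the addresses are constructed for illustration.

```python
import socket


def system_lookups():
    """Return (ptr_lookup, addr_lookup) backed by the local resolver."""
    def ptr_lookup(ip):
        try:
            return [socket.gethostbyaddr(ip)[0]]
        except OSError:
            return []

    def addr_lookup(name):
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
        except OSError:
            return []
    return ptr_lookup, addr_lookup


def _norm(name):
    return name.rstrip(".").lower()


def check_mail_identity(ip, hostname, helo, ptr_lookup, addr_lookup):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if _norm(hostname) != _norm(helo):
        problems.append("hostname and HELO differ")
    ptr_names = [_norm(n) for n in ptr_lookup(ip)]
    if not ptr_names:
        problems.append("no PTR record for the sending IP")
    elif _norm(helo) not in ptr_names:
        problems.append("PTR does not point to the HELO hostname")
    if ip not in addr_lookup(_norm(helo)):
        problems.append("HELO hostname does not resolve back to the sending IP")
    return problems


# Constructed sample zone data (documentation address and domain).
SAMPLE_PTR = {"192.0.2.25": ["mail.example.org."]}
SAMPLE_A = {"mail.example.org": ["192.0.2.25"]}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_addr(name):
    return SAMPLE_A.get(name, [])
```

On a mail server, pass the two functions returned by `system_lookups()` in place of the sample ones.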
Removal
SBL Listings
When an SBL listing is made, Spamhaus Project researchers send the network or hosting companies responsible for that IP an email notification. Due to the technical nature of these listings, only these companies can deal with SBL removals. If you are a general user, speak with your Internet Service Provider (ISP) to seek remediation. SBL listing details can be viewed from https://check.spamhaus.org/, using the IP, IP range, or SBL ticket number.
It is the network owner's responsibility to notify Spamhaus of any changes that affect an SBL listing, and to request removal when the conditions that caused the SBL listing no longer apply.
SBL Informational Listings
Informational listings act as an early warning signal to indicate that the listed IP is displaying poor behavior. Informational listings are indicative, and do not result in IPs being blocked. However, without further action, an SBL listing 'proper' could be made - so if you see an informational listing, act. You will find more detail at https://check.spamhaus.org/.