About the Data
Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory “drop all traffic” list, containing IP ranges which are so dangerous to internet users that Spamhaus provides access, free of charge, to anyone who wants to add this layer of protection.
Policy Statement
The Spamhaus DROP lists consist of netblocks that are leased or stolen by professional spam or cyber-crime operations, and used for dissemination of malware, trojan downloaders, botnet controllers, or other kinds of malicious activity.
The DROP lists are a subset of the Spamhaus Blocklist (SBL), designed for total protection from all activity involving the listed networks, over all Internet protocols. This specifically includes traffic directed to these networks, such as access to web sites hosted there. The DROP lists are also designed for use by Tier-1 and backbone providers in firewalls and routing equipment, to filter out malicious traffic from listed netblocks.
Networks are inserted in the DROP lists only after dedicated investigators and forensics specialists have gathered evidence that they are controlled by cybercrime groups or by "bulletproof" hosters that either ignore abuse reports or, more frequently, move abusive customers to different IPs to evade targeted listings. With IPv4 depletion, assignments of netblocks to customers are now typically done by IPv4 brokers and are much more dynamic than in the past. Furthermore, malicious actors rotate ASNs very rapidly, together with company names. For these reasons, the DROP lists change on a daily basis, tracking the continuous and relentless movement of rogue networks trying to avoid detection.
Benefits of this data
Protect against activity directly originating from rogue networks, such as spam campaigns, encryption via ransomware, DNS hijacking and exploit attempts, authentication attacks to discover working access credentials, harvesting, and DDoS attacks. Also, gain automatic protection that immediately stops infected devices from communicating with adversaries using "bulletproof hosting" on listed networks. Users are often unaware of these background communications, so this infrastructure-level protection should be an important part of your overall security stack.
IP address space under the control of any legitimate network will never be listed, and false positives are extremely low, given the high-confidence nature of this dataset.
How it works
The free DROP datasets are provided in JSON format, to be parsed and implemented on nearly any kind of device or software that is capable of processing IP networks to make a decision, e.g., network gateways, firewalls, web proxies, DNS resolvers, etc.
The DROP lists available are:
- DROP - https://www.spamhaus.org/drop/drop_v4.json
- DROPv6 - https://www.spamhaus.org/drop/drop_v6.json
- ASN-DROP - https://www.spamhaus.org/drop/asndrop.json
For long-term users of the DROP files in text format, we recommend you update your configuration with the above JSON files as soon as your cycles allow. If you require continued long-term use of a text file, the jq command can always be used to convert the JSON.
N.B. The text files are still being populated; however, in time, these will be deprecated. Users will be notified with ample notice before deprecation takes place.
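One way to consume the JSON lists described above, as an added example (not Spamhaus code). It assumes each file holds one JSON object per line, with network records carrying "cidr" and "sblid" keys and a final "type": "metadata" record with a "records" count; those key names, the text layout, and the sample ranges and SBL ids are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout assumed here: one JSON object per line,
# network records first, then a metadata record. Ranges are documentation
# prefixes and the SBL ids are placeholders, not real listings.
SAMPLE_DROP = """\
{"cidr":"192.0.2.0/24","sblid":"SBL000001","rir":"arin"}
{"cidr":"198.51.100.0/25","sblid":"SBL000002","rir":"ripencc"}
{"cidr":"2001:db8:bad::/48","sblid":"SBL000003","rir":"apnic"}
{"type":"metadata","timestamp":1700000000,"records":3,"copyright":"(c) constructed sample"}
"""

def load_drop(text):
    """Return (entries, metadata); entries are (ip_network, sblid) tuples."""
    entries, metadata = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("type") == "metadata":
            metadata = rec  # keep the date and copyright with the data
            continue
        try:
            net = ipaddress.ip_network(rec["cidr"], strict=True)
        except (KeyError, ValueError) as exc:
            raise ValueError(f"line {lineno}: bad record: {exc}") from exc
        entries.append((net, rec.get("sblid", "")))
    # Reject a truncated download instead of installing a partial list.
    if metadata is None or metadata.get("records") != len(entries):
        raise ValueError("metadata missing or record count mismatch")
    return entries, metadata

def lookup(entries, address):
    """Return the SBL id of the listed range containing address, else None."""
    ip = ipaddress.ip_address(address)
    for net, sblid in entries:
        if ip.version == net.version and ip in net:
            return sblid
    return None

def to_text(entries, metadata):
    """Render 'CIDR ; SBLid' lines, with the metadata kept as comment lines."""
    head = [f"; {k}: {v}" for k, v in metadata.items() if k != "type"]
    return "\n".join(head + [f"{net} ; {sblid}" for net, sblid in entries])
```

The linear scan in lookup is fine for a list of this size; a device that filters at line rate would load the same networks into its own prefix table instead.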
Accessing this data, for free
Spamhaus believes that, due to the vital nature of the DROP list data, it should be available at no cost, regardless of size or business type, to protect internet users. We do ask that, when the data is used in a product, credit be given to Spamhaus Project, and that the date and © text remain with the file and data.
For a more commercially-focused solution, which also includes communities listing compromised and dedicated botnet command and controllers (C&Cs), we make data available via our partner Spamhaus Technology. Find out more about BGP Firewall.
Removal
Ranges in DROP are connected to the corresponding Spamhaus Blocklist (SBL) record mentioned in the DROP files. Once the SBL record is removed, the ranges will automatically leave DROP as well. Visit the SBL page for more information on removals.