About the Data
The Exploits Blocklist contains individual IPv4 and IPv6 addresses exhibiting signs of compromise i.e. IPs that are legitimate but have been hijacked to use by third-party exploits. Spamhaus will automatically add an IP to the XBL where we have compelling evidence that suggests that a machine or device using the IP is insecure, compromised, or infected.
Policy statement
In order to maintain the utility of the XBL and to prevent bad actors from using the information to evade XBL listings, Spamhaus does not reveal the precise behaviors that typically result in an XBL listing. Generally speaking, however, those behaviors can include:
- The presence of malware inadvertently downloaded on a device.
- Security problems on devices allowing unauthorized access and malicious activities unknown to its legitimate user.
- "Free VPN" type applications using the customer device as a proxy to do network activity on behalf of other unknown people.
- Participation in brute force attacks on a specified service.
- Rapid changes in identity while attempting to deliver mail.
- Frequent sinkhole connections in a manner consistent with malware activity.
- Attempts to relay mail using illegitimately obtained credentials.
XBL listings will automatically expire after a period of time once the malicious behavior is no longer detected.
Benefits of this data
This dataset on average contains 2 million listings, with 650,000 new detections relating to exploited IPs every 24 hours. Updated in real time, when paired with other reputation data, gain industry-leading catch rates with extremely low false positives.
Email administrators can apply this DNSBL to reduce the overflow of inbound email traffic associated with spam and other malicious emails. This will reduce risk of security incidents, reduce email infrastructure costs, and reduce human resource requirements.
How to utilize this dataset
To make the best use of Spamhaus' data, blocklists should be utilized at specific points during the email filtering process.
The Exploits Blocklist should be used during:
- The initial connection – against the connecting IP.
- Once the email data has been accepted, by checking IP addresses in the Received chain in the mail headers, and by looking up IP addresses hosting resources appearing in the body - such as URLs.
For more information on this, read this best practice.
Get more protection, for free
Each blocklist targets a specific type of behavior; using one blocklist independently limits the effectiveness of the data. Spamhaus offers three other IP-based blocklists for free:
- Spamhaus Blocklist (SBL)
- Combined Spam Sources blocklist (CSS) (dataset included in the SBL DNSBL zone)
- Policy Blocklist (PBL)
These IP blocklists can be used via ZEN which combines the above datasets for easier and faster querying.
The majority of malicious email is dropped at the SMTP transaction, however many bad actors invest time and money to evade IP-detection. So to gain the best catch rates, domain and hash blocklists should also be used to filter email, once the email has been accepted. For this, Spamhaus provides the Domain Blocklist (DBL) for free. Find more on why you should use domain and hash blocklists here.
Technical information
You can utilize the data via the SMTP server configuration for connection and SMTP transaction checks, and via open source tools, such as SpamAssassin and Rspamd, for content analysis.
Plugins for both are readily available to minimize configuration time, for users of Spamhaus Technology's free Data Query Service.
Alternatively, integrate with your existing anti-spam platforms with technical information to support here. Set up takes minutes and you instantly gain real time protection.
Accessing the data
Use of the Spamhaus DNSBLs is free of charge for low-volume, non-commercial users. If you’re unsure, please check our DNSBL usage criteria. Free accounts are made available through our partner, Spamhaus Technology - sign up to access the data via Data Query Service.
Where data is being used for commercial purposes, an annual subscription-based service is required. Sign up for a free 30-day trial.
Best practices to maintain positive IP reputation
Spamhaus’ data protects billions of mailboxes globally. To avoid getting listed and your email service being impacted, some important best practices are:
- Two-factor authentication (2FA) - ensure you have 2FA applied wherever possible, especially with privileged accounts.
- Software updates - protect against vulnerabilities by ensuring your software is kept up to date.
- Restrict outbound SMTP traffic - configure your firewall to allow outbound SMTP traffic (destination port 25) only if originated from your mail server internal IP (if you have one).
- Infrastructure - check your internet infrastructure providers, e.g. ISPs. See reputation statistics on ISPs/networks.
- Use double opt-in – to avoid spam traps and ensure only real and interested recipients are sent your emails.
- Configuration – ensure that your hostname and your HELO match, and that your reverse DNS (PTR record) is defined and pointing to the same hostname.
We recognize these are not all managed by email administrators; where applicable, communicating with other functions, like network administrators and deliverability specialists, is critical.
Removal
If your IP is listed on the Exploits Blocklist, you should visit: https://check.spamhaus.org. This will take you to our IP and Domain Reputation Checker to find more information, and the only place where XBL removals are handled.