DROP FAQ

What is DROP?
What is EDROP?
Who should use the DROP / EDROP list?
Are DROP and EDROP also available via DNS lookups?
The DROP list is free for any use, how can it be any good?
How often should my system fetch the DROP / EDROP list?
What are "hijacked netblocks"?
How about deploying DROP / EDROP on my router?
How about using DROP on other operating systems?
How about using DROP in other firewalls, web filters & proxies?
What else can ISPs use DROP for?


What is DROP?
DROP (Don't Route Or Peer) is an advisory "drop all traffic" list. DROP is a tiny subset of the SBL designed for use by firewalls and routing equipment. The DROP list will not include any IP space allocated to a legitimate network and reassigned - even if reassigned to the proverbial "spammers from hell". DROP includes netblocks that are hijacked or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). These are direct allocations from ARIN, RIPE, APNIC, LACNIC, or other Regional Internet Registries and "portable allocations" (known as "PI") from RIPE.

Spamhaus strongly recommends the use of DROP by tier-1 and backbone networks. Simply consulting the DROP list's webpage when someone asks you to route some suspicious IPs can help avoid picking up customers you would just as soon not have on your network.



What is EDROP?

EDROP is an extended version of the DROP list that will include netblocks controlled by professional spamming operations and cyber criminals that are not directly allocated. This means that EDROP only includes netblocks that are sub-allocations. Direct allocations will be listed in DROP only.

Spamhaus strongly recommends the use of EDROP by tier-1 and backbone networks. Simply consulting the DROP list's webpage when someone asks you to route some suspicious IPs can help avoid picking up customers you would just as soon not have on your network.



Who should use the DROP / EDROP list?
Anyone or anyplace that has the ability to block or filter IP address ranges on their network.

The DROP list is also open for all to download and use; there is no fee for usage. The only things we require are that:

  • In products, credit for its use is given to The Spamhaus Project.
  • If possible in one's configuration, the date and © text should remain with the file and data.
  • The DROP list should not be imported into your network filters and forgotten about. Please check regularly to ensure you have the latest version of the DROP list. This should be automated.
  • The DROP list data should not be downloaded from our website more than once per hour, nor less frequently than once per day.

Most of the other Spamhaus data-sets (SBL, XBL, PBL) are designed for SMTP connection time filtering. The DROP list is small in comparison and is not a replacement. It can be used to further secure one's network from those attempting to attack it or harm one's users.

For Internet Service Providers (ISPs) or organisations that can run the Border Gateway Protocol (BGP) on their border routers, Spamhaus offers DROP and EDROP along with its botnet C&C list (BGPCC) as a BGP feed, with which any networking device can peer using the BGP protocol. More information about this service can be found on the Spamhaus BGPf page.



Are DROP and EDROP also available via DNS lookups?
All the networks listed in DROP and EDROP are also listed on the SBL blocking list, and therefore SBL and ZEN lookups return a listed status for those networks. Since 1st June 2016, the 127.0.0.9 code is returned in addition to the standard 127.0.0.2 return code of the SBL for these networks. Therefore, a 127.0.0.9 return code indicates listing in DROP or in EDROP.
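The lookup described above, as an added example that is not part of the Spamhaus FAQ: it builds the reversed-octet ZEN query name and maps the A-record answers to list names, flagging DROP/EDROP when 127.0.0.9 is present. Only zen_lookup() touches the network; classify_answers() works offline, and the other return codes in the table are the standard ZEN codes rather than values stated on this page.

```python
"""Interpret Spamhaus ZEN/SBL DNSBL answers, flagging DROP/EDROP membership."""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Standard ZEN return codes. The FAQ above states that 127.0.0.9 is returned
# (since 1 June 2016) alongside the SBL's 127.0.0.2 for DROP/EDROP networks.
RETURN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "DROP/EDROP",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}


def zen_query_name(ip, zone=ZEN_ZONE):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_answers(answers):
    """Map the A records returned for a query to list names and a DROP flag."""
    lists = sorted({RETURN_CODES.get(a, "unknown (" + a + ")") for a in answers})
    return {
        "listed": bool(answers),
        "lists": lists,
        "in_drop": "127.0.0.9" in answers,  # DROP or EDROP, per the FAQ
    }


def zen_lookup(ip):
    """Live lookup (needs network access); an NXDOMAIN answer means not listed."""
    try:
        _host, _aliases, addrs = socket.gethostbyname_ex(zen_query_name(ip))
    except socket.gaierror:
        addrs = []
    return classify_answers(addrs)
```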


The DROP list is free for any use, how can it be any good?
The DROP list contains network ranges which can cause so much damage to internet users that Spamhaus provides it to all, free-of-charge, to help mitigate this damage. Other anti-spam data Spamhaus produces is also offered free-of-charge to most of the world's internet users via DNSBL lookups. We do, however, ask larger users (corporations, universities, governments) that require high-usage or local zones to support our project by using our Datafeed service. Those who resell a product based on this data are also asked to support The Spamhaus Project.

Spamhaus believes that, due to the vital nature of the DROP list data, it should be available free-of-charge to anyplace, regardless of size or business type, to protect internet users. If you wish to redistribute the plain text feeds, we ask that you name Spamhaus as the source of the data and retain both the copyright statement and the date and time stamps at the top of the text file.

Do also follow our other wishes on how often to fetch the file, and try not to leave an older version of the data on the web where people may think it is usable. The DROP lists are dynamic; using older versions is a bad idea.


How often should my system fetch the DROP / EDROP list?

Please DO NOT auto-fetch the DROP / EDROP list more than once per hour!

The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled from the Spamhaus website.



What are "hijacked netblocks"?

A "hijacked netblock" is a netblock brought back from the dead, often by a spammer, also called a "zombie netblock." (The term "zombie" later became widely applied to the infected PC drones in a botnet.) The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys, including registering an abandoned domain name so that email sent to the block's point-of-contact address reaches them, printing up bogus letterhead, or doing a bit of human engineering over the telephone. Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their BGP Autonomous System Number.

Oh, and Autonomous Systems are hijacked too. Old abandoned ASNs are taken by a spammer or spammer supplier to announce various IP ranges. So it's quite possible to have a hijacked netblock advertised by a hijacked ASN.

Originally a few crufty geeks found these ranges for cheap digs. While their ownership claims were unethical, they did not use the hijacked networks for abuse. All that changed when spammers entered the picture. Then the hijack game became dominated by spammers (and some script kiddies) and it is now wise to accept no packets, but certainly not e-mail, from zombie networks.

Hijacked netblocks can be found in ranges assigned by every Regional Internet Registry (RIR), including ARIN, RIPE, APNIC, and others. Restoring proper ownership of a hijacked netblock means finding the original owner (often a dissolved company) and jumping through RIR hoops. It's a slow and laborious process, important but not a way to stop today's spam.

The peering/transit arrangements for these netblocks change very quickly. Spamhaus leaves the entire block listed in SBL, categorized under the RIR, and then provides additional pointer records for networks carrying the netblock's traffic. While such records are often only a single router's IP address (/32), the record will indicate the greater problem (and the problem is much greater than a single IP). Spamhaus may also provide additional SBL records within a hijacked netblock as various SWiPs or single IPs within the netblock are assigned to different spammers. These, too, may serve as pointers to the upstream, as the block is sometimes SWiPed as portable subnets with each spammer left to find their own transit. Many of these hijacked netblocks find their way into a special ROKSO record.

Spamhaus lists entire hijacked networks. Some of them are known to be controlled by a particular spammer and are thus listed under that spammer's ROKSO records. Those that are not assigned to another spammer may be assigned to this record. So, it is suggested that anyone searching for hijacked netblocks under their aegis not only check this record's Current SBL Listings, but also check under their domain name and RIR via the SBL search function.



How about deploying DROP / EDROP on my router?

Spamhaus offers DROP and EDROP along with its botnet C&C list (BGPCC) as a BGP feed, with which any networking device can peer using the BGP protocol. More information about this service can be found on the Spamhaus BGPf page.

If your router is a Cisco device and you don't have BGP support on it (or don't want to use it), you can also use the script developed by Marco d'Itri:

http://www.linux.it/~md/software/cisco-tools-0.3.tgz

Every time it's run by crontab it will download the list and report if there are changes. When run interactively it will remove old entries and ask whether any new entry should be used or not.

It can be used to keep bogon filters up to date too.



How about using DROP on other operating systems?
For those who use PC routers, here's a little Perl script to turn the CIDR blocks in the DROP list into Unix route commands. Different versions of route have slightly different syntax, so you need to pick the one that works with your version. Some versions of route take CIDR notation, others require netmasks, so un-comment the one that works for you. (Note the obvious perl one-liner to turn a bit number into a dotted quad.)

To make day-to-day changes, use -o oldfile where oldfile is the previous version, and it'll give you just route delete and route add for the changes. This script is set up to fetch the current list and update once a day, which is frequent enough for nearly all networks, given the slow day-to-day churn and very conservative listing policy of the DROP list.

Please DO NOT auto-fetch the DROP list more than once per hour!

Usual disclaimers...use at your own discretion!

This site has a shell script for putting the Spamhaus DROP list in FreeBSD's ipfw.

Here's the code for using DROP in Linux firewalls:

Bill Stearns also provides this tcpdump command line. It's tested on Linux and probably works in any Unix/Posix environment, including Cygwin on Windows. A tcpdump error message "Warning: Kernel filter failed: Cannot allocate memory" seems to indicate that the filter can't fit in kernel memory, and it appears that tcpdump then switches over to filtering in userspace.

    tcpdump -tnp `cat /var/lib/drop.lasso | sed -e 's/;.*//' | grep -v '^ *$' | ( read OneAddr ; echo -n "net $OneAddr" ; while read OneAddr ; do echo -n " or net $OneAddr" ; done ; echo )`
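The list handling described in this section (strip ';' comments and blank lines, compare a fresh download against the previous file in the manner of the Perl script's -o oldfile mode, and build the tcpdump "net A or net B" expression), as an added example that is neither the Perl script nor Bill Stearns' command from the original page. Linux ip-route blackhole syntax is assumed; the sample list uses documentation ranges and made-up SBL ids.

```python
"""Turn a DROP/EDROP-format file into blackhole route changes and a tcpdump filter."""
import ipaddress


def parse_drop(text):
    """CIDR entries of a DROP file as a set of ip_network objects."""
    nets = set()
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()  # "1.2.3.0/24 ; SBL123" -> "1.2.3.0/24"
        if entry:
            nets.add(ipaddress.ip_network(entry, strict=True))  # rejects garbled lines
    return nets


def route_changes(old_text, new_text):
    """Commands that move a host from the old list to the new one, deletes first."""
    old, new = parse_drop(old_text), parse_drop(new_text)
    cmds = ["ip route del blackhole %s" % n for n in sorted(old - new)]
    cmds += ["ip route add blackhole %s" % n for n in sorted(new - old)]
    return cmds


def tcpdump_filter(text):
    """Same expression the FAQ's sed/read pipeline builds: 'net A or net B or ...'."""
    return " or ".join("net %s" % n for n in sorted(parse_drop(text)))


# Constructed sample data: documentation ranges and made-up SBL ids, not real listings.
OLD_DROP = """; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""
NEW_DROP = """; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
203.0.113.0/24 ; SBL000003
"""

if __name__ == "__main__":
    for cmd in route_changes(OLD_DROP, NEW_DROP):
        print(cmd)
    print("tcpdump -tnp '" + tcpdump_filter(NEW_DROP) + "'")
```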

Here is a script that converts the DROP list into Qmail's tcpserver blacklist:



How about using DROP in other firewalls, web filters & proxies?
Certainly, but note that the data file and CIDR ranges may have to be manipulated for each system's unique requirements. Remember that some of these scripts are older and do not also fetch and use the newer EDROP data; a quick modification to add it should be implemented.


What else can ISPs use DROP for?
  • Logging customer requests for DNS servers in any DROP-listed IP space is a very good way to discover which customers are infected with DNS-changer malware.
  • Logging customer requests for binary files from any DROP-listed IP space is a good way to discover which customers may be infected with malware.
  • Vetting new transit customers' IP ranges against DROP; those ranges are often looking for new routing options.
  • Scoring DROP ranges extra high in such software as SpamAssassin.
  • Using DROP ranges in a DNS RPZ zone to invalidate lookups in these ranges. See Spamhaus' DBL as a Response Policy Zone (RPZ).
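The RPZ use in the last item above, as an added example that is not a Spamhaus product or zone: it emits a zone whose rpz-ip triggers cover each DROP range, so a resolver loading it returns NXDOMAIN for any answer inside those ranges. The zone origin, SOA values and sample list are constructed placeholders.

```python
"""Build a DNS Response Policy Zone (RPZ) whose IP triggers cover DROP/EDROP ranges."""
import ipaddress


def parse_drop(text):
    """CIDR entries of a DROP file, ';' comments and blank lines removed."""
    entries = [line.split(";", 1)[0].strip() for line in text.splitlines()]
    return [ipaddress.ip_network(e, strict=True) for e in entries if e]


def rpz_ip_trigger(cidr):
    """RPZ IP trigger: <prefixlen>.<octets reversed>.rpz-ip, e.g. 24.0.2.0.192.rpz-ip."""
    net = ipaddress.ip_network(cidr, strict=True)
    rev = ".".join(reversed(str(net.network_address).split(".")))
    return "%d.%s.rpz-ip" % (net.prefixlen, rev)


def drop_to_rpz(text, origin="drop.rpz.example", serial=1):
    """Zone file text; 'CNAME .' is the RPZ action that rewrites the answer to NXDOMAIN."""
    lines = [
        "$ORIGIN %s." % origin,
        "$TTL 300",
        "@ SOA ns.%s. hostmaster.%s. %d 3600 900 604800 300" % (origin, origin, serial),
        "@ NS ns.%s." % origin,
    ]
    lines += ["%s CNAME ." % rpz_ip_trigger(str(n)) for n in sorted(parse_drop(text))]
    return "\n".join(lines) + "\n"


# Constructed sample: documentation ranges with made-up SBL ids, not real listings.
SAMPLE_DROP = """; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
203.0.113.0/24 ; SBL000003
"""

if __name__ == "__main__":
    print(drop_to_rpz(SAMPLE_DROP), end="")
```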


© 1998-2017 The Spamhaus Project Ltd. All rights reserved.