Frequently Asked Questions (FAQ)

General Questions

Email that appears to be "from" Spamhaus...
Is my IP or domain listed by Spamhaus? How do I get it removed?
I am being blocked. Why can't I find my IP/domain listed on Spamhaus?
Did Spamhaus list my email address?
I am not receiving expected mail from Spamhaus
Is there a way to report spam to Spamhaus?
Can registrars suspend domains for spam and abuse?
Someone's spamming with my return address, will Spamhaus block me?
How to secure your SSH daemon (sshd)


Email that appears to be "from" Spamhaus...
Spamhaus does NOT send out email alerts or notices to Internet users.

The "FROM" field of an email can contain anything the sender chooses to put there.
  • Spam rarely comes from the address that is in the "FROM" field
  • It is dangerous to assume that any unexpected email truly originates from the email address seen in the "FROM".
Always check an email's Headers to verify where it really came from.

NOTE:
  • Legitimate email from spamhaus.org will only come from a Spamhaus email server and will be verifiable in DNS.
  • Legitimate email from Spamhaus will always be signed with DKIM.
  • If the email looks suspicious, it probably is.
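
One way to automate the header check described above (an added example, not Spamhaus code). It assumes your receiving mail server stamps an Authentication-Results header; the server name mx.example.net, the addresses and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples. "mx.example.net" stands in for your own receiving
# server, the only source of Authentication-Results that can be trusted.
GENUINE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=spamhaus.org header.s=sel1; spf=pass smtp.mailfrom=spamhaus.org
From: Spamhaus <noreply@spamhaus.org>
Subject: Your removal request

body
"""
FORGED = """\
Authentication-Results: mx.example.net; dkim=none; spf=softfail smtp.mailfrom=bulk.example.org
Authentication-Results: mail.attacker.example; dkim=pass header.d=spamhaus.org
From: Spamhaus Alerts <alerts@spamhaus.org>
Subject: Your IP is listed

body
"""

def dkim_pass_domains(msg, trusted_authserv):
    """Domains with dkim=pass, read only from headers stamped by our own server."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.replace("\n", " ").split(";")]
        authserv = parts[0].split()[0].lower() if parts[0] else ""
        if authserv != trusted_authserv:
            continue  # header written by someone else: sender-controlled text
        for result in parts[1:]:
            if re.match(r"dkim\s*=\s*pass\b", result, re.I):
                m = re.search(r"header\.d\s*=\s*([\w.-]+)", result, re.I)
                if m:
                    domains.add(m.group(1).lower())
    return domains

def from_is_dkim_verified(raw, trusted_authserv="mx.example.net"):
    """True only if the From domain is covered by a passing DKIM signature."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for d in dkim_pass_domains(msg, trusted_authserv):
        # Signing domain must equal the From domain or be a parent of it.
        if from_domain == d or from_domain.endswith("." + d):
            return True
    return False
```

The forged sample carries a second Authentication-Results line claiming dkim=pass; it is ignored because it was not written by the trusted server.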


Is my IP or domain listed by Spamhaus? How do I get it removed?
The Spamhaus lookup tool

The listing of an IP or domain by any of the Spamhaus DNSBLs or blocklists can be checked using the Spamhaus lookup form.

How to submit a removal request
  • Please understand that we will not be able to handle removal requests made through other channels (such as email).
  • Due to the number of requests, removal requests must be made by the registered owner of the domain or IP. If that is not you, please contact your service provider for help.
If you are the registered owner of the domain or IP:
  • Removal requests must be made from an IP address that can be associated with the requested IP or domains, and should not be made using a VPN.
  • When you submit a removal request through the Blocklist Removal Center, please make sure that you provide us sufficient information so we can handle your request appropriately:
    1. What caused the spam issue,
    2. What action you took to solve it,
    3. What further actions you took to prevent spam problems again in the future.
NOTE: Submitting a removal request does not guarantee that the removal will be granted. Please ensure that the problem has been addressed before submitting a request.


I am being blocked. Why can't I find my IP/domain listed on Spamhaus?
The Spamhaus lookup tool of our Blocklist Removal Center page will show IPs and domains that are currently listed in one or more of Spamhaus's blocklists.

If the IP or domain you are checking is not found, but you are blocked, it is probable that the IP or domain was listed by Spamhaus and was recently removed. It takes some networks longer to catch up than others. In this case, wait 1-2 hours and the problem should clear by itself.


Did Spamhaus list my email address?
Probably not. Spamhaus has automated systems that can list email addresses, but these listings almost always occur when the addresses are fully involved in spamming. This is part of our Hash Block List (HBL). What probably occurred is that the domain used by your email address or the IP address that is sending your email is listed.
  • You can check whether an IP address or domain is in any Spamhaus list using our lookup form.
  • If either your domain or IP address are listed and you believe this is incorrect, please read below.
How to submit a removal request
  • Please understand that we will not be able to handle removal requests made through other channels (such as email).
  • Due to the number of requests, removal requests must be made by the registered owner of the domain or IP address. If that is not you, please contact your service provider for help.
If you are the registered owner of the domain or IP address:
  • Removal requests must be made from an IP address that can be associated with the listed IP addresses or domains and should not be made using a VPN or proxy.
  • When you submit a removal request through the Blocklist Removal Center, please make sure that you provide us sufficient information so we can handle your request appropriately:
    1. What caused the spam issue,
    2. What action you took to solve it,
    3. What further actions you took to prevent spam problems again in the future.
NOTE: Submitting a removal request does not guarantee that the removal will be granted. Please ensure that the problem has been addressed before submitting a request.


I am not receiving expected mail from Spamhaus
If you are waiting for a reply from Spamhaus, and not receiving one, check your 'Spam' folder. If that doesn't locate the email, please contact your IT department or helpdesk.


Is there a way to report spam to Spamhaus?
Spamhaus does not accept spam reports.


Can registrars suspend domains for spam and abuse?
Registrars should always have an anti-spam Acceptable Use Policy (AUP) which they can enforce, and most do.


Someone's spamming with my return address, will Spamhaus block me?
Since the "FROM" field in most spam is forged and meaningless, we do not block based on that.


How to secure your SSH daemon (sshd)

We at Spamhaus frequently come across compromised (web) servers that turn out to have been hijacked by spammers or other cybercriminals to host spammer sites, malware distribution sites or even botnet controllers. Many of these compromised servers have been hacked using SSH brute forcing.

With the SSH brute-force method, an attacker tries to guess (brute force) the password by trial and error. If the victim system is using a weak password, the chance is high that an attack will result in a positive match, after which the attacker is able to get (root) access to the system.

Fortunately there are several technical measures that can help to mitigate SSH bruteforce attempts.

Change the port SSHd is listening on

One of the most effective ways to prevent your system from getting hacked by brute forcing the SSH password is simply to change the port the SSH daemon (SSHd) listens on to a non-standard port. SSHd usually listens on 22 TCP, which makes it attractive for attackers. You should change it to something else, e.g. port 2233 or 2244. You can do this by changing the configuration file of SSHd, which usually resides in /etc/ssh/sshd_config. Note that there are two files: sshd_config and ssh_config. Make sure that you edit sshd_config. Somewhere near the top of the config file you will find an option called Port, which should have the value 22. All you need to do is change this option to a different port (e.g. 2233) and restart the SSH daemon using the command sudo /etc/init.d/ssh restart. SSHd should now listen on the port you have just specified in the configuration.

Fail2Ban

Fail2Ban is an open source tool that looks for failed SSH login attempts in the SSH logs and bans the attacking IP address for a specific time period using iptables or a null route. The installation and configuration of Fail2Ban is pretty simple. If you are using Ubuntu or Debian you can simply install the Fail2Ban package from the repository by using apt-get:

sudo apt-get install fail2ban

The configuration file of Fail2Ban is usually located in /etc/fail2ban/jail.conf. There are various options you can configure, for example the email address to which notifications should be sent or the default ban action (usually iptables-multiport, which means that the attacking IP address will be blocked on all ports using iptables). By default, Fail2Ban monitors the SSH log located at /var/log/auth.log for failed login attempts. If Fail2Ban is configured correctly, you should see something like this in your Fail2Ban configuration file:

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

With the option enabled you can define whether the rule/filter is active or not (true or false). The option filter defines which filter configuration this rule will use. The filter configuration files are located in /etc/fail2ban/filter.d/. In short, this rule/filter monitors the SSH log auth.log and bans the attacking IP address after 6 failed login attempts for 600 seconds (see option bantime) using iptables (see option banaction).

If you want to monitor the activities of Fail2Ban you might want to check out the logfile that is produced by Fail2Ban: it is usually located in /var/log/fail2ban.log
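
The counting logic behind the rule above, as an added example run over constructed auth.log lines (not Fail2Ban's own code). The regular expression is a simplified stand-in for the sshd filter, and the 600-second counting window (Fail2Ban's findtime option) is an assumption, since the page only gives maxretry and bantime.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 6    # from the [ssh] jail shown above
BANTIME = 600   # seconds, as stated in the text
FINDTIME = 600  # assumption: window in which failures are counted

# Simplified stand-in for the sshd filter, not Fail2Ban's actual failregex.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+")

def sample_log():
    """Constructed auth.log: 7 failures from one address, 2 from another."""
    lines = [f"Mar  3 10:00:{s:02d} web1 sshd[411]: Failed password for root "
             f"from 203.0.113.7 port 40022 ssh2" for s in range(0, 35, 5)]
    lines += [
        "Mar  3 10:00:12 web1 sshd[412]: Failed password for invalid user "
        "admin from 198.51.100.9 port 5151 ssh2",
        "Mar  3 10:00:20 web1 sshd[413]: Accepted publickey for deploy "
        "from 192.0.2.10 port 6000 ssh2",
        "Mar  3 10:05:00 web1 sshd[414]: Failed password for invalid user "
        "test from 198.51.100.9 port 5152 ssh2"]
    return sorted(lines)  # same date prefix, so string order is time order

def find_bans(lines, year=2020):
    """Return {ip: (banned_at, unban_at)} as a maxretry/bantime jail would."""
    failures, bans = defaultdict(deque), {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one has to be assumed
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned: the firewall would have dropped this
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # forget failures older than the counting window
        if len(window) >= MAXRETRY:
            bans[ip] = (ts, ts + timedelta(seconds=BANTIME))
            window.clear()
    return bans
```

On the sample log only 203.0.113.7 is banned, at its sixth failure; the address with two failures and the successful key login are left alone.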

If you are interested in Fail2Ban you can find more information on the Fail2Ban project website:

http://www.fail2ban.org/wiki/index.php/README

DenyHosts

Another tool to prevent attackers from gaining access to your server using brute-forced SSH credentials is DenyHosts. DenyHosts is an open source project that maintains a database of IP addresses that are known to be a source of SSH attacks. The tool works similarly to Fail2Ban by monitoring the sshd log for failed login attempts. Once an SSH attack has been detected, DenyHosts will block the offending IP address by adding it to /etc/hosts.deny. If you are running Ubuntu or Debian you can simply install DenyHosts using the following command:

sudo apt-get install denyhosts

This command will install DenyHosts on your Linux/Unix server. Usually, DenyHosts works with its default configuration out of the box, but if you want to check the configuration you can find the config file in /etc/denyhosts.conf. Ensure that the path to the SSH log (SECURE_LOG) is set correctly and that DenyHosts blocks login attempts from the offending host for sshd (BLOCK_SERVICE).

More information about DenyHosts can be found here:

http://www.denyhosts.net/


© 1998-2020 The Spamhaus Project SLU. All rights reserved.