The Spamhaus Project

Glossary

Find explanations of commonly used terms on our website.
Abuse Desk

Abuse Desk is the common name for the group of network administrators charged with enforcing Acceptable Use Policy/Terms of Service agreements. They are the people who monitor "abuse@domain" for a network, as specified by RFC 2142, and they should understand Role Accounts and Feedback Loops.

AUP - Acceptable Use Policy

"Acceptable Use Policy" or "AUP" is the part of a service provider's Terms of Service (TOS) contract with each of their customers which specifies both acceptable, and unacceptable, use of the provided services. AUPs generally prohibit spam and other abusive actions.

For more information please see the ISP Area and ISP Spam Issues sections of this website.

Authentication (email, domain)

Email authentication is a set of technical mechanisms for verifying that an email really comes from the domain it claims to come from, rather than from a sender forging that domain.

At present there are three major email authentication standards:

  • Sender Policy Framework (SPF)
  • DomainKeys and DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication Reporting and Conformance (DMARC)

ASN - Autonomous System Numbers

An Autonomous System (AS) is a group of one or more IP prefixes (ranges of IP addresses reachable on a network) run by one or more network operators under a single, clearly defined routing policy. An Autonomous System Number (ASN) is the globally unique number that identifies that AS. Network operators need ASNs to control routing within their networks and to exchange routing information (via BGP) with other networks and Internet Service Providers (ISPs).

Backscatter

Backscatter (also known as outscatter, misdirected bounces, blowback or collateral spam) consists of automated bounce messages that mail servers send to the wrong party, typically as a side effect of incoming spam.

Recipients of such messages see them as a form of unsolicited bulk email or spam, because they were not solicited by the recipients, are substantially similar to each other, and are delivered in bulk quantities.

  • Systems that generate email backscatter may be listed on various email blocklists and may be in violation of internet service providers' Terms of Service.
  • Backscatter occurs because worms and spam messages often forge their sender addresses. Instead of rejecting a spam message during the SMTP transaction, a misconfigured mail server accepts it and then sends a bounce message to the forged address, i.e. to an innocent third party.
  • This normally happens when a mail server is configured to accept a message and hand it to an after-queue antivirus scan or spam check, which then fails the message.
  • By the time that scan or check is done, the sending client has already disconnected, so the message can no longer be rejected within the SMTP transaction; holding the transaction open until the scan finishes is normally not an option either, since the client would time out.

Checking the connecting IP against a DNSBL such as Spamhaus Zen during the SMTP transaction, and rejecting with a 5xx response before the message is accepted, avoids this issue: responsibility for any bounce then stays with the sending MTA.

Block, Blocking (ISP)

An action taken by an ISP or network to prevent unwanted traffic from reaching its servers, including mail servers.

DKIM - DomainKeys Identified Mail

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.

DMARC - Domain-based Message Authentication, Reporting and Conformance

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

DNSBL - Domain Name System Block List

A DNSBL (Domain Name System Block List): A list of IP address ranges or other information compiled and presented as a DNS zone. Information in DNS format is easy to query and transport, and its small answers are very "light" on bandwidth overhead. Spamhaus Zen is a DNSBL, as are its component zones of SBL, XBL, CSS, and PBL.

Spamhaus DBL is a domain DNSBL. It may be used to identify URL domains with poor domain reputation, or as a "Right Hand Side Block List" (RHSBL) for email addresses.

For more information please see the DNSBL Usage FAQ and Understanding DNSBL filtering pages of this website.

DNSBL Return Codes

A return code is the answer a DNSBL provides when the object of a DNS query is listed in that DNSBL zone. All Spamhaus DNSBL return codes are in the 127.0.0.0/8 range assigned by IANA as "Loopback" addresses. Specific return codes may signify specific characteristics of the data within a Spamhaus DNSBL zone. Lists of Spamhaus DNSBL return codes are linked from the What do the 127.*.*.* Return Codes mean? FAQ.

A quick way to check the return code of a listed IP or domain is the "host" or "nslookup" command found on most OS installations. For IPs, the octets are queried in reverse order, so for 127.0.0.2 (the standard test entry) you would do this:

$ host 2.0.0.127.zen.spamhaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4

Here's an example for domains:

$ host dbltest.com.dbl.spamhaus.org
dbltest.com.dbl.spamhaus.org has address 127.0.1.2
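As an added example (not code from this page or from Spamhaus), the following Python builds the reversed-octet query names shown above, decodes the answers into component zones, and makes the SMTP-time accept/reject decision that the Backscatter entry recommends. The offline FAKE_DNS table is constructed to reproduce the two host outputs above; the return-code meanings beyond those four answers, including the 127.255.255.0/24 query-error codes, are taken from Spamhaus's published return-code lists rather than from this page, and the IPv6 nibble form follows RFC 5782 rather than anything shown here.

```python
import ipaddress

# Return-code meanings. The Zen answers 127.0.0.2/.4/.10 and the DBL answer
# 127.0.1.2 are the ones shown in the host examples above; the other entries and
# the 127.255.255.0/24 "query error" answers come from Spamhaus's published
# return-code lists, not from this page.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
DBL_CODES = {
    "127.0.1.2": "spam domain", "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain", "127.0.1.6": "botnet C&C domain",
    "127.0.1.255": "IP queries prohibited",
}
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

# Constructed offline stand-in for DNS, reproducing the answers shown above.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.10", "127.0.0.2", "127.0.0.4"],
    "dbltest.com.dbl.spamhaus.org": ["127.0.1.2"],
}


def fake_resolve(name):
    """Return the A records for a DNSBL query name ([] when not listed)."""
    return FAKE_DNS.get(name, [])


def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed octets for IPv4 (as on this page),
    reversed nibbles for IPv6 (RFC 5782 convention, beyond the page's example)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def dnsbl_domain_query_name(domain, zone):
    """Domain DNSBL (DBL) lookups use the domain itself, not reversed."""
    return domain.lower().rstrip(".") + "." + zone


def decode_answers(answers):
    """Split DNSBL answers into (listings, query_errors).

    Anything in 127.255.255.0/24 is an error about *our* query, not a listing,
    and an answer outside 127.0.0.0/8 means a wildcarding or hijacked resolver;
    neither must ever be used to block mail."""
    listed, errors = [], []
    for a in answers:
        if a in ERROR_CODES:
            errors.append(ERROR_CODES[a])
        elif a in ZEN_CODES:
            listed.append(ZEN_CODES[a])
        elif a in DBL_CODES:
            listed.append(DBL_CODES[a])
        elif ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8"):
            listed.append("unknown code " + a)
        else:
            errors.append("non-loopback answer " + a)
    return listed, errors


def smtp_policy_reply(client_ip, resolve=fake_resolve):
    """Decide the SMTP reply for a connecting client before any message is
    accepted. A 5xx here leaves the sending MTA responsible for any bounce,
    so no backscatter is generated; DNSBL query errors fail open."""
    name = dnsbl_query_name(client_ip, "zen.spamhaus.org")
    listed, errors = decode_answers(resolve(name))
    if errors:
        return "250 OK (dnsbl query error ignored: %s)" % "; ".join(errors)
    if listed:
        zones = ", ".join(sorted(set(listed)))
        return ("550 5.7.1 Service unavailable; client %s blocked using "
                "zen.spamhaus.org (%s)" % (client_ip, zones))
    return "250 OK"


if __name__ == "__main__":
    print(dnsbl_query_name("127.0.0.2", "zen.spamhaus.org"))
    print(decode_answers(fake_resolve("2.0.0.127.zen.spamhaus.org")))
    print(smtp_policy_reply("127.0.0.2"))
    print(decode_answers(fake_resolve(dnsbl_domain_query_name("dbltest.com", "dbl.spamhaus.org"))))
```

The two caveats the code enforces are the ones that bite in production: an answer in 127.255.255.0/24 (or outside 127.0.0.0/8 altogether, which points at a wildcarding or hijacked resolver) is a problem with your query, not a listing, and must fail open; and the reject is sent as a 5xx inside the SMTP transaction so that any bounce is the sending MTA's responsibility.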

E-pending (Email appending)

Email appending, e-pending, or "enriching" is the supplementation of existing email databases by cross-referencing them with information from other databases. The presumed goal is to add email addresses for customers or prospects for whom the sender has other information but not email. E-pending is not an opt-in process.

M3AAWG (formerly MAAWG) has published a very clear statement about e-pending: "The practice of email appending is in direct violation of core MAAWG values." The Spamhaus Project fully agrees with MAAWG's position; we never have and never will support e-pending. Both e-pending services and marketers using e-pending to enlarge their audience risk being listed by Spamhaus.

ESP - Email Service Provider

An ESP (Email Service Provider) is a company that helps customers send email marketing messages by offering an email marketing platform or email tool. Most ESPs will:

  • Allow their customers to build and maintain a list of subscribers.
  • Enable the creation of email campaigns.
  • Send these campaigns to subscribers in bulk.
  • Customise email templates.
  • Provide reporting facilities to measure the results of those campaigns.

The depth and complexity of the offerings vary from ESP to ESP. Examples of ESPs include Constant Contact, Mailchimp, Exact Target, SalesForce Marketing Cloud, Splio, etc.

Hailstorm Spam

Hailstorm spamming is a variation of snowshoe spamming. The difference between the two techniques is the way IP addresses and domains are used.

In snowshoe the emissions for each IP are limited by spreading the spam load across many IPs and/or domains, and in this way the operators hope to stay "under the radar". In contrast, hailstorm emitters start sending out of the blue (with a complete absence of traffic before the spam campaign) with extremely high intensities, and stop after a few minutes, just when anti-spam systems have recognized the activity and started reacting.

At that point, the same activity reappears on other, often completely unrelated IPs. A similar fast rotation is applied to domains. In some cases, domains are registered seconds before the spam starts - that is, they simply do not exist until the spam starts.

Hailstorm spam operations rely on a pipelined provisioning chain, constantly obtaining new blocks of IPv4 addresses to burn. Since IPv4 address space is running out, they have had to resort to IP brokers and ISPs willing to supply them in order to sustain these operations.

In several cases, large IPv4 ranges have been used illegally through network hijacking (see Hijacking below).
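As an added example of the contrast drawn above (illustrative code, not Spamhaus's own detection logic), the Python below runs a simple classifier over a constructed log of outbound-mail sightings: a hailstorm source is an IP with no prior history that exceeds a burst threshold inside a short window, and a snowshoe source is one of many low-volume IPs carrying the same sender domain. The addresses, domains, thresholds and the KNOWN_SENDERS history table are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample of outbound-mail sightings: (unix_time, source_ip, sender_domain).
# Not real traffic; the addresses are documentation ranges.
T0 = 1_700_000_000
SAMPLE_EVENTS = []
# Hailstorm: a never-seen IP emits 600 messages inside two minutes, then stops.
SAMPLE_EVENTS += [(T0 + i % 120, "198.51.100.7", "burst-1.example") for i in range(600)]
# Snowshoe: 20 IPs in one /24 each trickle 5 messages a day for 3 days, same domain.
for host in range(1, 21):
    for day in range(3):
        for k in range(5):
            SAMPLE_EVENTS.append((T0 + day * 86400 + k * 3600 + host,
                                  "203.0.113.%d" % host, "slow.example"))
# Legitimate: a known corporate sender at a steady ~2 messages/hour for 3 days.
SAMPLE_EVENTS += [(T0 + i * 1800, "192.0.2.25", "corp.example") for i in range(144)]
# Constructed prior-history table: IPs that were already sending before this window.
KNOWN_SENDERS = {"192.0.2.25"}


def classify_senders(events, known_senders, burst_min=200, burst_window=600,
                     snowshoe_min_ips=10, snowshoe_max_per_ip=50):
    """Return {ip: "hailstorm" | "snowshoe"} for the suspicious IPs in `events`.

    hailstorm: no prior history, >= burst_min messages, all inside burst_window seconds.
    snowshoe : >= snowshoe_min_ips distinct IPs carry the same sender domain,
               each staying at or below snowshoe_max_per_ip messages.
    Thresholds are illustrative; tune them on real volumes."""
    per_ip = {}
    for ts, ip, domain in events:
        rec = per_ip.setdefault(ip, {"first": ts, "last": ts, "count": 0, "domains": set()})
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["count"] += 1
        rec["domains"].add(domain)

    verdicts = {}
    # Hailstorm signal: high volume, short lifetime, and nothing seen before.
    for ip, rec in per_ip.items():
        active_seconds = rec["last"] - rec["first"]
        if ip not in known_senders and rec["count"] >= burst_min and active_seconds <= burst_window:
            verdicts[ip] = "hailstorm"

    # Snowshoe signal: one domain fanned out over many low-volume IPs.
    ips_by_domain = defaultdict(set)
    for ip, rec in per_ip.items():
        for domain in rec["domains"]:
            ips_by_domain[domain].add(ip)
    for domain, ips in ips_by_domain.items():
        low_volume = [ip for ip in ips
                      if ip not in verdicts and per_ip[ip]["count"] <= snowshoe_max_per_ip]
        if len(low_volume) >= snowshoe_min_ips:
            for ip in low_volume:
                verdicts[ip] = "snowshoe"
    return verdicts


def summarize(verdicts):
    """Count verdicts per class, e.g. {"hailstorm": 1, "snowshoe": 20}."""
    counts = defaultdict(int)
    for label in verdicts.values():
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(classify_senders(SAMPLE_EVENTS, KNOWN_SENDERS)))
```

Real deployments add the domain-age signal mentioned above (registration seconds before the first message) and tune the thresholds on observed volumes; the structure, per-IP lifetime plus per-domain IP fan-out, is what matters.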

Hashbusters

Hashbusters are sections of random text included in spam, possibly hidden as invisible text using HTML.

The purpose of including hashbusters is to try to defeat Bayesian and checksum-based spam filtering by making each individual spam email look as different as possible. This practice is prohibited by legitimate ESPs and affiliate marketing programs.

HELO/EHLO (SMTP)

"HELO" and "EHLO" are the commands an SMTP client sends at the start of a session to identify itself and open the SMTP conversation; EHLO is the extended form (RFC 5321) that also asks the server to list the SMTP extensions it supports. The command takes as its argument the client's domain name or, in square brackets, its IP address (e.g. "EHLO client.example.com" or "EHLO [192.0.2.1]"). If a domain name is used, it must be a fully qualified domain name (also called FQDN).
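An added example (not part of the original glossary) of the check a receiving MTA can apply to that argument, in Python: it accepts a fully qualified domain name or a bracketed address literal as RFC 5321 requires, and rejects the forms spam engines commonly send. The extra rejections (a bare IP without brackets, a client claiming one of our own hostnames) are common MTA policy, not RFC rules, and the my_hostnames parameter is an assumed hook for local configuration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_helo_line(line):
    """Split 'EHLO client.example.com' into ('EHLO', 'client.example.com').
    Returns None for anything that is not a HELO/EHLO command."""
    parts = line.strip().split(None, 1)
    if not parts or parts[0].upper() not in ("HELO", "EHLO"):
        return None
    return parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def check_helo_argument(arg, my_hostnames=frozenset()):
    """Classify a HELO/EHLO argument. Returns (acceptable, reason).

    RFC 5321 allows a fully qualified domain name or an address literal such as
    [192.0.2.1] or [IPv6:2001:db8::1]. The additional rejections below (bare
    IP without brackets, a name that is one of *our* hostnames) are common MTA
    policy rather than RFC requirements; my_hostnames is an assumed config hook."""
    arg = arg.strip()
    if not arg:
        return False, "empty argument"
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
        except ValueError:
            return False, "malformed address literal"
        return True, "address literal"
    try:
        ipaddress.ip_address(arg)
        return False, "bare IP address without brackets"
    except ValueError:
        pass
    name = arg.rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2:
        return False, "not a fully qualified domain name"
    if not all(LABEL_RE.match(label) for label in labels):
        return False, "invalid hostname label"
    if name in {h.lower().rstrip(".") for h in my_hostnames}:
        return False, "client claims to be one of our own hosts"
    return True, "fully qualified domain name"


if __name__ == "__main__":
    for line in ("EHLO client.example.com", "HELO [192.0.2.1]", "HELO 192.0.2.1", "HELO mailhost"):
        verb, arg = parse_helo_line(line)
        print(line, "->", check_helo_argument(arg, my_hostnames={"mx.mine.example"}))
```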

Hijacking (IP Hijacking)

Internet Protocol hijacking (IP hijacking) is a specific form of attack in which stolen IP address ranges are used to move data over the Internet. It exploits weaknesses in IP networking and in the Border Gateway Protocol (BGP), the protocol networks use to announce which IP prefixes they route and to choose paths for routed data packets: the attacker announces address space that was never allocated to them.

Hijacked IP addresses can be used for various kinds of targeted activities, including spamming and denial-of-service (DoS) attacks.

IP Address

An IP address (Internet Protocol address) is a unique address that devices use to identify and communicate with each other on a network that uses the Internet Protocol. An IPv4 address is a 32-bit number written as four decimal numbers from 0 to 255 separated by periods, for example 1.160.10.240. An IPv6 address is a 128-bit number written as eight groups of hexadecimal digits separated by colons, with a run of zero groups abbreviated as "::", for example 2001:db8::1.

An IP address can appear to be shared by multiple client devices either because they are part of a shared hosting web server environment or because a proxy server (e.g., an ISP or anonymizer service) acts as an intermediary agent on behalf of its customers.

IP address space is managed globally by the Internet Assigned Numbers Authority (IANA). IANA assigns large blocks to the Regional Internet Registries, which in turn allocate smaller blocks to Internet service providers and enterprises.

ISP - Internet Service Provider

An ISP is a company that provides subscribers with access to the Internet. Examples of ISPs include: Comcast, Sky, KPN, Telstra, etc.

Listwashing

"Listwashing" is defined as the removal of spamtraps and bad email addresses from a list that is not confirmed-opt-in, while retaining the other email addresses. This is often used as an attempt to clean up a rented, purchased, or very old mailing list.

Malware

Malware is any malicious software intended to remove control of a computer from its legitimate controller. Malware can try to steal and exfiltrate the user's data, or use the system's resources for illicit purposes including spam and DDoS attacks.

Some categories of malware include computer viruses, Trojan horses, worms, ransomware, spyware, adware, and scareware, etc. Firewalls, anti-virus software, and realtime filtering are some appropriate strategies against malware.

MTA - Mail Transfer Agent

Within the Internet email system, a "mail transfer agent" (MTA) or "message transfer agent" or "mail relay" is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host are also used in some contexts.

MUA - Mail User Agent

A mail user agent (MUA) is a program that allows people to receive and send e-mail messages; it's usually just called an e-mail program, e-mail agent or an e-mail client.

To use an MUA such as Apple Mail, Thunderbird or Microsoft Outlook, the MUA program is installed on a local computer and then used to download and store e-mail messages on that computer; it also allows messages to be written or read while offline.

Web-based MUAs, such as Hotmail, Gmail and Yahoo, store messages on their own mail servers and allow access to them through a web page.

NSP - Network Service Provider

An NSP is a business that provides access to the Internet backbone. While some ISPs also serve as NSPs, in most cases, NSPs provide Internet connectivity to ISPs, which in turn provide Internet access to customers. Examples of an NSP include: Level 3, Zayo, Telia, NTT, Verizon Business, Tata, etc.

Phish, Phishing (Identity Theft)

Phishing is defined as "the attempt to steal personal information by presenting a fraudulent copy of a trustworthy identity as bait". This fraudulent copy is intended to trick the victim into revealing their information.

Banks, online payment services, and social media accounts are common targets of phishing. These scams are often distributed via email, as well as other vectors.

Ransomware

Ransomware is a class of malware which restricts access to the computer system that it infects, and demands a ransom be paid to the creator of the malware in order for the restriction to be removed.

  • Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system.
  • All types of ransomware display messages intended to coerce the user into paying a ransom to recover their system and data.

You can find more information in this Wikipedia article.

Registrar (Of domain names)

A domain name Registrar provides domain name registrations to the general public. They do not own the domain names; those are provided TO the registrar BY the registries.

Registry (Of domain names)

A domain name Registry is the authoritative database of all domain names, and the associated registrant information, in a top-level domain of the Domain Name System (DNS). It enables third-party entities (registrars) to request administrative control of a domain name on behalf of registrants.

RIR - Regional Internet Registry

A Regional Internet Registry (RIR) is a not-for-profit organization that oversees Internet Protocol (IP) address space (IPv4 and IPv6) and the Autonomous System (AS) numbers within a specific geographical region.

There are five RIRs across the globe: ARIN, RIPE NCC, APNIC, LACNIC and AFRINIC. Together, they are known as the Number Resource Organization (NRO).

SMTP (Email)

SMTP (Simple Mail Transfer Protocol) is a protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another; the messages can then be retrieved with an e-mail client using either POP or IMAP.

Snowshoe Spam

Snowshoe spamming is a sending technique which evolved in an attempt to avoid email filters.

  • Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming is a technique used to spread spam output across many IPs and domains in order to dilute reputation metrics and evade filters.
  • Domains which act in a manner indistinguishable from snowshoers will unavoidably be treated like snowshoers.

Some of the things snowshoe spammers do:

  • They may use many fictitious business names (DBA - Doing Business As), fake names and identities;
  • They may use frequently changing postal dropboxes and voicemail drops
  • Snowshoers often use anonymized or unidentifiable Whois records;
  • Use nonsense domains or hostnames in quantity;
  • Some snowshoers use tunneled connections from their back-end mail engine to the outgoing, internet-facing IP. This causes the originating IP to be hidden.
    • ISPs are in a position to detect those back-end mail engines by checking where traffic flows are coming from. The tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information!

Legitimate senders work hard to build brand reputation based on a genuine business address, a known domain and a small, permanent, well-identified range of sending IPs.

Spam (Email)

Spam is generally understood to be Unsolicited Bulk E-mail (UBE).

  • Unsolicited: the recipient has not granted verifiable permission for the message to be sent.
  • Bulk: the message is sent as part of a larger collection of messages with identical content.

Spam as defined by Spamhaus.

SPAM®

"SPAM ® Chopped Pork and Ham" is the registered trademark of a famous canned meat product made primarily from ham, made by the Hormel Foods Corporation.

  • It's great in sandwiches, salads, or mac & cheese, with eggs, cheese or pineapples, sliced, diced, baked or fried...
  • The name derives from "SP(iced h)AM";
  • If you have never tasted SPAM, try it today! :-)
  • The product name "SPAM" (always used in upper-case) has no relationship with the internet jargon word "spam", referring to Unsolicited Bulk Email.

SpamAssassin (Email filter)

SpamAssassin is an open source mail filter from the Apache Software Foundation that identifies spam. It applies a diverse range of tests to email headers and content and combines their scores, together with statistical (Bayesian) classification, to decide whether a message is unsolicited bulk email, more commonly known as spam.

Spamhaus offers a SpamAssassin plug-in free of charge.

Spamtrap

Spamtraps are broadly defined as email addresses which have never opted into any email. There are, however, many types of traps.

  • They are used by various reputation systems to highlight senders who add email addresses to their lists without obtaining prior permission.
  • They are also very effective in identifying email marketers with poor permission and list management practices.
  • Spamtraps are never revealed by their owners, for various reasons:
    • They are a component of reputation systems' secret sauce;
    • Once a trap address is revealed, it is useless to its owner from that point forward;
    • It often happens, when a trap address is provided to a listed sender, that only the trap address is suppressed and no other work is done to solve the underlying data collection/maintenance issue.

Spamware

Spamware is software designed for sending email in ways that hide the sender, attempt to circumvent spam filters, or which contains features of use only to miscreants.

NOTE: The sale of spamware is illegal in many countries and most U.S. states.

SPF - Sender Policy Framework

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during delivery of an email: the domain owner publishes in DNS which IP addresses may send mail using its domain as the envelope sender (MAIL FROM) or HELO identity, and the receiving server checks the connecting IP against that policy. SPF is defined in RFC 7208, dated April 2014, as a "proposed standard". For more information start with the Wikipedia article about SPF.

TOS - Terms of Service

Terms Of Service (TOS), also known as "Terms Of Use" or "Terms and Conditions", are the legal agreement between a service provider and a person who wants to use that service. They lay out the responsibilities of both parties.

Verification (Companies)

Verification companies - or email verifiers - are desktop tools or online services (both software-as-a-service or plugins) that allow marketers and salespeople to verify a single email address or a whole list of email addresses, with the intention of being sure the contacts exist, work, and are valid.

Some companies also say they can find and remove spam traps. This is a questionable claim, since Spamhaus frequently sees mail in its spamtraps from "verified" opt-out lists!

Waterfalling

Waterfalling is an abusive technique in which a list owner "waterfalls" the same illicitly obtained address list through a series of (usually) unknowing, innocent ESPs. At each stage they clean out bounces, complainants and possibly non-respondents, with the end goal of sending the final, scrubbed list through a good ESP with solid deliverability.

The result of this process is damage to the reputation of each ESP involved, as well as being a violation of ethics, counter to best practices and against Spamhaus policy.

What is “cache miss” data?

Cache miss data is generated when an internet user makes a request to visit a website, and the hostname is resolved by an external authoritative server instead of a DNS resolver’s cache. This data contains no personally identifiable information, only the domain name, record type, record value, and time stamp.

What are Response Policy Zones (RPZs)?

A method of applying policy to DNS queries on a network. The policy zones are, in effect, targeted data feeds of threat information expressed as DNS zone data, so the decision is binary: a queried name is either listed in a policy zone or it is not. If a user queries a domain listed on a botnet command and control (C&C) policy zone, for example, the resolver substitutes the policy answer and the user is protected from the malicious site.

RPZs are applied on recursive DNS servers, and since each "zone" carries a distinct "policy", users can choose to implement only the protection policies that are relevant to them.
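An added example (not a Spamhaus feed or Spamhaus code) of what an RPZ zone looks like and how a resolver applies it, in Python: the constructed zone text uses the standard RPZ conventions (a CNAME to "." for NXDOMAIN, to "*." for NODATA, to rpz-drop. and rpz-passthru. for dropping and exempting, and ordinary records for local data), and apply_rpz() returns the action a resolver would take for a query name, with an exact trigger beating a wildcard. The names in the zone are assumptions made up for the example.

```python
# Constructed RPZ zone in ordinary zone-file syntax (illustrative names only,
# not a Spamhaus feed). Each owner name is a "trigger"; the CNAME target is the
# "action": "." -> NXDOMAIN, "*." -> NODATA, "rpz-drop." -> drop the query,
# "rpz-passthru." -> exempt the name; any other data is served as local data.
RPZ_ZONE = """\
$TTL 300
@                       IN SOA  localhost. root.localhost. 1 3600 900 604800 300
                        IN NS   localhost.
cnc.bad.example         CNAME .              ; botnet C&C: answer NXDOMAIN
*.cnc.bad.example       CNAME .              ; ...and every name below it
allowed.cnc.bad.example CNAME rpz-passthru.  ; allow-list exception
tracker.bad.example     CNAME *.             ; NODATA: exists, but no records
ddos.bad.example        CNAME rpz-drop.      ; send no answer at all
phish.bad.example       A     192.0.2.100    ; redirect to a walled-garden host
"""

CNAME_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-drop.": "DROP",
                 "rpz-passthru.": "PASSTHRU", "rpz-tcp-only.": "TCP-ONLY"}


def parse_rpz(zone_text):
    """Map each trigger name to an (action, data) pair."""
    policy = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = [t for t in line.split() if t.upper() != "IN"]
        if tokens[0] == "@" or len(tokens) < 3 or tokens[1].upper() in ("SOA", "NS"):
            continue                         # apex records carry no policy
        owner, rtype, data = tokens[0].lower().rstrip("."), tokens[1].upper(), tokens[2]
        if rtype == "CNAME" and data.lower() in CNAME_ACTIONS:
            policy[owner] = (CNAME_ACTIONS[data.lower()], None)
        else:
            policy[owner] = ("LOCAL-DATA", data)
    return policy


POLICY = parse_rpz(RPZ_ZONE)


def apply_rpz(qname, policy=POLICY):
    """Return the policy action for a query name: an exact trigger wins over a
    wildcard, and among wildcards the closest enclosing one wins, following
    ordinary DNS wildcard matching."""
    name = qname.lower().rstrip(".")
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return ("NO-POLICY", None)


if __name__ == "__main__":
    for q in ("cnc.bad.example", "a.b.cnc.bad.example", "allowed.cnc.bad.example",
              "tracker.bad.example", "ddos.bad.example", "phish.bad.example", "www.example.org"):
        print(q, "->", apply_rpz(q))
```

The passthru entry is the detail worth noticing: because an exact trigger beats the wildcard, allowed.cnc.bad.example keeps resolving normally even though everything else under cnc.bad.example is blocked, which is how operators carve exceptions out of a broad feed without editing the feed itself.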

What is a Border Gateway Protocol (BGP) Community?

Network administrators can set up BGP sessions between their routers or firewalls and a feed provider's route servers to receive protective data, such as the BGP datasets provided by Spamhaus. Connections to or from confirmed malicious IPs can then be dropped automatically, typically by routing the received prefixes to a null interface.

Each dataset is "labeled" with a distinct BGP community, allowing administrators to decide which datasets they want to apply. This decision will depend on the nature and security posture of the network the protection is applied to.

What is a DNS resolver?

Most simply, a DNS resolver is server software, and a critical piece of infrastructure for loading web pages (and for almost everything else on the Internet). It is also called a recursive DNS resolver or DNS recursor.

When a user wants to access a website, the human-readable hostname must be translated into the numerical address that machines use, since every device on the Internet is reached by its IP address. Domain Name System (DNS) resolution converts the hostname (e.g., www.example.com) to an IP address, like a telephone book for the Internet, so that the requested website can be served.

DNS resolution happens in phases. First, the user's device asks a DNS resolver for the IP address of the hostname. If the answer is still in the resolver's cache (its TTL has not expired), the resolver returns it immediately. If not, the resolver queries the authoritative nameservers in turn (root, TLD, then the domain's own) to locate the IP, caches the answer, and returns it so that the requested content can be fetched.
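An added example (illustrative code, not Spamhaus's resolver) that models the hit-or-miss step described above and the record described in the "cache miss" entry: a small caching resolver over constructed authoritative data that returns cached answers until their TTL expires, and otherwise fetches, caches and logs only the domain, record type, value and timestamp. The records, TTLs and the injectable clock are assumptions for the example.

```python
import time

# Constructed authoritative data, keyed by (name, record type): not real records.
AUTHORITATIVE = {
    ("www.example.com", "A"): ("93.184.216.34", 300),   # (value, TTL in seconds)
    ("mail.example.com", "A"): ("192.0.2.25", 60),
}


class CachingResolver:
    """Minimal recursive-resolver model: answer from cache while the TTL lasts,
    otherwise go to the authoritative source and record a cache-miss entry.
    The miss log deliberately holds only domain, type, value and timestamp,
    never the client that asked, matching the "cache miss data" entry above."""

    def __init__(self, authoritative, clock=time.time):
        self.authoritative = authoritative
        self.clock = clock                # injectable so tests can advance time
        self.cache = {}                   # key -> (value, expires_at)
        self.miss_log = []                # cache-miss records

    def resolve(self, name, rtype="A"):
        now = self.clock()
        key = (name.lower().rstrip("."), rtype.upper())
        cached = self.cache.get(key)
        if cached is not None and cached[1] > now:
            return cached[0], "hit"
        if key not in self.authoritative:
            return None, "nxdomain"       # negative caching omitted for brevity
        value, ttl = self.authoritative[key]
        self.cache[key] = (value, now + ttl)
        self.miss_log.append({"domain": key[0], "type": key[1],
                              "value": value, "timestamp": int(now)})
        return value, "miss"


if __name__ == "__main__":
    r = CachingResolver(AUTHORITATIVE)
    print(r.resolve("www.example.com"))   # first query goes upstream: a miss
    print(r.resolve("www.example.com"))   # second one is answered from cache
    print(r.miss_log)
```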

Zombie Computers or IP Ranges

Definition #1 (newer):

A zombie is a computer connected to the Internet that has been compromised by a computer virus or trojan malware and which can then be used to perform malicious tasks under remote direction.

  • Botnets of zombie computers are often used to send spam e-mail and launch distributed-denial-of-service (DDoS) attacks.
  • Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.

This definition is analogous to the zombies in modern zombie movies. They become zombies when infected by some virus or pathogen.

Definition #2 (older):

A zombie is a name Spamhaus gave to ranges of IP addresses that are hijacked by spammers, routed to the spammer's servers and then used to send out spam.

  • These IP addresses were either assigned to long-dead companies, or have been forgotten about by the original assignees over the years.
  • Spamhaus saw these ranges of IP addresses "coming back from the dead."

Hijacking, which continues today, pre-dated the use of infected computers for spam. Its analogy is to the zombies in voodoo-lore. These "zombies" of legend are corpses that are re-animated to do the bidding of their master.