
Spamhaus DBL


DEFINITION: "Domain BlockList" (DBL)

What is the DBL?

LISTED IN DBL Q&A

Why is a domain listed in DBL?
All about removing domains from the DBL
Can you scan my site and check that it is secure?

ABUSED-LEGIT Q&A

What does the "abused-legit" classification mean in the DBL?
Help for domains listed as "abused legit" in the DBL
Do the "abused legit" or "abused redirector" listings include full URL/URI links?

DBL USAGE QUESTIONS

What do the 127.*.*.* Return Codes mean?
Is the DBL included in the Spamhaus Zen DNSBL?
Can the DBL be used to look up IP addresses?
Can DBL be used in a Response Policy Zone (RPZ)?
Can DBL be used with Microsoft Exchange ?
Can the DBL be used to filter blog spam?
Can wildcard queries be used with the DBL?
URL shortening or re-directing services and the DBL
Is there any code available to query the DBL in my application?
How can I test the DBL?
Running SpamAssassin and Rspamd with Spamhaus data

The DBL and Project Golden Shield

I am in China. Why is the DBL listing non-spam domains such as twitter.com, facebook.com or pinterest.com?



DEFINITION: "Domain BlockList" (DBL)


What is the DBL?
The Spamhaus DBL is a list of domain names with poor reputations. It is published in a domain DNSBL format. These domain reputations are calculated from many factors, and maintained in a database which in turn feeds the DBL zone itself.

  • It ONLY lists domains. No IP addresses are listed by the DBL.
  • The DBL's reputation database is maintained by a dedicated team of specialists.
  • Data from many sources is used to build and maintain a large set of rules.
  • The DBL zone is continually updated, and the data is served from over 80 mirrors world-wide.
  • These rules control an automated system that constantly analyses a large portion of the world's email flow and the domains in it.
  • Most DBL listings occur automatically, although where necessary Spamhaus researchers will add or remove listings manually.
  • Listings will expire without intervention after the domain stops matching the criteria that caused the listing.
DBL data is exchanged with other Spamhaus systems which can result in further listings in the DBL, or in IP addresses being listed in other Spamhaus zones.



LISTED IN DBL Q&A


Why is a domain listed in DBL?
The Spamhaus Domain Block List (DBL) evaluates many factors for inclusion of domains. We do not discuss the specific criteria we use.
  • Domains must match several criteria in order to be listed.
  • We will not reveal specific listing criteria in most cases.
  • DBL listings are constantly reevaluated by our systems, and listings do expire automatically when listing criteria are no longer met.
These are general observations to help domains build a good reputation and avoid DBL listings.
NOTE: These observations are universal and do not apply only to the Spamhaus reputation systems.

Domain reputation
  • Reputations are built over time, and building a good reputation takes longer than building a bad reputation.
  • Experience has shown that an unknown reputation has a much higher risk of emitting spam than known-good domains, so unknown reputations begin as "poor" by default.
  • Anonymity does not contribute to a good reputation.
  • Domain and IP reputations affect each other.
  • If domains are used in legitimate traffic for enough time to establish a good reputation, DBL will notice that and remove the listing.
    • DBL will also notice if domains are used for activities that cause poor reputations, such as spam or other "blackhat" pursuits.
Snowshoe spamming
  • This is a technique that uses many domains and IPs, which change frequently.
  • Legitimate bulk email builds a reputation over time on durable, long-term domains and IPs.
  • Because of that investment in time and effort, reputable mailers use far fewer domains and IPs than snowshoers.
  • Domains which act like they are snowshoeing will get treated like snowshoers.
Authentication
  • Having solid domain authentication is a necessary tool in today's email ecosystem, but SPF, DKIM, and/or DMARC can all be used by spammers as well as by good senders.
  • DBL listings occur for domains with and without those records.
Bulk email/Marketing email
  • If a domain is being used in bulk email, be sure best practices are followed for sending only confirmed opt-in, solicited bulk mail.
  • See our Marketing FAQs for more information.
  • It can also help to consult industry experts or good deliverability consultants for further assistance.
Role Accounts and Feedback Loops
  • These are a domain's abuse detection system.
  • If they are not set up and functional, there is a huge loss of visibility into abuse issues on a network.
  • They should be used to identify problems including spam, and to stop those problems before they degrade a domain's reputation.
Clean hosting
  • Domains should be hosted on good, clean ISPs which do not allow abuse of their network.
  • "Clean" includes a domain's NS, A, MX and website DNS records.
  • Hosting a domain on spam-friendly IPs or servers, or at ISPs that tolerate network abuse, including spam, has a negative effect on the reputation of all domains on that network.
  • Mail server IPs should be identified with proper rDNS (PTR records) and mail servers should identify themselves with a proper HELO value (also RFC 5321 4.1.1.1).


All about removing domains from the DBL
Does a DBL listing expire automatically?
  • DBL is highly automated and most listings will expire automatically after they cease to appear in spam.
  • Domains are listed in DBL Zone automatically, and they may re-list automatically after removal if they are re-detected.
Can a domain be removed from the DBL before the expiry?
  • While DBL is careful to not list innocent domains, it's possible that a domain may need to be removed from DBL before the listing expires.
  • If a domain is listed and believed to be eligible for removal, please use the Blocklist Removal Center link on the Spamhaus homepage, look up the domain and follow the instructions returned by that lookup form.
    • Using the form does not guarantee removal.
    • Excessive removers and other removal form abusers may be blocked.
How long does a removal take?
  • Once the removal request is approved, the request will be processed immediately.
  • It should only take a few minutes, but some users may lag up to 24 hours in removing domains from their local systems.
  • If the listing remains active more than 24 hours after the removal is approved, please contact us.
Is there a cost or fee for removal from the DBL?
  • Absolutely not.
  • There is never any charge or fee associated with removing any Spamhaus listing.
  • Any offer from anyone to remove any Spamhaus listing for a fee is a scam.
  • Spamhaus has no affiliation with anyone offering any 'blocklist removal' service, nor can any third party influence or expedite removals from any Spamhaus database.


Can you scan my site and check that it is secure?
We don't scan at all.

Scanning is not a very effective way to detect many of these hacks. We watch Internet traffic for signs of abuse, spam and botnet traffic. When we see those signs it means for certain that the web site or server is insecure, infected or compromised.



ABUSED-LEGIT Q&A


What does the "abused-legit" classification mean in the DBL?
"Abused-legit" is a class of domains which are generally legitimate but are abused by spammers. The domain owners are legitimate businesses or people whose servers have been hacked.
  • These listings have a DBL return code in the 127.0.1.100+ range.
    • Among the most common abuses we see are hacked content management systems (WordPress, Drupal or Joomla, for example).
      • These return 127.0.1.102 in dbl.spamhaus.org.
      • Many have Stealrat botnet infections and return the 127.0.1.105 or 127.0.1.106 codes.
As with all DBL entries, we list these domains as soon as we detect abuse in order to protect DBL users.
  • Because we know there are legitimate users of these domains, we provide immediate, no-questions-asked removals for administrators of these domains.
  • These DBL listings also expire more quickly, usually a day after last detection.
  • Admins of "abused legit" sites should follow the normal removal procedure starting from our Blocklist Removal Center. It will route your removal request appropriately.
Once the CMS or webserver has been fixed, we strongly suggest that administrators replace the pages the spammer inserted:
  • The replacement pages should return an appropriate "page not found" HTTP error.
  • 403, 404 or 410 are suitable responses.
  • This is particularly important when the domain is part of a shared web hosting resource that was abused.
Removing "abused-legit" listings

Listing, delisting and removal of "abused legit" domains work just like regular DBL listings.

The DBL is tuned to minimize listings which could cause false positives
  • "Abused legit" listings time out much faster than other listings.
  • Keeping false positives as near zero as possible, like all of DBL, is an important goal of the "abused legit" segment of DBL.
  • Admins of "abused legit" sites should follow the normal DBL removal procedure starting from our Blocklist Removal Center. It will route the removal request appropriately.


Help for domains listed as "abused legit" in the DBL
If a domain is listed in the DBL as "abused-legit" these are the basic steps to follow:
  1. If it is at all possible, the website/server should be taken offline while it is being fixed.
  2. All of the infected files must be removed.
  3. The CMS and all plugins and extensions must be updated to the latest and most secure versions.
  4. Be sure the server itself is secure, or ask a system administrator to perform a security audit.
  5. All passwords must be changed. Strong passwords should be used, and two factor authentication added wherever possible.
For more in depth information please refer to the Spamhaus FAQ regarding hacked CMS:


Do the "abused legit" or "abused redirector" listings include full URL/URI links?
DBL listings include only the domain, not the full directory path of URL/URIs.

However, in some cases, additional DBL information may be available for admins of hacked CMS sites. Start the removal procedure from our Blocklist Removal Center and follow the steps from there.

We suggest that all domains, especially redirector domains, set up appropriate Role Accounts and Feedback Loops which can help provide notification of problems.



DBL USAGE QUESTIONS


What do the 127.*.*.* Return Codes mean?
The DBL uses DNS return codes in the 127.0.1.0/24 range. Queries regarding any domain listed in DBL and all IP queries will return a response code. If no code is returned (NXDOMAIN) the domain is not listed in DBL. DBL return codes in current and future use are:

Return Code    Data Source
127.0.1.2      spam domain
127.0.1.4      phish domain
127.0.1.5      malware domain
127.0.1.6      botnet C&C domain
127.0.1.102    abused legit spam
127.0.1.103    abused spammed redirector domain
127.0.1.104    abused legit phish
127.0.1.105    abused legit malware
127.0.1.106    abused legit botnet C&C
127.0.1.255    IP queries prohibited!

This table will be updated as specific DBL categories are added and 127.0.1.* return codes are assigned to them.

The following special codes indicate an error condition and should not be taken to imply that the queried domain is "listed":

Return Code        Zone   Description
127.255.255.252    Any    Typing error in DNSBL name
127.255.255.254    Any    Anonymous query through public resolver
127.255.255.255    Any    Excessive number of queries


Is the DBL included in the Spamhaus Zen DNSBL?
Spamhaus Zen is an IP address DNSBL zone. Zen lists numeric IP addresses only; it does not list domains and does not include the DBL.

The DBL is a purely domain-based zone, and must be queried separately by software capable of extracting domains from email message bodies and headers.


Can the DBL be used to look up IP addresses?
No. The DBL cannot be used that way.

The DBL is a domain-only blocklist and does not include or support IP addresses.
  • It only includes domain names in the form of text strings.
  • It should not be used the same way as the Spamhaus IP-based DNSBLs.
  • An IP query against the DBL always returns a positive (listed) return code.
    • If legitimate emails containing http links specified as IP addresses (e.g. "http://1.1.1.1") are expected to be delivered, wrongly using the DBL this way will reject them.
"dbl.spamhaus.org" must not be configured in any email server's "DNSBL" or "RBLs" feature, spam firewall, or spam filter unless it specifically states that blocklists entered there are used for domain checking only. If this is unclear, please refer to the spam filter developer.

Spamhaus DNS returns the code 127.0.1.255 to IP queries to the DBL zone, along with a TXT record referring to this FAQ page.

If an IP lookup DNSBL is required, Spamhaus Zen is a good choice. More information can be found on the DNSBL FAQ page.
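The two return-code tables above, the rule in this answer that IP literals must never be sent to the DBL, and the check recommended under "The DBL and Project Golden Shield" at the end of this page (accept only answers inside 127.0.1.0/24) can all live in one small client. The following Python example is added here and is not Spamhaus code. Its lookup function is injectable: it defaults to the system resolver, and the answer table in main() is constructed for demonstration. The DblResult class and the function names are this example's own.

```python
"""Interpret answers from the Spamhaus DBL zone.

Added example for this FAQ, not Spamhaus code.  `resolve(name)` must
return the A record as a string, or None on NXDOMAIN.  `system_resolve`
wraps socket.gethostbyname for real use; the table in main() is
constructed.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Optional

DBL_ZONE = "dbl.spamhaus.org"
DBL_RANGE = ipaddress.ip_network("127.0.1.0/24")

# Listing codes from the FAQ's return-code table.
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector domain",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
    "127.0.1.255": "IP queries prohibited",
}

# Zone-independent error codes from the FAQ: never a listing.
DBL_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "anonymous query through public resolver",
    "127.255.255.255": "excessive number of queries",
}


@dataclass
class DblResult:
    domain: str
    status: str            # "listed", "not_listed", "error" or "invalid"
    code: Optional[str]    # raw A record, if any
    detail: str


def interpret(domain: str, answer: Optional[str]) -> DblResult:
    """Turn a raw A-record answer (None = NXDOMAIN) into a verdict."""
    if answer is None:
        return DblResult(domain, "not_listed", None, "NXDOMAIN")
    if answer in DBL_ERRORS:
        return DblResult(domain, "error", answer, DBL_ERRORS[answer])
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return DblResult(domain, "invalid", answer, "answer is not an IP address")
    if addr not in DBL_RANGE:
        # Outside 127.0.1.0/24 the answer is not a DBL verdict at all
        # (for example a response altered in transit); never treat it as "listed".
        return DblResult(domain, "invalid", answer, "answer outside 127.0.1.0/24")
    if answer == "127.0.1.255":
        return DblResult(domain, "error", answer, DBL_CODES[answer])
    return DblResult(domain, "listed", answer,
                     DBL_CODES.get(answer, "listed; unassigned 127.0.1.* code"))


def is_ip_literal(name: str) -> bool:
    """True for IPv4/IPv6 literals (bracketed or not); DBL must not be asked about these."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def system_resolve(name: str) -> Optional[str]:
    """A lookup via the system resolver; NXDOMAIN (and any other failure) -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dbl_lookup(domain: str,
               resolve: Callable[[str], Optional[str]] = system_resolve) -> DblResult:
    """Query a domain name against the DBL, refusing IP literals before any DNS traffic."""
    domain = domain.strip().rstrip(".").lower()
    if not domain or is_ip_literal(domain):
        return DblResult(domain, "invalid", None, "IP addresses are not queried against the DBL")
    return interpret(domain, resolve(f"{domain}.{DBL_ZONE}"))


def main() -> None:
    # Constructed answers standing in for a live DNS server.
    table = {
        "dbltest.com.dbl.spamhaus.org": "127.0.1.2",
        "hacked-cms.tld.dbl.spamhaus.org": "127.0.1.102",
        "shortener.tld.dbl.spamhaus.org": "127.0.1.103",
        "altered.tld.dbl.spamhaus.org": "10.10.34.34",   # answer outside the DBL range
    }
    for name in ["dbltest.com", "hacked-cms.tld", "Shortener.TLD.", "example.com",
                 "1.1.1.1", "[2001:db8::1]", "altered.tld"]:
        r = dbl_lookup(name, table.get)
        print(f"{name:16} {r.status:11} {r.code or '-':16} {r.detail}")


if __name__ == "__main__":
    main()
```

Pass any callable that returns the A record string, or None for NXDOMAIN. With the system resolver a lookup failure such as a timeout is indistinguishable from NXDOMAIN, so a production client should use a DNS library that reports SERVFAIL separately and, as the FAQ says elsewhere, query through its own resolver rather than a public one.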


Can DBL be used in a Response Policy Zone (RPZ)?
The DBL can be used with a Response Policy Zone (RPZ).

Also known as a "DNS firewall," an RPZ is highly effective at protecting networks and their users from spam as well as malware of many kinds including bots, spyware and other malicious attack vectors.

For more in-depth information, please see our news article Spamhaus' DBL as a Response Policy Zone (RPZ) and the RPZ whitepaper by Hugo M. Connery at the Technical University of Denmark.


Can DBL be used with Microsoft Exchange ?
Unfortunately Microsoft does not include native support for DBL or other domain blocking lists in their Exchange product. However, Exchange users can use DBL through a third party product such as Vamsoft ORF.


Can the DBL be used to filter blog spam?
The Spamhaus DBL can be used effectively to defend against blog spam.
  • Many of the same actors that send spam email also spam blog comment sections and guestbooks.
  • Most blogging software does a good job in catching comment spam, but if needed, the DBL is able to detect some of the domains used, and can flag or block these postings.


Can wildcard queries be used with the DBL?
The DBL supports wildcard lookups. Querying the full hostname will return a positive result if the host's domain is listed. In other words, DBL lists at the main domain level, and all hostnames and subdomains of that domain also return a "listed" result. Stripping the hostname down to the actual domain before querying is therefore optional, not necessary.

For example, if spammer.tld is listed:
    $ host spammer.tld.dbl.spamhaus.org
    spammer.tld.dbl.spamhaus.org has address 127.0.1.2
Any *.spammer.tld sub-domain will also get the same response:
    $ host www.barclays.bank.spammer.tld.dbl.spamhaus.org
    www.barclays.bank.spammer.tld.dbl.spamhaus.org has address 127.0.1.2
The wildcard query works for subdomains only, and not variations of the domain itself:
    $ host notspammer.tld.dbl.spamhaus.org
    notspammer.tld.dbl.spamhaus.org not found: 3(NXDOMAIN)
This enables the DBL to be used both for URI-type queries (domains in links advertised in spam) and for RHSBL-type queries such as rDNS, HELO strings, Sender and other email headers.
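Because a listed domain answers for every hostname under it, a client can query names exactly as they appear in a message. The following Python example is added here and is not Spamhaus code; it extracts candidate names from a constructed message for both kinds of query described above: URL hostnames for URI-type lookups, and sender-address, HELO and rDNS names for RHSBL-type lookups. It skips IP literals (which must never be sent to the DBL) and bare labels, and builds the dbl.spamhaus.org query names, leaving the resolution itself to whatever resolver the application uses. The Received-header pattern (only the common "from HELO (RDNS [IP])" form) and SAMPLE_MESSAGE are this example's assumptions.

```python
"""Pull DBL query candidates out of an email message.

Added example for this FAQ, not Spamhaus code.  Because the DBL answers
for every hostname under a listed domain, names are queried exactly as
found; nothing is reduced to a registrable domain.  RECEIVED_RE covers
only the common "from HELO (RDNS [IP])" form, and SAMPLE_MESSAGE is
constructed for demonstration.
"""
import email
import email.utils
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

DBL_ZONE = "dbl.spamhaus.org"
URL_RE = re.compile(r"\bhttps?://[^\s<>\"'()]+", re.IGNORECASE)
RECEIVED_RE = re.compile(r"^\s*from\s+(\S+)\s+\((\S+?)\s+\[", re.IGNORECASE)

SAMPLE_MESSAGE = """\
Received: from mail.spammer.tld (rev.spammer.tld [192.0.2.10]) by mx.example.com with ESMTP
Return-Path: <bounce@Bounce.spammer.tld>
From: "Promo" <deals@promo.spammer.tld>
Reply-To: sales@Reply.Spammer.TLD
To: victim@example.com
Subject: constructed sample

Visit http://www.barclays.bank.spammer.tld/login now,
or https://1.1.1.1/pay and https://Shop.Example.com:8443/x?y=1.
"""


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _clean(host) -> str:
    """Normalise a hostname; '' if it is not something the DBL should be asked about."""
    host = (host or "").strip().rstrip(".").lower()
    if "." not in host or _is_ip_literal(host):
        return ""   # bare labels such as "unknown" and IP literals are never DBL queries
    return host


def dbl_candidates(raw_message: str) -> Dict[str, List[str]]:
    """Map each hostname worth querying to the sorted list of places it was seen."""
    msg = email.message_from_string(raw_message)
    found: Dict[str, set] = {}

    def add(host, source):
        h = _clean(host)
        if h:
            found.setdefault(h, set()).add(source)

    # RHSBL-style names: sender addresses, plus HELO and rDNS from Received.
    for hdr in ("From", "Reply-To", "Return-Path", "Sender"):
        for _display, addr in email.utils.getaddresses(msg.get_all(hdr, [])):
            add(addr.rpartition("@")[2], hdr)
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.match(received)
        if m:
            add(m.group(1), "HELO")
            add(m.group(2), "rDNS")

    # URI-style names: hostnames of links found in text parts.
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for m in URL_RE.finditer(text):
            try:
                add(urlsplit(m.group(0)).hostname, "URL")
            except ValueError:   # malformed URL; skip it
                continue
    return {h: sorted(s) for h, s in found.items()}


def query_names(raw_message: str) -> List[str]:
    """The DNS names to resolve, one per candidate hostname, unstripped."""
    return [f"{h}.{DBL_ZONE}" for h in sorted(dbl_candidates(raw_message))]


if __name__ == "__main__":
    for host, sources in sorted(dbl_candidates(SAMPLE_MESSAGE).items()):
        print(f"{host:32} {', '.join(sources)}")
    print(query_names(SAMPLE_MESSAGE))
```

Feeding every returned name to a DBL lookup, rather than first reducing it to the registered domain, is exactly what the wildcard behaviour above allows; the only names deliberately dropped are IP literals and single labels.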


URL shortening or re-directing services and the DBL
Can URL shortening services use the DBL to deny bad domains?

The DBL can be used to protect URL-shorteners from abuse.
  • Spammers frequently use URL shortening services to try and avoid spam filtering systems that use tools such as the DBL.
  • URL shortening services should check every URL's domain against the DBL and not allow those that are listed.
NOTE: Domains that map to SBL-listed IP space should also be disallowed.

What can URL shorteners and redirectors do to prevent abuse?
  • DBL has a specific return code for abused redirectors in the DBL zone: 127.0.1.103.
  • Don't string several redirectors together!
    • This includes 'Don't shorten shorteners' and 'Don't accept referrals from shorteners.'
  • Don't redirect to domains on the DBL
  • Don't redirect to domains with the A RR on SBL and possibly XBL (your call).
  • Check blocklists at the time of URL creation and again, later, as traffic on the new URL ramps up (a day or a week).
  • Don't allow users to change the landing URL after the redirect is created.
  • Don't provide an interstitial link to the spammer's payload if abuse is detected: fully suspend the offending URL (404 or 410 HTTP return).
  • Do create and maintain Role Accounts & Feedback Loops (FBLs) to help detect abuse, and process that information promptly.
  • Also see http://www.surbl.org/redirection-sites.


Is there any code available to query the DBL in my application?
We have seen that people have published code to do DNS lookups on the DBL.
  • Lockergnome.net wrote one in PHP.
  • This Python code was written for checking SURBL and could be modified to work with the DBL.


How can I test the DBL?
There are two ways to test the DBL.
  1. The DBL follows RFC5782 for determining whether a URI zone is operational with an entry for TEST.
  2. The DBL has a specific domain for testing DBL applications: dbltest.com.
    • To test functionality of the DBL, use "host" or "dig" from the command line to do a manual query.
    • If using the web to look up a domain in the DBL, the domain lookup form at our Blocklist Removal Center should be used.
NOTE: Do not query our website with automated tools!

RFC5782 operational test
    Query: test.dbl.spamhaus.org
    Result: test.dbl.spamhaus.org IN A 127.0.1.2
"Listed" Test Results
    Query: dbltest.com.dbl.spamhaus.org
    Result: dbltest.com.dbl.spamhaus.org IN A 127.0.1.2
"Not Listed" Test Results
    Query: example.com.dbl.spamhaus.org
    Result: Host example.com.dbl.spamhaus.org not found: 3(NXDOMAIN)

(Note: the IANA reserved "example.com" domain will never appear in the DBL zone)
Test Point TXT Record
    Query: TXT dbltest.com.dbl.spamhaus.org
    Result: TXT "http://www.spamhaus.org/query/dbl?domain=dbltest.com"
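The three test points above can be turned into a start-up self-check that refuses to trust DBL verdicts until the zone answers as documented. The following Python example is added here and is not Spamhaus code; it compares each test point with its expected answer and, on failure, explains the result using the special 127.255.255.x codes from the return-code table. The lookup function is injectable (it defaults to the system resolver), and the answer tables in main() are constructed to show a healthy setup next to one that queries through a public resolver.

```python
"""Check a DBL deployment against the FAQ's documented test points.

Added example for this FAQ, not Spamhaus code.  `resolve(name)` returns
the A record as a string or None on NXDOMAIN; `system_resolve` wraps the
system resolver for real use, and the answer tables in main() are
constructed.
"""
import socket
from typing import Callable, Dict, Optional, Tuple

DBL_ZONE = "dbl.spamhaus.org"

# Documented test points; None means NXDOMAIN is the expected answer.
TEST_POINTS: Dict[str, Optional[str]] = {
    "test": "127.0.1.2",         # RFC 5782 operational-test entry
    "dbltest.com": "127.0.1.2",  # Spamhaus test domain, always listed
    "example.com": None,         # IANA-reserved, never listed
}


def system_resolve(name: str) -> Optional[str]:
    """A lookup through the system resolver; NXDOMAIN (or any failure) -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def diagnose(expected: Optional[str], got: Optional[str]) -> str:
    """Explain a test-point result using the special codes from the FAQ."""
    if got == expected:
        return "ok"
    if got == "127.255.255.252":
        return "typing error in the DNSBL zone name"
    if got == "127.255.255.254":
        return "queries are going through a public resolver"
    if got == "127.255.255.255":
        return "excessive number of queries; the client is being rate-limited"
    if got is None:
        return "no answer: the zone is not reachable or the query never reached it"
    if not got.startswith("127.0.1."):
        return f"answer {got} is outside 127.0.1.0/24: the response was altered in transit"
    if expected is None:
        return f"never-listed name answered {got}: the resolver is returning wrong data"
    return f"unexpected answer {got}"


def dbl_self_test(resolve: Callable[[str], Optional[str]] = system_resolve
                  ) -> Dict[str, Tuple[bool, Optional[str], str]]:
    """Return {test point: (passed, answer, diagnosis)}."""
    results = {}
    for label, expected in TEST_POINTS.items():
        got = resolve(f"{label}.{DBL_ZONE}")
        results[label] = (got == expected, got, diagnose(expected, got))
    return results


def dbl_usable(resolve: Callable[[str], Optional[str]] = system_resolve) -> bool:
    """True only when every documented test point behaves as the FAQ says."""
    return all(passed for passed, _, _ in dbl_self_test(resolve).values())


def main() -> None:
    # Constructed answer tables standing in for live DNS.
    healthy = {
        "test.dbl.spamhaus.org": "127.0.1.2",
        "dbltest.com.dbl.spamhaus.org": "127.0.1.2",
    }
    # A public resolver answers every DBL query with 127.255.255.254.
    via_public = {f"{k}.{DBL_ZONE}": "127.255.255.254" for k in TEST_POINTS}
    for name, table in (("healthy", healthy), ("public resolver", via_public)):
        print(f"== {name}: usable={dbl_usable(table.get)}")
        for label, (ok, got, why) in dbl_self_test(table.get).items():
            print(f"  {label:12} {'PASS' if ok else 'FAIL'}  {got or 'NXDOMAIN':16} {why}")


if __name__ == "__main__":
    main()
```

Run dbl_usable() once at start-up and again periodically; a filter that silently loses its DBL answers (or starts getting 127.255.255.254 after a resolver change) otherwise degrades to "nothing is listed" without anyone noticing.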


Running SpamAssassin and Rspamd with Spamhaus data
We have developed our datasets with the goal of being as compatible as possible with existing software. The two biggest open source antispam projects are SpamAssassin and Rspamd.

To show the best way to use our data with these products, we have created two dedicated GitHub projects that contain the most up-to-date use cases. The projects contain instructions, rulesets and code to make the best of our DQS product, both in the free version and with the paid-for zones. NOTE: The DBL should not be used in versions of SpamAssassin prior to 3.3.1, because older versions of SpamAssassin make both IP and text queries to URI blocklists, and DBL is domain-only. Using it with older versions of SpamAssassin will produce unexpected results.



The DBL and Project Golden Shield


I am in China. Why is the DBL listing non-spam domains such as twitter.com, facebook.com or pinterest.com?
The DBL is not listing twitter.com, facebook.com, pinterest.com or other social network domains.

Network traffic entering or exiting China can be altered if it contains particular keywords or domains.
  • This is due to the policy set by the Golden Shield Project (also known as the Great Firewall of China), which is operated by the Chinese Ministry of Public Security (MPS).
  • The interference of the Chinese government's system has the following consequences for the DBL:
    • Spamhaus has servers located in China, to better serve our Chinese customers, but the DBL is not available on those servers. They are only used to answer queries about IP addresses (SBL, PBL, XBL).
    • Spamhaus users in China will get all DBL answers from servers located outside China, and it is possible the answers will be altered as described above.
    • It is therefore very important that all users in China validate our responses by having their software check that the A record is a valid one in the range 127.0.1.0-127.0.1.255.
    • Any other code is a result of the actions of the Golden Shield Project, and the queried domain is not listed by DBL.


© 1998-2020 The Spamhaus Project SLU. All rights reserved.