


Spamhaus SBL


DEFINITION: "Spamhaus BlockList" (SBL)

What is the SBL?

LISTED ON SBL Q&A

Listing Criteria for inclusion in the SBL
Removing an IP listed in the SBL Q&A
I am a system administrator. How can I remove my IP(s) from the SBL?

SBL USAGE QUESTIONS

How do I use the SBL?
What zone should my server or spam filter query?
How often is the SBL zone updated?
How does Spamhaus SBL organize network names?
Using SBL to block Apache websites
Can the SBL also block domains? What is "URIBL_SBL"?
Using SpamAssassin and Rspamd with Spamhaus data



DEFINITION: "Spamhaus BlockList" (SBL)


What is the SBL?
The Spamhaus Block List (SBL) is a realtime database of IP addresses of spam sources, including known spammers, spam gangs, spam operations and spam support services. SBL listings are made according to policies outlined in SBL Policy & Listing Criteria.

The database is maintained every day, around the clock, by Spamhaus Project team members around the world.




LISTED ON SBL Q&A


Listing Criteria for inclusion in the SBL

The criteria for listing IP addresses in the SBL are:

SBL Listing Criteria
  • Spam Sources: Sources of unsolicited bulk email identified by Spamhaus.
  • Snowshoe spam ranges: Snowshoe spam style configurations, particularly ranges and domains with poor or frequently changing identification.
  • Spam Hosting: IPs that host spam-advertised websites or other resources used by spammers or malware operations.
  • Spam Operations: Known spam or malware operations listed in the Spamhaus Register of Known Spam Operations (ROKSO).
  • Spam Services: IPs that host services that support spam or malware operations, including but not limited to:
    • Bulletproof hosting. DNS, web, mail or other services provided with either explicit or tacit actions not to disconnect customers who spam or engage in cybercrime.
    • Spamware. Sales or distribution of software whose main purpose is to aid in the sending of high volume unsolicited bulk email.
    • Scrapers. Sales or distribution of software whose main purpose is to automatically collect email addresses from web sites or whois records.
    • List providers. Providers of email lists without explicit, informed and prior consent.
    • Email appenders. Services that append email addresses to existing lists of names or companies.
  • Security Threats: Any IP address that is deemed to be a security risk to Spamhaus SBL users, including but not limited to:
    • Botnet controllers. IPs that host botnet command and control (C&C) servers.
    • Malware. IPs that host malware-infected websites or other resources that participate in any aspect of attempting to infect other computers, or extract data or personal information, without the knowledge or consent of their owners.
    • Phish sites. IPs that host fake login pages to bank and financial institution websites, customer email accounts, customer web hosting sites, VPNs, and other sites in an attempt to steal sensitive private information and/or login credentials.
    • Ransomware. IPs that host websites or other resources that participate in any aspect of holding user data for ransom by encrypting it and then demanding payment for the key to decrypt it ("Ransomware").
    • Hacking Attempts. IPs that are the source of attempts to crack passwords, scan for vulnerabilities, or other attempts to trespass on other computers without the knowledge or consent of their owners.


Removing an IP listed in the SBL Q&A
Is my IP listed in SBL?
  • First, check that your IP really is in SBL, or any other Spamhaus list, using the Blocklist Removal Center. Check your domain there, too. If it is listed, follow the links and instructions provided.
How do I get an IP removed from the SBL?
  • The criteria for removal from the SBL are explained on the SBL Delisting Procedure page.
  • Removals of Spamhaus listings are governed by our removals policy only. All removals from the SBL or ROKSO are the sole decision of The Spamhaus Project.
Removing IPs from the SBL as an end-user
  • If you are an end-user, please contact your system administrator, ISP, or ESP and ask them to address the problem.
Is there any fee for SBL removal?
  • There is never any charge or fee associated with removing any Spamhaus listing.
  • Any offer from anyone to remove any Spamhaus listing for a fee is a scam.
  • Spamhaus has no affiliation with anyone offering any 'blocklist removal' service, nor can any third party influence or expedite removals from any Spamhaus database.
When will my IP be removed from the SBL?

Once the abuse issue has been terminated, the ISP should request removal by sending a removal request to the SBL removal queue. This can be done by clicking the "contact the SBL Team" mailto link at the bottom of each SBL listing page.

Here is an example of one way of handling a general case of a spammer's dedicated account:
  • The server needs to be taken down or disconnected (unless it is a virtual or shared server);
  • Any DNS entries served by the ISP's main DNS servers for the SBL-listed customer should be cleared;
  • Any PTR entries need to be cleared or set back to defaults;
  • The ISP's MX server should no longer accept mail for the SBL-listed customer;
  • If the IP addresses were SWiP'd or in rWhois, they should be removed or a request for removal to the RIR should have been made.
NOTE: While there are deliverability consultants who can greatly help improve email sending practices, it is important to know that none of them have any special privilege to influence, expedite or modify SBL or ROKSO listings.


I am a system administrator. How can I remove my IP(s) from the SBL?
Removal requests must be sent by the Internet Service Provider in charge of the listed IP address(es). Therefore, from the system administrator's point of view, the process is as follows:
  • Consult the SBL listing page to understand what the spam problem is.
  • Solve the problem, making sure that it has been solved permanently.
  • Contact the Abuse/Security desk of your Internet provider, describe the situation and how the problem was solved (we always need to know how the problem was solved), and if they agree that the problem has been solved, ask them to send a removal request to the SBL Removals Team.
  • The removal procedure is described at the bottom of every SBL listing page.



SBL USAGE QUESTIONS


How do I use the SBL?
The Spamhaus Block List (SBL) is in a format intended to be used by the mail servers of ISPs or corporations.

The SBL can be used by almost all modern mail servers, by setting the mail server's anti-spam DNSBL feature (sometimes called "Blacklist DNS Servers" or "RBL servers") to query sbl.spamhaus.org.

  • Use of the SBL in query mode is free of charge for users with normal mail server traffic.
  • ISPs and corporate networks with heavy email traffic will need to use our Data Feed service.
  • End users who want SBL protection can ask their email provider if they use the SBL, and if not, ask them to implement it.
    • If this is not possible, end users can look for spam filtering software that is able to use "DNSBL" systems (sometimes called "Blacklist DNS Servers" or "RBL servers"). Most will have the SBL, ZEN, or the older SBL-XBL as a default or available as an option.
For greater spam filtering effectiveness, we recommend using ZEN, which is a combined zone that contains the complete SBL, XBL and PBL data. Your server can safely reject SMTP connections from any IP listed in ZEN by setting its DNSBL check to query only zen.spamhaus.org.
  • NOTE: If your application uses second-stage filtering such as URI checks or full header traversal, please check the following FAQs for further information and cautions.

We ask that all ISPs using our DNSBL zones inform their customers of the fact. Use of known-to-be-effective spam blocklists is normally seen as a service advantage and strong sales point.

  • All SBL, XBL and PBL users are welcome to use the "email protected by" SBL, XBL and PBL web badges on sites.
For information on how to configure a mail server to use sbl.spamhaus.org, please refer to the mail server documentation/manuals, call the software or MTA vendor, or ask a relevant IT department for help. Due to the vast diversity of mail servers in use, we cannot offer technical help with the use of the SBL.


What zone should my server or spam filter query?
The Spamhaus SBL can be queried at the DNS zone sbl.spamhaus.org.
  • Like other Spamhaus DNS zones, it has no 'A' record;
  • For information about the technicalities of deploying and using SBL (and other Spamhaus DNSBLs), there is an extensive FAQ.


How often is the SBL zone updated?
The SBL DNS zone is rebuilt and reloaded every 5 minutes, 24/7, to ensure that new spam problems are swiftly blocked and that fixed problems are swiftly removed.
  • To ensure high redundancy, Spamhaus has over 80 public DNSBL mirror servers located around the world.
  • All respond in realtime to public queries.


How does Spamhaus SBL organize network names?

SBL records include a field assigning each record to a network identity, usually a domain but sometimes a "NETNAME" if a domain is not used in the IP-whois record. Spamhaus uses the top-level assignment of IP addresses by a Regional Internet Registry (RIR) for those SBL names. SBL notifications and Spamhaus statistics are based on those network names.



Using SBL to block Apache websites
There is an Apache tool written by Luca Ercoli called mod_spamhaus that works for this.
  • Blocked users should be provided a way to see why they have been denied.
  • NOTE: This uses the SBL and not the XBL or PBL.
    • XBL contains dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited device.
    • The PBL just contains large ranges that should not send email directly to the internet. Please avoid blocking innocent users.
By default, the tool "mod_spamhaus" blocks only the POST, PUT, OPTIONS and CONNECT methods.
  • GET can be added to the list of methods blocked in /etc/apache2/mods-enabled/mod-spamhaus.conf to prevent miscreants from seeing your website (avoiding the harvesting of email addresses, DDoSing, etc).
  • The webpage "Using mod_spamhaus to block TOR in Apache" shows this sort of configuration.
On moderate-traffic websites, we strongly recommend a proper DNS caching system be used, and on high traffic sites our Data Feed Service must be implemented.
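
The query mechanics behind the zone questions above, together with the SBL-only advice for websites, shown as an added example (not Spamhaus code and not part of mod_spamhaus). The function names are hypothetical, and the return-code table reflects the codes Spamhaus publishes for its public zones, which this page does not list; replies in 127.255.255.0/24 are error codes, so the example reports them as "no-data" instead of treating them as a listing.

```python
import ipaddress
import socket

# Return codes published by Spamhaus for its public zones. They are not
# listed on this page, so verify them against the current DNSBL usage FAQ.
LIST_BY_LAST_OCTET = {2: "SBL", 3: "SBL", 9: "SBL",
                      4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
                      10: "PBL", 11: "PBL"}
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # query refused, not a listing

def query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed octets (or IPv6 nibbles) + zone."""
    pointer = ipaddress.ip_address(ip).reverse_pointer
    return pointer.rsplit(".", 2)[0] + "." + zone

def classify(answers):
    """Map the A records of one reply to the set of lists that matched."""
    lists = set()
    for text in answers:
        addr = ipaddress.ip_address(text)
        if addr in ERROR_NET:
            raise LookupError("DNSBL error code %s, not a listing" % addr)
        if addr not in ipaddress.ip_network("127.0.0.0/24"):
            raise LookupError("unexpected DNSBL answer %s" % addr)
        name = LIST_BY_LAST_OCTET.get(int(addr) & 0xFF)
        if name:
            lists.add(name)
    return lists

def decide(answers, purpose):
    """purpose 'smtp': any ZEN list rejects; 'web': only an SBL hit blocks."""
    try:
        lists = classify(answers)
    except LookupError:
        return "no-data"          # fail open; never treat an error as listed
    if purpose == "web":
        lists &= {"SBL"}          # per this FAQ: not XBL or PBL for websites
    return "reject" if lists else "accept"

def lookup(ip, zone="zen.spamhaus.org"):
    """Live query through the system resolver. NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname_ex(query_name(ip, zone))[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise
```

Only lookup() touches the network; the other functions work on A records you already hold, so the decision logic can be checked offline with constructed answers.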


Can the SBL also block domains? What is "URIBL_SBL"?
SpamAssassin includes rules for this purpose. They are URIBL_SBL and URIBL_SBL_A:
  • URIBL_SBL checks if the IP of the authoritative nameserver of a given domain is listed in the SBL.
  • URIBL_SBL_A checks if the IP of a given hostname is listed in the SBL.
    • URIBL_SBL_A was introduced in SpamAssassin 3.4.3.
Our SpamAssassin plugin retroactively enables SpamAssassin 3.4.0 and 3.4.1 to use the same rules.


Using SpamAssassin and Rspamd with Spamhaus data
We have developed our datasets with the goal of making them as compatible as possible with existing software. The two biggest open source antispam projects are SpamAssassin and Rspamd.

To show the best way to use our data with these products, we have created two dedicated GitHub projects. The projects contain instructions, rulesets, and code to make the most of our DQS product.



© 1998-2021 The Spamhaus Project SLU. All rights reserved.