Frequently Asked Questions relating to Spamhaus data

Don’t Route Or Peer (DROP) is an advisory “drop all traffic” list.

DROP is a tiny subset of the SBL which is designed for use by firewalls and routing equipment.

• The DROP list will not include any IP space allocated to a legitimate network and then reassigned – even if reassigned to confirmed spammers.
• DROP does include netblocks that have been hijacked or are leased by professional spam or cyber-crime operations and are used for dissemination of malware, trojan downloaders, botnet controllers, etc.
• DROP is composed of direct allocations from ARIN, RIPE, APNIC, LACNIC, or other Regional Internet Registries and “portable allocations” (known as “PI”) from RIPE.

Spamhaus strongly recommends the use of DROP by Tier-1 and backbone networks. Consulting the DROP list webpage when someone asks you to route some suspicious IPs can help avoid customers that will cause big problems on your network.

Update: eDROP data was combined into the DROP list on 10 April 2024 - learn more here.

Extended Don’t Route Or Peer (EDROP) is an extended version of the DROP list.

• EDROP includes netblocks controlled by professional spamming operations and cyber criminals, that are not directly allocated.
• Direct allocations will only be listed in DROP.
• EDROP only includes netblocks that are sub-allocations.

Spamhaus strongly recommends the use of EDROP by Tier-1 and backbone networks. Consulting the DROP list webpage when someone asks you to route some suspicious IPs can help avoid taking on customers that will cause big problems on your network.

DROP can be used by any appliance that has the ability to block or filter IP address ranges on their network.

The DROP list is also open for all to download and use, there is no fee for usage. Our requirements are simple:

• When used in a product, credit for the use must be given to The Spamhaus Project, and the date and copy text should remain with the file and data.

Please check regularly to ensure you have the latest version of the DROP list.

• The check and update should be automated. Importing this list into a network filter without regular updates can cause problems.
• The DROP list data should not be downloaded from our website more than once per day.

NOTE:

Most of the other Spamhaus data-sets (SBL, XBL, PBL) are designed for filtering during the SMTP connection.

• The DROP list is small in comparison and should not be considered a replacement for them.
• DROP can be used to enhance existing filtering and security measures.

For Internet Service Providers (ISPs) or organisations that can run the Border Gateway Protocol (BGP) on their border routers, Spamhaus offers DROP along with its botnet C&C list (BGPCC) as a BGP feed, with which any networking device can peer using the BGP procotol. More information about this service can be found on the Spamhaus BGPf page.

All the networks listed in DROP are also listed in the SBL list. A DNS lookup for SBL and ZEN does return a listed status for those networks.

• A 127.0.0.9 return code indicates listings in DROP.

Please DO NOT auto-fetch the DROP list more than once per hour!

The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases.

Automated downloads must be at least one hour apart.

NOTE: Excessive downloads may result in your IP being firewalled from the Spamhaus website.

Ranges in DROP are connected to the corresponding SBL record mentioned in the DROP file.

• Once the SBL record is removed, the ranges will automatically leave DROP.
• To request removal from ASN-DROP, you can use the IP and Domain Reputation Checker to search for the ASN, then follow the steps detailed.

If your router is a Cisco device and you don’t have BGP support on it (or don’t want to use it), you can also use a script called cisco-tools, developed by Marco d’Itri.

• The tool can be downloaded directly from his website.
• Every time cisco-tools is run by crontab, it will download the list and report if there are changes. When run interactively it will remove old entries and ask whether any new entry should be used or not.

Here is a short list of helpful links for various firewalls, web filters & proxies:

• On the OISF Community website: Suricata rules from Emerging Threats.
• Code in PHP to create IPTables.
• Here is a Bash script to sync the DROP list into a Quagga/Linux route server: spamhaus2quagga.sh.
• A script to add the DROP list into Linux iptables:spamhaus.sh.

NOTE: The data file & CIDR ranges may have to be manipulated for each system’s unique requirements.

USE AT YOUR OWN RISK!

For those who use PC routers, here’s a little Perl script to turn the CIDR blocks in the DROP list into Unix route commands. Different versions of route have slightly different syntax, so you need to pick the one that works with your version. Some versions of route take CIDR notation, others require netmasks, so un-comment the one that works for you. (Note the obvious perl one-liner to turn a bit number into a dotted quad.)

To make day-to-day changes, use -o oldfile where oldfile is the previous version, and it’ll give you just route delete and route add for the changes. This script is set up to fetch the current list and update once a day, which is frequent enough for nearly all networks, given the slow day-to-day churn and very conservative listing policy of the DROP list.

Please DO NOT auto-fetch the DROP list more than once per hour!

These are all old, but still useful. Use at your own discretion!

#!/usr/bin/perl 

# -\*- perl -\*-
use Getopt::Std; 
use strict; 
use vars qw{%nets $n $m $opt\_o};

getopts(‘o:’);
while(<>) { 
	if(($n, $m) = m{(\\d+\\.\\d+\\.\\d+\\.\\d+)/(\\d+)}) { 
    	# local sanity check 
        die “local network $n”
        
        if $n =~ /^127.|^208.31./;
        
        $nets{$n} = $m; 
    } else { 
    	print “#??? $\_\\n”; 
    } 
}

# do old thing here sometime 
if($opt\_o) { open(OLD, $opt\_o) or die “Cannot open $opt\_o $!”;</p> <p> while(<OLD>) { if(($n, $m) = m{(\\d+\\.\\d+\\.\\d+\\.\\d+)/(\\d+)}) { my $mask = join ‘.’,unpack “CCCC”, pack “N”, -1<<(32-$m);</p> <p> if(exists $nets{$n} and $nets{$n} == $m) { print “# exists route add -net $n/$m\\n”; delete $nets{$n}; } else { #print “route delete -net $n -netmask $mask\\n”; print “route delete -net $n/$m\\n”; } } else { print “#??? $\_\\n”; } } close OLD; }</p> <p>while(($n, $m) = each %nets) { my $mask = join ‘.’,unpack “CCCC”, pack “N”, -1<<(32-$m);</p> <p> #print “route add -net $n -netmask $m 127.1 -blackhole # m\\n”; print “route add -net $n/$m 127.1 -blackhole\\n”;</p> <p>}

Here’s the code for using DROP in Linux firewalls:

#!/bin/bash
#Script to add firewall rules to a linux system to completely block
#all traffic to and from networks in the spamhaus drop list.
#Copyright 2009, William Stearns, wstearns@pobox.com
#Released under the GPL. This and other tools can be found at
#http://www.stearns.org/
#Sole (optional) command line parameter is the file location of the
#drop list, such as:
#cd /var/lib/
#wget http://www.spamhaus.org/drop/drop.lasso
# ./spamhaus-drop /var/lib/drop.lasso
#While the DROP file should be regularly updated, this should
#probably be about once per day or less frequently; do _not_
#download DROP more than once an hour.
if [ -n “$1″ ]; 
then DropList=”$1″
else DropList=”./drop.lasso”
fi

if [ ! -s “$DropList” ]; then
echo “Unable to find drop list file $DropList . Perhaps do:” >&2
echo “wget http://www.spamhaus.org/drop/drop.lasso -O $DropList”
echo “exiting.” >&2
exit 1
fi
if [ ! -x /sbin/iptables ]; then
echo “Missing iptables command line tool, exiting.” >&2
exit 1
fi
cat “$DropList”
| sed -e 's/;.*//'
| grep -v '^ *$'
| while read OneNetBlock ; do
/sbin/iptables -I INPUT -s “$OneNetBlock” -j DROP
/sbin/iptables -I OUTPUT -d “$OneNetBlock” -j DROP
/sbin/iptables -I FORWARD -s “$OneNetBlock” -j DROP
/sbin/iptables -I FORWARD -d “$OneNetBlock” -j DROP
done

Bill Stearns also provides this tcpdump command line. It’s tested on Linux and probably works in any Unix/Posix environment, including Cygwin on Windows. A tcpdump error message “Warning: Kernel filter failed: Cannot allocate memory” seems to indicate that the filter can’t fit in kernel memory, and it appears that tcpdump then switches over to filtering in userspace.

tcpdump -tnp \`cat /var/lib/drop.lasso 
| sed -e 's/;.\*//' 
| grep -v '^ \*$' 
| ( read OneAddr ; echo -n "net $OneAddr" ; while read OneAddr ; do echo -n " or net $OneAddr" ; done ; echo )\`

Here is a script that converts the DROP list into Qmail’s tcpserver blacklist:

#!/usr/bin/perl 
#
# This script converts CIDR notation from STDIN or specified files to 
# the format used for generating tcpserver’s blacklist.  
#
# Usage example:  
#
# Add this cronjob: 
# 0 0 \* \* \* /usr/bin/wget http://www.spamhaus.org/drop/drop.lasso -O- 2>/dev/null|/usr/bin/drop2blacklist.pl >/etc/tcp.smtp.droplist  
#
# Then generate your tcpserver’s CDB files as follow (or modify qmailctl as needed): 
#
# cat /etc/tcp.smtp /etc/tcp.smtp.droplist|tcprules /etc/tcp.smtp.cdb /etc/.tcp.smtp.tmp 
# chmod 644 /etc/tcp.smtp.cdb 
# 
# 
# Author: Thomas Guyot-Sionnest <tguyot@gmail.com> 
# This script has been released into the public domain. 
# This script comes with absolutely no warranty. 

use strict; 
use warnings; 
use Net::IP;
# Make this an empty string to remove the trailing dot 
my $dot = ‘.’;
while (<>) { 
next if (m/^\\s\*(?:;.\*)?$/); 
s/\\s\*;.\*//; 
my $ip = Net::IP->new($\_) or die (“Invalid IP Address: ‘$\_’\\n”); 
die (“IPv6 not supported\\n”) if ($ip->version() != 4); 
print map { “$\_:deny\\n” } rangeexpand($ip->ip(), $ip->last\_ip()); 
}</p> <p>
sub rangeexpand { 
my $lowr = shift; 
my $highr = shift;</p> <p> 
return ipexpand(split(/\\./, “$lowr.$highr”)); 
}</p> <p>
sub ipexpand { 
my @low = splice(@\_,0,4); 
my @high = splice(@\_,0,4);</p> <p> 
my @list; 
if ($low\[0\] != $high\[0\]) { 
push(@list, ipexpand(@low,$low\[0\],255,255,255)); 
for (my $i=$low\[0\]+1; $i<$high\[0\]; $i++) { 
push(@list, ipexpand($i,0,0,0,$i,255,255,255)); 
} 
push(@list,ipexpand($high\[0\],0,0,0,@high)); 
} elsif ($low\[1\] != $high\[1\]) { 
if ($low\[1\] == 0 && $high\[1\] == 255) { 
push(@list,”$low\[0\]$dot”); 
} else { 
push(@list,ipexpand(@low,$low\[0\],$low\[1\],255,255)); 
for (my $i=$low\[1\]+1; $i<$high\[1\]; $i++) { 
push(@list,ipexpand($low\[0\],$i,0,0,$low\[0\],$i,255,255)); 
} 
push(@list,ipexpand($high\[0\],$high\[1\],0,0,@high)); 
} 
} elsif ($low\[2\] != $high\[2\]) { 
if ($low\[2\] == 0 && $high\[2\] == 255) { 
push(@list,”$low\[0\].$low\[1\]$dot”); 
} else { 
push(@list,ipexpand(@low,$low\[0\],$low\[1\],$low\[2\],255)); 
for (my $i=$low\[2\]+1; $i<$high\[2\]; $i++) { 
push(@list,ipexpand($low\[0\],$low\[1\],$i,0,$low\[0\],$low\[1\],$i,255)); 
} 
push(@list,ipexpand($high\[0\],$high\[1\],$high\[2\],0,@high)); 
} 
} elsif ($low\[3\] != $high\[3\]) { 
if ($low\[3\] == 0 && $high\[3\] == 255) { 
push(@list,”$low\[0\].$low\[1\].$low\[2\]$dot”); 
} else { 
push(@list,map { “$low\[0\].$low\[1\].$low\[2\].$\_” } $low\[3\]..$high\[3\]); } 
} else { 
push(@list,”$low\[0\].$low\[1\].$low\[2\].$low\[3\]”); }</p> <p> return @list 
}

If you are a long term user of the text (.txt) DROP files a jq command can be used to convert the JSON file:

DROP

tail -1 drop_v4.json | jq -r '"; Spamhaus DROP List \(.timestamp | strftime("%Y/%m/%d")) - \(.copyright)\n; https://www.spamhaus.org/drop/drop_v4.json\n; Last-Modified: \(.timestamp | strftime("%a, %d %b %Y %H:%M:%S UTC"))\n; Expires: \(.timestamp+93600 | strftime("%a, %^C%b %Y %H:%M:%S UTC"))"' > drop.txt 
jq -r 'select(.type == null) | (.cidr) + " ; " + (.sblid)' drop_v4.json >> drop.txt 
echo "; EOF" >> drop.txt

DROPv6

tail -1 drop_v6.json | jq -r '"; Spamhaus IPv6 DROP List \(.timestamp | strftime("%Y/%m/%d")) - \(.copyright)\n; https://www.spamhaus.org/drop/drop_v6.json\n; Last-Modified: \(.timestamp | strftime("%a, %d %b %Y %H:%M:%S UTC"))\n; Expires: \(.timestamp+93600 | strftime("%a, %^C%b %Y %H:%M:%S UTC"))"' > dropv6.txt 
jq -r 'select(.type == null) | (.cidr) + " ; " + (.sblid)' drop_v6.json >> dropv6.txt 
echo "; EOF" >> dropv6.txt

A “hijacked” or a “zombie” netblock is a block of IPs that have been “brought back from the dead”, often by a spammer:

• The original owner of the block leaves it derelict for any number of reasons.
• Squatters then reclaim it with various ploys. This may include registering an abandoned domain name to accept email for the domain contact, printing false letterhead, or doing some social engineering over the telephone.
• Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their BGP Autonomous System Number.
• Autonomous Systems Numbers can be hijacked as well. Abandoned ASNs are taken by a spammer or spammer’s supplier to announce various IP ranges, so it’s possible to have a hijacked netblock advertised by a hijacked ASN!

Hijacked netblocks can be found in ranges assigned by every Regional Internet Registry (RIR).

Restoring the proper ownership of a hijacked netblock means finding the original owner – which is often a dissolved company – and jumping through RIR hoops. It’s a slow and laborious process, important but not suitable to stopping today’s spam.

The peering/transit arrangements for these netblocks changes very quickly.

• Spamhaus lists the entire hijacked netblock in the SBL, categorized by RIR, and then provides additional pointer records for networks carrying the traffic for that netblock.
• While such records are often only a single router’s IP address, the record will indicate the greater problem and the full range of IPs.
• Spamhaus may also provide additional SBL records within a hijacked netblock because SWiPs or single IPs within the netblock are assigned to different spammers.
  • These can serve as pointers to the upstream, as the block is sometimes SWiPed as portable subnets. Each spammer is then left to find their own transit.

Many of these hijacked netblocks find their way into a ROKSO record specifically for them. Spamhaus lists entire hijacked networks. Some of these netblocks are known to be controlled by a particular spammer and are thus listed under that spammer’s ROKSO records.

Other good uses for DROP include:

• Logging customer queries for DNS servers in any DROP-listed IP space. This is a very good way to discover which are infected with malware.
• Vetting new transit customers proposed IP ranges against DROP; those ranges are often looking for new routing options.
• Scoring DROP ranges extra high in such software as SpamAssassin.
• Using DROP ranges in a DNS RPZ zone to invalidate lookups in these ranges. The Spamhaus Technology website offers more information on using DROP in a DNS Firewall Threat Feed.

The DROP list contains IP ranges which are so dangerous to internet users that Spamhaus provides it to anyone who wants to use it, free of charge. Spamhaus believes that due to the vital nature of the DROP list data, it should be available at no cost to anyplace, regardless of size or business type, to protect internet users.

Yes. DROP listings are re-evaluated on a daily basis. Many factors can trigger changes to listings, including contact with involved parties, observation or notification of false positives, automatically detected network reassignments, and more.

eDROP data was combined into the DROP list on 10 April 2024. You will still benefit from this protection by ensuring your set up is configured to utilize DROP list alone.

To understand why this update was made, read here https://www.spamhaus.org/resource-hub/network-security/spamhaus-drop-and-edrop-to-become-a-single-list/

The Spamhaus DROP (Don’t Route Or Peer) list contains autonomous system numbers (ASNs) that are hijacked or leased by professional spam or cyber-crime operations and used for dissemination of malware, trojan downloaders, botnet controllers, etc, and send no legitimate traffic.

ASNs are listed on the ASN-DROP list if they meet the criteria for inclusion in it: if we are observing them to have been hijacked or leased by professional spam or cyber-crime operations.

To request removal from ASN-DROP, you can use the IP and Domain Reputation Checker to search for the ASN, then follow the steps detailed.