The Spamhaus Project - Frequently Asked Questions (FAQ)

Don't Route Or Peer (DROP) is an advisory "drop all traffic" list. DROP is a tiny subset of the SBL which is designed for use by firewalls and routing equipment.

The DROP list will not include any IP space allocated to a legitimate network and then reassigned - even if reassigned to confirmed spammers.
DROP does include netblocks that have been hijacked or are leased by professional spam or cyber-crime operations and are used for dissemination of malware, trojan downloaders, botnet controllers, etc.
DROP is composed of direct allocations from ARIN, RIPE, APNIC, LACNIC, or other Regional Internet Registries and "portable allocations" (known as "PI") from RIPE.

Spamhaus strongly recommends the use of DROP by Tier-1 and backbone networks. Consulting the DROP list webpage when someone asks you to route some suspicious IPs can help avoid customers that will cause big problems on your network.

What is EDROP?

Extended Don't Route Or Peer (EDROP) is an extended version of the DROP list.

EDROP includes netblocks controlled by professional spamming operations and cyber criminals that are not directly allocated.
EDROP only includes netblocks that are sub-allocations.
Direct allocations will only be listed in DROP.

Spamhaus strongly recommends the use of EDROP by Tier-1 and backbone networks. Consulting the DROP list webpage when when someone asks you to route some suspicious IPs can help avoid customers that will cause big problems on your network.

DROP USAGE QUESTIONS

Who should use the DROP / EDROP list?

DROP & EDROP can be used by any appliance that has the ability to block or filter IP address ranges on their network.

The DROP list is also open for all to download and use, the is no fee for usage. The only things we require are that:

When used in a product, credit for the use must be given to The Spamhaus Project, and the date and © text should remain with the file and data.

Please check regularly to ensure you have the latest version of the DROP list.

The check and update should be automated. Importing this list into a network filter without regular updates can cause problems.
The DROP list data should not be downloaded from our website more than once per day.

NOTE: Most of the other Spamhaus data-sets (SBL, XBL, PBL) are designed for filtering during the SMTP connection.

The DROP list is small in comparison and should not be considered a replacement for them.
DROP/EDROP can be used to enhance existing filtering and security measures.

For Internet Service Providers (ISPs) or organisations that can run the Border Gateway Protocol (BGP) on their border routers, Spamhaus offers DROP and EDROP along with its botnet C&C list (BGPCC) as BGP feed, with which any networking device peer using the BGP procotol. More information about this service can be found on the Spamhaus BGPf page.

Are DROP and EDROP also available via DNS lookups?
	All the networks listed in DROP and EDROP are also listed in the SBL list. A DNS lookup for SBL and ZEN does return a listed status for those networks. A 127.0.0.9 return code indicates listing in DROP or in EDROP.

How often should my system fetch the DROP / EDROP list?
	Please DO NOT auto-fetch the DROP / EDROP list more than once per hour! The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled from the Spamhaus website.

How can I remove a range or ASN from DROP, EDROP or ASNDROP?
	Ranges in DROP and EDROP are connected to the corresponding SBL record mentioned in the DROP and EDROP files. Once the SBL record is removed, the ranges will automatically leave DROP/EDROP. For ASN-DROP removals, please write to asn-drop@spamhaus.org.

Can I use DROP on my Cisco router, or other firewalls, web filters & proxies?

If your router is a Cisco device and you don't have BGP support on it (or don't want to use it), you can also use a script called cisco-tools, developed by Marco d'Itri.

The tool can be downloaded directly from his website.
Every time cisco-tools is run by crontab, it will download the list and report if there are changes. When run interactively it will remove old entries and ask whether any new entry should be used or not.

A short list of helpful links for various firewalls, web filters & proxies:

On the OISF Community website: Suricata rules from Emerging Threats.
Code in PHP to create IPTables.
Putting the Spamhaus DROP list in FreeBSD’s ipfw.
Here is a Bash script to sync the DROP/EDROP lists into a Quagga/Linux route server: spamhaus2quagga.sh.
A script to add the DROP list into Linux iptables:spamhaus.sh.

NOTE: The data file & CIDR ranges may have to be manipulated for each system's unique requirements. Some of these scripts are older, and do not also fetch and use the newer eDROP data. In such cases, a modification to add this should be implemented.

Can DROP be used on other operating systems?

For those who use PC routers, here's a little Perl script to turn the CIDR blocks in the DROP list into Unix route commands. Different versions of route have slightly different syntax, so you need to pick the one that works with your version. Some versions of route take CIDR notation, others require netmasks, so un-comment the one that works for you. (Note the obvious perl one-liner to turn a bit number into a dotted quad.)

To make day-to-day changes, use -o oldfile where oldfile is the previous version, and it'll give you just route delete and route add for the changes. This script is set up to fetch the current list and update once a day, which is frequent enough for nearly all networks, given the slow day-to-day churn and very conservative listing policy of the DROP list.

Please DO NOT auto-fetch the DROP list more than once per hour!

Usual disclaimers...use at your own discretion!

#!/usr/bin/perl
# -*- perl -*-

use Getopt::Std;
use strict;
use vars qw{%nets $n $m $opt_o};

getopts('o:');

while(<>) {
    if(($n, $m) = m{(\d+\.\d+\.\d+\.\d+)/(\d+)}) {
	# local sanity check
	die "local network $n" if $n =~ /^127.|^208.31./;

$nets{$n} = $m;
    } else {
	print "#??? $_\n";
    }
}

# do old thing here sometime
if($opt_o) {
    open(OLD, $opt_o) or die "Cannot open $opt_o $!";

while(<OLD>) {
	if(($n, $m) = m{(\d+\.\d+\.\d+\.\d+)/(\d+)}) {
	    my $mask = join '.',unpack "CCCC", pack "N", -1<<(32-$m);

if(exists $nets{$n} and $nets{$n} == $m) {
		print "# exists route add -net $n/$m\n";
		delete $nets{$n};
	    } else {
		#print "route delete -net $n -netmask $mask\n";
		print "route delete -net $n/$m\n";
	    }
	} else {
	    print "#??? $_\n";
	}
    }
    close OLD;
}

while(($n, $m) = each %nets) {
    my $mask = join '.',unpack "CCCC", pack "N", -1<<(32-$m);

#print "route add -net $n -netmask $m 127.1 -blackhole # m\n";
    print "route add -net $n/$m 127.1 -blackhole\n";

}

This site has a shell script for putting the Spamhaus DROP list in FreeBSD's ipfw.

Here's the code for using DROP in Linux firewalls:

#!/bin/bash

#Script to add firewall rules to a linux system to completely block
#all traffic to and from networks in the spamhaus drop list.

#Copyright 2009, William Stearns, wstearns@pobox.com
#Released under the GPL.  This and other tools can be found at
#http://www.stearns.org/

#Sole (optional) command line parameter is the file location of the
#drop list, such as:

#cd /var/lib/
#wget http://www.spamhaus.org/drop/drop.lasso
# ./spamhaus-drop /var/lib/drop.lasso

#While the DROP file should be regularly updated, this should 
#probably be about once per day or less frequently; do _not_ 
#download DROP more than once an hour.

if [ -n "$1" ]; then
	DropList="$1"
else
	DropList="./drop.lasso"
fi
if [ ! -s "$DropList" ]; then
	echo "Unable to find drop list file $DropList .  Perhaps do:" >&2
	echo "wget http://www.spamhaus.org/drop/drop.lasso -O $DropList"
	echo "exiting." >&2
	exit 1
fi

if [ ! -x /sbin/iptables ]; then
	echo "Missing iptables command line tool, exiting." >&2
	exit 1
fi

cat "$DropList" \
 | sed -e 's/;.*//' \
 | grep -v '^ *$' \
 | while read OneNetBlock ; do
	/sbin/iptables -I INPUT -s "$OneNetBlock" -j DROP
	/sbin/iptables -I OUTPUT -d "$OneNetBlock" -j DROP
	/sbin/iptables -I FORWARD -s "$OneNetBlock" -j DROP
	/sbin/iptables -I FORWARD -d "$OneNetBlock" -j DROP
done

Bill Stearns also provides this tcpdump command line. It's tested on Linux and probably works in any Unix/Posix environment, including Cygwin on Windows. A tcpdump error message "Warning: Kernel filter failed: Cannot allocate memory" seems to indicate that the filter can't fit in kernel memory, and it appears that tcpdump then switches over to filtering in userspace.

tcpdump -tnp `cat /var/lib/drop.lasso | sed -e 's/;.*//' | grep -v '^ *$' | ( read OneAddr ; echo -n "net $OneAddr" ; while read OneAddr ; do echo -n " or net $OneAddr" ; done ; echo )`

Here is a script that converts the DROP list into Qmail's tcpserver blacklist:

#!/usr/bin/perl
#
# This script converts CIDR notation from STDIN or specified files to
# the format used for generating tcpserver's blacklist.
#
# Usage example:
#
# Add this cronjob:
#   0 0 * * * /usr/bin/wget http://www.spamhaus.org/drop/drop.lasso -O- 2>/dev/null|/usr/bin/drop2blacklist.pl >/etc/tcp.smtp.droplist
#
# Then generate your tcpserver's CDB files as follow (or modify qmailctl as needed):
#   cat /etc/tcp.smtp /etc/tcp.smtp.droplist|tcprules /etc/tcp.smtp.cdb /etc/.tcp.smtp.tmp
#   chmod 644 /etc/tcp.smtp.cdb
#
#
# Author: Thomas Guyot-Sionnest <tguyot@gmail.com>
# This script has been released into the public domain.
# This script comes with absolutely no warranty.
#

use strict;
use warnings;
use Net::IP;

# Make this an empty string to remove the trailing dot
my $dot = '.';

while (<>) {
	next if (m/^\s*(?:;.*)?$/);
	s/\s*;.*//;
	my $ip = Net::IP->new($_) or die ("Invalid IP Address: '$_'\n");
	die ("IPv6 not supported\n") if ($ip->version() != 4);
	print map { "$_:deny\n" } rangeexpand($ip->ip(), $ip->last_ip());
}

sub rangeexpand {
	my $lowr = shift;
	my $highr = shift;

return ipexpand(split(/\./, "$lowr.$highr"));
}

sub ipexpand {
	my @low = splice(@_,0,4);
	my @high = splice(@_,0,4);

my @list;
	if ($low[0] != $high[0]) {
		push(@list, ipexpand(@low,$low[0],255,255,255));
		for (my $i=$low[0]+1; $i<$high[0]; $i++) {
			push(@list, ipexpand($i,0,0,0,$i,255,255,255));
		}
		push(@list,ipexpand($high[0],0,0,0,@high));
	} elsif ($low[1] != $high[1]) {
		if ($low[1] == 0 && $high[1] == 255) {
			push(@list,"$low[0]$dot");
		} else {
			push(@list,ipexpand(@low,$low[0],$low[1],255,255));
			for (my $i=$low[1]+1; $i<$high[1]; $i++) {
				push(@list,ipexpand($low[0],$i,0,0,$low[0],$i,255,255));
			}
			push(@list,ipexpand($high[0],$high[1],0,0,@high));
		}
	} elsif ($low[2] != $high[2]) {
		if ($low[2] == 0 && $high[2] == 255) {
			push(@list,"$low[0].$low[1]$dot");
		} else {
			push(@list,ipexpand(@low,$low[0],$low[1],$low[2],255));
			for (my $i=$low[2]+1; $i<$high[2]; $i++) {
				push(@list,ipexpand($low[0],$low[1],$i,0,$low[0],$low[1],$i,255));
			}
			push(@list,ipexpand($high[0],$high[1],$high[2],0,@high));
		}
	} elsif ($low[3] != $high[3]) {
		if ($low[3] == 0 && $high[3] == 255) {
			push(@list,"$low[0].$low[1].$low[2]$dot");
		} else {
			push(@list,map { "$low[0].$low[1].$low[2].$_" } $low[3]..$high[3]);
		}
	} else {
		push(@list,"$low[0].$low[1].$low[2].$low[3]");
	}

return @list
}

DROP/EDROP Q&A

What are "hijacked netblocks"?

A "hijacked" or a "zombie" netblock is a block of IPs that have been brought back from the dead, often by a spammer:

The original owner of the block leaves it derelict for any number of reasons.
Squatters then reclaim it with various ploys. including registering an abandoned domain name to accept email for the domain contact, printing false letterhead, or doing some social engineering over the telephone.
Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their BGP Autonomous System Number.
- Autonomous Systems Numbers can be hijacked as well. Abandoned ASNs are taken by a spammer or spammer's supplier to announce various IP ranges, so it's possible to have a hijacked netblock advertised by a hijacked ASN!

Hijacked netblocks can be found in ranges assigned by every Regional Internet Registry (RIR). Restoring the proper ownership of a hijacked netblock means finding the original owner - which is often a dissolved company - and jumping through RIR hoops. It's a slow and laborious process, important but not suitable to stopping today's spam.

The peering/transit arrangements for these netblocks changes very quickly.

Spamhaus lists the entire hijacked netblock in the SBL, categorized by RIR, and then provides additional pointer records for networks carrying the traffic for that netblock.
While such records are often only a single router's IP address, the record will indicate the greater problem and the full range of IPs.
Spamhaus may also provide additional SBL records within a hijacked netblock because SWiPs or single IPs within the netblock are assigned to different spammers.
- These can serve as pointers to the upstream, as the block is sometimes SWiPed as portable subnets. Each spammer is then left to find their own transit.

Many of these hijacked netblocks find their way into a ROKSO record specifically for them. Spamhaus lists entire hijacked networks. Some of these netblocks are known to be controlled by a particular spammer and are thus listed under that spammer's ROKSO records.

What else can ISPs use DROP for?

Other good uses for DROP & EDROP incude:

Logging customer queries for DNS servers in any DROP-listed IP space is a very good way to discover which are infected with malware.
Vetting new transit customers proposed IP ranges against DROP; those ranges are often looking for new routing options.
Scoring DROP ranges extra high in such software as SpamAssassin.
Using DROP ranges in a DNS RPZ zone to invalidate lookups in these ranges. The Spamhaus Technology website offers more information on using DROP in a DNS Firewall Threat Feed.

The DROP list is free for any use, how can it be any good?
	The DROP list contains IP ranges which are so dangerous to internet users that Spamhaus provides it to anyone who wants to use it, free of charge. Spamhaus believes that due to the vital nature of the DROP list data, it should be available at no cost to anyplace, regardless of size or business type, to protect internet users.