Frequently Asked Questions relating to Spamhaus data
Frequently asked questions relating to our data and research.
Categories
- Botnet Controller (BCL)
- Commercial Data
- Consumer
- CSS Blocklist (CSS)
- DNSBL Usage
- Domain Blocklist (DBL)
- DROP
- Exploits Blocklist (XBL)
- General Definitions
- General Questions
- Hacked - General Help
- Hash Blocklist (HBL)
- ISP General Questions
- Legal Questions
- Malware Questions
- Marketing Email
- Media Enquiries
- Online Scams
- Organization
- Policy Blocklist (PBL)
- Port 25 General Questions
- Reputation Statistics
- ROKSO
- Spamhaus Blocklist (SBL)
- Zero Reputation Domain (ZRD)
General Definitions
The word "Spam" as applied to Email means "Unsolicited Bulk Email".
Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.
A message is Spam only if it is both Unsolicited and Bulk.
Unsolicited Email on its own is normal email (examples: first contact enquiries, job enquiries, sales enquiries).
Bulk Email on its own is normal email (examples: subscriber newsletters, customer communications, discussion lists).
Technical Definition of Spam
An electronic message is "spam" if (A) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (B) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent.
Understanding the Spam Issue
Spam is an issue about consent, not content. Whether the Unsolicited Bulk Email ("UBE") message is an advert, a scam, porn, a begging letter or an offer of a free lunch, the content is irrelevant - if the message was sent unsolicited and in bulk then the message is spam.
Spam is not a sub-set of UBE, it is not "UBE that is also a scam or that doesn't contain an unsubscribe link". All email sent unsolicited and in bulk is Spam.
This distinction is important because legislators spend inordinate amounts of time attempting to regulate the content of spam messages, and in doing so come up against free speech issues, without realizing that the spam issue is solely about consent.
Various jurisdictions have implemented legislation to control what they call "spam". One particular example is US S.877, the CAN-SPAM Act of 2003, in force since 1 January 2004. Each law addresses "spam" in a different way and, as a consequence, often has a different definition of what it covers, whether or not it uses the word "spam". Spamhaus uses the industry standard definition "Unsolicited Bulk Email", which underlines that "it's not about content, it's about consent". As such, arguments as to whether Unsolicited Bulk Email messages are covered under CAN-SPAM, or are compliant with CAN-SPAM, are entirely irrelevant to whether they are spam.
Important facts about Unsolicited Bulk Email:
- The sending of Unsolicited Bulk Email ("UBE") is prohibited by the terms of service of Internet service providers worldwide.
- Spamhaus's anti-spam blocklist, the SBL, used by more than 3 billion Internet users, is based on the internationally accepted definition of Spam as "Unsolicited Bulk Email". Therefore anyone sending UBE on the Internet, regardless of whether the content is commercial or not, illegal or not, is a sender of spam - and thus a spammer. All senders of UBE need to be fully aware that (A) they are breaking their ISP's Terms of Business contract and will lose their Internet accounts and access if they send UBE, and (B) they will be placed on the Spamhaus Blocklist (SBL) if they send UBE.
A ‘botnet controller,’ ‘botnet C2,’ or ‘botnet command & control’ server is commonly abbreviated to ‘botnet C&C.’ Fraudsters use these to control malware-infected machines (bots) and extract personal and valuable data from malware-infected victims.
Botnet C&Cs play a vital role in operations conducted by cybercriminals who are using infected machines to send out spam or ransomware, launch DDoS attacks, commit e-banking fraud or click fraud, or mine cryptocurrencies such as Bitcoin.
Desktop computers and mobile devices such as smartphones are not the only machines that can become infected. An increasing number of other devices are connected to the internet, for example Internet of Things (IoT) devices such as webcams and network attached storage (NAS), among many others; these are also at risk of being infected and enrolled in a botnet.
A blocklist is a database containing IP addresses, domains, or hashes. These lists are compiled by specialist research teams who have observed the listed internet resources to be either:
- Directly involved in malicious behavior, e.g., sending spam, distributing malware, hosting botnets, hosting phishing websites, etc., or
- Having a bad reputation associated with them.
Published as a DNS zone (a DNSBL), a blocklist can be queried in real time by anyone managing their own email infrastructure to filter potentially malicious email.
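The DNS zone mechanism above is how a mail server actually consults a blocklist: it reverses the octets (or, for IPv6, the hex nibbles) of the connecting IP, appends the zone name, and asks for an A record; NXDOMAIN means "not listed", while a 127.0.0.x answer encodes which sub-list hit. The following is an added example written for this FAQ, not Spamhaus's own code or client. The zone name zen.spamhaus.org is Spamhaus's public zone; the return-code meanings in ZEN_CODES and ZEN_ERRORS are an assumption taken from Spamhaus's published documentation at the time of writing and should be checked against the current documentation. The function names, the injectable resolve callback and the FAKE_ANSWERS table are all mine; the fake answers are constructed so that the example runs offline.

```python
"""DNSBL lookup against a Spamhaus-style zone (added example, not Spamhaus code)."""
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Public zone name as published by Spamhaus. The meaning of each return code
# below is an assumption based on Spamhaus's documentation at the time of
# writing; verify against the current documentation before relying on it.
ZEN_ZONE = "zen.spamhaus.org"
ZEN_CODES = {
    "127.0.0.2": "SBL (Spamhaus Blocklist)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised sender)",
    "127.0.0.4": "XBL (exploited host)",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP-maintained policy range)",
    "127.0.0.11": "PBL (Spamhaus-maintained policy range)",
}
# Error codes report a problem with the query itself, never a listing.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came via a public/open resolver (access denied)",
    "127.255.255.255": "excessive query volume",
}

# A resolver maps a query name to its A record, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(address: str, zone: str = ZEN_ZONE) -> str:
    """Build the query name: reversed octets (IPv4) or reversed nibbles (IPv6), then the zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # 32 hex nibbles, one label each
    return ".".join(labels) + "." + zone


def classify(answer: Optional[str]) -> Tuple[str, str]:
    """Interpret an A-record answer as ("not_listed" | "listed" | "error", detail)."""
    if answer is None:
        return ("not_listed", "NXDOMAIN")
    if answer in ZEN_ERRORS:
        return ("error", ZEN_ERRORS[answer])
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        # A non-loopback answer means something rewrote the response (for
        # example a resolver that redirects NXDOMAIN); never treat it as a listing.
        return ("error", "unexpected non-loopback answer " + answer)
    return ("listed", ZEN_CODES.get(answer, "unknown sub-list code " + answer))


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the local stub resolver. NXDOMAIN (and, caveat, a timeout) -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(address: str, zone: str = ZEN_ZONE, resolve: Resolver = system_resolve) -> Tuple[str, str]:
    """Full check for one IP: build the name, query it, decode the answer."""
    return classify(resolve(dnsbl_query_name(address, zone)))


def zone_sanity_check(zone: str = ZEN_ZONE, resolve: Resolver = system_resolve) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    If this fails, the zone is unreachable, misspelled, or the resolver path is
    rejected; a mail server should alarm rather than silently fail open."""
    return (lookup("127.0.0.2", zone, resolve)[0] == "listed"
            and lookup("127.0.0.1", zone, resolve)[0] == "not_listed")


# Constructed sample answers standing in for real DNS responses so the example
# runs offline; 192.0.2.0/24 is documentation address space.
FAKE_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",        # RFC 5782 test point
    "1.2.0.192.zen.spamhaus.org": "127.0.0.4",        # an "infected host" listing
    "2.2.0.192.zen.spamhaus.org": "127.255.255.254",  # query rejected, not a listing
}

if __name__ == "__main__":
    assert zone_sanity_check(resolve=FAKE_ANSWERS.get)
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "2001:db8::1"):
        print(ip, "->", dnsbl_query_name(ip), lookup(ip, resolve=FAKE_ANSWERS.get))
```

To query the live zone, call `lookup("192.0.2.1")` with the default system resolver from a host whose DNS goes through its own (non-public) resolver; run `zone_sanity_check()` at startup and on a timer, because a zone that answers nothing looks identical to "no IP is ever listed".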
An IP address is a network address for your computer so the Internet knows where to send you data, including emails. For a more technical overview of what an IP is, see Wikipedia.
A domain name is a unique, human-readable name that resolves to an IP address and is used to reach websites and other internet resources. For example, the domain name of The Spamhaus Project is "spamhaus.org."
Every website has a domain name that serves as its address and is used to access the website. For a more technical overview of what a domain is, please see Wikipedia.
The term “Initial Access Brokers” (IABs) refers to threat actors who operate in groups trying to breach corporate networks. They use various tactics, techniques, and procedures (TTPs) to achieve their goals.
Once they have penetrated a network, they ascertain key facts about it, for example its location, size, and industry, which lets them put a price on the access they hold. The broker then negotiates with potential buyers who want to purchase access to the victim's network.
A TLD is the last label of a domain name, i.e., everything that follows the final dot in the host name (before any "path" in a URL), as shown in the diagram below:
The Internet Corporation for Assigned Names and Numbers (ICANN) has authority over all TLDs used on the internet, and it delegates the responsibility of running these TLDs to registries; for example, .com is run by Verisign.
TLDs can be split into two groups: generic TLDs (gTLDs) like .com, which are usually open to anyone to register under, and country-code TLDs (ccTLDs), which historically were specific to a particular country or territory and therefore restricted to people or organizations within that geography. Nowadays, however, many ccTLDs are operated like gTLDs and are open to all.
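The definition above (last label after the final dot, before any path) is easy to get wrong in code when the input is a URL with a port, userinfo, a trailing dot or an IP literal, and the gTLD/ccTLD split matters in practice because under several ccTLDs the unit a registrar sells sits one label below the TLD (example.co.uk, not co.uk), which is the unit a domain blocklist is asked about. The following is an added example written for this FAQ, not Spamhaus's code; the function names are mine, and PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List, used only to show the effect, not the real list.

```python
"""TLD and registrable-domain extraction (added example, not Spamhaus code)."""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, just enough to show that some
# registries (notably several ccTLDs) delegate one label below the TLD. Real
# code should load the full maintained list, which also has wildcard and
# exception rules that this subset ignores.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "ch", "jp", "co.jp", "uk", "co.uk", "org.uk"}


def hostname_of(value: str) -> str:
    """Accept a bare host or a full URL; return the lower-cased host with any
    scheme, userinfo, port, path and trailing dot removed."""
    text = value.strip()
    if "://" not in text:
        text = "//" + text  # let urlsplit treat a bare host as the authority part
    host = urlsplit(text).hostname or ""  # .hostname already lower-cases
    return host.rstrip(".")


def tld_of(value: str) -> Optional[str]:
    """The TLD is the last label. IP literals and single-label names have none."""
    host = hostname_of(value)
    try:
        ipaddress.ip_address(host)
        return None  # an address, not a name
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-1]


def registrable_domain(value: str) -> Optional[str]:
    """The label directly beneath the longest matching public suffix: the unit a
    registrar sells, and hence the unit a domain blocklist is queried for.
    'uk' is the TLD of www.example.co.uk but the registrable domain is
    example.co.uk. Returns None for non-domains and for bare suffixes."""
    host = hostname_of(value)
    if tld_of(host) is None:
        return None
    labels = host.split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # TLD not in our list: assume a flat registry


if __name__ == "__main__":
    for sample in ("https://www.spamhaus.org/faq/", "mail.example.co.uk:25",
                   "user@Example.COM.:443", "192.0.2.1", "http://[2001:db8::1]/", "co.uk"):
        print(f"{sample:32} host={hostname_of(sample)!r} tld={tld_of(sample)!r} "
              f"registrable={registrable_domain(sample)!r}")
```

The practical caveat is the last line of registrable_domain: without the full Public Suffix List, a name under a ccTLD that delegates at the second level will be cut one label too short, so a lookup built on the naive "last two labels" rule would ask a domain blocklist about co.uk instead of the domain that was actually registered.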