Frequently Asked Questions relating to Spamhaus data
Frequently asked questions relating to our data and research.
Spamhaus Blocklist (SBL)
The Spamhaus Block List (SBL) is a realtime database of IP addresses of spam sources, including known spammers, spam gangs, spam operations and spam support services. SBL listings are made according to policies outlined in SBL Policy & Listing Criteria.
The database is maintained every day, around the clock, by Spamhaus Project team members around the world.
Snowshoe spam ranges
Snowshoe spam style configurations, particularly ranges and domains with poor or frequently changing identification.
Spam Hosting
IPs that host spam-advertised websites or other resources used by spammers or malware operations.
Spam Operations
Known spam or malware operations listed in the Spamhaus Register of Known Spam Operations (ROKSO).
Spam Services
IPs that host services that support spam or malware operations, including but not limited to:
- Bulletproof hosting: DNS, web, mail or other services provided with either explicit or tacit actions not to disconnect customers who spam or engage in cybercrime.
- Spamware: Sales or distribution of software whose main purpose is to aid in the sending of high volume unsolicited bulk email.
- Scrapers: Sales or distribution of software whose main purpose is to automatically collect email addresses from web sites or whois records.
Security Threats
Any IP address that is deemed to be a security risk to Spamhaus SBL users, including but not limited to:
- Botnet controllers: IPs that host botnet command and control (C&C) servers.
- Malware: IPs that host malware-infected websites or other resources that participate in any aspect of attempting to infect other computers, or extract data or personal information, without the knowledge or consent of their owners.
- Phish sites: IPs that host fake login pages to bank and financial institution websites, customer email accounts, customer web hosting sites, VPNs, and other sites in an attempt to steal sensitive private information and/or login credentials.
- Ransomware: IPs that host websites or other resources that participate in any aspect of holding user data for ransom by encrypting it and then demanding payment for the key to decrypt it (“ransomware”).
- Hacking Attempts: IPs that are the source of attempts to crack passwords, scan for vulnerabilities, or other attempts to trespass on other computers without the knowledge or consent of their owners.
If you are an end-user, please contact your system administrator, Internet Service Provider (ISP), or Email Service Provider (ESP) and ask them to address the problem.
- The criteria for removal from the SBL are explained on the Spamhaus Blocklist page.
- Removals of Spamhaus listings are governed by our removals policy only. All removals from the SBL or ROKSO are the sole decision of The Spamhaus Project.
Once the abuse issue has been terminated, the ISP should request removal by sending a removal request to the SBL removal queue. This can be done by clicking the “contact the SBL Team” mailto link at the bottom of each SBL listing page.
Here is an example of one way of handling a general case of a spammer’s dedicated account:
- The server needs to be taken down or disconnected (unless it is a virtual or shared server);
- Any DNS entries served by the ISPs main DNS servers for the SBL-listed customer should be cleared;
- Any PTR entries need to be cleared or set back to defaults;
- The ISP’s MX server should no longer accept mail for the SBL-listed customer;
- If the IP addresses were SWiP’d or in rWhois, they should be removed or a request for removal to the RIR should have been made.
NOTE: While there are deliverability consultants who can greatly help improve email sending practices, it is important to know that none of them have any special privilege to influence, expedite or modify SBL or ROKSO listings.
- There is never any charge or fee associated with removing any Spamhaus listing.
- Any offer from anyone to remove any Spamhaus listing for a fee is a scam.
- Spamhaus has no affiliation with anyone offering any ‘blocklist removal’ service, nor can any third party influence or expedite removals from any Spamhaus database.
Removal requests must be sent by the Internet Service Provider in charge of the listed IP address(es). Therefore, from the system administrator point of view, the process is the following:
- Consult the SBL listing page to understand what the spam problem is.
- Solve the problem, making sure that it has been solved permanently.
- Contact the Abuse/Security desk of your Internet provider, describe the situation and how the problem was solved (we always need to know how the problem was solved), and if they agree that the problem has been solved, ask them to send a removal request to the SBL Removals Team.
- The removal procedure is described at the bottom of every SBL listing page.
The Spamhaus Blocklist (SBL) is in a format intended to be used by corporate or ISP mail servers.
The SBL can be used by almost all modern mail servers, by setting the mail server’s anti-spam DNSBL feature (sometimes called “Blacklist DNS Servers” or “RBL servers”) to query sbl.spamhaus.org.
- Use of the SBL in query mode is free of charge for users with normal mail server traffic.
- ISPs and corporate networks with heavy email traffic will need to use the Commercial service.
- End users who want SBL protection can ask their email provider if they use the SBL, and if not, ask them to implement it.
- If this is not possible, end users can look for spam filtering software that is able to use “DNSBL” systems (sometimes called “Blacklist DNS Servers” or “RBL servers”). Most will have the SBL, ZEN, or the older SBL-XBL as a default or available as an option.
For greater spam filtering effectiveness, we recommend using ZEN, which is a combined zone that contains the complete SBL, XBL and PBL data. Your server can safely reject SMTP connections from any IP listed in ZEN by setting its DNSBL check to query only zen.spamhaus.org.
- **NOTE:** If your application uses second-stage filtering such as URI checks or full header traversal, please check the following FAQs for further information and cautions.
We ask that all ISPs using our DNSBL zones inform their customers of the fact. Use of known-to-be-effective spam blocklists is normally seen as a service advantage and strong sales point.
- All SBL, XBL and PBL users are welcome to use the “email protected by” SBL, XBL and PBL web badges on sites.
For information on how to configure a mail server to use sbl.spamhaus.org, please refer to the mail server documentation/manuals, call the software or MTA vendor, or ask a relevant IT department for help. Due to the vast diversity of mail servers in use, we cannot offer technical help with the use of the SBL.
The Spamhaus SBL can be queried at the DNS zone sbl.spamhaus.org.
- Like other Spamhaus DNS zones, it has no ‘A’ record.
- For information about the technicalities of deploying and using SBL (and other Spamhaus DNSBLs), there is an extensive FAQ.
The SBL DNS zone is rebuilt and reloaded every 5 minutes, 24/7, to ensure that new spam problems are swiftly blocked and that fixed problems are swiftly removed.
- To ensure high redundancy, Spamhaus has over 80 public DNSBL mirror servers located around the world.
- All respond in realtime to public queries.
The Spamhaus Blocklist (SBL) records include a field assigning each record to a network identity, usually a domain but sometimes a “NETNAME” if a domain is not used in the IP-whois record. Spamhaus uses the top-level assignment of IP addresses by a Regional Internet Registry (RIR) for those SBL names. SBL notifications and Spamhaus statistics are based on those network names.
There is an Apache tool written by Luca Ercoli called mod_spamhaus that works for this purpose.
- Blocked users should be provided a way to see why they have been denied.
- NOTE: This uses the SBL and not the XBL or PBL.
- XBL contains dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited device.
- The PBL just contains large ranges that should not send email directly to the internet. Please avoid blocking innocent users.
By default, the tool “mod_spamhaus” only blocks the POST, PUT, OPTIONS and CONNECT methods.
- GET can be added to the list of methods blocked in /etc/apache2/mods-enabled/mod-spamhaus.conf to prevent miscreants from seeing your website (avoiding the harvesting of email addresses, DDoSing, etc).
- The webpage titled Using mod_spamhaus to block TOR in Apache shows this sort of configuration.
On moderate-traffic websites, we strongly recommend a proper DNS caching system be used, and on high traffic sites our Data Feed Service must be implemented.
SpamAssassin includes rules for this purpose. They are URIBL_SBL and URIBL_SBL_A:
- URIBL_SBL checks if the IP of the authoritative nameserver of a given domain is listed in the SBL.
- URIBL_SBL_A checks if the IP of a given hostname is listed in the SBL.
- URIBL_SBL_A was introduced in SpamAssassin 3.4.3.
Our SpamAssassin plugin retroactively enables 3.4.0 and 3.4.1 to use the same rules.
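As an added example (not Spamhaus’s or SpamAssassin’s own code), the Python below builds the reversed-octet query name for the sbl.spamhaus.org zone described above, interprets the answer, and then applies that lookup the two ways the URIBL_SBL and URIBL_SBL_A rules differ: the IP of the domain’s nameserver versus the IP of the hostname itself. Resolver functions are injected and the DNS data is constructed, so it runs offline; the 127.0.0.x return codes, the 127.255.255.x error codes and the nibble-reversed IPv6 form come from Spamhaus’s documentation rather than this page, and the block goes beyond the text by handling IPv6 addresses as well.

```python
import ipaddress
from typing import Callable, Optional

Resolver = Callable[[str], list[str]]  # name -> list of A-record strings

ZONE = "sbl.spamhaus.org"
# Return codes Spamhaus documents for this zone (not stated on this page).
SBL_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS"}
ERROR_CODES = {"127.255.255.252": "typing error in DNSBL name",
               "127.255.255.254": "query via public/open resolver",
               "127.255.255.255": "excessive number of queries"}

def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Build the query label: 192.0.2.10 -> 10.2.0.192.sbl.spamhaus.org.
    IPv6 gets the nibble-reversed form; ValueError on a malformed address."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # ...in-addr.arpa / ...ip6.arpa
    return rev.rsplit(".", 2)[0] + "." + zone

def check_ip(ip: str, resolve_a: Resolver) -> Optional[str]:
    """Return which list the IP is on (None if not listed).
    Error codes are not listings and must never be treated as a reject."""
    answers = resolve_a(dnsbl_name(ip))
    for code in answers:
        if code in ERROR_CODES:
            raise RuntimeError(f"DNSBL error {code}: {ERROR_CODES[code]}")
    return next((SBL_CODES[c] for c in answers if c in SBL_CODES), None)

def uribl_sbl(domain: str, resolve_ns: Resolver, resolve_a: Resolver) -> bool:
    """URIBL_SBL semantics: is the IP of any authoritative nameserver listed?"""
    return any(check_ip(ip, resolve_a) for ns in resolve_ns(domain)
               for ip in resolve_a(ns))

def uribl_sbl_a(hostname: str, resolve_a: Resolver) -> bool:
    """URIBL_SBL_A semantics: is the IP the hostname itself resolves to listed?"""
    return any(check_ip(ip, resolve_a) for ip in resolve_a(hostname))

# Constructed DNS data (RFC 5737 documentation addresses) so the block runs offline.
FAKE_A = {
    "www.example.net": ["192.0.2.10"],        # host itself is clean...
    "ns1.example.net": ["198.51.100.5"],      # ...but its nameserver is SBL-listed
    "5.100.51.198.sbl.spamhaus.org": ["127.0.0.2"],
    "www.example.org": ["203.0.113.7"],       # host sits on an SBL CSS listing
    "7.113.0.203.sbl.spamhaus.org": ["127.0.0.3"],
    "ns1.example.com": ["203.0.113.53"],
}
FAKE_NS = {"example.net": ["ns1.example.net"], "example.org": ["ns1.example.com"]}
fake_a: Resolver = lambda name: FAKE_A.get(name, [])
fake_ns: Resolver = lambda name: FAKE_NS.get(name, [])
```

For live lookups, a wrapper around `socket.gethostbyname_ex(name)[2]` that returns `[]` on `socket.gaierror` can serve as `resolve_a`; NS lookups need a DNS library such as dnspython.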
We have developed our datasets with the final goal of being the most compatible with existing software. The two biggest open source antispam projects are SpamAssassin and Rspamd.
To show the best way to use our data with these products, we have created two dedicated Github projects. The projects contain instructions, rulesets, and code to make the best out of our DQS product.