The Spamhaus Project

SBL/ZEN DNS lookups to return DROP/eDROP status

by The Spamhaus Team, April 05, 2016

For many years Spamhaus has maintained two text lists named DROP (Don't Route Or Peer) and EDROP (Extended Don't Route Or Peer). These lists contain netblocks that are "hijacked" or leased by professional spam or cybercrime operations, and were originally designed to be used by network edge devices such as routers or firewalls to block all traffic. They are provided at no cost to the community on the Spamhaus website.

All networks in DROP and EDROP are also listed in the Spamhaus blocklist (SBL); DNS lookups for those IPs have always returned 127.0.0.2 (listed) status. However, it has not been possible to determine whether a listed IP was also listed in DROP/EDROP from the DNS lookup result.

To allow spam filters and other anti-spam software to support more aggressive spam scores for networks listed on DROP or eDROP, and to support access rules for other protocols such as HTTP, starting on 1st June 2016, the sbl.spamhaus.org, sbl-xbl.spamhaus.org and zen.spamhaus.org zones will return the new code 127.0.0.9 in addition to the standard return code 127.0.0.2 for IP addresses that are listed in DROP or eDROP.

Those who program or maintain spam filters or other anti-spam software can test any new rules immediately by looking up the test address 127.0.0.9, or its IPv6 sibling ::ffff:7f00:9.
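As an added illustration (not Spamhaus code), the Python sketch below shows how a filter could build the query name for the IPv4 and IPv6 test addresses and tell a DROP/eDROP listing apart from a plain SBL listing. The function names and the `drop`/`sbl`/`other`/`clean` labels are hypothetical; the reversed-nibble IPv6 query form is the usual DNSBL convention (RFC 5782).

```python
import ipaddress
import socket

SBL_LISTED = "127.0.0.2"   # standard SBL return code (from the article)
DROP_LISTED = "127.0.0.9"  # DROP/eDROP return code (from the article)


def dnsbl_qname(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # IPv4: octets in reverse order
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6: all 32 hex nibbles in reverse order, one per label
        labels = list(format(int(addr), "032x"))[::-1]
    return ".".join(labels) + "." + zone


def classify(answers):
    """Map the A records returned by one lookup to a filter decision."""
    codes = set(answers)
    if DROP_LISTED in codes:
        return "drop"    # DROP/eDROP netblock: candidate for a harsher score
    if SBL_LISTED in codes:
        return "sbl"     # SBL listing without the DROP/eDROP code
    if codes:
        return "other"   # some other return code from the zone
    return "clean"       # no A records: not listed


def lookup(ip, zone="zen.spamhaus.org"):
    """Live lookup; needs network access. Returns the list of A records."""
    try:
        return socket.gethostbyname_ex(dnsbl_qname(ip, zone))[2]
    except OSError:
        return []        # resolution failed (e.g. NXDOMAIN): treat as not listed


if __name__ == "__main__":
    # Test addresses named in the article
    for test_ip in ("127.0.0.9", "::ffff:7f00:9"):
        print(dnsbl_qname(test_ip), classify(lookup(test_ip)))
```

Because the new code arrives in addition to 127.0.0.2, the check for 127.0.0.9 has to run before the generic SBL check, otherwise every DROP/eDROP hit would be scored as an ordinary SBL listing.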

Spamhaus reminds its users that, since February 2016, the public version of the SBL has also contained IPv6 data and answered IPv6 lookups. Spamhaus plans to add IPv6 data to the XBL and PBL in the future. However, the majority of spam coming from IPv6 IPs at this time is snowshoe spam, which falls in the SBL territory. Spammers have been purchasing and using large IPv6 blocks in an attempt to more easily bypass spam filtering and deliver email to inboxes on IPv6-connected email facilities.