The Spamhaus Project

Spamhaus DROP and eDROP to become a single list

From April 10th, 2024, Spamhaus eDROP (Extended Don’t Route Or Peer) data will be consolidated into the DROP lists, meaning eDROP will no longer be published separately. Read on for a closer look at why these changes are being implemented and what this means for those affected.

by The Spamhaus Team, March 13, 2024 (5 minutes reading time)

What are the Spamhaus DROP lists?

If you’re already familiar with the Spamhaus DROP lists, feel free to skip ahead to “Why merge eDROP with the DROP list?” In case you’re not familiar, the DROP lists are free advisory “drop all traffic” lists that include the worst of the worst IP ranges. They consist of netblocks that have been "hijacked" or leased by professional spammers, bulletproof hosters, or cyber-crime operations.

The DROP lists currently available are:

  • DROP (.txt) and DROPv6 (.txt)
  • eDROP (.txt) and eDROPv6 (.txt)

When implemented at the edge routers of a network or Internet Service Provider (ISP), the DROP lists help protect against activity originating directly from rogue networks. This includes spam campaigns, ransomware encryption, DNS hijacking and exploit attempts, authentication attacks (brute-force and credential-stuffing attempts to discover working access credentials), harvesting, and DDoS attacks. Because the lists are applied in both directions, they also prevent already-infected devices from communicating with adversaries who use "bulletproof hosting" on listed networks.

How are DROP and eDROP different?

As outlined, the DROP and eDROP lists both include netblocks that are "hijacked" or leased by professional spammers, cyber-crime operations, or bulletproof hosters. Yet there is a difference. The DROP and DROPv6 lists consist of netblocks directly allocated by an established Regional Internet Registry (RIR) or National Internet Registry (NIR), such as AFRINIC, APNIC, RIPE NCC, LACNIC or KRNIC.

eDROP and eDROPv6, on the other hand, are an extension of the DROP list that include suballocated netblocks, and are intended to be used in conjunction with the direct allocations on the DROP list.

Why merge eDROP with the DROP list?

The DROP list was initially created to contain IP ranges directly operated by cybercriminals (based on RIR records showing direct assignments to them). The decision to introduce eDROP as a separate list was based on the idea that, while most organizations would use both lists without making distinctions, some operators may have wished to use the “safer” DROP list only, particularly for usage at the routing level.

Since then, IPv4 address space has been exhausted, and new direct allocations from the RIRs are no longer available. So, in the majority of cases, organizations now acquire IPv4 addresses as subleases from brokers, normally on a temporary basis. This means the considerations that led us to split listings between DROP and eDROP no longer hold: the allocation mechanism says nothing useful about who operates a block. Therefore, we are switching back to a single DROP list (as was the case before 2012) and disregarding the allocation/assignment mechanism used, focusing only on usage of the listed block by professional cybercrime operations and bulletproof hosters.

By consolidating the DROP and eDROP lists, organizations will have access to the most up-to-date and accurate information to protect their network from the most dangerous IP traffic.

What is the impact for DROP and eDROP users?

For users of both the DROP and eDROP lists, the impact is minimal. Your protection will be maintained, as the eDROP data moves to the existing DROP list. The eDROP files will remain but they will be empty. We’d recommend updating your configuration to remove eDROP, but this is purely for config hygiene; it is not mandatory, and therefore, not updating it will not impact your protection.

If you currently use only the eDROP lists, you must update your configuration to use DROP instead. Without this change, you will lose the network protection that eDROP currently provides, because the eDROP files will be empty after the consolidation.

Who should use the DROP lists?

Network administrators can use the lists to enhance existing blocking/filtering and security measures. In addition, Tier-1 and backbone providers can also use these datasets to filter out malicious traffic from listed netblocks by using them in firewalls and routing equipment.

In addition, the lists can also be used:

  • To identify devices infected with malware in your network by noting, in the logs, attempts to make contact (typically via DNS or web) with DROP-listed IP space.
  • For vetting proposed IP ranges of new transit customers.
  • To score DROP ranges exceptionally high in software such as SpamAssassin.
  • In a DNS RPZ zone, to invalidate lookups in these IP ranges.

Any device or software that can process IP networks to make a decision can be used to process the datasets, including network gateways, firewalls, web proxies, DNS resolvers, and more.
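The two uses above that are easiest to get wrong are log matching (are the destination addresses in your firewall or proxy logs inside a DROP-listed prefix?) and producing DNS RPZ triggers, which have their own owner-name encoding. The following Python is an added example written for this article; it is not Spamhaus code. It assumes the layout of the published plain-text DROP files (a ";" starts a comment, and data lines read "<CIDR> ; <SBL id>"); the DROP entries and log lines embedded in it are constructed for illustration, and the "src:port -> dst:port" log format is an assumption chosen for the example.

```python
"""Match firewall log destinations against a Spamhaus DROP-style list and emit
DNS RPZ IP triggers. Added example for this article, not Spamhaus code.

Assumptions: DROP text layout is '<CIDR> ; <SBL id>' with ';' starting a
comment; the log format below is a constructed 'ts src:port -> dst:port' line.
"""
import ipaddress
import re

# Constructed sample in the DROP text layout (documentation prefixes, not a real list).
SAMPLE_DROP_TXT = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Wed, 10 Apr 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
2001:db8:dead::/48 ; SBL000003
"""

# Constructed firewall-style log lines; IPv6 literals are bracketed.
SAMPLE_LOG = """\
2024-04-10T08:00:01Z 10.0.0.5:51234 -> 203.0.113.9:443
2024-04-10T08:00:02Z 10.0.0.7:51235 -> 192.0.2.17:80
2024-04-10T08:00:03Z 10.0.0.7:51236 -> 198.51.100.200:25
2024-04-10T08:00:04Z 10.0.0.9:51237 -> [2001:db8:dead:beef::1]:443
"""

LOG_LINE = re.compile(
    r"^(\S+)\s+\[?([0-9A-Fa-f:.]+)\]?:\d+\s*->\s*\[?([0-9A-Fa-f:.]+)\]?:\d+"
)


def parse_drop(text):
    """Return {ip_network: sbl_id} from DROP text, skipping comments and blanks."""
    entries = {}
    for line in text.splitlines():
        data, _, comment = line.partition(";")
        cidr = data.strip()
        if not cidr:
            continue  # comment-only or blank line
        entries[ipaddress.ip_network(cidr, strict=False)] = comment.strip()
    return entries


def find_listed(entries, addr):
    """Return (network, sbl_id) of the DROP entry covering addr, or None.

    A linear scan is fine for a list of a few thousand prefixes; for line-rate
    matching you would load the prefixes into a radix tree instead."""
    ip = ipaddress.ip_address(addr)
    for net, sbl in entries.items():
        if ip.version == net.version and ip in net:
            return net, sbl
    return None


def scan_log(entries, log_text):
    """Return (timestamp, src, dst, cidr, sbl) for each log line whose
    destination falls inside a DROP-listed block. A hit means an internal host
    tried to talk to listed space, which is what the article suggests using
    as an infection indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, src, dst = m.groups()
        found = find_listed(entries, dst)
        if found:
            net, sbl = found
            hits.append((ts, src, dst, str(net), sbl))
    return hits


def rpz_ip_trigger(net):
    """RPZ 'rpz-ip' owner name for an IPv4 prefix: <prefixlen>.<octets reversed>.rpz-ip.

    Placing this name in an RPZ zone rewrites any answer whose A record falls in
    the block. IPv6 triggers use a different reversed-word encoding and are left
    out of this example."""
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"


def rpz_records(entries):
    """Zone lines that turn answers in IPv4 DROP space into NXDOMAIN (CNAME '.')."""
    return [f"{rpz_ip_trigger(net)} CNAME ." for net in entries if net.version == 4]


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP_TXT)
    for hit in scan_log(drop, SAMPLE_LOG):
        print("DROP hit: %s %s -> %s (%s %s)" % hit)
    print("\n".join(rpz_records(drop)))
```

In production you would feed `parse_drop` the downloaded drop.txt and dropv6.txt (and, after April 10th, only those), and point `scan_log` at your own log format; the point of `find_listed` is that the comparison is done on prefixes, not on exact addresses, so a single /22 entry catches every host inside it.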

How to access the DROP list

The combined DROP/eDROP list will be available to download in JSON and TXT format on April 10th, 2024 - where required, please ensure your configuration is updated from this point.

Accessing DROP commercially via our partner Spamhaus Technology

Given the importance of the DROP list, this data is made available free of charge to any organization that would like to implement this extra layer of protection.

For a more robust, commercially-focused solution, which also includes datasets listing compromised hosts and dedicated botnet command and control servers (C&Cs), we make data available via our partner Spamhaus Technology. Find out more about Spamhaus Technology's BGP Firewall.

Any questions?

Feel free to reach out to us via LinkedIn, X or Mastodon.