Spamhaus Blacklist

Last Updated, 2020-05-11 email-delivery email-blacklist

The Spamhaus Project is one of the best-known names in blacklisting, spam tracking, spam blocking, and malware and botnet detection. It is a non-government service that provides a domain blacklist to a large number of email services and assists corporations in the online and security domain. Spamhaus serves millions of users every day and deals with billions of spam messages per day.

They provide a real-time domain reputation blacklist that is responsible for protecting over 3 billion users over the internet.

To meet the demand for its DNSBLs from millions of users on the internet, Spamhaus runs one of the largest DNS infrastructures in the world. It has a network of over 80 public DNSBL servers spread across 18 countries that serve billions of DNSBL queries to the public every day.

Public use of the Spamhaus service is free, but it is restricted to low email volumes.

Spamhaus Blacklists

Spamhaus provides various blacklists, such as SBL, XBL, PBL and DBL. Let's look at each of them in detail.

SBL (Spamhaus Block List): The SBL is a realtime list that can be used by mail systems all over the Internet. It allows mail server administrators to identify, tag, or block incoming connections from listed IP addresses. The addresses on this list are ones that Spamhaus considers to be involved in the sending, hosting, or generating of Unsolicited Bulk Email, i.e. "Spam".

The SBL is a database maintained by a dedicated team of Spamhaus specialists located in 10 countries.

XBL (Exploits Block List): The XBL is a realtime database of IP addresses of hijacked PCs that are infected by illegal exploits. This includes open proxies, worms and viruses, and other types of trojan-horse exploits.

PBL (Policy Block List): The Spamhaus PBL is a DNSBL database of the recipient's IP address ranges that should not be sending unauthenticated SMTP email to any mail server, except those that are provided for specifically by an ISP for the particular customer's use. 

The PBL helps companies enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

DBL (Domain Block List): DBL is a list of domains with poor domain reputations. These domain reputations are calculated from multiple factors and maintained in a database which in turn feeds the DBL zone itself.

ZEN (zen.spamhaus.org): ZEN is basically a combination of all Spamhaus IP-based DNSBLs into one single comprehensive blocklist that makes querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.

Note: Spamhaus recommends using ZEN as the single monitoring service, since using it in conjunction with other Spamhaus lists will cause unnecessary DNS queries.
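How a ZEN lookup works at the DNS level, as an added example that is not part of the original article: the IP is reversed and queried under zen.spamhaus.org, and the returned 127.0.0.x address tells you which component list matched. The return-code values come from Spamhaus's published DNSBL documentation rather than from this page, and the function names are illustrative.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"
# Return codes per Spamhaus's published DNSBL documentation (not from this page).
LIST_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBLCSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# 127.255.255.x answers report a problem with the query, not a listing.
ERROR_CODES = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def zen_query_name(ip, zone=ZEN_ZONE):
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the zone."""
    ptr = ipaddress.ip_address(ip).reverse_pointer
    return ptr.rsplit(".", 2)[0] + "." + zone  # drop in-addr.arpa / ip6.arpa

def classify_zen_answers(answers):
    """Sort A-record answers into lists, query errors and unknown codes."""
    result = {"listed_on": set(), "errors": [], "unknown": []}
    for addr in answers:
        if addr in LIST_CODES:
            result["listed_on"].add(LIST_CODES[addr])
        elif addr in ERROR_CODES:
            result["errors"].append(ERROR_CODES[addr])
        else:
            result["unknown"].append(addr)
    result["listed_on"] = sorted(result["listed_on"])
    return result

def lookup_zen(ip):
    """Live lookup; NXDOMAIN means 'not listed', other failures are raised."""
    try:
        infos = socket.getaddrinfo(zen_query_name(ip), None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno != socket.EAI_NONAME:
            raise  # timeout or resolver failure is not a clean result
        return classify_zen_answers([])
    return classify_zen_answers(sorted({info[4][0] for info in infos}))

if __name__ == "__main__":
    # Constructed answers, as a resolver would return for an IP on XBL and PBL.
    print(zen_query_name("192.0.2.1"))
    print(classify_zen_answers(["127.0.0.4", "127.0.0.11"]))
    print(classify_zen_answers(["127.255.255.254"]))
```

Run live lookups through your own recursive resolver: through a public resolver Spamhaus answers with an error code, which a check that treats any answer as a listing will misread.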

Spamhaus listing policy

SBL Policy

The Spamhaus SBL is populated from the kinds of sources listed below.

Spam Sources

Unsolicited bulk email sources identified by Spamhaus.

Snowshoe spam ranges

Email senders that show snowshoe spam methods, and domains with poor or frequently changing identification.

Snowshoe spamming is a method in which spammers try to reduce the penalty of spam filters by distributing their emails through multiple server IPs and domains.

Spam Hosting

IPs that host spam websites, or spammer resources like malware and more.

  • Spam Operations - Spam or malware operations listed in the Spamhaus Register of Known Spam Operations (ROKSO). This is a repository of information and evidence on known persistent spam operations maintained by Spamhaus.
  • Spam Services - IPs of the servers that host services that support spam or malware operations. This includes the following services:
      • Bulletproof hosting - Domain or web hosting services that give their users the freedom to upload any type of material to their servers, which spammers take advantage of.
      • Spamware - Malware that sends high-volume unsolicited bulk email through your server without your knowledge.
      • Scrapers - Bots that scrape the HTML code of websites on the internet to harvest emails. These emails are then sold online to marketing companies that need user emails for sending marketing emails.
      • List providers - Online services that provide email lists, free or paid.
      • Email appenders - Services that append users' emails to the organization's domain to generate new email IDs.

Security Threats

IP addresses that are seen as a security risk to SBL users, including the threats listed below and more.

  • Botnet controllers. IPs that host botnet servers.
  • Malware-infected websites or other services that perform malicious email activities like hijacking and forceful email activity without the knowledge of the owner, or extraction of users' personal information.
  • Phishing sites. IPs that host fake login pages to extract confidential information such as credit card details, login credentials, and bank details.
  • Ransomware. IPs that host websites that work by holding user data to collect a ransom are suspicious to Spamhaus.
  • Hacking attempts. IPs that are the source of activities such as attempts to crack passwords or to sneak into other computers without the knowledge or consent of their owners.

PBL Policy

PBL IP addresses are added and maintained by the networks participating in the PBL. They work together with the Spamhaus PBL team to help apply their outbound email policies.

The PBL contains both dynamic and static IPs. It includes IPs which, by policy, should not be sending email directly to the MX servers of third parties.

XBL Policy

XBL is a list of spam sources that are due to compromised systems. It is mostly composed of CBL data (www.abuseat.org). It also contains a list of compromised systems from other resources.

DBL Policy

The DBL's database is maintained by a team of data specialists who use data from multiple sources. They use this data to tweak the policies of the automated processes that populate the list.

Most DBL listings occur automatically, although some of them are done by Spamhaus researchers who will add or remove listings manually. 

DBL data exchanged with other Spamhaus systems like firewall or security applications can result in further listings in the DBL, or in IP addresses being listed in different Spamhaus zones.

DNSBL records

Every SBL listed record has the following information beside it.

A reason for listing

This might be due to being a source of spam emails, hosting of spam services, or hosting malware services.

Evidence for listing claim

Every SBL record has a record of the spam activity done by it. It might be in the form of a sample form message or a link to the advertised site.

It also contains the DNS tracing of the server records that are fetched from Whois service.

Since the evidence for the spam is provided by third-party services too, special handling is done for showing proof of the spam. For example, the spam evidence will not be revealed if it is a Spam trap that got it listed.

This is done to preserve the effectiveness of the spam traps.

How to identify being blacklisted in Spamhaus   

Spamhaus sends an automatic notification to the owner of the network service that got listed. Spamhaus maintains its own contact list.

The emails are sent through their own regional Internet registry (RIR).

There can be exceptions, though, and Spamhaus deals with them by making an additional request to the network for contact details.

If the receiving end wishes not to receive notification from Spamhaus or the emails sent by the Spamhaus network are ignored by the receiver, then Spamhaus may decide not to send the emails to that user.

You can also check manually whether you are listed in the SBL at https://www.spamhaus.org/sbl/policy/.

You should get a message “Your-domain is not in the SBL” if you are not listed.

Delisting from Spamhaus

Delisting steps for SBL (Spamhaus Block List)

SBL listings are removed only if the network's abuse desk or administrator emails the SBL Team and explains the actions taken to fix the issue that caused the listing.

The request has to be from an authoritative resource.

Spamhaus expects the issue that caused the listing to be resolved and may decline the removal request if sufficient measures were not taken to prevent further abuse.

The SBL Team normally processes the removal request in 24 hours. 

SBL Delisting Procedure:

The request to remove an SBL listing must be made by the ISP whose IP is listed. The ESP must contact the SBL Team, by email, using the dynamic 'mailto' link visible on the SBL record page.

You must resolve all the issues that led to the blacklisting of the domain. If a delisting request is made without addressing the issue, Spamhaus will reject it.

Even if the underlying issue is resolved, if you don't comply with the Spamhaus policy, then your delisting request will be rejected.

Delisting steps for DBL (Domain Blacklist)

  • Open Spamhaus Blacklist Removal Center page. On this page, you can look up your domain name by submitting the lookup fields.
  • After the lookup is done, you will be shown either that you are not blacklisted or that you are listed.
  • If you are listed, you will be seeing the message “abcd.xyz is listed in the DBL.”
  • You will also see your domain name with a link on your domain name. Click on that link.
  • You will be redirected to a page whose URL will look like this: “https://www.spamhaus.org/dbl/removal/record/abcd.xyz”
  • On this page, you will see a message like this “To remove abcd.xyz from the DBL, go to the DBL removal form”. Click on the DBL removal form link.
  • The DBL removal form is displayed.
  • Enter your email address for communication. Remember, you will be receiving the notification for email removal through this link.
  • Then click on the Remove button.

Delisting steps for XBL, SBL, PBL

  • Open Spamhaus Blacklist Removal Center page. On this page, you can look up your IP address by submitting the lookup fields.

  • Click on lookup. The lists you are not on will be shown in green, and the ones you are listed on will be shown in red.

  • Now from here, everything will depend on different scenarios.
  • In my case, this IP was listed on the CBL. So I was redirected to the CBL page and was shown the entire details of the listing and the reason for the listing.
  • The page also consisted of the IP removal option button, but as this is a Spamhaus article we will stop here.

Conclusion

I hope this article has helped you understand the Spamhaus blacklists and method to delist your domain from the blacklist. In case you have any queries related to your domain blacklisting, then please feel free to comment below or reach out to the Pepipost Deliverability Expert Team at dx(at)pepipost(dot)com.