The Spamhaus Project: How to Get Off the Blacklist

Summary

Status:	Active
Terms:	Free
Zones:	6
Website:	www.spamhaus.org
Lookup and Removal:	www.spamhaus.org/lookup/
About:	www.spamhaus.org/organization/
FAQ:	www.spamhaus.org/faq/
Contact:	www.spamhaus.org/organization/contacts/

Background

The Spamhaus Project is one of the largest anti-spam DNS blacklist services known. Founded in 1998, Spamhaus has operations in Geneva, Switzerland, and London in addition to the 28 investigators and forensic specialists located in 8 countries. Spamhaus is a true 24 hour a day anti-spam operation. With over 60 public DNS Servers distributed across 18 countries, Spamhaus is able to serve billion of DNS requests to the world over, all free of charge. It has been estimated that 1.4 billion users mailboxes are in some way protected by The Spamhaus Project every day. Alongside Spamhaus, the Spamcop blacklist service is another trusted tool for combating spam globally.

The Spamhaus project is not only a publisher of IP address space that is known to be the source of spam and other nefarious emails, but also actively works with all forms of law enforcement and legal entities to bring justice to those affected by the large scale spamming actions of others. Because of this, Spamhaus has formed The Register Of Known Spam Operations (ROKSO), which is used by ISP’s and law enforcement to track and monitor the activities of the most egregious offenders of large scale network spam attacks. ROKSO currently tracks the top 100 known professional spam senders and “gangs” worldwide, in order to help mount legal prosecutions against large scale offenders.

The Spamhaus Project is a non profit organization. All members are volunteers, equipment is provided through sponsors or donation. The Spamhaus Foundation was formed in addition to The Spamhaus Project to ensure the long term viability of The Spamhaus Project.

Listing criteria

The listing criteria for Spamhaus varies greatly. If it had to be summed up, as with all other IP based DNS blacklists, listing occurs when spam is seen or reported. However, because Spamhaus maintains a total of 6 different blacklists, significant granular control can be achieved so that as little, or as much spam can be classified as the end user desires. Spamhaus recently added to its traditional IP based blacklists a Domain Block List (DBL) which will list domains that have been used within spam emails.

Zones

sbl.spamhaus.org

The SBL (Spamhaus Block List) lists IP’s of hosts that appear to be under the control of, or in use by senders of unsolicited commercial or bulk email. Any listing in the SBL must meet Spamhaus’s internal definition of spam, which is that a message will be deemed spam if is is both commercial and bulk.

Some of the methods and criteria the SBL will use are similar to other DNS blacklists, such as spamtraps, partnership DNS blacklists, obvious spam, and attacks. Other methods are compromised machines including web, dns, and any service that is under the direct control of spammers. Also in the SBL are lists of IP’s associated with known spammer operations. ROKSO comes in handy for the SBL, as when a known spammer operation moves IP address space, the listings in the SBL can be updated to follow their operations. Finally, the SBL also lists known ISP’s that are spammer friendly, and those ISP’s that host the data and promote the delivery of data for spammers and those listed within the ROKSO database.

• SBL Home Page
• SBL FAQ

xbl.spamhaus.org

The XBL (Spamhaus Exploits Block List) is a real time database of known IP addresses of hijacked PC’s infected by 3rd party exploits. These can include, but are not limited to: HTTP, SOCKS, Analog X, WinGate, Formmail etc. The XBL also lists hosts that have shown to have been infected with sophisticated worms and viruses, complete with built in SMTP spam engines and other trojan horse type exploits. The XBL contains the worst of the worst hosts on the internet, often listing hosts that are part of multi thousand spamming and fraud networks.

The Spamhaus XBL also incorporates the CBL (Composite Blocking List – cbl.abuseat.org), and NJABL (Open Proxy IP List – www.njabl.org). These incorporations are not direct copies of the aforementioned zones. While Spamhaus considers these DNSBL’s to be highly trusted, and adhere to the highest of ethical standards, Spamhaus still maintains some minor adjustments to the data feeds in order to improve efficiency and reduce false positives. As a result of this partnership, you should not use any combination of the three DNS blacklists, choose one or the other, but do not combine XBL, CBL, or NJABL in any form.

• XBL Home Page
• XBL FAQ

pbl.spamhaus.org

The PBL (Spamhaus Policy Block List) is a list of IP addresses that have no reason to be delivering unauthenticated SMTP email to any host on the internet. For example, most residential ISP’s that provide internet access to end users, expressly forbid the user of their connections to be used for any “server” based activity. This includes, but it not limited to, SMTP servers. While some ISP’s have business class divisions of their internet access, the residential side of their offerings does not allow one to directly submit email from their dynamic IP connection.

The PBL is not maintained directly by Spamhaus. Each network maintainer is given their own tools to maintain and manage their dynamic IP ranges, or those IP’s in which sending email would violate their internal policy. In the past, it was up to server administrators to track down the dynamic IP ranges of large ISP’s, the PBL provides a central repository of dynamic IP’s that is maintained by the ISP’s themselves. Most ISP’s have taken the time to list their IP ranges in the PBL, though it should be considered, this is not a complete list, and is also highly US centric. If by chance you are maintaining a static IP address that has been accidentally mixed into the PBL dynamic blocking list, Spamhaus provides tools to allow your single IP address to be excluded.

• PBL Home Page
• PBL FAQ

dbl.spamhaus.org

The DBL (Spamhaus Domain Block List) is Spamhaus’s newest addition to their service. The DBL maintains a list of domains, usually website URL’s, that have been found within the body of emails. Any server that is capable of parsing the body of a message, and extracting a URL from within the body, then comparing it to the DBL, is a candidate for use of the DBL.

In addition to pure email body content checks, it is also possible to use the DBL to check for domains within the SMTP level headers of an email message. This includes the HELO, rDNS connecting IP, From domain, Repy-To domain, Message-ID domain, and any other header field which may contain a domain.

The DBL is maintained as a pure “zero false positive” list, meaning that, no domain should ever be listed that has not been used as part of some spam tactic. While many DNS based blacklists and URI/URL/domain lists do try to achieve zero false positives, it would be wise to keep watch of your logs, as no system is infallible.

• DBL Home Page
• DBL FAQ

zen.spamhaus.org

The ZEN blacklist is Spamhaus’s combination zone. Over time, spamhaus has had several different methods for calling out multiple combinations of it’s zones. As it stands today, you can either chose to make DNS queries to individual zones as listed above, or combinations of them, or, use one zone, which includes them all. zen.spamhaus.org is the primary zone that contains all of Spamhaus’s data, and in turn, is the zone that most people use.

• ZEN Home Page

Spamhaus Don’t Route Or Peer List

The DROP (Spamhaus Don’t Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list at all, and is designed to be downloaded as a file, with primary intentions being that the user of the DROP list will install it within their firewall. The DROP list has very little flux it, and is recommend that the update frequency with which it is downloaded need not be more than once a day.

The DROP list may eventually become available as part of BGP, announced via an Autonomous System Number (ASN), making it much simpler for large edge providers to implement the DROP list into their networks. Until that times comes, Spamhaus provides links to a number of scripts that will aid in getting the DROP list installed on most platforms and most common routers and firewalls.

• DROP Home Page
• DROP FAQ

Removal Process

The removal process of Spamhaus can vary depending on the zone you find yourself listed in. For example, being listed in the PBL, is more than likely desirable, whereas, being a legitimate SMTP email sender, being listed in the DBL would be seriously undesirable. In most cases, using the Blacklist Removal Center, will show if you are listed, why, and how to begin the process of removal.

The Spamhaus Project also maintains a blog, which is a good source of day to day information on what is going on within the project. It is a good idea to keep up to date on this blog, with Spamhaus being so large, and having such a broad scope within the DNS blacklist community.

Related Articles

• General blacklist removal instructions
• Check to see if an IP is blacklisted
• How do I report spam?
• What is a DNSBL (blacklist)?
• Ask for help to diagnose and resolve listing issues