Halon Protect
Integration

Halon offers one of the industry’s highest-performing messaging platforms. With Halon's email infrastructure and Spamhaus’ real-time DNS blocklists, you gain robust, actionable, cost-effective protection.

EFFECTIVE & EFFICIENT FILTERING

Block more than 99% of malicious email.

IMMEDIATE & TRUSTED PROTECTION

Real-time updates with low false-positive rates.

READY-MADE INTEGRATION

No additional development work is required.

Halon Protect & Spamhaus Real-Time DNSBLs

By incorporating Spamhaus’ industry-leading threat intelligence data with Halon’s email infrastructure, you gain real-time protection against more than 99% of malicious email.

The ready-made integration comes pre-configured in the Halon interface to provide instant email protection, and is available to any Halon Protect customer.

Infrastructure cost recovery

Instantly recover the cost of bandwidth, servers & storage typically lost to accepting and processing unsolicited and malicious email traffic.

Minimize risk of security incidents

Save on associated remediation costs and the potential loss of reputation.

Free up valuable resources

By focusing less on email threat management, there is more time available to handle other issues.

Integration details

  • Accessing the integration

    Spamhaus’ real-time DNSBLs come pre-configured in the Halon email infrastructure and can be enabled within Halon’s web interface.

    The DNSBLs are delivered via Spamhaus’ Data Query Service (DQS), so you’ll need to create a Spamhaus account and generate a DQS key as part of the setup process.

    To get started, see “Setting up a 30-day free trial for Spamhaus Data Query Service”.

  • How the integration works

    Spamhaus’ real-time DNSBLs are integrated with Halon Protect in the mail transfer agent (MTA). This integration uses a two-stage process to ensure email protection is as efficient as possible.

    1. Block known threats at SMTP connect:

    First, the IP address of each inbound email is assessed at the SMTP connect stage. This step removes all obvious spam sent from known botnets and spammers’ IP addresses. When an email is blocked at this stage, the sender will immediately receive a notification, ensuring that emails do not lie unread in junk folders for weeks.

    2. Detailed content analysis:

    Emails that pass the initial IP check can then be filtered by content. This step identifies emails containing malware or links to new websites that are controlled by spammers and cybercriminals.

    This stage relies on the following data:

    • Low reputation domains (Domain Blocklist)
    • Zero reputation domains (Zero Reputation Domains)
    • Low reputation resources (Hash Blocklist)

    The Low reputation resources data alone has caught >30% of spam messages for some customers.

  • Datasets included

    The following data is included:

    • Bruteforce IPs (AuthBL)

    IP addresses known to host bots using stolen credentials or brute-forcing SMTP-AUTH (and other authentication protocols), helping detect and mitigate ongoing abuse from malicious login attempts.

    • Compromised IPs (Exploits Blocklist)

    IP addresses exhibiting signs of compromise, which can include downloaded malware, security vulnerabilities allowing unauthorized access, etc. Designed to protect networks from malware and spam by preventing connections from these IPs. Available in binary and contextual format.

    • Email Spam IPs (Combined Spam Sources Blocklist)

    Spam-emitting IPs that are direct snowshoe spam sources or senders posing a risk. This includes emails showing indications of an unsolicited nature, sending malicious emails due to a compromise, and other indicators of low reputation or abuse.

    • Highly malicious networks (DROP)

    The worst of the worst malicious traffic IPs - an advisory to “drop all traffic” - with activity directly originating from rogue networks, such as encryption via ransomware, DNS-hijacking, authentication attacks, harvesting, DDoS attacks, and spam campaigns.

    • Low reputation domains (Domain Blocklist)

    Domains and hosts used for suspicious or malicious activity, e.g., those associated with phishing, spam, malware, botnet command and controllers (C2s), and redirector domains; may be owned by malicious actors or have been hijacked. Available in binary and contextual formats.

    • Low reputation resources (Hash Blocklist)

    The worst of the worst IP traffic - it is an advisory to “drop all traffic” from these IPs. DROP seeks out activity directly originating from rogue networks, such as encryption via ransomware, DNS-hijacking and exploit attempts, authentication attacks to discover working access credentials, harvesting, DDoS attacks, and spam campaigns.

    • Malicious network ranges (Spamhaus Blocklist)

    This dataset exposes IPs being observed in a range of adversarial activities, derived through Open Source Intelligence (OSINT) from Spamhaus' most specialized and experienced researchers.

    • Non-mail emitting IPs (Policy Blocklist)

    IPs that should never send email directly to the MX servers of third parties. Networks add and maintain many of these ranges, resulting in strong data efficacy. Spamhaus supplements by identifying end-user IP space that is observed as having high concentrations of botnet zombies.

    • Zero reputation domains (Zero Reputation Domains)

    Newly registered or newly observed domains. These domains are included in this dataset for 24 hours; newly created domains are rarely used for legitimate purposes within 24 hours of registration, which provides a strong indicator of potential malicious behavior.


    Why does the data have two labels?

    We are moving to more transparent naming conventions. However, some organizations have been consuming these datasets for decades. To avoid confusion for old and new users, we’re currently documenting both names.

  • Suitable users

    Any Halon Protect customer can use this integration. Setup is extremely simple, and you can trial the data free for 30 days.

  • Setting up a 30-day free trial for Spamhaus Data Query Service

    To gain FREE unlimited access for 30 days to Spamhaus’ Data Query Service and the Halon integration, simply complete this form. You’ll receive an email asking you to verify your email address. If you haven’t already, you’ll be prompted to create an account with Spamhaus.

    What happens next?

    Once verified, log in to the Spamhaus Customer Portal to view your API key, which you then enter in Halon’s web interface.

    Overall this process should take just minutes and as soon as you reach the last step of inputting your query key into Halon’s platform, your email stream will be immediately protected in real time.

    Need help?

    If you have any questions, please add them to the comments box in the form. Once you gain access to the data, support is available should you require any.

    Trial duration

    A free trial lasts for 30 days. You’ll receive an email notification before the trial expires. To continue accessing the services, simply log in to the Customer Portal and click “request quote” to upgrade to a paid subscription.
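The SMTP-connect IP check described under “How the integration works”, sketched as an added example (not Halon’s or Spamhaus’ code; inside Halon the integration is pre-configured). It assumes the DQS query form `<reversed-ip>.<key>.zen.dq.spamhaus.net` and the published ZEN return codes, neither of which appears on this page; the key, the sample DNS answers and all function names are constructed for illustration.

```python
import ipaddress

DQS_KEY = "examplekey0000000000000000"  # constructed placeholder, not a real key
ZEN_ZONE = "zen.dq.spamhaus.net"        # assumption: combined IP zone served via DQS

# ZEN return codes mapped to the dataset names used on this page.
LISTED = {
    "127.0.0.2": "Spamhaus Blocklist",
    "127.0.0.3": "Combined Spam Sources Blocklist",
    "127.0.0.4": "Exploits Blocklist",
    "127.0.0.9": "DROP",
    "127.0.0.10": "Policy Blocklist",
    "127.0.0.11": "Policy Blocklist",
}
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # query errors, never listings

def zen_query_name(client_ip, key=DQS_KEY):
    """Reverse the address (octets for IPv4, nibbles for IPv6), then append key and zone."""
    rev = ipaddress.ip_address(client_ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{rev}.{key}.{ZEN_ZONE}"

def classify(answers):
    """Turn the A records of one lookup into (verdict, datasets)."""
    hits, error = set(), False
    for a in answers:
        if a in LISTED:
            hits.add(LISTED[a])
        elif ipaddress.ip_address(a) in ERROR_NET:
            error = True  # e.g. bad key or blocked resolver: alert, do not reject mail
    if hits:
        return "reject", sorted(hits)
    # Codes not in the table above are ignored in this sketch.
    return ("error" if error else "accept"), []

def smtp_connect_decision(client_ip, resolve):
    """resolve(name) returns a list of A-record strings; an empty list means NXDOMAIN."""
    return classify(resolve(zen_query_name(client_ip)))

# Constructed DNS answers for documentation-range addresses.
SAMPLE_DNS = {
    zen_query_name("192.0.2.25"): ["127.0.0.3", "127.0.0.4"],
    zen_query_name("198.51.100.7"): ["127.255.255.254"],
}

def stub_resolve(name):
    return SAMPLE_DNS.get(name, [])
```

The `error` verdict matters operationally: a misconfigured key or resolver returns an answer in `127.255.255.0/24`, and treating any answer as a listing would reject all inbound mail.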

Ready to start your free trial?

Get a free 30-day trial of the Halon Protect integration with Spamhaus’ real-time DNSBLs. No credit card details required.


DQS is so fast – it’s amazing. We get all these benefits for a great price.

Alcides Zanarotti Junior

UOL’s Director of Technology, UOL

Trial More Data

Data Access

Rsync

Incremental synchronization of binary and contextual datasets to local servers, including access to our entire binary DNS blocklist data. Efficiently transfer data by only copying changes between the source and destination.

Data Access

Intelligence API

Integrate context-rich metadata relating to IP and domain reputation to enhance existing data feeds, or consume as an independent data source. Gain additional intelligence to monitor, assess and remediate as required.

Data Access

DNS Response Policy Zones

Access our wide variety of DNS Response Policy Zone files to block or redirect access based on your appetite for risk. We provide the data, you set the terms, configurable to your business’ needs and company requirements/policies.