
SpamAssassin Plug-in

SpamAssassin is the number one enterprise open source anti-spam platform. With the filtering capabilities of SpamAssassin and Spamhaus’ real-time DNS blocklists, block more than 99% of unwanted emails. The plug-in is free, ready to use and delivers instant protection once configured.

Free pre-built plug-in

No need to build complex integrations — the plugin is easy to install, configure, and maintain.

Advanced spam filtering

Stop more than 99% of spam with industry leading low false positive rates.

Customizable setup

Easily adjust the settings for your requirements and email flow.

Spamhaus Real-Time DNSBLs via SpamAssassin

Get real-time protection from over 99% of malicious email, by combining Spamhaus’ industry-leading threat intelligence data with SpamAssassin’s spam filter.

This plug-in adds an additional layer of protection for your email systems, helping to protect users from threats like spam, phishing and malware.

Lower security risks

Avoid costly remediation and protect your organization's reputation.

Lower operational overheads

Filter a large amount of unwanted email early, reducing processing and storage costs.

Maximise resource efficiency

Spend less time on remediation, boosting productivity and time available for other issues.

Integration details

  • Suitable users

    You’ll need an existing SpamAssassin 4.0+ installation on your system.

    You’ll also need access to the real-time DNSBLs via Spamhaus’ Data Query Service (DQS) - this includes non-commercial users with a free DQS account.

  • Access the plug-in

    Go here to access the configuration files for the plug-in and supporting documentation.

  • How the plug-in works

    The plugin requires a valid API key to access Spamhaus data. First, you’ll need to sign up for a Spamhaus DQS account to receive your unique API key. A free account is available for low-volume users.

    Using the API key, the plugin links your SpamAssassin spam filter to Spamhaus’ DNSBLs through DQS. This allows SpamAssassin to perform real-time lookups of Spamhaus’ DNSBLs to determine if an email’s IP, domain, or other internet resources (including email addresses, malicious files, URLs, and crypto wallets) are listed.

  • Datasets included

    The following data is available to users of the commercial Spamhaus DQS:

    • Bruteforce IPs (AuthBL)

    IP addresses known to host bots using stolen credentials or brute-forcing SMTP-AUTH (and other authentication protocols), helping detect and mitigate ongoing abuse from malicious login attempts.

    • Compromised IPs (Exploits Blocklist)

    IP addresses exhibiting signs of compromise, which can include downloaded malware, security vulnerabilities allowing unauthorized access, etc. Designed to protect networks from malware and spam by preventing connections from these IPs. Available in binary and contextual format.

    • Email Spam IPs (Combined Spam Sources Blocklist)

    Spam-emitting IPs that are direct snowshoe spam sources or senders posing a risk. This includes emails showing indications of an unsolicited nature, sending malicious emails due to a compromise, and other indicators of low reputation or abuse.

    • Highly malicious networks (DROP)

    The worst of the worst malicious traffic IPs - an advisory to “drop all traffic” - with activity directly originating from rogue networks, such as encryption via ransomware, DNS-hijacking, authentication attacks, harvesting, DDoS attacks, and spam campaigns.

    • Low reputation domains (Domain Blocklist)

    Domains and hosts used for suspicious or malicious activity, e.g., those associated with phishing, spam, malware, botnet command and controllers (C2s), and redirector domains; may be owned by malicious actors or have been hijacked. Available in binary and contextual formats.

    • Low reputation resources (Hash Blocklist)

    The worst of the worst IP traffic - it is an advisory to “drop all traffic” from these IPs. DROP seeks out activity directly originating from rogue networks, such as encryption via ransomware, DNS-hijacking and exploit attempts, authentication attacks to discover working access credentials, harvesting, DDoS attacks, and spam campaigns.

    • Malicious network ranges (Spamhaus Blocklist)

    This dataset exposes IPs being observed in a range of adversarial activities, derived through Open Source Intelligence (OSINT) from Spamhaus' most specialized and experienced researchers.

    • Non-mail emitting IPs (Policy Blocklist)

    IPs that should never send email directly to the MX servers of third parties. Networks add and maintain many of these ranges, resulting in strong data efficacy. Spamhaus supplements by identifying end-user IP space that is observed as having high concentrations of botnet zombies.

    • Zero reputation domains (Zero Reputation Domains)

    Newly registered or newly observed domains. These domains are included in this dataset for 24 hours; newly created domains are rarely used for legitimate purposes within 24 hours of registration, which provides a strong indicator of potential malicious behavior.


    For a free non-commercial DQS account, all the datasets listed are available to query, with the exception of Low Reputation Resources (Hash Blocklist).


    Why are there two names for the data?

    We are moving to more transparent naming conventions. However, some organizations have been consuming these datasets for decades. To save any confusion, for old or new users, we’re currently documenting both names.

  • Pricing

    The plugin itself is free to use, and can be accessed here.

    Subscriptions for the commercial DQS are based on monthly and per-second query volume, with final costs provided after the trial based on actual usage. Alternatively, please contact our sales team.

    If you are a non-commercial entity or a small business with low query volumes, you may qualify for a Data Query Service account to access our real-time DNSBLs with no subscription costs.

    Here are the terms related to this service.

Ready to use the plug-in?

Download the config and sign up for a free 30-day DQS trial today, and see how simple it can be.


There are a lot of blocklists out there but the only one that’s ever been super trustworthy has been Spamhaus.

Tara Natanson

Manager of ISP Relations, Constant Contact

Trial more data

Data Access

Rsync

Incremental synchronization of binary and contextual datasets to local servers, including access to our entire binary DNS blocklist data. Efficiently transfer data by only copying changes between the source and destination.


Data Access

Intelligence API

Integrate context-rich metadata relating to IP and domain reputation to enhance existing data feeds, or consume as an independent data source. Gain additional intelligence to monitor, assess and remediate as required.


Data Access

DNS Response Policy Zones

Access our wide variety of DNS Response Policy Zone files to block or redirect access based on your appetite for risk. We provide the data, you set the terms, configurable to your business’ needs and company requirements/policies.
