FAQs

Anyone or any network that has the ability to block or filter IP address ranges on their network by using router equipment can use BGP data feeds.

To view the current email address reports will be sent to go to account settings. To make changes to this email address please contact us.

We have archive data going back to 2014, however the API accesses a live database that only retains one year’s worth of data.

Record counts vary considerably. The record count for the standard Passive DNS data is around 370 million deduped records. That total doesn’t include some derivative feeds such as the new domain feed, which we generally only make available as an add-on or special stand-alone product.

We do not actively monitor this number. It is certainly in the billions – likely around 40+ billion.

Yes, we can provide historical data, but this is an additional cost. To find out about pricing, contact sales who will talk through your use case and share the best pricing.

Apply to access the beta domain data via this form. One of our team will be in touch to set up your access. Once you’ve received confirmation that access has been enabled, you can log into the customer portal and create a user profile.

Yes, the domain is rated as neutral.

A ‘botnet controller,’ ‘botnet C2,’ or ‘botnet command & control’ server is commonly abbreviated to ‘botnet C&C.’ Fraudsters use these to control malware-infected machines (bots) and extract personal and valuable data from malware-infected victims.

Botnet C&Cs play a vital role in operations conducted by cybercriminals who are using infected machines to send out spam or ransomware, launch DDoS attacks, commit e-banking fraud or click fraud, or mine cryptocurrencies such as Bitcoin.
Desktop computers and mobile devices, like smartphones, aren’t the only machines that can become infected. There is an increasing number of devices connected to the internet, for example, the Internet of Things (IoT), devices like webcams, network attached storage (NAS), and many more items. These are also at risk of becoming infected.

With our free tool, the Blocklist Tester, you can check if your email servers are correctly configured to use the Spamhaus Blocklists. Simply visist: https://blt.spamhaus.com/

No, tags are not included in the MalwareBazaar historical malware sample data (full.csv).

A file can only be present once on MalwareBazaar, therefore it is not technically possible to upload two copies of the same sample.

MalwareBazaar only tracks malware samples. No adware (PUA/PUP). No benign files. Samples older than 10 days, PUAs/PUPs and benign files should not be uploaded to the repository.

There are some mechanisms in place to flag PUA/PUP files, where files are reviewed and removed manually by the admin. However, it is important to note that there is no automatic enforcement of the PUA/PUP policy.

Submission vetting is manual and relies on researchers and users reporting such submissions. Where unacceptable files are reported by the community, files are removed promptly, and the responsible user banned.

For email, a reputation score of -5 would mean a domain is listed, and when used by organizations that filter and block email, this domain would be blocked. 

However, in cybersecurity, you are dealing with levels of risk. As the reputation score is unrelated to whether the domain is benign, suspicious or malicious, it is more difficult to allocate a score threshold related to definitions or grades of maliciousness. You would need at least two fields to get a maliciousness score – for example, the reputation score and a tag associated with malicious behavior.

Here is an example:

Domain: example.com
Score: -6
Tags: malware

A score of -6 is not automatically malicious. A tag of “malware” does not necessarily mean it’s malicious either, as many large service providers have tags such as “malware” or “phishing” associated with their domain. At a minimum, you would need both fields to determine, within your own business, a threshold score defining malicious domains while minimizing false positives. 

If a domain is not in our database, you will receive a 404 error. Please be aware that Spamhaus Intelligence API also does not accept subdomains and will return a 404 error.

No. The score is based on a summary of IOCs and signals and is a measure of reputation, not maliciousness.

Therefore, a score of -50 indicates that a domain has a very poor reputation. The reason that reputation is poor will depend on the IOCs and metadata associated with that entity. For example, it may be due to phishing if the metadata collected implies this.

Poor reputation can also be achieved by association, e.g., with negatively rated domains, ASNs, registries, etc. Again, these are signals rather than conclusions of malicious activity.

It’s also important to note that not all entities will have IOCs from the same sources. For example, a reputation score of 10 from the dimension “human (research)” is proportional with what we know when we allocate the score based on available sources. If another domain has a score of 10, but this time from the “identity” dimension, it will be in line with what we know at the time, based on the sources we have. i.e., it is not meant to be conclusive evidence of good or bad.

There are two Botnet Controller Lists:

1. “BCL – Decidcated” which lists IPs of servers dedicated to hosting botnet C&Cs only.
2. “BCL – Compromised” which lists the IP addresses of legitimate devices that bad actors have compromised and are using to host botnet C&Cs. As a result, there is a minimal chance that null routing these nodes can potentially lead to blocking legitimate traffic that these devices are supposed to generate or receive.

We provide these compromised entries as a separate community to allow users to choose whether they want to include this data. However, we do recommend that all users include this community. It is irrelevant whether a device is being used for legitimate purposes. If it hosts a botnet C&C, you should block packets between your network and this IP address. The hosting provider of this IP address will have received an abuse report detailing the problem on their network, and the time to live (TTL) of compromised BCL listings is significantly shorter than dedicated BCL listings. Therefore, the chance of blocking legitimate traffic is minimal.

Yes. In addition to the reputation score, relevant domains may be categorized with one of the following tags: “abused,” “adware,” “botnet,” “botnetcc,” “cdn,” or “compromised.”

You find more information here: https://docs.spamhaus.com/sia/docs/source/10-API-Interface/310-Domains.html#tag-list.

There is no limit. However, +/—50 would indicate a very good/bad reputation.

The eDROP list was combined into the DROP list on 10 April 2024. So, the protection offered by eDROP can now be gained by utilizing the DROP list alone.

For more information on why this update was made, please read this blog post from The Spamhaus Project: https://www.spamhaus.org/resource-hub/network-security/spamhaus-drop-and-edrop-to-become-a-single-list/

URLhaus data is available as of June 6, 2024. You can utilize the data through the Developer License, free for six months, which also enables you to provide feedback on the data and usability. More datasets from abuse.ch will become available in API format as part of our broader partnership with abuse.ch.

If your email management system indicates that your emails are not being delivered, then a first step is to check the affected IP addresses or domains using the lookup tool on the Spamhaus Blocklist Removal Center.

The listings for both IP addresses and domains are maintained & controlled exclusively by The Spamhaus Project, which has clear procedures for dealing with list removals. Spamhaus Technology and its Authorised Partners manage the datafeed services and associated infrastructure for the threat intelligence listings developed by The Spamhaus Project. The content & policy of listings are exclusively maintained & controlled by The Spamhaus Project.

The Developer License is available for 6 months.

This portal allows network owners to view and manage IPs listed on Spamhaus’s IP reputation datasets, including:

• Spamhaus Blocklist (SBL)
• eXploits Blocklist (XBL)
• CSS Blocklist (CSS)

Users of the portal can request removals, see their most abused /24s, and set up daily reports of IP listings.

Please note that this portal is only available for those who own IP ranges.

To make a submission to abuse.ch, you will need to authenticate using this platform https://auth.abuse.ch/.

Full details on the process for submissions are detailed below:

• Malware samples to MalwareBazaar: https://bazaar.abuse.ch/upload/
• Malware URLs to URLhaus: https://urlhaus.abuse.ch/
• Indicators of compromise (IOCs) to ThreatFox: https://threatfox.abuse.ch/share/
• Deploy YARA rules via YARAify:https://yaraify.abuse.ch/yarahub/

If you’re not sure how well the Spamhaus Blocklists/DNSBLs will perform to reduce incoming spam on your network, and your email traffic is too high to test using our free public DNS mirrors, you can test the Data Query Service service offered by Spamhaus for 30 days, free of charge and with no obligations.

Yes. The Developer License can be renewed after 6 months.

Registration

• Go to the home page (https:manage.spamhaus.com) and click on Register for an account.
• Complete the form and submit.
• Confirm your email address via the link we email to you.
• Set a password for your account.
• Once the team has approved your application, data from your ranges will populate.
• If we have further questions regarding your application, we will use the Ticket Center for communications.

The Dashboard

• Network overview – displays the number of ranges and IPs assigned to your network and any range requests (additions or deletions) that are currently pending.
• View all ranges and listing summary – see all your ranges, along with the number of listings on the Spamhaus Blocklist (SBL), CSS Blocklist (CSS), and Exploits Blocklist (eXBL).
• Your IP listings – an overview of the total number of SBL, XBL & CSS listings you have across your network and percentage changes over the past 30 days.
• Listing highlights – most recently listed IPs, longest listed IPs and the most abused /24s on your network.

CIDR/Network ranges with listing overview

This lists each network range by /24, along with the corresponding number or percentage change of SBL, XBL and CSS listings for each /24. You can click on the range to see a /24 heatmap and request removals.

Export – you can export all the ranges listed or just those with listings to a CSV file.

/24 heatmap

This provides a clear visual representation of what IPs are listed on the selected /24. Listings can be filtered by blocklist i.e. SBL, CSS and XBL.

To request removal click on the individual IP address.

Removals

• To view why an IP is listed enter the IP address into the search bar or navigate to the listing from the /24 heatmap.
• Read the information provided by our researchers relating to the listing, follow and action any advice provided, check the tick box, and select Next Steps.
• Where possible your request will automatically be actioned, however, in some circumstances we may need to raise a ticket to get further information relating to your request. All correspondence will be done via our Ticket Center.

Tickets – communicating with Spamhaus

• All communications with the Spamhaus team are managed via the Ticket Center including:
  • Questions relating to your account set-up.
  • Adding or deleting ranges.
  • Changing the email address that reports are sent to.
  • Questions relating to removal requests.
  • General questions – these can be submitted via the contact us form.

Listing notifications

Users can use our API to receive notifications of listings or designate a notification email address and receive daily reports of listings in CSV format.

Users

View all the users with access to the Portal for your network.

Reporting preferences

Choose whether you would like to receive reputation updates relating to listings for your network via email, or via the API.

To change the email address these updates are sent to please contact us.

If you believe a listing may be a false positive or should be removed from the URLhaus database, you can report this to abuse.ch in the URLhaus web interface.

Please follow the below steps:

1. Search for the URL or Domain here: https://urlhaus.abuse.ch/browse/
2. Select the entry.
3. Select the “Actions” dropdown.
4. Select “Report a False Positive”.

A ‘hijacked netblock’ is a netblock brought back from the dead, also called a ‘zombie netblock’. The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys including registering an abandoned domain name to accept email to the point-of-contact domain contact, or printing up bogus letterhead, or doing a bit of social engineering over the telephone. Some hijackers even outright steal IP space that is allocated to someone else, just by announcing it under their Border Gateway Protocol (BGP) Autonomous System Number (ASN).

ASNs can be hijacked too. Old abandoned ASNs are taken by a spammer, or spammer supplier, to announce various IP ranges. It’s quite possible to have a hijacked netblock advertised by a hijacked ASN!

5,000 queries per month are including in the Developer License.

Customers will be able to plug the Spamhaus Intelligence API (SIA) into a SIEM device, however, they will need to develop a connector of some type unless the SIEM can make API calls natively.

Click on the robot in the header and select “Reporting Preferences.”

From here, you can select whether you receive them directly via an API or get them sent daily to your specified notification email.

Each of abuse.ch’s platforms has its submission policy, detailed below. If your submissions are outside the policy, your access to submit data will be revoked.

• URLhaus (malware URLs): https://urlhaus.abuse.ch/api/#policy
• MalwareBazaar (confirmed malware files): https://bazaar.abuse.ch/api/#policy
• ThreatFox (confirmed indicators of compromise): https://threatfox.abuse.ch/faq/#policy

The application process is designed to allow organizations to initiate an application without committing to taking the service or making a payment, until they are satisfied with the service and have agreed to the service terms. The process is:

1. Complete and submit the sign up form for either a free 30 day trial or free service account form
2. Receive and click on the email validation link to confirm your interest to us
3. For Passive DNS and Data Query Service you will gain immediate access to the data. For DNS Firewall and Border Gateway Protocol (BGP) Feeds we require a small amount of time to set you up.
4. You will be sent an email confirming your data access. This email will also contain instructions on how to access the data.
5. You will be given a Spamhaus Customer Portal account to access your service agreement, technical manual(s), contact for help, and subscription options if required.
6. Please Note: Your contract for the Datafeed/Service is directly with Spamhaus and its Partners, and not with The Spamhaus Project. The Spamhaus Project does not have any commercial activities.

If free additional query volumes are needed for short testing periods, please contact our team, providing your use case and requirements.

Go to your Dashboard and click on “Add rages” or “Delete ranges.” Complete the form and submit. Our team will review your submission and update you via the Ticket Center.

If you are blocked from making submissions via any of abuse.ch’s platforms, you have likely violated the relevant submission policy. All policies are detailed below:

• URLhaus (malware URLs only): https://urlhaus.abuse.ch/api/#policy
• MalwareBazaar (confirmed malware files only): https://bazaar.abuse.ch/api/#policy
• ThreatFox (confirmed indicators of compromise only): https://threatfox.abuse.ch/faq/#policy

To reinstate access, please get in touch with abuse.ch using the above form, confirming you have read and agreed to the applicable policy.

BGP datafeeds are designed to serve null advisories to ISPs or network providers using BGP, which is implemented on the router level. However, Spamhaus also offers the DROP list in plain text format which can be implemented using nearly any kind of device or software (eg. Network gateways, Firewalls, Web-proxies etc).

Data received from subscribers contains no Personally Identifiable Information (PII) so there is no compromise of organizational, customer or employee data. All data is transported to Spamhaus with encryption in place.

Passive DNS does not store which client (or person) made a query, just the fact that at some point in time, a domain has been associated with a specific DNS record . This ensures that privacy is maintained throughout the system.

It is a yearly subscription.

Spamhaus Technology and its Partners manage the datafeed services and associated infrastructure for the threat intelligence listings developed by The Spamhaus Project.

The content & policy of listings, for IP addresses and domains, are maintained & controlled exclusively by The Spamhaus Project which has clear procedures for dealing with list removals. Please start by using the Spamhaus Blocklist Removal Center lookup tool, and follow the instructions from there.

This is done via an API call as detailed in our technical documentation.

The term “Initial Access Brokers” (IABs) refers to threat actors who operate in groups trying to breach corporate networks. They use various tactics, techniques, and procedures (TTPs) to achieve their goals.

Once they have penetrated a network, they will ascertain key facts relating to the breached network, for example, location, size, and industry. This enables them to place a value on an asset. The broker will then negotiate with potential buyers who want to purchase access to the victim’s network.

No. If you adopt the BGP data feeds or the botnet C&C list in your network, you are not allowed to redistribute the feed to other networks. The export of these feeds/prefixes to other networks is prohibited. Please see our Terms & Conditions.

There are two query limits: Soft and hard.  The soft limit will generate a warning email.  The hard limit will prevent access.  Further information can be found in our technical documentation.

No, IPv6 addresses are not listed in the Botnet Controller List at this time. Miscreants do not currently use these to host botnet command and controllers.

Once our researchers observe botnet command and controllers hosted on IPv6 addresses, they will be listed immediately.

Spamhaus wants to ensure that its data is only given to reputable and qualified organizations, therefore we need to know who you are before offering you access to Spamhaus data.

The Spamhaus Service Agreement is between you and Spamhaus and our Partners. You can view these service terms when you sign up for a free trial or free service account, before clicking submit.

As a Spamhaus customer, you also have access to the Spamhaus Service Agreement via the Customer Portal, which can be downloaded in PDF format.

Currently, the Extended Exploits Blocklists (eXBL) is available via SIA.  However, there are plans to introduce additional datasets soon.

Yes. Where volume and usage hasn’t changed for a customer, we adjust pricing approximately every two years in line with inflation and market value. For customers whose usage has changed their pricing will be changed accordingly, annually on renewal. There will be exceptional cases where changes may be made mid-contract, where usage is greatly exceeding contracted limits.

Only CIDR formats up to /24 can queried in SIA.

Spamhaus evaluates every Datafeed service application to ensure the applicant is bona fide, and is not involved in the provision or support of spam services. We reserve the right to refuse a service at our discretion.

Refusal may be due to a number of issues, including supplying to ISPs with excessive listings on any of our datasets. Everyone who uses the internet has a responsibility to keep it a safe environment. Any ISPs who we deem to have excessive abuse on their network, and are doing little to remediate the issues will not get access to our data.

The datasets accessed via the API are built from our broad-reaching sensor network, the same that is used to compile our DNS Blocklists.  Through machine learning, heuristics and manual investigation connections are analyzed to identify indicators of compromise.

DNS Firewall Threat Feeds are Response Policy Zone (RPZ) feeds that provide automatic protection against phishing sites and malware downloads. They are delivered in industry standard RPZ format which allows a recursive DNS resolver to choose specific actions to be performed. This includes dropping, blocking, and passing through traffic.

There are many networks, domains, and IP addresses on the internet whose sole purpose is to cause harm to or steal information from unsuspecting users who visit their servers and sites.

For example: a phishing domain, created for the sole purpose of stealing data, can be used for a spam campaign that is sent to users on your network asking them to verify their account. The email is received and is not blocked by your spam filtering, so the message gets delivered into your user’s inbox. When the user clicks on the link to verify their account, because the site is listed in the Threat Feeds, their computer is unable to resolve the phishing website.

This action will protect your user from surrendering their personal information, and potentially prevent their workstation from becoming infected with botnet software. Blocking malicious content also offers you the potential to educate your users immediately.

If you chose to use Spamhaus’ Managed Service this is not an issue. However, where you are running your own DNS infrastructure and want to use our Dedicated Service, here are our recommendations:

While it is possible that the current hardware that is running your DNS resolver may be able to handle the processing of DNS Firewall Threat Feeds, we recommend the following hardware configuration:

8 core CPU
8 gigabytes of RAM
Bare-metal dedicated server

Please ensure that you are running the most up-to-date version of your resolver software.

A DNS resolver will return an NXDOMAIN (invalid domain) response when it is matched against a threat feed listing.

Those utilizing the Dedicated Service can point to an internal IP resource that will allow the block to redirect to an information page that can provide a warning, some education, or insight into why something was blocked.

Log into your server and run the following command(s):

• curl -4 https://deteque.com/whatsmyip/
• curl -6 https://deteque.com/whatsmyip/

The result from these commands will provide you with the IP that you need to enter into our Customer Portal under the Access tab of your DNS firewall settings.

Please note that if you have multiple servers pointing to our services, you will need to run this command on each server that you will be pointing to our service.

Once you have entered the IP addresses, it can take up to one hour to be provisioned in our systems.

Rbldnsd defines a few different dataset types. To optimize performance and memory usage, we recommend Datafeed users to choose ip4set for SBL and SWL, ip4trie for PBL, and ip4tset for XBL.

However, using ip4tset will result in a return code 127.0.0.4 for all XBL listings. In the majority of cases this is acceptable, but if you need to distinguish between the different XBL return codes you should use ip4set also for XBL.

DBL and DWL must always use the dnset dataset type.

Public mirrors are required to use ip4set for all the IP zones, and dnset for DBL and DWL.

The DROP list contains network ranges which can cause so much damage that Spamhaus provides it to all, free-of-charge. We believe that due to the vital nature of the DROP list data, it will be available free-of-charge to any place, regardless of size or business type, to protect internet users. If you wish to redistribute the plain text feeds, name Spamhaus as source of the data and retain both the copyright statement and the date & time stamps at the top of the text file.

Please DO NOT auto-fetch the DROP list more than once per hour.

The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled.

The major part of spam filtering done by appliances such as the Barracuda is DNSBL filtering. If you are using any Spamhaus lookup in any part of a Barracuda or similar spam filter appliance you must ensure that you have a current Spamhaus Data Query Service (DQS) subscription.

Historically, we have had cases of people using the Free Spamhaus Public Mirrors in conjunction with Barracuda appliances. This is an abuse of the Free Public Mirrors usage terms: If an organization’s email volume is big enough to require a Barracuda or similar spam filter appliance, then it almost certain that their usage will be above the limits applied to the free public DNSBL servers. Due to substained abuse of these public mirrors, and the Free low-volume DQS account, a control system has been implemented, and over-queriers will be flagged and blocked.

Please ensure that if you are using Spamhaus DNSBLs in any part of your corporate spam filtering setup, you have a current Spamhaus DQS subscription.

DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list.

• The DROP list will not include any IP space allocated to a legitimate network and reassigned.
• DROP does include netblocks that are hijacked or leased by professional spam or cybercrime operations (used for dissemination of malware, trojan downloaders, botnet controllers, etc).
• These are direct allocations from ARIN, RIPE, APNIC, LACNIC, or other Regional Internet Registries and “portable allocations” (known as “PI”) from RIPE.

The EDROP list includes net blocks controlled by professional spammers and cyber criminals that are not directly allocated, thus it will contain only netblocks that are sub-allocations.