FAQs

A ‘botnet controller,’ ‘botnet C2,’ or ‘botnet command & control’ server is commonly abbreviated to ‘botnet C&C.’ Fraudsters use these to control malware-infected machines (bots) and extract personal and valuable data from malware-infected victims.

Botnet C&Cs play a vital role in operations conducted by cybercriminals who are using infected machines to send out spam or ransomware, launch DDoS attacks, commit e-banking fraud or click fraud, or mine cryptocurrencies such as Bitcoin.
Desktop computers and mobile devices, like smartphones, aren’t the only machines that can become infected. There is an increasing number of devices connected to the internet, for example, the Internet of Things (IoT), devices like webcams, network attached storage (NAS), and many more items. These are also at risk of becoming infected.

To view the current email address reports will be sent to go to account settings. To make changes to this email address please contact us.

We have archive data going back to 2014, however the API accesses a live database that only retains one year’s worth of data.

Record counts vary considerably. The record count for the standard Passive DNS data is around 370 million deduped records. That total doesn’t include some derivative feeds such as the new domain feed, which we generally only make available as an add-on or special stand-alone product.

We do not actively monitor this number. It is certainly in the billions – likely around 40+ billion.

Anyone or any network that has the ability to block or filter IP address ranges on their network by using router equipment can use BGP data feeds.

Yes, we can provide historical data, but this is an additional cost. To find out about pricing, contact sales who will talk through your use case and share the best pricing.

Apply to access the beta domain data via this form. One of our team will be in touch to set up your access. Once you’ve received confirmation that access has been enabled, you can log into the customer portal and create a user profile.

With our free tool, the Blocklist Tester, you can check if your email servers are correctly configured to use the Spamhaus Blocklists. Simply visist: https://blt.spamhaus.com/

The Developer License is available for 6 months.

This portal allows network owners to view and manage IPs listed on Spamhaus’s IP reputation datasets, including:

• Spamhaus Blocklist (SBL)
• eXploits Blocklist (XBL)
• CSS Blocklist (CSS)

Users of the portal can request removals, see their most abused /24s, and set up daily reports of IP listings.

Please note that this portal is only available for those who own IP ranges.

If your email management system indicates that your emails are not being delivered, then a first step is to check the affected IP addresses or domains using the lookup tool on the Spamhaus Blocklist Removal Center.

The listings for both IP addresses and domains are maintained & controlled exclusively by The Spamhaus Project, which has clear procedures for dealing with list removals. Spamhaus Technology and its Authorised Partners manage the datafeed services and associated infrastructure for the threat intelligence listings developed by The Spamhaus Project. The content & policy of listings are exclusively maintained & controlled by The Spamhaus Project.

Yes. The Developer License can be renewed after 6 months.

Registration

• Go to the home page (https:manage.spamhaus.com) and click on Register for an account.
• Complete the form and submit.
• Confirm your email address via the link we email to you.
• Set a password for your account.
• Once the team has approved your application, data from your ranges will populate.
• If we have further questions regarding your application, we will use the Ticket Center for communications.

The Dashboard

• Network overview – displays the number of ranges and IPs assigned to your network and any range requests (additions or deletions) that are currently pending.
• View all ranges and listing summary – see all your ranges, along with the number of listings on the Spamhaus Blocklist (SBL), CSS Blocklist (CSS), and Exploits Blocklist (eXBL).
• Your IP listings – an overview of the total number of SBL, XBL & CSS listings you have across your network and percentage changes over the past 30 days.
• Listing highlights – most recently listed IPs, longest listed IPs and the most abused /24s on your network.

CIDR/Network ranges with listing overview

This lists each network range by /24, along with the corresponding number or percentage change of SBL, XBL and CSS listings for each /24. You can click on the range to see a /24 heatmap and request removals.

Export – you can export all the ranges listed or just those with listings to a CSV file.

/24 heatmap

This provides a clear visual representation of what IPs are listed on the selected /24. Listings can be filtered by blocklist i.e. SBL, CSS and XBL.

To request removal click on the individual IP address.

Removals

• To view why an IP is listed enter the IP address into the search bar or navigate to the listing from the /24 heatmap.
• Read the information provided by our researchers relating to the listing, follow and action any advice provided, check the tick box, and select Next Steps.
• Where possible your request will automatically be actioned, however, in some circumstances we may need to raise a ticket to get further information relating to your request. All correspondence will be done via our Ticket Center.

Tickets – communicating with Spamhaus

• All communications with the Spamhaus team are managed via the Ticket Center including:
  • Questions relating to your account set-up.
  • Adding or deleting ranges.
  • Changing the email address that reports are sent to.
  • Questions relating to removal requests.
  • General questions – these can be submitted via the contact us form.

Listing notifications

Users can use our API to receive notifications of listings or designate a notification email address and receive daily reports of listings in CSV format.

Users

View all the users with access to the Portal for your network.

Reporting preferences

Choose whether you would like to receive reputation updates relating to listings for your network via email, or via the API.

To change the email address these updates are sent to please contact us.

If you’re not sure how well the Spamhaus Blocklists/DNSBLs will perform to reduce incoming spam on your network, and your email traffic is too high to test using our free public DNS mirrors, you can test the Data Query Service service offered by Spamhaus for 30 days, free of charge and with no obligations.

5,000 queries per month are including in the Developer License.

A ‘hijacked netblock’ is a netblock brought back from the dead, also called a ‘zombie netblock’. The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys including registering an abandoned domain name to accept email to the point-of-contact domain contact, or printing up bogus letterhead, or doing a bit of social engineering over the telephone. Some hijackers even outright steal IP space that is allocated to someone else, just by announcing it under their Border Gateway Protocol (BGP) Autonomous System Number (ASN).

ASNs can be hijacked too. Old abandoned ASNs are taken by a spammer, or spammer supplier, to announce various IP ranges. It’s quite possible to have a hijacked netblock advertised by a hijacked ASN!

Click on the robot in the header and select “Reporting Preferences.”

From here, you can select whether you receive them directly via an API or get them sent daily to your specified notification email.

Customers will be able to plug the Spamhaus Intelligence API (SIA) into a SIEM device, however, they will need to develop a connector of some type unless the SIEM can make API calls natively.

Go to your Dashboard and click on “Add rages” or “Delete ranges.” Complete the form and submit. Our team will review your submission and update you via the Ticket Center.

The application process is designed to allow organizations to initiate an application without committing to taking the service or making a payment, until they are satisfied with the service and have agreed to the service terms. The process is:

1. Complete and submit the sign up form for either a free 30 day trial or free service account form
2. Receive and click on the email validation link to confirm your interest to us
3. For Passive DNS and Data Query Service you will gain immediate access to the data. For DNS Firewall and Border Gateway Protocol (BGP) Feeds we require a small amount of time to set you up.
4. You will be sent an email confirming your data access. This email will also contain instructions on how to access the data.
5. You will be given a Spamhaus Customer Portal account to access your service agreement, technical manual(s), contact for help, and subscription options if required.
6. Please Note: Your contract for the Datafeed/Service is directly with Spamhaus and its Partners, and not with The Spamhaus Project. The Spamhaus Project does not have any commercial activities.

If free additional query volumes are needed for short testing periods, please contact our team, providing your use case and requirements.

It is a yearly subscription.

Data received from subscribers contains no Personally Identifiable Information (PII) so there is no compromise of organizational, customer or employee data. All data is transported to Spamhaus with encryption in place.

Passive DNS does not store which client (or person) made a query, just the fact that at some point in time, a domain has been associated with a specific DNS record . This ensures that privacy is maintained throughout the system.

BGP datafeeds are designed to serve null advisories to ISPs or network providers using BGP, which is implemented on the router level. However, Spamhaus also offers the DROP list in plain text format which can be implemented using nearly any kind of device or software (eg. Network gateways, Firewalls, Web-proxies etc).

The term “Initial Access Brokers” (IABs) refers to threat actors who operate in groups trying to breach corporate networks. They use various tactics, techniques, and procedures (TTPs) to achieve their goals.

Once they have penetrated a network, they will ascertain key facts relating to the breached network, for example, location, size, and industry. This enables them to place a value on an asset. The broker will then negotiate with potential buyers who want to purchase access to the victim’s network.

Spamhaus Technology and its Partners manage the datafeed services and associated infrastructure for the threat intelligence listings developed by The Spamhaus Project.

The content & policy of listings, for IP addresses and domains, are maintained & controlled exclusively by The Spamhaus Project which has clear procedures for dealing with list removals. Please start by using the Spamhaus Blocklist Removal Center lookup tool, and follow the instructions from there.

This is done via an API call as detailed in our technical documentation.

There are two query limits: Soft and hard.  The soft limit will generate a warning email.  The hard limit will prevent access.  Further information can be found in our technical documentation.

No. If you adopt the BGP data feeds or the botnet C&C list in your network, you are not allowed to redistribute the feed to other networks. The export of these feeds/prefixes to other networks is prohibited. Please see our Terms & Conditions.

Spamhaus wants to ensure that its data is only given to reputable and qualified organizations, therefore we need to know who you are before offering you access to Spamhaus data.

The Spamhaus Service Agreement is between you and Spamhaus and our Partners. You can view these service terms when you sign up for a free trial or free service account, before clicking submit.

As a Spamhaus customer, you also have access to the Spamhaus Service Agreement via the Customer Portal, which can be downloaded in PDF format.

Currently, the Extended Exploits Blocklists (eXBL) is available via SIA.  However, there are plans to introduce additional datasets soon.

Only CIDR formats up to /24 can queried in SIA.

Yes. Where volume and usage hasn’t changed for a customer, we adjust pricing approximately every two years in line with inflation and market value. For customers whose usage has changed their pricing will be changed accordingly, annually on renewal. There will be exceptional cases where changes may be made mid-contract, where usage is greatly exceeding contracted limits.

The datasets accessed via the API are built from our broad-reaching sensor network, the same that is used to compile our DNS Blocklists.  Through machine learning, heuristics and manual investigation connections are analyzed to identify indicators of compromise.

Spamhaus evaluates every Datafeed service application to ensure the applicant is bona fide, and is not involved in the provision or support of spam services. We reserve the right to refuse a service at our discretion.

Refusal may be due to a number of issues, including supplying to ISPs with excessive listings on any of our datasets. Everyone who uses the internet has a responsibility to keep it a safe environment. Any ISPs who we deem to have excessive abuse on their network, and are doing little to remediate the issues will not get access to our data.

DNS Firewall Threat Feeds are Response Policy Zone (RPZ) feeds that provide automatic protection against phishing sites and malware downloads. They are delivered in industry standard RPZ format which allows a recursive DNS resolver to choose specific actions to be performed. This includes dropping, blocking, and passing through traffic.

There are many networks, domains, and IP addresses on the internet whose sole purpose is to cause harm to or steal information from unsuspecting users who visit their servers and sites.

For example: a phishing domain, created for the sole purpose of stealing data, can be used for a spam campaign that is sent to users on your network asking them to verify their account. The email is received and is not blocked by your spam filtering, so the message gets delivered into your user’s inbox. When the user clicks on the link to verify their account, because the site is listed in the Threat Feeds, their computer is unable to resolve the phishing website.

This action will protect your user from surrendering their personal information, and potentially prevent their workstation from becoming infected with botnet software. Blocking malicious content also offers you the potential to educate your users immediately.

If you chose to use Spamhaus’ Managed Service this is not an issue. However, where you are running your own DNS infrastructure and want to use our Dedicated Service, here are our recommendations:

While it is possible that the current hardware that is running your DNS resolver may be able to handle the processing of DNS Firewall Threat Feeds, we recommend the following hardware configuration:

8 core CPU
8 gigabytes of RAM
Bare-metal dedicated server

Please ensure that you are running the most up-to-date version of your resolver software.

A DNS resolver will return an NXDOMAIN (invalid domain) response when it is matched against a threat feed listing.

Those utilizing the Dedicated Service can point to an internal IP resource that will allow the block to redirect to an information page that can provide a warning, some education, or insight into why something was blocked.

Log into your server and run the following command(s):

• curl -4 https://deteque.com/whatsmyip/
• curl -6 https://deteque.com/whatsmyip/

The result from these commands will provide you with the IP that you need to enter into our Customer Portal under the Access tab of your DNS firewall settings.

Please note that if you have multiple servers pointing to our services, you will need to run this command on each server that you will be pointing to our service.

Once you have entered the IP addresses, it can take up to one hour to be provisioned in our systems.

The DROP list contains network ranges which can cause so much damage that Spamhaus provides it to all, free-of-charge. We believe that due to the vital nature of the DROP list data, it will be available free-of-charge to any place, regardless of size or business type, to protect internet users. If you wish to redistribute the plain text feeds, name Spamhaus as source of the data and retain both the copyright statement and the date & time stamps at the top of the text file.

Rbldnsd defines a few different dataset types. To optimize performance and memory usage, we recommend Datafeed users to choose ip4set for SBL and SWL, ip4trie for PBL, and ip4tset for XBL.

However, using ip4tset will result in a return code 127.0.0.4 for all XBL listings. In the majority of cases this is acceptable, but if you need to distinguish between the different XBL return codes you should use ip4set also for XBL.

DBL and DWL must always use the dnset dataset type.

Public mirrors are required to use ip4set for all the IP zones, and dnset for DBL and DWL.

Please DO NOT auto-fetch the DROP list more than once per hour.

The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled.

The major part of spam filtering done by appliances such as the Barracuda is DNSBL filtering. If you are using any Spamhaus lookup in any part of a Barracuda or similar spam filter appliance you must ensure that you have a current Spamhaus Data Query Service (DQS) subscription.

Historically, we have had cases of people using the Free Spamhaus Public Mirrors in conjunction with Barracuda appliances. This is an abuse of the Free Public Mirrors usage terms: If an organization’s email volume is big enough to require a Barracuda or similar spam filter appliance, then it almost certain that their usage will be above the limits applied to the free public DNSBL servers. Due to substained abuse of these public mirrors, and the Free low-volume DQS account, a control system has been implemented, and over-queriers will be flagged and blocked.

Please ensure that if you are using Spamhaus DNSBLs in any part of your corporate spam filtering setup, you have a current Spamhaus DQS subscription.

DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list.

• The DROP list will not include any IP space allocated to a legitimate network and reassigned.
• DROP does include netblocks that are hijacked or leased by professional spam or cybercrime operations (used for dissemination of malware, trojan downloaders, botnet controllers, etc).
• These are direct allocations from ARIN, RIPE, APNIC, LACNIC, or other Regional Internet Registries and “portable allocations” (known as “PI”) from RIPE.

The EDROP list includes net blocks controlled by professional spammers and cyber criminals that are not directly allocated, thus it will contain only netblocks that are sub-allocations.