Frequently asked questions relating to our products and data. If you have a question that isn't answered here, please feel free to contact us with it.
Anyone or any network that has the ability to block or filter IP address ranges on their network by using router equipment can use BGP data feeds.
To view the email address that reports are currently sent to, go to account settings. To make changes to this email address, please contact us.
We have archive data going back to 2014, however the API accesses a live database that only retains one year’s worth of data.
Record counts vary considerably. The record count for the standard Passive DNS data is around 370 million deduped records. That total doesn’t include some derivative feeds such as the new domain feed, which we generally only make available as an add-on or special stand-alone product.
We do not actively monitor this number. It is certainly in the billions – likely around 40+ billion.
Yes, we can provide historical data, but this is an additional cost. To find out about pricing, contact sales who will talk through your use case and share the best pricing.
Apply to access the beta domain data via this form. One of our team will be in touch to set up your access. Once you’ve received confirmation that access has been enabled, you can log into the customer portal and create a user profile.
A ‘botnet controller,’ ‘botnet C2,’ or ‘botnet command & control’ server is commonly abbreviated to ‘botnet C&C.’ Fraudsters use these to control malware-infected machines (bots) and extract personal and valuable data from malware-infected victims.
Botnet C&Cs play a vital role in operations conducted by cybercriminals who are using infected machines to send out spam or ransomware, launch DDoS attacks, commit e-banking fraud or click fraud, or mine cryptocurrencies such as Bitcoin.
Desktop computers and mobile devices, like smartphones, aren’t the only machines that can become infected. There is an increasing number of devices connected to the internet, for example, the Internet of Things (IoT), devices like webcams, network attached storage (NAS), and many more items. These are also at risk of becoming infected.
With our free tool, the Blocklist Tester, you can check if your email servers are correctly configured to use the Spamhaus Blocklists. Simply visit: https://blt.spamhaus.com/
No, tags are not included in the MalwareBazaar historical malware sample data (full.csv).
A file can only be present once on MalwareBazaar, therefore it is not technically possible to upload two copies of the same sample.
MalwareBazaar only tracks malware samples. No adware (PUA/PUP). No benign files. Samples older than 10 days, PUAs/PUPs and benign files should not be uploaded to the repository.
There are some mechanisms in place to flag PUA/PUP files, where files are reviewed and removed manually by the admin. However, it is important to note that there is no automatic enforcement of the PUA/PUP policy.
Submission vetting is manual and relies on researchers and users reporting such submissions. Where unacceptable files are reported by the community, files are removed promptly, and the responsible user banned.
If your email management system indicates that your emails are not being delivered, then a first step is to check the affected IP addresses or domains using the lookup tool on the Spamhaus Blocklist Removal Center.
The listings for both IP addresses and domains are maintained & controlled exclusively by The Spamhaus Project, which has clear procedures for dealing with list removals. Spamhaus Technology and its Authorised Partners manage the datafeed services and associated infrastructure for the threat intelligence listings developed by The Spamhaus Project. The content & policy of listings are exclusively maintained & controlled by The Spamhaus Project.
The Developer License is available for 6 months.
This portal allows network owners to view and manage IPs listed on Spamhaus’s IP reputation datasets, including:
Users of the portal can request removals, see their most abused /24s, and set up daily reports of IP listings.
Please note that this portal is only available for those who own IP ranges.
To make a submission to abuse.ch, you will need to authenticate using this platform https://auth.abuse.ch/.
Full details on the process for submissions are detailed below:
If you’re not sure how well the Spamhaus Blocklists/DNSBLs will perform to reduce incoming spam on your network, and your email traffic is too high to test using our free public DNS mirrors, you can test the Data Query Service offered by Spamhaus for 30 days, free of charge and with no obligations.
Yes. The Developer License can be renewed after 6 months.
This lists each network range by /24, along with the corresponding number or percentage change of SBL, XBL and CSS listings for each /24. You can click on the range to see a /24 heatmap and request removals.
Export – you can export all the ranges listed or just those with listings to a CSV file.
This provides a clear visual representation of what IPs are listed on the selected /24. Listings can be filtered by blocklist i.e. SBL, CSS and XBL.
To request removal click on the individual IP address.
Users can use our API to receive notifications of listings or designate a notification email address and receive daily reports of listings in CSV format.
View all the users with access to the Portal for your network.
Choose whether you would like to receive reputation updates relating to listings for your network via email, or via the API.
To change the email address these updates are sent to please contact us.
If you believe a listing may be a false positive or should be removed from the URLhaus database, you can report this to abuse.ch in the URLhaus web interface.
Please follow the below steps:
A ‘hijacked netblock’ is a netblock brought back from the dead, also called a ‘zombie netblock’. The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys including registering an abandoned domain name to accept email to the point-of-contact domain contact, or printing up bogus letterhead, or doing a bit of social engineering over the telephone. Some hijackers even outright steal IP space that is allocated to someone else, just by announcing it under their Border Gateway Protocol (BGP) Autonomous System Number (ASN).
ASNs can be hijacked too. Old abandoned ASNs are taken by a spammer, or spammer supplier, to announce various IP ranges. It’s quite possible to have a hijacked netblock advertised by a hijacked ASN!
5,000 queries per month are included in the Developer License.
Customers will be able to plug the Spamhaus Intelligence API (SIA) into a SIEM device, however, they will need to develop a connector of some type unless the SIEM can make API calls natively.
Click on the robot in the header and select “Reporting Preferences.”
From here, you can select whether you receive them directly via an API or get them sent daily to your specified notification email.
Each of abuse.ch’s platforms has its own submission policy, detailed below. If your submissions are outside the policy, your access to submit data will be revoked.
The application process is designed to allow organizations to initiate an application without committing to taking the service or making a payment, until they are satisfied with the service and have agreed to the service terms. The process is:
If free additional query volumes are needed for short testing periods, please contact our team, providing your use case and requirements.
Go to your Dashboard and click on “Add ranges” or “Delete ranges.” Complete the form and submit. Our team will review your submission and update you via the Ticket Center.
If you are blocked from making submissions via any of abuse.ch’s platforms, you have likely violated the relevant submission policy. All policies are detailed below:
To reinstate access, please get in touch with abuse.ch using the above form, confirming you have read and agreed to the applicable policy.
BGP datafeeds are designed to serve null advisories to ISPs or network providers using BGP, which is implemented at the router level. However, Spamhaus also offers the DROP list in plain text format, which can be implemented using nearly any kind of device or software (e.g. network gateways, firewalls, web proxies, etc.).
Data received from subscribers contains no Personally Identifiable Information (PII) so there is no compromise of organizational, customer or employee data. All data is transported to Spamhaus with encryption in place.
Passive DNS does not store which client (or person) made a query, just the fact that at some point in time, a domain has been associated with a specific DNS record. This ensures that privacy is maintained throughout the system.
It is a yearly subscription.
Spamhaus Technology and its Partners manage the datafeed services and associated infrastructure for the threat intelligence listings developed by The Spamhaus Project.
The content & policy of listings, for IP addresses and domains, are maintained & controlled exclusively by The Spamhaus Project which has clear procedures for dealing with list removals. Please start by using the Spamhaus Blocklist Removal Center lookup tool, and follow the instructions from there.
This is done via an API call as detailed in our technical documentation.
The term “Initial Access Brokers” (IABs) refers to threat actors who operate in groups trying to breach corporate networks. They use various tactics, techniques, and procedures (TTPs) to achieve their goals.
Once they have penetrated a network, they will ascertain key facts relating to the breached network, for example, location, size, and industry. This enables them to place a value on an asset. The broker will then negotiate with potential buyers who want to purchase access to the victim’s network.
No. If you adopt the BGP data feeds or the botnet C&C list in your network, you are not allowed to redistribute the feed to other networks. The export of these feeds/prefixes to other networks is prohibited. Please see our Terms & Conditions.
There are two query limits: Soft and hard. The soft limit will generate a warning email. The hard limit will prevent access. Further information can be found in our technical documentation.
No, IPv6 addresses are not listed in the Botnet Controller List at this time. Miscreants do not currently use these to host botnet command and controllers.
Once our researchers observe botnet command and controllers hosted on IPv6 addresses, they will be listed immediately.
Spamhaus wants to ensure that its data is only given to reputable and qualified organizations, therefore we need to know who you are before offering you access to Spamhaus data.
The Spamhaus Service Agreement is between you and Spamhaus and our Partners. You can view these service terms when you sign up for a free trial or free service account, before clicking submit.
As a Spamhaus customer, you also have access to the Spamhaus Service Agreement via the Customer Portal, which can be downloaded in PDF format.
Currently, the Extended Exploits Blocklists (eXBL) is available via SIA. However, there are plans to introduce additional datasets soon.
Yes. Where volume and usage hasn’t changed for a customer, we adjust pricing approximately every two years in line with inflation and market value. For customers whose usage has changed their pricing will be changed accordingly, annually on renewal. There will be exceptional cases where changes may be made mid-contract, where usage is greatly exceeding contracted limits.
Only CIDR formats up to /24 can be queried in SIA.
Spamhaus evaluates every Datafeed service application to ensure the applicant is bona fide, and is not involved in the provision or support of spam services. We reserve the right to refuse a service at our discretion.
Refusal may be due to a number of issues, including supplying to ISPs with excessive listings on any of our datasets. Everyone who uses the internet has a responsibility to keep it a safe environment. Any ISPs who we deem to have excessive abuse on their network, and are doing little to remediate the issues will not get access to our data.
The datasets accessed via the API are built from our broad-reaching sensor network, the same that is used to compile our DNS Blocklists. Through machine learning, heuristics and manual investigation, connections are analyzed to identify indicators of compromise.
DNS Firewall Threat Feeds are Response Policy Zone (RPZ) feeds that provide automatic protection against phishing sites and malware downloads. They are delivered in industry standard RPZ format which allows a recursive DNS resolver to choose specific actions to be performed. This includes dropping, blocking, and passing through traffic.
There are many networks, domains, and IP addresses on the internet whose sole purpose is to cause harm to or steal information from unsuspecting users who visit their servers and sites.
For example: a phishing domain, created for the sole purpose of stealing data, can be used for a spam campaign that is sent to users on your network asking them to verify their account. The email is received and is not blocked by your spam filtering, so the message gets delivered into your user’s inbox. When the user clicks on the link to verify their account, because the site is listed in the Threat Feeds, their computer is unable to resolve the phishing website.
This action will protect your user from surrendering their personal information, and potentially prevent their workstation from becoming infected with botnet software. Blocking malicious content also offers you the potential to educate your users immediately.
If you choose to use Spamhaus’ Managed Service, this is not an issue. However, where you are running your own DNS infrastructure and want to use our Dedicated Service, here are our recommendations:
While it is possible that the current hardware that is running your DNS resolver may be able to handle the processing of DNS Firewall Threat Feeds, we recommend the following hardware configuration:
8 core CPU
8 gigabytes of RAM
Bare-metal dedicated server
Please ensure that you are running the most up-to-date version of your resolver software.
A DNS resolver will return an NXDOMAIN (invalid domain) response when it is matched against a threat feed listing.
Those utilizing the Dedicated Service can point to an internal IP resource that will allow the block to redirect to an information page that can provide a warning, some education, or insight into why something was blocked.
Log into your server and run the following command(s):
The result from these commands will provide you with the IP that you need to enter into our Customer Portal under the Access tab of your DNS firewall settings.
Please note that if you have multiple servers pointing to our services, you will need to run this command on each server that you will be pointing to our service.
Once you have entered the IP addresses, it can take up to one hour to be provisioned in our systems.
Rbldnsd defines a few different dataset types. To optimize performance and memory usage, we recommend that Datafeed users choose ip4set for SBL and SWL, ip4trie for PBL, and ip4tset for XBL.
However, using ip4tset will result in a return code of 127.0.0.4 for all XBL listings. In the majority of cases this is acceptable, but if you need to distinguish between the different XBL return codes, you should use ip4set for XBL as well.
DBL and DWL must always use the dnset dataset type.
Public mirrors are required to use ip4set for all the IP zones, and dnset for DBL and DWL.
The DROP list contains network ranges which can cause so much damage that Spamhaus provides it to all, free-of-charge. We believe that due to the vital nature of the DROP list data, it will be available free-of-charge to any place, regardless of size or business type, to protect internet users. If you wish to redistribute the plain text feeds, name Spamhaus as source of the data and retain both the copyright statement and the date & time stamps at the top of the text file.
Please DO NOT auto-fetch the DROP list more than once per hour.
The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled.
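A consumer for the plain-text DROP feed that honours the limits above, added here as an example and not Spamhaus code. It assumes the file consists of `;` header lines followed by `CIDR ; reference` entries; the sample data, `DropCache` and the `fetch` callable are constructed for illustration.

```python
import ipaddress
import time

MIN_FETCH_INTERVAL = 3600  # seconds: automated downloads must be at least one hour apart

# Constructed sample in the ASSUMED layout: ';' header lines, then "CIDR ; reference".
# RFC 5737 documentation ranges and placeholder SBL ids, not real listings.
SAMPLE_DROP = """\
; Spamhaus DROP List 2024/01/01 - (c) 2024 The Spamhaus Project
; Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""

def may_fetch(last_fetch_ts, now=None, min_interval=MIN_FETCH_INTERVAL):
    """True if nothing was fetched yet or at least min_interval seconds have passed."""
    now = time.time() if now is None else now
    return last_fetch_ts is None or (now - last_fetch_ts) >= min_interval

def parse_drop(text):
    """Return (header_lines, [(network, reference), ...]); raise ValueError on a bad line."""
    # Header lines are kept verbatim so a redistributed copy retains the
    # copyright statement and the date and time stamps.
    header, entries = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            header.append(raw)
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: not a network: {cidr.strip()!r}") from exc
        entries.append((net, ref.strip()))
    return header, entries

def lookup(ip, entries):
    """Return the reference of the first listed network containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            return ref
    return None

class DropCache:
    """In-memory copy of the list that refuses to refetch inside the interval."""

    def __init__(self):
        self.header, self.entries, self.fetched_at = [], [], None

    def refresh(self, fetch, now=None):
        """fetch is a hypothetical callable returning the file text."""
        now = time.time() if now is None else now
        if not may_fetch(self.fetched_at, now):
            return "skipped"
        self.fetched_at = now  # failed attempts count too, so errors cannot cause a retry storm
        try:
            header, entries = parse_drop(fetch())
        except ValueError:
            return "kept-old"  # corrupt download: keep enforcing the previous list
        if not entries:
            return "kept-old"  # an empty file must not silently disable blocking
        self.header, self.entries = header, entries
        return "updated"
```

Persisting `fetched_at` alongside the cached file keeps the one-hour floor in force across process restarts.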
The major part of spam filtering done by appliances such as the Barracuda is DNSBL filtering. If you are using any Spamhaus lookup in any part of a Barracuda or similar spam filter appliance you must ensure that you have a current Spamhaus Data Query Service (DQS) subscription.
Historically, we have had cases of people using the Free Spamhaus Public Mirrors in conjunction with Barracuda appliances. This is an abuse of the Free Public Mirrors usage terms: if an organization’s email volume is big enough to require a Barracuda or similar spam filter appliance, then it is almost certain that their usage will be above the limits applied to the free public DNSBL servers. Due to sustained abuse of these public mirrors, and of the Free low-volume DQS account, a control system has been implemented, and over-queriers will be flagged and blocked.
Please ensure that if you are using Spamhaus DNSBLs in any part of your corporate spam filtering setup, you have a current Spamhaus DQS subscription.
DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list.
The EDROP list includes net blocks controlled by professional spammers and cyber criminals that are not directly allocated, thus it will contain only netblocks that are sub-allocations.