Posted by Riccardo Alfieri on 28 Apr 2022
Here’s a cautionary tale for anyone and everyone who uses email. The lesson is simple: always be vigilant, especially if an email asks you to provide personal information, click on links, or download files.
As the pandemic is becoming endemic, many countries have created dedicated registration programs to facilitate tourism. One example is Thailand’s Thailand Pass. Travelers must upload Covid test results and their vaccination status to help border security manage entry into Thailand.
Unfortunately, this database of travelers got hacked recently, as detailed here. Many tourists got caught in the malspam campaign that kicked off after the breach. The Spamhaus researchers had the chance to analyze an infected machine of one such victim. Here is what they found:
Let’s call our unlucky tourist Mr X (original, we know!). Mr X’s flight was due to leave for Bangkok on the 22-Feb-22. Being an organized sort, he had already completed the required steps to get his Thailand Pass and was ready for his trip. But on 17-Feb-22, he received the following two emails:
You will note that the sender domains are passthailandteam.com and teampassthailand.com. These domains are definitely not related to the Thai government. However, if you don’t spend 24/7 looking for malicious emails, it’s understandable that they could easily be deemed legitimate.
With a little research, one can establish that these domains were registered on 15-Feb-22 and 16-Feb-22, respectively, just days before the miscreants used them to send email. In our world, this usually raises a giant red flag – how often do you register a domain and immediately use it? The answer is almost never!
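The domain-age check described above, as an added example that is not part of the original post: it compares a message's send time with the sender domain's registration date taken from RDAP-style records. The registration dates are the ones given in the article; the 30-day threshold, the message headers, the times of day and the `.example` domains are assumptions constructed for the illustration.

```python
import json
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

MIN_AGE = timedelta(days=30)  # assumed policy threshold, not a figure from the article

# Constructed RDAP-style records (RFC 9083 "events"). Dates are the article's;
# the midnight UTC times and the third domain are invented for the example.
RDAP = {
    "passthailandteam.com": '{"events":[{"eventAction":"registration","eventDate":"2022-02-15T00:00:00Z"}]}',
    "teampassthailand.com": '{"events":[{"eventAction":"registration","eventDate":"2022-02-16T00:00:00Z"}]}',
    "established.example": '{"events":[{"eventAction":"registration","eventDate":"2010-01-01T00:00:00Z"}]}',
}

def _mail(sender):  # constructed message; local parts and time of day are invented
    return f"From: {sender}\nDate: Thu, 17 Feb 2022 09:00:00 +0000\nSubject: test\n\nbody\n"

MESSAGES = [_mail("Team <noreply@passthailandteam.com>"),
            _mail("noreply@teampassthailand.com"),
            _mail("news@established.example"),
            _mail("someone@norecord.example")]

def registration_date(rdap_json):
    """Return the RDAP 'registration' event time, or None if absent."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def check(raw_message, rdap=RDAP, min_age=MIN_AGE):
    """Return (sender domain, age in days when sent, verdict)."""
    msg = message_from_string(raw_message)
    # Uses the full domain after '@'; mapping subdomains to the registered
    # domain would need the Public Suffix List.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # The Date header is sender-controlled; a filter should use time of receipt.
    sent = parsedate_to_datetime(msg["Date"])
    record = rdap.get(domain)
    registered = registration_date(record) if record else None
    if registered is None:
        return domain, None, "unknown"  # no data: treat as unverified, not as safe
    age = sent - registered
    return domain, age.days, "suspicious" if age < min_age else "ok"

if __name__ == "__main__":
    for raw in MESSAGES:
        print(check(raw))
```
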
Back to Mr X, who was due to fly five days after receiving the above two communications – these emails panicked him. Who wouldn’t be unnerved? Here he was busy picturing himself landing in Bangkok, making his way to the beach and drinking a Singha beer, watching the world go by, only to suddenly think he may not be allowed even to enter the country.
Diligently Mr X followed the instructions in the email, providing his full name, date of birth, and the last four digits of his passport number. The reason for requesting these details? We can’t be sure, but we strongly suspect it’s related to identity theft.
Meanwhile, the link in the second email led to a website where a ZIP called “qr_thailand_pass.zip” was downloaded. Once opened, the ZIP contained a seemingly innocuous HTML file that, when opened, showed the following webpage:
However, in the background, the VBS file downloaded and executed a Remote Administration Tool (or RAT) from https://archive.org/download/auto_20220216/auto.txt.
What’s interesting to note is that the miscreants hosted their malicious payload on “archive.org”. This is a very well-known website with a good reputation. In doing this, the cybercriminals were most likely trying to evade security software blocking websites with poor reputation.
Without giving these emails another thought, Mr X happily went on his trip. While in Thailand, on 02-Mar-22, he received a notification from Google Cloud Platform (GCP) with a charge of €93. Since he had some services with Google, he dismissed the notification as one of the usual recurring charges and continued to enjoy his vacation.
March passed, and Mr X received a notification from GCP that its charges for the past month were almost €1600! Suddenly alarm bells were ringing, so he contacted the Spamhaus researchers to investigate further.
The team uncovered that the crooks had created an exceptionally “CPU-hungry” Google Compute Engine (GCE) instance that had been grinding away for the whole of March and into April until they shut it down.
Upon reviewing the platform logs, they established that the instance was created on 18-Feb-22, only a few hours after Mr X downloaded and executed the infected file on his computer.
Before deleting the GCE instance, the Spamhaus researchers accessed it and found a Monero coin miner running, in addition to a RAT. This explained the huge charges – GCE bills are based on CPU usage, and mining cryptocurrency is a highly intensive process when it comes to CPUs.
“Whoa, surely Mr X has multi-factor authentication (MFA) on his Google account?” you may be asking. “How did the miscreants manage to create the GCE instance?” The answer is that both activities logged on 18-Feb-22 and 19-Feb-22 coincided with Mr X having his computer powered on. The hackers used the previously installed RAT to take control of Mr X’s machine, and since his browser was already logged in to his Google account, they didn’t need MFA to create the GCE instance.
Fortunately for Mr X, the credit card company reimbursed the fraudulent expenses. However, he also had to have his compromised passport cancelled and a new one reissued… Mr X is an Italian resident. To anyone who has had the misfortune to deal with Italian bureaucracy, you will sympathize with Mr X, understanding what an arduous and painful process this was!
Keep safe (not only on your travels) – it doesn’t take huge technical knowledge to follow the above points, and it could save you a significant amount of time, money, and stress that goes with falling victim to malicious internet behavior.