The Hash Blocklist (HBL) is a formidable dataset to have in your email filtering arsenal. Highly regarded for its real time, automatic protection against malicious email content - today, it grows even stronger, with the inclusion of malicious and suspicious URLs. Discover how this enhancement will provide even better catch rates, for even more protection.

The importance of blocking by URL

In today’s digital landscape, sharing content via URL is just as common as sharing a file. This presents a big opportunity for cybercriminals. By tapping into this well-utilised communication method, vast amounts of malicious content are being shared, using online file storage providers, URL shorteners, and URL redirectors.

Yet, millions of people worldwide use the same URL services for legitimate purposes. So, for those tasked with the security of email infrastructure, this presents a challenge: to effectively block malicious content, without inadvertently blocking legitimate users too.
So, how can you maintain accuracy in content filtering without drowning in a sea of false positives?

Hash Blocklist to the rescue!

For those unfamiliar with the Hash Blocklist (HBL), it’s a list of cryptographic hashes derived from malicious content. It enables users to accurately block using specific email components, such as compromised email addresses, cryptowallets, malware files… and now both malicious and suspicious URLs!

The Hash Blocklist is an important piece of the email protection puzzle. Not all traffic can be safeguarded by using IP data, or even domain data. For example, emails from large ESPs, or emails containing malware files.

URLs have a similar challenge – as mentioned above. Filtering by IP/domain isn’t going to protect against an email containing malicious content. Why not? Well, if the domains or IPs of large providers were listed on a DNSBL then you’d block vast amounts of legitimate traffic. Imagine the carnage that would ensue by blocking! *shudders*

A more targeted approach is required. The policy associated with the URL component of the Hash Blocklist indicates that any URL Spamhaus observes as being unsafe, is to be listed. This includes online file storage providers (e.g., URL shorteners (e.g., and URL redirectors.

How does the Hash Blocklist list URLs?

When Spamhaus observes a URL that’s associated with malicious or suspicious content, the URL is assigned a hash – a unique 30+ character string used to identify the content. The URL can then be blocked based on this unique hash. But URLs come in all shapes and sizes.

For example, one technique used by malicious actors is to include the recipient’s name in the URL, so it seems more compelling to click on. While listing a URL in its raw format could protect one user, it’s much more efficient to create a standard form for each URL by normalizing the data. This improves catch rates and makes querying more efficient.

To create uniformity and increase its breadth of protection, Spamhaus uses four algorithms to normalize URLs. To ensure queries match the listed hash, users must also normalize their URLs in the same way.

For SpamAssassin users

For those using the SpamAssassin plug-in, this configuration to normalize URLs has already been implemented. So just make sure you’re using the latest version, and you’ll be set to go – see here.

For RspamD users, this update will soon follow, so keep an eye out.

For native users

To take advantage of this enhancement, already included in your subscription, there is some configuration work. Details can be found here. If you don’t have time to get this into your dev cycles straight away, don’t worry! Your current HBL implementation will continue to be effective, just without the additional protection against malicious URLs.

For new users, trial the data free for 30 days

Gain access to Spamhaus’ Content Blocklists -including both Domain and Hash data – as well as IP Blocklists. Access is free for 30 days, without the need for a credit card to trial – simply sign up via this form, alternatively contact one of the Spamhaus team.

If you’re still wanting to learn more, read about the value of our content blocklists, or find out what additional components are available on the Hash Blocklist.

Added security for email filtering

It’s safe to say that the Hash Blocklist is already one of our most loved blocklists – with one customer sharing, “This [Hash Blocklist] is a game-changer. It’s the biggest single effectiveness improvement we’ve had in 10+ years, all for a simple one-off implementation”, Manager, Global Cybersecurity Software Provider.

With this latest addition to the Hash Blocklist, you will maintain filtering accuracy, block harmful content, and help safeguard your email infrastructure from malicious URLs.

And a thank you to SURBL

No matter where your knowledge and expertise lie across cybersecurity, it’s well-acknowledged that having different sources of data is advantageous. And with that, compatibility is key for customers, for ease of use. So, a special thank you to SURBL, for supporting us to build this enhancement as a compatible solution.


Block malicious URLs with Hash Blocklist