Have you been blocked?
All blocklists are researched and managed by The Spamhaus Project.
Simply click on the link below, which will take you to the Project’s IP and Domain Reputation Checker. From here you will be able to enter your IP or Domain and begin your request for removal.
Please note that the Project’s IP and Domain Reputation Checker is the only place where removals are handled.
IT and security teams consistently face multiple business challenges. Discover how our solutions can help overcome some of those issues.
From processing issues, to email-borne threats our blocklists easily integrate with your current email set-up to improve anti-spam & anti-virus email filtering.
Employ our threat intelligence to increase visibility across security events, reveal potential weaknesses in your network, and threats to your brand.
Stay on top of the latest threats and proactively combat botnet infections, and other forms of abuse, with our solutions.
From clicking on phishing emails to visiting malware dropper sites, our threat intelligence provides automatic protection for your users.
Data for Integration
Enhance your service and create competitive advantage by integrating Spamhaus’ world-class IP and domain reputation data.
Our products provide additional layers of security for networks and email. They also present security teams with additional insight into malicious behavior.
Border Gateway Protocol (BGP) Firewall
Block the worst of the worst at your network edge, taking advantage of your existing BGP-capable routers. Configuration only takes minutes.
Data Query Service (DQS)
Benefit from industry-leading real time blocklists. These DNSBLs easily plug into your existing email infrastructure to block spam and other email threats.
A powerful research tool to investigate relationships between internet infrastructures. Quickly pivot to new areas of concern to rapidly investigate potential threats.
Immediately block connections to dangerous sites, including phishing and malware dropper websites. A ‘set and forget’ solution.
Spamhaus Intelligence API
Threat intelligence data in API format to enable users to easily integrate metadata relating to threats with their own applications, programs, and products.
abuse.ch Real Time Feeds - coming soon
Actionable data signals on cyber threats, with a focus on malware and botnets, to strengthen threat investigations, detections, and help prevent data breaches.
Integration | MDaemon
Block over 99% of email-borne threats with Spamhaus’ real time DNS blocklists and MDaemon® Email Server.
Integration | Halon
Safeguard your email stream using Spamhaus’ real time DNS blocklists and Halon’s secure email infrastructure.
Integration | Messageware
Enhance Microsoft Exchange protection by blocking malicious IP addresses from connecting to your on-premise server in real time.
A wide range of datasets, providing multiple layers of protection. They can be plugged directly into your existing hardware, making them an affordable choice.
Exploits Dataset Statistics
View the geolocation, hosting network, malware names associated with each detection, and other critical data points.
Border Gateway Protocol (BGP) Feeds
Do Not Route Or Peer (DROP) and Botnet Controller List (BCL) datafeeds can peer with your existing BGP-capable router.
Domain (DBL), Zero Reputation (ZRD) and Hash blocklists (HBL) enable you to block content in emails, filtering out a higher rate of email-borne threats.
Data for Investigation
Passive DNS and extended datasets give you additional information on internet resources. They provide deeper insights into incidents and possible threats.
DNS Firewall Threat Feeds
A wide range of feeds to apply to your DNS recursive server. Choose the right level of protection for your organization.
Spam (SBL), Policy (PBL), Exploits (XBL) and Auth (AuthBL) blocklists allow you to filter email from IPs associated with spam, botnets, and other threats.
abuse.ch Threat Intelligence Feeds – coming soon
URLhaus, MalwareBazaar, ThreatFox, YARAify, Feodo Tracker and Sandnet enrich CTI feeds and support vulnerability mangement.
Find out more about us.
Learn more about Spamhaus; who we are, and what we do.
Find a partner
Discover our partners and how they can support you.
Become a partner
Learn about the benefits of being a Spamhaus partner and how to get started.
Discover a wide range of blog posts, case studies and reports.
Spamhaus’ insight into malware, botnet C&Cs, and the domain reputation landscape.
Commonly asked questions about Spamhaus products and processes.
The Blocklist Tester
A tool to help you check if your servers are correctly configured to use Spamhaus DNSBLs.
The Reputation Portal
A tool for ASN owners to get visibility of their IPs’ reputation and proactively manage listings.
Help for the Project's legacy DNSBLs users
Using the Project’s legacy blocklists and suddenly experiencing email issues? This page may be able to help.
In depth information about the technical details and implementation of our products.
Posted by Spamhaus Team on 15 Apr 2023
Here we're exploring the "Freenom effect" on the current top-level domain (TLD) landscape as domain registries at the lower end of pricing within the domain name marketplace feel the effect of Freenom's current situation.
For at least three months, Freenom’s doors have been firmly shut to new domain registrations. You’d expect this to be nothing but good news, given their history, as highlighted in a number of our reports.
But what if you’re operating in this competitive market? It will come as no surprise to learn that domain registries are reaching out to our domain experts to understand recent negative rankings better. Coincidence? We think not.
Our domain experts have never seen a change as dramatic as that of the TLD landscape over the first quarter of 2023. Yes, there are the expected fluctuations of domain registrations linked to current events, seasonal activities, or short bursts of aggressive promotion typically fuelled by speculators and abusive or highly fraudulent registrations. Yet, for the first time, Spamhaus researchers observed all five Freenom-operated TLDs dramatically decrease in abuse numbers.
Domain listings by ccTLD
This is an unprecedented change, given these TLDs have been a constant in the statistics Spamhaus reports on, relating specifically to domains associated with spam, phishing, and malware. Why the sudden change?
Located in the Netherlands, Freenom was the world’s first and only free domain registration service. Sounds great if you want to purchase domains, but not from our point of view. Unfortunately, free domains tend to attract the less desirable user and all their associated badness, i.e., abuse. In fact, Freenom services are well known to security experts for providing domain registration services to malware authors, botnet operators, and phishing operations.
In particular, are five free country code top-level domains (ccTLDS), .tk (ccTLD of Tokelau), .ml (ccTLD of Mali), .ga (ccTLD of Gabon), .cf (cc TLD of Central African Republic), .gq (cc TLD of Equatorial Guinea). Usually, domain registrants would use such ccTLDs for their applicable country or region. However, these five ccTLDs operated by Freenom, are primarily operated outside of their country, making them more akin to general top-level domains (gTLDs).
As highlighted earlier, Freenom’s TLDs have had a poor reputation for a long time across many areas of internet security. Still, the fact that miscreants could endlessly rotate through new names meant that supplies were endless. As a result, these five TLDs have experienced exceptionally high levels of abuse and, subsequently, high volumes of bad domains due to being free.
That was until this year when Freenom announced the doors were closed to new registrations. What’s most interesting is why?
Freenom appears to be experiencing “temporary technical issues”, which have been ongoing since at least January 26th when some forum users reported the problems. Could this be a consequence of Meta’s recent court filing in March against Freenom and another (unrelated) legal case against Freenom, based in the Netherlands? It would be a reasonable assumption.
The good news remains, Freenom’s abused domain numbers are decreasing due to the fact new registrations are no longer being accepted. BUT there is a flip side to this good news; assuming Freenom continues with its “technical issues,” a change is being forced upon the operations of those who rely on access to a never-ending supply of free domains to circumvent domain-based blocking. Operators who utilized Freenom’s TLDs will need to find somewhere else for domain registrations or shut down their operations – the latter being a scenario we know is unlikely.
In Quarter 1 of 2023, there was a noticeable shift in the percentage split between abused ccTLDs and gTLDs, with the latter increasing from 61% to 71%. Meanwhile, over the past week, proactive domain registries have been in contact due to their recent (negative) rankings on the Spamhaus Project website. With no significant change in abuse noted at their end and continued vigorous efforts to suspend abusive domains (if only all registries were so closely focused on abuse), what is the problem?
Our analysis reveals almost all the new entries in the gTLD list are or have been, heavily discounted at popular registrars in the first quarter of this year. Once again, proving that low pricing inevitably attracts abusive registrations.
Now that Freenom’s never-ending reservoir is gone (or so it seems), the alternatives for actual domains (instead of free hostnames at dynamic DNS providers) are all paid options. Therefore, if you are a registry operating a TLD at the lower end of the pricing scale, you are in a prime position to be targeted by bad actors.
Looking to the future, it’s unlikely that all malicious operators who relied on these domains will disappear. Cybercrime is often profitable, and while free domains will produce the best margins, cheap is almost always a viable alternative.
As the latest domain data suggests, those registries that operate TLDs at the lower end of the pricing spectrum are significantly more susceptible to abusive registrations. We strongly advise registries and registrars to review their tools and processes, ensuring increased vigilance against a surge in registrations by bad actors for malware, phishing, spam, and other fraudulent activity.
Read ‘Troubles in Tokelau, malfeasance in Mali`… what’s happening with Freenom?‘ and access the ‘Q1 2023 Domain Reputation Update‘.
24 April 2023
In the first quarter of 2023 we noticed a sharp decline in new registrations in Freenom's TLDs – good and bad. So, what is happening?
14 April 2023
Researchers observed unprecedented change, with a decrease in registration and abuse number for all five Freenom ccTLDs, including a steep decline for .ml (-74%). Yet with this, significant increases for gTLDs .store and .fun. Is this the Freenom effect?
12 April 2023
Botnet C&C operators continued to escalate in Q1. Spamhaus researchers saw a 23% increase in newly observed botnet C&C servers - with Cobalt Strike and Quakbot ever-present. Get all the latest insights, including the rise in popularity of credential stealer RecordBreaker in this report.