Posted by Spamhaus Technology on 8 Feb 2024
Having looked at best practices for utilizing blocklists in the first part of this series, let’s explore the value of maximizing your own data to protect your network from malicious inbound emails. After all, your email infrastructure contains data that may only occur on your specific network, and nowhere else. By leveraging this unique data source, incoming emails can be classified to determine whether they are malicious or not. However, before we delve into these techniques, it is necessary to first:
Having a scalable, modern, and robust email infrastructure that provides all the necessary security and anti-abuse features, to protect against phishing, spam, and malware, is vital. An email infrastructure should enable blocking of connections from servers abused by spammers, emails with malicious URLs, connections from unauthorized countries, and high volumes of emails being sent to a single recipient – as well as providing analysis and scoring. Where email filtering is enabled, filters must be adjustable based on a business’s tolerance for false positives. Realistically, no business wants to allocate resources and people to a problem that doesn’t exist.
Alongside content inspection, email authentication checks should run to verify the source of incoming emails. There are two key authentication records mailbox providers should be looking to enforce: Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Both are must-have inbound spam defenses for any modern email marketing infrastructure. Other authentication methods can also be deployed, such as DomainKeys Identified Mail (DKIM) and Brand Indicators for Message Identification (BIMI).
The risk here is brand impersonation. Malicious parties may send emails posing as well-known brands, for example, Google. If an organization isn’t enforcing SPF and DMARC, someone could spoof google.com and send to its users, creating a gateway for abuse.
But authentication is only the tip of the iceberg. There are reams of data available to enhance defenses against malicious actors.
It’s important to be mindful of misconfigured email servers. These can be a sign of potential compromise or malicious activity, so it’s important to approach connection requests with caution. It is recommended to reject connections from email servers whose HELO or reverse DNS (rDNS) identifies them as an IP address, a non-existent domain, or empty text. By doing this, you can help ensure that your email server remains secure and is protected from potential threats.
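One way to apply the HELO/rDNS rule above, as an added example rather than code from the original article or from Spamhaus. The function names, the reason strings and the `resolves` lookup hook are assumptions of this example, and the sample hostnames are constructed.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _is_ip_literal(name):
    """True for bare IPs and SMTP address literals like [192.0.2.10] or [IPv6:2001:db8::1]."""
    candidate = name.strip("[]")
    if candidate.lower().startswith("ipv6:"):
        candidate = candidate[5:]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False

def check_identity(name, resolves):
    """Classify a HELO argument or rDNS (PTR) name; returns (ok, reason).

    `resolves` is a caller-supplied lookup (an assumption of this example)
    returning True when the name exists in DNS, so the check runs offline.
    """
    name = (name or "").strip().rstrip(".")
    if not name:
        return False, "empty"
    if _is_ip_literal(name):
        return False, "ip-address"
    labels = name.split(".")
    # Malformed or single-label names are treated as non-existent (assumption).
    well_formed = len(labels) >= 2 and all(_LABEL.match(label) for label in labels)
    if not well_formed or not resolves(name):
        return False, "non-existent-domain"
    return True, "ok"

def evaluate_connection(helo, rdns, resolves):
    """Reject when either the HELO name or the rDNS name fails the check."""
    for kind, value in (("helo", helo), ("rdns", rdns)):
        ok, reason = check_identity(value, resolves)
        if not ok:
            return "reject", f"{kind}:{reason}"
    return "accept", "ok"

# Constructed sample data: the only names the stand-in resolver treats as existing.
KNOWN_NAMES = {"mail.example.org", "mx1.example.net"}

def sample_resolver(name):
    return name.lower() in KNOWN_NAMES
```

In production the `resolves` hook would be backed by the mail server's own DNS resolver, with temporary lookup failures handled separately from a definite non-existent answer.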
Get to know your ‘as usual’ email traffic. Regularly analyzing email traffic is your ticket to quickly identify good traffic and traffic that should be monitored more closely. With enough analysis, typical traffic becomes predictable and easily recognizable. Consequently, anything outside of ‘normal’ can be identified and highlighted as suspicious. However, exercising caution when enforcing traffic rules is essential to avoid mistakenly blocking legitimate emails. Allowing some room for error can help prevent important messages from being blocked.
With a deep understanding of normal email traffic, you can assign reputation to IPs and domains sending emails to your network. This can provide a further alert to any unusual activity. Using information such as the number of messages sent, the number of users sent to, the time of sending, and how often those IPs or domains send, allows the infrastructure to assign reputation to those resources. Furthermore, these reputational factors could help determine whether to reject, defer, or accept an email.
The insights gained from historical data are just as valuable as monitoring real-time data flow. By simply maintaining 30 days (minimum) of historical SMTP data on IPs seen connecting to the network, it is possible to monitor who is sending and reject any unwanted connections. For example, an unexpected burst of email could indicate a spam campaign. Using historical data, a rate limit can be applied to newly seen or previously low-volume IP ranges attempting to send large volumes of email to an infrastructure.
Similarly, IP ranges that are sending or checking a large number of unknown users could be an indicator to defer or reject the emails. As we know, spammers often maintain large lists that contain many unknown users or abuse services that attempt to verify addresses. Therefore, an IP address with a higher-than-average rejection rate for unknown users should be investigated. And, more than likely, rejected!
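The two history-based checks above (bursts from new or low-volume IPs, and a higher-than-average unknown-user rate), shown as an added example that is not part of the original article. The record layout, every threshold other than the 30-day window, and the mapping of outcomes to accept, defer and reject are assumptions; the sample records are constructed.

```python
from collections import defaultdict

HISTORY_DAYS = 30      # the article's suggested minimum retention
LOW_VOLUME = 50        # assumed: at most this many RCPTs in history is "low volume"
BURST_LIMIT = 500      # assumed: daily RCPT ceiling for new or low-volume senders
UNKNOWN_FACTOR = 3.0   # assumed: reject at 3x the network-wide unknown-user rate
MIN_SAMPLE = 20        # assumed: leave room for error on tiny samples

# Constructed sample: (day number, source IP, RCPT commands, RCPTs to unknown users)
RECORDS = (
    [(d, "192.0.2.10", 200, 2) for d in range(70, 100)]      # steady sender
    + [(d, "203.0.113.5", 40, 1) for d in range(90, 100)]    # smaller sender
    + [(60, "198.51.100.7", 9000, 0), (95, "198.51.100.7", 10, 0)]  # day 60 is too old
)

def build_history(records, today):
    """Sum per-IP [rcpt_total, rcpt_unknown] over the HISTORY_DAYS before today."""
    hist = defaultdict(lambda: [0, 0])
    for day, ip, total, unknown in records:
        if today - HISTORY_DAYS <= day < today:
            hist[ip][0] += total
            hist[ip][1] += unknown
    return dict(hist)

def average_unknown_rate(hist):
    """Network-wide share of RCPTs that went to unknown users."""
    total = sum(t for t, _ in hist.values())
    unknown = sum(u for _, u in hist.values())
    return unknown / total if total else 0.0

def decide(ip, today_total, today_unknown, hist):
    """Return 'reject', 'defer' or 'accept' for one IP's traffic so far today."""
    past_total, past_unknown = hist.get(ip, (0, 0))
    seen_total = past_total + today_total
    seen_unknown = past_unknown + today_unknown
    baseline = average_unknown_rate(hist)
    # Higher-than-average rejection rate for unknown users: reject.
    if seen_total >= MIN_SAMPLE and seen_unknown / seen_total > UNKNOWN_FACTOR * baseline > 0:
        return "reject"
    # Newly seen or previously low-volume IP sending a burst: rate limit (defer).
    if past_total <= LOW_VOLUME and today_total > BURST_LIMIT:
        return "defer"
    return "accept"
```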
But what if bad actors are already inside? The truth is that users can be compromised from within the email infrastructure and send malicious emails internally.
Email within an organization is often subject to less filtering than email at the network level, making it vulnerable to malicious activity. Hence, paying attention to unusual indicators such as employees emailing outside of their usual working hours or communicating with individuals they typically don’t correspond with is essential. Is it normal for Suzie from Customer Success to email the Finance Director at 2 am? It seems unlikely!
By monitoring such activity, security teams can detect potential threats and take appropriate action. This could include rate limiting or suspending the user to deter malicious actors and prevent a severe business email compromise.
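The internal indicators described above (unusual sending hours and unfamiliar correspondents), run over a small baseline as an added example that is not from the original article. The addresses and timestamps are constructed, and the one-hour slack and the deliver/monitor/rate-limit policy are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of past internal mail: (ISO timestamp, sender, recipient)
HISTORY = [
    ("2024-01-08T09:15:00", "suzie@example.com", "team@example.com"),
    ("2024-01-09T11:40:00", "suzie@example.com", "lead@example.com"),
    ("2024-01-10T14:05:00", "suzie@example.com", "team@example.com"),
    ("2024-01-11T17:30:00", "suzie@example.com", "lead@example.com"),
]

def build_baseline(history):
    """Learn each sender's usual sending hours and usual correspondents."""
    hours, peers = defaultdict(set), defaultdict(set)
    for ts, sender, rcpt in history:
        hours[sender].add(datetime.fromisoformat(ts).hour)
        peers[sender].add(rcpt)
    return dict(hours), dict(peers)

def hour_gap(a, b):
    """Distance between two hours of day on a 24-hour clock (23 and 1 are 2 apart)."""
    return min((a - b) % 24, (b - a) % 24)

def indicators(message, baseline, slack=1):
    """List the unusual indicators for one internal message."""
    ts, sender, rcpt = message
    hours, peers = baseline
    hour = datetime.fromisoformat(ts).hour
    found = []
    usual = hours.get(sender, set())
    # Outside usual hours: more than `slack` hours from every hour seen before.
    if usual and all(hour_gap(hour, h) > slack for h in usual):
        found.append("unusual-hour")
    # Recipient this sender has not written to during the baseline period.
    if rcpt not in peers.get(sender, set()):
        found.append("new-correspondent")
    return found

def action(found):
    """Assumed policy: one indicator is watched, two trigger rate limiting."""
    return ("deliver", "monitor", "rate-limit")[len(found)]
```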
It’s important to keep in mind that safeguarding a network against inbound malicious emails can be overwhelming, and the strategies shared are just a few recommended practices. While they are aimed at enhancing network security in the long run, it’s not necessary to implement them all at once. Even small steps towards implementing these strategies can help improve your network security.
Remember, security is like an onion with many layers, and diversifying between different tools and techniques will only enhance protection against malicious email threats.
Don’t have the time or resources to analyze your own data? Share basic email connection data (no PII!) with Spamhaus for targeted email protection, like security service provider, Censornet – learn more here.