Have you been blocked?
All blocklists are researched and managed by The Spamhaus Project.
Simply click on the link below, which will take you to the Project’s IP and Domain Reputation Checker. From here you will be able to enter your IP or Domain and begin your request for removal.
Please note that the Project’s IP and Domain Reputation Checker is the only place where removals are handled.
IT and security teams consistently face multiple business challenges. Discover how our solutions can help overcome some of those issues.
From processing issues, to email-borne threats our blocklists easily integrate with your current email set-up to improve anti-spam & anti-virus email filtering.
Employ our threat intelligence to increase visibility across security events, reveal potential weaknesses in your network, and threats to your brand.
Stay on top of the latest threats and proactively combat botnet infections, and other forms of abuse, with our solutions.
From clicking on phishing emails to visiting malware dropper sites, our threat intelligence provides automatic protection for your users.
Data for Integration
Enhance your service and create competitive advantage by integrating Spamhaus’ world-class IP and domain reputation data.
Our products provide additional layers of security for networks and email. They also present security teams with additional insight into malicious behavior.
Border Gateway Protocol (BGP) Firewall
Block the worst of the worst at your network edge, taking advantage of your existing BGP-capable routers. Configuration only takes minutes.
Data Query Service (DQS)
Benefit from industry-leading real time blocklists. These DNSBLs easily plug into your existing email infrastructure to block spam and other email threats.
A powerful research tool to investigate relationships between internet infrastructures. Quickly pivot to new areas of concern to rapidly investigate potential threats.
Immediately block connections to dangerous sites, including phishing and malware dropper websites. A ‘set and forget’ solution.
Spamhaus Intelligence API
Threat intelligence data in API format to enable users to easily integrate metadata relating to threats with their own applications, programs, and products.
abuse.ch Real Time Feeds - coming soon
Actionable data signals on cyber threats, with a focus on malware and botnets, to strengthen threat investigations, detections, and help prevent data breaches.
Integration | MDaemon
Block over 99% of email-borne threats with Spamhaus’ real time DNS blocklists and MDaemon® Email Server.
Integration | Halon
Safeguard your email stream using Spamhaus’ real time DNS blocklists and Halon’s secure email infrastructure.
Integration | Messageware
Enhance Microsoft Exchange protection by blocking malicious IP addresses from connecting to your on-premise server in real time.
A wide range of datasets, providing multiple layers of protection. They can be plugged directly into your existing hardware, making them an affordable choice.
Exploits Dataset Statistics
View the geolocation, hosting network, malware names associated with each detection, and other critical data points.
Border Gateway Protocol (BGP) Feeds
Do Not Route Or Peer (DROP) and Botnet Controller List (BCL) datafeeds can peer with your existing BGP-capable router.
Domain (DBL), Zero Reputation (ZRD) and Hash blocklists (HBL) enable you to block content in emails, filtering out a higher rate of email-borne threats.
Data for Investigation
Passive DNS and extended datasets give you additional information on internet resources. They provide deeper insights into incidents and possible threats.
DNS Firewall Threat Feeds
A wide range of feeds to apply to your DNS recursive server. Choose the right level of protection for your organization.
Spam (SBL), Policy (PBL), Exploits (XBL) and Auth (AuthBL) blocklists allow you to filter email from IPs associated with spam, botnets, and other threats.
abuse.ch Threat Intelligence Feeds – coming soon
URLhaus, MalwareBazaar, ThreatFox, YARAify, Feodo Tracker and Sandnet enrich CTI feeds and support vulnerability mangement.
Find out more about us.
Learn more about Spamhaus; who we are, and what we do.
Find a partner
Discover our partners and how they can support you.
Become a partner
Learn about the benefits of being a Spamhaus partner and how to get started.
Discover a wide range of blog posts, case studies and reports.
Spamhaus’ insight into malware, botnet C&Cs, and the domain reputation landscape.
Commonly asked questions about Spamhaus products and processes.
The Blocklist Tester
A tool to help you check if your servers are correctly configured to use Spamhaus DNSBLs.
The Reputation Portal
A tool for ASN owners to get visibility of their IPs’ reputation and proactively manage listings.
Help for the Project's legacy DNSBLs users
Using the Project’s legacy blocklists and suddenly experiencing email issues? This page may be able to help.
In depth information about the technical details and implementation of our products.
Posted by Simon McGarr on 2 Feb 2023
With so much talk about the Spamhaus Informational listings and the subsequent talk of cleaning up mailing lists and practices, here are sound words of advice from Simon McGarr, Managing Director of Data Compliance Europe, on the subject of consent.
Once upon a time, when I was a young man trying to be helpful about my parent’s house, I decided to clean out the ashes in the fire. I’d watched my father on his hands and knees plenty of times, using a brush and steel coal shovel to transfer the ashes into a battered steel bucket. It looked like no fun at all. I realized that, foolish middle-aged parent that he was, he must have missed the obvious solution. Why not just vacuum up all those ashes? Not for me, the cinders and ash of Grimm’s fairytales. I would apply modern technology for better living.
I quickly finished the job, leaving a dust-free hearth.
I don’t know why nobody has ever thought of this before, I said to myself. Then I turned around and found the vacuum cleaner was on fire. Some eejit had filled it full of hot ash and embers.
Sometimes, as I learned then, there is a reason nobody has thought of your brilliant idea before.
This experience popped into my head as I considered the story I’m about to tell you from the Spamhaus listing archives.
Our friendly data controllers wanted to use a database of email contacts they had obtained (by means unknown) for commercial purposes. They wanted to sell access to this database of email addresses to their clients and use it themselves. However, they knew, dimly in the back of their minds, that there was some Data Protection issue under the General Data Protection Regulation (GDPR). Then, like my younger self, someone among our Data Controllers stopped suddenly one day and thought to themselves, “I don’t know why nobody has ever thought of this before.”
Their idea wasn’t to suck up a load of rubbish – quite the opposite.
They were going to send rubbish, I mean emails, to people. And after the people had received the emails, they believed they could use those email addresses legitimately.
The subject line they chose was “Notice of Data Processing. This is not an advertisement.”
And to be fair, you will probably agree with that subject line’s assessment once you understand their concept…
Here was the big idea: what if we sent out a sort of Privacy Notice to everyone by email? We could even follow the format of the GDPR’s requirement for a Privacy Notice, and then we tell them that we’re processing their data on the legal basis of ‘legitimate interest.’ both ours and our clients.
Having thought it, they then acted upon that thought. And how.
They sent these messages out to millions and millions of email addresses.
The problem here, as you may have guessed by now, is that there is actually a reason why nobody has ever thought, let alone done, this before.
And that reason is that emailing people for commercial purposes (which is what even emails headed ‘this is not an advertisement’ are doing when you send them to benefit a commercial, corporate entity) is not an activity solely subject to the GDPR.
Commercial email to EU addresses is also subject to the e-Privacy Directives and their various national transpositions in each of the EU member states.
Good question. The e-Privacy Directive is known in the arcana of European law as a lex specialis. The GDPR is the general data protection regulation (the clue is in the name). Meanwhile, the e-Privacy rules amend those general provisions with specific, different rules for specific circumstances. Like, for example, sending commercial emails.
So, while legitimate interest is permitted as a legal basis for data processing under Article 6 of the GPDR, the e-Privacy Directive restricts the legal basis on which data may be processed for the purposes of sending out commercial email to only one basis – consent.
Here’s Article 13.1 of the e-Privacy Directive as inserted by Directive 2009/136/EC. You can quote this at parties if you want to be considered charming and popular.
1. The use of … electronic mail for the purposes of direct marketing may be allowed only in respect of subscribers or users who have given their prior consent.
Just so everybody has an incentive to behave themselves, it goes on at Article 13.7 to insert a clause to ensure that every single person in the EU who receives an email that breaks that consent rule has a right to sue for defined penalties.
You’ll notice the requirement for ‘prior consent‘. The definition of consent it uses is set out in Article 4(11) of the GDPR, which sets out four requirements for;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Let’s break these down.
1) Freely Given
What is the power relationship between the human being and the institution looking for consent? If not consenting resulted in “negative consequences” for the individual, any consent received couldn’t be said to be truly free.
So, employers shouldn’t rely on consent received from their employees for processing data. Similarly, public authorities should not rely on consent as the basis of data processing of citizens or residents. In both cases, the power imbalance is too great for most consents to be freely given. The threat, even if unspoken, of potential negative consequences is too large. While there are some exceptions to this general rule, they revolve around very limited situations (limited in terms of the number of data subjects effected and the extent of the data processing involved).
Our friends in data control haven’t even got as much as some compelled consent to rely upon.
There’s some considerable overlap with the sources of the requirements for freely given consent and specific consent. This makes sense because, before you can get freely given consent, you must know what it is that you seek consent to do. Therefore you need to have a specific purpose for every form of processing so that you can seek specific, granular consent for that purpose.
“Specificity” is the mortal enemy of function creep – the gradual addition of new purposes for data.
By definition, if a data controller wants to increase the number of uses applied to data collected from a subject, more consent information is required. And to allow for specific consent to be given for each different use, the data controller must give the data subject a separate granular opportunity to consent.
For consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice. Therefore, WP29 is of the opinion that at least the following information is required for obtaining valid consent:
i) the controller’s identity,
ii) the purpose of each of the processing operations for which consent is sought,
iii) what (type of) data will be collected and used,
iv) the existence of the right to withdraw consent,
v) information about the use of the data for automated decision-making in accordance with Article 22 (2)(c)34 where relevant, and
vi) on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.
Concerning item (i) and (iii), WP29 notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organizations should all be named. European Data Protection Board
The notice sent out (‘not an advertisement’) made an effort to tell the recipients some of these things, perhaps with some intention to claim they had been appropriately informed and given ‘implied consent’ if they didn’t object. The problem with that idea comes with the final part of the puzzle.
It isn’t enough to presume consent. It’s necessary to receive an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. People have to take a step to indicate their consent- using pre-ticked boxes or presuming that consent is given by not objecting will not meet the requirement.
To recap, sending out a data processing notice by mass email doesn’t get you a clean database of European email addresses that you can say have given valid, informed consent to receive commercial email. It just gets you millions and millions of potential instances of regulatory and civil liabilities.
As I learned to my cost all those years ago, nobody’s ever thought of this before because sometimes you’ve come up with an idea so bad, you’ve managed to create a trash fire in a vacuum.
Simon McGarr is a lawyer with McGarr Solicitors in Dublin, and the managing director of Data Compliance Europe, a global consultancy on GDPR and data protection matters. He is a Senior Policy Advisor for M3WAAG and a guest lecturer with the European Academy of Law in Trier as well as the External Examiner for the Law Society of Ireland on Data Protection. He has represented clients in both the landmark Digital Rights Ireland and Schrems I cases before the Grand Chamber of the Court of Justice of the EU.
24 February 2023
Spamhaus Project's informational listings have received a lot of attention recently, including some helpful of feedback - namely, the intelligence is helpful but it creates too much "noise" in the SBL. So the Project Team will be making changes in the near future.
15 December 2022
Downloading a free application and installing it on an internet-connected device can lead to you not being able to send email. This is because some apps allow third parties to access your device without your knowledge. These third parties then use your network connection for malicious purposes, causing your IP address to be listed as unsafe.
16 August 2022
The recent spate of informational listings from The Spamhaus Project researchers created waves in the sending community. But more pertinently, it’s highlighted poor sending practices. Here’s further explanation, and helpful hints and tools to help calm the waters.