Which datasets are included?
The datasets include: Malicious Network Ranges, Botnet C2 IPs, Compromised IPs, Non-mail Emitting IPs, and Bruteforce IPs. It is compiled using a wide range of investigative techniques, including machine learning, heuristics, and manual investigations. They analyze 9 billion SMTP connections daily.
Here is an overview of each IP-based DNSBL dataset:
Malicious network ranges (Spamhaus Blocklist, SBL)
This dataset contains IP addresses that are observed to be involved in sending spam, snowshoe spamming, bulletproof hosting companies, and hijacked IP space. This data can be used as both a sender IP blocklist and a URI blocklist, to help protect your mailstreams from spam.
Senders whose IP addresses have been listed will receive a bounceback message, allowing them to check the email addresses of recipients, or correct any other sending issues.
Discover all the ways you can access and consume ‘Malicious network ranges’ data.
Compromised IPs (eXpoits Blocklist, XBL)
Containing individual IPv4 and IPv6 addresses exhibiting signs of compromise – e.g., the presence of malware inadvertently downloaded on a device, or software like some “free VPN” applications that use the customer device to do network activity on behalf of other unknown people, or security problems on various devices connected to the LAN such as routers or cameras allowing unauthorized access. In such cases, the compromised IP appears to be part of a botnet made of thousands or even millions of compromised systems, carrying on malicious activities unknown to its legitimate user.
To see the size and coverage of this dataset, see Uncovering the value in the Compromised IP dataset.
The constantly updated datset is designed to protect networks from malware and spam by preventing mail servers from accepting connections from compromised computing devices. The data is also available in an “enhanced” version, which gives additional information for individual detections.
Discover all the ways you can access and consume ‘Compromised IPs’ data.
Non-mail emitting IPs (Policy Blocklist, PBL)
This dataset includes IP address ranges for end-user devices, such as home routers, smart TVs, and other Information of Things (IoT) devices, from which email should never be sent. This protects networks from the potential of being compromised by malware spread by botnet command and controller servers (C&Cs).
This data covers the majority of end user IPv4 space, in addition to some IPv6 ranges. While some individual IP addresses are included, most listings are in classless inter domain routing (CIDR) format and are at least /24 in size. By managing your own IP address range, your organization can protect other networks from receiving spam from infected devices on your network. This helps to protect email recipients from malware, preserves the reputation of your company and avoids your domain being added to a DNSBL, which would result in your organization’s outgoing emails being blocked. To register your IP ranges, visit the Spamhaus Project's Policy Blocklist page.
Discover all the ways you can access and consume ‘Non-mail emitting IPs ranges’ data.
Botnet C2 IPs (Botnet Controller List, BCL)
This is an advisory “drop all traffic” dataset consisting of single IPv4 addresses that are being used to host botnet command and control (C&C) servers to control infected computers (bots).
It contains dedicated C&C servers only i.e., threat actors are using all the IPs listed to host their botnet C&C infrastructure on dedicated hosts, which serve no other purpose than controlling botnets. The status of these botnet controllers is re-evaluated several times a day to ensure only active botnet controllers are being blocked.
The BCL – Dedicated does not contain any subnets or CIDR prefixes larger than /32.
Discover all the ways you can access and consume ‘Botnet C2 IPs’ data.
Email Spam IPs (Combined Spam Sources, CSS)
This dataset contains direct snowshoe spam sources, detected via automation. It may also include other senders that display a risk to our users. Listings are influenced by: Email showing indications of unsolicited nature; Broad-spectrum aggregated views of email deliveries; Having poor list-hygiene; Sending out bad email due to a compromise (compromised account, webform or CMS); Other indicators of low reputation or abuse.
Listings are based on a wide range of inputs and are the result of multiple events and heuristics, and include both IPv4 (/32) and IPv6 addresses (/64).
Discover all the ways you can access and consume ‘Email Spam IPs’ data.
Bruteforce IPs (Auth Blocklist, Auth BL)
This is a subset of the compromised IPs dataset. It includes IP addresses known to host bots using brute force or stolen SMTP-AUTH credentials to send spam, phishing and malware emails.
Botnets are often employed by cybercriminals to circumvent SMTP Auth: the security protocol that requires client machines to identify themselves to mailservers prior to being able to send or receive email.
We make the dataset available separately, so you can use it at SMTP Auth as a score to make sure that someone isn’t trying to misuse a user’s account.
Discover all the ways you can access and consume ‘Bruteforce IPs’ data.
Email filtering with Spamhaus IP-based DNSBLs
All our IP-based datasets are included in a single subscription, available via Real-Time DNS Blocklists making it easier and faster to query.
Once IP-based DNSBLs have filtered out the majority of threats, content-based email filtering can provide an additional layer of protection for enhanced security and greater peace of mind - learn more here.