Have you been blocked?
All blocklists are researched and managed by The Spamhaus Project.
Simply click on the link below, which will take you to the Project’s IP and Domain Reputation Checker. From here you will be able to enter your IP or Domain and begin your request for removal.
Please note that the Project’s IP and Domain Reputation Checker is the only place where removals are handled.
IT and security teams consistently face multiple business challenges. Discover how our solutions can help overcome some of those issues.
From processing issues, to email-borne threats our blocklists easily integrate with your current email set-up to improve anti-spam & anti-virus email filtering.
Employ our threat intelligence to increase visibility across security events, reveal potential weaknesses in your network, and threats to your brand.
Stay on top of the latest threats and proactively combat botnet infections, and other forms of abuse, with our solutions.
From clicking on phishing emails to visiting malware dropper sites, our threat intelligence provides automatic protection for your users.
Data for Integration
Enhance your service and create competitive advantage by integrating Spamhaus’ world-class IP and domain reputation data.
Our products provide additional layers of security for networks and email. They also present security teams with additional insight into malicious behavior.
Border Gateway Protocol (BGP)
Block the worst of the worst at your network edge, taking advantage of your existing BGP-capable routers. Configuration only takes minutes.
Data Query Service (DQS)
Benefit from industry-leading real time blocklists. These DNSBLs easily plug into your existing email infrastructure to block spam and other email threats.
A powerful research tool to investigate relationships between internet infrastructures. Quickly pivot to new areas of concern to rapidly investigate potential threats.
Immediately block connections to dangerous sites, including phishing and malware dropper websites. A ‘set and forget’ solution.
Spamhaus Intelligence API
Threat intelligence data in API format to enable users to easily integrate metadata relating to threats with their own applications, programs, and products.
A wide range of datasets, providing multiple layers of protection. They can be plugged directly into your existing hardware, making them an affordable choice.
Border Gateway Protocol (BGP) Feeds
Do Not Route Or Peer (DROP) and Botnet Controller List (BCL) datafeeds can peer with your existing BGP-capable router.
Domain (DBL), Zero Reputation (ZRD) and Hash blocklists (HBL) enable you to block content in emails, filtering out a higher rate of email-borne threats.
Data for Investigation
Passive DNS and extended datasets give you additional information on internet resources. They provide deeper insights into incidents and possible threats.
DNS Firewall Threat Feeds
A wide range of feeds to apply to your DNS recursive server. Choose the right level of protection for your organization.
Spam (SBL), Policy (PBL), Exploits (XBL) and Auth (AuthBL) blocklists allow you to filter email from IPs associated with spam, botnets, and other threats.
Find out more about us.
Learn more about Spamhaus; who we are, and what we do.
Find out who we work with and how you can become a Spamhaus Partner.
Discover a wide range of blog posts, case studies and reports.
Commonly asked questions about Spamhaus products and processes.
The Blocklist Tester
A tool to help you check if your servers are correctly configured to use Spamhaus DNSBLs.
Help for Spamhaus Public Mirror users
Using the Project’s Public Mirrors and suddenly experiencing email issues? This page may be able to help.
In depth information about the technical details and implementation of our products.
Posted by Sarah Miller on 30 Nov 2021
I regularly get asked the above question, shortly after I've been asked the classic ice-breaker, "what do you do?" My response to the latter is, "I work in marketing for a company called Spamhaus." We then work through the inevitable "Spamwho?" to end up with 'What do they do?" I usually respond with a simple "cyber security" because that's generally as much as a layperson understands. I certainly don't mention "we're the authority on IP and domain reputation," because to be fair, not so many years ago, even I would have gone "what?"
I write this article for all of you out there who aren't deeply embedded in this industry because the people I work with are remarkable. The world should know what they are doing to quietly protect all those who say "Spamwho?" be that your grandma or the network nerd at work.
Spamhaus analyzes vast amounts of data and lists internet resources with poor reputation because they are connected with malicious activity.
Even that short sentence probably requires some explanation:
IT and security specialists use these lists of IP addresses and domains. They provide the industry with control and insight to protect their users from “badness,” i.e., malicious activities as outlined above. And when I say “users,” I mean you, reading this.
In a nutshell, with hard work, years of experience, and working with the broader internet community.
Let’s start with that final point, the broader internet community. Without a community sharing data, the internet would be like the wild west. In fact, that’s how it is often described when it was in its infancy.
BUT YOU CAN’T SHARE DATA (I hear you shouting). Correct. Personally identifiable information (PII) can’t be shared, nor should it be. Ever. However, the infrastructure that supports your internet-based activities has connections relating to them, be that sending an email, surfing the web, or logging into your company’s accounting system.
These connections don’t contain PII. Nonetheless, when analyzed, they can reveal if they are being used by bad actors to commit fraud, or in some cases, your local butcher who is naively spamming his customers with marketing emails.
Spamhaus has a vast network of sensors collecting connection data within networks. From government organizations around the world to industry-leading internet providers to specialized researchers and analysts. Oh, and let’s not forget internal spam traps and honey pots. Data comes from the four corners of this mortal coil.
At this point, you may be asking, “Why do people trust Spamhaus with this data?” It’s a fair question… that leads me onto “experience.”
Remember how I referred to the internet being a little bit like the wild west? Well, Spamhaus was founded in 1998 by Steve Linford. He didn’t like the amount of spam and abuse he was seeing on the internet, so he started listing IP addresses associated with it. Quickly this gained momentum as like-minded geeks (no offense Steve) from across the globe joined the fight against abuse on the internet.
The Spamhaus Project has been compiling IP and domain reputation lists for years. If you want to be involved with this kind of work, you want to work for Spamhaus. The Project’s researchers come from all different types of backgrounds across the world. Still, they have one vital thing in common – a passion for effecting change, moving the dial, and making the internet a safer place.
I know it all sounds rather righteous, but believe me, it’s true. You will be hard pushed to find a group of people more intent on doing what’s right for the internet. This driving force within Spamhaus demands ethical behavior.
So, given the experience, culture, and independence (we don’t answer to shareholders), you can understand why organizations far and wide trust us with this data.
Firstly, it’s probably wise to point out that the Spamhaus Project’s researchers and analysts have defined policies to follow. Opinion and bias don’t have a role to play in the listings. The policies, i.e., the criteria for what is listed, are carefully defined, honed over the years together with the industry to detect what internet resources are potentially malicious. And these policies work – recently, our researchers identified an email that wasn’t legitimate but was being sent from the FBI’s infrastructure. Someone had hacked into its system and was sending spam to numerous contacts.
Obviously, it isn’t just those busy hacking into the FBIs’ infrastructure that may trigger being listed. Many individuals and organizations get listed through naive behavior. Often it isn’t just one issue that can cause your IP or domain name to be listed, but several. For example, you may be hosting your website on shared infrastructure, along with a plethora of phishing websites. Or you could be emailing a vast number of contacts within the first week of registering your domain, without having any sort of authentication set up. Technical and behavioral issues like these could lead to being listed on the Domain Blocklist.
Numerous processes are used to analyze and apply reputation to the data, from machine learning to heuristics to manual investigations. Once an internet resource has met the criteria of the listing policy, it is… yes, you got it, listed.
It’s all very well listing all these IPs and domains. But how do people get their IPs and domains etc., removed from these blocklists?
There is the “Checker” that enables users who have their IP address or domain listed to search for the listing. The user can discover why they were listed in the first place, what they need to do to ensure they’re not listed again, and finally, request removal.
Once our researchers receive the removal request, they’ll confirm it’s genuine, try and answer any questions the user may have before finally approving removal.
Not so long ago, Alex, one of the Senior Threat Analysts, painstakingly worked with an elderly gentleman via the Checker to resolve the issues he was experiencing with sending mail. Between the two of them, they spent hours working out why he was being repeatedly listed. The problem was finally narrowed down to his doorbell that was sending spam! Read more about that in “When doorbells go rogue!”
Unsurprisingly, there are numerous removal requests by bad actors… because not everyone who gets listed on a blocklist is innocent, far from it. Some of our researchers have had death threats – no word of a lie. When you’re stopping a cybercriminal from making money, they can take it very personally.
While you may not have heard of Spamhaus, our IP and domain reputation data is currently protecting over 3 billion users.
This data is integrated into numerous well-known security software applications.
Internet Service Providers and hosting companies use it to help identify malicious behavior on their network.
The researchers, analysts, and engineers of the Spamhaus Project are the silent protectors of the internet. Cheesy. But true.
A note for anyone technical reading this – I know I have taken liberties in my interpretation of DNS and email. I am aware that anyone with in-depth knowledge of this area will be ranting as they read this article. Please forgive me; I have adopted the KISS (Keep it Simple Stupid) approach to help a layman understand what Spamhaus does. 🙂
 IP addresses – everything connected to the internet has an IP address, including your doorbell! Get the technical detail here – https://en.wikipedia.org/wiki/IP_address
 Domains – is the text that is mapped to an IP address. Get the technical detail here https://en.wikipedia.org/wiki/Domain_name
To ensure our DNSBLs protect your email stream, a simple tool is available called the Blocklist Tester. It’s quick and easy to use; once you have verified an email address associated with your email server, test emails are sent. These emails contain resources listed on our blocklists and should be rejected.
Once the test is complete, a full detailed report is available, and the SMTP exchange of each email sent is available to help you understand where any problems may lie in your configuration.
If you are using the Spamhaus Project’s Public Mirrors and are suddenly experiencing issues with your email stream, it is likely that you are having issues parsing newly introduced error codes.
We have collated all the information you need to help you understand what you need to do to fix the problem and find out why these error codes have been introduced.
This API provides access to metadata relating to IP addresses exhibiting compromised behavior, including malware, worm and trojan infections, and SMTP-specific traffic emitting spam.
The breadth of data available via an easily consumable API provides security developers with scores of opportunities.
Applied at the DNS level of your infrastructure, these threat feeds automatically stop users from accessing malicious sites including phishing and malware dropper websites.
These threat feeds can be integrated with existing recursive DNS servers, or for those who don’t manage their own DNS, we have a managed service available.
Our Passive DNS allows you to quickly and easily navigate through billions of DNS records to shine a spotlight on potentially malicious internet resources associated with your network or domain.
20 January 2022
Q4 update on the botnet command and controllers our researchers are observing, including geolocation and who is hosting them.
19 January 2022
Find out how many botnet controllers our researchers observed in 2021, who was hosting them and where.
19 November 2021
When a new top-level domain (TLD) is starting out, we understand that it needs to find its way to being commercially viable. But registries need to walk a fine line between profit and managing abuse on their TLD.