What does Spamhaus do?

The basics of what Spamhaus does

Spamhaus analyzes vast amounts of data and lists internet resources with poor reputation because they are connected with malicious activity.

Even that short sentence probably requires some explanation:

• By “internet resources,” I mean IP addresses [1], domains [2], cryptowallet addresses, email addresses, and malware files.
• By “malicious activity,” I mean all sorts of “badness,” including ransomware, malware, phishing, and spam. I should note that Spamhaus’ definition of “spam” is “if the message was sent unsolicited and in bulk.”
• By “huge amounts of data,” I mean on average over a 24 hour period we assess and process approximately:
  • 4 billion SMTP connections (connections relating to emails)
  • 3 million domains
  • 18,000 malware samples

IT and security specialists use these lists of IP addresses and domains. They provide the industry with control and insight to protect their users from “badness,” i.e., malicious activities as outlined above. And when I say “users,” I mean you, reading this.

How are these IP and domain reputation lists compiled? 

In a nutshell, with hard work, years of experience, and working with the broader internet community.

Let’s start with that final point, the broader internet community. Without a community sharing data, the internet would be like the wild west. In fact, that’s how it is often described when it was in its infancy.

BUT YOU CAN’T SHARE DATA (I hear you shouting). Correct. Personally identifiable information (PII) can’t be shared, nor should it be. Ever. However, the infrastructure that supports your internet-based activities has connections relating to them, be that sending an email, surfing the web, or logging into your company’s accounting system.

These connections don’t contain PII. Nonetheless, when analyzed, they can reveal if they are being used by bad actors to commit fraud, or in some cases, your local butcher who is naively spamming his customers with marketing emails.

Data is shared from far and wide

Spamhaus has a vast network of sensors collecting connection data within networks. From government organizations around the world to industry-leading internet providers to specialized researchers and analysts. Oh, and let’s not forget internal spam traps and honey pots. Data comes from the four corners of this mortal coil.

At this point, you may be asking, “Why do people trust Spamhaus with this data?” It’s a fair question… that leads me onto “experience.”

Over two decades of operating independently & ethically

Remember how I referred to the internet being a little bit like the wild west? Well, Spamhaus was founded in 1998 by Steve Linford. He didn’t like the amount of spam and abuse he was seeing on the internet, so he started listing IP addresses associated with it. Quickly this gained momentum as like-minded geeks (no offense Steve) from across the globe joined the fight against abuse on the internet.

The Spamhaus Project has been compiling IP and domain reputation lists for years. If you want to be involved with this kind of work, you want to work for Spamhaus. The Project’s researchers come from all different types of backgrounds across the world. Still, they have one vital thing in common – a passion for effecting change, moving the dial, and making the internet a safer place.

I know it all sounds rather righteous, but believe me, it’s true. You will be hard pushed to find a group of people more intent on doing what’s right for the internet. This driving force within Spamhaus demands ethical behavior.

So, given the experience, culture, and independence (we don’t answer to shareholders), you can understand why organizations far and wide trust us with this data.

So, what do researchers do with all this data?

Compiling the listings without prejudice

Firstly, it’s probably wise to point out that the Spamhaus Project’s researchers and analysts have defined policies to follow. Opinion and bias don’t have a role to play in the listings. The policies, i.e., the criteria for what is listed, are carefully defined, honed over the years together with the industry to detect what internet resources are potentially malicious. And these policies work – recently, our researchers identified an email that wasn’t legitimate but was being sent from the FBI’s infrastructure. Someone had hacked into its system and was sending spam to numerous contacts.

Poor choices can lead to a blocklist listing

Obviously, it isn’t just those busy hacking into the FBIs’ infrastructure that may trigger being listed. Many individuals and organizations get listed through naive behavior. Often it isn’t just one issue that can cause your IP or domain name to be listed, but several. For example, you may be hosting your website on shared infrastructure, along with a plethora of phishing websites. Or you could be emailing a vast number of contacts within the first week of registering your domain, without having any sort of authentication set up. Technical and behavioral issues like these could lead to being listed on the Domain Blocklist.

What techniques do we use to process the data?

Numerous processes are used to analyze and apply reputation to the data, from machine learning to heuristics to manual investigations. Once an internet resource has met the criteria of the listing policy, it is… yes, you got it, listed.

Removing IPs and domains from a Spamhaus listing

It’s all very well listing all these IPs and domains. But how do people get their IPs and domains etc., removed from these blocklists?

There is the “Checker” that enables users who have their IP address or domain listed to search for the listing. The user can discover why they were listed in the first place, what they need to do to ensure they’re not listed again, and finally, request removal.

Once our researchers receive the removal request, they’ll confirm it’s genuine, try and answer any questions the user may have before finally approving removal.

A helping hand to those less technically savvy

Not so long ago, Alex, one of the Senior Threat Analysts, painstakingly worked with an elderly gentleman via the Checker to resolve the issues he was experiencing with sending mail. Between the two of them, they spent hours working out why he was being repeatedly listed. The problem was finally narrowed down to his doorbell that was sending spam! Read more about that in “When doorbells go rogue!”

This is a serious business

Unsurprisingly, there are numerous removal requests by bad actors… because not everyone who gets listed on a blocklist is innocent, far from it.  Some of our researchers have had death threats – no word of a lie. When you’re stopping a cybercriminal from making money, they can take it very personally.

What has all this got to do with you?

While you may not have heard of Spamhaus, our IP and domain reputation data is currently protecting over 3 billion users.

This data is integrated into numerous well-known security software applications.

Internet Service Providers and hosting companies use it to help identify malicious behavior on their network.

The researchers, analysts, and engineers of the Spamhaus Project are the silent protectors of the internet. Cheesy. But true.

A note for anyone technical reading this – I know I have taken liberties in my interpretation of DNS and email. I am aware that anyone with in-depth knowledge of this area will be ranting as they read this article. Please forgive me; I have adopted the KISS (Keep it Simple Stupid) approach to help a layman understand what Spamhaus does. 🙂

___________________________

[1] IP addresses – everything connected to the internet has an IP address, including your doorbell! Get the technical detail here – https://en.wikipedia.org/wiki/IP_address

[2] Domains – is the text that is mapped to an IP address. Get the technical detail here https://en.wikipedia.org/wiki/Domain_name