I regularly get asked the above question, shortly after I've been asked the classic ice-breaker, "what do you do?" My response to the latter is, "I work in marketing for a company called Spamhaus." We then work through the inevitable "Spamwho?" to end up with "What do they do?" I usually respond with a simple "cyber security" because that's generally as much as a layperson understands. I certainly don't mention "we're the authority on IP and domain reputation," because, to be fair, not so many years ago even I would have gone "what?" I write this article for all of you out there who aren't deeply embedded in this industry, because the people I work with are remarkable. The world should know what they are doing to quietly protect all those who say "Spamwho?", be that your grandma or the network nerd at work.

The basics of what Spamhaus does

Spamhaus analyzes vast amounts of data and lists internet resources with poor reputation because they are connected with malicious activity.

Even that short sentence probably requires some explanation:

  • By “internet resources,” I mean IP addresses [1], domains [2], cryptowallet addresses, email addresses, and malware files.
  • By “malicious activity,” I mean all sorts of “badness,” including ransomware, malware, phishing, and spam. I should note that Spamhaus’ definition of “spam” is “if the message was sent unsolicited and in bulk.”
  • By “vast amounts of data,” I mean that, on average over a 24-hour period, we assess and process approximately:
    • 4 billion SMTP connections (connections relating to emails)
    • 3 million domains
    • 18,000 malware samples

IT and security specialists use these lists of IP addresses and domains. They provide the industry with control and insight to protect their users from “badness,” i.e., malicious activities as outlined above. And when I say “users,” I mean you, reading this.

How are these IP and domain reputation lists compiled? 

In a nutshell, with hard work, years of experience, and working with the broader internet community.

Let’s start with that final point, the broader internet community. Without a community sharing data, the internet would be like the wild west. In fact, that’s how it is often described when it was in its infancy.

BUT YOU CAN’T SHARE DATA (I hear you shouting). Correct. Personally identifiable information (PII) can’t be shared, nor should it be. Ever. However, the infrastructure that supports your internet-based activities has connections relating to them, be that sending an email, surfing the web, or logging into your company’s accounting system.

These connections don’t contain PII. Nonetheless, when analyzed, they can reveal if they are being used by bad actors to commit fraud, or in some cases, your local butcher who is naively spamming his customers with marketing emails.

Data is shared from far and wide

Spamhaus has a vast network of sensors collecting connection data within networks, from government organizations around the world to industry-leading internet providers to specialized researchers and analysts. Oh, and let’s not forget internal spam traps and honey pots. Data comes from the four corners of this mortal coil.

At this point, you may be asking, “Why do people trust Spamhaus with this data?” It’s a fair question… that leads me onto “experience.”

Over two decades of operating independently & ethically

Remember how I referred to the internet being a little bit like the wild west? Well, Spamhaus was founded in 1998 by Steve Linford. He didn’t like the amount of spam and abuse he was seeing on the internet, so he started listing IP addresses associated with it. Quickly this gained momentum as like-minded geeks (no offense Steve) from across the globe joined the fight against abuse on the internet.

The Spamhaus Project has been compiling IP and domain reputation lists for years. If you want to be involved with this kind of work, you want to work for Spamhaus. The Project’s researchers come from all different types of backgrounds across the world. Still, they have one vital thing in common – a passion for effecting change, moving the dial, and making the internet a safer place.

I know it all sounds rather righteous, but believe me, it’s true. You will be hard pushed to find a group of people more intent on doing what’s right for the internet. This driving force within Spamhaus demands ethical behavior.

So, given the experience, culture, and independence (we don’t answer to shareholders), you can understand why organizations far and wide trust us with this data.

So, what do researchers do with all this data?

Compiling the listings without prejudice

Firstly, it’s probably wise to point out that the Spamhaus Project’s researchers and analysts have defined policies to follow. Opinion and bias don’t have a role to play in the listings. The policies, i.e., the criteria for what is listed, are carefully defined, honed over the years together with the industry to detect what internet resources are potentially malicious. And these policies work – recently, our researchers identified an email that wasn’t legitimate but was being sent from the FBI’s infrastructure. Someone had hacked into its system and was sending spam to numerous contacts.

Poor choices can lead to a blocklist listing

Obviously, it isn’t just those busy hacking into the FBI’s infrastructure that may trigger being listed. Many individuals and organizations get listed through naive behavior. Often it isn’t just one issue that causes your IP or domain name to be listed, but several. For example, you may be hosting your website on shared infrastructure, along with a plethora of phishing websites. Or you could be emailing a vast number of contacts within the first week of registering your domain, without having any sort of authentication set up. Technical and behavioral issues like these could lead to being listed on the Domain Blocklist.

What techniques do we use to process the data?

Numerous processes are used to analyze and apply reputation to the data, from machine learning to heuristics to manual investigations. Once an internet resource has met the criteria of the listing policy, it is… yes, you got it, listed.

Removing IPs and domains from a Spamhaus listing

It’s all very well listing all these IPs and domains. But how do people get their IPs, domains, etc. removed from these blocklists?

There is the “Checker” that enables users who have their IP address or domain listed to search for the listing. The user can discover why they were listed in the first place, what they need to do to ensure they’re not listed again, and finally, request removal.

Once our researchers receive the removal request, they’ll confirm it’s genuine and try to answer any questions the user may have before finally approving removal.

A helping hand to those less technically savvy

Not so long ago, Alex, one of the Senior Threat Analysts, painstakingly worked with an elderly gentleman via the Checker to resolve the issues he was experiencing with sending mail. Between the two of them, they spent hours working out why he was being repeatedly listed. The problem was finally narrowed down to his doorbell that was sending spam! Read more about that in “When doorbells go rogue!”

This is a serious business

Unsurprisingly, there are numerous removal requests by bad actors… because not everyone who gets listed on a blocklist is innocent, far from it. Some of our researchers have had death threats – no word of a lie. When you’re stopping a cybercriminal from making money, they can take it very personally.

What has all this got to do with you?

While you may not have heard of Spamhaus, our IP and domain reputation data is currently protecting over 3 billion users.

This data is integrated into numerous well-known security software applications.

Internet Service Providers and hosting companies use it to help identify malicious behavior on their network.

The researchers, analysts, and engineers of the Spamhaus Project are the silent protectors of the internet. Cheesy. But true.


A note for anyone technical reading this – I know I have taken liberties in my interpretation of DNS and email. I am aware that anyone with in-depth knowledge of this area will be ranting as they read this article. Please forgive me; I have adopted the KISS (Keep it Simple Stupid) approach to help a layman understand what Spamhaus does. 🙂

___________________________

[1] IP addresses – everything connected to the internet has an IP address, including your doorbell! Get the technical detail here – https://en.wikipedia.org/wiki/IP_address

[2] Domains – a domain is the human-readable name that is mapped to an IP address. Get the technical detail here – https://en.wikipedia.org/wiki/Domain_name

The Blocklist Tester

To ensure our DNSBLs protect your email stream, a simple tool is available called the Blocklist Tester. It’s quick and easy to use: once you have verified an email address associated with your email server, test emails are sent to it. These emails contain resources listed on our blocklists and should be rejected by a correctly configured server.

Once the test is complete, a full detailed report is available, and the SMTP exchange of each email sent is available to help you understand where any problems may lie in your configuration.

  • It's free to use for any Spamhaus DNSBL user
  • Multiple test scenarios - SMTP, content or both
  • Detailed test reports for troubleshooting

Help for Spamhaus Public Mirror Users

If you are using the Spamhaus Project’s Public Mirrors and are suddenly experiencing issues with your email stream, it is likely that you are having issues parsing newly introduced error codes.

We have collated all the information you need to help you understand what you need to do to fix the problem and find out why these error codes have been introduced.

  • What has happened to impact your email stream?
  • Why were these measures implemented?
  • What can you do to quickly resolve the issue?
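The parsing problem hinted at above is that a DNSBL answer in the 127.255.255.x range signals a problem with the query itself, not a listing. The following is an added example, not Spamhaus' own code: it builds the reversed-octet query name and classifies an answer so that error codes are never treated as "listed". The zone name and the three error-code meanings are taken from Spamhaus' public documentation, not from this page, and the sample answers are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# Assumed zone (Spamhaus' combined DNSBL zone; not named on this page).
ZONE = "zen.spamhaus.org"

# Spamhaus-documented query-error return codes (not on this page).
# Any of these means the lookup failed; the sender is NOT listed.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL name / wrong query",
    "127.255.255.254": "query sent via a public/open resolver",
    "127.255.255.255": "query rate limit exceeded",
}

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/24")  # 127.0.0.x = listed


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """192.0.2.1 -> 1.2.0.192.<zone>; raises ValueError on a bad address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_answer(answer: Optional[str]) -> Tuple[str, str]:
    """Map a DNSBL A-record answer (None for NXDOMAIN) to (verdict, detail)."""
    if answer is None:
        return ("not_listed", "NXDOMAIN")
    if answer in ERROR_CODES:
        return ("error", ERROR_CODES[answer])
    try:
        addr = ipaddress.IPv4Address(answer)
    except ValueError:
        return ("error", f"malformed answer {answer!r}")
    if addr in LISTED_RANGE:
        return ("listed", f"return code {answer}")
    # Anything else is unexpected: fail open rather than reject legitimate mail.
    return ("error", f"unexpected answer {answer}")


def should_reject(answer: Optional[str]) -> bool:
    """An MTA should reject only on a genuine listing, never on an error code."""
    return classify_answer(answer)[0] == "listed"


# Constructed sample answers, as an MTA might receive them.
SAMPLE_ANSWERS = {
    "127.0.0.2": "listed",           # a real listing
    "127.255.255.254": "error",      # open-resolver error, not a listing
    None: "not_listed",              # NXDOMAIN
}
```

A mail server that treats every 127.x answer as a listing will start rejecting all inbound mail the moment it receives one of the error codes, which is exactly the symptom described above.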

Spamhaus Intelligence API (SIA)

This API provides access to multiple datasets containing metadata relating to compromised IP addresses. These IP addresses may be exhibiting compromised behavior, including malware, worm, and trojan infections; SMTP-specific traffic emitting spam; or use by cybercriminals to control infected computers (botnet command & control).

The breadth of data available via an easily consumable API provides security developers with scores of opportunities.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust

DNS Firewall Threat Feeds

Applied at the DNS level of your infrastructure, these threat feeds automatically stop users from accessing malicious sites including phishing and malware dropper websites.

These threat feeds can be integrated with existing recursive DNS servers, or for those who don’t manage their own DNS, we have a managed service available.

  • Reduce IT costs
  • Set and forget
  • Save money on risk insurance

Passive DNS

Our Passive DNS allows you to quickly and easily navigate through billions of DNS records to shine a spotlight on potentially malicious internet resources associated with your network or domain.

  • Reduce investigation times
  • Enrich data sources
  • Protect customers and end-users
