Have you been blocked?
All blocklists are researched and managed by The Spamhaus Project.
Simply click on the link below, which will take you to the Project’s IP and Domain Reputation Checker. From here you will be able to enter your IP or Domain and begin your request for removal.
Please note that the Project’s IP and Domain Reputation Checker is the only place where removals are handled.
IT and security teams consistently face multiple business challenges. Discover how our solutions can help overcome some of those issues.
From processing issues, to email-borne threats our blocklists easily integrate with your current email set-up to improve anti-spam & anti-virus email filtering.
Employ our threat intelligence to increase visibility across security events, reveal potential weaknesses in your network, and threats to your brand.
Stay on top of the latest threats and proactively combat botnet infections, and other forms of abuse, with our solutions.
From clicking on phishing emails to visiting malware dropper sites, our threat intelligence provides automatic protection for your users.
Our products provide additional layers of security for networks and email. They also present security teams with additional insight into malicious behavior.
Border Gateway Protocol (BGP)
Block the worst of the worst at your network edge, taking advantage of your existing BGP-capable routers. Configuration only takes minutes.
Data Query Service (DQS)
Benefit from industry-leading real time blocklists. These DNSBLs easily plug into your existing email infrastructure to block spam and other email threats.
A powerful research tool to investigate relationships between internet infrastructures. Quickly pivot to new areas of concern to rapidly investigate potential threats.
Immediately block connections to dangerous sites, including phishing and malware dropper websites. A “˜set and forget’ solution.
Spamhaus Intelligence API
Threat intelligence data in API format to enable users to easily integrate metadata relating to threats with their own applications, programs, and products.
A wide range of datasets, providing multiple layers of protection. They can be plugged directly into your existing hardware, making them an affordable choice.
Border Gateway Protocol (BGP) Feeds
Do Not Route Or Peer (DROP) and Botnet Controller List (BCL) datafeeds can peer with your existing BGP-capable router.
Domain (DBL), Zero Reputation (ZRD) and Hash blocklists (HBL) enable you to block content in emails, filtering out a higher rate of email-borne threats.
Data for Investigation
Passive DNS and extended datasets give you additional information on internet resources. They provide deeper insights into incidents and possible threats.
DNS Firewall Threat Feeds
A wide range of feeds to apply to your DNS recursive server. Choose the right level of protection for your organization.
Spam (SBL), Policy (PBL), Exploits (XBL) and Auth (AuthBL) blocklists allow you to filter email from IPs associated with spam, botnets, and other threats.
Find out more about us.
Learn more about Spamhaus; who we are, and what we do.
Find out who we work with and how you can become a Spamhaus Partner.
Discover a wide range of blog posts, case studies and reports.
Commonly asked questions about Spamhaus products and processes.
In depth information about the technical details and implementation of our products.
Frequently asked questions relating to our products and data. if you have a question that isn't answered here please feel free to contact us with it.
Anyone or any network that has the ability to block or filter IP address ranges on their network by using router equipment can use BGP data feeds.
The DROP list contains network ranges which can cause so much damage that Spamhaus provides it to all, free-of-charge. We believe that due to the vital nature of the DROP list data, it will be available free-of-charge to any place, regardless of size or business type, to protect internet users. If you wish to redistribute the plain text feeds, name Spamhaus as source of the data and retain both the copyright statement and the date & time stamps at the top of the text file.
The Developer License is available for 6 months.
If your email management system indicates that your emails are not being delivered, then a first step is to check the affected IP addresses or domains using the lookup tool on the Spamhaus Blocklist Removal Center.
The listings for both IP addresses and domains are maintained & controlled exclusively by The Spamhaus Project, which has clear procedures for dealing with list removals. Spamhaus Technology and its Authorised Partners manage the datafeed services and associated infrastructure for the threat intelligence listings developed by The Spamhaus Project. The content & policy of listings are exclusively maintained & controlled by The Spamhaus Project.
Yes. The Developer License can be renewed after 6 months.
If you’re not sure how well the Spamhaus Blocklists/DNSBLs will perform to reduce incoming spam on your network, and your email traffic is too high to test using our free public DNS mirrors, you can test the Data Query Service service offered by Spamhaus for 30 days, free of charge and with no obligations.
5,000 queries per month are including in the Developer License.
Customers will be able to plug the Spamhaus Intelligence API (SIA) into a SIEM device, however, they will need to develop a connector of some type unless the SIEM can make API calls natively.
A ‘hijacked netblock’ is a netblock brought back from the dead, also called a ‘zombie netblock’. The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys including registering an abandoned domain name to accept email to the point-of-contact domain contact, or printing up bogus letterhead, or doing a bit of social engineering over the telephone. Some hijackers even outright steal IP space that is allocated to someone else, just by announcing it under their Border Gateway Protocol (BGP) Autonomous System Number (ASN).
ASNs can be hijacked too. Old abandoned ASNs are taken by a spammer, or spammer supplier, to announce various IP ranges. It’s quite possible to have a hijacked netblock advertised by a hijacked ASN!
The choice of which service to apply for, Datafeed Query Service or Datafeed Rsync Service, depends on how big your network is, and how high your email traffic is.
If you have 1,000’s of users and very high email traffic, or you want to serve our DNSBL data locally to multiple mail servers on your network, we recommend you use the Rsync Service. The Rsync Service requires some setup on your end (requires you also set up Rbldnsd) and usually a dedicated server (although you can also run Rbldnsd on the same machine as your DNS server). The Rsync Service should only be chosen if you understand why you want Rsync/Rbldnsd.
If your network is medium-sized, small, or you want a uncomplicated solution with no software to install, the best choice is the Datafeed Query Service (DQS). With this service the Datafeed Service Group assigns you a unique account ID and access to a set of private Datafeed Query Service servers. The Query Service is very simple to install (it should take you literally one minute to set up on most moderns mail servers). It requires no extra software or servers.
Both services have the same performance. You can switch from Query Service to Rsync Service later on if you find reason to need Rsync Service.
If free additional query volumes are needed for short testing periods, please contact our team, providing your use case and requirements.
The application process is designed to allow organizations to initiate an application without committing to taking the service or making a payment, until they are satisfied with the service and have agreed to the service terms. The process is:
Data received from subscribers contains no Personally Identifiable Information (PII) so there is no compromise of organizational, customer or employee data. All data is transported to Spamhaus with encryption in place.
Passive DNS does not store which client (or person) made a query, just the fact that at some point in time, a domain has been associated with a specific DNS record . This ensures that privacy is maintained throughout the system.
It is a yearly subscription.
BGP datafeeds are designed to serve null advisories to ISPs or network providers using BGP, which is implemented on the router level. However, Spamhaus also offers the DROP list in plain text format which can be implemented using nearly any kind of device or software (eg. Network gateways, Firewalls, Web-proxies etc).
Spamhaus Technology and its Partners manage the datafeed services and associated infrastructure for the threat intelligence listings developed by The Spamhaus Project.
The content & policy of listings, for IP addresses and domains, are maintained & controlled exclusively by The Spamhaus Project which has clear procedures for dealing with list removals. Please start by using the Spamhaus Blocklist Removal Center lookup tool, and follow the instructions from there.
This is done via an API call as detailed in our technical documentation.
There are two query limits: Soft and hard. The soft limit will generate a warning email. The hard limit will prevent access. Further information can be found in our technical documentation.
No. If you adopt the BGP data feeds or the botnet C&C list in your network, you are not allowed to redistribute the feed to other networks. The export of these feeds/prefixes to other networks is prohibited. Please see our Terms & Conditions.
Spamhaus wants to ensure that its data is only given to reputable and qualified organizations, therefore we need to know who you are before offering you access to Spamhaus data.
The Spamhaus Service Agreement is between you and Spamhaus and our Partners. You can view these service terms when you sign up for a free trial or free service account, before clicking submit.
As a Spamhaus customer, you also have access to the Spamhaus Service Agreement via the Customer Portal, which can be downloaded in PDF format.
Currently, the Extended Exploits Blocklists (eXBL) is available via SIA. However, there are plans to introduce additional datasets soon.
Please DO NOT auto-fetch the DROP list more than once per hour.
The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled.
Yes. Where volume and usage hasn’t changed for a customer, we adjust pricing approximately every two years in line with inflation and market value. For customers whose usage has changed their pricing will be changed accordingly, annually on renewal. There will be exceptional cases where changes may be made mid-contract, where usage is greatly exceeding contracted limits.
Only CIDR formats up to /24 can queried in SIA.
Spamhaus evaluates every Datafeed service application to ensure the applicant is bona fide, and is not involved in the provision or support of spam services. We reserve the right to refuse a service at our discretion.
Refusal may be due to a number of issues, including supplying to ISPs with excessive listings on any of our datasets. Everyone who uses the internet has a responsibility to keep it a safe environment. Any ISPs who we deem to have excessive abuse on their network, and are doing little to remediate the issues will not get access to our data.
The datasets accessed via the API are built from our broad-reaching sensor network, the same that is used to compile our DNS Blocklists. Through machine learning, heuristics and manual investigation connections are analyzed to identify indicators of compromise.
DNS Firewall Threat Feeds are Response Policy Zone (RPZ) feeds that provide automatic protection against phishing sites and malware downloads. They are delivered in industry standard RPZ format which allows a recursive DNS resolver to choose specific actions to be performed. This includes dropping, blocking, and passing through traffic.
There are many networks, domains, and IP addresses on the internet whose sole purpose is to cause harm to or steal information from unsuspecting users who visit their servers and sites.
For example: a phishing domain, created for the sole purpose of stealing data, can be used for a spam campaign that is sent to users on your network asking them to verify their account. The email is received and is not blocked by your spam filtering, so the message gets delivered into your user’s inbox. When the user clicks on the link to verify their account, because the site is listed in the Threat Feeds, their computer is unable to resolve the phishing website.
This action will protect your user from surrendering their personal information, and potentially prevent their workstation from becoming infected with botnet software. Blocking malicious content also offers you the potential to educate your users immediately.
While it is possible that the current hardware that is running your DNS resolver may be able to handle processing of DNS Firewall Threat Feeds, we recommend the following hardware configuration:
8 core CPU
8 gigabytes of RAM
Bare-metal dedicated server
For software the most recent version of BIND must be installed. Note: many of the yum, apt-get, and dnf repositories will have an out of date version available. It is recommended that updates to BIND be downloaded directly from ISC.
In most cases, a DNS resolver will return an NXDOMAIN (invalid domain) response when is matched against a threat feed listing. However, it is possible to point to an internal IP resource that will allow the block to redirect to an informational page that can provide a warning, some education, or insight into why something was blocked.
Rbldnsd defines a few different dataset types. To optimize performance and memory usage, we recommend Datafeed users to choose ip4set for SBL and SWL, ip4trie for PBL, and ip4tset for XBL.
However, using ip4tset will result in a return code 127.0.0.4 for all XBL listings. In the majority of cases this is acceptable, but if you need to distinguish between the different XBL return codes you should use ip4set also for XBL.
DBL and DWL must always use the dnset dataset type.
Public mirrors are required to use ip4set for all the IP zones, and dnset for DBL and DWL.
The major part of spam filtering done by appliances such as the Barracuda is DNSBL filtering. If you are using any Spamhaus lookup in any part of a Barracuda or similar spam filter appliance you must ensure that you have a current Spamhaus Data Query Service (DQS) subscription.
Historically, we have had cases of people using the Free Spamhaus Public Mirrors in conjunction with Barracuda appliances. This is an abuse of the Free Public Mirrors usage terms: If an organization’s email volume is big enough to require a Barracuda or similar spam filter appliance, then it almost certain that their usage will be above the limits applied to the free public DNSBL servers. Due to substained abuse of these public mirrors, and the Free low-volume DQS account, a control system has been implemented, and over-queriers will be flagged and blocked.
Please ensure that if you are using Spamhaus DNSBLs in any part of your corporate spam filtering setup, you have a current Spamhaus DQS subscription.
DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list.
The EDROP list includes net blocks controlled by professional spammers and cyber criminals that are not directly allocated, thus it will contain only netblocks that are sub-allocations.