
The Spamhaus Exploits Blocklist (XBL) is a comprehensive blocklist that is updated in near real-time

XBL lists the IP addresses of devices that are infected with malware, worms, and Trojans; third-party exploits, such as open proxies; or devices controlled by botnets. The constantly updated list is designed to protect networks from malware and spam by preventing mailservers and routers from accepting connections from compromised computing devices.

Mailservers can be configured to block connections from IPs that are listed on the XBL. Routers can also be configured to prevent XBL-listed computers from accessing their networks. By blocking connections from compromised computers, the Spamhaus XBL helps to reduce the distribution of malware and spam and can be used to mitigate DDoS attacks.

Any IP address that exhibits behaviour consistent with malware infection and botnet command and control activity is added to the XBL

XBL is the Spamhaus brand name for its Composite Block List (CBL). The CBL team uses automated tools to observe SMTP connections to a vast number of mailservers and spam traps. Any IP address that exhibits behaviour consistent with malware infection and botnet command and control activity is added to the XBL.

This blocklist comprises individual IP addresses of computers that have been observed to be involved in sending malicious email, rather than IP address ranges or networks.

The XBL only lists IP addresses of computing devices that attempt to send malicious spam. IP addresses that are not used to send email will not be included in the XBL, even if they are involved in other malicious activity.

IP addresses can be quickly removed from the XBL once malware has been removed from individual devices, and XBL listings automatically expire after 72 hours.

XBL is part of the combined Spamhaus domain name server block list (DNSBL) service, comprising SBL, XBL and PBL (see Spamhaus Zen).

How Spamhaus XBL works:

The mailserver's DNSBL feature is configured to query the XBL whenever another IP address attempts to deliver email to it. System administrators can configure the mailserver to perform one of the following tasks whenever a connection is requested from an IP address listed in the XBL:

  • Refuse the connection and reject delivery of the email message
  • Accept the connection, but save the email in a system spam folder
  • Accept the connection but tag the email as **SPAM** and deliver it to the recipient, to enable them to decide whether the message is legitimate (a false positive)
  • Accept the connection, but silently drop the email message
  • Configure the mailserver to delay transmission of emails after a certain number of messages have been received, to combat spammers sending bulk emails: a practice known as ‘tar pitting.’ For example, 10,000 emails that have a 2 second delay added for every 20 emails sent would be subject to a 5 hour delay.
  • Follow the policy set by the systems administrator
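
The lookup and policy decision described above, as an added example (not Spamhaus code or code from this page). The zone name `xbl.spamhaus.org` and the return codes come from Spamhaus's public DNSBL documentation rather than this page; the action names and the sample IPs and replies are constructed for illustration.

```python
import ipaddress
import socket

XBL_ZONE = "xbl.spamhaus.org"  # assumption: the zone name is not given on this page
# Return codes per Spamhaus's public DNSBL documentation: 127.0.0.4-7 mean XBL-listed.
XBL_CODES = {ipaddress.ip_address(f"127.0.0.{n}") for n in range(4, 8)}


def dnsbl_name(ip, zone=XBL_ZONE):
    """Build the query name: the IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A records for name; NXDOMAIN or any lookup failure gives []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def classify(answers):
    """Map the A records of a DNSBL reply to listed / not_listed / error."""
    if not answers:
        return "not_listed"
    if any(ipaddress.ip_address(a) in XBL_CODES for a in answers):
        return "listed"
    # Anything else (127.255.255.x error codes for blocked or over-quota
    # resolvers, or a non-127 address from a rewriting resolver) is not a listing.
    return "error"


def decide(ip, resolver=system_resolver, on_listed="reject"):
    """Pick an action for a connecting IP; action names are hypothetical labels."""
    status = classify(resolver(dnsbl_name(ip)))
    if status == "listed":
        return on_listed
    return "accept_and_log" if status == "error" else "accept"


if __name__ == "__main__":
    # Constructed replies keyed by query name, so the demo runs offline.
    fake = {"10.2.0.192.xbl.spamhaus.org": ["127.0.0.4"]}
    for ip in ("192.0.2.10", "192.0.2.20"):
        print(ip, decide(ip, resolver=lambda n: fake.get(n, [])))
```

Treating an error reply as a listing would reject legitimate mail whenever the resolver is blocked or over quota, which is why `classify` keeps the two cases apart.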

How to benefit from XBL

  • Spamhaus Technology subscribers with more than 5,000 users can access near real-time XBL updates via rsync
  • Spamhaus Technology datafeed subscribers can configure their servers to query a designated datafeed mirror.
  • For users undertaking fewer than 100,000 XBL queries a day, mailservers can be configured to query, or, via a public mirror.
  • Within IT environments where it is not practical to use XBL on a mailserver, anti-spam filters, such as SpamAssassin, can also be configured to check XBL.


Our customers

Many of the world’s largest internet service providers rely on Spamhaus threat intelligence to block harmful email traffic and protect their customers.

