Spamhaus: What All Bulk Email Senders Need to Know

Before we discuss what Spamhaus is and what it does, let’s talk about spam mail first. If someone asked you for the approximate percentage of spam among all incoming emails in the US and Europe, what would be your best guess? 40%? 50%? More? Less?

In North America, Europe and Australasia, 90% of the incoming email could be spam – the number can be as high as 96%.

Source: Spamhaus

If you send a number of emails, you need to know what Spamhaus is and what it does. This post covers what Spamhaus is, what it does, and the different blocklists it maintains. Finally, we will answer some of the most frequently asked questions about Spamhaus.

In the next post, we’ll answer additional questions, mainly about how to get out of Spamhaus blocklists.

About Spamhaus

The Spamhaus Project, mostly known as Spamhaus, is a not-for-profit body that works to track spam and minimize the risks of spam or malicious emails. It maintains realtime information on spammers. 

Since it was founded in 1998, Spamhaus has been working with email service providers, internet service providers, security agencies, business organizations, and governments. This helps prevent malware, spam, phishing, and other fraudulent activities from harming users. It is currently headquartered in Andorra.

The Spamhaus blocklists

The Spamhaus blocklist is a list of all IP addresses of known spammers that Spamhaus maintains. A realtime database, the Spamhaus blocklist (SBL) includes spammers, cyber criminals, phishing operators, support services (like hosting) that assist spammers through various services, and other bad actors.

In addition to that, it also lists potential spammers, many of whom send Unsolicited Bulk Email (UBE). There are several email marketing mistakes you might commit, some of which could be serious and land you in the blocklist.

For instance, the blocklist can also include perfectly legitimate organizations and businesses whose main offense is sending emails in big numbers without the recipients’ permission. So if you scrape email addresses or purchase email lists and then send emails to these addresses, Spamhaus will very likely list you.

All in all, being on the Spamhaus blocklist is bad. Your reach can come crumbling down if you are on the list. The best thing to do is to follow best practices that’d keep you off the list.

That’s because getting out of the blocklist is typically time-consuming. Besides, it is expensive in terms of lost opportunities and costs of resources you need to dedicate or hire in order to address the issue.

What are the different blocklists that Spamhaus maintains

To make sure their threat intelligence is highly accurate and all-encompassing, Spamhaus technology maintains multiple blocklists.

Here are the lists and associated terms you need to understand:

  • SBL
  • XBL
  • PBL
  • DBL
  • ZEN
  • DROP

The Spamhaus Block List (SBL)

Think of the SBL as a list of rejection-worthy IP addresses: if an IP is listed on the SBL, it’s best not to accept email from it. Email systems on the internet can query the SBL (formally speaking, the SBL Advisory) to check whether an IP address is listed. If it is, your mailbox admin can block requests from that IP.

The SBL lists both the spammer’s IP and the spammer’s URL. A query for an SBL-listed IP returns the code 127.0.0.2.

If the Spamhaus team is satisfied that the issues that led to an IP being listed are resolved, it will delist the IP.

Exploits Block List (XBL)

Sometimes, systems and PCs are inadvertent senders of unsolicited email. That typically happens when the system is hijacked and infected. This infection, in turn, could have been a result of worms, trojan-horses, open proxies and the like.

Like the SBL, the XBL is also a part of ZEN.

Policy Block List (PBL)

The IPs are listed on other blocklists because they are proven (or suspected) spammers. In contrast, IP addresses are listed on PBL for a slightly different reason. 

Some IPs are not supposed to send emails to MX servers of third parties, except to a set designated by the ISP.

Consider the IPs that ISPs may have assigned to broadband customers. Their function is to carry out a specified service; sending emails is not a part of their normal activity. If they start sending emails, they’d be placed on the PBL.

It’s worthwhile to note that the email ecosystem hasn’t completely banned these IPs from sending emails – it’s just that they can send emails to only a few, pre-defined MX servers.

The Domain Block List (DBL)

Like the other blocklists, this is a queryable database. It contains the names of all the domains that have a poor reputation.

A domain can violate various policies and thus fall into the DBL. This happens automatically without the need for human intervention. A set of complex rules decide which domains Spamhaus will list under the DBL. These rules, in turn, draw their inputs from multiple sources and email flows.

However, the Spamhaus teams can also manually add erring domains to the DBL.

ZEN

You could use the word masterlist for ZEN. That’s because ZEN is actually the combination of all the lists: SBL, XBL, and PBL blocklists.

If you’re looking to configure your IP blocklist, be sure to include only ZEN. Do not combine ZEN along with other Spamhaus IP blocklists, like the SBL or PBL.

By using the ZEN list along with the other blocklists, you will only slow down your queries. That’s because duplication will lengthen the query, since the system will check with ZEN as well as the other blocklist (say SBL). 
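To make the single-query point concrete, here is an added example (not from the original post and not Spamhaus's own code) that builds a ZEN lookup name and decodes the answer. The function names are hypothetical, and the return codes other than 127.0.0.2 come from Spamhaus's published documentation rather than this article; codes in 127.255.255.0/24 signal a refused or malformed query and must never be treated as a listing.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# Return codes per Spamhaus's published documentation (only 127.0.0.2 is in this article).
LISTS = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)", "127.0.0.9": "SBL (DROP)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
ERRORS = ipaddress.ip_network("127.255.255.0/24")  # query problem, not a listing


def query_name(ip: str, zone: str = ZONE) -> str:
    """Build the lookup name: reversed octets (IPv4) or nibbles (IPv6) plus the zone."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer ends in ".in-addr.arpa" or ".ip6.arpa"; strip those two labels.
    return addr.reverse_pointer.rsplit(".", 2)[0] + "." + zone


def classify(a_records: list) -> dict:
    """Turn the A records from one ZEN answer into a verdict."""
    listed, errors, unknown = set(), [], []
    for rec in a_records:
        if ipaddress.ip_address(rec) in ERRORS:
            errors.append(rec)          # fail open: do not reject mail on these
        elif rec in LISTS:
            listed.add(LISTS[rec])
        else:
            unknown.append(rec)         # unrecognised code: log it, do not reject
    return {"listed": sorted(listed), "errors": errors,
            "unknown": unknown, "reject": bool(listed)}


def lookup(ip: str) -> dict:
    """Live query; NXDOMAIN or any resolution failure is treated as not listed."""
    try:
        _, _, records = socket.gethostbyname_ex(query_name(ip))
    except socket.gaierror:
        records = []
    return classify(records)


if __name__ == "__main__":
    # Constructed answers for illustration, not real lookups.
    print(query_name("192.0.2.25"))
    print(classify(["127.0.0.2", "127.0.0.4"]))   # one query, two component lists
    print(classify(["127.255.255.254"]))          # error code, must not reject
```

One ZEN answer can carry several A records, which is why querying SBL or PBL separately alongside ZEN adds latency without adding information.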

Worried about where your email is landing? Check out our post where we discuss and explain email deliverability, along with its best practices.

Don’t Route Or Peer (DROP)

The DROP list, which actually is tiny when you compare it to the SBL, consists of originators of malicious message traffic. Even if the number in this blocklist may be small (no one can know for sure), their impact could be more serious. 

That’s because this list has actual cyber-crime operations and distributors of all forms of botnet controllers and malware. It’s highly likely that a considerable number of those on the list could have leased their infrastructure to spammers and they are guilty beyond doubt. It’s also possible that a few of these were hijacked.

As a result, this list is an advisory “drop all traffic” list. Firewalls and routing equipment use the DROP list the most. The DROP list is key in helping fend off malicious senders.

Frequently asked questions on how Spamhaus works

What is Spamhaus?

The Spamhaus Project, or simply Spamhaus, is an organization that tracks spam, malware, online threats, and frauds. Founded in 1998, it is a not-for-profit body and offers insights to major corporations and government agencies.

What does Spamhaus do?

The primary goal of Spamhaus is to collect intelligence on spammers and cyber-fraudsters. The Spamhaus technology is geared to detect and filter out spam or malicious emails.

They compile this intelligence into anti-spam lists that email servers, internet service providers (ISPs), governments, military networks, and other security agencies use to protect email users from spam. Effectively, it protects over 3BN mailboxes.

Who uses Spamhaus?

Most of its users are governments, ISPs, email service providers (ESPs), defense agencies, and corporations. Other users may include researchers, universities, and marketing agencies.

We understand Yahoo uses it. Google seems to be using at least some data that Spamhaus generates. Most mailbox providers use it too. The blocklist that Spamhaus maintains is the most commonly used anti-spam list.

How does Spamhaus detect spam?

Spammers and cybercriminals include links to their websites in their emails. Spamhaus uses advanced technology to identify, filter, and block these websites and domains in order to curb and minimize their email reach in realtime.

What is the Spamhaus blocklist?

The Spamhaus Block List (SBL), earlier known as Spamhaus blacklist, is a database of IP addresses that the SBL Policy defines as spammers. It is a realtime database and includes spammers and spam support services, as well as cyber criminals, spam gangs, phishers, malware makers, and even senders of unsolicited bulk emails.

What is the Spamhaus listing policy?

The SBL Policy considers the below as unsafe for recipients and hence lists them on the blocklists:

  • UBE senders
  • Senders using fake names or nonsensical domain names
  • Emails sent from IPs associated with known spam-supporting sites and services
  • Supporters of spam, malware, phishing sites, ransomware
  • IPs associated with malafide hacking attempts
  • IPs identified or deemed as risky to users

Bulk email senders with genuine, bona fide intentions would do well to read the further details here.

How do I check if my IP address is blocked in Spamhaus?

Check it directly from Spamhaus. Go to this page and enter your domain name or the IP address you want to check.

How does Spamhaus define spam?

Perhaps the best way to understand how Spamhaus defines spam is through the expression Unsolicited Bulk Email, or UBE. If you are sending emails en masse to people who have not agreed to receive such emails from you, that’s spam.

Send bulk emails only to people who’ve agreed to receive emails from you. Also, use only valid, deliverable email addresses and try to stop your emails from going to the recipient’s spam folder. That’s because as a bulk email sender, you want your emails to land in the inbox, not elsewhere.

Does Spamhaus use the email content to define spam?

No. Spamhaus clearly states that it “…does not evaluate the content or legality of the contents of an email message…” to define spam. Any bulk email that satisfies the SBL team that the IP or IP range meets the listing criteria could fall into the blocklist.

Who is responsible for complying with the Spamhaus SBL policy?

Senders of bulk email messages, their support services, and the websites that the email messages promote are responsible for compliance.

How soon can SBL listing happen?

Immediately. As soon as the IP or IP range falls under the definition of spam as defined by the SBL Policy, they could list you.

Moreover, the listings can be preemptive if Spamhaus decides the IP or services involved carry distinct signs associated with spammers or bad actors.

Will SBL issue a warning before blocklisting?

No. Spamhaus will blocklist without any warning, since they believe in taking action realtime. Hence there is no waiting period, grace period, or notice period.

Is it difficult to get out of SBL?

Generally speaking, yes. However, there is no single answer. It all depends upon a wide range of factors, including what list you are on and what’s your email bounce rate. For instance, if you’re on the CSS, you don’t need to contact Spamhaus. Instead, you’ll need to check your email list.

All in all, you want to remain careful and stay out of the blocklist rather than work hard to get delisted.

Is Spamhaus free?

The Spamhaus site clearly says the service is free for “low-volume, non-commercial users only”. Here’s the link to the policy that will help you see if you qualify.

How do I remove my IP from Spamhaus?

While our next post will discuss this in detail, here are the general steps involved. You may need to add new action points, depending upon the exact reason behind the listing:

  1. First, make sure you’ve been blocklisted. In some cases, technical problems can prevent your emails from being delivered, and you begin to assume you’ve been blocklisted.
  2. Find what list you are on. 
  3. Based on that, find the reason why you’ve been blocklisted. 
  4. Address and resolve the issue that brought you to listing.
  5. Finally, send a request to the SBL team. Explain to them the steps you’ve taken and make a request to delist you.
  6. If you’ve missed something or if the SBL team recommends any additional steps, be sure to follow them.
  7. Follow up with the team. Always be courteous and transparent. Do not hide facts from Spamhaus.
 