Spam Resource Newsletter

DELIVTERMS: Spamhaus


Spamhaus, in the context of my day-to-day role as a deliverability consultant, is best described as a publisher of anti-spam blocklists. They in fact do publish a multitude of blocklists:

  • SBL: Their primary IP address-based blocking list. Spamming companies and ISPs are listed here both manually, based upon review and investigation by somebody at Spamhaus, and also in an automated fashion using logic that results in "CSS" listings on the SBL. Entities listed on the SBL (for reasons other than CSS) typically have to contact Spamhaus to discuss potential resolution to an issue before Spamhaus will remove ("delist") an IP address. Spamhaus generally (but perhaps not always) wants to talk to the service provider or sending platform more so than the end client.
  • DBL: Their primary domain-based blocking list. This is run in a fashion more automated than the SBL and affected senders can usually self-remove their domain from the DBL. (But if the spam issues causing the listing don't get solved, that domain will likely end up listed in the DBL again.)
  • XBL: Their "Exploits Blocking List" meant to help block spam from botnets and infected computers. If you end up listed on XBL it's likely because your computer or web server is infected with malware. It's pretty rare for a legitimate sender to end up listed here.
  • PBL: This "Policy Blocking List" is meant to allow ISPs to proactively reject mail from IP addresses connected to computers that aren't supposed to be mail servers. Sometimes these get hacked and misused to send spam. Sometimes a legitimate user of the IP address might be trying to send mail through that server, but against the policies set by their ISP. It should be exceedingly rare for a legitimate sender to end up listed here.
  • ZEN: Spamhaus ZEN is a blocklist that combines all of the data from the above blocklists.
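To see which of these lists is behind a ZEN hit on a sending IP, the following added example (not code from Spamhaus or from this post) builds the DNSBL query name and decodes the answer. The return-code values are the ones Spamhaus documents for zen.spamhaus.org as far as I know them, not values stated on this page; the function names and sample answers are constructed for illustration.

```python
import ipaddress
import socket

# A-record answers for zen.spamhaus.org -> the list they indicate (assumed from Spamhaus docs).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)", "127.0.0.9": "SBL (DROP)",
             "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
# 127.255.255.x answers describe a broken query, not a listing.
ERROR_CODES = {"127.255.255.252": "typo in blocklist zone name",
               "127.255.255.254": "query came via a public/open resolver",
               "127.255.255.255": "query volume limit exceeded"}

def zen_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the IPv4 octets (or IPv6 nibbles) and append the blocklist zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def classify(answers):
    """Map the A records returned for a ZEN query to (status, details)."""
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        # Treating these as listings would reject mail from every sender.
        return ("lookup_error", sorted(ERROR_CODES.get(a, "unknown error " + a) for a in errors))
    if not answers:
        return ("not_listed", [])  # NXDOMAIN: the IP is on none of the lists
    return ("listed", sorted({ZEN_CODES.get(a, "unrecognised code " + a) for a in answers}))

def lookup(ip):
    """Live query through the system resolver; an empty list means not listed."""
    try:
        return socket.gethostbyname_ex(zen_query_name(ip))[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # resolver failure: do not treat as "clean"

if __name__ == "__main__":
    # Constructed sample answers for a documentation-range IP; no network needed.
    print(zen_query_name("192.0.2.10"))
    for sample in ([], ["127.0.0.3", "127.0.0.2"], ["127.0.0.4", "127.0.0.11"], ["127.255.255.254"]):
        print(sample, "->", classify(sample))
```

Run `lookup()` through your own recursive resolver: queries sent via large public resolvers come back as the `lookup_error` case rather than a real answer.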

They also publish these other non-blocklist things worth mentioning:

  • DROP: This stands for "Do not Route or Peer," and it's a subset of Spamhaus data that likely contains "the worst of the worst." It is published by Spamhaus in a way that allows ISPs and internet networking companies to outright block ALL traffic to/from that subset of bad guy IP addresses.
  • ROKSO: The "Register of Known Spam Operations" is Spamhaus expressing their opinion on a subset of the bad guy spammers they've dealt with or continue to deal with. A lot of really bad guy spammers try to hide who they are to prevent getting sued or blocked from using certain internet accounts, so this data can be helpful for researchers trying to identify commonality between various spam operations that may not appear connected at first glance. Again, this isn't something a legitimate marketer should ever have to deal with.

Spamhaus was founded in 1998 and over time grew to be widely respected in the anti-spam and anti-abuse communities. The Spamhaus blocking lists are subscribed to by many ISPs and mailbox providers around the world. Meaning, if your sending IP address or domain ends up on a Spamhaus blocking list, you WILL have significant deliverability problems as a result.

You can learn more about Spamhaus directly from their website or from Wikipedia.

You'll occasionally find various rants online from people who are very upset about Spamhaus. Sometimes because they don't understand what Spamhaus is or how spam filtering works, or sometimes because they do understand and they're mad that this "random" organization can have "all this power." Fact is, Spamhaus's wide usage comes from their wide trust. Every ISP using Spamhaus to make filtering decisions has opted in to this filtering, and is likely even paying for access to the Spamhaus data. In other words, when Comcast blocks your mail because you got listed by Spamhaus, that's because Comcast had to specifically choose to block mail from Spamhaus-listed IP addresses. Spamhaus didn't force that on Comcast, or anyone else.

Some of the folks involved with Spamhaus tend not to advertise that fact publicly and some choose to do so under pseudonyms. If you're ever wondering why that is, it's because there are crazy people out there who would be happy to try to cause them harm. Security journalist Brian Krebs often talks about how a certain subset of bad guys in far-off lands have tried hard to do some bad stuff to him. I know that many of these same bad guys also hold grudges against Spamhaus folks. Keep in mind that blocking misguided marketing mail is only a tiny bit of what anti-spam groups like Spamhaus have to deal with.

Like every other anti-spam blocklist, filter, or network security service or application, it is all published by humans or created based on rules devised by humans, and humans are sometimes imperfect. What some are quick to brand the bad guys, I know from personal experience to be friendly, helpful folks who just want to help stop spam. YMMV.

Want to learn more about deliverability terminology? If so, be sure to visit the DELIVTERMS section here on Spam Resource.

1 Comments

Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.

  1. "Spamhaus's wide usage comes from their wide trust". Well said!
