From Wttw

Jump to: navigation, search


Spamhaus is one of the oldest operating blocklists. They are also one of the most widely used blocklists. They publish a number of different lists, each with their own listing criteria and addressing a different type of email abuse.

Spamhaus is staffed by at least a dozen volunteers spread across the world, who handle listings and delistings. Some Spamhaus volunteers interact with law enforcement to help track spammers and spam sources across the world.


The SBL is the Spamhaus Block List. Listing criteria for the SBL is documented at SBL Policy & Listing Criteria. "IP addresses are listed on the SBL because they appear to Spamhaus to be under the control of, or made available for the use of, senders of Unsolicited Bulk Email ("spammers"). The SBL database will normally include IPs identified to Spamhaus's best ability as likely direct spam sources, spammer hosting/DNS, spam gangs and spam support services."

SBL Listing criteria[1]

Spam Sources Sources of unsolicited bulk email sent to Spamhaus Spamtraps or submitted to Spamhaus by trusted 3rd party intelligence.
Spam Services Servers, including mail, web, dns and other servers identified as being an integral part of a spam operation or being under the direct control of spammers.
Spam Operations Known spam operations and gangs listed in Spamhaus ROKSO registry, including preemptively listing new IPs each time known spammers move to new hosts.
Spam Support Services Services providing service to known spam operations listed on ROKSO, services providing 'bullet-proof hosting' for spam service purposes, services obfuscating or anonymising spam senders, services selling or providing hosting for the sales or distribution of spamware or address lists, and networks knowingly hosting spammers as either stated or de facto policy.

SBL delisting criteria

The SBL team does publish complete delisting instructions. Delisting usually requires that the listee change practices so that mail is not sent to people who did not request mail from that sender. Often, this means that a commercial sender will need to re-confirm permission for their entire list. I recommend that commercial senders who are listed contact their ISP or ESP to handle the listing. If you do not have the support of an ISP or ESP there are a few things to keep in mind when contacting the SBL volunteers.

  • Use the published email address, do not contact individuals, even if you know them personally. Use the standard process.
  • Read the listing data and collect as much information as possible before contacting the SBL removals team
  • Don't waste time explaining how legal your email is, the Spamhaus definition is 'unsolicited bulk email.'
  • Expect the SBL team to explain the listing but not necessarily suggest specifics for remediation.

The SBL volunteers are normally quite responsive, but occasionally it will take 3 - 5 days to get a response.


The XBL is the Exploits Block List. This list consists of data pulled from two independently maintained lists, the CBL and NJABL. Both these lists only list machines that are exhibiting characteristics of a machine infected with a virus. Delisting from the XBL requires recipients contact either the CBL or NJABL, depending on which list the IP address is listed on.


The PBL is the Policy Block List. This list consists of IP addresses that, as a matter of policy, should not be sending email directly to a MX. There are two types of listings on the PBL, those maintained by the Spamhaus Volunteers and those maintained by the ISPs that own the IP addresses. Typical listings on the PBL are IP addresses belonging to webservers, DNS servers, data storage servers, cloud servers and residential connections. Anyone can sign up at the Spamhaus website and exempt a specific IP address from a listing.


The CSS is a component of the SBL list that focuses on snowshoe spammers. There is no manual way to be delisted, but IPs that have ceased spamming are delisted 3 days after the mail stops.


ZEN is a single list for users to query that combines the data from the SBL, XBL and PBL.


ROKSO is the register of known spam operations. This is not simply a list of IP addresses, but also of all known information about a particular group of spammers including business partners and affiliates. In order to qualify for a listing on ROKSO the listee must have 3 documented disconnections from upstream providers. Typically the disconnection information is provided directly by the ISP abuse desk to the Spamhaus volunteers. While many spammers have attempted to be removed from ROKSO by claiming that they left the ISP willingly, Spamhaus usually relies on data from the ISP over the word of the listee.

Removal from ROKSO is more stringent than removal from other Spamhaus lists. There must be no detected spam from the listed operation for a minimum of 6 months. Once the spam has stopped for that period of time, Spamhaus will entertain removal requests.


  1. retrieved Jan 2010
Personal tools