FAQs from Spamhaus
DEFINITION: “Domain BlockList” (DBL)
What is the DBL?The Spamhaus DBL is a list of domain names with poor reputations. It is published in a domain DNSBL format. These domain reputations are calculated from many factors, and maintained in a database which in turn feeds the DBL zone itself.
It ONLY lists domains. No IP addresses are listed by the DBL.The DBL’s reputation database is maintained by a dedicated team of specialists.Data from many sources is used to build and maintain a large set of rules.The DBL zone is is continually updated, and the data is served from over 80 mirrors world-wide.These rules control an automated system that constantly analyses a large portion of the world’s email flow and the domains in it.Most DBL listings occur automatically, although where necessary Spamhaus researchers will add or remove listings manually.Listings will expire without intervention after the domain stops matching the criteria that caused the listing.DBL data is exchanged with other Spamhaus systems which can result in further listings in the DBL, or in IP addresses being listed in other Spamhaus zones.
LISTED IN DBL Q&A
Why is a domain listed in DBL?The Spamhaus Domain Block List (DBL) evaluates many factors for inclusion of domains. We do not discuss the specific criteria we use.Domains must match several criteria in order to be listed.We will not reveal specific listing criteria in most cases.DBL listings are constantly reevaluated by our systems, and listings do expire automatically when listing criteria are no longer met.These are general observations to help domains build a good reputation and avoid DBL listings.NOTE: These observations are universal and do not apply only to the Spamhaus reputation systems.
Domain reputationReputations are built over time, and building a good reputation takes longer than building a bad reputation.Experience has shown that an unknown reputation has a much higher risk of emitting spam than known-good domains, so unknown reputations begin as “poor” by default.Anonymity does not contribute to a good reputation.Domain and IP address reputations affect each other.If domains are used in legitimate traffic for enough time to establish a good reputation, DBL will notice that and remove the listing.The DBL will notice if domains are used for activities that cause poor reputations, such as spam, cybercrime or other “blackhat” pursuits.Snowshoe spammingThis is a technique that uses many domains and IP addresses, which change frequently.Legitimate bulk email builds a reputation over time on durable, long-term domains and IP addresses.Because of that investment in time and effort, reputable mailers don’t use nearly as many domains, and fewer IP addresses, than snowshoers.Domains which act like they are snowshoeing will get treated like snowshoers.AuthenticationHaving solid domain authentication is a necessary tool in today’s email ecosystem, but SPF, DKIM, and/or DMARC can all be used by spammers as well as by good senders.DBL listings occur for domains with and without those records.Bulk email/Marketing emailIf a domain is being used in bulk email, be sure best practices are followed for sending only confirmed opt-in, solicited bulk mail.See our Marketing FAQs for more information.It can also help to consult industry experts or good deliverability consultants for further assistance.Role Accounts and Feedback LoopsThese are a domain’s abuse detection system.If they are not set up and functional, there is a huge loss of visibility into abuse issues on a network.They should be used to identify problems including spam, and to stop those problems before they degrade a domain’s reputation.Clean hostingDomains should be hosted on good, clean ISPs which do not allow abuse of their network.”Clean” includes a domain’s NS, A, MX and website DNS records.Hosting a domain on spam-friendly IPs or servers, or at ISPs that tolerate network abuse, including spam, has a negative effect on the reputation of all domains on that network.Mail server IPs should be identified with proper rDNS (PTR records) and mail servers should identify themselves with a proper HELO value (also RFC 5321 4.1.1.1).
All about removing domains from the DBLDoes a DBL listing expire automatically?DBL is highly automated and most listings will expire automatically after they cease to appear in spam.Domains are listed in DBL Zone automatically, and they may re-list automatically after removal if they are re-detected.Can a domain be removed from the DBL before the expiry?While DBL is careful to not list innocent domains, it’s possible that a domain may need to be removed from DBL before the listing expires.If a domain is listed and believed to be eligible for removal, please use the Blocklist Removal Center link on the Spamhaus homepage, look up the domain and follow the instructions returned by that lookup form.Using the form does not guarantee removal.Excessive removers and other removal form abusers may be blocked.How long does a removal take?Once the removal request is approved, the request will be processed immediately.It should only take a few minutes, but some users may lag up to 24 hours in removing domains from their local systems.If the listing remains active after 24 hours after the removal is approved, please contact us.Is there a cost or fee for removal from the DBL?Absolutely not.There is never any charge or fee associated with removing any Spamhaus listing.Any offer from anyone to remove any Spamhaus listing for a fee is a scam.Spamhaus has no affiliation with anyone offering any ‘blocklist removal’ service, nor can any third party influence or expedite removals from any Spamhaus database.
Can you scan my site and check that it is secure?We don’t scan at all.
Scanning is not a very effective way to detect many of these hacks. We watch Internet traffic for signs of abuse, spam and botnet traffic. When we see those signs it means for certain that the web site or server is insecure, infected or compromised.
ABUSED-LEGIT Q&A
What does the “abused-legit” classification mean in the DBL?“Abused-legit” is a class of domains which are generally legitimate but are abused by spammers. The domain owners are legitimate businesses or people whose servers have been hacked.These listings have a DBL return code in the 127.0.1.100+ range.Among the most common abuses we see are hacked content management systems (WordPress, Drupal or Joomla, for example)These return 127.0.1.102 in dbl.spamhaus.orgMany have Stealrat botnet infections and give return 127.0.1.105 or 127.0.1.106 return codes.As with all DBL entries, we list these domains as soon as we detect abuse in order to protect DBL users.Because we know there are legitimate users of these domains, we provide immediate, no-questions-asked removals for administrators of these domains.These DBL listings also expire more quickly, usually a day after last detection.Admins of “abused legit” sites should follow the normal removal procedure starting from our Blocklist Removal Center. It will route your removal request appropriately.Once the CMS or webserver has been fixed, we strongly suggest that administrators replace the pages the spammer inserted;The replacement pages should return an appropriate “page not found” HTTP errors.403, 404 or 410 are suitable responsesThis is particularly important when the domain is part of a shared web hosting resource that was abused.Removing “abused-legit” listings
Listing, delisting and removal of “abused legit” domains work just like regular DBL listings.
The DBL is tuned to minimize listings which could cause false positives”Abused legit” listings time out much faster than other listings.Keeping false positives as near zero as possible, like all of DBL, is an important goal of the “abused legit” segment of DBL.Admins of “abused legit” sites should follow the normal DBL removal procedure starting from our Blocklist Removal Center. It will route the removal request appropriately.
Help for domains listed as “abused legit” in the DBLIf a domain is listed in the DBL as “abused-legit” these are the basic steps to follow:If it is at all possible, the website/server should be taken offline while it is being fixed.All of the infected files must be removed.The CMS and all plugins and extensions must be updated to the latest and most secure versions.Be sure the server itself is secure, or ask a system administrator to perform a security audit.All passwords must be changed. Strong passwords should be used, and two factor authentication added wherever possible.For more in depth information please refer to the Spamhaus FAQ regarding hacked CMS:Hacked Website or CMS – General InformationCMS-Specific help
Do the “abused legit” or “abused redirector” listings include full URL/URI links?DBL listings include only the domain, not the full directory path of URL/URIs.
However, in some cases, additional DBL information may be available for admins of hacked CMS sites. Start the removal procedure from our Blocklist Removal Center and follow the steps from there.
We suggest that all domains, especially redirector domains, set up appropriate Role Accounts and Feedback Loops which can help provide notification of problems.
DBL USAGE QUESTIONS
What do the 127.*.*.* Return Codes mean?The DBL uses DNS return codes in the 127.0.1.0/24 range. Queries regarding any domain listed in DBL and all IP queries will return a response code. If no code is returned (NXDOMAIN) the domain is not listed in DBL. DBL return codes in current and future use are:
Return CodesData Source127.0.1.2spam domain127.0.1.4phish domain127.0.1.5malware domain127.0.1.6botnet C&C domain127.0.1.102abused legit spam127.0.1.103abused spammed redirector domain127.0.1.104abused legit phish127.0.1.105abused legit malware127.0.1.106abused legit botnet C&C127.0.1.255IP queries prohibited!This table will be updated as specific DBL categories are added and 127.0.1.* return codes are assigned to them.
The following special codes indicate an error condition and should not be taken to imply that the queried domain is “listed”:
Return CodeZoneDescription127.255.255.252AnyTyping error in DNSBL name127.255.255.254AnyAnonymous query through public resolver127.255.255.255AnyExcessive number of queries
Is the DBL included in the Spamhaus Zen DNSBL?Spamhaus Zen is an IP address DNSBL zone. Zen lists numeric IP address zones only, does not list domains and does not include the DBL.
The DBL is a purely domain-based zone, and must be queried separately by software capable of extracting domains from email message bodies and headers.
Can the DBL be used to look up IP addresses? No. The DBL cannot be used that way.
The DBL is a domain-only blocklist and does not include or support IP addresses.It only includes domain names in the form of text strings.It should not be used the same way as the Spamhaus IP-based DNSBLs.An IP query against the DBL always returns a positive (listed) return code.If legitimate emails containing http links specified as IP addresses (e.g. “http://1.1.1.1″), are expected to be delivered, wrongly using DBL this way will reject them.”dbl.spamhaus.org” must not be configured in any email server’s “DNSBL” or “RBLs” feature, spam firewall, or spam filter unless it specifically states that blocklists entered there are used for domain checking only. If this is unclear, please refer to the spam filter developer.
Spamhaus DNS returns the code 127.0.1.255 to IP queries to the DBL zone, along with a TXT record referring to this FAQ page.
If an IP lookup DNSBL is required, Spamhaus Zen is a good choice. More information can be found on the DNSBL FAQ page.
Can DBL be used in a Response Policy Zone (RPZ)?The DBL can be used with a Response Policy Zone (RPZ).
Also known as a “DNS firewall,” an RPZ is highly effective at protecting networks and their users from spam as well as malware of many kinds including bots, spyware and other malicious attack vectors.
For more in-depth information, please see our news article Spamhaus’ DBL as a Response Policy Zone (RPZ) and the RPZ whitepaper by Hugo M. Connery at the Technical University of Denmark.
Can DBL be used with Microsoft Exchange ?Unfortunately Microsoft does not include native support for DBL or other domain blocking lists in their Exchange product. However, Exchange users can use DBL through a third party product such as Vamsoft ORF.
Can the DBL be used to filter blog spam?The Spamhaus DBL can be effective used to defend against blog spam.Many of the same actors that send spam email also spam blog comment sections and guestbooks.Most blogging software does a good job in catching comment spam, but if needed, the DBL is able to detect some of the domains used, and can flag or block these postings.
Can wildcard queries be used with the DBL?The DBL supports wildcard lookups. Querying the full hostname will return a positive result if the host’s domain is listed. In other words, DBL lists at the main domain level, and all hostnames and subdomains of that domain also return a “listed” result. Therefore, it is optional and not necessary to strip the hostname down to query the actual domain only.
For example, if spammer.tld is listed:$ host spammer.tld.dbl.spamhaus.orgspammer.tld.dbl.spamhaus.org has address 127.0.1.2$ host www.barclays.bank.spammer.tld.dbl.spamhaus.orgwww.barclays.bank.spammer.tld.dbl.spamhaus.org has address 127.0.1.2$ host notspammer.tld.dbl.spamhaus.orgnotspammer.tld.dbl.spamhaus.org not found: 3(NXDOMAIN)Any *.spammer.tld sub-domain will also get the same response:The wildcard query works for subdomains only, and not variations of the domain itself:This enables the DBL to be used for either URI type queries (domains in links advertised in spam) and RHSBL type queries such as rDNS, HELO string, Sender and other email headers.
URL shortening or re-directing services and the DBLCan URL shortening services use the DBL to deny bad domains?
Yes, it can be used to protect URL shorteners from abuse.Spammers frequently use URL shortening services to try and avoid spam filtering systems that use tools such as the DBL.URL shortening services should check every URL’s domain against the DBL and not allow those that are listed.What further can URL shorteners and redirectors do to prevent abuse?Don’t string several shorteners/redirectors together!This includes ‘Don’t shorten other shorteners’ and ‘Don’t accept referrals from other shorteners.’DBL has a specific return code for abused shorteners/redirectors in the DBL zone: 127.0.1.103.For more in-depth information, see our blog article Changes in Spamhaus DBL DNSBL return codes.Don’t redirect to domains with the ‘A’ Record on the SBL (and possibly the XBL – your decision).Check blocklists at the time of URL creation and again, later, as traffic on the new URL ramps up (a day or a week’s time later).Don’t allow users to change the landing URL after the redirect is created.Don’t provide an interstitial link to the spammer’s payload if abuse is detected: Fully suspend the offending URL (404 or 410 HTTP return).Code a system to prevent automated URL creation (using good CAPTCHA or other bot-stopping tools).If you have access to the Spamhaus ZRD product, consider not creating URLs for brand new domains with no reputation.Do create and maintain Role Accounts & Feedback Loops (FBLs) to help detect abuse, and process that information promptly.The ISP Spam Issues FAQ can provide more tips on dealing with abuse of Internet resources in general, especially “Role Accounts & Feedback Loops”.Also see http://www.surbl.org/redirection-sites.
Is there any code available to query the DBL in my application?We have seen that people have published code to do DNS lookups on the DBL.Lockergnome.net wrote one in PHP. Find the code here.This Python code was written for checking SURBL and could be modified to work with the DBL.
How can I test the DBL?There are two ways to test the DBL.The DBL follows RFC5782 for determining whether a URI zone is operational with an entry for TEST.The DBL has a specific domain for testing DBL applications: dbltest.com.To test functionality of the DBL, use “host” or “dig” from the command line to do a manual query.If using the web to look up a domain in the DBL, the domain lookup form at our Blocklist Removal Center should be used.NOTE: Do not query our website with automated tools!
RFC5782 operational testQuery: test.dbl.spamhaus.orgResult: test.dbl.spamhaus.org IN A 127.0.1.2“Listed” Test ResultsQuery: dbltest.com.dbl.spamhaus.orgResult: dbltest.com.dbl.spamhaus.org IN A 127.0.1.2“Not Listed” Test ResultsQuery: example.com.dbl.spamhaus.orgResult: Host example.com.dbl.spamhaus.org not found: 3(NXDOMAIN)(Note: the IANA reserved “example.com” domain will never appear in the DBL zone)Test Point TXT RecordQuery: TXT dbltest.com.dbl.spamhaus.orgResult: TXT “http://www.spamhaus.org/query/dbl?domain=dbltest.com”
Using SpamAssassin and Rspamd with Spamhaus dataWe have developed our datasets with the final goal of being the most compatible with existing software. The two biggest open source antispam projects are SpamAssassin and Rspamd.
To show the best way to use our data with these products, we have created two dedicated Github projects. The projects contain instructions, rulesets, and code to make the best out of our DQS product.
The DBL and Project Golden Shield
I am in China. Why is the DBL listing non-spam domains such as twitter.com, facebook.com or pinterest.com?The DBL is not listing twitter.com, facebook.com, pinterest.com or other social network domains.
Network traffic entering or exiting China can be altered if it contains particular keywords or domains.This is due to the policy set by the Golden Shield Project (also known as the Great Firewall of China) which is operated by the Chinese Ministry of Public Security (MPS) division.The interference of the Chinese government’s system has the following consequences for the DBL:Spamhaus has servers located in China, to better serve our Chinese customers, but the DBL is not available on those servers. They are only used to answers queries relative to IP addresses (SBL, PBL, XBL).Spamhaus users in China will get all DBL answers from servers located outside China, and it is possible the answers will be altered as described above.It is therefore very important that all users in China validate our responses by having their software check that the A record is a valid one in the range 127.0.1.0-127.0.1.255.Any other code is a result of the actions of the Golden Shield Project and the queried domain is not listed by DBL.
