What is Spamhaus and How Does It Work?

Jan 19, 2022
Spamhaus analyses large amounts of data and lists internet resources that have a poor reputation due to a connection with malicious activity. Internet resources refer to domains, IP addresses, email addresses, crypto wallet addresses, and malware files.
Malicious activity refers to any kind of phishing, ransomware, malware, and spam. According to Spamhaus, ‘spam’ refers to any messages that are sent in bulk and unsolicited. Over a 24-hour period, Spamhaus assesses and processes around three million domains, four billion SMTP connections, and around eighteen thousand malware samples. IT and security specialists use lists of domains and IP addresses analyzed by Spamhaus.

How Does Spamhaus Work?

Spamhaus works with the broader internet community and has a vast sensor network that collects connection data within networks, including industry-leading internet providers, government organizations around the world, and specialist analysts and researchers. They also gather data from internal spam traps and honey pots.

Spamhaus was founded by Steve Linford in 1998. He didn’t like the amount of spam that he was seeing online and began listing any IP addresses associated with it. This quickly gained momentum as like-minded people from around the world began to join in with the fight against spam and abuse online. Since then, the Spamhaus Project has been compiling reputation lists for IP addresses and domains. The project works with researchers from a wide range of backgrounds from all over the world, with one main thing in common – a passion for effecting change and making sure that the internet is a safer place.

Techniques Used By Spamhaus

Spamhaus uses a range of processes to analyze and apply reputation to the data that it collects, from manual investigations to machine learning. Once an internet resource has met the listing policy criteria, it will be listed.

What is the Spamhaus Blocklist?

The Spamhaus Blocklist is a real-time database of IP addresses that have been identified as a source of spam according to Spamhaus’ listing criteria. The list will include any IPs that spread threats or send unsolicited bulk emails. While bulk emails might be commonly received by lots of people, they are not always spam. For example, bulk emails can include advertisements that you subscribe to or email newsletters. But, on the other hand, spam can be used by cybercriminals as a way to spread malware and cyberattacks. The purpose of the list is to help Spamhaus users reduce traffic from any IP addresses that may be connected to spam. Currently, Spamhaus protects over three billion user mailboxes from spam mail.

Remove Blacklist By Spamhaus

How do people get their domains and IPs removed from Spamhaus blocklists? Spamhaus offers a ‘checker’ tool that allows users who have had their domain or IP address listed to search for the listing. This allows them to get more information on why they were listed in the first place, request removal, and learn more about what they need to do to avoid being listed again. Once Spamhaus researchers receive a removal request, they will go through the process of confirming that it is a genuine request and answer any questions that the user might have before they approve the removal.

Unsurprisingly, Spamhaus receives lots of removal requests from bad actors because not everybody who gets put on a blocklist is going to be innocent. Cybercriminals will often take it quite personally when they are prevented from making money, and some Spamhaus researchers have even had death threats.

How to Get Removed From Spamhaus Blacklist – How Are Addresses Blacklisted?

When spam is noticeably being sent from an IP address, it will be listed on a Spamhaus blacklist or DNSBL. These lists are designed to protect email users from opening potentially harmful spam that is sent from IP addresses that display suspicious activity. There are various reasons why your IP address might be listed on a Spamhaus blocklist, including:

  1. Spam Trap Address on Your Mailing List

By their nature, spammers use huge lists of email addresses, many of which may be scraped from websites. Addresses are also sometimes bought and sold in underground marketplaces, often by unscrupulous email marketers who are simply looking to make some extra money. Anti-spam companies such as Spamhaus will maintain their own secret email addresses known as ‘spam traps’. They purposely advertise these addresses on websites, for example, to lure spammers to add them to their address books.

  2. Sending to a Spam Trap Address

Once a spammer has added the spam trap address to their mailing list, they will likely send it spam email.

  3. Getting Listed

Before the spamming malware delivers the spam message, it first needs to tell the spam trap mail server the email address that it is trying to deliver to. Once the spam trap address is received by the spam trap server, the compromised user’s IP address and machine will be added to the block list.

Spamhaus Zen Blacklist Removal if You’re Not Sending Spam

Most ISP networks and many cloud hosting networks assign IP addresses dynamically, which means that the same IP address might be used by computers belonging to different people or companies over a few days or weeks. On some networks, especially mobile networks, the problem can be even worse; multiple users can be sharing a single public IP address through the NAT process. If you are currently sharing or have recently shared an IP address with a user who has been sending spam, then your IP address could be blacklisted even if you are not a spammer.

Spamhaus Zen Blacklist Removal Request – How to Get Delisted

If your IP address has been blacklisted, you are probably wondering what you can do about it. The answer to this question will depend on the type of user that you are and the kind of IP address that you have. If your IP address has been blacklisted, the first step is to determine whether your machine or any machine that shares your IP address has been sending spam. If you are sure that there is nothing in your control sending spam messages, you can visit Spamhaus’ blacklist removal pages and request the removal of your address. You will be able to see why your IP address has been blacklisted and explain your situation to Spamhaus.

It’s important to be able to verify that you are not actually sending spam. In many cases where somebody’s IP address is blacklisted, the spam is actually coming from a phone or computer within their home or office network that has been compromised. In this situation, you will need to fix the underlying problem first, because any attempt to delist your address or move to a new IP address will fail quickly and may lead to more severe blacklisting. Outbound spam filtering is an ideal option for ISPs and hosting companies to help customers determine if they are sending spam.
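
One way to find which machine behind a shared address is sending the mail is to count direct outbound SMTP connections per internal host in the gateway log. This is an added example, not part of the original article; the log format, addresses, mail-server allow-list and threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in iptables-LOG style; the addresses and format are assumptions.
SAMPLE_LOG = """\
Jan 19 10:00:01 gw kernel: FWD SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=40110 DPT=25
Jan 19 10:00:02 gw kernel: FWD SRC=192.168.1.10 DST=203.0.113.9 PROTO=TCP SPT=40111 DPT=25
Jan 19 10:00:03 gw kernel: FWD SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=25
Jan 19 10:00:04 gw kernel: FWD SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=50123 DPT=25
Jan 19 10:00:04 gw kernel: FWD SRC=192.168.1.23 DST=203.0.113.77 PROTO=TCP SPT=50124 DPT=25
Jan 19 10:00:05 gw kernel: FWD SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=50125 DPT=25
Jan 19 10:00:05 gw kernel: FWD SRC=192.168.1.23 DST=198.51.100.200 PROTO=TCP SPT=50126 DPT=25
Jan 19 10:00:06 gw kernel: FWD SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=50127 DPT=443
Jan 19 10:00:07 gw kernel: FWD SRC=192.168.1.40 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=25
Jan 19 10:00:08 gw kernel: FWD SRC=192.168.1.40 DST=203.0.113.80 PROTO=TCP SPT=51001 DPT=443
garbled line without the expected fields
""".splitlines()

LINE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?\bDPT=(?P<dpt>\d+)")


def smtp_talkers(lines, mail_servers=frozenset(), min_destinations=3):
    """Return {internal_ip: distinct_port25_destinations} for hosts that talk
    SMTP directly to many servers and are not known mail servers."""
    dests = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if m is None or m["dpt"] != "25":
            continue  # unparsable line, or not server-to-server SMTP
        if m["src"] in mail_servers:
            continue  # legitimate relay, expected to use port 25
        dests[m["src"]].add(m["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    hits = smtp_talkers(SAMPLE_LOG, mail_servers={"192.168.1.10"})
    for host, n in hits.items():
        print(f"{host}: direct SMTP to {n} distinct destinations")
```

A workstation or phone that appears in the result has no reason to deliver mail directly on port 25 and is the first machine to inspect.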

If the block listing is definitely the result of somebody else’s behavior or you are unable to remove your IP from the list, then the best option is to find a new address space or IP address. You can obtain a new IP address in a range of ways depending on the kind of internet user that you are. Some of the most common options include:

  1. Mobile or Residential ISP: Consider ‘refreshing your DHCP lease’ to recycle your IP address. If this does not work, you can ask your provider to give you a new IP address.
  2. Cloud Hosting: Consider using a service like SendGrid to send out email.
  3. Commercial ISP: If you are certain that your network is clean, you can contact your ISP and ask to be provided with a new static IP address.
  4. Dedicated Hosting: Check any other IP addresses near yours. You may have been dragged along if there are others listed. If possible, ask to be moved to a new subnet.

Spamhaus Zen Delist Step By Step

If you suspect that your IP might have been blacklisted, the first step is to check the reputation of the IP address. Follow these steps:

Run Spamhaus Domain Check or IP Check

Access the IP and domain reputation checker by Spamhaus. Enter your IP or domain into the search box and click lookup. If your IP address is on a block list, your search result may come up with a warning message. You can then click on ‘Show Details’ to find out more information and potentially resolve the issue.

Indicate the Reason for the Block

Spamhaus may add IP addresses to the list for various reasons. Look through your server logs to investigate the reason; this can reveal data about any suspicious activity both inside and outside your network. If you find the problem, take steps to fix it.

Request Removal

Fill out the form with your contact information and click Submit to request removal from the Spamhaus blocklist. Spamhaus will process your removal form immediately after accepting it; however, the removal process may take up to 24 hours.
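
The reputation check from the first step can also be made over DNS, which is how mail servers consult a DNSBL; the sketch below is an added example, not code from Spamhaus or the original article. It assumes the public zone name zen.spamhaus.org and the return codes Spamhaus publishes, and it uses constructed answers (FAKE_DNS) so it runs without network access.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
# Return codes Spamhaus publishes for its DNSBL zones.
LISTED = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
          "127.0.0.9": "SBL DROP", "127.0.0.10": "PBL (ISP maintained)",
          "127.0.0.11": "PBL (Spamhaus maintained)"}
ERRORS = {"127.255.255.252": "typing error in DNSBL name",
          "127.255.255.254": "query came through a public/open resolver",
          "127.255.255.255": "excessive number of queries"}

def query_name(ip, zone=ZONE):
    """Build the DNSBL name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """A-record lookup through the OS resolver; NXDOMAIN means 'not listed'."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeouts and server failures are not a clean result

def check(ip, resolve=system_resolver):
    answers = resolve(query_name(ip))
    errors = [ERRORS[a] for a in answers if a in ERRORS]
    if errors:
        return ("error", errors)  # never read an error code as a listing
    if not answers:
        return ("not listed", [])
    return ("listed", sorted(LISTED.get(a, "code " + a) for a in answers))

# Constructed answers standing in for live DNS, so the example runs offline.
FAKE_DNS = {"2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
            "7.100.51.198.zen.spamhaus.org": ["127.255.255.254"]}

def fake_resolver(name):
    return FAKE_DNS.get(name, [])
```

For a live lookup, call check(ip) from a host that uses its own recursive resolver: queries relayed through public or open resolvers are answered with the 127.255.255.254 error code rather than a real result.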

There are many reasons why IP addresses may be blacklisted by Spamhaus, and it does not always mean that your device is sending spam. If you are on the Spamhaus blocklist, it’s important to thoroughly investigate the issue.
