What is Spamhaus and How Does It Work?

Jan 19, 2022

Spamhaus analyses large amounts of data and lists internet resources that have a poor reputation due to a connection with malicious activity. Internet resources refer to domains, IP addresses, email addresses, crypto wallet addresses, and malware files.

Malicious activity refers to any kind of phishing, ransomware, malware, and spam. According to Spamhaus, ‘spam’ refers to any messages that are sent in bulk and unsolicited.

Over a 24-hour period, Spamhaus assesses and processes around three million domains, four billion SMTP connections, and around eighteen thousand malware samples. IT and security specialists use lists of domains and IP addresses analyzed by Spamhaus.

How does Spamhaus work?

Spamhaus works with the broader internet community and has a vast sensor network that collects connection data within networks, including industry-leading internet providers, government organizations around the world, and specialist analysts and researchers. They also gather data from internal spam traps and honey pots.
 


 
Spamhaus was founded by Steve Linford in 1998. He didn’t like the amount of spam that he was seeing online and began listing any IP addresses associated with it. This quickly gained momentum as like-minded people from around the world began to join in the fight against spam and abuse online.

Since then, the Spamhaus Project has been compiling reputation lists of IP addresses and domain names, working with email service providers globally.

The project works with researchers from a wide range of backgrounds from all over the world, with one main thing in common – a passion for effecting change and making sure that the internet is a safer place.

Techniques used by Spamhaus

Spamhaus uses a range of processes to analyze and apply reputation to the data that it collects, from manual investigations to machine learning. Once an internet resource has met the listing policy criteria, it will be listed.

What is the Spamhaus blocklist?

The Spamhaus Blocklist is a real-time database of IP addresses that have been identified as a source of spam according to Spamhaus’ listing criteria. The list will include any IPs that spread threats in the email body or send unsolicited bulk emails. These are low-reputation senders that have a tendency to send spam from their email servers.

While bulk emails might be commonly received by lots of people, they are not always spam. For example, bulk emails can include advertisements that you subscribe to or email newsletters. But, on the other hand, spam can be used by cyber criminals as a way to spread malware and cyberattacks through unsolicited bulk email.

They could use various types of scams, such as trojan-horse exploits, illegal third-party exploits, sending through phishing domains or other types of activities where law enforcement agencies might need to get involved.

The purpose of the list is to help Spamhaus users reduce incoming email traffic from any IP addresses that may be connected to spam. Currently, Spamhaus protects over three billion user mailboxes from spam mail.

Remove blacklist by Spamhaus project

How do people get their domains and IPs removed from Spamhaus blocklists? Spamhaus offers a ‘checker’ tool that allows users who have had their domain or IP address listed to search for the listing.

This allows them to get more information on why they were listed in the first place, request removal, and learn more about what they need to do to avoid being listed again with their internet service provider.

Once Spamhaus project researchers receive a removal request, they will go through the process of confirming that it is a genuine request and answer any questions that the user might have before they approve the removal.

Unsurprisingly, Spamhaus receives lots of removal requests from bad actors because not everybody who gets put on a blocklist is going to be innocent. Many spam gangs still use spam-like activities but just want to get removed to recover their email reputation – so they can send more email spam.

Cybercriminals and email spammers will often take it quite personally when they are prevented from making money, and some Spamhaus researchers have even received cyber threats over junk email.

How to get removed from Spamhaus blacklist

When spam is noticeably being sent from an IP address, it will be listed on a Spamhaus blacklist or DNSBL.

These lists are designed to protect email users from opening potentially harmful spam that is sent from IP addresses that display suspicious activity. There are various reasons why your IP address might be listed on a Spamhaus blocklist, including:

Spam trap address on your mailing list

By their nature, spammers use huge lists of email addresses, many of which may be scraped from websites. Addresses are also sometimes bought and sold in underground marketplaces, often by unscrupulous email marketers who are simply looking to make some extra money.

Anti-spam companies such as Spamhaus will maintain their own secret email addresses known as ‘spam traps’. They purposely advertise these addresses on websites, for example, to lure spammers to add them to their address books.

Spam traps are essentially fake emails on an internet mail server, such as [email protected]. Once a spammer sends an email to this address, they immediately trigger a spam filter.

The Spamhaus anti-spam technology relies on a comprehensive blocklist containing a large number of spam traps. A legitimate sender will not send to spam traps because their list was acquired through legitimate means and not spam sources. Also, they won’t risk their sender reputation with a list scraped from a domain.

Sending to a spam trap address

Once a spammer has added the spam trap address to their mailing list, they will likely send it spam email. Bear in mind that bulk email marketing services rarely hit spam traps, because their emails are acquired in legitimate ways.

Getting listed

Before the spamming malware delivers the spam message, it first needs to tell the spam trap mail server the email address that it is trying to deliver to. Once the spam trap address is received by the spam trap server, the compromised user’s IP address and machine will be added to the block list.

So, removing spam traps is a smart way to improve your sender reputation.

Spamhaus Zen Blacklist removal if you’re not sending spam

Most ISP networks and many cloud hosting networks assign IP addresses dynamically, which means that the same IP address might be used by computers belonging to different people or companies over a few days or weeks.

On some networks, especially mobile networks, the problem can be even worse; multiple users can be sharing a single public IP address through the NAT process. If you are currently sharing or have recently shared an IP address with a user who has been sending spam, then your IP address could be blacklisted even if you are not a spammer.

Spamhaus Zen Blacklist removal request – how to get delisted

If your IP address has been blacklisted, you are probably wondering what you can do about it. The answer to this question will depend on the type of user that you are and the kind of IP address that you have.

If your IP address has been blacklisted, the first step is to determine whether your machine or any machine that shares your IP address has been sending spam. If you are sure that nothing under your control is sending spam messages, you can visit Spamhaus’ blacklist removal pages and request the removal of your address.

You will be able to see why your IP address has been blacklisted and explain your situation to Spamhaus.

It’s important to be able to verify that you are not actually sending spam. In many cases where somebody’s IP address is blacklisted, it’s actually coming from a phone or computer within their home or office network that has been compromised and is sending spam.

In this situation, you will need to fix the underlying problem first, as any attempt to delist your address or move to a new IP address will fail quickly and may lead to more severe blacklisting.

Outbound spam filtering is an ideal option for ISPs and hosting companies to help customers determine if they are sending spam.

If the block listing is definitely the result of somebody else’s behavior or you are unable to remove your IP from the list, then the best option is to find a new address space or IP address. You can obtain a new IP address in a range of ways depending on the kind of internet user that you are. Some of the most common options include:

  1. Mobile or Residential ISP: Consider ‘refreshing your DHCP lease’ to recycle your IP address. If this does not work, you can ask your email provider to give you a new IP address.
  2. Cloud Hosting: Consider using a service like SendGrid to send out email so you appear as a more legitimate sender.
  3. Commercial ISP: If you are certain that your network is clean, you can contact your ISP and ask to be provided with a new static IP address.
  4. Dedicated Hosting: Check any other IP addresses near yours. You may have been dragged along if there are others listed. If possible, ask to be moved to a new subnet.

Spamhaus Zen delist: step by step

If you suspect that your IP might have been blacklisted, the first step is to check the reputation of the IP address. Follow these steps:

Run Spamhaus Zen domain check or IP check

Access the IP and domain reputation checker by Spamhaus. Enter your IP or domain into the search box and click on the lookup tool.

If your IP address is on a block list, your search result may come up with a warning message. You can then click on ‘Show Details’ to find out more information and potentially resolve the issue and save your sender reputation.
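The same check can be made over DNS, which is how mail servers consult a DNSBL. The sketch below is an added example, not Spamhaus' own code: the function names are hypothetical, and the return codes are those Spamhaus publishes for the ZEN zone rather than values from this article, so confirm them against the current documentation.

```python
import ipaddress
import socket

ZEN = "zen.spamhaus.org"
# Return codes as published by Spamhaus for the ZEN zone (not from this page).
LISTS = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.9": "DROP",
         "127.0.0.10": "PBL (ISP maintained)",
         "127.0.0.11": "PBL (Spamhaus maintained)"}
LISTS.update({f"127.0.0.{n}": "XBL" for n in range(4, 8)})
# 127.255.255.x answers mean the query itself failed, not that the IP is listed.
ERRORS = {"127.255.255.252": "typo in DNSBL zone name",
          "127.255.255.254": "query sent through a public/open resolver",
          "127.255.255.255": "excessive number of queries"}

def query_name(ip, zone=ZEN):
    """Build the DNSBL query name: reversed octets (v4) or nibbles (v6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def interpret(answers):
    """Classify the A records returned for a DNSBL query."""
    errors = [ERRORS[a] for a in answers if a in ERRORS]
    if errors:
        return "error", errors
    if not answers:
        return "not_listed", []
    return "listed", [LISTS.get(a, "unrecognised code " + a) for a in answers]

def check(ip):
    """Live lookup; needs a resolver that Spamhaus accepts queries from."""
    try:
        answers = socket.gethostbyname_ex(query_name(ip))[2]
    except OSError:
        # NXDOMAIN (not listed) and resolver failure look the same here.
        return "no_answer", []
    return interpret(answers)
```

Treating a 127.255.255.x answer as a listing is a common cause of mail being rejected wrongly, which is why `interpret` reports it as an error instead.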

Indicate the reason for the block

Spamhaus Zen may add IP addresses to the list for various reasons. Monitoring server logs to investigate the reason can reveal data about any suspicious activity both inside and outside your network. If you find the problem, take steps to fix it. Maybe there were spam complaints or internet threats from your domain?

For example, an email marketing services business could get a list of emails with fake domains and have their content team send out emails to them. The reason for the block? Sending to email addresses without previous consent. As a result, Spamhaus Zen puts them on a blocklist and their domain reputation gets hurt.
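One way to carry out the log review described above, as an added example rather than a Spamhaus or Bouncer tool: it reads Postfix-format mail log lines, ties each delivery back to the internal client that submitted it, and flags clients with a high bounce rate. The log lines are constructed, and the thresholds and function names are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format (not real traffic).
SAMPLE_LOG = """\
Jan 19 10:00:01 mx postfix/smtpd[2101]: 3F2A1B0C01: client=pc-17.office.example[10.0.0.17]
Jan 19 10:00:02 mx postfix/smtp[2110]: 3F2A1B0C01: to=<a@example.net>, relay=mx.example.net[198.51.100.5]:25, status=bounced (550 5.1.1 user unknown)
Jan 19 10:00:02 mx postfix/smtp[2110]: 3F2A1B0C01: to=<b@example.net>, relay=mx.example.net[198.51.100.5]:25, status=bounced (550 5.1.1 user unknown)
Jan 19 10:00:03 mx postfix/smtp[2110]: 3F2A1B0C01: to=<c@example.org>, relay=mx.example.org[203.0.113.9]:25, status=bounced (554 5.7.1 blocked)
Jan 19 10:00:03 mx postfix/smtp[2110]: 3F2A1B0C01: to=<d@example.org>, relay=mx.example.org[203.0.113.9]:25, status=sent (250 ok)
Jan 19 10:05:00 mx postfix/smtpd[2102]: 3F2A1B0C02: client=gw.office.example[10.0.0.5]
Jan 19 10:05:01 mx postfix/smtp[2111]: 3F2A1B0C02: to=<e@example.com>, relay=mx.example.com[192.0.2.25]:25, status=sent (250 ok)
Jan 19 10:05:01 mx postfix/smtp[2111]: 3F2A1B0C02: to=<f@example.com>, relay=mx.example.com[192.0.2.25]:25, status=sent (250 ok)
Jan 19 10:05:02 mx postfix/smtp[2111]: 3F2A1B0C02: to=<g@example.com>, relay=mx.example.com[192.0.2.25]:25, status=sent (250 ok)
"""

# smtpd logs which client submitted a queue ID; smtp logs each delivery attempt.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[([^\]]+)\]")
DELIVERY_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*>.*status=(\w+)")

def summarize(log_text):
    """Return {client_ip: {"sent": n, "bounced": m}} from outbound deliveries."""
    client_of = {}
    stats = defaultdict(lambda: {"sent": 0, "bounced": 0})
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = DELIVERY_RE.search(line)
        if m and m.group(1) in client_of:
            entry = stats[client_of[m.group(1)]]
            entry["sent"] += 1
            entry["bounced"] += int(m.group(2) == "bounced")
    return dict(stats)

def suspects(stats, min_sent=3, bounce_rate=0.5):
    """Clients whose bounce rate suggests a scraped or stale recipient list."""
    return sorted(ip for ip, s in stats.items()
                  if s["sent"] >= min_sent and s["bounced"] / s["sent"] >= bounce_rate)
```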

Request removal

You should fill out the form to provide your contact information and click Submit to request removal from the Spamhaus Zen blocklist. Spamhaus will process your removal form immediately after accepting it; however, the removal process may take up to 24 hours.

There are many reasons why IP addresses may be blacklisted by Spamhaus, and it does not always mean that your device is sending spam in every email message. If you are on the Spamhaus blocklist, it’s important to thoroughly investigate the issue.

Wrapping up

Spamhaus is one of the major email blacklist operators and if you find yourself on their list of malicious domains, you will inevitably face huge deliverability issues. You don’t have to do any illegal activities to get on their database of spammers, but you should check why you landed there and find ways to get out.

One of the easiest ways to remove this domain threat is to keep a clean list of email addresses. With Bouncer, you can verify and validate your email lists, making sure to remove all spam traps, misspelled and outdated emails and in general, keeping your email marketing efforts flourishing.

Ready to get rolling? Sign up today and validate your first 100 emails for free!
