
- Protecting email
- Protecting networks, firewalls and DNS
- Protecting BGP
About Spamhaus Technology
Spamhaus is the trusted authority on threat intelligence data, with over two decades of experience. This experience, the quality and accuracy of data, alongside our robust infrastructure, is what sets us apart.
Data from Spamhaus protects and provides insight across networks and email worldwide. Spamhaus’ datasets are used by leading global technology companies, internet service providers and hosting companies, among others.
Keep ahead of the threat
By identifying spammers, bot herders and cyber criminals, Spamhaus protects over three billion mailboxes worldwide, every day. Reputation-based threat intelligence is an essential element of multi-layered security.
Email is mission critical to all businesses and organizations, retaining a unique position as the most common communication tool across the internet. However, its widespread use makes it a key channel for cyber criminals to take advantage of your data, your money and your networks. For more than a decade we have been helping organizations protect against such activity through our reputation-based threat intelligence.
You need to trust your connections online, and with Spamhaus data you have a first line of defense advising you of the reputation of email entering your network.


- domains assessed
- 18,000 malware samples processed every day
- SMTP connections analyzed daily
- of heuristics are used to identify the safe from the potentially malicious
- botnet nodes listed daily
- mailboxes are protected globally
Who can use this?
- Email administrators
- Email engineers who manage their own email infrastructure
- Free 30 day trial for data query service. See: https://www.spamhaustech.com/free-trial/free-trial-for-data-query-service/
What can Spamhaus data be integrated with?
- Any major mail transfer agent (MTA). If your MTA can consume Domain Name System Block Lists (DNSBLs), you can use Spamhaus block lists.
Product outline
With a 99%+ block rate, this easy to configure service doesn’t rely on expensive hardware. Spamhaus block lists can be used with open-source tools like SpamAssassin, or integrated with your current anti-spam platform, keeping costs to a minimum.
The Spamhaus Data Query Service (DQS) comprises a number of real-time IP block lists and domain block lists.
For website, form and portal protection, our data-sets are also available via API.
Which Spamhaus block lists are available for use with the Data Query Service?
IP Block Lists
IP addresses observed to be involved in sending or hosting spam, including hijacked servers and computers infected with botnet malware. Spamhaus ZEN combines the power of all our IP data sets into a single block list.
Spamhaus Block List – SBL
IPs identified to Spamhaus’ best ability as likely:
- Direct spam sources
- Spammer hosting/DNS
- Spam gangs
- Spam support services
The SBL filters out a significant majority of email threats before they have a chance to access your network, leaving more time for you and your security team to focus on in-depth analysis and investigation.
Exploits Block List – XBL
IP addresses hosting:
- Bots
- Malware-infected computers
Automated tools observe SMTP connections for spamtrap and production mail servers.
Cyber criminals exploit and hijack legitimate networks, so with XBL you can block email traffic from what might first appear to be a trusted source.
Policy Block List – PBL
IP address ranges for end-user devices from which email should never be sent:
- IoT devices
- Home routers
- Smart TVs
The PBL lists IPs not because they are actively sending spam, but as a pre-emptive measure to prevent spam from networks that should send no email at all.
Content Block Lists
Constantly updated block lists that focus on low reputation/malicious domains and cryptographic hashes.
Domain Block List – DBL
- Domains owned by spammers and used for spam or other malicious purposes.
- Domains owned by non-spammers, used for legitimate purposes, but hacked by spammers.
Includes basic spam, phishing, malware, botnet C&C and redirector domains.
Zero Reputation Domain – ZRD
Cyber criminals use newly registered and active domains to send spam and drive traffic to harmful websites hoping to claim victims before a domain has been analyzed.
ZRD automatically adds newly-registered and previously dormant domains to a block list for 24 hours.
Legitimate organizations will rarely activate a domain and start using it immediately after registration. ZRD prevents clicking on links and visiting domains until it is established that they are not associated with malicious activities.
Hash Block List – HBL
This blocklist contains the following content areas: Cryptowallet (Bitcoin etc.), Malware and Email addresses.
Hash Blocklists (HBL) are lists of cryptographic hashes associated with malicious content, as opposed to IP addresses or domains. They are extremely useful for filtering fraudulent emails coming from ISPs, domains, or IP addresses that Spamhaus is unable to list, e.g. Gmail. Additionally, they can block emails containing malware files.
Who can use this?
- Network engineers
- Security operation centre (SOC) teams who are running their own DNS infrastructures
What can Spamhaus data be integrated with?
Spamhaus DNS Firewall Threat Feeds can be used with a variety of major DNS software, in addition to DNS hardware:
DNS software
- BIND
- PowerDNS
- Unbound*
- Knot**
DNS appliances (DDIs)
- Infoblox
- EfficientIP
- BlueCat
* Requires feedback to Farsight for their proprietary plug-in “Fast Response Policy Zones” (RPZ)
** Partially supports DNS Firewall Feeds; however, it does not support NSDNAME.
Firewalls
- Vendor support varies, please contact us for further information.
Which Spamhaus block lists are available for use with DNS Firewall?
You can choose which threat feeds you use, based on the amount of risk your business needs to be exposed to.
Who can use this?
- Network engineers
- Security operation centre (SOC) teams who manage their own network edge routers
What can Spamhaus data be integrated with?
Any network edge routers
Product outline
Provide your network with the most up to date protection against botnets and external attacks on your organization’s servers. Simply configure your edge router to peer with a Spamhaus Border Gateway Protocol feed (BGPf) router and a null route. This will allow you to block all communication to, and from, botnet Command & Control servers, neutralising botnet nodes within your network and stopping data egress, even if devices are still infected with malware.
Which Spamhaus datasets are available for use with Border Gateway Protocol?
Spamhaus Do not route or Peer (DROP) feeds
Who can use this?
- Security professionals
- Brand protection specialists
- Malware researchers
- Penetration testers
How can Spamhaus Passive DNS data be accessed?
- Web browser
- API
- Real-time continuous data-feed
- Splunk integration being released in second half of 2020
Product outline
The Spamhaus Passive DNS tool has flexible and fast search capabilities for users to query DNS infrastructure, e.g. domain names, IP addresses and name servers. This allows investigators to quickly pivot to new areas of badness from a single entity. The fuzzy search functionality on Passive DNS enables brand protection specialists to search for all potential variations on their brand name and view what IP address the domain is being hosted on, along with the times this domain was first and last observed. The UI is simple and effective, like “Google” for DNS data. Discover how easy Passive DNS is to use.
Featured blogs

Webinar: Domain hijacking – a prevalent problem
The threat landscape is constantly changing as cybercriminals continually try to avoid detection and increase the number of legitimate resources they can utilize. Recently, domain hijacking has become more prevalent. Every day this year, Spamhaus has observed over 100 hijacked domains at a single domain registrar.

Mint Security to resell Spamhaus services
Mint Security starts to resell and support Spamhaus’s services in Finland. Block lists provided by Spamhaus protect 3 billion mailboxes every day. Spamhaus also operates in DNS services and BGP routers.

Spamhaus Botnet Threat Report 2019 – A comprehensive overview how criminal botnets work
Researchers at Spamhaus Malware Labs identified and blocked 17,602 botnet C&C servers hosted on 1,210 different networks. That is an enormous 71.5% increase from the number of botnet C&Cs seen in 2018. Since 2017, the number of newly detected botnet C&Cs has almost doubled from 9,500 to 17,602.

Botnet command & control domain registrations go through the roof in 2018
When Spamhaus Malware Labs observe a 100% increase in the number of domains that are being registered by cybercriminals to host a botnet command & control (C&C) it’s time to stop. Cybercriminals prefer to use a domain name registered exclusively to host a botnet C&C