Policy Block List
   HOME

TheInfoList



OR:

The Spamhaus Project is an international organisation based in the
Principality of Andorra , image_flag = Flag of Andorra.svg , image_coat = Coat of arms of Andorra.svg , symbol_type = Coat of arms , national_motto = la, Virtus Unita Fortior, label=none (Latin)"United virtue is stro ...
, founded in 1998 by
Steve Linford Stephen John "Steve" Linford (born 12 December 1956) is a British entrepreneur and anti-spam campaigner best known for founding The Spamhaus Project. Biography Linford was born in London, England, in 1956. His family moved to Rome, Italy, where ...
to track
email spam Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoida ...
mers and
spam Spam may refer to: * Spam (food), a canned pork meat product * Spamming, unsolicited or undesired electronic messages ** Email spam, unsolicited, undesired, or illegal email messages ** Messaging spam, spam targeting users of instant messaging ( ...
-related activity. The name ''spamhaus'', a pseudo-German expression, was coined by Linford to refer to an
internet service provider An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...
, or other firm, which spams or knowingly provides service to spammers.


Anti-spam lists

The Spamhaus Project is responsible for compiling several widely used anti-spam lists. Many
internet service provider An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...
s and
email server Within the Internet email system, a message transfer agent (MTA), or mail transfer agent, or mail relay is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host ...
s use the lists to reduce the amount of spam that reaches their users. In 2006, the Spamhaus services protected 650 million email users, including the European Parliament, US Army, the White House and Microsoft, from billions of spam emails a day. Spamhaus distributes the lists in the form of DNS-based Blacklists (
DNSBL A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of mail servers to perform a check via a Domain Name System (DNS) query whe ...
s) and Whitelists (
DNSWL A DNSWL ("DNS-based whitelist") is a "whitelist" of semi-trusted locations on the Internet. The locations consist of IP addresses which may be reputed with no or low occurrences of spamming. Generic need for whitelisting Natural language unders ...
s). The lists are offered as a free public service to low-volume mail server operators on the Internet. Commercial spam filtering services and other sites doing large numbers of queries must instead sign up for an
rsync rsync is a utility for efficiently transferring and synchronizing files between a computer and a storage drive and across networked computers by comparing the modification times and sizes of files. It is commonly found on Unix-like operat ...
-based feed of these DNSBLs, which Spamhaus calls its Datafeed Service. Spamhaus outlines the way its DNSBL technology works in a document called Understanding DNSBL Filtering. The Spamhaus Block List (SBL) targets "verified spam sources (including spammers, spam gangs and spam support services)." Its goal is to list
IP addresses An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...
belonging to known spammers, spam operations, and spam-support services. The SBL's listings are partially based on the
ROKSO The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to track email spammers and Spam (electronic), spam-related activity. The name ''spamhaus'', a pseudo-German expression, ...
index of known spammers. The Exploits Block List (XBL) targets "illegal 3rd party exploits, including
open proxies An open proxy is a type of proxy server that is accessible by any Internet user. Generally, a proxy server only allows users ''within a network group'' (i.e. a closed proxy) to store and forward Internet services such as Domain Name System, DN ...
, worms/viruses with built-in spam engines, virus-infected PCs & servers and other types of trojan-horse exploits." That is to say it is a list of known open proxies and exploited computers being used to send spam and viruses. The XBL includes information gathered by Spamhaus as well as by other contributing DNSBL operations such as the
Composite Blocking List In computer networking, the Composite Blocking List (CBL) is a DNS-based Blackhole List of suspected E-mail spam sending computer infections. Overview The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IP ...
(CBL). The Policy Block List (PBL) is similar to a
Dialup Users List A Dial-up/Dynamic User List (DUL) is a type of DNSBL which contains the IP addresses an ISP assigns to its customer on a temporary basis, often using DHCP or similar protocols. Dynamically assigned IP addresses are contrasted with static IP addres ...
. The PBL lists not only dynamic IP addresses but also static addresses that should not be sending email directly to third-party servers. Examples of such are an
ISP An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...
's core routers, corporate users required by policy to send their email via company servers, and unassigned IP addresses. Much of the data is provided to Spamhaus by the organizations that control the IP address space, typically ISPs. The Domain Block List (DBL) was released in March 2010 and is a list of domain names, which is both a domain
URI Uri may refer to: Places * Canton of Uri, a canton in Switzerland * Úri, a village and commune in Hungary * Uri, Iran, a village in East Azerbaijan Province * Uri, Jammu and Kashmir, a town in India * Uri (island), an island off Malakula Islan ...
Blocklist and
RHSBL A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of mail servers to perform a check via a Domain Name System (DNS) query whe ...
. It lists spam domains including spam payload URLs, spam sources and senders ("right-hand side"), known spammers and spam gangs, and phish, virus and
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
-related sites. It later added a zone of "abused URL shortners", a common way spammers insert links into spam emails. The Botnet Controller List (BCL) was released in June 2012 and is a list of IP addresses. It lists IP addresses of which Spamhaus believes to be operated by cybercriminals for the exclusive purpose of hosting botnet Command&Control infrastructure. Such infrastructure is commonly used by cybercriminals to control malware infected computers. The Composite SnowShoe (CSS) is an automatically produced dataset of IP addresses that are involved in sending low-reputation email. Listings can be based on HELO greetings without an A record, generic looking rDNS or use of fake domains, which could indicate spambots or server misconfiguration. CSS is part of SBL. The Spamhaus White List (SWL) was released in October 2010 and was a whitelist of IPv4 and IPv6 addresses. The SWL was intended to allow mail servers to separate incoming email traffic into 3 categories: Good, Bad and Unknown. Only verified legitimate senders with clean reputations were approved for whitelisting and there were strict terms to keeping a Spamhaus Whitelist account. The Domain White List (DWL) was released in October 2010 and was a whitelist of domain names. The DWL enables automatic certification of domains with
DKIM DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claimed ...
signatures. Only verified legitimate senders with clean reputations were approved for whitelisting and there are strict terms to keeping a whitelist account. Spamhaus also provides two combined lists. One is the SBL+XBL and the second is called ZEN, which combines all the Spamhaus IP address-based lists.


Register of Known Spam Operations

The Spamhaus Register of Known Spam Operations (ROKSO) is a database of spammers and spam operations who have been terminated from three or more ISPs due to spamming. It contains publicly sourced information about these persons and their domains, addresses and aliases. The ROKSO database allows ISPs to screen new customers, ensuring that ROKSO-listed spammers find it difficult to get hosting. A listing on ROKSO also means that all IP addresses associated with the spammer (their other domains, sites, servers, etc.) get listed on the Spamhaus SBL as "under the control of a ROKSO-listed spammer" whether there is spam coming from them or not (as a preemptive measure). There is a special version of ROKSO, available to
law enforcement Law enforcement is the activity of some members of government who act in an organized manner to enforce the law by discovering, deterring, rehabilitating, or punishing people who violate the rules and norms governing that society. The term en ...
agencies, containing data on hundreds of spam gangs, with evidence, logs and information on illegal activities of these gangs considered too sensitive to publish in the public part of ROKSO.


Don't Route Or Peer list

The Spamhaus Don't Route Or Peer (DROP) List is a text file delineating CIDR blocks that have been stolen or are otherwise "totally controlled by spammers or 100% spam hosting operations". As a small subset of the SBL, it does not include address ranges registered to ISPs and sublet to spammers, but only those network blocks wholly used by spammers. It is intended to be incorporated in firewalls and routing equipment to drop all network traffic to and from the listed blocks. The DROP webpage FAQ states the data is free for all to download and use. In 2012 Spamhaus offered a
BGP Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous system (Internet), autonomous systems (AS) on the Internet. BGP is classified as a path-vector ...
feed of the same DROP data.


Companies

The Spamhaus Group consists of a number of independent companies which focus on different aspects of Spamhaus anti-spam technology or provide services based around it. At the core is The Spamhaus Project SLU, a not-for-profit company based in Andorra which tracks spam sources and cyber threats such as phishing, malware and botnets and publishes free DNSBLs. Commercial services are managed by a British data delivery company Spamhaus Technology Ltd., based in London UK which manages data distribution services for large scale spam filter systems.


Awards

* National Cyber Forensics Training Alliance 2008 Cyber Crime Fighter Award * Internet Service Providers Association's Internet Hero of 2003 Award * Greatest Contribution to anti-spam in the last 10 years presented to Spamhaus by
Virus Bulletin ''Virus Bulletin'' is a magazine about the prevention, detection and removal of malware and spam. It regularly features analyses of the latest virus threats, articles exploring new developments in the fight against viruses, interviews with anti-vi ...
Magazine.


Conflicts


e360 lawsuit

In September 2006, David Linhardt, the
owner-operator An owner-operator is a small business or microbusiness owner who also runs the day-to-day operations of the company. Owner-operators are found in many business models and franchising companies in many different industries like restaurant chains, ...
of American bulk-emailing company "e360 Insight LLC", filed suit against Spamhaus in Illinois for blacklisting his mailings. Spamhaus had the case moved from the state court to the U.S.
Federal District Court The United States district courts are the trial courts of the U.S. federal judiciary. There is one district court for each federal judicial district, which each cover one U.S. state or, in some cases, a portion of a state. Each district cou ...
for the
Northern District of Illinois The United States District Court for the Northern District of Illinois (in case citations, N.D. Ill.) is the federal trial-level court with jurisdiction over the northern counties of Illinois. Appeals from the Northern District of Illinois ar ...
and asked to have the case dismissed for lack of
jurisdiction Jurisdiction (from Latin 'law' + 'declaration') is the legal term for the legal authority granted to a legal entity to enact justice. In federations like the United States, areas of jurisdiction apply to local, state, and federal levels. Jur ...
. The court, presided over by Judge Charles Kocoras, proceeded with the case against Spamhaus without considering the jurisdiction issue, prompting British MP
Derek Wyatt Derek Murray Wyatt (born 4 December 1949) is a British politician who served as Member of Parliament (MP) for Sittingbourne and Sheppey from 1997 to 2010, having previously been a councillor in the London Borough of Haringey (1994–95) where ...
to call for the judge to be suspended from office. Not having had its objection to jurisdiction examined, Spamhaus refused to participate in the U.S. case any further and withdrew its counsel. However, Spamhaus was deemed by the court to have "technically accepted jurisdiction" by having initially responded at all, and the judge, angry at Spamhaus having walked out of his court, awarded e360 a default judgement totaling US$11,715,000 in damages. Spamhaus subsequently announced that it would ignore the judgement because default judgements issued by U.S. courts without a trial "have no validity in the U.K. and cannot be enforced under the British legal system". Following the ruling in its favour, e360 filed a motion to attempt to force
ICANN The Internet Corporation for Assigned Names and Numbers (ICANN ) is an American multistakeholder group and nonprofit organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces ...
to remove the domain records of Spamhaus until the default judgement had been satisfied. This raised international issues regarding ICANN's unusual position as an American organization with worldwide responsibility for domain names, and ICANN protested that they had neither the ability nor the authority to remove the domain records of Spamhaus, which is a UK-based company. On 20 October 2006, Judge Kocoras issued a ruling denying e360's motion against ICANN, stating in his opinion that "there has been no indication that ICANN snot nindependent entit
rom Spamhaus Rom, or ROM may refer to: Biomechanics and medicine * Risk of mortality, a medical classification to estimate the likelihood of death for a patient * Rupture of membranes, a term used during pregnancy to describe a rupture of the amniotic sac * R ...
thus preventing a conclusion that tis acting in concert" with Spamhaus and that the court had no authority over ICANN in this matter. The court further ruled that removing Spamhaus's domain name registration was a remedy that was "too broad to be warranted in this case", because it would "cut off all lawful online activities of Spamhaus via its existing domain name, not just those that are in contravention" of the default judgment. Kocoras concluded, " ile we will not condone or tolerate noncompliance with a valid order of this court .e., Spamhaus' refusal to satisfy the default judgementneither will we impose a sanction that does not correspond to the gravity of the offending conduct". In 2007, Chicago law firm Jenner & Block LLP took up Spamhaus's case ''
pro bono publico ( en, 'for the public good'), usually shortened to , is a Latin phrase for professional work undertaken voluntarily and without payment. In the United States, the term typically refers to provision of legal services by legal professionals for pe ...
'' and appealed the ruling. The U.S. federal
Court of Appeals for the Seventh Circuit The United States Court of Appeals for the Seventh Circuit (in case citations, 7th Cir.) is the U.S. federal court with appellate jurisdiction over the courts in the following districts: * Central District of Illinois * Northern District of Ill ...
vacated the damages award and remanded the matter back to the district court for a more extensive inquiry to determine damages. In January 2008, e360 Insight LLC filed for bankruptcy and closed down, citing astronomical legal bills associated with this court case as the reason for its demise. In 2010, Judge Kocoras reduced the $11.7 million damages award to $27,002—$1 for tortious interference with prospective economic advantage, $1 for claims of defamation, and $27,000 for "existing contracts". Both parties appealed, but e360's case for increasing the damages was sharply criticized by Judge
Richard Posner Richard Allen Posner (; born January 11, 1939) is an American jurist and legal scholar who served as a federal appellate judge on the U.S. Court of Appeals for the Seventh Circuit from 1981 to 2017. A senior lecturer at the University of Chica ...
of the Seventh Circuit: "I have never seen such an incompetent presentation of a damages case," Posner said. "It's not only incompetent, it's grotesque. You've got damages jumping around from $11 million to $130 million to $122 million to $33 million. In fact, the damages are probably zero." On 2 September 2011 the court reduced the damages award to just $3 total, and ordered the plaintiff e360 to pay the costs of the appeal for the defence.


Spamhaus versus nic.at

In June 2007, Spamhaus requested the national
domain registry A domain name registry is a database of all domain names and the associated registrant information in the top level domains of the Domain Name System (DNS) of the Internet that enables third party entities to request administrative control of a do ...
of
Austria Austria, , bar, Östareich officially the Republic of Austria, is a country in the southern part of Central Europe, lying in the Eastern Alps. It is a federation of nine states, one of which is the capital, Vienna, the most populous ...
, nic.at, to suspend a number of domains, claiming they were registered anonymously by phishing gangs for illegal bank
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
purposes. The registry nic.at rejected the request and argued that they would break Austrian law by suspending domains, even though the domains were used for criminal purposes, and demanded proof that the domains were registered under false identities. For some time the domains continued to phish holders of accounts at European banks. Finally, Spamhaus put the mail server of nic.at on their SBL spam blacklist under the SBL's policy "Knowingly Providing a Spam Support Service for Profit" for several days which caused interference of mail traffic at nic.at. All of the phishing domains in question have been since deleted or suspended by their DNS providers.


Blocking of Google Docs IPs

In August 2010, Spamhaus added some Google-controlled IP addresses used by Google Docs to its SBL spam list, due to Google Docs being a large source of uncontrolled spam. Google quickly fixed the problem and Spamhaus removed the listing. Though initially wrongly reported by some press to be IPs used by Gmail, later it was clarified that only Google Docs was blocked.


CyberBunker dispute and DDoS attack

In March 2013,
CyberBunker CyberBunker was an Internet service provider located in the Netherlands and Germany that, according to its website, "hosted services to any website except child pornography and anything related to terrorism". The company first operated in a forme ...
, an internet provider named after its former headquarters in a surplus NATO
bunker A bunker is a defensive military fortification designed to protect people and valued materials from falling bombs, artillery, or other attacks. Bunkers are almost always underground, in contrast to blockhouses which are mostly above ground. ...
in the Netherlands that "offers anonymous hosting of anything except child porn and anything related to terrorism" was added to the Spamhaus blacklist used by email providers to weed out spam. Shortly afterwards, beginning on March 18, Spamhaus was the target of a
distributed denial of service In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connect ...
(DDoS) attack exploiting a long-known vulnerability in the
Domain Name System The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...
(DNS) which permits origination of massive quantities of messages at devices owned by others using
IP address spoofing In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system. Background The basic protocol for sending ...
. Devices exploited in the attack may be as simple as a
cable converter box A cable converter box or television converter box is an electronic tuning device that transposes/converts channels from a cable television service to an analog RF signal on a single channel, usually VHF or 4, or to a different output for dig ...
connected to the internet. The attack was of a previously unreported scale (peaking at 300 Gbit/s; an average large-scale attack might reach 50 Gbit/s, and the largest previous publicly reported attack was 100 Gbit/s) was launched against Spamhaus's DNS servers; the effects of the attack had lasted for over a week. Steve Linford, chief executive for Spamhaus, said that they had withstood the attack, using the assistance of other internet companies such as
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...
to absorb the excess traffic. Linford also claimed that the attack was being investigated by five different national cyber-police-forces around the world, who had chosen to remain anonymous to avoid similar attacks on their own infrastructure. Spamhaus also hired
Cloudflare Cloudflare, Inc. is an American content delivery network and DDoS mitigation company, founded in 2009. It primarily acts as a reverse proxy between a website's visitor and the Cloudflare customer's hosting provider. Its headquarters are in San ...
, a DDoS mitigation company, to assist them by distributing their internet services across Cloudflare's worldwide network, after which the focus of the attack was redirected to the companies that provide Cloudflare's network connections. Spamhaus alleged that CyberBunker, in cooperation with "criminal gangs" from Eastern Europe and Russia, was behind the attack; CyberBunker did not respond to the
BBC #REDIRECT BBC #REDIRECT BBC #REDIRECT BBC Here i going to introduce about the best teacher of my life b BALAJI sir. He is the precious gift that I got befor 2yrs . How has helped and thought all the concept and made my success in the 10th board ex ...
's request for comment on the allegation; however, Sven Olaf Kamphuis, the owner of CyberBunker, posted to his
Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...
account on 23 March "Yo anons, we could use a little help in shutting down illegal slander and blackmail censorship project 'spamhaus.org,' which thinks it can dictate its views on what should and should not be on the Internet." According to ''
The New York Times ''The New York Times'' (''the Times'', ''NYT'', or the Gray Lady) is a daily newspaper based in New York City with a worldwide readership reported in 2020 to comprise a declining 840,000 paid print subscribers, and a growing 6 million paid ...
'' Kamphuis also claimed to be the spokesman of the attackers, and said in a message "We are aware that this is one of the largest DDoS attacks the world had publicly seen", and that CyberBunker was retaliating against Spamhaus for "abusing their influence". ''The NYT'' added that security researcher
Dan Kaminsky Daniel Kaminsky (February 7, 1979 – April 23, 2021) was an American computer security researcher. He was a co-founder and chief scientist of WhiteOps, a computer security company. He previously worked for Cisco, Avaya, and IOActive, where h ...
said "You can’t stop a DNS flood ... The only way to deal with this problem is to find the people doing it and arrest them". The attack was attributed by network engineers to an anonymous group unhappy with Spamhaus, later identified by the victims of the attack as Stophaus, a loosely organized group of "bulletproof spam and malware hosters". On 26 April 2013, the owner of CyberBunker, Sven Olaf Kamphuis, was arrested in Spain for his part in the attack on Spamhaus. He was held in jail for 55 days pending extradition to the Netherlands, was released pending trial, and was ultimately found guilty and sentenced to 240 days in jail, with the remaining days suspended. The British National Cyber Crime Unit revealed that a London schoolboy had been secretly arrested as part of a suspected organised crime gang responsible for the DDoS attacks. A briefing document giving details of the schoolboy's alleged involvement states: "The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies."


''Ames v. The Spamhaus Project Ltd''

In 2014, Spamhaus was sued by California-based entrepreneurs Craig Ames and Rob McGee, who were involved with a bulk email marketing services business, initially through a US corporation called Blackstar Media LLC, and later as employees of Blackstar Marketing, a subsidiary of the English company Adconion Media Group Limited, which bought Blackstar Media in April 2011. Although an initial motion by Spamhaus to strike out the claims failed, they ultimately prevailed when the claimants dropped their case and paid Spamhaus' legal costs.


See also

*
Anti-spam techniques (email) Various anti-spam techniques are used to prevent email spam (unsolicited bulk email). No technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate email (false positives) as opposed to ...
*
Brian Haberstroh Brian Haberstroh is a businessman in New Hampshire who once ran Distributed Mail Corporation, which distributed software used to forward e-mail for other companies. Spam accusations Prior to 2005, Distributed Mail Corporation created a software a ...
*
Comparison of DNS blacklists __NOTOC__ The following table lists technical information for assumed reputable DNS blacklists used for blocking spam. Notes "Collateral listings"—Deliberately listing non-offending IP addresses, in order to coerce ISPs to take action agains ...
*
news.admin.net-abuse.email news.admin.net-abuse.email (sometimes abbreviated nanae or n.a.n-a.e, and often incorrectly spelled with a hyphen in "email") is a Usenet newsgroup devoted to discussion of the abuse of email systems, specifically through spam and similar attac ...
*
SpamCop SpamCop is an email spam reporting service, allowing recipients of unsolicited bulk or commercial email to report IP addresses found by SpamCop's analysis to be senders of the spam to the abuse reporting addresses of those IP addresses. SpamCop u ...


References


External links

* {{DEFAULTSORT:Spamhaus Project