When a Spamhaus check reveals that you are on a Spamhaus blocklist (sometimes mistakenly called a blacklist), what should you do? The Spamhaus Project maintains a few different blocklists, such as the Spamhaus SBL and the DBL, and for each Spamhaus blocklist removal entails a couple of steps which may differ between the lists, but which are similar and not difficult. Note that most of these blocklists are DNSBLs (DNS-based blocklists), which means that what gets listed on them is IP addresses, specifically IP addresses demonstrated to be the sources of spam.
All told, the Spamhaus Project maintains five primary lists, four of which are DNS-based blocklists (the SBL, the XBL, the PBL, and the DBL, plus Spamhaus Zen, which is a compilation of all four of those lists), and one of which, ROKSO, is a text-based, human-readable list of known (indeed notorious) spam operations. We’ll explain each of these in turn, then explain how to go about getting removed from them.
List of Spamhaus Project Blocklists
The Spamhaus SBL & SBLCSS
The SBL is perhaps the Spamhaus blocklist with which people are most familiar. In fact, SBL stands for “Spamhaus Block List”. The SBL is a general use blocklist of IP addresses from which Spamhaus “does not recommend the acceptance of electronic mail.” There is a sublist which is incorporated into the Spamhaus SBL, called the SBLCSS. The ‘CSS’ stands for “Composite SnowShoe”, and is specific to what is known as snowshoe spamming. Snowshoe spamming is when a spammer sends out spam across a wide range of IP addresses, with each individual IP address sending only a small percentage of the total spam load. The spammers’ theory is that if a whole lot of IP addresses each send just a little bit of spam, it will evade detection (or at least forestall detection for a period of time), and maybe even make it harder to block. It’s called ‘snowshoe spamming’ because the load is distributed across a broad base of IP addresses, much like a snowshoe distributes the wearer’s weight across a broad base, allowing the wearer to walk on deep snow instead of sinking owing to a single point of weight.
The Spamhaus XBL
The Spamhaus XBL stands for the Spamhaus Exploits Blocklist (or, eXploits, if you prefer). The XBL contains the IP addresses of computers that are being exploited (hence the X in XBL) after having been infected by a virus, worm, or other malware. What this most often means, in plain English, is that someone’s computer has been infected and is being used to send spam or phishing email, or to otherwise distribute malware.
The Spamhaus PBL
The Spamhaus PBL is Spamhaus’ (violation of) Policy Block List. What this means is that if, for example, an ISP has a policy that email should not be sent out directly through a certain block of its IP addresses, or certain types of IP addresses, the ISP can proactively have those IP addresses listed on the PBL. Many ISPs and other entities will voluntarily have such IP addresses listed on the PBL in an effort to make sure that spam does not emit from those IP addresses. Spamhaus themselves will list IP addresses in the PBL if they determine that there are IP addresses which should not be emitting email. An example of such an IP address is the IP address by which a home computer is connected to the Internet; email from home computers is sent through email services, not directly injected through the IP address which provides the Internet service to that home computer, and so there should be no email being sent directly from such an IP address.
The Spamhaus DBL
The Spamhaus DBL is, simply put, a list of domains with poor reputations. Spamhaus explains that “These domain reputations are calculated from many factors, and maintained in a database which in turn feeds the DBL zone itself.”
The Spamhaus ROKSO List
ROKSO stands for the Register of Known Spam Operations, and you have to try really hard to get on the ROKSO list. According to Spamhaus, the ROKSO list is a “depository of information and evidence on known persistent spam operations, assembled to assist service providers with customer vetting”, among other things.
Note: Spamhaus also maintains some other lists, but they are much less used in what would be the ordinary course of any business that would affect the average email sender. Those lists are the HBL, the BCL and the DROP lists.
How to Check to See Whether Your Domain or IP Address is Listed with Spamhaus
To check whether your IP address or domain is on any of the Spamhaus blocklists you can go to https://check.spamhaus.org/. Putting in your domain or IP address will search all of the blocklists at once, and let you know if you are on any of them.
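How such a lookup works at the DNS level, as an added example that is not part of the original article: a DNSBL is queried by reversing the IP address, appending the list's zone, and reading the returned 127.x address as a code. The zone name and return codes below are the ones Spamhaus publishes for Zen; the function names and the sample address (from the 192.0.2.0/24 documentation range) are constructed for illustration.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # combined IP zone (Spamhaus Zen)

# Zen return codes, mapped to the lists described above.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBLCSS",
    **{f"127.0.0.{n}": "XBL" for n in range(4, 8)},
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Answers in 127.255.255.0/24 signal a query problem, not a listing.
ERROR_CODES = {
    "127.255.255.252": "typing error in zone name",
    "127.255.255.254": "query came via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed octets (IPv4) or nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def interpret(answers):
    """Split the A records of a reply into (listings, query errors)."""
    listings = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    errors = sorted({ERROR_CODES[a] for a in answers if a in ERROR_CODES})
    return listings, errors

def lookup(ip):
    """Live query. NXDOMAIN (not listed) and resolver failures both raise gaierror."""
    try:
        _, _, answers = socket.gethostbyname_ex(query_name(ip))
    except socket.gaierror:
        return [], []
    return interpret(answers)

if __name__ == "__main__":
    print(query_name("192.0.2.99"))  # constructed sample address
```

Treat a non-empty error list as "no result" rather than "not listed": a mail server that queries through a large public resolver gets the 127.255.255.254 answer for every address.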
Spamhaus Block Removal Process
Before we tell you how to remove your IP address or domain from Spamhaus, let’s tell you how not to do it. We recently came across a service calling itself an email deliverability service (keeping in mind that we are the ones who came up with the term ‘deliverability’ and were instrumental in founding the email deliverability industry) that counsels that “a great solution to the problem” of being listed at Spamhaus is to, and we quote, “change your IP address”.
This is not only bad advice, it’s terrible advice. Changing your IP address is like being a notorious, easily recognized criminal, and changing the getaway car you are driving between bank heists. Your actions are the root cause of the listing, not the fact that the getaway car is a Ford or a Chevy.
Here’s their full, bad advice:
“What can you do if you are unable to remove your IP address from the blocklist? Most people decide to change their IP. And this is really a great solution to the problem. You can get a new IP address in different ways, it all depends on what kind of Internet user you are.
Here are the most common ways:
- If you are a local ISP or mobile user, then try reusing your IP address by “renewing your DHCP lease”; if that doesn’t help, ask your ISP for a new IP address.
- As a user of a commercial ISP, contact your ISP and ask for a new static IP address.
- As a cloud hosting user, you can send your email through a service like SendGrid.
- A dedicated hosting user should check other IPs near yours. If there are others on the list, you may have been dragged along. Ask to be transferred to a new subnet, if possible.”
What to actually do if you are listed on any of the Spamhaus lists
As it turns out, at the same link where you can check to see whether you have a Spamhaus listing (https://check.spamhaus.org/), if you do have a Spamhaus listing it will also tell you how to get your IP address or domain delisted.
Most listings are the result of spam coming from the listed IP address or domain. So the solution is really pretty simple: stop sending spam. Of course, nobody who is sending what they consider to be amazing, awesome, valuable email wants to be told that their email, no matter how amazing, awesome, or valuable it is, is still spam. But if you are sending email to people who did not either request it or otherwise agree to receive it, it’s spam, like it or not. Remember: your definition of spam doesn’t matter; it’s the industry’s (inbox providers, ISPs, and spam filters) definition that matters. You can walk into a bank with a weapon and demand that they hand over the cash and call it “liberating money”, but the law still calls it bank robbery, and you’ll still go to jail for it.
The steps for getting delisted from each of the different blocklists may vary slightly, but they are generally pretty similar, and involve demonstrating ownership of the IP address or domain that is listed, and that you have taken the steps to remedy the issue which got you listed in the first place.
Of course, if you are listed on ROKSO that’s a whole other matter, and requires not only ceasing all spamming or spam-supporting activities, but a demonstrable history of not being involved with any spam or spam-supporting activities for at least 6 months.
As with just about everything to do with email reputation, it’s a whole lot easier to just do the right thing, and not get on a Spamhaus (or any other) blocklist in the first place.