|
Rationale
|
|
90% of spam received by Internet users in North America and Europe is sent by a hard-core group of under 200 spam outfits, almost all of whom are listed in the ROKSO database. These known, professional, chronic spammers, many with criminal records for theft and fraud, are loosely grouped into gangs ("spam gangs") and move from network to network seeking out Internet Service Providers ("ISPs") with poor spam control and taking advantage of the slowness of some service providers to terminate them.
These and other 'direct-from-spammer' spam sources account for some 50% of spam received by Internet mail relays worldwide, the other 50%, although mostly sent by the same spammers, comes via 3rd party exploits such as open proxies and open relays.
The Spamhaus Block List ("SBL") is a database of IP addresses of direct spam sources; spammers, spam gangs and spam support services (but not open proxies or open relays), queriable in realtime by mail systems throughout the Internet for the purpose of refusing mail from known spam senders.
All SBL entries are backed up with evidence which has fully satisfied the Spamhaus Project team that the IP is under the control of a spammer, spam operation or a spam support service and that the IP or netblock represents an unwanted nuisance or threat to mail systems using the SBL.
SBL listings are immediate and, in the case of known spam gangs, are preemptive. The SBL does not require warnings or have a 'grace period' and does not require physical evidence of spam received from any specific IP to qualify a listing (in the case of known spam gangs, any IPs under their control are listed on sight). Warnings are however sent to block owners before listing large netblocks and for listings greater than single /32s the ISP and Block Owner (or upstream) is advised wherever possible of the listing.
Listing Criteria
The criteria for listing IPs in the SBL is:
|
Spam Sources
|
Spammers sending bulk email verified to be unsolicited (spam) directly from static IPs under the spammer's control. |
|
Spam Gangs
|
Spam gangs listed in ROKSO - including preemptively listing new netblocks each time known spammers move to new hosts. |
|
Spam Services
|
Spammers' mail servers, web servers, DNS and other servers used in spamming. |
|
Spam Support
Services
|
Services providing 'bullet-proof' hosting for spam service purposes, serving 'spamware' sites, or knowingly providing services for spam service purposes. |
Updating Criteria
Spamhaus does not perform scans to update records. It is the ISP's responsibility to advise the Spamhaus Project of any changes which affect a listing. On being advised of changes, Spamhaus will endeavor to amend the listing as quickly as possible.
De-listing Criteria
IPs are removed immediately from the SBL upon receipt of notification from the IP owner (Internet Service Provider) that the spamming activity has been terminated. In the case of known spam gangs however, where listings are often made preemptively based on the gangs past performance and history, an SBL listing will normally remain in place until the gang has been completely removed from the ISPs' network.
Where we have a proven working relationship with any Internet Service Provider, the SBL team implicitly trusts the Internet Service Provider's Abuse Manager and will normally remove listings on the Abuse Manager's word.
Timeouts
If not removed manually from the database, all SBL records eventually time out and are automatically removed. Each SBL record has a timeout value set by the record Editor as deemed appropriate for the listing. Unidentified spam sources normally have a short time-out of 2, 7 or 14 days, persistent spammers may have a timeout set at 6 months, while known spam gangs with ARIN-assigned IPs will normally have the timeout set at one year or more.
Also see the Frequently Asked Questions (FAQs) page for further information.
|
 |
|
|
