IP Blocklists

This list contains IP addresses that are observed to be involved in sending spam, snowshoe spamming, bulletproof hosting companies, and hijacked IP space.

The SBL can be used as both a sender IP blocklist and a URI blocklist, to help protect your mailstreams from spam.

Senders whose IP addresses have been listed in the SBL will receive a bounceback message, allowing them to check the email addresses of recipients, or correct any other sending issues.

This blocklist is included in ZEN which combines the listings contained in the SBL, XBL, and PBL. This makes it easier and faster to query, and is available via our Data Query Service (DQS). For further information on consuming our blocklists via API, please contact us.

Containing individual IPv4 and IPv6 addresses exhibiting signs of compromise – e.g., the presence of malware inadvertently downloaded on a device, or software like some “free VPN” applications that use the customer device to do network activity on behalf of other unknown people, or security problems on various devices connected to the LAN such as routers or cameras allowing unauthorized access. In such cases, the compromised IP appears to be part of a botnet made of thousands or even millions of compromised systems, carrying on malicious activities unknown to its legitimate user.

To see the size and coverage of this dataset, see Uncovering the value in the Exploits dataset.

The constantly updated list is designed to protect networks from malware and spam by preventing mail servers from accepting connections from compromised computing devices. The XBL is also available in an “enhanced” version (eXBL), which gives additional information for individual detections.

This blocklist is included in ZEN, which combines the listings contained in the SBL, XBL, and PBL. This makes it easier and faster to query and is available via our Data Query Service (DQS). For further information on consuming our blocklists via API, please contact us.

The Policy Blocklist (PBL) includes IP address ranges for end-user devices, such as home routers, smart TVs, and other Information of Things (IoT) devices, from which email should never be sent.  This protects networks from the potential of being compromised by malware spread by botnet command and controller servers (C&Cs).

This list covers the majority of end user IPv4 space, in addition to some IPv6 ranges. While some individual IP addresses are included, most PBL listings are in classless inter domain routing (CIDR) format and are at least /24 in size.

By managing your own IP address range on the PBL, your organization can protect other networks from receiving spam from infected devices on your network. This helps to protect email recipients from malware, preserves the reputation of your company and avoids your domain being added to a DNSBL, which would result in your organization’s outgoing emails being blocked. To register your IP ranges, visit the Spamhaus PBL page.

This blocklist is included in ZEN which combines the listings contained in the SBL, XBL, and PBL. This makes it easier and faster to query, and is available via our Data Query Service (DQS). For further information on consuming our blocklists via API, please contact us.

This dataset is an advisory “drop all traffic” list consisting of single IPv4 addresses that are being used to host botnet command and control (C&C) servers to control infected computers (bots).

This list contains dedicated C&C servers only i.e., threat actors are using all the IPs listed to host their botnet C&C infrastructure on dedicated hosts, which serve no other purpose than controlling botnets.

The BCL – Dedicated does not contain any subnets or CIDR prefixes larger than /32.

This subset is included in our IP blocklist subscription, and is available via our Data Query Service (DQS). It can also be consumed via an API, including related metadata. Or utilize BCL data at the network edge to prevent any infected devices on your network from communicating with a botnet C&C.

This list contains direct snowshoe spam sources, detected via automation. It may also include other senders that display a risk to our users.

CSS listings are influenced by: Email showing indications of unsolicited nature; Broad-spectrum aggregated views of email deliveries; Having poor list-hygiene; Sending out bad email due to a compromise (compromised account, webform or CMS); Other indicators of low reputation or abuse.

CSS listings are based on a wide range of inputs and are always the result of multiple events and heuristics. Listings include both IPv4 addresses (/32) and IPv6 addresses (/64).

This subset is included in our IP blocklist subscription, and is available via our Data Query Service (DQS). It can also be consumed via an API, including related metadata.

This is a subset of the XBL.  It lists IP addresses known to host bots using brute force or stolen SMTP-AUTH credentials to send spam, phishing and malware emails.

Botnets are often employed by cybercriminals to circumvent SMTP Auth: the security protocol that requires client machines to identify themselves to mailservers prior to being able to send or receive email.

We make the Auth Blocklist (Auth BL) available seperately, so you can use it at SMTP Auth as a score to make sure that someone isn’t trying to misuse a user’s account.

This subset is included in our IP blocklist subscription, and is available via our Data Query Service (DQS). It can also be consumed via an API.  For further information, please contact us.