Spamhaus DBL

Reliably Blocks Malware, Phish, and Spam

The Spamhaus Domain Blocklist (DBL) is a list of domains that are involved in spam and abuse on the Internet. It lists a wide variety of domains used to send spam, host spam content, or provide DNS services to other spam domains.


Features

The DBL contains many types of domain used in spam and abuse, ranging from malware to phish to legitimate domains that have been hacked by a spammer. It contains two categories of domains: spam domains, which are owned and used by spammers solely for spam, and legitimate domains that have been hacked or abused by spammers to send spam or host spammed content. Spam domains are not engaged in any legitimate activity, while abused legitimate domains might appear in legitimate email headers or message bodies. When your mailservers or spam filters query the DBL, the DBL provides a response that identifies the type of abuse that the domain is involved in, allowing you to handle each situation appropriately.

Within each category are several specific types of domain. Spammer-owned domains are further classified as follows:

  • Spam domains. Domains owned and used by spammers to send spam, host spammed content, or provide support to spam operations.
  • Phish domains. Domains used to send phish, host phish websites, or provide support to phish operations.
  • Malware domains. Domains used to send malware, host malware, or provide support to operations engaged in malware distribution.
  • Botnet Command and Control (C&C) domains. Domains that control networks of computers that are infected with spam-sending malware.

Legitimate domains that have been hacked or otherwise appropriated to participate in spam activities are classified as follows:

  • Abused-legit spam domains. Legitimate domains that send spam or host spammed content. Domains that appear in this category usually host websites that have been hacked and host spammed content.
  • Abused-legit redirector domains. Legitimate domains that host a redirect to a spam website.
  • Abused-legit phish domains. Legitimate domains that send phish or host phish websites. As with abused-legit spam domains, this category is used mostly for hacked or compromised websites that host phish pages.
  • Abused-legit malware domains. Legitimate domains that send email that contains malware or a link to a malware website, or that host malware. Domains that appear in this category usually host websites that have been infected with malware themselves, and that engage in “drive-by” attempts to infect any computer that visits the website.
  • Abused-legit botnet C&C domains. Legitimate domains that have been hacked and that are used to control botnets.

Spamhaus updates the DBL frequently, often within minutes of detecting spam. The Spamhaus Datafeed Service provides access to these updates in near-real-time, allowing you to stop most spam before it can reach your users.


Use Cases

Spamhaus data feed customers usually load the DBL data onto an internal DNS server that is configured to act as a DNSBL for their networks. They then configure their mailservers to query this internal DNSBL.

The DBL is designed to be used in a number of scenarios:

  • Include the DBL in your mailserver configuration to reject inbound email that comes from IPs whose rDNS includes a listed domain, that contains From or Reply-to headers set to a listed domain, or that contains a URL in the message body that includes a listed domain.

NOTE: The abused-legit category of domains is not designed for outright blocking. You should configure your mailserver to block only if the domain is identified as an outright spam, phish, or malware domain. (Botnet C&C domains rarely send email or host spammed content.)

  • Include the DBL in your spam filters to score and tag inbound email that contains a listed domain in the headers or message bodies of email.
  • Use the DBL to filter email sent by your smarthosts or SMTP AUTH outbound mailservers, and block or hold email that contains URLs at a DBL-listed domain.
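
The policy in the NOTE above (reject only outright spam, phish, and malware listings; score everything else) can be sketched as follows. This is an added example, not Spamhaus code: the return codes are the ones Spamhaus publishes for the DBL and do not appear on this page, and the zone name dbl.example.internal and the function names are hypothetical.

```python
import ipaddress

# DBL return codes as published by Spamhaus (not listed on this page).
DBL_CODES = {
    "127.0.1.2": "spam",
    "127.0.1.4": "phish",
    "127.0.1.5": "malware",
    "127.0.1.6": "botnet-cc",
    "127.0.1.102": "abused-legit spam",
    "127.0.1.103": "abused-legit redirector",
    "127.0.1.104": "abused-legit phish",
    "127.0.1.105": "abused-legit malware",
    "127.0.1.106": "abused-legit botnet-cc",
}
# Per the NOTE: only outright spam, phish and malware listings are rejected.
REJECT = {"spam", "phish", "malware"}


def dbl_query_name(domain, zone="dbl.example.internal"):
    """Build the DNSBL lookup name; the zone is a hypothetical internal mirror."""
    d = domain.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(d)
    except ValueError:
        return f"{d}.{zone}"  # not an IP literal, so it is safe to query
    raise ValueError("the DBL is a domain list; do not query it with IP addresses")


def decide(a_records):
    """Map the A records returned for one lookup to (action, categories).

    An empty list stands for NXDOMAIN, meaning the domain is not listed.
    """
    if any(rec.startswith("127.255.255.") for rec in a_records):
        # Operator error code (wrong zone, blocked resolver, query limit):
        # a lookup failure, never evidence that the domain is listed.
        return ("accept", ["lookup-error"])
    # Codes outside the table are ignored rather than treated as listings.
    cats = [DBL_CODES[rec] for rec in a_records if rec in DBL_CODES]
    if not cats:
        return ("accept", [])
    if any(c in REJECT for c in cats):
        return ("reject", cats)
    return ("score", cats)  # abused-legit or C&C: tag and score, do not block
```

The error-code branch matters in production: a resolver that is blocked or rate-limited returns an address in 127.255.255.0/24, and a filter that treats any answer as a listing would then reject all mail.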