The Spamhaus Project


The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to track email spammers and spam-related activity. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an Internet service provider, or other firm, which spams or knowingly provides service to spammers.

Anti-spam lists

The Spamhaus Project is responsible for compiling several widely used anti-spam lists. Many Internet service providers and email servers use the lists to reduce the amount of spam that reaches their users. In 2006, the Spamhaus services protected 650 million email users, including the European Parliament, US Army, the White House and Microsoft, from billions of spam emails a day.
Spamhaus distributes the lists in the form of DNS-based blocklists. The lists are offered as a free public service to low-volume mail server operators on the internet. Commercial spam filtering services and other sites performing large scale usage must instead sign up for a commercial account through Spamhaus Technology its partner for distribution. Spamhaus outlines the way its DNSBL technology works in a document called "Understanding DNSBL Filtering."
The Spamhaus Blocklist targets "verified spam sources." Its goal is to list IP addresses belonging to, known spammers, spam operations, and spam-support services. The SBL's listings are partially based on the ROKSO index of known spammers.
The Exploits Blocklist targets "illegal 3rd party exploits, including open proxies, worms/viruses with built-in spam engines, virus-infected PCs & servers and other types of trojan-horse exploits." That is to say it is a list of known open proxies and exploited computers being used to send spam and viruses. The XBL includes information gathered by Spamhaus as well as by other contributing DNSBL operations such as the Composite Blocking List.
The Policy Blocklist is similar to a Dialup Users List. It lists not only dynamic IP addresses but also static addresses that should not be sending email directly to third-party servers. Examples of such are an ISP's core routers, corporate users required by policy to send their email via company servers, and unassigned IP addresses. Much of the data is provided to Spamhaus by the organizations that control the IP address space, typically ISPs.
The Domain Blocklist was released in March 2010 and is a list of domain names, which is both a domain URI blocklist and RHSBL. It lists spam domains including spam payload URLs, spam sources and senders, known spammers and spam gangs, and phish, virus and malware-related sites. It later added a zone of "abused URL shorteners", a common way spammers insert links into spam emails.
The Combined Spam Sources is an automatically produced dataset of IP addresses that are involved in sending low-reputation email. Listings can be based on HELO greetings without an A record, generic looking rDNS or use of fake domains, which could indicate spambots or server misconfiguration. CSS is part of SBL.
The ZEN Blocklist is a combined list, which includes all the Spamhaus IP-based DNS Blocklists.
The Botnet Controller List was released in June 2012 and is a list of IP addresses. It lists IP addresses of which Spamhaus personnel believe to be operated by cybercriminals for the exclusive purpose of hosting botnet Command&Control infrastructure. Such infrastructure is commonly used by cybercriminals to control malware infected computers.
The Spamhaus DROP lists are JSON files delineating CIDR blocks and ASNs that have been stolen or are otherwise "totally controlled by spammers or 100% spam hosting operations". As a small subset of the SBL, it does not include address ranges registered to ISPs and sublet to spammers, but only those network blocks wholly used by spammers. It is intended to be incorporated in firewalls and routing equipment to drop all network traffic to and from the listed blocks. The DROP webpage FAQ states the data is free for all to download and use. In 2012 Spamhaus Technology offered a BGP feed of the same data.
The Spamhaus Register of known spam operations is a database of spammers and spam operations who have been terminated from three or more ISPs due to spamming. It contains publicly sourced information about these persons and their domains, addresses and aliases.
ROKSO stopped being available to the public at some point after 2023. However, there is a special version available to law enforcement agencies, containing data on hundreds of spam gangs, with evidence, logs and information on illegal activities of these gangs.

Companies

The Spamhaus Group consists of a number of independent companies which focus on different aspects of Spamhaus anti-spam technology or provide services based around it. At the core is the Spamhaus Project SLU, a not-for-profit company based in Andorra which tracks spam sources and cyber threats such as phishing, malware and botnets and publishes free DNSBLs. Commercial services are managed by a British data delivery company Spamhaus Technology Ltd., based in London UK which manages data distribution services for large scale spam filter systems.

Awards

e360 lawsuit

In September 2006, David Linhardt, the owner-operator of American bulk-emailing company "e360 Insight LLC", filed a lawsuit in Illinois USA against Spamhaus in the UK for blacklisting his bulk mailings. Spamhaus being a British organisation with no ties to Illinois or the U.S. had the case moved from the state court to the U.S. Federal District Court for the Northern District of Illinois and asked to have the case dismissed for obvious lack of jurisdiction. The Illinois court however, presided over by Judge Charles Kocoras, ignored the request for dismissal and proceeded with the case against British-based Spamhaus without considering the jurisdiction issue, prompting British MP Derek Wyatt to call for the judge to be suspended from office. Not having had its objection to jurisdiction examined, Spamhaus refused to participate in the U.S. case any further and withdrew its counsel. Judge Kocoras however, angry at Spamhaus having ‘walked out’ of his court, deemed British-based Spamhaus to have "technically accepted jurisdiction" by having initially responded at all, and awarded e360 a Default Judgement totalling US$11,715,000 in damages. Spamhaus subsequently announced that it would ignore the judgement because default judgements issued by U.S. courts without a trial "have no validity in the U.K. and cannot be enforced under the British legal system".
Following the default ruling in its favour, e360 filed a motion to attempt to force ICANN to remove the domain records of Spamhaus until the default judgement had been satisfied. This raised international issues regarding ICANN's unusual position as an American organization with worldwide responsibility for domain names, and ICANN protested that they had neither the ability nor the authority to remove the domain records of Spamhaus, which is a UK-based company. On 20 October 2006, Judge Kocoras issued a ruling denying e360's motion against ICANN, stating in his opinion that "there has been no indication that ICANN not independent entit , thus preventing a conclusion that is acting in concert" with Spamhaus and that the court had no authority over ICANN in this matter. The court further ruled that removing Spamhaus's domain name registration was a remedy that was "too broad to be warranted in this case", because it would "cut off all lawful online activities of Spamhaus via its existing domain name, not just those that are in contravention" of the default judgment. Kocoras concluded, "hile we will not condone or tolerate noncompliance with a valid order of this court neither will we impose a sanction that does not correspond to the gravity of the offending conduct".
In 2007, Chicago law firm Jenner & Block LLP took up Spamhaus's case pro bono publico and successfully appealed the default ruling. The U.S. federal Court of Appeals for the Seventh Circuit vacated the damages award and remanded the matter back to the district court for a more extensive inquiry to determine damages.
Following the successful Appeal by Jenner & Block LLP in 2010 Judge Kocoras reduced the $11.7 million damages award to $27,002—$1 for tortious interference with prospective economic advantage, $1 for claims of defamation, and $27,000 for "existing contracts".
Both parties appealed, but e360's case for increasing the damages was sharply criticized by Judge Richard Posner of the Seventh Circuit: "I have never seen such an incompetent presentation of a damages case," Posner said. "It's not only incompetent, it's grotesque. You've got damages jumping around from $11 million to $130 million to $122 million to $33 million. In fact, the damages are probably zero." and for a second time the Court of Appeals vacated the damages award.
Finally, on 2 September 2011 the Illinois court reduced the damages award to just $3 total, and ordered the plaintiff e360 to pay to Spamhaus the costs of the appeal for the defence.
In the course of these proceedings, in January 2008 e360 Insight LLC filed for bankruptcy and closed down, citing astronomical legal bills associated with this court case as the reason for its demise.

Spamhaus versus nic.at

In June 2007, Spamhaus requested the national domain registry of Austria, nic.at, to suspend a number of domains, claiming they were registered anonymously by phishing gangs for illegal bank phishing purposes. The registry nic.at rejected the request and argued that they would break Austrian law by suspending domains, even though the domains were used for criminal purposes, and demanded proof that the domains were registered under false identities. For some time the domains continued to phish holders of accounts at European banks. Finally, Spamhaus put the mail server of nic.at on their SBL spam blacklist under the SBL's policy "Knowingly Providing a Spam Support Service for Profit" for several days which caused interference of mail traffic at nic.at. All of the phishing domains in question have been since deleted or suspended by their DNS providers.