17 July 2024
How Spamhaus DROP Lists Policy Works
The Spamhaus DROP lists consist of netblocks that have been hijacked or leased by professional spam and cybercrime operations and are typically used to host malware, trojan downloaders, botnet controllers, or other malicious activity. The service also lets IPv4 address owners report hijacked ranges, so that networks consuming the list stop routing or peering with the hijacker's BGP announcements. The Don't Route Or Peer (DROP) list is provided free of charge as a public service by the Spamhaus Project, with the aim of strengthening security across the internet.
As part of the Spamhaus Blocklist (SBL), the DROP lists protect across all internet protocols, not just email. Created for Tier-1 and backbone providers, they let firewalls and routing equipment drop traffic to and from the listed networks outright.
IP address ranges are added to the DROP lists only after investigation and forensic analysis confirm that they are controlled by cybercrime groups or by "bulletproof" hosting providers that ignore abuse reports or relocate abusive clients to evade detection. Since IPv4 exhaustion, address assignments change hands far more often, frequently through IPv4 brokers such as Brander Group, and cybercriminals routinely change ASNs and company names to avoid detection. The DROP lists are therefore updated daily to keep pace with these evasive tactics.
How the DROP Lists Work
The free DROP datasets are published in JSON format, which makes them easy to consume on any device or software that can make decisions based on IP networks: DNS resolvers, firewalls, network gateways, web proxies and more.
There are 3 types of DROP Lists:
- DROP: drop_v4.json
- DROPv6: drop_v6.json
- ASN-DROP: asndrop.json
For legacy users who still consume the text-format DROP files, Spamhaus strongly recommends switching the configuration to the JSON files when your next maintenance cycle allows. If text files are still required, the 'jq' command can convert the JSON into the text format.
Note that the text files are still being generated, but they will eventually be deprecated. Spamhaus will notify the community well in advance to allow for planning.
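The conversion the page recommends, as an added example that is not part of the original article or of any Spamhaus tooling. It assumes the published layout of drop_v4.json: one JSON object per line, listing entries carrying "cidr", "sblid" and "rir" keys, and a final "type":"metadata" record carrying the timestamp, record count and copyright text. The equivalent jq one-liner under the same assumption is `jq -r 'select(.cidr) | "\(.cidr) ; \(.sblid)"' drop_v4.json`; the Python version below additionally refuses a truncated download (the record count in the metadata line must match what was parsed) and keeps the date and copyright text in the output, as the licence terms on this page ask. The sample data is constructed from RFC 5737 documentation ranges with placeholder SBL IDs.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the line-delimited layout of drop_v4.json (assumed keys).
# The CIDRs are RFC 5737 documentation ranges and the SBL IDs are placeholders;
# none of these are real Spamhaus listings.
SAMPLE_DROP_JSON = """\
{"cidr":"192.0.2.0/24","sblid":"SBL000001","rir":"arin"}
{"cidr":"198.51.100.0/24","sblid":"SBL000002","rir":"apnic"}
{"cidr":"203.0.113.0/24","sblid":"SBL000003","rir":"ripencc"}
{"type":"metadata","timestamp":1721174400,"size":123,"records":3,"copyright":"(example copyright notice)","terms":"https://www.spamhaus.org/drop/terms/"}
"""


def parse_drop(text):
    """Split the line-delimited JSON into (listing entries, metadata record)."""
    entries, meta = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)  # raises json.JSONDecodeError (a ValueError) on a cut-off line
        if obj.get("type") == "metadata":
            meta = obj
        elif "cidr" in obj:
            entries.append(obj)
        else:
            raise ValueError(f"line {lineno}: unrecognised record {obj!r}")
    return entries, meta


def check_metadata(entries, meta):
    """Refuse a truncated download: the trailing metadata record must be present and agree."""
    if meta is None:
        raise ValueError("metadata record missing; the download is probably truncated")
    if meta.get("records") != len(entries):
        raise ValueError(f"metadata says {meta.get('records')} records, parsed {len(entries)}")
    return True


def is_complete_download(text):
    """True only if the file parses and its record count matches the metadata."""
    try:
        entries, meta = parse_drop(text)
        return check_metadata(entries, meta)
    except ValueError:
        return False


def to_legacy_text(text):
    """Render the legacy 'CIDR ; SBLID' text format, keeping copyright and date as comments."""
    entries, meta = parse_drop(text)
    check_metadata(entries, meta)
    stamp = datetime.fromtimestamp(meta["timestamp"], tz=timezone.utc)
    header = [
        f"; {meta.get('copyright', '')}",
        f"; Last-Modified: {stamp.strftime('%Y-%m-%d %H:%M:%S UTC')}",
    ]
    body = [f"{e['cidr']} ; {e['sblid']}" for e in entries]
    return "\n".join(header + body) + "\n"


if __name__ == "__main__":
    print(to_legacy_text(SAMPLE_DROP_JSON))
```

Treat a failed `is_complete_download` as "keep yesterday's file": a firewall that loads a half-downloaded list silently loses coverage for every range after the cut.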
Benefits of DROP Lists
The first and most important benefit is that it lets network owners kick IP hijackers off their address space. DROP lists also offer up-to-date protection against malicious activity originating from the listed networks, such as spam, ransomware, DNS hijacking, exploit attempts, authentication attacks, address harvesting and DDoS attacks.
They also provide automatic protection that immediately stops infected devices from communicating with adversaries using "bulletproof hosting" on listed networks. This infrastructure-level protection is critical, because end users are usually unaware of the threat. The dataset is curated conservatively, which keeps false positives low.
IP space routed by legitimate network operators is not listed, and the false-positive rate is very low, which is what makes the data trustworthy enough to drop traffic on without manual review.
Spamhaus DROP Access is Free
Spamhaus believes that the critical nature of DROP list data warrants free access, regardless of organization size or business type, to protect the internet as a whole.
Spamhaus does request that, when the data is used in a product, credit is given to the Spamhaus Project and that the date and © text remain with the file and the data.
For a commercially focused solution with data on compromised hosts and dedicated botnet C&C listings, Spamhaus works through its commercial arm, Spamhaus Technology. For assistance, reach out to our team at info@brandergroup.net.
How to Remove from DROP Lists
Ranges listed in DROP are linked to the corresponding Spamhaus Blocklist (SBL) record mentioned in the DROP files. Once the SBL record is removed, the associated ranges will automatically be excluded from DROP. For more information on removals, visit the SBL page.
Spamhaus DROP FAQ
Does Spamhaus re-evaluate DROP listings?
Yes. DROP listings are re-evaluated daily.
Various factors can prompt changes to these listings, including interactions with involved parties, detection or notification of false positives, automatic network reassignments, and more.
How can the DROP list be valuable if it’s free?
The DROP list includes IP ranges deemed highly dangerous to internet users, which Spamhaus offers freely to anyone interested. Recognizing the critical importance of this data, Spamhaus ensures the DROP list is accessible to all entities, regardless of size or industry, to safeguard internet users.
What are "hijacked netblocks"?
Hijacked netblocks are IP addresses that have been “revived” by a spammer. Here’s how it typically happens:
- The original owner abandons the block.
- Squatters reclaim it, for example by registering the abandoned domain of the registry contact so that they receive the contact's email and can pass as the owner.
- Some hijackers simply steal IP space allocated to others by announcing it under their own BGP Autonomous System Number (ASN).
- Autonomous System Numbers can be hijacked too. Spammers take over abandoned ASNs and use them to announce various IP ranges, resulting in hijacked netblocks advertised by hijacked ASNs.
These activities allow spammers to exploit abandoned resources for malicious purposes, creating significant challenges for network security.
Hijacked netblocks turn up in space allocated by any of the Regional Internet Registries (RIRs).
Restoring rightful ownership of a hijacked netblock involves identifying the original owner, often a defunct company, and navigating the RIR's procedures. This is a slow process and, on its own, insufficient for curbing modern spam.
How Can ISPs Utilize DROP?
There are several effective applications for DROP, including:
- Logging DNS Server Queries: Monitor customer queries for DNS servers within any DROP-listed IP space. This method is highly effective for identifying systems infected with malware.
- Vetting New Transit Customers: Check the IP ranges a prospective transit customer proposes to announce against the DROP lists. Hijacked ranges that have lost transit elsewhere are often looking for a new upstream.
- Enhancing Spam Filtering: Assign higher scores to DROP ranges in spam-filtering software like SpamAssassin to improve detection.
- Using DROP in DNS RPZ Zones: Implement DROP ranges in a DNS RPZ zone to invalidate lookups in these ranges. More details on using DROP in a DNS Firewall Threat Feed are available on the Spamhaus Technology website.
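The three list-driven uses above (spotting customers whose machines talk to DNS servers in DROP space, vetting a prospective customer's prefixes, and turning the ranges into RPZ triggers), as an added example that is not part of the original article or of Spamhaus's own tooling. The DROP entries and the flow-log lines are constructed for the example (RFC 5737 documentation ranges, placeholder SBL IDs, a simplified `src= dst= proto= dport=` log format), so they match nothing real. The RPZ owner-name encoding used is the one for IPv4 `rpz-ip` triggers (prefix length followed by the reversed octets); IPv6 is deliberately skipped because its encoding differs.

```python
import ipaddress
import re

# Constructed DROP entries: RFC 5737 documentation ranges with placeholder SBL IDs.
DROP_ENTRIES = [
    {"cidr": "192.0.2.0/24", "sblid": "SBL000001"},
    {"cidr": "203.0.113.128/25", "sblid": "SBL000003"},
]

# Constructed flow-log lines (hypothetical format); 10.20.30.0/24 plays the customer side.
FLOW_LOG = """\
2024-07-17T10:15:02Z src=10.20.30.40 dst=192.0.2.53 proto=udp dport=53
2024-07-17T10:15:03Z src=10.20.30.41 dst=198.51.100.10 proto=udp dport=53
2024-07-17T10:15:04Z src=10.20.30.40 dst=203.0.113.200 proto=tcp dport=443
2024-07-17T10:15:05Z src=10.20.30.42 dst=203.0.113.5 proto=udp dport=53
"""
FLOW_LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)")


class DropSet:
    """Index listed networks by (IP version, prefix length) so a lookup costs one
    dict probe per distinct prefix length rather than a scan of every entry."""

    def __init__(self, entries):
        self.tables = {}
        for e in entries:
            # strict=True: a listing with host bits set is malformed; reject it rather than widen it.
            net = ipaddress.ip_network(e["cidr"], strict=True)
            self.tables.setdefault((net.version, net.prefixlen), {})[net] = e["sblid"]

    def lookup(self, ip):
        """SBL ID of the most specific listed network covering ip, or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for (version, plen), table in self.tables.items():
            if version != addr.version:
                continue
            sblid = table.get(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
            if sblid and (best is None or plen > best[0]):
                best = (plen, sblid)
        return best[1] if best else None

    def overlapping(self, cidr):
        """Listed networks that overlap a proposed customer prefix (either direction)."""
        wanted = ipaddress.ip_network(cidr, strict=False)
        return sorted(
            (str(net), sblid)
            for (version, _), table in self.tables.items() if version == wanted.version
            for net, sblid in table.items() if net.overlaps(wanted)
        )


def dns_clients_talking_to_drop(drop, flow_log):
    """Customer IPs that sent port-53 traffic to a DROP-listed server: a strong infection signal."""
    hits = {}
    for line in flow_log.splitlines():
        m = FLOW_LINE.search(line)
        if not m or m["dport"] != "53":
            continue
        sblid = drop.lookup(m["dst"])
        if sblid:
            hits.setdefault(m["src"], set()).add((m["dst"], sblid))
    return hits


def vet_customer_prefixes(drop, prefixes):
    """Map each proposed prefix to the DROP listings it overlaps; empty means clean."""
    return {p: drop.overlapping(p) for p in prefixes}


def rpz_ip_records(entries):
    """IPv4 RPZ 'rpz-ip' triggers: <prefixlen>.<reversed octets>.rpz-ip, returning NXDOMAIN."""
    records = []
    for e in entries:
        net = ipaddress.ip_network(e["cidr"])
        if net.version != 4:
            continue  # IPv6 rpz-ip owner names use a different encoding; not covered here
        rev = ".".join(reversed(str(net.network_address).split(".")))
        records.append(f"{net.prefixlen}.{rev}.rpz-ip CNAME . ; {e['sblid']}")
    return records


if __name__ == "__main__":
    drop = DropSet(DROP_ENTRIES)
    print(dns_clients_talking_to_drop(drop, FLOW_LOG))
    print(vet_customer_prefixes(drop, ["203.0.113.0/24", "10.0.0.0/8"]))
    print("\n".join(rpz_ip_records(DROP_ENTRIES)))
```

The overlap check is deliberately symmetric: a customer asking you to route 203.0.113.0/24 when 203.0.113.128/25 is listed deserves the same conversation as one asking for a prefix that sits entirely inside a listing.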
What is the Spamhaus DROP?
Don’t Route Or Peer (DROP) is an authoritative advisory list designed to block all traffic from specific sources. DROP is a specialized subset of the SBL, optimized for firewalls and routing equipment.
- It includes netblocks hijacked or leased by professional spam or cyber-crime operations, typically used to spread malware, trojan downloaders, and botnet controllers.
- Spamhaus strongly advocates the adoption of DROP by Tier-1 and backbone networks. Consulting the DROP list webpage when routing suspicious IPs can avert significant network issues, ensuring a secure and reliable infrastructure.
Is DROP Available via DNS Lookup?
Yes, all networks listed in DROP and EDROP are also included in the SBL list. A DNS lookup for SBL and ZEN will return a listed status for these networks.
A return code of 127.0.0.9 indicates listings in DROP.
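The DNS lookup described above, as an added example that is not part of the original article or of any Spamhaus client library. The query name is built the DNSBL way (reversed octets for IPv4, reversed nibbles for IPv6, then the zone); the return-code table contains only the two codes stated on this page and in Spamhaus's public documentation (127.0.0.2 for an SBL listing, 127.0.0.9 for an SBL listing that is also in DROP), and answers in 127.255.255.0/24 are treated as Spamhaus's error responses rather than listings. The `resolve` parameter is an assumption of the example so the logic can be exercised without network access; left unset it uses the system resolver.

```python
import ipaddress
import socket

ZEN = "zen.spamhaus.org"
# Only the codes this page and Spamhaus's public docs state; anything else is reported as "other".
RETURN_CODES = {"127.0.0.2": "SBL", "127.0.0.9": "SBL (DROP)"}
# Spamhaus signals query problems (typo in the name, query via a public resolver, query
# volume exceeded) with answers in this range; they must never be read as a listing.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip, zone=ZEN):
    """Reverse the address (octets for IPv4, hex nibbles for IPv6) and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def interpret(answers):
    """Turn the A records returned for the query name into a verdict.
    An empty answer set (NXDOMAIN) means the address is not listed."""
    errors = [a for a in answers if ipaddress.ip_address(a) in ERROR_RANGE]
    if errors:
        raise RuntimeError(f"DNSBL query rejected, not a listing: {errors}")
    return {
        "listed": bool(answers),
        "in_drop": "127.0.0.9" in answers,
        "types": [RETURN_CODES.get(a, f"other ({a})") for a in answers],
    }


def check(ip, resolve=None):
    """Look up ip in ZEN. `resolve` maps a name to its A-record strings and raises
    socket.gaierror for NXDOMAIN; defaults to the system resolver (needs network)."""
    if resolve is None:
        resolve = lambda name: socket.gethostbyname_ex(name)[2]
    try:
        answers = resolve(dnsbl_query_name(ip))
    except socket.gaierror:
        answers = []  # NXDOMAIN: not listed
    return interpret(answers)


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.1"))
    print(check("192.0.2.1", resolve=lambda name: ["127.0.0.9"]))
```

A common operational mistake is to run these queries through a large public resolver; Spamhaus answers those with an error code rather than a verdict, which is why the code refuses to treat 127.255.255.x as "listed".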
What is the Cost of the Spamhaus DROP list?
There is no cost. The DROP lists are published free of charge to any organization, regardless of size or industry. Spamhaus asks only that the Spamhaus Project is credited when the data is used in a product and that the copyright and date text stay with the file.
What is Spamhaus ASN-DROP?
The Spamhaus ASN-DROP list contains autonomous system numbers (ASNs) controlled by professional spam or cyber-crime operations and used to spread malware, trojan downloaders, botnet controllers and more. These ASNs originate no legitimate traffic, so everything they announce can be dropped.
How Do I Remove an ASN from DROP?
For removal from ASN-DROP, query the ASN in the Spamhaus IP and Domain Reputation Checker; the removal steps are outlined there.
Links for Firewalls, Web Filters, & Proxies:
- On the OISF Community website: Suricata rules from Emerging Threats.
- PHP code to create IPTables: IPTables Script.
- Bash script to sync the DROP/EDROP lists into a Quagga/Linux route server: spamhaus2quagga.sh.
- Script to add the DROP list to Linux iptables: spamhaus.sh.