The Spamhaus Exploits Blocklist (XBL) is a comprehensive blocklist that is updated in near real-time

XBL lists the IP addresses of devices that are infected with malware, worms, and Trojans; third party exploits, such as open proxies; or devices controlled by botnets. The constantly updated list is designed to protect networks from malware and spam by preventing mailservers and routers from accepting connections from compromised computing devices.

Mailservers can be configured to block connections from IPs that are listed on the XBL. Routers can also be configured to prevent XBL-listed computers from accessing their networks. By blocking connections from compromised computers, the Spamhaus XBL helps to reduce the distribution of malware and spam and can be used to mitigate DDoS attacks.

XBL is the Spamhaus brand name for its Composite Block List (CBL). The CBL team uses automated tools to observe SMTP connections to a vast number of mailservers and spam traps. Any IP address that exhibits behaviour consistent with malware infection and botnet command and control activity is added to the XBL.

This blocklist comprises individual IP addresses of computers that have been observed to be involved in sending malicious email, rather than IP address ranges or networks.

The XBL only lists IP addresses of computing devices that attempt to send malicious spam. IP addresses that are not used to send email will not be included in the XBL, even if they are involved in other malicious activity.

IP addresses can be removed from the XBL quickly once the malware has been removed from the affected device, and XBL listings expire automatically after 72 hours.

XBL is part of the combined Spamhaus domain name server block list (DNSBL) service, comprising SBL, XBL and PBL (see Spamhaus Zen).

How Spamhaus XBL works:

The mailserver DNSBL feature is configured to query whenever another IP address attempts to deliver email to it. System administrators can configure the mailserver to perform one of the following tasks whenever a connection is requested from an IP address listed in the XBL:

  • Refuse the connection and reject delivery of the email message
  • Accept the connection, but save the email in a system spam folder
  • Accept the connection, but tag the email as **SPAM** and deliver it to the recipient, so that they can decide whether the message is in fact legitimate (a false positive)
  • Accept the connection, but silently drop the email message
  • Configure the mailserver to delay transmission of emails after a certain number of messages have been received, to combat spammers sending bulk emails: a practice known as ‘tar pitting.’ For example, 10,000 emails that have a 2 second delay added for every 20 emails sent would be subject to a 5 hour delay.
  • Follow the policy set by the systems administrator
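
The lookup and policy step described above, as an added Python example (not Spamhaus code). The zone name is a placeholder and the function names are illustrative; the 127.0.0.4 to 127.0.0.7 XBL return codes and the 127.255.255.x error replies follow Spamhaus's published DNSBL conventions rather than anything stated on this page.

```python
import ipaddress
import socket

ZONE = "xbl.dnsbl.example"  # placeholder zone name (assumption, not from the page)
XBL_CODES = {"127.0.0.%d" % n for n in range(4, 8)}   # XBL return codes
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # error replies, not listings
ACTIONS = {"reject", "spam_folder", "tag", "drop"}    # policies listed on the page


def query_name(ip, zone=ZONE):
    """192.0.2.99 -> 99.2.0.192.<zone>; IPv6 is reversed nibble by nibble."""
    labels = ipaddress.ip_address(ip).reverse_pointer.split(".")[:-2]
    return ".".join(labels + [zone])


def system_resolver(name):
    """A records for name; [] when it does not resolve (fails open)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def classify(answers):
    """Map DNSBL A-record answers to not_listed / listed / error."""
    if not answers:
        return "not_listed"
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a in ERROR_NET or not a.is_loopback for a in addrs):
        return "error"          # quota/resolver error or a rewritten answer
    if any(str(a) in XBL_CODES for a in addrs):
        return "listed"
    return "not_listed"         # a 127.0.0.x code that belongs to another list


def decide(client_ip, policy="reject", resolver=system_resolver, zone=ZONE):
    """Return the action for a connecting client IP under the chosen policy."""
    if policy not in ACTIONS:
        raise ValueError("unknown policy: " + policy)
    verdict = classify(resolver(query_name(client_ip, zone)))
    return policy if verdict == "listed" else "accept"


# Constructed sample answers standing in for live DNS, keyed by query name.
SAMPLE_DNS = {
    query_name("192.0.2.99"): ["127.0.0.4"],          # listed
    query_name("198.51.100.7"): ["127.255.255.254"],  # error reply, not a listing
}

if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7", "203.0.113.5"):
        print(ip, decide(ip, "tag", lambda n: SAMPLE_DNS.get(n, [])))
```

Treating every answer as a listing would apply the block policy to all mail whenever the resolver returns an error reply, which is why `classify` keeps the two cases apart.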

How to benefit from XBL

  • Spamhaus Technology subscribers with more than 5,000 users can access near real-time XBL updates via rsync
  • Spamhaus Technology datafeed subscribers can configure their servers to query a designated datafeed mirror.
  • For users undertaking fewer than 100,000 XBL queries a day, mailservers can be configured to query, or, via a public mirror.
  • Within IT environments where it is not practical to use XBL on a mailserver, anti-spam filters, such as SpamAssassin, can also be configured to check XBL.

Our customers

Many of the world’s largest internet service providers rely on Spamhaus threat intelligence to block harmful email traffic and protect their customers.
