Content Blocklist – Domain Blocklist (DBL)

Domain Block List (DBL) contains a list of spam domains that link to fraud, phishing, and malware sites.

Zero Reputation Domains (ZRD) contains a list of ‘brand new’ domains less than 24-hours old.  Spamhaus does not classify them as bad, more of an advisory that they are brand new.  


  • Domains owned by spammers and used for spam or other malicious purposes.
  • Domains owned by non-spammers, used for legitimate purposes, but hacked by spammers.

Includes basic spam, phishing, malware, botnet C&C and redirector domains.

Domain based block lists complement IP-reputation threat data based on a sender’s reputation. Extra protection because even if a spammer has used a clean IP, domain block listing identifies low reputation or malicious domains in the email message. 


Cyber criminals use newly registered and active domains to send spam and drive traffic to harmful websites hoping to claim victims before a domain has been analyzed.

ZRD automatically adds newly-registered and previously dormant domains to a block list for 24 hours.

Legitimate organizations will rarely activate a domain and start using it immediately after registration. ZRD prevents clicking on links and visiting domains until it is established that they are not associated with malicious activities.

Spamhaus DBL

The Spamhaus Domain Blocklist (DBL) protects your business and your customers by reliably blocking malware, phishing domains, spam, and other cyberthreats.

What is the Spamhaus DBL?

The DBL is a list of domains involved with spam and cyberattacks across the internet. This list contains a variety of domains that send spam, host spam content, and provide DNS services to other spam domains. 

Spamhaus DBL Features

The Domain Blocklist contains a wide range of spam domains used in cyberattacks, including malware and phishing. The DBL contains two domain categories:

  1. Spam domains owned and used by spammers to send spam
  2. Legitimate  domains that have been hacked by spammers to send spam or hosted spam content

Spam domains do not engage in any legitimate activity, but hacked legitimate domains may appear in the headers or bodies of email messages. The DBL identifies what type of cyberthreat the domain is involved in when the mail server or spam filter queries it, allowing you to handle each situation appropriately.

Spamhaus updates the Domain Blocklist frequently, often within minutes of detecting spam. The Spamhaus Datafeed Service provides you with access to these updates in near-real-time, so you can stop most spam before it reaches your users.

Spamhaus DBL Categories

Each Domain Blocklist category includes several specific domain types. Spammer-owned domains include:

  • Spam domains: Domains owned and used by spammers to send spam, host spammed content, and support spam operations
  • Phish domains: Domains that send phish, host phish websites, and support phish operations
  • Malware domains: Domains that send malware, host malware, and support malware distribution operations 
  • Botnet Command and Control (C&C) domains: Domains that control networks of computers that are infected with spam-sending malware.

Legitimate, hacked domains that participate in spam activities include:

  • Abused legit spam domains: Legitimate domains that have been hacked and send spam or host spammed content
  • Abused legit redirector domains: Legitimate domains that redirect to a spam website
  • Abused legit phish domains: Legitimate domains that have been hacked or compromised and now send phish or host phish websites
  • Abused legit malware domains: Legitimate domains that host websites that have been infected with malware and engage in “drive-by” attempts to infect any computer that visits the website by sending emails that contain malware, a link to a malware website, or that host malware
  • Abused legit botnet C&C domains: Legitimate domains that have been hacked and are now used to control botnets

Using the Spamhaus DBL

The Spamhaus Domain Blocklist is loaded onto an internal secure DNS server that’s configured to act as a DNSBL for your networks, and your mail server is configured to query this internal DNSBL. The DBL can be used to:

  • Reject inbound email from IP addresses with rDNS that include a listed domains, that contain From or Reply-to headers set to a listed domain, or that contain a URL in the message body that includes a listed domain*
  • Score and tag inbound email that contains a listed domain in the headers or message bodies of email
  • Filter email sent by your smarthosts or SMTP AUTH outbound mail servers and block or hold email that contains URLs on the Domain Blocklist.

*NOTE: The abused-legit category of domains is not designed for outright blocking. You should configure your mail server to block only if the domain is identified as outright spam, phish, or malware domain. (Botnet C&C domains rarely send email or host spammed content.)

Want to know about how you can use the Spamhaus Domain Blocklist to provide network and email security for your business? Sign up for your 30 day free trial below!