IP Blocklists

The World’s #1-Rated IP Blocklist

Real-time threat intelligence feeds to identify and block known malicious IP addresses. Protect your system from IPs that are associated with botnets and other abusive activity.

Spamhaus “ZEN” is a combination of all Spamhaus IP-based blocklists (DNSBLs), each of which provides protection through IP reputation and intelligence to combat abuse and spam. “ZEN” provides broad protection against most types of spam. It is the single most widely used anti-spam blocklist in the world.

  • Highly Comprehensive: Spamhaus’ unique sources and leading research techniques provide a highly comprehensive data set. The Spamhaus blocklist alone averages ~30 million listings.
  • Accurate Data, Near-Zero False Positives: Spamhaus data feeds have near 0.02% false positives. Accurate coverage ensures legitimate IP addresses can be reached.
  • Real-time Updates: IP blocklists are updated within 30 seconds. As soon as researchers observe and list a threat, users are protected against it.
  • Expertly Researched: Spamhaus has 23 years of experience identifying malicious IP addresses. Over 13.4 billion global SMTP connections, 1.5 million IPs and 3 million domains are analyzed daily.

Spamhaus IP Blocklists

The Spamhaus Block List (SBL)

IP addresses that send spam, host spam-advertised websites, provide DNS service to spammer-owned domains, or provide other services to spam enterprises. Many are owned or controlled by known spammers. The SBL is manually created and manually maintained to provide protection against a large variety of threats.

Consolidated Spam Blocklist (CSS)

Contains static IP addresses that send direct spam, mostly snowshoe spam. Spamhaus uses the term “snowshoe” to refer to spam methods that rely on avoiding detection, especially automated detection. The CSS is automatically generated from observation of spam sent to large collections of spamtraps. It is designed to react quickly to spam that exhibits known patterns of behavior, without requiring manual intervention.

The eXploits Blocklist (XBL)

IP addresses of computers that are infected by spam-sending malware and have been observed sending spam or engaging in other malware-generated spam activity. The XBL reacts quickly to block this spam before it can overwhelm your network and your servers.

The Policy Blocklist (PBL)

Contains IP addresses that should not send unauthenticated SMTP email directly to other mailservers. Most PBL listings are consumer-grade dynamically assigned IP addresses, such as those owned by large ISPs and assigned to home users. Users on such Internet connections are expected to use their ISP’s mailservers, or to use SMTP AUTH. Email sent directly from this IP address type is almost always spam.

Key Features & Benefits

Highly Comprehensive: Accurate, actionable data currently protecting 3 billion users worldwide. As a result of its extensive global coverage, Spamhaus is considered an international authority on botnets and IP reputation.

Near-Zero False Positives: Spamhaus data feeds have <0.02% false positives. Business grade quality ensures only malicious IP activity is blocked. 

Real-time Updates: IP blocklists are updated within 30 seconds. As soon as researchers observe and list a threat, users are protected against it.

Expertly Researched Data: Spamhaus has 23 years of experience identifying malicious IP addresses. Over 13.4 billion global SMTP connections, 1.5 million IPs and 3 million domains are analyzed daily.



Simple Integration: Using traditional DNS queries or RESTful APIs ensures easy configuration. Data feeds can easily be added to your existing mail filtering systems.

“Set and Forget” product: No maintenance required after set up. 

Reduce processing and storage costs: Block threats before they can enter a network to free up bandwidth and server space.

Minimize Risk: Save on associated remediation costs and potential loss of reputation due to security incidents. 

Delivery Options: Blocklists are available via Data Query Service or Spamhaus Intelligence API. Choose the method that works best for your team.

IP-Based Blocklists


IP Addresses identified by Spamhaus to be associated with:

  • Direct Spam Sources
  • Spammer hosting / DNS
  • Spam / Cyber Crime gangs
  • Cyber Crime support services.

Filters out a significant majority of email threats before they have a chance to access your network. This leaves more time for you and your security team to focus on in-depth analysis and investigation.


Cyber criminals exploit and hijack legitimate networks. Use the XBL to block email traffic from what might first appear to be a trusted source.

XBL listings are IP addresses known to be:

  • Bot-controlled devices
  • Malware- and trojan-infected computers

Researchers and tools observe SMTP connections for spamtrap and production mail servers in near-real-time to find characteristic patterns of malware or botnet-infected computers.

XBL offers the following add-ons:

  • eXBL: An “enhanced” version of the XBL is available. The Enhanced Exploit Block List (eXBL) provides additional information (metadata, historical view) for each IP listed.
  • Auth Blocklist (AuthBL): A sublist of XBL that identifies bot-controlling IP addresses.


IP address ranges for end-user devices. Email should never be sent from end-user devices like:

  • IoT devices
  • Home Routers
  • Smart TVs

The PBL lists IPs as a pre-emptive measure to prevent spam from these devices that should never be sending email.

The number of IoT devices has grown exponentially, but not all are secured correctly. PBL allows connection to IoT devices for their intended purpose while blocking unwanted email traffic.

Uses of IP-based Blocklists

Email Filtering

Other Common Uses

Start your free trial.

Design the best set of data feeds to meet your needs!

Experience improved cybersecurity and stop phishing emails, ransomware, malware, and other cyber threats. Sign up for your free consultation and receive an in-depth technical deep dive and a 30-day free trial.