Spamhaus ‘ZEN’ IP Data

The World’s #1-Rated Anti-Spam Blocklist

Spamhaus Zen is a combination of all Spamhaus IP-based blocklists (DNSBLs), each of which provides protection IP Reputation and intelligence to combat abuse and spam. Zen is therefore capable of providing broad protection against most types of spam. It is the single mostly widely used anti-spam blocklist in the world.


Spamhaus Zen contains four Spamhaus blocklists. These lists are:

·       The Spamhaus Block List (SBL). Contains IP addresses that send spam, host spam-advertised websites, provide DNS service to spammer-owned domains, or provide other services to spam enterprises.  Many are owned or controlled by known spammers. The SBL is manually created and manually maintained.  It provides protection against a larger variety of types of spam than any of the other Spamhaus blocklists.

·       The Consolidated Snowshoe Block List (CSS). Contains static IP addresses that send direct spam, mostly snowshoe spam. Spamhaus uses the term to refer to spam methods that rely on avoiding detection, especially automated detection. The CSS is automatically generated from observation of spam sent to large collections of spamtraps. It is designed to react quickly to spam that exhibits known patterns of behavior, without requiring manual intervention.

·       The eXploits Block List (XBL). Contains IP addresses of computers that are infected by spam-sending malware and have been observed sending spam or engaging in other malware-generated spam activity. Most spam by volume is of this type. The XBL reacts quickly to block this spam before it can overwhelm your network and your servers. 

·       The Policy Block List (PBL). Contains IP addresses that should not send unauthenticated SMTP email directly to other mailservers. Most IP addresses in the PBL are consumer-grade dynamically assigned IP addresses, such as those owned by large ISPs and assigned to home users. Users on such Internet connections are expected to use their ISP’s mailservers, or to use SMTP AUTH. Email that is sent directly from this type of IP address is almost always spam.


IPs identified to Spamhaus’ best ability as likely:

  • Direct spam sources,
  • Spammer hosting/DNS
  • Spam gangs
  • Spam support services.

Filters out a significant majority of email threats before they have a chance to access your network. More time for you and your security team to focus on in-depth analysis and investigation.


IP addresses hosting:

  • Bots
  • Malware-infected computers.

Automated tools observe SMTP connections for spamtrap and production mail servers in near-real-time to find characteristic patterns of malware or botnet-infected computers.

Cyber criminals exploit and hijack legitimate networks so with XBL you can block email traffic from what might first appear to be a trusted source.


IP address ranges for end-user devices from which email should never be sent:

  • IoT devices
  • Home routers
  • Smart TVs

The PBL lists IPs not because they are actively sending spam, but as a pre-emptive measure to prevent spam from networks that should send no email at all.

There’s been a massive growth in IoT devices but not all are secured correctly. Keep connected to IoT devices for their intended purpose while blocking unwanted email traffic.