Content Blocklist – HASH Blocklist (HASHBL)

Spamhaus Hash Blocklist

Hash Blocklists (HBL) are lists of cryptographic hashes associated with malicious content, as opposed to IP addresses or domains. They are extremely useful for filtering fraudulent emails coming from ISP, domains, or IP addresses that Spamhaus is unable to list e.g. Gmail. Additionally they can block emails containing malware files.

This blocklist contains the following content areas: Cryptowallet (Bitcoin etc.), Malware and Email addresses.

Benefits of the HBL –

  • Block emails from compromised accounts at large ESP/ISPs (e.g. Gmail, Yahoo, etc.).
  • Rapid protection from malware threats – we can list threats as soon as they are observed.
  • Highly accurate data with an exceptionally low false positive rate
  • Due to our collection and dissemination methods, our Malware Hash Blocklist can list malware within 30 secs of initial observation by our researchers.

Why HBL –

  • Users are being tricked into making payments after receiving scam emails containing crypto- currency wallet details.
  • Compromised and fraudulent email coming from hacked accounts at large email providers e.g. “Gmail / Yahoo”.

How does a Malware Hash Blocklist work –

Similarly to a malicious email address, where we have seen a file to be associated with malware, we assign that file with a cryptographic hash.  So, even if no malicious IPs or domains can be associated with the email message containing the malware file, the Malware HBL can be queried for that hash in the “file” context. The Spamhaus HBL return codes will tell you one of two things:

  • If it’s malicious: here the queried file has been analyzed by Spamhaus Malware Labs and is recognized as known malware.  The malware family is also provided in the return record.
  • If it’s suspicious: here the queried file has been observed in spam, and its nature makes it suspicious. While Spamhaus Malware Labs hasn’t confirmed its maliciousness, the file still should be treated with extreme caution.

How does a Cryptowallet Hash Blocklist work? 

The ever so troublesome “sextortion” scam emails, which are currently so prevalent (Example email below).  The sextortion email includes a bitcoin address of where the victim is to send money.  Even if the sending email doesn’t trigger a rejection based on IP or domain reputation, the bitcoin address can be used to determine that the email is malicious in nature and result in the email being blocked anyway.


This blocklist is included in our Content Blocklist subscription and is available via our Data Query Service (DQS).  It can also be consumed via an API. For further information on consuming our blocklists via API please contact us here.