Spamhaus ZEN: The DNSBL Resource Review

Spamhaus ZEN is a composite blocking list run by the Spamhaus Project. This UK-based organization was created in 1998 by Steve Linford, and is maintained by a group of employees spread across the globe.

Note: This is an ARTICLE about Spamhaus, written by Al Iverson. Al Iverson is NOT a representative of Spamhaus, does not maintain a blacklist, and HAS NOTHING TO DO with any problems you might be having with Spamhaus. If you have a Spamhaus blocking issue, you need to contact THEM, not the author of this article.


Spamhaus runs a number of different spam-blocking lists. These include:
  • SBL (Spamhaus Block List), which aims to block verified spam sources, spam gangs, and supporters of spam. This list is manually operated, in that every listing is the result of a volunteer deciding that a given IP address or network block merits listing.
  • XBL (Exploits Block List), which aims to block infected computers, open proxies, and the like. Data for this list is supplied by (or supplemented by) outside sources, such as the CBL (Composite Blocking List), meaning that if you use the XBL to filter or reject mail, you do not need to also use the CBL.
  • PBL (Policy Block List), which aims to reject mail from machines that are not meant to be mail servers, ones that would not normally send mail. This includes end user computers on dynamic internet connections (dialup, cable modems, DSL), unassigned IP addresses, web servers, etc. The data for this list is compiled by Spamhaus based on its own observations, and also from information provided by various internet service providers who choose to cooperate in attempts to help reduce spam delivery effectiveness.
  • ZEN (zone: zen.spamhaus.org) is a combination of all of the above lists. If you are using the ZEN list, you do not need to also use the other lists individually.

Zone Choices and Accuracy Rates
The Spamhaus zones seem to work best when used in combination. SBL alone captures very little spam, as it is very focused and manually maintained. XBL and PBL do most of the “heavy lifting,” providing the most spam-blocking value. When used separately, XBL blocks on average around 50% of spam, and PBL often blocks more than 60% of spam. Combined, with overlap accounted for, and the addition of the SBL, the resulting ZEN list zone regularly blocks more than 80% of spam on a weekly averaged basis, and its effectiveness seems to be slowly trending upward. In short, ZEN is a very accurate list, and I find it to be an excellent tool to help reduce the amount of spam received.

False Positives
Spamhaus, like other DNSBLs, has been known to escalate listings to include corporate mail servers, networks, or other resources in order to nudge ISPs, companies, and organizations to change policies to make their resources less favorable to spammers. When this happens, if a personal correspondent, or a properly run mailing list, sends from an IP address found on this escalated listing, they would not be able to send mail to users of the Spamhaus SBL or ZEN lists, even though those senders may not have sent spam. I don't have significant data on how often this happens, but I suspect it to be rare.

Additionally, this is rarely, if ever, represented in the DNSBL Resource data, due to the relatively small sizes of the spamtrap and hamtrap address pools.

There's an inherent risk with any sort of third-party reputation system in that you're relying on the third party to determine for you what mail to accept and what mail to filter or reject. I would always recommend that, before using Spamhaus ZEN or any other blocklist, you test and investigate on your own to make sure that you are comfortable with the blocklist provider's policies.

Data Access
Access to the Spamhaus lists is generally free for hobby users and small businesses. However, some users find their ability to query the lists blocked if Spamhaus deems them to be a drain on its freely provided resources. Because of this, sites with more than a handful of users would be well advised to reach out to Spamhaus regarding data feed licensing.
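How a mail server consults the combined ZEN zone, and how it can tell a real listing from a blocked query, is shown in this added example (not code from this article or from Spamhaus). The return-code tables follow Spamhaus's published documentation rather than anything stated on this page, and the function names are illustrative.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"
# Return codes per Spamhaus's published documentation (not given in this article).
LISTS = {"127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
         "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL",
         "127.0.0.7": "XBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
# Error answers: the query was refused; they do NOT mean the IP is listed.
ERRORS = {"127.255.255.252": "typo in zone name",
          "127.255.255.254": "query sent via a public/open resolver",
          "127.255.255.255": "excessive number of queries"}

def query_name(ip, zone=ZEN_ZONE):
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])

def classify(answers):
    """Turn the A records of a ZEN reply into (verdict, details)."""
    errors = sorted(ERRORS[a] for a in answers if a in ERRORS)
    if errors:
        return "error", errors          # never reject mail on these
    hits = sorted({LISTS[a] for a in answers if a in LISTS})
    if hits:
        return "listed", hits
    if answers:
        return "unknown", sorted(answers)
    return "not_listed", []             # NXDOMAIN / empty answer

def lookup(ip):
    """Live query. OSError covers NXDOMAIN but also resolver failures,
    so this sketch fails open (treats both as not listed)."""
    try:
        answers = socket.gethostbyname_ex(query_name(ip))[2]
    except OSError:
        answers = []
    return classify(answers)
```

A filter that treats any answer at all as a listing will reject legitimate mail once its queries start being refused, which is why the error range is checked first.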

Second Stage Filtering
Spamhaus recommends using the SBL for second stage filtering, effectively creating a “URI SBL.” This allows you to filter or block mail that contains references to websites that resolve to IP addresses listed on the SBL. DNSBL Resource does not currently incorporate this second stage filtering, and has no data regarding its effectiveness. However, this is planned for a future project.
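The second stage check described above can be sketched as follows. This is an added example, not code from DNSBL Resource or Spamhaus; the function names, the `sbl.spamhaus.org` zone name (not given on this page), and the sample message and addresses are assumptions, and it handles IPv4 only.

```python
import re
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def hosts_in_body(body):
    """Unique hostnames referenced by http(s) links, in order of appearance."""
    hosts = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:              # malformed URL, e.g. a bad IPv6 literal
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def resolve_a(host):
    """Live resolver: IPv4 addresses for host, empty list on failure."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def sbl_listed(ip, zone="sbl.spamhaus.org"):
    """Live SBL check: any 127.0.0.x answer counts as a listing."""
    name = ".".join(ip.split(".")[::-1] + [zone])
    try:
        answers = socket.gethostbyname_ex(name)[2]
    except OSError:
        return False
    return any(a.startswith("127.0.0.") for a in answers)

def uri_sbl_hits(body, resolve=resolve_a, is_listed=sbl_listed):
    """Map each linked host to the SBL-listed IPs it resolves to."""
    hits = {}
    for host in hosts_in_body(body):
        listed = [ip for ip in resolve(host) if is_listed(ip)]
        if listed:
            hits[host] = listed
    return hits

# Constructed sample data (documentation-range addresses, reserved names).
SAMPLE_BODY = ('Click http://Shop.example/offer?id=1 or '
               '<a href="https://cdn.example./x.js">here</a>. '
               'Again: http://shop.example/again')
SAMPLE_DNS = {"shop.example": ["192.0.2.10", "198.51.100.7"],
              "cdn.example": ["203.0.113.5"]}
SAMPLE_LISTED = {"192.0.2.10"}
```

Passing stub `resolve` and `is_listed` callables, as the sample data allows, lets the logic be tested without sending any DNS queries.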

Controversy

Spamhaus, like most other DNSBLs, is not entirely free from controversy. They are currently (2007) embroiled in an ongoing legal battle with a company called E360. As Spamhaus is not based in the US, there are varying opinions regarding whether or not Spamhaus is subject to any judgments or actions under US law, not to mention whether or not the underlying actions have merit. I'm not a lawyer, so I can't speak to this. I can tell you, however, that I do not find that this ongoing issue stops me from utilizing Spamhaus ZEN for my own personal spam filtering. If you'd like to learn more about the E360 matter, Mickey Chandler's spam lawsuit site at SpamSuite.com is a great place to start.

Google reveals a great many links to articles, posts, and comments from people who have various negative opinions of Spamhaus. Sometimes these opinions are based on a lack of understanding of how spam filtering works. Sometimes these are based on dissatisfaction resulting from disagreement over what constitutes spam or non-spam. In particular, many entities purposely listed on Spamhaus are likely to be unhappy about the fact, and some subset of this negative commentary is likely to have been actively spread by spammers. I personally suspect very little of it is likely to be accurate.