Blocklists Explained: Spamhaus And The Rest
The Mythic Intel Team · Feb 14, 2025 · 7 min read
A DNS blocklist (DNSBL, sometimes called an RBL) is a list of IP addresses or domains with bad sending reputation, published over DNS so a mail server can check a sender in a few milliseconds during the SMTP handshake. When a connection arrives, the receiving server reverses the connecting IP, appends the list's zone name, and does a normal DNS lookup. A listed IP returns an address in the 127.0.0.0/8 range; a clean IP returns NXDOMAIN. That is the whole mechanism. Spamhaus runs the most widely used of these lists, and being on one means your mail gets deferred or rejected before the body is ever read.
The query is cheap precisely because it is just DNS. The receiving MTA does not download the list. It asks a question and reads the answer, which is why a blocklist check can sit on the front of every inbound connection without slowing delivery.
How a DNSBL lookup works
To check an IP, you reverse its octets, append the list zone, and query for an A record. For 192.0.2.5 against Spamhaus Zen:
# IP 192.0.2.5 reversed, with the zone appended
dig +short 5.2.0.192.zen.spamhaus.org A
# Listed: returns one or more 127.0.0.x codes, e.g.
127.0.0.2
# Not listed: returns nothing (NXDOMAIN)
The return code is not arbitrary. Each 127.0.0.x value tells you which underlying list matched, so a single query against the combined Zen zone tells you both that the IP is listed and why. The NXDOMAIN-means-clean convention is load-bearing: filters rely on a clean IP producing no answer, so a list that returned a wildcard A record for everything would break every server querying it.
The Spamhaus lists
Spamhaus publishes several IP-based lists, each targeting a different behavior. The combined zone zen.spamhaus.org rolls them into one query, and the return code identifies the source list:
- SBL (Spamhaus Block List), return code 127.0.0.2: IP addresses Spamhaus has manually verified as spam sources or spam-support operations. Listings are evidence-based and curated. Code 127.0.0.9 indicates SBL DROP data, hijacked or spammer-controlled netblocks you should not route or peer with at all.
- CSS (Combined Spam Sources), return code 127.0.0.3: an automated subset of the SBL that catches snowshoe spam and IPs showing spam-source patterns without manual review.
- XBL (Exploits Block List), return code 127.0.0.4: IP addresses of compromised machines, sending through trojans, worms, exploits, or open proxies. This is the botnet list, sourced largely from the CBL data.
- PBL (Policy Block List), return codes 127.0.0.10 and 127.0.0.11: ranges that should not be delivering mail directly to the internet, typically dynamic and residential IP space. Code 127.0.0.10 means the listing was supplied by the ISP that controls the range; 127.0.0.11 means Spamhaus inferred it. A PBL listing is a policy statement, not an accusation of spam.
There is also the DBL (Domain Block List), which lists spam domains rather than IPs and is queried at the content-filtering stage against domains found in the message body. Querying zen.spamhaus.org covers SBL, CSS, XBL, and PBL in one lookup, which is why most configurations point a single DNSBL check at Zen and read the return code.
A safe baseline in Rspamd or your MTA is to reject SMTP connections from any IP that returns a code in Zen, since all four component lists describe IPs that should not be sending you mail directly.
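The lookup and return-code handling described above, as an added Python example (not code from this article or from Spamhaus). The function names are illustrative, and the treatment of 127.255.255.0/24 replies as query errors rather than listings is an assumption taken from Spamhaus's own documentation, not from this page.

```python
import ipaddress
import socket

ZEN = "zen.spamhaus.org"
# Return codes exactly as listed in the article above.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "CSS", "127.0.0.4": "XBL",
    "127.0.0.9": "SBL DROP", "127.0.0.10": "PBL (ISP-supplied)",
    "127.0.0.11": "PBL (Spamhaus-inferred)",
}
# Assumption (Spamhaus documentation, not this article):
# 127.255.255.0/24 answers signal a query error, not a listing.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def query_name(ip, zone=ZEN):
    """Reverse the IPv4 octets and append the list zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers):
    """Map the A records of a Zen reply to (verdict, details)."""
    if not answers:
        return ("clean", [])            # NXDOMAIN: not listed
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    if any(a not in LOOPBACK for a in addrs):
        return ("unexpected", answers)  # wildcard or rewritten DNS answer
    if any(a in ERROR_NET for a in addrs):
        return ("error", answers)       # resolver problem, not a listing
    return ("listed",
            [ZEN_CODES.get(str(a), "unmapped " + str(a)) for a in addrs])

def lookup(ip, zone=ZEN):
    """Live query; NXDOMAIN becomes an empty answer list."""
    try:
        infos = socket.getaddrinfo(query_name(ip, zone), None,
                                   socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeouts and SERVFAIL must not be read as "clean"
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    # Constructed replies, so the demo runs offline.
    print(query_name("192.0.2.5"))
    for reply in ([], ["127.0.0.2"], ["127.0.0.4", "127.0.0.10"],
                  ["127.255.255.254"], ["203.0.113.7"]):
        print(reply, "->", classify(reply))
```

Only the "listed" verdict should drive the reject policy described above; "error" and "unexpected" point at the resolver path and are worth alerting on rather than acting on.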
How an IP gets listed
The path onto each list differs. SBL listings come from Spamhaus's own investigation of spam operations. CSS and XBL listings are automated, driven by spam traps, sensor networks, and observed exploit traffic, so a freshly compromised server or a misconfigured open relay can be listed within hours of starting to emit. PBL listings come from ISPs declaring their dynamic ranges, or from Spamhaus identifying ranges that match dynamic-allocation patterns. The most common surprise for an operator is a PBL listing on a new server: the cloud provider's IP block was already declared as space that should route mail through a smart host, and your direct-to-MX delivery trips it.
Getting delisted, calmly
Removal from Spamhaus is free. There is no paid fast lane, and any service that charges you to "remove you from Spamhaus" is not Spamhaus. The process:
- Check the IP at the Spamhaus reputation checker to see exactly which list it is on and read the listing reason.
- Fix the underlying cause first. For XBL or CSS, that means cleaning the compromised host, closing the open relay, or stopping the spam run. Delisting before the cause is fixed gets you relisted immediately.
- For a single IP on XBL or CSS, use the self-service exclusion (removal) form on the listing page. These listings also expire automatically once the underlying problem stops, so removal mainly skips the wait.
- For a PBL listing, the fix is usually not removal at all. Either send through your provider's designated smart host, or request removal through the ISP-controlled PBL portal if you genuinely run a static IP that should deliver directly.
- For SBL, follow the evidence-based instructions in the listing record, since these are reviewed by humans.
The recurring lesson is that the blocklist is a symptom, not the disease. An IP lands on XBL because a machine behind it is compromised, on CSS because it is emitting spam-shaped traffic, on PBL because the range was never meant to send directly. Delist the IP without fixing that and you are back on the list by the next scan.
If an interviewer asks how blocklists work, the clean answer is: a DNSBL is a DNS zone where a listed IP resolves to a 127.0.0.x code and a clean IP returns NXDOMAIN; Spamhaus Zen combines SBL, CSS, XBL, and PBL into one query whose return code tells you which list matched; and removal is free once you fix the cause. Being able to recite the return codes and explain why a new cloud IP often starts life on the PBL shows you have actually delisted a server, not just read about it.