A Spamhaus blocklist listing is one of the most operationally serious deliverability events a sending infrastructure can encounter. Spamhaus lists — specifically the ZEN composite list that combines SBL, XBL, and PBL — are queried by the majority of enterprise spam filters and many ISPs as a primary delivery-gating check. A sending IP listed in ZEN may face immediate 5xx SMTP rejection at any mail server that queries Spamhaus during connection evaluation. Unlike ISP-level reputation problems that produce gradual spam folder placement, a Spamhaus listing can produce near-total delivery failure immediately and persists until the delist request is processed. This guide documents each Spamhaus list, how to check listing status, and how to execute the delist process correctly.

ZEN
Spamhaus ZEN = SBL + XBL + PBL combined — the list most commonly queried by mail servers
5xx rejection
ZEN-listed IPs face immediate SMTP rejection at servers that query Spamhaus — not spam folder, total failure
Different removal
SBL, CBL, and PBL listings have entirely different removal processes — don't confuse them
24-48 hours
Typical processing time for CBL/PBL delist requests after submission — SBL may take longer

Spamhaus: The Most Widely Used Email Blocklist

Spamhaus is a non-profit organisation that maintains the world's most widely used email blocklists. Founded in 1998, its blocklists are now queried billions of times daily by enterprise spam filters (Proofpoint queries Spamhaus, as does Barracuda, Cisco ESA, and many others), ISPs, and self-hosted mail servers running SpamAssassin or Postfix. Unlike smaller or regional blocklists that affect specific mail environments, a Spamhaus listing affects mail delivery to a significant fraction of all enterprise email worldwide.

The Spamhaus lookup infrastructure works via DNS: a mail server checks whether a sending IP is listed by querying zen.spamhaus.org with the reversed IP address. A positive return (any response other than NXDOMAIN) indicates listing, with the specific return code indicating which sub-list the IP is on. Many mail servers treat any ZEN listing as a hard rejection signal — immediately returning a 5xx SMTP error to the connecting mail server, refusing to accept the message.

The ZEN Composite List: What It Is and Why It Matters

ZEN (Zen Expanded Network) is Spamhaus's composite blocklist that combines three separate lists into a single query target. When a mail server queries zen.spamhaus.org, it gets the union of all three lists' coverage. The three component lists have completely different reasons for listing and completely different removal processes — understanding which specific list an IP is on is essential before attempting removal.

The return code tells which list:

# How to check Spamhaus ZEN listing from command line:
# For IP 198.51.100.10, reverse octets and query:
dig 10.100.51.198.zen.spamhaus.org A

# Return code interpretation:
# NXDOMAIN = not listed = clean
# 127.0.0.2 = SBL listing (Spamhaus Block List — spam source)
# 127.0.0.3 = SBL listing (CSS sub-list — snowshoe spam)
# 127.0.0.4 = XBL listing via CBL (compromised machine)
# 127.0.0.9 = SBL listing (DROP list — hijacked netblocks)
# 127.0.0.10 = PBL listing (Policy Block List — end-user IP)
# 127.0.0.11 = PBL listing (ISP-managed policy)

# Alternative: use the Spamhaus lookup tool at:
# https://check.spamhaus.org/
# Enter the IP address and it shows which lists are active

# Also check individual lists directly:
dig 10.100.51.198.sbl.spamhaus.org A    # SBL only
dig 10.100.51.198.xbl.spamhaus.org A    # XBL only
dig 10.100.51.198.pbl.spamhaus.org A    # PBL only

SBL (Spamhaus Block List): Policy Violations and Spam Sources

The SBL lists IPs that Spamhaus researchers have identified as spam sources, spam operations, or spam-support infrastructure. An SBL listing is a human-reviewed decision by Spamhaus researchers — it indicates that Spamhaus believes the listed IP is associated with spam activity. SBL listings are the most serious category because they reflect a judgment about the IP's use, not just its technical characteristics.

Common SBL listing reasons: Sending unsolicited commercial email that Spamhaus has classified as spam; sending to Spamhaus spam trap addresses (honeypot addresses that should never receive legitimate email); operating snowshoe spam (distributing spam volume across many IPs/domains to evade per-IP detection); sending on behalf of spam-listed clients; being associated with known spam infrastructure through IP block ownership or routing.

SBL removal process: (1) Visit check.spamhaus.org and look up the listed IP. The result page shows the reason for listing and a link to the specific SBL issue record. Read the issue record carefully — it contains Spamhaus's assessment of why the IP was listed. (2) The SBL removal request form requires: identification of the IP and the specific SBL record, a clear explanation of what changes have been made to stop the spam activity, confirmation that appropriate list hygiene, consent verification, and sending practices have been implemented. (3) Spamhaus reviews SBL removal requests manually. Processing time ranges from 24 hours to several days for standard requests. (4) Critical: do not submit multiple removal requests for the same listing. Spamhaus treats repeated requests without adequate information as a bad-faith indicator and may delay processing or decline removal.

What makes an SBL removal request succeed: Specific, factual description of the spam event and what caused it; concrete description of changes implemented to prevent recurrence; evidence of list hygiene improvements (such as removing the specific source of the spam trap hits or implementing confirmed opt-in); willingness to accept additional conditions if requested by Spamhaus. Generic "we didn't send spam, please delist us" requests are almost always declined.

CBL/XBL: Compromised Machines and Botnet Listing

The CBL (Composite Blocking List) detects IPs that are showing behaviour patterns consistent with compromised machines sending spam — specifically, IPs that are generating spam through botnet malware, open proxies, or email server misconfiguration that allows third-party relaying. The CBL feeds into Spamhaus XBL. A CBL/XBL listing does not mean Spamhaus believes the IP owner is a spammer — it means the IP is exhibiting automated spam-sending behaviour that typically indicates a security compromise.

Common CBL listing reasons: A server on the IP is infected with spam-sending malware; a mail server is configured as an open relay (accepting email for forwarding from unauthenticated third parties); a mail server is misconfigured as an open proxy; PHP mail scripts or web application email functions are being exploited to send spam through the server.

CBL removal process: (1) Check the CBL listing at check.spamhaus.org. The listing page for CBL/XBL entries includes specific information about what the CBL detected — this is the diagnostic starting point. (2) Investigate and remediate the security issue on the listed IP: scan for malware, close open relay configurations, check web application email functions for exploitation, review SMTP logs for anomalous outbound email. (3) After confirming the security issue is resolved, submit the CBL removal request at spamhaus.org/cbl. The CBL removal process is largely automated — if the CBL detection system no longer sees the problematic behaviour from the IP, the delist is typically processed within 1-3 hours. (4) If the CBL immediately re-lists the IP after delisting, the security issue has not been fully resolved — the automated detection is still seeing problematic traffic from the IP.

PBL (Policy Block List): End-User IP Ranges

The PBL is a completely different kind of list from SBL and XBL — it is not a list of spam sources, but a list of IP ranges that ISPs and hosting providers have designated as "end-user" or "dynamic" IP space that should not be used for direct-to-MX email sending. Many residential ISPs, cloud providers, and hosting companies submit their dynamic or consumer IP ranges to the PBL to indicate that these IPs should not be used for outbound SMTP.

Why your dedicated server IP might be on the PBL: If you recently obtained a new server or IP address, the IP may have previously been assigned to a consumer/residential account at an ISP and submitted to PBL. Or the IP block is owned by a hosting provider that submitted its consumer-grade IP ranges to PBL before your server was provisioned. A PBL listing does not indicate spam history — it indicates IP range policy.

PBL removal process: (1) Verify the IP is actually on PBL and not SBL (the removal processes are completely different). Check check.spamhaus.org and confirm the 127.0.0.10 or 127.0.0.11 return code. (2) The PBL removal form is at spamhaus.org/pbl-removal. This is a self-service form that allows IP owners to remove their IPs from PBL. Fill in the IP address and contact information. Spamhaus processes PBL removal requests automatically — the removal typically takes 24-48 hours. (3) PBL removal is permanent for the specific IP — once an IP is removed from PBL, Spamhaus does not automatically re-add it unless the hosting provider re-submits the IP range. (4) Note: removing an IP from PBL only removes the PBL listing. If the IP is also on SBL or CBL, those listings require separate removal processes.

Checking If Your IP Is Listed

# Complete Spamhaus check script for all sending IPs:

#!/bin/bash
SENDING_IPS=(
    "198.51.100.10"
    "198.51.100.11"
    "198.51.100.12"
    # Add all your sending IPs here
)

for IP in "${SENDING_IPS[@]}"; do
    # Reverse the IP octets for DNS lookup
    REVERSED=$(echo $IP | awk -F. '{print $4"."$3"."$2"."$1}')
    
    # Query ZEN (composite)
    ZEN=$(dig +short ${REVERSED}.zen.spamhaus.org 2>/dev/null)
    
    if [ -z "$ZEN" ]; then
        echo "✅ $IP: Not listed in Spamhaus ZEN"
    else
        echo "❌ $IP: LISTED in ZEN — return: $ZEN"
        
        # Identify which specific list
        SBL=$(dig +short ${REVERSED}.sbl.spamhaus.org 2>/dev/null)
        XBL=$(dig +short ${REVERSED}.xbl.spamhaus.org 2>/dev/null)
        PBL=$(dig +short ${REVERSED}.pbl.spamhaus.org 2>/dev/null)
        
        [ -n "$SBL" ] && echo "   → SBL listing (spam source — manual review required)"
        [ -n "$XBL" ] && echo "   → XBL/CBL listing (compromised machine — security review required)"
        [ -n "$PBL" ] && echo "   → PBL listing (policy block — end-user IP range)"
    fi
done

# Also check against other major blocklists:
for IP in "${SENDING_IPS[@]}"; do
    REVERSED=$(echo $IP | awk -F. '{print $4"."$3"."$2"."$1}')
    BARRACUDA=$(dig +short ${REVERSED}.b.barracudacentral.org 2>/dev/null)
    SORBS=$(dig +short ${REVERSED}.dnsbl.sorbs.net 2>/dev/null)
    INVALUEMENT=$(dig +short ${REVERSED}.dnsbl.invaluement.com 2>/dev/null)
    
    [ -n "$BARRACUDA" ] && echo "⚠️  $IP: Barracuda BRBL listed"
    [ -n "$SORBS" ] && echo "⚠️  $IP: SORBS listed"
    [ -n "$INVALUEMENT" ] && echo "⚠️  $IP: Invaluement listed"
done

The Delist Request Process: Step by Step

▶ Spamhaus Delist Process by List Type
1
Identify which list(s): Run the DNS check above or use check.spamhaus.org. Note the return code. SBL (127.0.0.2/3), XBL/CBL (127.0.0.4), PBL (127.0.0.10/11). Each requires a completely different process.
2
For PBL only: Go directly to spamhaus.org/pbl-removal. Complete the self-service form. No investigation needed — PBL is policy-based, not spam-based. Done in 24-48 hours.
3
For CBL/XBL: Investigate and fix the security issue on the server first (malware scan, close open relay, fix web app email). Only then submit the CBL removal at spamhaus.org/cbl. Automated re-check runs within hours. If still compromised — re-listed immediately.
4
For SBL: Read the specific SBL issue record at check.spamhaus.org. Implement the changes needed (list hygiene, consent verification, spam trap source removal). Then submit removal request at spamhaus.org/sbl with specific factual description of changes made.
5
Wait for processing: PBL = 24-48 hours. CBL = 1-3 hours after fix. SBL = 24 hours to several days. Do not submit duplicate requests. Check listing status daily at check.spamhaus.org.
6
After delisting — propagation: DNS blocklist records have TTL (time-to-live) values — typically 1-24 hours. Even after Spamhaus removes the listing, caches at recipient mail servers may retain the old data for up to 24 hours. Monitor delivery logs for 24-48 hours after confirmed delisting to verify clearing.

Avoiding Re-listing After Removal

Spamhaus maintains a history of listing and removal requests per IP. Repeated listings and removals for the same IP increase scrutiny and may result in longer review times or conditions attached to future removals. Building practices that prevent re-listing is the operational priority after a successful delist.

For SBL re-listing prevention: implement the list hygiene and consent practices that prevented the spam trap hits or spam complaints that caused the original listing. Run all sending IPs through a weekly automated Spamhaus check (the script above as a cron job) so that any new listing is detected within days rather than when customer complaints arrive. Enrol in Spamhaus' Data Query Service (DQS) — a commercial service that provides real-time Spamhaus data and typically includes early warning signals for IPs approaching listing thresholds.

For CBL re-listing prevention: establish server security practices that prevent the compromise patterns CBL detects. Use fail2ban or equivalent to rate-limit and block suspicious SMTP authentication attempts. Run regular malware scans on all sending servers. Monitor outbound SMTP volume in the MTA's accounting log — any sudden volume spike (10x normal hourly sending rate) from a server may indicate a compromise and should trigger an immediate security investigation.

A Spamhaus listing is a significant deliverability event that requires accurate diagnosis of which list is involved and a targeted remediation process specific to that list. The mistake most programmes make is treating all Spamhaus listings as equivalent — applying a generic "clean up the list and request removal" approach to a CBL listing (which requires security remediation, not list hygiene) or a PBL listing (which requires a self-service form, not a manual review). Matching the remediation to the specific listing type produces fast resolution; mismatched remediation produces delays and potential re-listing from the unresolved underlying issue.

H
Henrik Larsen

Deliverability Recovery Specialist at Cloud Server for Email. Specialising in email deliverability, infrastructure architecture, and high-volume sending operations.