What Is the Spamhaus CSS?

The Spamhaus Combined Spam Sources (CSS) Blocklist helps you identify IP addresses that are known for sending spam.

What Is the Spamhaus ZEN Blocklist?

The Spamhaus Combined Spam Sources (CSS) Blocklist is a resource to identify IP addresses known to send unsolicited bulk emails, commonly referred to as spam.

Maintained by the non-profit Spamhaus Project, which tracks email spammers and spam-related activities worldwide, the CSS Blocklist is essential for protecting networks and users from spam. By using this blocklist, email providers and network admins can filter out annoying emails, keeping inboxes safe from unwanted and potentially harmful content.

CSS Blocklist: A Dataset for Spam

The Spaamhaus CSS blocklist focuses on SMTP traffic and port-25 based malicious activity detection. You might end up on this list if you send unsolicited emails, have poor email marketing practices, or send out malicious emails because of compromised accounts or content management systems (CMS). Both IPv4 (/32) and IPv6 (/64) addresses are tracked by CSS..

An Automated Blocklist for Catching Spammers

The Spamhaus CSS list is auto-generated to include IP addresses involved in sending low-reputation emails. It mainly targets static spam emitters not covered by the Policy Blocklist (PBL) or Exploits Blocklist (XBL), such as snowshoe spam operations. It also covers other high-risk senders, including compromised hosts.

The CSS Blocklist Aggregates Data for Enhanced Protection

CSS data is compiled from many sources, resulting from numerous events and heuristics. Typically, the Spamhaus Blocklist contains between 2 to 4 million entries, with 300,000 to 400,000 new listings added daily. Email administrators can use this real-time DNSBL to significantly cut down on spam and other malicious emails. Enjoy industry-leading catch rates with minimal false positives, helping to mitigate security risks, lower email infrastructure costs, and reduce workload.

How to Utilize This Dataset

To get the most out of Spamhaus’ data, implement blocklists at specific points in the email filtering process. For the CSS, it’s part of the Spamhaus Blocklist zone, a subset of SBL, and should be used during:

  • The initial connection – check the connecting IP.
  • After the email data is accepted, check IP addresses in the Received chain within the mail headers and look up IP addresses hosting resources in the email body, like URLs.

For more details, check out this best practice guide.

Spamhaus Blocklists are Free and Used Globally

Each blocklist targets a specific behavior. Relying on a single blocklist limits data effectiveness. Spamhaus offers three other IP-based blocklists for free:

These IP blocklists are accessible via ZEN, which combines these datasets for efficient querying.

While most malicious emails are intercepted at the SMTP transaction, many bad actors invest heavily in evading IP detection. For optimal catch rates, domain and hash blocklists should also be employed to filter emails post-acceptance. Spamhaus provides the Domain Blocklist (DBL) for free. Discover more about the importance of domain and hash blocklists here.

How to Configure the CSS Blocklist

To get your CSS blocklist up and running, you can use the data through SMTP server configuration for connection and SMTP transaction checks. Plus, there are open-source tools like SpamAssassin and Rspamd that help with content analysis. There are plugins available for both, making configuration easier, especially if you’re using Spamhaus Technology’s free Data Query Service.

How to Use the CSS Blocklist Data

Good news! Using Spamhaus DNSBLs is free for low-volume, non-commercial users. If you’re not sure, check our DNSBL usage criteria.

IP Reputation is Everything

Spamhaus’ data helps protect billions of mailboxes worldwide. To keep your IP off the list and ensure smooth email service, follow these tips:

  1. IP Warm-Up – Start by gradually increasing the mail sent from new IPs. Building a good reputation starts here, so it’s crucial.
  2. Proactive Configuration – Make sure your new IPs are properly set up at least 30 days before your first send.
  3. Restrict Outbound SMTP Traffic – Configure your firewall to allow outbound SMTP traffic (destination port 25) only from your mail server’s internal IP.
  4. Infrastructure – Double-check your internet infrastructure providers, like ISPs. Check out reputation statistics on ISPs/networks.
  5. Use Double Opt-In – Avoid spam traps and make sure only genuine, interested recipients get your emails.
  6. Configuration – Ensure your hostname and HELO match, and your reverse DNS (PTR record) points to the same hostname.

How to be Removed from a CSS Block

If your IP ends up on the CSS blocklist, just visit https://check.spamhaus.org for more info. That’s the one place where CSS removals are dealt with.

Spamhaus CSS FAQ

The Spamhaus CSS list is an automatically generated set of IP addresses known for sending low-reputation emails. While CSS mainly targets static spam emitters, it can also include other senders that pose risks to users, like compromised hosts. The list covers both IPv4 (/32) and IPv6 (/64 or larger) addresses. Several factors influence CSS listings, such as:

  • Emails showing signs of being unsolicited;
  • Poor list hygiene practices;
  • Sending problematic emails due to compromises, insecure setups, or misconfigured servers;
  • Other indicators of low reputation or abuse.

CSS listings are based on a wide range of inputs and result from multiple events and heuristics, ensuring reliable identification of suspect IP addresses.

CSS listings usually expire within three days after the last spam detection, unless there’s a history of chronic abuse, which might extend the time.

  • The system allows quick, no-questions-asked removals within limits but will re-list IPs quickly upon re-detection.
  • To start the de-listing process, head to the IP and Domain Reputation Checker and follow the links provided.

Before you remove an IP from CSS, identifying and fixing the root cause is CRUCIAL.

  • CSS lets you remove IPs, but it will re-list them immediately if the problem remains.
  • Self-removals are limited.

IMPORTANT: Always check the reputation of any associated domains using the IP and Domain Reputation Checker. Remember, domain and IP reputations are connected.

Spamhaus creates reputation data, and ISPs use this info in different ways.

  • Providers decide what to do with IP addresses listed in CSS.
  • IP addresses on the CSS blocklist have been flagged for sending mail that fits CSS heuristics.
  • Usually, CSS listings expire three days after the last detection. But for ongoing issues, listings might last longer to alert administrators.
  • If your IP is listed, the issue is recent!

CSS rules target several issues, like snowshoe spam, mail from known bad actors, infected or compromised websites or CMS, bots, and other insecure or misconfigured applications or devices.

  • If an IP is listed in CSS, the first thing to do is check all technical settings for accuracy.
  • We recommend that all domain and mail server admins monitor the appropriate role accounts and feedback loops for their domains and network.
  • Server logs might also have useful information.

If an IP address is listed, check to see if any related domains are in the DBL.

  • This IP and Domain Reputation Checker can look up both IP addresses and domains.
  • If you manage an IP address and believe the issues causing the listing have been resolved, you can request a delisting.

CSS effectively manages IPv6 addresses by listing /64 subnets. Here’s how it works:

  • IPv6 CIDR Blocks: CSS lists “/64” or larger CIDR blocks.
  • Spam Mitigation: If a bunch of spam-emitting IPv6 addresses pop up across various /64 blocks within the same network, larger blocks might get listed.
  • Zone Size Management: Without these extensions, the IPv6 zone size could get overwhelmingly large.
  • Spammer Deterrence: Aggregated blocks make life harder for spammers compared to single “/128” IPs.

A “/64” is the industry standard for the smallest IPv6 allocation, even for home uses like cable, DSL, or wireless.

  • ISP Practices: For ISPs following the standard industry practices, CSS IPv6 listings typically affect only a single customer.
  • Standard Origin: The “/64” standard comes from RFC4291 and is further explained in RFC6177.

For more technical details on /64 customer assignments, check out Slash64.net and the M3AAWG document on policy issues for email reception in an IPv6 context.

Regional Internet Registries (RIRs) Allocation Information:

For customers assigned different addresses within the same /64 block, it’s a good idea to contact provider support to request a dedicated /64 assignment and move mail services to a non-shared /64 range.

  • If hosts handle both incoming and outgoing (smarthost) email, they should exempt connections using SMTP authentication from CSS checks.
  • End users often have dynamic IP addresses, which might get listed in the CSS because of previous users.
  • Use the CSS to notify an ISP’s security team when a user’s IP is flagged, but treat it as just an informational alert.

Trusted by Global Industry Leading Brands

Read Case Studies

IPv4 addresses ranging from a /24 up to /12s

Get a Free Consultation

Contact Us Today
Fortune Magazine
Financial Times
Stevie Awards
ACE Awards
© Brander Group Inc. 2026 All Rights Reserved | + 1 (702) 560-5616 | info (at) staging.brandergroup.net | Scottsdale, AZ - Las Vegas, NV - Los Angeles, CA