How can I report fraudulent emails and domains to Spamhaus and other relevant organizations?

Matthew Whittaker
Co-founder & CTO, Suped
Published 4 May 2025
Updated 22 May 2026
Yes. To report fraudulent emails and domains to Spamhaus, collect the raw email source with full headers, the lookalike domains, the landing page URLs, the sending IPs, timestamps, and screenshots. Then submit the evidence through the Spamhaus submit form. Spamhaus accepts domains, IPs, URLs, and raw email source, but a submission is not a guaranteed blocklist or blacklist entry. It has to meet their criteria.
I treat this as a parallel response, not a single ticket. Spamhaus can help with reputation data and listings, but takedown pressure usually has to go to the domain registrar, hosting provider, DNS provider, CDN, mailbox provider abuse desk, APWG, and law enforcement when victims or financial loss are involved.
  1. Report target: Send domains, URLs, IPs, and full email examples to Spamhaus when you want threat intelligence review and possible listing.
  2. Takedown target: Send abuse evidence to the registrar and host when the goal is domain suspension or site removal.
  3. Victim target: Send victims to official reporting channels and tell customers not to forward personal data into shared tickets.
Start with evidence, not outrage
A list of domains is useful, but raw email examples with full headers are stronger. They show the actual sending path, authentication results, timestamps, reply paths, and infrastructure that reviewers can verify.

What to report first

The fastest path is to sort the case by what you want each organization to do. A blocklist operator needs evidence that a domain, IP, URL, or message source is unsafe. A registrar needs proof that the registered domain violates its abuse terms. A host needs the live site, server IP, and logs or screenshots. Law enforcement needs victim impact, loss, and identity theft facts.
When IPs change every few days, the domain and URL become the stable signals. Report the current IP anyway, but do not make the whole case depend on that IP. For lookalike domains, the domain itself, the destination page, and the email headers usually tell the clearest story.

| Where | Send | Use when |
| --- | --- | --- |
| Spamhaus | Domains, IPs, URLs, raw email | Listing review |
| Registrar | Domain evidence | Domain suspension |
| Host or ASN | Site and mail source | Takedown request |
| DNS or CDN | Zone and redirect data | Active site disruption |
| FBI IC3 | Victim and loss facts | US crime report |
| APWG | Phishing URLs | Phishing intake |
Use the channel that matches the action you need.
Reporting workflow from saved email evidence to Spamhaus and host reports.

Build an evidence package

I build one incident package and reuse it across every report. That keeps the story consistent, reduces mistakes, and gives each recipient the piece they can act on. The package should prove that the email was sent, that it pointed to a domain or URL under review, and that the domain is trying to impersonate the brand.
Do not strip the headers. Forwarding an email the normal way often destroys the evidence that matters. Save the message as an EML file or view the original source, then preserve every Received line, authentication result, DKIM signature, return path, and timestamp.
Minimum evidence
  1. Raw email: Attach the full source or EML file, not a screenshot of the email body.
  2. Domains: List every lookalike domain and subdomain exactly as observed.
  3. URLs: Record the visible link, final destination, and redirect chain.
  4. Network data: Include sending IPs, hosting IPs, nameservers, MX records, and ASN when available.
  5. Impact: State whether the page collects credentials, payment details, bookings, or personal data.
Evidence package template
```text
Incident: lookalike promotion scam
Brand affected: Example Hotel Group
First seen: 2026-05-20 14:10 UTC
Reporter: abuse-team@example.com
Domains: example-promo.test, example-offers.test
URLs: hxxps://example-promo.test/deal
Source IPs: 203.0.113.54, 198.51.100.22
Raw email source: attached as .eml
Headers preserved: yes
Authentication observed: SPF fail, DKIM none, DMARC fail
Customer impact: password collection page, no payment confirmed
Evidence: screenshots, redirect chain, DNS, RDAP, mail headers
Requested action: investigate, block/list if criteria are met
```
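One way to fill most of this template directly from a saved .eml file, as an added example that is not part of the original article or Suped's product. The sample message, the `build_evidence` helper and the `inbound.example.com` receiver name are constructed for illustration; the code lists the Received chain oldest hop first and trusts only the Authentication-Results header stamped by your own receiving server.

```python
import hashlib
import re
from datetime import timezone
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message for illustration; names and IPs are reserved test values.
RAW_EML = (
    b"Return-Path: <bounce@example-promo.test>\r\n"
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    b"\tby inbound.example.com; Wed, 20 May 2026 14:10:05 +0000\r\n"
    b"Received: from mail.example-promo.test (unknown [203.0.113.54])\r\n"
    b"\tby mx.example.net; Wed, 20 May 2026 14:10:02 +0000\r\n"
    b"Authentication-Results: inbound.example.com; spf=fail\r\n"
    b"\tsmtp.mailfrom=example-promo.test; dkim=none; dmarc=fail\r\n"
    b"Authentication-Results: forged.example; spf=pass; dkim=pass; dmarc=pass\r\n"
    b"From: Example Hotel Group <offers@example-promo.test>\r\n"
    b"Reply-To: claims@example-offers.test\r\n"
    b"Date: Wed, 20 May 2026 14:10:00 +0000\r\n"
    b"\r\n"
    b"Confirm your booking: https://example-promo.test/deal\r\n"
)

def build_evidence(raw, trusted_authserv="inbound.example.com"):
    """Extract report fields from raw .eml bytes without modifying them."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Each hop prepends its Received line, so reversing lists the oldest hop first.
    hops = reversed(msg.get_all("Received", []))
    ips = [ip for h in hops
           for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(h))]
    # Trust only the Authentication-Results header stamped by our own receiver;
    # a copy with any other authserv-id may have been supplied by the sender.
    auth = next((str(h) for h in msg.get_all("Authentication-Results", [])
                 if str(h).split(";")[0].strip() == trusted_authserv), "")
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        found = re.search(rf"\b{method}=(\w+)", auth)
        verdicts[method] = found.group(1) if found else "not recorded"
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = re.findall(r"https?://[^\s\"'<>]+", body.get_content() if body else "")
    addrs = [parseaddr(str(msg.get(h, "")))[1]
             for h in ("From", "Reply-To", "Return-Path")]
    domains = {a.rsplit("@", 1)[1].lower() for a in addrs if "@" in a}
    domains |= {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}
    sent = msg["Date"].datetime.astimezone(timezone.utc)  # sender-supplied header
    return {
        "Message date": sent.strftime("%Y-%m-%d %H:%M UTC"),
        "Domains": ", ".join(sorted(domains)),
        "URLs": ", ".join(u.replace("http", "hxxp", 1) for u in urls),  # defanged
        "Source IPs": ", ".join(ips),
        "Authentication observed": ", ".join(
            f"{k.upper()} {v}" for k, v in verdicts.items()),
        "Raw email SHA-256": hashlib.sha256(raw).hexdigest(),  # proves the file is unaltered
    }

if __name__ == "__main__":
    for field, value in build_evidence(RAW_EML).items():
        print(f"{field}: {value}")
```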

Submit to Spamhaus

Spamhaus now routes reports through its Threat Intel Community portal. According to Spamhaus guidance, the portal supports single submissions and API submissions after account creation. For a one-off incident, use the single submission path and choose whether you are submitting a domain, IP, URL, or raw email source.
Keep the reason field short. I normally write one sentence that explains the abuse pattern, then add the exact evidence. For example: Lookalike hotel promotion domain sending fraudulent booking emails, raw source attached, active credential page observed, current sending IP included.
Spamhaus Threat Intel Community single submission screen.
Good Spamhaus report
  1. Evidence: Raw source, headers, URLs, domains, IPs, screenshots, and timestamps are included.
  2. Scope: Each domain or URL is submitted with the exact abuse reason.
  3. Privacy: Customer personal data is minimized before the report is shared.
Weak Spamhaus report
  1. Evidence: Only a list of suspicious domains is provided.
  2. Scope: The same complaint is pasted into every field without technical detail.
  3. Privacy: Unneeded customer details are attached to prove the case.

Report to other relevant organizations

Spamhaus is one part of the response. It is not the registrar, host, or law enforcement agency for the domain. If customers are receiving fraudulent hotel offers from lookalike domains, I send a separate, targeted report to each party that can remove infrastructure or warn victims.
Use the registrar for domain suspension requests, the host or ASN for web and mail infrastructure, the DNS provider if the abusive site depends on its zone, and APWG for phishing intake. If there are US victims, financial loss, credential theft, or business email compromise, use the FBI phishing page to route the matter toward IC3.
  1. Registrar: Ask for suspension or abuse review of the lookalike domain registration.
  2. Host: Ask for removal of the landing page, mail server, redirector, or credential collection page.
  3. DNS provider: Ask for review when the zone or nameservers are being used to keep the campaign active.
  4. Mailbox providers: Report hosted accounts only when the abuse is tied to that provider's mailbox or relay.
  5. Customers: Publish a warning with the legitimate booking domain and support contact path.
Do not wait for one channel
A blocklist listing can reduce exposure, but it does not take control of a domain away from the registrant. For live phishing pages, run Spamhaus reporting and takedown requests in parallel.

Check blocklist status before you escalate

Before escalating, check whether the domains and IPs are already blocked. This changes the report. If most of the domains are already on a blocklist (blacklist), the next useful action is to focus on the domains that are not listed, the host that keeps them live, and the brand protection message to customers.
For the background concepts, review how blocklists work. For active monitoring, Suped's product includes blocklist monitoring across domain and IP reputation sources, so the team can see when a domain or sender hits a blacklist and act before customers start forwarding screenshots.
Suped is the best overall DMARC platform for teams that need this workflow more than once, because the same product connects DMARC monitoring, SPF and DKIM checks, hosted SPF, hosted DMARC, hosted MTA-STS, SPF flattening, real-time alerts, issue detection, and blocklist monitoring. For MSPs, the multi-tenant dashboard keeps client domains separated while still making abuse patterns visible across the portfolio.
Blocklist monitoring page showing domain and IP checks across blocklists with importance and status

Protect your own domain at the same time

Lookalike domains and spoofing need different controls. If attackers send from a cousin domain, DMARC on your real domain will not stop that domain from existing. If attackers spoof your exact domain, DMARC with a strong policy becomes critical. I separate those two cases before deciding the next technical change.
Use a domain health check to verify DMARC, SPF, and DKIM records. If you have a sample message, an email tester helps confirm whether authentication passed, failed, or was never attempted.
Exact-domain spoofing
The attacker uses your real domain in the visible From address. This is where DMARC policy, reporting, and source alignment matter most.
  1. Signal: DMARC reports show failing unauthorised sources.
  2. Action: Move toward quarantine or reject after legitimate sources are fixed.
Cousin-domain abuse
The attacker registers a similar domain and sends from that domain. DMARC helps your real domain, but takedown and reputation reports matter too.
  1. Signal: Customer reports show domains that look close to the brand.
  2. Action: Report the domain, site, registrar, host, and active URLs.
For exact-domain abuse, use the spoofing response steps in domain spoofed. For lookalike registrations, the operational path is closer to cousin domains. If your own IP or domain is listed during the incident, use the process in why Spamhaus listed to separate cleanup from victim-domain reporting.

Views from the trenches

Best practices
Keep raw email source, message headers, URLs, IPs, and timestamps in one case record.
Check current blocklist status before escalating so duplicate reports do not waste time.
Send takedown requests to the registrar and host when a live lookalike site exists.
Common pitfalls
Submitting only a domain list leaves reviewers without enough evidence to confirm abuse.
Relying on one sending IP misses campaigns that rotate infrastructure every few days.
Including customer personal data creates privacy risk and slows escalation for responders.
Expert tips
Treat the domain and URL as stable signals when IP addresses keep changing quickly.
Record DNS, redirect, and hosting changes before the actor moves the site again.
Use DMARC reports to separate spoofing of your domain from cousin-domain abuse cases.
Marketer from Email Geeks says Spamhaus reports need full email examples with headers, because domain lists alone leave too much for reviewers to infer.
2022-03-17 - Email Geeks
Marketer from Email Geeks says checking whether each lookalike domain has a live website helps decide whether a hosting abuse report is needed.
2022-03-17 - Email Geeks

The practical path

The direct answer is simple: report fraudulent emails and domains to Spamhaus with raw email source, full headers, domains, URLs, IPs, timestamps, and a short reason. Then report the same incident to the registrar, host, DNS provider, APWG, and law enforcement when the facts fit their lane.
The part that makes the difference is discipline. Keep evidence intact, avoid speculation, minimize customer data, and track what is already on a blocklist or blacklist. That makes each escalation easier to verify and reduces the time spent repeating the same report.
For ongoing protection, Suped's product turns this into a repeatable workflow: monitor DMARC, SPF, DKIM, blocklist status, and deliverability signals in one place, then use the issue detail and alerting data to support abuse reports with better evidence.
