How can I report fraudulent emails and domains to Spamhaus and other relevant organizations?
Matthew Whittaker
Co-founder & CTO, Suped
Published 4 May 2025
Updated 16 Aug 2025
Dealing with fraudulent emails and spoofed domains is a persistent challenge for anyone managing email communications. These malicious activities, ranging from phishing scams to brand impersonation, not only harm recipients but can also severely damage your organization's reputation. The impact of such fraud can be widespread, affecting customer trust and leading to significant financial losses if not addressed promptly.
When my clients or I encounter these issues, a key step is to report the activity to organizations like Spamhaus. They play a critical role in compiling and distributing data on malicious IPs and domains. Knowing where and how to report these incidents effectively is essential for mitigating their impact and contributing to a safer email ecosystem for everyone. This process helps protect your brand and its recipients from ongoing threats.
Proactive reporting and understanding the mechanisms behind email blocklists (or blacklists) are fundamental to maintaining good email deliverability and protecting your sender reputation. It is a continuous effort to stay ahead of bad actors and ensure your legitimate communications reach their intended inboxes.
The first step in combating email fraud is to accurately identify the malicious activity. This often involves scrutinizing the email itself, particularly the sender's address and the email headers. Fraudsters frequently use sophisticated techniques, such as creating domains that closely resemble legitimate ones (typosquatting) to trick recipients.
I always advise looking for discrepancies in the domain name, unexpected links, or unusual requests. Phishing emails, for instance, often prompt urgent actions or requests for sensitive information. Understanding these patterns is key to recognizing a scam. Identifying suspicious email domains and patterns is crucial.
Analyzing email headers for forensic evidence
Email headers contain valuable information about the sender, recipient, and the path an email took to reach its destination. These details can help trace the origin of a fraudulent email and provide the necessary evidence for reporting. Key elements to look for include the Received headers, which show the IP addresses of the servers that handled the email, and the Authentication-Results header, which indicates SPF, DKIM, and DMARC authentication results. This information is vital for organizations like Spamhaus.
Example of email header snippet
Received: from mail.example.com (mail.example.com [192.0.2.1])
    by mx.yourdomain.com with ESMTPS id ABCDEF0123456
    for <recipient@yourdomain.com>; Mon, 1 Jan 2024 12:00:00 -0000
Authentication-Results: mx.yourdomain.com;
    dkim=pass (signature verified) header.d=legitdomain.com;
    spf=fail (sender IP is 192.0.2.1) smtp.mailfrom=fraudulent-sender@frauddomain.com;
    dmarc=fail action=none header.from=legitdomain.com
When you have the full email, including its raw source and headers, you have the necessary forensic data to begin reporting. This raw data is often crucial for organizations to verify the fraudulent activity and take appropriate action. Without it, your report might lack the specific evidence needed for a listing.
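The following added example (not code from the original article) pulls the relay IPs, the authentication verdicts and the From/envelope domain mismatch out of a raw message, which is the evidence a report needs. The sample message is constructed, adapted from the header snippet above with the DKIM result set to none and a second, untrusted Authentication-Results header added; the function name and the trusted_authserv parameter are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message), adapted from the header snippet above.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [192.0.2.1])
\tby mx.yourdomain.com with ESMTPS id ABCDEF0123456
\tfor <recipient@yourdomain.com>; Mon, 1 Jan 2024 12:00:00 -0000
Authentication-Results: mx.yourdomain.com;
\tdkim=none;
\tspf=fail (sender IP is 192.0.2.1) smtp.mailfrom=fraudulent-sender@frauddomain.com;
\tdmarc=fail action=none header.from=legitdomain.com
Authentication-Results: mx.attacker.invalid; spf=pass; dkim=pass; dmarc=pass
From: "Legit Support" <support@legitdomain.com>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 literal in a Received header
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.from|header\.d)=([^\s;]+)")

def unfold(value):
    return " ".join(value.split())  # collapse a folded header onto one line

def extract_evidence(raw, trusted_authserv):
    """Summarise the header evidence a report needs, from one raw message."""
    msg = message_from_string(raw)
    # Each hop prepends its Received header, so the list runs newest to oldest.
    received = [unfold(h) for h in msg.get_all("Received", [])]
    relay_ips = [ip for h in received for ip in IP_RE.findall(h)]
    results, props = {}, {}
    for header in map(unfold, msg.get_all("Authentication-Results", [])):
        authserv, _, body = header.partition(";")
        # A sender can insert its own Authentication-Results header, so keep
        # only the ones stamped by the receiving server you control.
        if authserv.strip().lower() != trusted_authserv.lower():
            continue
        body = re.sub(r"\([^)]*\)", "", body)  # drop parenthesised comments
        results.update((m, r.lower()) for m, r in RESULT_RE.findall(body))
        props.update(PROP_RE.findall(body))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_domain = props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    return {
        "relay_ips": relay_ips,
        "auth": results,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spoof_suspected": results.get("dmarc") == "fail" and from_domain != envelope_domain,
    }
```

Calling extract_evidence(SAMPLE, "mx.yourdomain.com") ignores the header stamped by mx.attacker.invalid and reports only what your own receiving server recorded.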
Reporting to Spamhaus and key blocklist organizations
Spamhaus is one of the most recognized and influential organizations in the fight against email abuse. They maintain several blocklists (also known as blacklists), including the Spamhaus Block List (SBL), Exploits Block List (XBL), Policy Block List (PBL), and Domain Block List (DBL), which are widely used by internet service providers and email administrators globally. Reporting fraudulent activity to Spamhaus is a key step in getting malicious IPs and domains blocked across the internet. If your domain or IP is ever listed, understanding these lists is helpful for delisting.
To report suspicious activity directly to Spamhaus, you can use their official submission portal. This portal allows you to provide email source code, URLs, domains, and IP addresses related to the fraud. Remember, the more comprehensive the information you provide, the better. Spamhaus often requires their own internal verification before adding an entry to their blocklists (blacklists), so clear evidence is paramount.
For specific issues like DBL listings, Spamhaus has procedures for reviewing reported domains. If you need to contact Spamhaus directly, providing all relevant details will expedite the process. The goal is to ensure that domains involved in fraudulent activities, like look-alike domains used in phishing, are added to these blocklists as quickly as possible, thus minimizing their reach.
Submitting to Spamhaus
Submission Portal: Utilize the official Spamhaus submit portal for reporting email source, URLs, domains, and IPs.
Required Evidence: Always include full email headers and the complete raw email source to help Spamhaus verify the fraudulent activity.
Verification Process: Be aware that Spamhaus conducts its own investigations and requires sufficient internal evidence before listing an entity.
Reporting to broader anti-phishing and law enforcement groups
While Spamhaus is a major player, it's beneficial to report fraudulent emails and domains to other relevant organizations. The Anti-Phishing Working Group (APWG) is a global coalition dedicated to eradicating online fraud and identity theft. You can report phishing emails directly to them, which helps their efforts in tracking and combating phishing trends. The FTC also suggests forwarding phishing emails to reportphishing@apwg.org.
Another crucial avenue is reporting to the domain registrar or hosting provider of the fraudulent domain. Most registrars and hosting companies have an abuse department that can be contacted via an abuse@ email address. They have the authority to suspend or take down malicious domains. This is particularly effective for handling spam using your domain and URLs, as it directly impacts the infrastructure supporting the fraud.
Finally, for severe cases involving financial fraud or large-scale cybercrime, reporting to law enforcement agencies is essential. In the United States, you can report such incidents to the FBI's Internet Crime Complaint Center (IC3). This helps law enforcement gather intelligence and pursue criminal investigations. When your email domain gets spoofed, these channels become even more critical. The FBI provides resources on reporting spoofing and phishing schemes.
Organization | What to report | How to report
Spamhaus Project | Malicious IPs, domains, URLs, and email source code linked to spam and cyber threats. |
Beyond reactive reporting, taking proactive steps to protect your own domain and email infrastructure is vital. Implementing robust email authentication protocols such as SPF, DKIM, and DMARC is the most impactful measure you can take. These protocols help receiving mail servers verify that your emails are legitimate and prevent unauthorized parties from sending emails on your behalf. A good understanding of DMARC, SPF, and DKIM is foundational.
Regularly monitoring your domain's reputation and checking for any appearances on blocklists (blacklists) can give you an early warning of potential abuse. Tools for blocklist monitoring and DMARC monitoring are invaluable for this. Being aware of your standing allows you to quickly address any issues, such as unauthorized use of your domain in phishing campaigns. Learning how to improve your domain reputation is an ongoing process.
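As an added illustration of DMARC monitoring (not code from the original article), this sketch reads a DMARC aggregate report and totals the messages per source IP that failed both SPF and DKIM, which are the sending IPs worth including in an abuse report. The report is constructed sample data in the RFC 7489 aggregate layout, assumed to carry no XML namespace; the function and helper names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def _record(ip, count, dkim, spf):
    # Builds one constructed sample row; not part of any real report tooling.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>legitdomain.com</header_from></identifiers></record>")

# Constructed aggregate report: one authorised sender, one forwarder-like
# source (SPF passes, DKIM fails) and two sources failing both checks.
SAMPLE_REPORT = ("<feedback><policy_published><domain>legitdomain.com</domain>"
                 "<p>none</p></policy_published>"
                 + _record("198.51.100.7", 42, "pass", "pass")
                 + _record("192.0.2.1", 310, "fail", "fail")
                 + _record("203.0.113.9", 5, "fail", "pass")
                 + _record("203.0.113.50", 2, "fail", "fail")
                 + _record("192.0.2.1", 15, "fail", "fail")
                 + "</feedback>")

def unauthorized_sources(report_xml):
    """Return {source_ip: message_count}, highest volume first, for rows
    where neither aligned SPF nor aligned DKIM passed (a DMARC failure)."""
    root = ET.fromstring(report_xml)
    failing = Counter()
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "fail" and evaluated.findtext("spf") == "fail":
            # The same IP can appear in several rows; add the counts together.
            failing[row.findtext("source_ip")] += int(row.findtext("count"))
    return dict(failing.most_common())

if __name__ == "__main__":
    for ip, count in unauthorized_sources(SAMPLE_REPORT).items():
        print(f"{ip}\t{count} messages failed DMARC")
```

Aggregate reports arrive by email from third parties, so in production parse them with a hardened XML parser such as defusedxml rather than the standard library parser used here.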
Lastly, educating your employees and customers about identifying and reporting suspicious emails is a powerful defense. Human vigilance, combined with strong technical measures, creates a robust barrier against email fraud. Clear internal policies for reporting suspicious activity can empower your team to be the first line of defense against these threats.
Benefits of strong email authentication
Enhanced Trust: SPF, DKIM, and DMARC build trust by proving your email's authenticity.
Fraud Prevention: They prevent unauthorized parties from spoofing your domain for fraudulent activities.
Improved Deliverability: Proper authentication signals to receiving servers that your emails are legitimate, improving inbox placement.
Views from the trenches
Best practices
Maintain a clear internal process for employees to report suspicious emails.
Regularly review your DMARC reports for signs of unauthorized domain use.
Ensure all outgoing email streams are properly authenticated with SPF, DKIM, and DMARC.
Educate users about common phishing techniques and how to identify fraudulent emails.
Common pitfalls
Failing to provide full email headers when reporting, leading to unverified claims.
Underestimating the impact of look-alike domains and not reporting them promptly.
Relying solely on one reporting channel instead of leveraging multiple organizations.
Ignoring DMARC reports, missing early indicators of domain abuse.
Expert tips
Use a DMARC monitoring solution to gain visibility into email authentication failures and potential spoofing attempts.
Implement a strict DMARC policy (p=reject) once you are confident in your email authentication.
Collaborate with your IT security team to integrate email fraud reporting into your incident response plan.
Subscribe to threat intelligence feeds to stay updated on new fraud tactics targeting your industry.
Expert view
Expert from Email Geeks says Spamhaus has personnel who can facilitate communication, and it is helpful to provide specific domains and IPs.
2022-03-17 - Email Geeks
Marketer view
Marketer from Email Geeks says it's useful to know if any websites are associated with the fraudulent domains being reported.
2022-03-17 - Email Geeks
Protecting your email ecosystem
Reporting fraudulent emails and domains is a critical component of a comprehensive email security strategy. It not only helps protect your brand and its recipients from direct harm, but also contributes valuable intelligence to organizations working to combat cybercrime on a broader scale. The interconnected nature of email security means that every report helps strengthen the defenses for everyone.
By understanding the process of identifying malicious activity, knowing which organizations to report to (from blocklists like Spamhaus to law enforcement), and implementing strong proactive measures like email authentication, you can significantly reduce your vulnerability to email fraud. This continuous effort is key to maintaining trust and ensuring the integrity of your email communications.
Remember that effective reporting requires thorough documentation, especially the full email headers. This forensic data is what allows security organizations to take decisive action, helping to remove fraudulent entities from the internet and improve overall email deliverability and safety. Understanding how email blocklists work is a crucial part of this protection.