Brand & Domain Reputation · Updated 2026-05-02
IP Blocklist Status
IP-level reputation across Spamhaus ZEN (PBL/SBL/XBL), Barracuda, SpamCop. SBL/XBL = 15 pt penalty; deductions stack to 30 max.
IP Blocklist Status checks the IPs your domain resolves to against major IP-level reputation feeds. This is distinct from Domain Blocklist Status: that one looks at the domain name; this one looks at the underlying IPs. An IP listing usually indicates the host itself has been used for malicious activity (compromised box, botnet member, spam source) or sits in a range that should not directly serve mail. CDN-fronted domains often inherit listings from shared infrastructure rather than from anything you control.
How the check works
Per resolved IPv4 address, three lists are queried in parallel. Penalties stack but cap at the 30-point weight:
- Spamhaus ZEN: combined feed across PBL (Policy Block List, IPs that should not send mail), SBL (manually-curated spam sources), and XBL (automated detection of compromised hosts, botnets, open proxies). SBL or XBL listing: 15 pt penalty (reason: spamhaus_zen_sbl_xbl). PBL only: 5 pt penalty (reason: spamhaus_zen_pbl).
- Barracuda Reputation Block List: 8 pt penalty if any IP listed (reason: barracuda_ip_listed).
- SpamCop: 7 pt penalty if any IP listed (reason: spamcop_ip_listed).
Score = (30 - total penalty) / 30. Verdict via the standard CT composite mapping. Evidence includes a per-IP breakdown and a CDN context hint when the host's responses suggest a CDN edge.
How the verdict maps to evidence
- Pass: clean across all queried lists.
- Warn: PBL-only listing, or single moderate listing (Barracuda or SpamCop alone).
- Fail: SBL/XBL listing, or stacked listings dropping the score.
Evidence shows ip_results per IP (which lists matched, which kind of ZEN entry), plus a CDN hint flagging when the listing may reflect shared CDN infrastructure rather than your origin.
Special states
- Deferred: no resolved IPv4 addresses available. Either DNS resolution failed, or your hosts are IPv6-only. The check defers without scoring.
Fix by listing tier
Spamhaus ZEN: SBL or XBL (critical)
SBL means Spamhaus has manually identified your IP as a known spam source. XBL means automated systems detected the host running malware, an open proxy, or a botnet C2 endpoint. Both indicate the host itself has been compromised or misused. Investigate before requesting removal:
- Audit the host for compromise: unauthorized SSH keys, unusual outbound connections, processes you do not recognize, modified system binaries, recent file changes outside your deployment paths.
- Run rkhunter, chkrootkit, or your EDR to look for active compromise.
- Check outbound mail logs for spam being sent from the host without your knowledge.
- If you cannot find the cause, treat the host as compromised: rebuild from a known-good image, restore data carefully, rotate credentials.
- After remediation, request removal at https://check.spamhaus.org/. Spamhaus reviews removal requests; do not request before you have actually fixed the underlying issue or you will be re-listed and removal becomes harder.
Spamhaus ZEN: PBL only (low severity)
PBL is the Policy Block List: IPs that should not be sending direct mail. It includes consumer broadband ranges, dynamic IPs, and end-user-allocated VPS pools. It does NOT mean your IP did anything wrong; it means your ISP or hosting provider has declared the range unsuitable for direct mail.
- If your host is not sending mail (web-only, API, etc.), PBL listing is acceptable; no action required beyond awareness.
- If your host IS sending mail, your hosting provider needs to declare this IP as a designated mail server. Contact your provider; they can request the IP be removed from PBL or moved to a non-PBL pool.
- Alternative: route outbound mail through a dedicated SMTP relay (SendGrid, Postmark, AWS SES, etc.) so the apparent sender IP is the relay's, not your hosting IP.
Barracuda IP listing
Submit a removal request at http://www.barracudacentral.org/lookups. Barracuda evaluates the IP's recent behavior; once activity stabilizes, removal is granted. Address the cause first.
SpamCop IP listing
SpamCop listings auto-expire 24 hours after the last spam report referencing the IP. Investigation: check whether your IP is sending spam (compromise) or is being used for legitimate mail that is being incorrectly reported (mailing list, transactional sender). Stop the source; the listing clears within 1-2 days.
If your host is behind a CDN
When your domain resolves to Cloudflare, CloudFront, or another CDN's IP, blocklist hits at that IP usually reflect shared infrastructure rather than something you did. The check flags this in the cdn_context field of evidence. Two scenarios:
- Your domain is fully behind the CDN. The CDN provider monitors and manages their IP reputation; listings on Cloudflare, CloudFront, or Fastly IPs are generally noise from a single bad customer at the same edge node, and the CDN handles delisting. Check with your provider only if persistent.
- Origin IP exposed alongside the CDN. If your real origin IP is reachable directly (see Origin IP Exposure), the listing may be on YOUR origin, not the CDN. The CDN context hint is just a possible explanation; verify by checking which IP is listed against which hosts in your zone.
Verify the fix
- Per-IP spot check. For each listed IP: dig +short <reversed-octets>.zen.spamhaus.org (for 192.0.2.10 the query name is 10.2.0.192.zen.spamhaus.org). Returns nothing = not listed. Same pattern for b.barracudacentral.org and bl.spamcop.net.
- MXToolbox blacklist check (https://mxtoolbox.com/blacklists.aspx) accepts an IP as input and shows status across many lists in one view.
- After removal request, allow up to 24 hours for DNS propagation of the delisting.
- Re-run the RedScore lookup. The score recovers as listings clear.
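The per-IP spot check above and the penalty stacking from "How the check works", as an added example (not RedScore's own code): it builds the DNSBL query names, interprets the A-record answers, and reproduces the score. Function names are hypothetical. It assumes the ZEN penalty is taken once across all IPs, and uses Spamhaus's published return codes (127.0.0.2/3/9 SBL, 127.0.0.4-7 XBL, 127.0.0.10/11 PBL, 127.255.255.x query errors).

```python
import ipaddress

ZONES = {"zen": "zen.spamhaus.org", "barracuda": "b.barracudacentral.org",
         "spamcop": "bl.spamcop.net"}

def query_name(ip, zone):
    """192.0.2.10 + zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects non-IPv4 input
    return ".".join(reversed(octets)) + "." + zone

def classify_zen(answers):
    """Map ZEN A-record answers to 'sbl_xbl', 'pbl', 'error' or None (clean)."""
    kinds = set()
    for answer in answers:
        if answer.startswith("127.255.255."):
            return "error"  # query refused (public resolver, rate limit): not a listing
        if not answer.startswith("127.0.0."):
            continue
        code = int(answer.rsplit(".", 1)[1])
        if code in (2, 3, 9) or 4 <= code <= 7:  # SBL, SBL CSS, DROP, XBL
            kinds.add("sbl_xbl")
        elif code in (10, 11):                   # PBL
            kinds.add("pbl")
    return "sbl_xbl" if "sbl_xbl" in kinds else "pbl" if "pbl" in kinds else None

def listed(answers):
    """Any 127.0.0.x answer from Barracuda or SpamCop counts as a listing."""
    return any(a.startswith("127.0.0.") for a in answers)

def score(results):
    """results: {ip: {list: [answers]}} -> (score, reasons, inconclusive_ips)."""
    zen, inconclusive = set(), []
    for ip, lists in results.items():
        kind = classify_zen(lists.get("zen", []))
        if kind == "error":
            inconclusive.append(ip)  # re-query through your own resolver
        elif kind:
            zen.add(kind)
    penalties = []
    if "sbl_xbl" in zen:
        penalties.append((15, "spamhaus_zen_sbl_xbl"))
    elif "pbl" in zen:
        penalties.append((5, "spamhaus_zen_pbl"))
    if any(listed(l.get("barracuda", [])) for l in results.values()):
        penalties.append((8, "barracuda_ip_listed"))
    if any(listed(l.get("spamcop", [])) for l in results.values()):
        penalties.append((7, "spamcop_ip_listed"))
    total = min(sum(p for p, _ in penalties), 30)  # deductions cap at the 30 pt weight
    return (30 - total) / 30, [r for _, r in penalties], inconclusive

# Constructed sample answers for documentation IPs, not real lookups.
SAMPLE = {"192.0.2.10": {"zen": ["127.0.0.10"]},
          "192.0.2.11": {"zen": ["127.0.0.4", "127.0.0.11"], "barracuda": ["127.0.0.2"]},
          "192.0.2.12": {"zen": ["127.255.255.254"]}}
```

A 127.255.255.x answer from dig is not a listing: it means the query was refused, typically because it went through a public resolver, so repeat the lookup through a resolver you operate before trusting either result.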
Common pitfalls
- Removing listing without removing cause. The IP gets re-listed within hours. Investigate compromise first; remove second.
- PBL-only listing on a host that doesn't send mail: ignore. PBL is purely a directive about mail-sending policy. Web hosts in PBL ranges are fine.
- Shared hosting collateral. If your IP is shared with another tenant who got listed, you may have to migrate to a dedicated IP or accept the score impact. Most reputable hosts handle this proactively.
- Cloud autoscaling rotating IPs. New EC2/Cloud Run/etc. IPs may have been someone else's spam source yesterday. Check IP reputation as part of new-host provisioning; rotate again or request removal.
- Multiple IPs listed but only one was probed. The check samples up to a cap of resolved IPs; not every IP your domain returns may be in the sample. Audit all DNS A records to find every listed IP.
- Spamhaus PBL on a designated mail server. If your host is intentionally sending mail and PBL-listed, the listing IS a problem because receivers may reject mail from PBL-listed IPs. Request removal via your hosting provider.