Spamhaus is Evil
...and what that fact reveals about the modern internet. About a month ago, I discovered that one of my domains had been added to a blocklist maintained by The Spamhaus Project. I wasn't too concerned at first — it's not unusual to land on a blocklist if someone in your IP range or a previous owner of your assets (IP, domain, ASN) engaged in suspicious activity. In most cases, the appeal process is straightforward: sometimes it's as easy as visiting a verification page, and in more complex cases, you might have to email the blocklist admins. Spamhaus, however, was a different story entirely.
Are you feeling as good as I am?
You are unbeatable do you understand?
I have one eye on the contraband
and the other on the door, and that's all.
What is Spamhaus?
According to Wikipedia: "The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to track email spammers and spam-related activity. The name Spamhaus, a pseudo-German expression, was coined by Linford to refer to an internet service provider or other firm that spams or knowingly provides service to spammers."
On paper, it's a noble mission. Spamhaus compiles various types of blocklists to help providers keep malicious actors out. Beyond its widely used anti-spam lists, Spamhaus also maintains the BCL (Botnet Controller List) for blocking malware command-and-control servers, and the DBL (Domain Blocklist), which flags phishing and malware-related domains. But the problem becomes clear once you realize how much unchecked authority they wield over the modern internet.
What's the big deal?
Spamhaus claims to protect 4.5 billion users. In other words — it hurts to find yourself on one of their lists. I recently learned this firsthand. On the very day my domain was listed, two things happened: First, an email I sent bounced back with a "poor domain reputation" error. Then, a friend trying to visit my site from public library Wi-Fi was met with a DNS block page stating my domain violated system policy as a "Spam URL."
Ouch. Okay — let's get off this list. Blocklist removals usually aren't hard. Once you prove your innocence, you're typically cleared quickly. Surely Spamhaus just made a mistake, right? Buzzer sound: wrong.
Delisting Hell
The first thing I noticed while filling out the Spamhaus appeal form was its underlying tone: Spamhaus doesn't admit mistakes. Every word suggests that if you're on their list, you are responsible for fixing it. There's no mention of what to do if their system blacklists an innocent domain. I filed a ticket anyway — if only to clear things up.
kloet[.]net
Is in an Internet "neighbourhood" with poor reputation that has shared (or inevitably will share) its negative reputation with your domain. This may be due to the DNS server, hosting service, registrar, IPs used, or a combination of these factors. The domain is not eligible for removal while associated with this neighbourhood. We recommend moving your domain to a hosting network with good reputation.
So essentially, because someone else in my "neighbourhood" misbehaved at some point, my innocent domain is punished. Spamhaus refuses to delist it unless I switch providers. None of my hosting providers tolerate spam — they actively remove it. But that doesn't seem to matter.
According to Spamhaus, services like Njalla have a "poor reputation." Researching further, I found this isn't uncommon: Mynymbox? Bad neighbourhood. Njalla? Bad neighbourhood. Incognet? BAD NEIGHBOURHOOD. The pattern is clear: Spamhaus hates privacy-centric providers. I really do urge you to read up on some of those links... it's ridiculous how much Spamhaus can get away with. More bad behaviour [internal] recorded by Vincent Canfield.
The Authoritative Spamhaus Regime
Hosting and privacy providers have no choice but to appease Spamhaus — because if Spamhaus labels them a "bad neighbourhood," their entire business suffers. Even when operators comply fully, Spamhaus can act arbitrarily and arrogantly. They wield enormous, unaccountable power over vast portions of the internet. Spamhaus isn't just fighting spam — it's shaping who gets to exist online.
The Bigger Problem
The core issue isn't just Spamhaus — it's that such power exists at all. DNS was never designed for the systems we've built atop it. It was supposed to be distributed, redundant, and trustworthy. But modern trust has been outsourced to a handful of centralized entities that decide who is "good" and who is "bad." Spamhaus is simply the most visible example of this privatized enforcement.
When a single organization's judgment can cut a domain off from global communication, we've lost decentralization. We've built a centralized enforcement layer, disguised as "security." Spamhaus, Google Safe Browsing, Microsoft SmartScreen — all run private trust lists that can instantly destroy a domain's reputation. These systems catch real threats — but they also punish countless innocent users with little hope of appeal.
The Illusion of "Community Trust"
These reputation systems are presented as neutral, data-driven, and community-based. They are not. In reality, they rely on private judgment calls with no oversight, transparency, or appeal process. If Spamhaus labels a provider as a "bad neighbourhood," thousands of unrelated sites can go dark overnight. And the public rarely ever hears about it.
The early internet was resilient because it was decentralized — if one provider banned you, you could migrate elsewhere. Today, Spamhaus's DBL and SBL lists are queried by nearly every major mail server, DNS resolver, and host worldwide. Getting caught in their net doesn't just harm your reputation; it erases your presence from the modern web.
Accountability in Name Only
Spamhaus often tells affected users to "move to a better neighbourhood." That's like telling a wrongly blacklisted homeowner to move houses. The burden of their mistakes falls entirely on the victim. Spamhaus isn't a government body, regulator, or democratic institution — there's no structured oversight or appeals process. You either comply or disappear.
This model rewards conformity and punishes privacy. Services that support anonymous domain registration, free expression, or alternative infrastructure are deemed suspicious by default. Under the guise of "security," these lists quietly enforce censorship and conformity.
Why This Matters
The root problem isn't just Spamhaus — it's the centralization of trust itself. DNS, email routing, and IP reputation have become choke points controlled by a few powerful actors. The decisions of one private entity ripple across billions of users. That one organization can effectively "unhost" you from the internet is not just unfair — it's fundamentally incompatible with a free and open web.
Toward a Better Internet
Ironically, the portion of the internet most criticized by the mainstream — the dark web — upholds many of the principles the surface web has lost. Networks like Tor and I2P empower users by eliminating centralized points of failure. There are no universal blocklists, no "bad neighbourhoods," and no sole authority that decides whether your site deserves to exist. Reputation evolves organically through communities and voluntary trust systems.
The dark web can be slow and sometimes chaotic, but its architecture embodies the decentralization the internet was meant to have. Each site or hidden service is self-contained and independent. If your clearnet domain gets delisted or censored, your onion or eepsite stays online. No central gatekeeper dictates who speaks — a vision much closer to what the internet's founders originally intended.
WE DO NOT NEGOTIATE WITH TERRORISTS
So what will I do about my Spamhaus listing? NOTHING.
