Spamhaus, Barracuda, SORBS: How to Get Off a Blacklist (Step by Step)
Your IP just landed on Spamhaus. Half your mail is bouncing. Panic is not a plan. Here is the calm, ordered process to delist and stay off.
Three things will happen during the working life of any email infrastructure team. You will get a database corruption. You will get a misdirected campaign that hits the wrong list. And you will, eventually, find your sending IP on a blacklist. Spamhaus, Barracuda and SORBS are the three names that come up 90% of the time. Each works differently. Each requires a slightly different delisting approach.
This article gives you the exact procedure: how to detect the listing, find the root cause, request delisting from each provider, and stay off. Spoiler: the delisting itself takes hours. The root-cause work takes days. Skip it and you will be relisted within a week.
Detecting the Listing
You usually find out from your bounces. The signature SMTP reply is:
554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using
Spamhaus; see https://www.spamhaus.org/lookup/?ip=203.0.113.10Confirm with an authoritative checker:
dig +short 10.113.0.203.zen.spamhaus.org # Spamhaus
dig +short 10.113.0.203.b.barracudacentral.org # Barracuda
dig +short 10.113.0.203.dnsbl.sorbs.net # SORBSThe IP octets are reversed in the query — that is normal for DNSBL lookups. A returned A record (typically 127.0.0.2 through 127.0.0.10) means listed. NXDOMAIN means clean.
Understanding What Each List Is
Spamhaus
The Zen blocklist aggregates four sub-lists: SBL (spam sources), XBL (botnet/exploited hosts), PBL (residential/dynamic IP space) and DBL (domains used in spam). The return code tells you which one matched:
| Code | List | Meaning |
|---|---|---|
| 127.0.0.2 | SBL | Confirmed spam source |
| 127.0.0.3 | SBL CSS | Snowshoe/automated |
| 127.0.0.4 | XBL | Botnet / compromised |
| 127.0.0.10 | PBL | Should not be sending mail |
| 127.0.0.11 | PBL ISP | ISP says do not send |
Barracuda
Barracuda Central uses telemetry from their appliances. They list aggressively but also delist quickly. The bar is "we observed spam-like traffic from this IP".
SORBS
SORBS has historically been the most opaque. They run several lists (DNSBL, Spam, Web, Misc). Listings are sometimes very old and very sticky. Delisting can take 7-14 days.
Step 1: Stop the Bleeding
Before you request delisting, stop sending from the listed IP. Yes, all of it. If you keep sending while listed:
- The blacklist re-confirms your IP every time receivers query it.
- Your bounce log grows hugely, making root-cause harder.
- You burn reputation on every other list that has not listed you yet.
Route traffic to a fallback IP. If you have none, queue locally and pause delivery. Do not panic-send.
Step 2: Identify the Root Cause
Delisting without root cause is pointless — you will be back on the list within a week. The most common causes:
- A bad import re-activated suppressed hard-bounced addresses.
- A compromised account or API key is sending unauthorised mail.
- A new vendor is sending on your IP without consent records.
- Spam traps in your list (recycled or pristine).
- Sudden volume spike triggering pattern-based detection.
Cross-reference: bounce log for the past 7 days, complaint rate (FBL data and Postmaster Spam Rate), authentication failures, list growth events.
Step 3: Spamhaus Delisting
Visit https://www.spamhaus.org/lookup/. Enter your IP. The page shows which list matched and offers a "Request removal" link.
The removal form asks four questions:
- What caused the listing?
- What have you done to fix it?
- What controls prevent recurrence?
- Reachable abuse contact?
Be specific. Spamhaus reviewers read these. A response like "we found a compromised API key on 2026-05-12 14:30 UTC that sent 240,000 unauthorised messages, we rotated keys at 14:42, added rate limiting per key, and abuse mail goes to abuse@example.com" is good. A response like "we fixed it" gets ignored.
Decision time: usually 24-48 hours for first listing, shorter if your history is clean.
Step 4: Barracuda Delisting
Visit https://barracudacentral.org/rbl/removal-request. Less detailed form. Often delisted within 12 hours. If listed twice within 90 days, expect a longer wait and a manual review email.
Step 5: SORBS Delisting
Visit https://www.sorbs.net/delisting/dnsbl. Identify which sub-list matched (the lookup tool will tell you). Each sub-list has its own removal procedure:
- DNSBL: standard removal form.
- Spam list: requires proof of remediation, slow.
- Web list: usually triggered by an open relay or compromised webform. Fix the underlying issue first.
Step 6: The Other Lists
If you got listed on the big three you are usually on the smaller ones too: Invaluement, UCEPROTECT, Mailspike. Their listings often clear automatically once you stop sending bad traffic, but check:
for bl in zen.spamhaus.org b.barracudacentral.org dnsbl.sorbs.net
ivmsip.invaluement.com dnsbl-1.uceprotect.net bl.mailspike.net
do
result=$(dig +short 10.113.0.203.$bl)
echo "$bl: ${result:-clean}"
doneStep 7: Warm Back Up
Even after delisting, receivers remember. Send at 20% of normal volume for the first 48 hours, doubling every two days until baseline. Send to your most engaged recipients first.
The Prevention Plan
Once you are clean, put these guardrails in place:
- Hard cap on outbound volume per minute and per recipient domain.
- Automated blacklist check every 15 minutes; auto-pause sending if listed.
- Per-account complaint rate threshold; auto-suspend at 0.3%.
- Suppression list is append-only; no "manual re-enable" without double opt-in.
- Daily reconciliation between auth logs and outbound volume per API key.
Stay-Off Checklist
- SPF, DKIM, DMARC aligned and passing.
- MTA-STS in enforce.
- Reverse DNS matches sending hostname.
- HELO/EHLO matches reverse DNS.
- Abuse mailbox monitored (FBL receivers will email).
- Postmaster Tools enrolled for all major receivers.
- Rate limit per recipient domain (Gmail: 5/sec, Outlook: 10/sec, others: 20/sec).
When to Ask for Help
If your IP has been listed on Spamhaus SBL three times in 12 months, the problem is not delisting — it is your infrastructure. Either you have a recurring abuse vector (compromised credential, unmonitored vendor) or you are sending traffic that consistently looks abusive (cold lists, scraped contacts, re-engagement of dead leads). No delisting form fixes that.
Target SMTP runs blacklist checks every 5 minutes and auto-pauses sending on listing, with one-click delisting requests submitted from the dashboard. The Send-Time Firewall enforces the per-recipient and per-domain rate limits that prevent the listing in the first place — and refuses to send to recently-bounced addresses that would otherwise re-trigger the bad pattern.