

Spamhaus DROP list implementation for Windows Advanced Firewall

The DROP (Spamhaus Don't Route Or Peer) list is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS-based list. It is designed to be downloaded as a file, primarily so that the user of the DROP list can install it in their firewall.

Though I've found a lot of support for compiling the DROP list for alternative operating systems, I've found support to be lacking on the internet for implementation with Windows servers without a hardware firewall.

This list is free to most users.  As stated on their web site: "The DROP list contains network ranges which can cause so much damage to internet users that Spamhaus provides it to all, free-of-charge, to help mitigate this damage."  

"When implemented at a network or ISP's 'core routers', DROP and EDROP will help protect the network's users from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks."

The following instructions will allow a web server using Windows Advanced Firewall to take advantage of Spamhaus DROP lists.  


This script has been modified from the original code to output netsh commands, replacing the original iptables output.

Create a file called "pulldrop.php" with the following code:


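<?php
/**
 * SpamHaus DROP Tool v0.1
 * Written by Rick Hodger <rick@fuzzi.org.uk>
 * http://www.potato-people.com/
 * DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting
 * of stolen 'zombie' netblocks and netblocks controlled entirely by professional
 * spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and
 * routing equipment.
 * http://www.spamhaus.org/drop/
 * This tool will download and parse the Spamhaus DROP list into IPTables rules or
 * a Cisco compatible access control list.
 * Usage: Execute from the command line.
 * Examples:
 *         php spamhausdrop.php iptables
 *         php spamhausdrop.php cisco 10
 */

// Split "a.b.c.d/n" into the network address and its dotted-quad subnet mask.
function getSubnetMask($cidr) {
    list($network,$mask)=explode('/',$cidr);
    $bin='';
    for($i=1;$i<=32;$i++) {
        $bin .= $mask >= $i ? '1' : '0';
    }
    $subnet=long2ip(bindec($bin));
    return array($network,$subnet);
}

// Convert a subnet mask into the inverse (wildcard) mask used by Cisco ACLs.
function subnet2wildcard($subnet) {
    $x=ip2long($subnet);
    $z=ip2long('255.255.255.255');
    return long2ip($z-$x);
}

if ($argc==1) {
    die("$argv[0] [iptables|cisco] [extraoptions]\n");
} else {
    $mode=$argv[1];
    switch($mode) {
        case "iptables":
            break;
        case "cisco":
            if ($argc==2) {
                die("$argv[0] cisco [accesslistid]\n");
            } else {
                $aclid=$argv[2];
            }
            break;
        default:
            die("$argv[0] [iptables|cisco] [extraoptions]\n");
    }
}

// Assumed location of the DROP text file; see http://www.spamhaus.org/drop/ for the current URL.
$drop=file('https://www.spamhaus.org/drop/drop.txt');
if ($drop===false) {
    // Report on stderr so the message never ends up in the redirected batch file.
    fwrite(STDERR,"Could not download the DROP list.\n");
    exit(1);
}

foreach($drop as $line) {
    $line=trim($line);
    // Skip blank lines and ";" comment lines.
    if (!empty($line) && substr($line,0,1)!==';') {
        list($cidr,$sbl)=explode(" ; ",$line);
        switch($mode) {
            case "iptables": // mode name kept from the original; the output is netsh
                echo "netsh advfirewall firewall add rule name=SpamhausDROP dir=in action=block remoteip=$cidr\n";
                break;
            case "cisco":
                $x=getSubnetMask($cidr);
                if ($aclid <= 99) {
                    echo "access-list $aclid deny $x[0] ".subnet2wildcard($x[1])."\n";
                } else {
                    // Extended ACL (IDs above 99): assumed syntax, source block to any destination.
                    echo "access-list $aclid deny ip $x[0] ".subnet2wildcard($x[1])." any\n";
                }
                break;
        }
    }
}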



Create a file called "SpamhausDROP.bat" in the same path with the following code:

netsh advfirewall firewall delete rule name="SpamhausDROP"
php pulldrop.php iptables > dropcompiled.bat
call dropcompiled.bat


Create a task in Windows Task manager to call "SpamhausDROP.bat" no more than once per hour, as per Spamhaus terms. (Recommended: once per day.)

First, the SpamhausDROP.bat deletes all of the "old" rules, all named SpamhausDROP.
Second, it compiles the Spamhaus drop file into "netsh advfirewall" commands, inside dropcompiled.bat.
Finally, the new dropcompiled.bat file is run, adding all of the new Microsoft Windows Advanced Firewall rules.
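
Because dropcompiled.bat is executed as generated, every line of the downloaded list ends up on a command line. The following added example (not part of the original script or of Rick Hodger's code) validates each entry as an IPv4 CIDR before emitting a netsh command, and produces no rules at all if any line is malformed or the list is empty. The function names, the /8 lower bound on the prefix length and the sample lines are assumptions made for illustration.

```php
<?php
// Added example, not the original author's code.
// Return "a.b.c.d/n" when $entry is a well-formed IPv4 CIDR, otherwise null.
function validCidr($entry) {
    if (!preg_match('/^(\d{1,3}(?:\.\d{1,3}){3})\/(\d{1,2})$/', $entry, $m)) {
        return null;
    }
    $bits = (int)$m[2];
    // filter_var() rejects octets above 255; the /8 floor is an assumed sanity limit.
    if (filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false
        || $bits < 8 || $bits > 32) {
        return null;
    }
    return $m[1] . '/' . $bits;
}

// Build every netsh command, or throw without returning a partial rule set.
function buildRules(array $lines) {
    $rules = array();
    foreach ($lines as $n => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';') {
            continue; // blank line or comment
        }
        $parts = explode(';', $line, 2); // drop the "; SBLnnn" annotation
        $cidr = validCidr(trim($parts[0]));
        if ($cidr === null) {
            throw new RuntimeException('line ' . ($n + 1) . ' is not an IPv4 CIDR');
        }
        $rules[] = 'netsh advfirewall firewall add rule name=SpamhausDROP'
                 . " dir=in action=block remoteip=$cidr";
    }
    if (count($rules) === 0) {
        throw new RuntimeException('no entries parsed');
    }
    return $rules;
}

// Constructed sample in the DROP text format; the last line is malformed.
$sample = array(
    '; constructed sample, not real DROP data',
    '192.0.2.0/24 ; SBL000001',
    '198.51.100.0/24 & echo injected ; SBL000002',
);
try {
    echo implode("\n", buildRules($sample)), "\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, 'refusing to write rules: ' . $e->getMessage() . "\n");
    exit(1);
}
```

Since the script exits non-zero and prints no rules when validation fails, a batch file can generate dropcompiled.bat first and delete the old SpamhausDROP rules only if that step succeeded.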

The PHP script can also be called to create Cisco access control lists using the command line: php pulldrop.php cisco 67 > cisco.acl

PHP v5.3+
Free or paid access to Spamhaus DROP list
1 Comment

Author Comment

by:Shaun Rieman
I'll expand on it as soon as possible.  Thank you!
