Spamhaus DROP list implementation for Windows Advanced Firewall

Published on
9,302 Points
Last Modified:
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intentions being that the user of the DROP list will install it within their firewall.

Though I've found a lot of support to compile to drop list into alternative operating systems, I've found support to be lacking on the internet for implementation with Windows servers, without a hardware firewall.

This list is free to most users.  As stated on their web site: "The DROP list contains network ranges which can cause so much damage to internet users that Spamhaus provides it to all, free-of-charge, to help mitigate this damage."  

"When implemented at a network or ISP's 'core routers', DROP and EDROP will help protect the network's users from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks."

The following instructions will allow a web server using Windows Advanced Firewall to take advantage of Spamhaus DROP lists.  


This script has been modified from the original code to output netsh commands, replacing the original iptables output.

Create file called "pulldrop.php" with the following code:


 * SpamHaus DROP Tool v0.1
 * Written by Rick Hodger <rick@fuzzi.org.uk>
 * http://www.potato-people.com/
 * DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting
 * of stolen 'zombie' netblocks and netblocks controlled entirely by professional
 * spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and
 * routing equipment.
 * http://www.spamhaus.org/drop/
 * This tool will download and parse the Spamhaus DROP list into IPTables rules or 
 * a Cisco compatible access control list.
 * Usage: Execute from the command line.
 * Examples:
 *         php spamhausdrop.php iptables
 *         php spamhausdrop.php cisco 10

function getSubnetMask($cidr) {
    for($i=1;$i<=32;$i++) {
        $bin .= $mask >= $i ? '1' : '0';
    return array($network,$subnet);

function subnet2wildcard($subnet) {
    return long2ip($z-$x);

if ($argc==1) {
    die("$argv[0] [iptables|cisco] [extraoptions]\n");
} else {
    switch($mode) {
        case "cisco":
            if ($argc==2) {
                die("$argv[0] cisco [accesslistid]\n");
            } else {


foreach($drop as $line) {
    if (!empty($line) && substr($line,0,1)!==';') {
        list($cidr,$sbl)=explode(" ; ",$line);
        switch($mode) {
            case "iptables":
                echo "netsh advfirewall firewall add rule name=SpamhausDROP dir=in action=block remoteip=$cidr\n";
            case "cisco":
                if ($aclid <= 99) {
                    echo "access-list $aclid deny $x[0] ".subnet2wildcard($x[1])."\n";


Open in new window

Create file called "SpamhausDROP.bat" with the following code in the same path:

netsh advfirewall firewall delete rule name="SpamhausDROP"
php pulldrop.php iptables > dropcompiled.bat
call dropcompiled.bat

Open in new window

Create task in Windows Task manager to call "SpamhausDROP.bat" no more than once per hour as of Spamhaus terms.  (Recommended once per day)

First, the SpamhausDROP.bat deletes all of the "old" rules, all named SpamhausDROP.
Second, it compiles the Spamhaus drop file into "netsh advfirewall" commands, inside dropcompiled.bat.
Finally, the new dropcompiled.bat file is run, adding all of the new Microsoft Windows Advanced Firewall rules.

The PHP script can also be called to create Cisco access control lists using the command line: php pulldrop.php cisco 67 > cisco.acl

PHP v5.3+
Free or paid access to Spamhaus DROP list
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free