The Spamhaus Project

The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to track email spammers and spam-related activity.

The XBL includes information gathered by Spamhaus as well as by other contributing DNSBL operations such as the Composite Blocking List (CBL).

Examples of such are an ISP's core routers, corporate users required by policy to send their email via company servers, and unassigned IP addresses.

The Combined Spam Sources (CSS)[12] is an automatically produced dataset of IP addresses that are involved in sending low-reputation email.

Listings can be based on HELO greetings without an A record, generic-looking rDNS, or use of fake domains, any of which could indicate spambots or server misconfiguration.

It lists IP addresses that Spamhaus personnel believe to be operated by cybercriminals for the exclusive purpose of hosting botnet command-and-control infrastructure.

The Spamhaus DROP ("Don't Route Or Peer") lists are JSON files delineating CIDR blocks and ASNs that have been stolen or are otherwise "totally controlled by spammers or 100% spam hosting operations".
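As an added example (not Spamhaus code), this is how a consumer of a DROP-style list might load the JSON and test addresses against the listed CIDR blocks and ASNs. The one-object-per-line layout, the field names `cidr`, `asn` and `type`, the sample records, and the helpers `load_drop` and `is_dropped` are assumptions made for this illustration.

```python
import ipaddress
import json

# Constructed sample, one JSON object per line. Field names ("cidr", "asn",
# "type") and ids are assumptions; addresses/ASN are documentation ranges.
SAMPLE_DROP = """\
{"cidr": "192.0.2.0/24", "id": "EXAMPLE-1"}
{"cidr": "198.51.100.128/25", "id": "EXAMPLE-2"}
{"cidr": "2001:db8:bad::/48", "id": "EXAMPLE-3"}
{"asn": 64500, "id": "EXAMPLE-4"}
{"cidr": "203.0.113.7/24", "id": "EXAMPLE-BAD-HOST-BITS"}
{"type": "metadata", "records": 4}
truncated-line-not-json
"""

def load_drop(text):
    """Parse a DROP-style list into (networks, asns), skipping unusable lines."""
    networks, asns = [], set()
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or corrupted line
        if not isinstance(rec, dict) or rec.get("type") == "metadata":
            continue
        try:
            if "cidr" in rec:
                # strict=True rejects entries with host bits set, so a
                # malformed entry is skipped rather than silently normalised.
                networks.append(ipaddress.ip_network(str(rec["cidr"]), strict=True))
            elif "asn" in rec:
                asns.add(int(rec["asn"]))
        except (ValueError, TypeError):
            continue
    return networks, asns

def is_dropped(ip, networks, asns, origin_asn=None):
    """True if ip lies in a listed block or its origin ASN is listed."""
    addr = ipaddress.ip_address(ip)
    if any(addr.version == net.version and addr in net for net in networks):
        return True
    return origin_asn is not None and origin_asn in asns

if __name__ == "__main__":
    nets, asns = load_drop(SAMPLE_DROP)
    for ip, asn in [("192.0.2.77", None), ("198.51.100.5", None),
                    ("2001:db8:bad:1::1", None), ("203.0.113.9", 64500)]:
        print(ip, asn, "DROP" if is_dropped(ip, nets, asns, asn) else "pass")
```

The `origin_asn` argument has to come from the caller's own routing data, since an address alone does not reveal its origin AS.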

At the core is the Spamhaus Project SLU,[19] a not-for-profit company based in Andorra which tracks spam sources and cyber threats such as phishing, malware and botnets and publishes free DNSBLs.

In September 2006, David Linhardt, the owner-operator of American bulk-emailing company "e360 Insight LLC",[4] filed a lawsuit in Illinois, USA, against Spamhaus in the UK for blacklisting his bulk mailings.

Kocoras concluded, "[w]hile we will not condone or tolerate noncompliance with a valid order of this court [i.e., Spamhaus' refusal to satisfy the default judgement] neither will we impose a sanction that does not correspond to the gravity of the offending conduct".

[32][33] In 2007, Chicago law firm Jenner & Block LLP took up Spamhaus's case pro bono publico and successfully appealed the default ruling.

Following the successful appeal by Jenner & Block LLP, in 2010 Judge Kocoras reduced the $11.7 million damages award to $27,002:[34] $1 for tortious interference with prospective economic advantage, $1 for claims of defamation, and $27,000 for "existing contracts".

Finally, on 2 September 2011 the Illinois court reduced the damages award to just $3 (three dollars) total, and ordered the plaintiff e360 to pay to Spamhaus the costs of the appeal for the defence.

[37] In the course of these proceedings, in January 2008 e360 Insight LLC filed for bankruptcy and closed down, citing astronomical legal bills associated with this court case as the reason for its demise.

[47] Shortly afterwards, beginning on March 18,[48] Spamhaus was the target of a distributed denial of service (DDoS) attack exploiting a long-known vulnerability in the Domain Name System (DNS) which permits origination of massive quantities of messages at devices owned by others using IP address spoofing.

Steve Linford, chief executive for Spamhaus, said that they had withstood the attack, using the assistance of other internet companies such as Google to absorb the excess traffic.

[59] In 2018, The Spamhaus Project was sued by Netirons LLC, Fiber Grid, and Sonjara Oü, three internet service providers operating in Europe and the United States.

Spamhaus had unilaterally blacklisted their domain "webexxpurts" and multiple IP addresses, effectively cutting them off from key online services and damaging their business reputation.

Despite multiple legal appeals between 2019 and 2021, Spamhaus was repeatedly found in violation of the ruling, leading to increasing financial penalties.

The ruling reinforced that organizations like Spamhaus do not have the unchecked power to blacklist businesses arbitrarily and harm their operations without legal consequences.

Diagram showing the role of open resolvers, improperly configured servers vulnerable to IP address spoofing[43][44]