Resources
Get the most from the Spamhaus Threat Intel Community Portal, with the latest news, blog posts, how-to guides and videos.
Domain Reputation Update Apr 2024 - Sept 2024
10 DNS best practices to keep your Domain Reputation in check
Poor DNS hygiene can leave your organization vulnerable to subDoMailing, DNS spoofing, domain hijacking and other threats. In addition to putting domain security at risk, these vulnerabilities can have long-term effects on domain reputation. Here are ten DNS best practices businesses can implement to protect their domains and their entire business.
Markmonitor webinar | League Table Talk: Ranking ccTLDs on DNS Abuse
In this Markmonitor webinar, Spamhaus' Carel Bitter joins Georgia Osborn, Senior Research Analyst at the DNS Research Federation, and Chris Niemi, Manager of Strategic Initiatives at Markmonitor, to discuss ccTLDs in the larger context of DNS Abuse.
A misuse of Spamhaus blocklists: PART 2 - How to limit outbound spam
If you’ve skipped the first part of this series, we strongly recommend you go and read this blog first (link below), to understand the misuse of Spamhaus blocklists to block outbound mail. However, if you provide a mail service and want to learn specifically how to limit your outbound spam, read on.
A misuse of Spamhaus blocklists: PART 1 - blocking outbound email
One issue our folks handling tickets submitted by blocked users experience is messages like: Help! My IP is listed by Spamhaus and now I can’t send emails! My provider is rejecting all my emails! You may be asking “Is this not exactly what is supposed to happen in case of a listing?”. Surprisingly, the answer is “No, it is not!” This is a misuse of our blocklists.
If you query the legacy DNSBLs via GoDaddy move to Spamhaus Technology’s free Data Query Service
Currently accessing the free legacy DNS Blocklists (DNSBLs) via the Public Mirrors, and using GoDaddy's network? You'll need to make some minor changes to your email infrastructure. The changes are simple to implement, but if you fail to do so, you could find that at some point post-September 26th 2024, all or none of your email is blocked!
Too big to care? - Our disappointment with Cloudflare’s anti-abuse posture
Cloudflare, best known for its content delivery network (CDN), is marketed as a “Connectivity Cloud”. Part of its offering is protecting a vast number of websites from DDoS attacks [1]. However, its attitude to abuse management and prevention proves a point of contention and we urge Cloudflare to review its anti-abuse policies.
Living-Off-Trusted-Sites (LOTS) or should we say services?
"Living Off-Trusted Sites (LOTS)" is not a new cybercrime tactic, but it continues to pose a significant threat. Join us as we explore the evolution of LOTS, its impact on online trust and safety, and the crucial role the community plays in disrupting the activities of those who engage in these deceptive tactics.
Dangling DNS and the dangers of subdomain hijacking
DNS attacks are becoming increasingly prevalent, with 90% of organizations experiencing them, as per the IDC Threat Intelligence Report 2023. Due to its critical function, DNS is a frequent target for cybercrime, including DDoS attacks, DNS spoofing and DNS hijacking. However, a lesser-known but significant threat is the dangling DNS record - read on to learn more.
Botnet Threat Update January to June 2024
Amazon SES works with Spamhaus to protect its network and reputation
Maintaining a reputable network for reliable service without problems is EVERYTHING to email service provider Amazon Simple Email Service (SES). Proactively managing millions of IPs and domains, SES is committed to delivering exceptional service and deliverability. Learn more about how SES works with Spamhaus to protect its network and reputation when at risk.
ESPs: Why IP and Domain Reputation Matter and How to Manage Them
Maintaining a positive IP and domain reputation is essential for email service providers (ESPs) aiming to offer a successful email sending service. In this blog, we will explore the key principles and best practices that ESPs should follow to effectively manage and enhance their IP and domain reputation, ultimately driving customer success and business growth.
Manage IP & domain reputation wisely - they're valuable assets!
Trust. That’s a word with huge connotations. The Oxford Languages defines it as: believe in the reliability, truth, or ability of. But how can you believe in the reliability, truth or ability of an IP address or domain? In our world it boils down to reputation.
Expired and exploited: Reviving a 30-year-old legacy domain for hijacking
Due to the current shortage of IPv4 addresses, any legacy IP block, regardless of its size, including Autonomous System (AS) networks, is at risk of being hijacked and misused for identity theft or other malicious activities. Here are the findings of Spamhaus' investigation into Fiberlinkcc.com, a legacy domain used to provide connectivity to hijacked IP blocks.
C-O-N-S-E-N-T, find out what it means to me!
With her unique style of wisdom, wit, and authenticity, Alison Gootee is a pro at challenging you to think differently about fundamental deliverability issues. Recently, we asked Alison to share her thoughts on consent, an issue close to Spamhaus. Guess what? She said, "yes!" So, sit back, grab a cup of coffee, and read on to find out what consent means to her.
Spammers Love Mobile Phone IP Space. Here’s How to Fix That.
Mobile phone companies are leaving the door wide open for spammers. They’re hurting their own customers (and the rest of the Internet) - but there’s still time to fix this.
If you query the legacy DNSBLs via Vultr move to Spamhaus Technology’s free Data Query Service
If you are currently accessing the free legacy DNS Blocklists (DNSBLs) via the Public Mirrors, and you’re using Vultr infrastructure - you'll need to make some minor changes to your email infrastructure. The changes are easy to implement, but if you fail to do so, you could find that at some point post-May 22nd 2024, all or none of your email is blocked!
Sex education in the classroom? Google can help, but there is a compromise!
It’s not uncommon for popular services to eventually fall victim to abuse. In this case, we explore how spammers are using Google Classroom to lure their victims (at elementary school!) to dating websites and generate revenue via affiliate programs associated with such sites.
Domain Reputation Update Oct 2023 - Mar 2024
Between input and output: The enigma of being a Spamhaus threat investigator
Spamhaus processes millions of IPs and domains every day. Given the vast amount of incoming data, automation is a necessity. But is technology alone enough? Let’s find out. Meet one of our researchers, Jonas Arnold, as he sheds light on the threat investigators' role in Spamhaus and the fight against Internet abuse.
Beyond spam: How Spamhaus is strengthening trust and safety for the Internet
At its core, the Spamhaus Project has a deep-seated desire to increase trust and safety on the Internet—a passion to protect and make the Internet a safer place. That sounds a little too virtuous, doesn't it? Let's look at what those phrases really mean in the context of Spamhaus and how it's striving to make this happen.
Registration, collaboration and disruption - an interview with Dave Piscitello (Part 2)
In part one, Dave Piscitello, Partner at Interisle Consulting Group LLC, discussed several key findings of the Interisle Cybercrime Supply Chain study 2023. Now, let’s explore the role of registries, registrars and other organizations that can effect change in the cybercrime supply chain.
Trends, policy and cheap TLDs - an interview with Dave Piscitello (Part 1)
Cybercrime supply chains are central to today’s intricate web of cyber threats. Without them, malicious actors wouldn’t have access to the tools, resources, and expertise necessary to execute their attacks. In October 2023, Interisle Consulting Group LLC conducted a study that sheds light on the supply chains used by cybercriminals. Learn more about the findings here.
A website to effect change
We're thrilled to share our brand-new Spamhaus Project website with you! It was high time for an overhaul, but now we have a website that reflects who and what Spamhaus is today. The new site offers a wealth of education, support, and free data to the community covering topics such as IP and domain reputation, malware, DNS Blocklists, threat intelligence, service providers, and more.
Part 2 – Effective strategies against inbound malicious email: using your own data
Having looked at best practices for utilizing blocklists in the first part of this series, let’s explore the value of maximizing your own data to protect your network from malicious inbound emails. After all, your email infrastructure contains data that may only occur on your specific network.
Malware Digest January 2024
Spamhaus Blocklist (SBL) listings are moving
Any abuse desk worker or Trust and Safety team member who has received a Spamhaus Blocklist (SBL) email notification can view the full details of the listing on www.spamhaus.org. However, change is coming soon. Please read on, otherwise you may think you've been phished when the URL in one of these notifications is different and directs you to a different place!
Botnet Threat Update Q4 2023
Malware Digest December 2023
Malware Digest November 2023
How to encode data before making a submission via the API
When sharing data via the API, some users are experiencing issues encoding data. Where an email text attachment is included (likely to include strange characters), JSON is not always encoded correctly. To help, we have provided step-by-step guidance on how to send RAW email source code using a BASH or PHP script.
How to submit suspicious activity or threats
Malware Digest October 2023
The beta nature of the Threat Intel Community Portal
If you haven't noticed, the Threat Intel Community is in beta, and to be honest, it will be for some time - probably until the end of 2024. "Why?" we hear you chorus. In a nutshell, we're all learning together - it's a process of discovering what data you want...
Domain Reputation Update Q3 2023
Malware Digest September 2023
Want to submit data? Be our guest!
For many years Spamhaus has been asked if it accepts data from third parties. The standard response has always been “Only after a detailed technical process and if certain criteria are met". But today, that response changes to “Yes, we do”. If you want to submit malicious domains, IPs, email...
Botnet Threat Update Q3 2023
The return of the ASN-DROP
Further to requests from the community we've reinvigorated the ASN-DROP. With a new algorithm, ASN-DROP is now available in JSON format, listing Autonomous System Numbers (ASNs) associated with the worst of the worst behavior. These are ASNs that our researchers wouldn’t recommend engaging with and are highly likely to announce...
How to successfully access your email source code
Learn how to access email source code using different email clients and the type of information you can find to help identify malicious emails associated with spam and phishing attempts.
Malware Digest August 2023
Qakbot - the takedown and the remediation
Writing "Qakbot" and "takedown" in the same sentence is quite something. Usually, Spamhaus is bemoaning the ever-growing numbers of compromised IPs associated with this malware. But, on Tuesday, August 29th, 2023, the Federal Bureau of Investigation (FBI) announced that it coordinated an international group...
What will happen with my submission?
At Spamhaus, we value every piece of data shared with us. Currently, we (and our algorithms) are learning from your submissions. Through manual reviews and automatic reprocessing, we're discovering how best we can provide feedback on your data.
Who is the Threat Intel Community for?
We firmly believe it’s vital for the safety of the internet to share malicious activity. You may be someone who isn’t hugely technical but wants to report a single spam email that you’ve received. Alternatively, you may want to increase the reach of your current threat-researching activities. Either way, there's a place to share…
What benefits does creating an account provide?
If you are going to make regular contributions, we recommend you create an account, which takes minutes (if that). Having account-based access provides you with a number of benefits...
Why submit?
Everyone who interacts digitally, i.e., uses the internet, has a role in making it a safer place. We all witness malicious behavior to some extent or another. Spamhaus is creating a platform for sharing intelligence relating to this activity because, ultimately, sharing is caring!
Malware Digest July 2023
DNS abuse: ICANN call for action – but is it enough?
ICANN's proposed amendments to registry and registrar contracts (RARAA) tackle DNS abuse head-on, a positive step in the fight against internet abuse and cybercrime. But are they enough? Read our thoughts here.
Domain Reputation Update Q2 2023
Botnet Threat Update Q2 2023
Malware Digest June 2023
Lifting the lid on a long-time operating Brazilian malware gang
For over 8 years, our researchers have been tracking an operation that targets Brazilian internet users, focused on stealing their banking credentials and withdrawing funds from the victims’ accounts. Here’s a potted history.
Domain Reputation Update Q1 2023
Botnet Threat Update Q1 2023
Malware Digest March 2023
Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch
In part three, we focus on using a network kill switch - causing an out-of-bounds read error, leading to Tofsee crashing.
Neutralizing Tofsee Spambot - Part 2 | InMemoryConfig store vaccine
In part two, learn about a second malware vaccine our team has produced, focused on polluting Tofsee's internal configuration store.
Understanding top-level domain (TLD) abuse helps illuminate and predict domain threat trends
The Domain Name System (DNS) is the backbone of the internet, enabling agile communication between internet entities. This blog post will focus on top-level domains (TLD), and how they can impact the security landscape.
Malware Digest February 2023
Malware Digest January 2023
A surge of malvertising across Google Ads is distributing dangerous malware
Recently, researchers have witnessed a massive spike affecting famous brands, with multiple malware being utilized. This is not “the norm.” Here’s what researchers are observing and a theory on this tsunami of abuse.
Annual Domain Reputation Report 2022
Domain Reputation Update Q4 2022
Botnet Threat Update, Q4 2022
Annual Botnet Threat Update 2022
Malware Digest December 2022
There's no such thing as a "free" app!
Downloading a free application and installing it on an internet-connected device can lead to you not being able to send email. This is because some apps allow third parties to access your device without your knowledge. These third parties then use your network connection for malicious purposes, causing your IP address to be listed as unsafe.
Malware Digest November 2022
Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine
The Spamhaus Malware Researchers have been busy in their lairs, reverse engineering Tofsee malware to provide you with the code required for two malware vaccines and a network-based kill switch. A hat trick of protection against this spambot! This is the first in this three-part series, and looks at how to inject a malware vaccine into the binary file.
Malware Digest October 2022
Domain Reputation Update Q3 2022
Botnet Threat Update Q3 2022
Dissecting the new shellcode-based variant of GuLoader (CloudEyE)
One of the Spamhaus Project's malware specialists has been battling GuLoader, attempting to analyze this tricky malware. Here they share their findings and explain how you can extract URLs from GuLoader.
Malware Digest September 2022
Malware Digest August 2022
Introducing Spamhaus’ Quarterly Domain Reputation Update: what’s it all about?
In July 2022, we launched a brand-new quarterly report - Spamhaus’ Quarterly Domain Reputation Update. Read this blog to discover why we've created it, the data it's based on, and what you can find in the full report.
Domain Reputation Update Q2 2022
Botnet Threat Update Q2 2022
The holiday hack – a reminder of why you shouldn’t always trust emails
Here’s a cautionary tale to anyone and everyone who uses email. The learning is simple: Always be vigilant, especially if its content asks you to provide personal information or click on links and download files.
Botnet Threat Update Q1 2022
Can you .bank on this registry for security?
Here, fTLD, the registry for .bank and .insurance top-level domains (TLDs), provides their view of how a TLD can make it simple for users to trust their interactions with websites.
How to avoid looking like a spammer when sending marketing emails
Here are a few key elements to abide by to ensure an ISP or blocklist provider doesn't view your marketing emails as malicious.
Botnet Threat Update Q4 2021
We hope you keep ".sbs" clean, ShortDot
When a new top-level domain (TLD) is starting out, we understand that it needs to find its way to being commercially viable. But registries need to walk a fine line between profit and managing abuse on their TLD.
When doorbells go rogue!
Here's a story of doorbells, specific software development kits (SDKs), proxies, and miscreants using your home network to send spam.
Botnet Threat Update Q3 2021
Using OMI on Microsoft Azure? Here's an update you need to read
An easy-to-exploit security vulnerability that allows remote code execution (RCE) on virtual machines where Open Management Infrastructure (OMI) is installed has been observed. Users need to take action.
Spammer Abuse of Free Google Services
Over the past year, Spamhaus has noticed a surge in spam that abuses free resources belonging to Google. This is becoming a serious concern, because a significant and growing amount of that spam is avoiding use of IP addresses and domains belonging to spammers....
Botnet Threat Update Q2 2021
Emotet Email Aftermath
At the end of January 2021, Europol announced that a coordinated group of international authorities had taken control of the Emotet botnet infrastructure. Prior to this takedown, Emotet had spread itself using previously compromised email addresses to send tens of thousands of messages with malware-laden attachments using a technique called...
WordPress compromises: What's beyond the URL?
One of the many tricks in the modern cybercriminal miscreant's toolbox is using compromised websites to evade spam filters and domain reputation systems. Whether hiding a web-based exploit or just getting a free ride on the reputation of otherwise legitimate domains, using an existing domain name has multiple benefits –...
Botnet Threat Update Q1 2021
Emotet is disrupted, but the malware it installed lives on
The successful takedown of the Emotet C2 infrastructure announced January 27th 2021 is no small accomplishment, both from a technical point of view and for the larger safety and security of the internet as a whole. However, Emotet often drops other malware which can still work even though Emotet no...
Emotet infrastructure disrupted after coordinated action
On Tuesday, Jan 27, 2021, Europol announced that a coordinated group of international authorities has taken control of the Emotet infrastructure. We congratulate the authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, who collaborated to disrupt...
Suspicious network resurrections
***UPDATE** Dec 1st 2020: A big thank you to Telia Carrier, Hurricane Electric and GTT for taking swift and positive action in shutting down the related announcements.* We believe there is a serious issue relating to the equivalent of 56 “/20” networks, with a corresponding 230k IPv4 addresses. The total...
Botnet Threat Update: Q2 2020
Tracking Qbot
Qbot (aka Quakbot or Qakbot) is a piece of malware originally designed to enable bad actors to conduct financial fraud. This was done by intercepting traffic to the online banking systems of various banking institutions. Lately, it has been updated with worm-like features to help it...
Botnet Threat Update Q1 2020
The Current State of Domain Hijacking, and a specific look at the ongoing issues at GoDaddy
**Domain hijacking is not a new problem, but it is one that gains strength if it is not countered effectively, and we have seen some disturbing trends in the last 6 months.** Cyber criminals are increasingly relying on legitimate and well established domains in order to carry out their maliciousness...
Weaponizing Domain Names: how bulk registration aids global spam campaigns
In 2019, Dave led research with the Interisle Consulting Group investigating criminal domain name abuse, focused on bulk registrations. These findings emphasized the need for more stringent measures to be put in place within...
Botnet Threat Update 2019
Estimating Emotet’s size and reach
As many of you will be aware, Emotet, one of the most dangerous botnets in operation, restarted its malicious activity on 16th September 2019. Since its resurgence, Spamhaus Malware Labs has been closely monitoring and studying Emotet’s activity. Here’s what we’ve uncovered...
Botnet Threat Update Q3 2019
Botnet Threat Update Q2 2019
Botnet Threat Update Q1 2019
Emotet adds a further layer of camouflage
Most professionals within enterprise security have come across *‘Emotet’*. As its history illustrates, the criminals behind Emotet malware are cunning and quick to maximize its ‘potential’. From a basic banking Trojan to a threat distribution service, it is constantly being re-invented. This ‘constant malware improvement’ isn’t showing any sign of...
How to Halt the Hijackers
If you’ve read Network hijacking - the low down, you’ll be fully versed in the varied ways cybercriminals can hijack your network. In this article, we’ll be explaining how to protect against this happening to you, along with a high-level overview as to what you can do if your Internet...
Botnet command & control domain registrations go through the roof in 2018
When Spamhaus Malware Labs observe a 40% increase in the number of domains that are being registered by cybercriminals to host a botnet command & control (C&C) it's time to understand where the threats are coming from in the top-level domains (TLDs) space and learn how you can protect against them.
Botnet command & control malware - the highs and lows of 2018
The team at Spamhaus Malware Labs detected and blocked a record number of botnet command & control (C&C). Over 10,000 in fact. Here's what was driving the increase.
Botnet Threat Update 2018
Network hijacking - the low down
Network hijacking involves the announcing or re-routing of Internet protocol (IP) addresses without authorization from the owner of those addresses. When hijacking is done intentionally, it is usually for some type of nefarious or illegal purpose and the consequences can be far reaching for organizations whose networks are hijacked. There...
A Domain-Specific Lesson from the Marriott Incident
The headlines have come thick and fast over the past few weeks in relation to the ‘Marriott Hack’. We all know the story: 500 million guest reservations from its Starwood database have been stolen. There are numerous lessons to be learned in regards to responding to this kind of incident,...
Exploits Block List - Two Botnets Contribute to 50% Increase in Listings
If you’ve been monitoring the Exploits Block List (XBL) recently you will have noticed a significant increase in the number of listings. The past few weeks have seen a lift from approximately 10 million to 15 million listings. The question is why? Our botnet specialist explains…
How has GDPR affected Spam?
The real answer is that it is far too early to tell. Various articles currently state that "nothing has happened" as a result of GDPR or "spam has fallen slightly"; however, the true effects of GDPR providing...
Spamhaus in the news
Read how Spamhaus' Top Level Domains list continues to feature in the cyber news columns.
Smoke Loader malware improves after Microsoft spoils its Campaign
Early this year, in March 2018, Microsoft’s Windows Defender Research Team in Redmond published some interesting insights into a massive malware campaign distributing a dropper/loader called Smoke Loader (also known as Dofoil). The main purpose of the documented campaign was to distribute a coin miner payload that is using infected...
Spamhaus Botnet Threat Report 2017
PandaZeuS’s Christmas Gift: Change in the Encryption scheme
Spamhaus Malware Labs - Spamhaus's malware research unit - recently observed a wave of new PandaZeuS malware samples being distributed during the Christmas season. PandaZeuS, also known as Panda Banker, is an ebanking Trojan that evolved from the notorious ZeuS trojan and is being used by different threat actors to...
Did anyone recently notice that the Spamhaus XBL just got really big?
Yes, the XBL grew by over 50%! Over the past three weeks, some of our users have noticed that the XBL (CBL) database has grown substantially in size. There are two major reasons for this. 1) Increase from the Internet of Things (IoT) There has been a substantial increase...
French government provides spam lists
The government of France provides lists of email addresses to French political candidates for them to use when sending campaign emails. Unfortunately these lists have many spamtrap addresses on them. Our spamtrap email addresses cannot have been legitimately subscribed to this list, and most assuredly do not belong to French...
Botnet Controllers in the Cloud
Cloud computing is popular these days. Millions of users consume computing power out of the cloud every day. Cloud computing comes with several advantages over traditional server hosting, such as scalability and quick deployment of new resources. As of January 2017, several large botnet operators appear to have discovered the...
Spamhaus Botnet Summary 2016
Network Hijacking on the Rise
As we discussed in a previous article, allocations of IP addresses (IPv4 addresses) are getting hard to come by, especially for spammers. Because the IP addresses they use quickly get a bad reputation as sources of spam, spammers constantly need fresh IPs that are not yet "burned". To get around...
More Domain Stats: The 10 Most Abused Registrars
Filling in The Spamhaus Project's domain panorama in our "Top-10 Worst" pages, we have added a page for The 10 Most Abused Domain Registrars. It breaks out by registrar the ratio of bad domains versus total domains as seen by our systems in the course of a rolling two-week window....
Spamhaus Presents: The World's Worst Top Level Domains
The Spamhaus Project has added a new list to its Top-10 Worst pages, this time for Top Level Domains (TLDs). This domain data is designed to complement the recent additions to our IP address data announced in a previous news blog. One must note that this list does not provide...
Verizon Routing Millions of IP Addresses for Cybercrime Gangs
Over the past few years, spammers have sought out large ranges of IP addresses. By spreading out their sending patterns across a wide range of IP addresses, they can attempt to defeat spam filters and get spam and malware emails delivered where they are not wanted. However, IPv4 addresses are...
Brazilian internet users suffer SoftLayer's security fail
In the summer of 2015, the number of SBL listings involving SoftLayer Technologies (an IBM company) increased rapidly, bringing SoftLayer to the #1 spot on the Spamhaus Top 10 list of most problematic ISPs. This attracted a great deal of attention, because SoftLayer has traditionally been a responsible ISP, and...
Network under attack? You might be surprised where that's coming from!
About a month ago the Spamhaus Project added several new lists to its *Top-10 Worst* pages. These are in addition to our existing Top-10 lists: Worst spammers, spammer hosting nations and spammer hosting Internet Service Providers (ISPs). Every second of every hour of every day Spamhaus collects a vast quantity...
Ongoing abuse problems at Nic.at and DENIC
Some of you may remember Spamhaus' dispute with Nic.at (the registry of .at ccTLD - "country code Top Level Domain") back in 2007. At that time, we saw a massive amount of the "Rock Phish" gang's phishing domain names being registered within .at for the exclusive purpose of hosting phishing...
A Survival Guide for the Small Mail Server
Nowadays many companies and organizations (non-profits, units of governmental and educational institutions, etc) believe that running their own mail servers has become an impossible task, due both to the large amount of inbound spam and to the continuous attempts by spammers to send outbound spam...
In memory of Ellen
On the evening of Wednesday, 18th February 2015, The Spamhaus Project lost a long-time friend and member of its team. A spam fighter from deep in the trenches, Ellen R. was known to many in this community for her earlier role at SpamCop. Fewer knew of her contributions at Spamhaus:...
Spamhaus Botnet Summary 2014
Stop spammers from exploiting your webserver!
For many years, speaking of "botnet spam" mainly meant speaking about compromised Windows systems. However, in the last few years this assumption is no longer entirely true. Looking at the number of distinct sources, the vast majority of emitters are still about the same as before, but looking at volumes...
Second arrest in response to DDoS attack on Spamhaus
The Spamhaus Project again offers congratulations and thanks to the law enforcement community in the matter of the massive Distributed Denial of Service (DDoS) attack perpetrated against our systems in March 2013 by a Russian-based anti-Spamhaus group...
New IPv6 CIDR searching tools released: grepcidrs
Moving into IPv6 presents many, many challenges. Among the myriad tasks which are required in that transition, many IT admins and techs will find the need to search and filter IPv4 and IPv6 addresses matching CIDR patterns in data related to both those IP addressing systems. The standard tool for...
Summer Break arrives early for Malware & Botnet Gang
After over 3 years of non-stop work stealing millions from people and companies on the internet, the cybercriminals behind the thefts will have some free time on their hands. Last week a group of Internet security organizations including the Spamhaus Project, several IT security companies, and the cybercrime departments of ten...
Resilans Incident Report
Report regarding the SBL listings of spam operations on Resilans AB (resilans.se). Spammer IP address space at Resilans: Spamhaus became aware of Resilans AB leasing netblocks to spam operations in August 2013. We listed those ranges and notified Resilans. Despite notification, the ranges they allocated in August were...
ICANN SSAC on DDoS, DNS and BCP 38
ICANN's Security and Stability Advisory Committee (SSAC) document Advisory on DDoS Attacks Leveraging DNS Infrastructure, published this week, provides a much-needed touchstone for the Internet in its current state. DDoS attacks, such as the one directed at Spamhaus last spring, continue to grow in size. Their magnitude poses a threat...
The return of the open relays
Around 1997, a company named Cyber Promotions (a/k/a Cyberpromo) was the first to start spamming Internet users on a massive scale. Cyberpromo first did this from their own mail servers, relying on their ISP's unwillingness to disconnect them. Within a short time, however, system administrators...
The DMA kicks spam up a notch
Spamming is always bad, but it is just plain foolish to spam addresses at spamhaus.org. While Spamhaus SBL listings are based on much wider views of spam than our own mailboxes, our mailboxes can tell us what we should look for. So when over the weekend the...
An arrest in response to March DDoS attacks on Spamhaus
The Spamhaus Project offers congratulations and its sincere thanks to the Dutch Public Prosecution Service (OM), the Dutch National High Tech Crime Unit (NHTCU) of the Dutch Police Services Agency (KLPD), the Spanish National Police (Catalonia branch in collaboration with the Central UDEF), and any and all other entities involved...
Fake 'Spamhaus' MoneyPak Ransomware 'Blocked PC' Virus
A number of Internet users are reporting a fresh version of a ransomware virus circulated by cyber criminals which exploits the name and image of Spamhaus to trick computer users into paying fake fines using MoneyPak. Computer users should know that no authorities or organizations (including Spamhaus) use screen blocking...
Answers about recent DDoS attack on Spamhaus
At this time The Spamhaus Project is getting more press enquiries than we can personally respond to. Below is a list with the most frequently asked questions, along with our answers. If you are in need of any additional information please do not hesitate to contact us but we cannot...
Cooperative Efforts To Shut Down Virut Botnet
During the past few weeks, Spamhaus has worked hard to shut down a botnet called "Virut". Virut take down: Virut is a worm that spreads through removable drives such as USB sticks and network shares, but it also has file infection capabilities it uses to spread itself. Virut was first...
Spam botnets: The fall of Grum and the rise of Festi
In July 2012, FireEye in cooperation with other security organisations, such as Spamhaus, took down the Grum botnet. At that time Grum was the third largest spam-sending botnet. The event gained considerable media attention. Spamhaus worked on the takedown of the botnet by contacting...
Spamhaus joins World IPv6 Launch day with IPv6 enabled DNSBL mirrors
On 6 June 2012 many major internet service providers (ISPs), home networking equipment manufacturers, and web companies around the world are uniting to redefine the global Internet and permanently enable IPv6 for their products and services. The Spamhaus Project endorses actions such as these to push forward the growth...
Snake oil spamming chiropractor gets cracked
Long-time ROKSO-listed spammer Brian "Dr. HGH" McDaid is finally going to pay for his crimes. This week, in a Philadelphia court, US federal court Judge Stewart R. Dalzell sentenced McDaid to two years in prison and a year of probation. McDaid and his "Sili Neutraceuticals" were a real pain...
Russian registrar NAUNET knowingly harbours Cybercriminals
In November 2011, new terms and conditions (T&C's) for registering .ru domains were put out by the Coordination Center for the Top Level Domain RU (cctld.ru). The following paragraphs of the new T&C are important to Spamhaus' mission to fight against spam and cybercrime...
Ghost Click/DNSChanger: Could ISPs have stopped it?
After the November 9, 2011 successful law-enforcement dismantling of a huge cybercrime network in an operation dubbed 'Ghost Click', questions were raised as to what Internet Service Providers (ISPs) could have been doing to protect their users, and the internet, from this botnet. So, could an ISP...
Targeting Rove Digital: Operation Ghost Click
On November 9, 2011 the FBI announced the successful dismantling of a huge cybercrime network in an operation dubbed 'Ghost Click'. The target of this joint US and Estonian law enforcement operation is the ROKSO-listed gang Rove Digital. Rove Digital ran a sophisticated operation in which malware changed the...
Who's Really Paying Cybercriminals?
This week sees the arrival of LondonCyber, a conference organised by the British Government's Foreign Office and reported to have been so thoroughly stage-managed that the media have been carefully kettled away in a special media centre to ensure they are not allowed to directly interact with any of the...
Dutch ISP Attempts False Police Report
If The Netherlands has penalties for filing false reports and wasting police time, Dutch ISP 'A2B Internet' will be looking at a hefty fine. The owner of the small Dutch transit ISP claimed on Tuesday 11 Oct to have filed a report with local police in the Dutch region of...
Santander gets it mostly right
If one admonishes for poor practice, one should encourage better practice. On Friday we wrote about an email sent by the UK tax office the formatting of which was ill advised (see UK Tax Office Sends an Invitation to Phishers). The following Monday, Santander UK sends an email which gets...
UK Tax Office Sends an Invitation to Phishers
Phishing. Broadly speaking, sending out emails which misdirect people to supply confidential information to miscreants. One such ruse in the UK has been to send out tax rebate emails purporting to come from the UK tax office, HMRC. So on Friday, in a stroke of genius, HMRC sent out the...
Spamhaus Victory in Final Appeal in E360 Case
On the 2nd September 2011 Spamhaus was successful in its final appeal which reduced a baseless $11.7 million default judgment down to $3 (three dollars). Twice the US Court of Appeals for the Seventh Circuit vacated judgments against UK-based Spamhaus made by U.S. Federal Judge Charles Kocoras who had twice...
Wikileaks Mirror Malware Warning
On Monday Spamhaus became aware that the main Wikileaks website, wikileaks.org, was redirecting web traffic to a 3rd party mirror site, mirror.wikileaks.info. This new web site is hosted in a very dangerous "neighborhood", Webalta's 92.241.160.0/19 IP address space, a "blackhat" network which Spamhaus believes caters primarily to, or is under...
Spamhaus forged (again) in malware phish attack
Spamhaus.org has been a frequent target of forged e-mails over the years and once again we're seeing a rise in those sorts of spam messages. This time email messages pretending to come from Spamhaus are a social engineering attempt ("phish") to lure victims into installing malware on their computers. Don't...
UK Threat from Cybercrime is Very Real
When it became clear that the UK's National Security Strategy (published today) would highlight "Cybersecurity" as one of the most serious threats to the United Kingdom's security, the media were most querulous. Even some of the more experienced journalists seemed to pour immediate scorn on the suggestion that computer-based crime...
Spamhaus Blocks Gmail? Report Was Not True.
"Spamhaus Blocks Gmail" - A catchy headline which certainly got the twitterati going. However, it wasn't true. Recently some IT websites, including Softpedia and Sucuri, erroneously issued reports of Spamhaus' SBL blocking Gmail. These reports are not true. Google's Gmail service has never been listed in, or affected by, any...
Canned Spammer: "The Godfather" Alan Ralsky locked up
Leaving a wake of over 12 years of criminal spamming and trillions of sent junk emails behind him, long-time ROKSO-listed spammer Alan Ralsky is finally behind the walls of a US Federal Prison. After pleading guilty to multiple federal criminal charges, and after time extensions to "get his affairs...
State of Maine AG OKs Spam List
The idea of "opt in" is central to the legitimate, non-spam use of bulk e-mail. Without "opt in" policies, any and all e-mail addresses will be spammed relentlessly until they "opt out", and likely even after that. "Opt in" means that the recipient--the e-mail address owner--knowingly and intentionally subscribes to...
DarkMarket "loner" soon to have many new friends
Unfortunately for Renukanth Subramaniam, the "loner with a modest lifestyle" who helped run the secretive website where cybercriminals traded stolen credit card data, his friends will probably be fellow inmates in a Her Majesty's Prison Service institution. Subramaniam was remanded into custody in London...
Congratulations to CNNIC (China)
China Internet Network Information Center (CNNIC) - China's own domain regulator - last week criticised Xinnet.com and some other Chinese registrars for the excessive inaccuracy in registration information (called "Whois" data). From this week, buyers of ".cn" Country Code Top Level Domains (ccTLDs) are required to provide paperwork - such...
Comcast guarding users helps protect all of us
In October, Comcast Corporation, the USA's largest provider of high-speed Internet to private homes, announced the roll-out of its new Constant Guard security initiative. The system will provide in-browser notifications about possible virus infections. If the system detects a possible problem, a "service notice" will appear in the customer's web...
Herbalking ringleader gets US$15 million fine
The Herbalking aftermath continues with a US federal judge ordering ringleader Lance Atkinson to pay the US Federal Trade Commission (FTC) a hefty US$15.5 million (£9.4 million). After he already admitted his involvement to the New Zealand authorities last year, the FTC now steps in with its findings...
Some Good News From Downunder
Two New Zealanders well known to Spamhaus have been fined for their roles in the biggest pharmaceutical spamming operation in the history of the internet, officials of the nation's Department of Internal Affairs (DIA) said on Monday. They were part of a business based in Christchurch that sent more than...
Impact on Cutwail of 3FN shutdown
There is nothing like a visual representation to show how botnet spam traffic dries up when a major eastern European-run host (in this case, USA-routed) of the botnet Command & Control systems (C&C) is shut down. Below is a report from the CBL botnet spam detection system on...
PBL Update and Comparisons - April 2009
We'd like to show you what some typical broadband space looks like in terms of spam-sending bots and Policy Block List (PBL) listings. Let's sample a few chunks of IPv4 space, count the spam bots, and map them graphically to visualize what those ranges look like. These are just examples,...
A Snowshoe Winter: Our Discontent with CAN-SPAM
Snowshoe spamming has been around for many years but during 2008 a few USA spammers honed the technique to a fine edge. It has grown rapidly for the past year and there is no indication that it will cease in the foreseeable future. As of February 2009, snowshoe spamming accounts...
Another one bytes the dust
Following the October 2008 shutdown of the largest US-based host of trojan malware, botnet command and control systems (C&Cs) and DNS changer hosts (pharming), Intercage/Atrivo, another US-based network specializing in hosting similar cybercrime has been taken off the Internet. McColo is a bit different from Intercage/Atrivo in...
Spam Kingpin's hench-woman pleads guilty
A person well known to Spamhaus, Judy Devenow, a member of long-time spamming kingpin and convicted felon Alan Ralsky's gang, pleaded guilty to conspiracy and aiding fraud in a US Federal court. She admitted she had sent millions of spam e-mails a day to generate excitement about junk stocks while...
HerbalKing principals indicted by FTC and New Zealand
The #1 worst spam gang on the Internet for much of 2007 and 2008, and active since at least 2005, has been indicted by the US Federal Trade Commission (FTC) in conjunction with simultaneous charges in New Zealand and possibly Australia & India. Several co-conspirators formed the HerbalKing spam gang....
Virginia Court OKs Anonymous Spam
Or "Frea Speach," as spammers write with their notoriously bad spelling while yammering about their right to send spam. There is no right to send spam, of course, let alone anonymously. Almost a decade ago, in their decisions in AOL vs. Cyberpromo and Earthlink vs. Cyberpromo, U.S. courts of appeal...
Cybercrime's U.S. Home
When cybercrime is mentioned it never takes long for Russia and the Ukraine to enter the picture. However, while a lot of cybercriminals are based in those countries, a lot of their infrastructure is housed in the west, in the United States to be precise. Without exception, all of the...
Spam, Malware and FTP cracks
There is lots of spam going around with funny subjects like "Mike Tyson to Fight Michael Jackson" or "Afghanistan to be 51st US State", or other equally absurd lines designed to hook unwary recipients into clicking the URL in the spam. Unfortunately, the results of following that link are not...
The Spammer Agora
There's been a lot of use of the term "ecosystem" in the e-mail industry lately. It's a good description of the complex environment that has grown up around Simple Mail Transport Protocol; it's no longer simple. But, like any ecosystem, it has many subsystems and niches within it. Among spammers...
Blackhats and Grayhats
From a discussion in a private anti-abuse industry workgroup list in November 2007 regarding the need for extensive restructuring of e-mail systems due to spam; reproduced with permission...
US Feds arrest and book ROKSO spammer Alan Ralsky
As reported by the Detroit Free Press on January 9, 2008, spammer Alan Ralsky of West Bloomfield, Michigan was brought into U.S. District Court in Detroit in handcuffs, escorted by FBI and US Postal Inspection Service agents who met him at the Detroit Metro Airport upon his return from Germany....
Spam King Alan Ralsky indicted
The US Department of Justice went public on January 3rd with the indictment of Alan Ralsky and 10 others who helped him. Ralsky topped our Top 10 Worst Spammers list for quite some time and was involved in almost any sort of spam activity that's being done. He and his...
The increasing importance of registrars in the fight against spam
Anyone remotely involved in the fight against spam has heard of the Storm worm. While Storm has used a variety of social engineering tricks to propagate, the e-card method has always been a popular one. What better a moment to send an e-card than in this holiday season? That's probably...
RBN as Chinese as Caviar & Borscht
When the routes to the older IP addresses mapped to the Russian Business Network stopped being announced on the internet, Spamhaus noticed a new set of IP addresses and ASNs mapping into the same upstream network. The Whois data for these showed Chinese company names and .cn/.tw...
ROKSO Spammer Robert Soloway Arrested
On May 30, 2007, one of the most persistent professional spammers, Robert Alan Soloway, was indicted by a grand jury in Seattle, Washington, on charges that include fraud, money laundering, and identity theft. The indictment followed a years-long joint investigation by the Washington State Attorney General's Office, the Federal Bureau...
Summer Spam Suits Show Some Success
Microsoft Corporation has won what could be the largest award against a spammer in Europe thus far. Paul Fox, whose e-mail messages were intended to direct people toward his pornographic websites, was forced by a court order to pay Microsoft 45,000 pounds ($84,177) for breaching the terms and conditions of...
Australian Spam Act Nails First Spammer
The Australian Communications Authority (ACA) has taken action against a spammer in the first case to be brought under Australia's Spam Act. Spammer Wayne Mansfield, listed in Spamhaus' ROKSO database, is charged with sending at least 56 million commercial emails in twelve months after the Spam Act 2003 commenced in...
The Threat from the Net
During two keynote speeches at the Infosecurity Europe conference at Olympia (London UK), Lord Harris of Haringey warned the UK government of the serious threat to Critical National Infrastructure posed by groups of E-vandals and criminal gangs, and the fact that the UK has neither systematic protection nor a response...
Increasing Spam Threat from Proxy Hijackers
Spam, now at 75% of all email traffic arriving at most ISPs' mail servers, has come mainly from two types of source: either sent directly by the spammer, or sent by the spammer through a hijacked computer (proxy). For most anti-spam systems these two sources have been relatively easy...
Jeremy Jaynes Gets 9 Years for Spamming
[Update: The 9 year sentence was overturned on appeal, the spammer did go to prison for other crimes] Jeremy Jaynes of Raleigh, North Carolina, a prolific spammer who operated using the alias 'Gaven Stubberfield' and was listed by Spamhaus' ROKSO database as being the 8th most prolific spammer in the...
Follow Australia!
United Nations - World Summit on the Information Society, International Telecommunication Union (ITU), Geneva, Switzerland. The message conveyed by the UN spam conference to the delegates from 60 countries was clear: spam in July was 76% of all email, is now costing national economies US$25 Billion a year, the problem...
Spammer Arrests herald FTC Crackdown on Illegal Spamming
For many months the Spamhaus team has been working with teams from Law Enforcement Agencies in the United States and United Kingdom, helping put together cases against known spammers. We are very pleased to see arrests of spammers by the FTC now taking place, and look forward to the...
United States set to Legalize Spamming on January 1, 2004
Against the advice of all anti-spam organizations, the U.S. House of Representatives has passed the CAN-SPAM Act, a bill backed overwhelmingly by spammers and dubbed the "YOU-CAN-SPAM" Act because it legalizes spamming instead of banning it. Spam King Alan Ralsky told reporters...
Spammers Release Virus to Attack Spamhaus.org
A new virus released by spammers on Saturday 1st November is infecting computers worldwide, and this time the purpose of the virus is to attack www.Spamhaus.org. The W32.Mimail.E virus is the latest in a string of viruses, each one released by spammers for the purpose of creating a vast worldwide...
The Spam Definition and Legalization Game
The word Spam means "Unsolicited Bulk Email". Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content. But ask a spammer and he'll claim...
Spamming is now a Crime in Virginia
The State of Virginia on Tuesday 29th April 2003 enacted the toughest anti-spam legislation of any US State so far, imposing harsh felony penalties for sending spam to computer users through deceptive means. Spammers who send Unsolicited Bulk Email to or from Virginia with a bogus return address, or via...
Europe Outlaws Spam
The European Parliament has decided to accept the Council's Common Position which would require senders of advertisements by "electronic mail" to have the recipient's prior consent. "Electronic mail" is defined broadly enough so as to include text messaging systems based on mobile telephony in addition to email. The 'opt-in' requirement...