Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   
Spamhaus News Index
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.

RSS News Feed
Spamhaus Botnet Threat Report 2017 2018-01-08 UTC

Now that 2017 is behind us, as we do each year, the Spamhaus Project would like to give some numbers and thoughts on the botnet threats we encountered. In 2017, Spamhaus Malware Labs identified and issued Spamhaus Block List (SBL) listings for more than 9,500 botnet Command & Control servers on 1,122 different networks. A... (>)

PandaZeuS’s Christmas Gift: Change in the Encryption scheme 2017-12-28 UTC

Spamhaus Malware Labs - Spamhaus's malware research unit - recently observed a wave of new PandaZeuS malware samples being distributed during the Christmas season. PandaZeuS, also known as Panda Banker, is an ebanking Trojan that evolved from the notorious ZeuS trojan and is being used by different threat actors to compromise ebanking credentials, used by cybercriminals to commit ebanking fraud.

Looking into two recent PandaZeuS campaigns that have just been spread before Christmas revealed that the most recent version of PandaZeuS comes with a few minor changes. An important one is the change in the encryption scheme of PandaZeuS’s Base Config. While PandaZeuS is still using the RC4 binary encryption scheme, it comes with some tiny modifications. First of all, the versioning of PandaZeuS got updated to 2.6.1:

PandaZeuS: New version 2.6.1
New version 2.6.1

In the previous version, the base config was AES-265-CBC and RC4 encrypted . While this is still the case of the most recent version of PandaZeuS too, a slight modification in RC4 has been done:

PandaZeuS code snipped
PandaZeuS code snipped

The screenshot above documented the changes made to by the developers of PandaZeuS to the code:

  1. Initial Key Stream Array is initialized
  2. The State Array is modified 4 * 30 times and the keystream value is omitted
  3. Reusing the previous indexes, State Array is modified and keystream values obtained is XORed with encrypted byte.

This can be represented in Python code as:

for i in range(256):
       j = (j + S[i] + ord(key[i % len(key)])) % 256
       S[i], S[j] = S[j], S[i]
   i = j = 0
   for x in range(0, 30 * 4):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
   for p in data:
       i = (i + 1) % 256
       j = (j + S[i]) % 256
       S[i], S[j] = S[j], S[i]

While we can only speculate about the reason of this minor change in the encryption scheme of PandaZeuS, we suspect the intent behind this code change is to break malware extractors used by malware researchers to extract botnet controllers from PandaZeuS malware samples.

Looking into sinkhole data of one of these PandaZeuS campaigns shows that the botnet is mainly targeting English-speaking internet users:

PandaZeuS most infected countries

In addition, the associated botnet domain names are poorly detected:

Indicators of Compromise (IOC)

Campaign #1

PandaZeuS botnet controller URLs:


PandaZeuS botnet controller domain names (blocked by Spamhaus RPZ):

PandaZeuS botnet controllers (blocked by Spamhaus BCL):

Related malware samples (MD5):


Campaign #2

PandaZeuS botnet controller URLs:


PandaZeuS botnet controller domain names (blocked by Spamhaus RPZ):

PandaZeuS botnet controllers (blocked by Spamhaus BCL):

Related malware samples (MD5):


Related Spamhaus Products

Spamhaus Malware Labs is Spamhaus's malware research unit run in conjunction with Deteque, a subsidiary of Spamhaus Technology Ltd.

... (>)

Did anyone recently notice that the Spamhaus XBL just got really big? 2017-12-19 UTC

Yes, the XBL grew by over 50%!

Over the past three weeks, some of our users have noticed that the XBL (CBL) database has grown substantially in size. There are two major reasons for this.

1) Increase from the Internet of Things... (>)

French government provides spam lists 2017-05-30 UTC

The government of France provides lists of email addresses to French political candidates for them to use when sending campaign emails. Unfortunately these lists have many spamtrap addresses on them. Our spamtrap email addresses cannot have been legitimately subscribed to this list, and most assuredly do not belong to French... (>)

Botnet Controllers in the Cloud 2017-04-25 UTC

Cloud computing is popular these days. Millions of users consume computing power out of the cloud every day. Cloud computing comes with several advantages over traditional server hosting, such as scalability and quick deployment of new resources.

As of January 2017, several large botnet operators appear to have... (>)

Spamhaus Botnet Summary 2016 2017-01-17 UTC

2016 was a busy year for existing and emerging cyber threats. In the past year, Spamhaus researchers issued listings for over 7,000 botnet Command & Control ("C&C") servers on more than 1,100 different networks. These C&C servers enabled and controlled online crime such as credential theft, e-banking fraud,... (>)

Network Hijacking on the Rise 2016-09-26 UTC
As we discussed in a previous article, allocations of IP addresses (IPv4 addresses) are getting hard to come by, especially for spammers. Because the IP addresses they use quickly get a bad... (>)

Subscription Bombing: COI, CAPTCHA, and the Next Generation of Mail Bombs 2016-09-16 UTC

Internet harassment is becoming an increasingly ugly and widespread issue, and over the weekend of August 13-14 it spilled into territory we could do something about. After a few weeks of low level activity, over that weekend some unknown cyber criminals launched a targeted attack on over 100 government email addresses,... (>)

More Domain Stats: The 10 Most Abused Registrars 2016-05-17 UTC

Filling in The Spamhaus Project's domain panorama in our "Top-10 Worst" pages, we have added a page for The 10 Most Abused Domain... (>)

SBL/ZEN DNS lookups to return DROP/eDROP status 2016-04-05 UTC

Anvil For many years Spamhaus has maintained two text lists named DROP (Don't Route Or Peer) and EDROP (Extended Don't Route Or Peer). These lists contain netblocks that are "hijacked" or leased by professional spam or cybercrime operations, and were originally designed to be used by network edge devices such as routers or firewalls to block all traffic. They are provided at no cost to the community on the Spamhaus website.

All networks in DROP and EDROP are also listed in the Spamhaus blocklist (SBL); DNS lookups for those IPs have always returned (listed) status. However, it has not been possible to determine whether a listed IP was also listed in DROP/EDROP from the DNS lookup result.

To allow spam filters and other anti-spam software to support more aggressive spam scores for networks listed on DROP or eDROP, and to support access rules for other protocols such as HTTP, starting on 1st June 2016, the, and zones will return the new code in addition to the standard return code for IP addresses that are listed in DROP or eDROP.

Those who program or maintain spam filters or other anti-spam software can test any new rules immediately by looking up the test address, or its IPv6 sibling ::ffff:7f00:9.

Spamhaus reminds its users that, since February 2016, the public version of the SBL has also contained IPv6 data and answered IPv6 lookups. Spamhaus plans to add IPv6 data to the XBL and PBL in the future. However, the majority of spam coming from IPv6 IPs at this time is snowshoe spam, which falls in the SBL territory. Spammers have been purchasing and using large IPv6 blocks in an attempt to more easily bypass spam filtering and deliver email to inboxes on IPv6-connected email facilities.

... (>)

Spamhaus Presents: The World's Worst Top Level Domains 2016-02-25 UTC

The Spamhaus Project has added a new list to its Top-10 Worst pages, this time for Top Level Domains (TLDs). This domain data is designed to complement the recent additions to our IP address data announced in a... (>)

Verizon Routing Millions of IP Addresses for Cybercrime Gangs 2016-02-01 UTC

Over the past few years, spammers have sought out large ranges of IP addresses. By spreading out their sending patterns across a wide range of IP addresses, they can attempt to defeat spam filters and get spam and malware emails delivered where they are not wanted. However, IPv4... (>)

Brazilian internet users suffer SoftLayer's security fail 2015-10-01 UTC

In the summer of 2015, the number of SBL listings involving SoftLayer Technologies (an IBM company) increased rapidly, bringing Softlayer to the #1 spot on the Spamhaus Top 10 list of most problematic ISPs. This attracted a great deal of attention, because Softlayer has traditionally... (>)

Network under attack? You might be surprised where that's coming from! 2015-09-21 UTC

About a month ago the Spamhaus Project added several new lists to its Top-10 Worst pages. These are in addition to our existing Top-10 lists: Worst spammers, spammer hosting nations and... (>)

Ongoing abuse problems at and DENIC 2015-08-19 UTC

Some of you may remember Spamhaus' dispute with (the registry of .at ccTLD - "country code Top Level Domain") back in 2007. At that time, we saw a massive amount of the "Rock Phish" gang's... (>)

On the dubious merits of email verification services 2015-04-30 UTC

The Spamhaus Project view of these services

Over the past several years we have encountered several businesses offering email verification services. We have met them in industry social circles, sometimes they get tangled in our lists, and often we're asked by senders and receivers alike: "what does... (>)

A Survival Guide for the Small Mail Server 2015-03-19 UTC

Nowadays many companies and organizations (non-profits, units of governmental and educational institutions, etc) believe that running their own mail servers has become an impossible task, due both to the large amount of inbound spam and to the continuous attempts by spammers to send outbound spam through their mail... (>)

In memory of Ellen 2015-02-20 UTC

On the evening of Wednesday, 18th February 2015, The Spamhaus Project lost a long-time friend and member of its team. A spam fighter from deep in the trenches, Ellen R. was known to many in this community for her earlier role at SpamCop. Fewer knew of her contributions at Spamhaus: ... (>)

Spamhaus Botnet Summary 2014 2014-12-31 UTC

As 2014 ends, Spamhaus reviews the botnet threats that it detected in the past year, and provides facts and useful suggestions for ISPs and web hosts on the front lines of the battle against cybercrime. To nobody's surprise, botnet activity appears to be increasing. The majority of detected botnets are targeted at... (>)

Stop spammers from exploiting your webserver! 2014-12-15 UTC

For many years, speaking of "botnet spam" mainly meant speaking about compromised Windows systems. However, in the last few years this assumption is no longer entirely true. Looking at the number of distinct sources, the vast majority of emitters are still about the same as before, but looking at volumes we see that a large... (>)

Second arrest in response to DDoS attack on Spamhaus 2014-07-07 UTC

The Spamhaus Project again offers congratulations and thanks to the law enforcement community in the matter of the massive Distributed Denial of Service (DDoS) attack perpetrated against our systems in March 2013 by a Russian-based anti-Spamhaus group calling themselves... (>)

New IPv6 CIDR searching tools released: grepcidrs 2014-06-20 UTC

Moving into IPv6 presents many, many challenges. Among the myriad tasks which are required in that transition, many IT admins and techs will find the need to search and filter IPv4 and IPv6 addresses matching CIDR patterns in data related to both... (>)

Changes in Spamhaus DBL DNSBL return codes 2014-06-15 UTC

Spamhaus engineers have been busy developing new data for the Spamhaus Domain Block List (DBL) during the past several months. Our efforts have produced several specialized subsets of the DBL data set which will provide Spamhaus DBL users with better protection against spam as... (>)

Summer Break arrives early for Malware & Botnet Gang 2014-06-05 UTC

After over 3-years of non-stop work stealing millions from people and companies on the internet, the cybercriminals behind the thefts will have some free time on their hands.

Last week a group of Internet security organizations including the Spamhaus Project, several IT security companies, and the cybercrime... (>)

Spamhaus launches CERT Insight Portal 2014-04-08 UTC

Today, The Spamhaus Project is both happy and proud to announce the official launch of the Spamhaus CERT Insight Portal. The aim of the new web portal is to help Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Team (CSIRTs) with a national or regional responsibility to... (>)

The Spamhaus Policy Block List now covers One Billion IP addresses 2014-03-18 UTC

As we always try keep tabs on what spammers do, we couldn't help to overhear this at an Evil Botnet Spam Gang's... (>)

Resilans Incident Report 2014-03-04 UTC

Report regarding the SBL listings of spam operations on Resilans AB (

Spammer IP address space at Resilans

Spamhaus became aware of Resilans AB leasing netblocks to spam operations in August 2013. We listed those ranges and notified... (>)

ICANN SSAC on DDoS, DNS and BCP 38 2014-02-26 UTC

ICANN's Security and Stability Advisory Committee (SSAC) document Advisory on DDoS Attacks Leveraging DNS Infrastructure, published this week, provides a much-needed touchstone for the Internet in its current... (>)

The return of the open relays 2013-12-02 UTC


Around 1997, a company named Cyber Promotions (a/k/a Cyberpromo) was the first to start spamming Internet users on a massive scale. Cyberpromo first did this from their own mail servers, relying on... (>)

The DMA kicks spam up a notch 2013-10-27 UTC

Spamming is always bad, but it is just plain foolish to spam addresses at While Spamhaus SBL listings are based on much wider views of spam than our own mailboxes, our mailboxes can tell us what we should look for. So when over the weekend the U.S. Direct Marketing Association... (>)

Celebrating The First Birthday Of The Spamhaus BGPf 2013-06-12 UTC

In June 2012, Spamhaus launched the Spamhaus BGP feed (BGPf), a new service... (>)

An arrest in response to March DDoS attacks on Spamhaus 2013-04-26 UTC

The Spamhaus Project offers congratulations and its sincere thanks to the Dutch Public Prosecution Service (OM), the Dutch National High Tech Crime Unit (NHTCU) of the Dutch Police Services... (>)

Fake 'Spamhaus' MoneyPak Ransomware 'Blocked PC' Virus 2013-04-16 UTC
A number of Internet users are reporting a fresh version of a ransomware virus circulated by cyber criminals which exploits the name and image of Spamhaus to trick computer users into paying fake fines using MoneyPak. Computer users should know that no... (>)

Answers about recent DDoS attack on Spamhaus 2013-03-28 UTC

At this time The Spamhaus Project is getting more press enquiries than we can personally respond to. Below is a list with the most frequently asked questions, along with our answers. If you are in need of any additional information please do not hesitate to contact us but we cannot guarantee a quick response. Our staff are... (>)

Problems seen in transactional messages 2013-03-05 UTC

Some months ago a number of bloggers wrote about The Spamhaus Project's "new" spamtraps. Some asserted that we were suddenly targeting transactional messages. Others noticed the timing of new SBLs based on those "new" traps and one concluded that we had decided to publish our advisories during the Christmas season, the time... (>)

Cooperative Efforts To Shut Down Virut Botnet 2013-01-19 UTC

During the past few weeks, Spamhaus has worked hard to shut down a botnet called "Virut".

Virut take down

Virut is a worm that spreads through removable drives such as USB sticks and network shares, but it also has file infection capabilities it uses to spread itself. Virut was first... (>)

How hosting providers can battle fraudulent sign-ups 2012-10-01 UTC

Hosting providers are increasingly asking Spamhaus how they can prevent so-called "fraudulent sign-ups" -- new customers whose only intention is to spam, host malware, host botnet controllers, or engage in other activities that are forbidden by the hosting provider's acceptable use policy (AUP). Such customers normally... (>)

Spam botnets: The fall of Grum and the rise of Festi 2012-08-16 UTC

In July 2012, FireEye in cooperation with other security organisations, such as Spamhaus, took down the Grum botnet. At that time Grum was the third largest... (>)

Spamhaus Releases BGP feed (BGPf) and Botnet C&C list (BGPCC) 2012-06-12 UTC
Geneva, 12 June 2012

Today the Spamhaus Project announces the release of a new service -- the Spamhaus BGP feed (BGPf). The BGPf serves three Spamhaus lists by using the Border Gateway Protocol (BGP). It is intended to be used primarily by Internet Service Providers (ISPs), web hosting providers, and network... (>)

Spamhaus joins World IPv6 Launch day with IPv6 enabled DNSBL mirrors 2012-06-06 UTC
On 6 June 2012 many major internet service providers (ISPs), home networking equipment manufacturers, and web companies around the world are uniting to redefine the global Internet and permanently enable IPv6 for their products and... (>)

Spam through compromised passwords: can it be stopped? 2012-05-09 UTC
Any account on a legitimate mail server is a valuable resource to a spammer or cybercriminal because it gives access to a server that is unlikely to be blocked from sending email. A spammer can use an account on a legitimate mail server to spam, and reach many more people than if he sent email from an IP that does not host a... (>)

Snake oil spamming chiropractor gets cracked 2012-05-03 UTC
Long time ROKSO-listed spammer Brian "Dr. HGH" McDaid is finally going to pay for his crimes.

This week, in a Philadelphia court, US federal court Judge... (>)

Russian registrar NAUNET knowingly harbours Cybercriminals 2012-03-22 UTC
In November 2011, new terms and conditions (T&C's) for registering .ru domains were put out by the Coordination Center for the Top Level Domain RU ( The following paragraphs of the new T&C are important to Spamhaus' mission to fight against spam and... (>)

SNMP DDoS Vector - Secure Your Network NOW! 2011-12-23 UTC
Spamhaus has observed a newer type of distributed denial-of-service attack (DDoS) which has only recently become popular among cybercriminals. In just the past month, several attacks using this method have been investigated by private security firms and law enforcement agencies. During December 2011, Spamhaus sustained an SNMP... (>)

Ghost Click/DNSChanger: Could ISPs have stopped it? 2011-11-15 UTC
After the November 9, 2011 successful law-enforcement dismantling of a huge cybercrime network in an operation dubbed 'Ghost Click', questions were raised as to what Internet Service Providers (ISPs) could have been doing to protect their users, and the internet, from this... (>)

Targeting Rove Digital: Operation Ghost Click 2011-11-09 UTC
On November 9, 2011 the FBI announced the successful dismantling of a huge cybercrime network in an operation dubbed 'Ghost Click'. The target of this joint US and Estonian law enforcement operation is the ROKSO listed gang Rove... (>)

Who's Really Paying Cybercriminals? 2011-11-01 UTC
This week sees the arrival of LondonCyber, a conference organised by the British Government's Foreign Office and reported to have been so thoroughly stage-managed that the media have been carefully kettled away in a special media centre to ensure they are not allowed to directly interact with any of the attendees. While many... (>)

Dutch ISP Attempts False Police Report 2011-10-14 UTC
If The Netherlands has penalties for filing false reports and wasting police time, Dutch ISP 'A2B Internet' will be looking at a hefty fine. The owner of the small Dutch transit ISP claimed on Tuesday 11 Oct to have filed a report with local police in the Dutch region of Zaanstreek-Waterland accusing Spamhaus of "extortion" and... (>)

Santander gets it mostly right 2011-10-03 UTC
If one admonishes for poor practice, one should encourage better practice. On Friday we wrote about an email sent by the UK tax office the formatting of which was ill advised (see UK Tax Office Sends an... (>)

UK Tax Office Sends an Invitation to Phishers 2011-09-30 UTC
Phishing. Broadly speaking, sending out emails which misdirect people to supply confidential information to miscreants. One such ruse in the UK has been to send out tax rebate emails purporting to come from the UK tax office, HMRC.

So on Friday, in a stroke of genius,... (>)

Spamhaus Victory in Final Appeal in E360 Case 2011-09-05 UTC
On the 2nd September 2011 Spamhaus was successful in its final appeal which reduced a baseless $11.7 million default judgment down to $3 (three dollars). Twice before, the US Court of Appeals for the Seventh Circuit had vacated judgments made by an Illinois District Court which had twice awarded fabricated 'lost profits' to an... (>)

Spamhaus' DBL as a Response Policy Zone (RPZ) 2011-06-10 UTC
All too frequently electronic security breaches result from some form of social engineering trick which entices a user to visit a harmful website by providing a clickable link (URL) with a specially-registered domain which ultimately leads to the user being defrauded or their machine being infected with malware.

Once... (>)

Spamhaus Releases IPv6 Blocklists Strategy 2011-06-06 UTC
The Spamhaus Project has released a document outlining Spamhaus' strategy with respect to Spamhaus' IP blocklists and their future in an IPv6 enabled world. Entitled "Spamhaus IPv6 Blocklists Strategy Statement", the document focuses exclusively on IPv6 DNS-based blocklists and gives technical details of how Spamhaus plans to... (>)

One year anniversary of the DBL brings a new zone 2011-03-03 UTC
5 March 2011: One year ago this week, The Spamhaus Project released a new spam-blocking advisory list for the world's internet users. Its focus was on the domain side of email filtering. Called the Domain Block List, the DBL has now been in worldwide use for a full year. The reported... (>)

Wikileaks Mirror Malware Warning 2010-12-14 UTC
On Monday Spamhaus became aware that the main Wikileaks website,, was redirecting web traffic to a 3rd party mirror site, This new web site is hosted in a very dangerous "neighborhood", Webalta's IP address space, a "blackhat" network which Spamhaus believes caters primarily... (>)

Spamhaus forged (again) in malware phish attack 2010-11-29 UTC has been a frequent target of forged e-mails over the years and once again we're seeing a rise in those sorts of spam messages. This time email messages pretending to come from Spamhaus are a social engineering attempt ("phish") to lure victims into installing malware on their computers. Don't fall for... (>)

UK Threat from Cybercrime is Very Real 2010-10-18 UTC
When it became clear that the UK's National Security Strategy (published today) would highlight "Cybersecurity" as one of the most serious threats to the United Kingdom's security, the media were most querulous. Even some of the more experienced journalists seemed to pour immediate scorn on the suggestion that... (>)

Spamhaus Releases The Spamhaus Whitelist 2010-09-26 UTC
The Spamhaus Project has released a whitelist called the Spamhaus Whitelist. Long awaited in the industry, the Spamhaus Whitelist allows internet mail servers to separate incoming email traffic into 3 categories: Good, Bad and Unknown, allowing mail server operators to block known bad email traffic, let known good email traffic... (>)

Spamhaus Blocks Gmail? Report Was Not True. 2010-08-20 UTC
"Spamhaus Blocks Gmail" - A catchy headline which certainly got the twitterati going. However, it wasn't true. Recently some IT websites, including Softpedia and Sucuri, erroneously issued reports of Spamhaus' SBL blocking Gmail. These reports are not true. Google's Gmail service has never been listed in, or... (>)

Canned Spammer: "The Godfather" Alan Ralsky locked up 2010-03-04 UTC
Leaving a wake of over 12 years of criminal spamming and trillions of sent junk emails behind him, long time ROKSO-listed spammer Alan Ralsky is finally behind the walls of a US Federal Prison. After pleading guilty to multiple federal criminal charges, and after time extensions to "get his affairs in order", Ralsky reported... (>)

Approaching 100% spam block: Spamhaus releases the Domain Block List 2010-03-01 UTC
1 March 2010: The Spamhaus Project is proud to release its newest spam-blocking advisory list to the world's internet users, this time focused on the domain side of email filtering. Called simply the Domain Block List, the DBL has been in beta testing for much of 2009 on production ISPs... (>)

State of Maine AG OKs Spam List 2010-02-03 UTC
The idea of "opt in" is central to the legitimate, non-spam use of bulk e-mail. Without "opt in" policies, any and all e-mail addresses will be spammed relentlessly until they "opt out", and likely even after that. "Opt in" means that the recipient--the e-mail address owner--knowingly and intentionally subscribes to a specific... (>)

DarkMarket "loner" soon to have many new friends 2010-01-15 UTC
Unfortunatly for Renukanth Subramaniam, the "loner with a modest lifestyle" who helped run the secretive website where cybercriminals traded stolen credit card data, his friends will probably be fellow inmates in a Her Majesty's Prison Service institution.

Subramaniam was remanded into custody in London after earlier... (>)

Congratulations to CNNIC (China) 2009-12-17 UTC
China Internet Network Information Center (CNNIC) - China's own domain regulator - last week criticised and some other Chinese registrars for the excessive inaccuracy in registration information (called "Whois" data). From this week, buyers of ".cn" Country Code Top Level Domains (ccTLDs) are... (>)

Comcast guarding users helps protect all of us 2009-12-07 UTC
In October, Comcast Corporation, the USA's largest provider of high-speed Internet to private homes, announced the roll-out of its new Constant Guard security initiative. The system will provide in-browser notifications about possible virus infections. If the system detects a possible problem, a "service notice" will appear... (>)

Two month "snowshoe" trek results 2009-12-03 UTC
On the two-month anniversary of our announcement of the Spamhaus CSS, we thought it's time to take a look at its effect against this type of spamming. As we had mentioned, while filtering methods for botnet spam are now quite effective, a new breed of static-IP address spammers had evolved, and their spam was evading many... (>)

Herbalking ringleader gets US$15 million fine 2009-11-30 UTC
The Herbalking aftermath continues with a US federal judge ordering ringleader Lance Atkinson to pay the US Federal Trade Commission (FTC) a hefty US$15.5 million (£9.4 million). After already admitting his involvement to the New Zealand authorities last year now the FTC steps in with its findings:
The spam... (>)

Some Good News From Downunder 2009-11-20 UTC
Two New Zealanders well known to Spamhaus have been fined for their roles in the biggest pharmaceutical spamming operation in the history of the internet, officials of the nation's Department of Internal Affairs (DIA) said on Monday.

They were part of a business based in Christchurch that sent more than two million... (>)

Announcing the Spamhaus CSS 2009-10-03 UTC
While filtering methods for botnet spam are now quite effective, a new breed of static-IP address spammers has evolved, and their spam evades many filters. It is time to target the next great spam problem, "snowshoe" spam.

The Problem of... (>)

Impact on Cutwail of 3FN shutdown 2009-06-16 UTC
There is nothing like a visual representation to show how botnet spam traffic dries up when a major eastern European run host (in this case, USA routed) of the botnet Command & Control systems (C&C) is shut down. Below is a report from the CBL botnet spam detection system on the effect of a recent shut down.
These... (>)

Erroneous Mail Rejections at Yahoo! 2009-05-30 UTC
During the last week of May, 2009, some senders experienced mail rejected by which referenced Spamhaus PBL data. But when they looked up their IP address, it was not in any Spamhaus list. The error was not consistent, and sometimes resubmitting a message might result in its delivery. Yahoo! is aware of the problem and... (>)

ISP PBL Account - New Look! 2009-05-19 UTC
Last month we mentioned upcoming changes to ISP's PBL Account pages. We're pleased to announce that the first phase of those improvements is now up and running. While not visible to the public, an ISP logging in to their PBL Account will immediately see the upgrades.

The new ISP PBL Account pages:

  • Are designed... (>)

PBL Update and Comparisons - April 2009 2009-04-13 UTC
We'd like to show you what some typical broadband space looks like in terms of spam-sending bots and Policy Block List (PBL) listings. Let's sample a few chunks of IPv4 space, count the spam bots, and map them graphically to visualize what those ranges look like. These are just examples, conveniently chosen based on our... (>)

A Snowshoe Winter: Our Discontent with CAN-SPAM 2009-02-25 UTC
Snowshoe spamming has been around for many years but during 2008 a few USA spammers honed the technique to a fine edge. It has grown rapidly for the past year and there is no indication that it will cease in the foreseeable future. As of February 2009, snowshoe spamming accounts for... (>)

Another one bytes the dust 2008-11-17 UTC
Following the October 2008 shut down of the largest US based host of trojan malware, botnet command and control systems (C&Cs) and DNS changer hosts (pharming), Intercage/Atrivo, another US based network specializing in hosting similar cybercrime has been taken off the Internet.

McColo is a bit different from... (>)

Spam Kingpin's hench-woman pleads guilty 2008-10-15 UTC
A person well known to Spamhaus, Judy Devenow, one of long time spamming kingpin and convicted felon Alan Ralsky's gang, plead guilty to conspiracy and aiding fraud in a US Federal court. She admitted she had sent millions of spam e-mails a day to generate excitement about junk stocks while working for Ralsky who... (>)

HerbalKing principals indicted by FTC and New Zealand 2008-10-14 UTC
The #1 worst spam gang on the Internet for much of 2007 and 2008, and active since at least 2005, has been indicted by the US Federal Trade Commission (FTC) in conjunction with simultaneous charges in New Zealand and possibly Australia & India. Several co-conspirators formed the... (>)

Virginia Court OKs Anonymous Spam 2008-09-16 UTC
Or "Frea Speach," as spammers write with their notoriously bad spelling while yammering about their right to send spam. There is no right to send spam, of course, let alone anonymously. Almost a decade ago, in their decisions in AOL vs. Cyberpromo and Earthlink vs. Cyberpromo, U.S. courts of appeal ruled that spam is theft of... (>)

Cybercrime's U.S. Home 2008-08-29 UTC
When cybercrime is mentioned it never takes long for Russia and the Ukraine to enter the picture. However, while a lot of cybercriminals are based in those countries, a lot of their infrastructure is housed in the west, in the United States to be precise.

Without exception, all of the major security organizations on the... (>)

Confirmed Opt In - A Rose by Any Name 2008-08-11 UTC
Closed Loop Confirmed Opt In is the full technical term for the best opt-in subscription practice around. But whether you call it Confirmed, Verified, Double or any other adjective it still means the same thing: "Hey you! Subscriber! Is this really you who signed up for this list? Unless you respond, we won't send you more... (>)

Spam, Malware and FTP cracks 2008-07-25 UTC
There is lots of spam going around with funny subjects like "Mike Tyson to Fight Michael Jackson" or "Afghanistan to be 51st US State", or other equally absurd lines designed to hook unwary recipients into clicking the URL in the spam. Unfortunately, the results of following that link are not at all funny. The victim's computer... (>)

Using the SBL and XBL against spamvertized URLs 2008-06-27 UTC
A lot of people are using our SBL and XBL lists to guard their mail infrastructure against the incoming floods of spam. While we encourage all SBL-XBL users to switch to ZEN to check the connecting IP, the SBL-XBL combination still has a very powerful, but lesser-known application area: use it against spamvertized URLs in the... (>)

The Spammer Agora 2008-03-16 UTC
There's been a lot of use of the term "ecosystem" in the e-mail industry lately. It's a good description of the complex environment that has grown up around Simple Mail Transport Protocol; it's no longer simple. But, like any ecosystem, it has many subsystems and niches within it. Among spammers in general, the... (>)

Blackhats and Grayhats 2008-02-15 UTC
(From a discussion in a private anti-abuse industry workgroup list in November 2007 regarding the need for extensive restructuring of e-mail systems due to spam; reproduced with permission...)

Someone Else... (>)

The Spamhaus PBL, a one year old anti-spam heavyweight 2008-01-29 UTC
One year ago this month, Spamhaus launched the Policy Block List, also known as the PBL. Now a year later we look back to see what effect it has had.

The PBL was created to be used together with our other DNSBL zones, the SBL and... (>)

US Feds arrest and book ROKSO spammer Alan Ralsky 2008-01-11 UTC
As reported by the Detroit Free Press on January 9, 2008, spammer Alan Ralsky of West Bloomfield, Michigan was brought into U.S. District Court in Detroit in handcuffs, escorted by FBI and US Postal Inspection Service agents who met him at the Detroit Metro Airport upon his return from Germany.

Spamhaus was pleased... (>)

Spam King Alan Ralsky indicted 2008-01-03 UTC
The US Department of Justice went public on January 3rd with the indictment of Alan Ralsky and 10 others who helped him. Ralsky topped our Top 10 Worst Spammers list for quite some... (>)

The increasing importance of registrars in the fight against spam 2008-01-01 UTC
Anyone remotely involved in the fight against spam has heard of the Storm worm. While Storm has used a variety of social engineering tricks to propagate, the e-card method has always been a popular one. What better a moment to send an e-card than in this holiday season? That's probably why the... (>)

RBN as Chinese as Caviar & Borscht 2007-11-16 UTC
When the routes to the older IP address mapped to the Russian Business network began to no longer route on the internet, Spamhaus noticed a new set of IP addresses and ASN numbers mapping into the same upstream network. The Whois data for these showed Chinese company names and .cn/.tw email addresses. ... (>)

ROKSO Spammer Robert Soloway Arrested 2007-05-30 UTC
On May 30, 2007, one of the most persistent professional spammers, Robert Alan Soloway, was indicted by a grand jury in Seattle, Washington, on charges that include fraud, money laundering, and identity theft. The indictment followed a years-long joint investigation by the Washington State Attorney General's Office,... (>)

Summer Spam Suits Show Some Success 2006-09-08 UTC
Microsoft Corporation has won what could be the largest award against a spammer in Europe thus far. Paul Fox, whose e-mail messages were intended to direct people toward his pornographic websites, was forced by a court order to pay Microsoft 45,000 pounds ($84,177) for breaching the terms and conditions of Microsoft's free... (>)

Australian Spam Act Nails First Spammer 2005-06-23 UTC
The Australian Communications Authority (ACA) has taken action against a spammer in the first case to be brought under Australia's Spam Act. Spammer Wayne Mansfield, listed in Spamhaus ROKSO database, is charged with sending at least 56 million commercial emails in twelve months after the Spam Act 2003 commenced in April... (>)

The Threat from the Net 2005-04-27 UTC
During two keynote speeches at the Infosecurity Europe conference at Olympia (London UK), Lord Harris of Haringey warned the UK government of the serious threat to Critical National Infrastructure posed by groups of E-vandals and criminal gangs, and the fact that the UK has neither systematic protection nor a response strategy... (>)

Increasing Spam Threat from Proxy Hijackers 2005-02-03 UTC
Spam, now at 75% of all email traffic arriving at most ISPs mail servers, has come mainly from two types of source - either sent directly by the spammer, or sent by the spammer through a hijacked computer (proxy). For most anti-spam systems these two sources have been relatively easy to deal with, as they can both be... (>)

Jeremy Jaynes Gets 9 Years for Spamming 2004-11-04 UTC
[Update: The 9 year sentence was overturned on appeal, the spammer did go to prison for other crimes] Jeremy Jaynes of Raleigh, North Carolina, a prolific spammer who operated using the alias 'Gaven Stubberfield' and was listed by Spamhaus' ROKSO database as being the 8th most prolific spammer in the world, has been... (>)

Follow Australia! 2004-07-19 UTC
United Nations - World Summit on the Information Society International Telecommunication Union (ITU) Geneva, Switzerland The message conveyed by the UN spam conference to the delegates from 60 countries was clear, spam in July was 76% of all email, is now costing national economies US$25 Billion a year, the problem continues... (>)

Spammer Arrests herald FTC Crackdown on Illegal Spamming 2004-04-29 UTC
For many months the Spamhaus team have been working with teams from Law Enforcement Agencies in the United States and United Kingdom helping put together cases against the known spammers. We are very pleased to see arrests of spammers by the FTC now taking place, and look forward to the many more arrests we know are on the way... (>)

Spamhaus Releases Exploits Block List (XBL) to Combat Illegal Spam Relaying 2004-01-01 UTC
London, 1 January 2004 To help stop the rising tide of spam coming from illegal 3rd party exploits, the Spamhaus Project today released the Exploits Block List (XBL), a realtime DNS-based database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with... (>)

United States set to Legalize Spamming on January 1, 2004 2003-11-22 UTC
Against the advice of all anti-spam organizations, the U.S. House of Representatives has passed the CAN-SPAM Act, a bill backed overwhelmingly by spammers and dubbed the "YOU-CAN-SPAM" Act because it legalizes spamming instead of banning it. Spam King Alan Ralsky told reporters the passage of the House bill "made... (>)

Spammers Release Virus to Attack 2003-11-02 UTC
A new virus released by spammers on Saturday 1st November is infecting computers worldwide, and this time the purpose of the virus is to attack The W32.Mimail.E virus is the latest in a string of viruses, each one released by spammers for the purpose of creating a vast worldwide network of spam-sending... (>)

The Spam Definition and Legalization Game 2003-05-14 UTC
The word Spam means "Unsolicited Bulk Email". Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content. But ask a spammer and he'll claim spam is... (>)

Spamming is now a Crime in Virginia 2003-04-30 UTC
The State of Virginia on Tuesday 29th April 2003 enacted the toughest anti-spam legislation of any US State so far, imposing harsh felony penalties for sending spam to computer users through deceptive means. Spammers who send Unsolicited Bulk Email to or from Virginia with a bogus return address, or via exploits such as stolen... (>)

Europe Outlaws Spam 2002-05-30 UTC
The European Parliament has decided to accept the Council's Common Position which would require senders of advertisements by "electronic mail" to have the recipient's prior consent. "Electronic mail" is defined broadly enough so as to include text messaging systems based on mobile telephony in addition to... (>)

© 1998-2018 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy