Spamhaus forged (again) in malware phish attack

2010-11-29 18:20:00 UTC, by Quentin Jenkins

Spamhaus.org has been a frequent target of forged e-mails over the years and once again we're seeing a rise in those sorts of spam messages. This time email messages pretending to come from Spamhaus are a social engineering attempt ("phish") to lure victims into installing malware on their computers. Don't fall for it!

Some things to be aware of if a message claims to be from Spamhaus.org:

  • Spamhaus does not send notification of SBL listings to anyone except bona fide Point-Of-Contact addresses for ISP Abuse Desks. If you have not asked to receive such notifications or if your address does not appear in RIR (ARIN, RIPE, etc.) records for a top-level IP-block allocation or in The Network Abuse Clearinghouse, we will not send you SBL notification. We never send notifications for XBL, PBL, DBL or ROKSO listings.

  • We do not send attachments in any automated messages. The only attachments which spamhaus.org ever sends are in person-to-person mail where we know the recipient and the recipient knows us, and is expecting to receive information in the attachment format.

  • There is no "utility" to download or install in order to view or request removal of any listing in any of our DNSBL zones (SBL, XBL, PBL, DBL, Zen). We will never ask you to install an ".exe" file. Look-ups in our lists of IPs and domains are done via normal HTTP web-browsing. All you need is any common browser. SBL removals are handled via e-mail directly with the ISP (most of them know how to do so, routinely).

  • SBL Notification messages are sent as plain text, never HTML:
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable


  • Mail from Spamhaus.org comes from spamhaus.org mail servers in this IP range:
    $ host -t txt spamhaus.org
    spamhaus.org descriptive text "v=spf1 ip4:82.94.216.224/27 ~all"


  • Spamhaus.org email only comes from IP addresses listed in the Spamhaus Whitelist.

Incidentally, while Spamhaus.org is simply the domain being forged in this case, there is also an ongoing series of spear phishing attacks aimed at infecting specific computers inside ESPs and other e-mail reputation firms such as ReturnPath, as they have generously reported in their blog. Those attacks, like the forged Spamhaus messages, attempt to install malware onto victims' computers in an effort to gain access to data and systems within the target company. We cannot rule out that those attacks are related to the forged Spamhaus messages. Spamhaus, ReturnPath and several ESPs are working closely with law enforcement agencies to investigate these attacks.
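The header criteria listed above can be checked mechanically on a mail gateway. The following is an added example, not code from Spamhaus: it tests a message for the plain-text content type, the absence of attachments and HTML parts, and a sending address inside the range from the SPF record quoted in this article. The function name, the `client_ip` parameter and both sample messages are constructed for illustration.

```python
import ipaddress
from email import message_from_string

# Range from the SPF record quoted in the article (as published in 2010).
SPF_NET = ipaddress.ip_network("82.94.216.224/27")

def check_claimed_spamhaus_mail(raw_message, client_ip):
    """Return the reasons a message fails the article's criteria.

    client_ip: connecting address logged by your own MTA (assumption:
    the caller takes it from a trusted log, not a sender-supplied header).
    """
    msg = message_from_string(raw_message)
    problems = []
    if ipaddress.ip_address(client_ip) not in SPF_NET:
        problems.append("sending IP outside " + str(SPF_NET))
    if msg.get_content_type() != "text/plain":
        problems.append("top-level Content-Type is not text/plain")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            problems.append("contains an HTML part")
        name = part.get_filename()
        if name or part.get_content_disposition() == "attachment":
            problems.append("attachment: " + (name or "(unnamed)"))
    return problems

# Constructed sample messages (not real Spamhaus mail).
PLAIN = (
    "From: constructed-sender@spamhaus.org\n"
    "Content-Type: text/plain; charset=\"iso-8859-1\"\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "Constructed body.\n"
)
FORGED = (
    "From: constructed-sender@spamhaus.org\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\n"
    "\n"
    "--b1\nContent-Type: text/html\n\n<p>Constructed body.</p>\n"
    "--b1\nContent-Type: application/octet-stream\n"
    "Content-Disposition: attachment; filename=\"sample.exe\"\n\nAAAA\n"
    "--b1--\n"
)

if __name__ == "__main__":
    print(check_claimed_spamhaus_mail(PLAIN, "82.94.216.230"))
    print(check_claimed_spamhaus_mail(FORGED, "192.0.2.10"))
```

An empty list means the message passes every check; the `From:` header is deliberately ignored because it is the field being forged.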

Permanent link to this news article:
https://www.spamhaus.org/news/article/664/spamhaus-forged-again-in-malware-phish-attack


Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.