Subscribe to RSS News Feed About Spamhaus  |  Press Office  |  FAQs

Tweet Follow @spamhaus

Spamhaus forged (again) in malware phish attack 2010-11-29 18:20:00 UTC   |   by Quentin Jenkins   |

Recent News Articles Poor sending practices trigger a tidal wave of informational listings Spamhaus Botnet Threat Update: Q4-2021 SERVICE UPDATE | Spamhaus DNSBL users who query via Cloudflare DNS need to make changes to email set-up Spamhaus Botnet Threat Update: Q3-2021 Spammer Abuse of Free Google Services Spamhaus Botnet Threat Update: Q2-2021 Emotet Email Aftermath Wordpress compromises: What's beyond the URL? Older News Articles: Spamhaus News INDEX

Spamhaus.org has been a frequent target of forged e-mails over the years and once again we're seeing a rise in those sorts of spam messages. This time email messages pretending to come from Spamhaus are a social engineering attempt ("phish") to lure victims into installing malware on their computers. Don't fall for it! Some things to be aware of if a message claims to be from Spamhaus.org: Spamhaus does not send notification of SBL listings to anyone except bona fide Point-Of-Contact addresses for ISP Abuse Desks. If you have not asked to receive such notifications or if your address does not appear in RIR (ARIN, RIPE, etc.) records for a top-level IP-block allocation or in The Network Abuse Clearinghouse, we will not send you SBL notification. We never send notifications for XBL, PBL, DBL or ROKSO listings. We do not send attachments in any automated messages. The only attachments which spamhaus.org ever sends are in person-to-person mail where we know the recipient and the recipient knows us, and is expecting to receive information in the attachment format. There is no "utility" to download or install in order to view or request removal of any listing in any of our DNSBL zones (SBL, XBL, PBL, DBL, Zen). We will never ask you to install an ".exe" file. Look-ups in our lists of IPs and domains are done via normal HTTP web-browsing. All you need is any common browser. SBL removals are handled via e-mail directly with the ISP (most of them know how to do so, routinely). SBL Notification messages are sent as plain text, never HTML: Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Mail from Spamhaus.org comes from spamhaus.org mail servers in this IP range: $ host -t txt spamhaus.org spamhaus.org descriptive text "v=spf1 ip4:82.94.216.224/27 ~all" Spamhaus.org email only comes from IP addresses listed in the Spamhaus Whitelist. Incidentally, while Spamhaus.org is simply the domain being forged in this case, there is also an ongoing series of spear phishing attacks aimed at infecting specific computers inside ESPs and other e-mail reputation firms such as ReturnPath, as they have generously reported in their blog. Those attacks, like the forged Spamhaus messages, attempt to install malware onto victim's computers in an effort to gain access to data and systems within the target company. We cannot rule out that those attacks are related to the forged Spamhaus messages. Spamhaus, ReturnPath and several ESPs are working closely with law enforcement agencies to investigate these attacks.

Spamhaus Information Press Office Spamhaus News Index Spamhaus in the media About Spamhaus Spamhaus Official Statements

Article Information Permanent link to this news article: Spamhaus forged (again) in malware phish attack http://www.spamhaus.org/news/article/664/spamhaus-forged-again-in-malware-phish-attack Subscribe to RSS News Feed

Spamhaus News Quotes Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.

© 1998-2023 The Spamhaus Project SLU. All rights reserved. Legal  |  Privacy