The Spamhaus Project

Spamhaus forged (again) in malware phish attack

by The Spamhaus Team, November 29, 2010 (3 minutes reading time)

Spamhaus.org has been a frequent target of forged e-mails over the years and once again we're seeing a rise in those sorts of spam messages. This time email messages pretending to come from Spamhaus are a social engineering attempt ("phish") to lure victims into installing malware on their computers. Don't fall for it!

Some things to be aware of if a message claims to be from Spamhaus.org:

  • Spamhaus does not send notification of SBL listings to anyone except bona fide Point-Of-Contact addresses for ISP Abuse Desks. If you have not asked to receive such notifications, or if your address does not appear in RIR (ARIN, RIPE, etc.) records for a top-level IP-block allocation or in The Network Abuse Clearinghouse, we will not send you an SBL notification. We never send notifications for XBL, PBL, DBL or ROKSO listings.

  • We do not send attachments in any automated messages. The only attachments which spamhaus.org ever sends are in person-to-person mail where we know the recipient and the recipient knows us, and is expecting to receive information in the attachment format.

  • There is no "utility" to download or install in order to view or request removal of any listing in any of our DNSBL zones (SBL, XBL, PBL, DBL, Zen). We will never ask you to install an ".exe" file. Look-ups in our lists of IPs and domains are done via normal HTTP web browsing; all you need is any common browser. SBL removals are handled via e-mail directly with the listed ISP, most of which handle this routinely.

  • SBL Notification messages are sent as plain text, never HTML:

    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

  • Mail from Spamhaus.org comes from spamhaus.org mail servers in the IP range published in our SPF record:

    $ host -t txt spamhaus.org
    spamhaus.org descriptive text "v=spf1 ip4:82.94.216.224/27 ~all"
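The criteria above (sending IP inside the published SPF range, single-part text/plain, no attachments and certainly no .exe) can be applied mechanically to a suspect message. The script below is an added example, not Spamhaus code: it embeds the 2010 SPF record quoted above so it runs offline (a live check should query the record with `host -t txt spamhaus.org`), takes the peer IP from the topmost Received header on the assumption that our own MX wrote that header, and runs over two constructed sample messages, one mimicking the phish and one mimicking a genuine notification. Note that the record ends in `~all` (softfail), so a receiving MTA that only honours hard failures will not reject a forgery on SPF alone; the explicit range check is worth doing yourself.

```python
"""Added example: apply the post's criteria to mail claiming to be from spamhaus.org.
The SPF record is the one quoted in the post; sample messages and addresses are constructed."""
import email
import ipaddress
import re
from email import policy

# spamhaus.org SPF TXT record as quoted in the post (2010); a live check should query DNS.
SPF_RECORD = 'v=spf1 ip4:82.94.216.224/27 ~all'

# First bracketed IPv4 literal in a Received header, e.g. "([203.0.113.7])".
RECEIVED_IP = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def spf_ip4_networks(spf):
    """Return the ip4: mechanisms of an SPF record as ip_network objects."""
    nets = []
    for term in spf.split():
        if term.startswith('ip4:'):
            spec = term[len('ip4:'):]
            if '/' not in spec:
                spec += '/32'  # a bare ip4:A.B.C.D means a single host
            nets.append(ipaddress.ip_network(spec, strict=False))
    return nets


def handoff_ip(msg):
    """IP of the host that connected to our MX.

    Assumes the topmost Received header was added by our own MX; every Received
    header below it was written by the sender and cannot be trusted."""
    received = msg.get_all('Received') or []
    if not received:
        return None
    match = RECEIVED_IP.search(str(received[0]))
    return ipaddress.ip_address(match.group(1)) if match else None


def check_claimed_spamhaus_mail(raw):
    """Return the reasons a message claiming to be from spamhaus.org fails the post's criteria."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if 'spamhaus.org' not in str(msg.get('From', '')).lower():
        return findings  # does not claim to be from Spamhaus; nothing to check

    ip = handoff_ip(msg)
    if ip is None:
        findings.append('no Received header with a bracketed IP; cannot verify origin')
    elif not any(ip in net for net in spf_ip4_networks(SPF_RECORD)):
        findings.append(f'handoff IP {ip} is outside the spamhaus.org SPF range')

    if msg.is_multipart():
        findings.append('message is multipart; Spamhaus automated mail is single-part text/plain')
        for part in msg.iter_attachments():
            name = part.get_filename() or ''
            findings.append(f'attachment present: {name!r} ({part.get_content_type()})')
            if name.lower().endswith('.exe'):
                findings.append('executable attachment (.exe): Spamhaus never sends one')
    elif msg.get_content_type() != 'text/plain':
        findings.append(f'body is {msg.get_content_type()}, expected text/plain')
    return findings


# Constructed sample: the lure described in the post (outside IP, HTML body, .exe attached).
PHISH = b"""Received: from mail.example.net ([203.0.113.7]) by mx.victim.example with ESMTP; Mon, 29 Nov 2010 10:00:00 +0000
From: "Spamhaus SBL" <sbl-notify@spamhaus.org>
To: victim@victim.example
Subject: Your IP is listed in the SBL - install the removal utility
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Your mail server is listed. Run the attached utility.</body></html>
--b1
Content-Type: application/octet-stream; name="SBL_removal.exe"
Content-Disposition: attachment; filename="SBL_removal.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: what a genuine notification looks like per the post.
LEGIT = b"""Received: from smtp.spamhaus.org ([82.94.216.230]) by mx.isp.example with ESMTP; Mon, 29 Nov 2010 10:00:00 +0000
From: "Spamhaus SBL" <sbl-notify@spamhaus.org>
To: abuse@isp.example
Subject: SBL listing notification
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Plain text notification body.
"""

if __name__ == '__main__':
    for label, raw in (('phish', PHISH), ('legit', LEGIT)):
        print(label, check_claimed_spamhaus_mail(raw) or ['passes all checks'])
```

The phish sample trips all four checks; the genuine-looking sample passes. The IP test only means anything if the topmost Received header really is yours, so adapt `handoff_ip` if your MX sits behind a relay that adds its own headers.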

Incidentally, while Spamhaus.org is simply the domain being forged in this case, there is also an ongoing series of spear-phishing attacks aimed at infecting specific computers inside ESPs and other e-mail reputation firms such as ReturnPath, as ReturnPath has generously reported in its blog. Those attacks, like the forged Spamhaus messages, attempt to install malware on victims' computers in an effort to gain access to data and systems within the target company. We cannot rule out that those attacks are related to the forged Spamhaus messages. Spamhaus, ReturnPath and several ESPs are working closely with law enforcement agencies to investigate these attacks.