Report regarding the SBL listings of spam operations on Resilans AB (resilans.se).
Spammer IP address space at Resilans
Spamhaus became aware of Resilans AB leasing netblocks to spam operations in August 2013. We listed those ranges and notified Resilans. Despite notification, the ranges they allocated in August were allowed to continue spamming for almost 3 months.
In October 2013, we detected spam from yet more Resilans ranges. Again, we notified Resilans - and again those problems took months to resolve. Spamhaus subsequently learned that the same spam operation had used several different identities during that time, undoubtedly complicating things for Resilans.
Over the next few months, through February 2014, more and more IP address space was handed out to spammers by Resilans. During February 2014, Spamhaus identified 47 IP address ranges of size /24 or larger issued to the spam operation, resulting in 17,664 IPv4 addresses assigned to various snowshoe spam operations scattered across six Resilans IP address allocations. A list of those IP address ranges, plus over 8,700 spammer PTRs we found, is available in the footnotes below.
SBL listings, 27 February, 2014
On 27 February, 2014, in an effort to protect our users from long-standing and widespread spam sources, and to bring resolution to the ongoing spam-related abuse of Resilans-managed IP address space, we implemented a number of larger SBL listings. Resilans had been sent many reports and given many chances to correct the situation before this step was needed. However, the large number of reports sent to them had not produced any noticeable change in the situation.
Resilans responded swiftly to the SBL listings made on 27 February and quickly resolved their outstanding SBL listings. Those larger listings were then removed the same day, 27 February, having been in the SBL zone for less than 12 hours.
Spamhaus hopes that our relationship with Resilans will once again normalize to the good working relationship we have with the vast majority of Internet providers. We're hopeful that Resilans will avoid any further contribution to enabling spammer resources. As always, we keep working for cleaner inboxes and a safer internet, and we welcome Resilans' participation in that cause.
Background of LIR abuse
With IPv4 address space increasingly hard to obtain, spammers are adopting creative and sneaky ways to obtain whatever ranges they can get. The more brazen ones will hijack ranges that are abandoned, or not routed, and forge documents just to get their spam out. Some will sub-lease IPv4 space on the gray or black markets, pretending to use it for SEO or VoIP - while really just wanting fresh IP address space from which to send spam. Others try a different route, and set up many false-front entities all over the world to tap into the reserves that local LIRs maintain. China and Romania have particularly suffered from this behavior. Western spammers experienced enough to use the right words, reasons, and funds have been able to get many large ranges of IP address space delegated to them. LIRs, perhaps naive about these sorts of situations, have been taken advantage of by spammers and, given our experiences with spammers, we cannot always blame them for it.
A link to the PTR records of 8,700+ spam hosts detected at Resilans (text file)
"For that, a second AS was hijacked and used to originate routes via the already hijacked AS: Relians Ltd. (AS42461)" - PDF link
Permanent link to this news article:
Resilans Incident Report
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.