In the summer of 2015, the number of SBL listings involving SoftLayer Technologies (an IBM company) increased rapidly, bringing SoftLayer to the #1 spot on the Spamhaus Top 10 list of most problematic ISPs. This attracted a great deal of attention, because SoftLayer has traditionally been a responsible ISP and has made a number of contributions to the security and anti-spam industries. As one would expect, this situation prompted questions. What was happening? Had SoftLayer, after years of being a responsible, whitehat ISP, suddenly turned rogue?
The answer to the second question is no, they had not. Unfortunately, what happened to SoftLayer can easily happen to any ISP that makes certain unwise choices. We wrote this article to explain how an ISP with SoftLayer's technical resources and excellent track record came to have such severe problems with a specific spam and malware operation, and to warn other ISPs so that they do not fall victim to this, or another, spam gang using the same tactics.
What happened?
In the last few months, a massive number of IP addresses on SoftLayer's network sent spam that tricked recipients into downloading and installing malware. While the spam itself explicitly targeted Brazilian users, it was sent to large numbers of harvested email addresses belonging to users around the world. When Spamhaus researchers looked at the sources of these spams, the IP address ranges always seemed to be assigned to fake but plausible Brazilian companies or organizations whose names changed every day, sometimes several times a day.
The SBL team started to create listings for these IP address ranges, and SoftLayer responded to them as always. However, this Brazilian malware gang was so active that many SBL-listed IP address ranges were being reassigned to the same spam gang immediately after re-entering the pool of available IP addresses. After observing the same IP address ranges being reassigned repeatedly to the same spammers, Spamhaus contacted the SoftLayer abuse department and told them that SBLs for these specific issues would not be removed until SoftLayer was able to get control of the overall problem with these spammers.
Because the Brazilian malware operation that caused this situation is so large, the SBL count for SoftLayer IP address ranges rapidly reached a level rarely seen before (more than 600 listings).
What allowed the issue to get this big?
Spamhaus can only guess the answer to this question. We believe that SoftLayer, perhaps in an attempt to extend their business in the rapidly-growing Brazilian market, deliberately relaxed their customer vetting procedures. Cybercriminals from Brazil took advantage of SoftLayer's extensive resources and lax vetting procedures. In particular, the malware operation exploited loopholes in SoftLayer's automated provisioning procedures to obtain an impressive number of IP address ranges, which they then used to send spam and host malware sites.
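The two failure modes described above (SBL-listed ranges going straight back into the free pool and being handed to the next fresh sign-up, and automated provisioning that never consults the blocklist at all) are both things an ISP can gate in software. The following is an added example, written for this article and not SoftLayer's or Spamhaus's code: a pre-provisioning check that builds the reversed-octet DNSBL query name for zen.spamhaus.org, refuses to allocate any range that is currently listed, and quarantines ranges reclaimed from an abusive customer for a cool-down period instead of returning them to the pool immediately. The return-code meanings are taken from Spamhaus's published ZEN documentation and should be verified against the current docs; the resolver is injected, and the listing table, customer names and the 198.51.100.0/29 ranges are constructed so the example runs offline.

```python
"""Pre-provisioning DNSBL gate and cool-down pool for an ISP address allocator.

Added example, not SoftLayer's or Spamhaus's code. The resolver is injected so
the code runs offline against a constructed listing table.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Set

IPv4Net = ipaddress.IPv4Network
ZEN_ZONE = "zen.spamhaus.org"

# Return-code meanings per Spamhaus's published ZEN documentation
# (assumption: confirm against the current docs before relying on them).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL-DROP",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

Resolver = Callable[[str], List[str]]  # qname -> A records ([] means NXDOMAIN)


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the reversed-octet query name, e.g. 1.2.0.192.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_answers(answers: List[str]) -> Set[str]:
    """Map A-record answers to list names. 127.255.255.x answers are query
    errors (open-resolver or quota rejections); never treat them as 'clean'."""
    listed: Set[str] = set()
    for a in answers:
        if a.startswith("127.255.255."):
            raise RuntimeError(f"DNSBL query error {a}: use your own resolver or a DQS key")
        listed.add(ZEN_CODES.get(a, f"unknown:{a}"))
    return listed


def listed_addresses(net: IPv4Net, resolve: Resolver) -> Dict[str, Set[str]]:
    """Query every address in the range; return {ip: {lists}} for hits only."""
    hits: Dict[str, Set[str]] = {}
    for ip in net:
        lists = classify_answers(resolve(dnsbl_query_name(str(ip))))
        if lists:
            hits[str(ip)] = lists
    return hits


class AddressPool:
    """Ranges reclaimed from an abusive customer sit in quarantine for
    `cooldown` seconds, and every range is re-checked against the DNSBL
    immediately before it is handed to anyone."""

    def __init__(self, resolve: Resolver, cooldown: float):
        self.resolve, self.cooldown = resolve, cooldown
        self.free: List[IPv4Net] = []
        self.quarantine: Dict[IPv4Net, float] = {}   # net -> earliest reuse time
        self.assigned: Dict[IPv4Net, str] = {}
        self.history: Dict[IPv4Net, List[str]] = {}  # audit trail per range

    def add(self, net: IPv4Net) -> None:
        self.free.append(net)

    def release(self, net: IPv4Net, now: float, abusive: bool) -> None:
        self.assigned.pop(net, None)
        if abusive:
            self.quarantine[net] = now + self.cooldown  # not back in the pool yet
        else:
            self.free.append(net)

    def allocate(self, customer: str, now: float) -> Optional[IPv4Net]:
        for net, ready_at in list(self.quarantine.items()):
            if now >= ready_at:                         # cool-down expired
                del self.quarantine[net]
                self.free.append(net)
        for net in list(self.free):
            if listed_addresses(net, self.resolve):     # still listed: refuse
                self.free.remove(net)
                self.quarantine[net] = now + self.cooldown
                continue
            self.free.remove(net)
            self.assigned[net] = customer
            self.history.setdefault(net, []).append(customer)
            return net
        return None


# Constructed offline listing table standing in for the live DNSBL (hypothetical).
_CONSTRUCTED_SBL = {ipaddress.ip_network("198.51.100.0/29"): ["127.0.0.2"]}


def fake_resolve(qname: str) -> List[str]:
    """Offline stand-in for a DNS resolver answering zen.spamhaus.org queries."""
    rev = qname[: -len("." + ZEN_ZONE)]
    ip = ipaddress.IPv4Address(".".join(reversed(rev.split("."))))
    return next((list(c) for n, c in _CONSTRUCTED_SBL.items() if ip in n), [])


def demo() -> dict:
    """Walk one range through listing, refusal, quarantine, delisting and reuse."""
    pool = AddressPool(fake_resolve, cooldown=7 * 86400)
    listed = ipaddress.ip_network("198.51.100.0/29")
    clean = ipaddress.ip_network("198.51.100.8/29")
    pool.add(listed); pool.add(clean)
    first = pool.allocate("acme-br-1", now=0)      # gets the clean /29
    second = pool.allocate("acme-br-2", now=0)     # listed /29 refused -> None
    pool.release(first, now=1, abusive=True)       # customer terminated for spam
    third = pool.allocate("acme-br-3", now=2)      # both in quarantine -> None
    del _CONSTRUCTED_SBL[listed]                   # Spamhaus removes the listing
    fourth = pool.allocate("acme-br-4", now=10 * 86400)  # cool-down over, clean
    return {"first": str(first), "second": second, "third": third, "fourth": str(fourth)}
```

In production the injected resolver must be the provider's own recursive resolver or a Spamhaus Data Query Service endpoint; queries sent through large public resolvers are answered with 127.255.255.x error codes rather than list data, which is why `classify_answers` raises on them instead of silently treating the range as clean.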
IBM acquired SoftLayer in June 2013, obviously leading to ongoing organizational changes. These changes might continue to affect SoftLayer's abuse and security operations.
Is this solved now?
Not really. SoftLayer has slowly reduced the extent of its problem with this malware operation, but the problem is still far from solved. SoftLayer has taken months to change its procedures and bring this issue under control. With big companies, that is not exactly unexpected, but Spamhaus is certainly not satisfied with the glacial pace of the solution.
This situation also damages the reputation of SoftLayer (and its parent company IBM), which have for years been trying to craft a public image of a good, safe and security-conscious corporation. This summer, Brazilians infected with malware and other spammed internet users would beg to differ.
After one month, SoftLayer's SBL listings have dropped to levels that were normal before the Brazilian malware gangs attacked their platform.
Spamhaus congratulates SoftLayer on their effective solution to this problem. We ask that other hosting providers that find their services being abused by the same types of criminals strengthen their policies and methods in similar ways.
Brazilian internet users suffer SoftLayer's security fail