Blocklist Removal Center
Contacts  |  Official Statements  |  FAQs  |  News Blog   
Bookmark and Share DDoS and Virus Attacks on Spamhaus

Category: Report
Updated: 2004-01-20
Statement Ref: S010

Blocklist Help

Blocked? To check, get info and resolve listings go to
Blocklist Removal Center

Associated Documents

How Blocklists Work
Legal Questions
In June 2003 Spamhaus warned that spammers had progressed from spamming through open proxies to actually manufacturing and sending out computer viruses, infecting hundreds of thousands of business and home-user machines on broadband/DSL lines, in order to create a vast network of anonymous spam 'zombies'.

Starting in 2003 an increasing amount of criminal spam gangs, mostly Russian and East-European gangs, began using large networks ("botnets") of virus or trojan-infected computers ("bots") to mount Distributed Denial Of Service ("DDoS") attacks on Spamhaus. To defend itself from such attacks Spamhaus had to implement substantial anti-ddos measures.

On November 1st 2003 a virus codenamed W32.Mimail.E began infecting hundreds of thousands of Microsoft Windows computers worldwide. Like other Trojan worms before it, W32.Mimail.E is designed to install a malicious program (in this case "foo.exe") which rifles through the user's address books sending itself onwards to every email address it finds, whilst harvesting the addresses for the spammers who sent it, but there the similarities with previous Trojans worms end because W32.Mimail.E's job once installed, is to begin attacking the Spamhaus website,

Two days later, on 3rd November 2003, a second virus codenamed W32.Mimail.H was released. It too conducts a distributed Denial of Service (dDoS) attack on

On December 1st 2003, yet another MiMail virus W32.Mimail.L was released, like the others it too conducts a dDoS on, but it also goes further. W32.MiMail.L claims to come "From" a address '' and the message the virus delivers is designed to provoke the biggest reaction possible from millions of victims: the Subject of the virus email is "We are going to charge your credit card". The message tells users that unless they respond by emailing a address, Spamhaus "will bill your credit card for amount of $22.95 on a weekly basis. Free pack of child porn CDs is already on the way to your billing address."

In early 2003 spammers, crackers and virus writers joined forces to launch the first known spam virus, W32.SoBig.E, a Trojan designed to infect computers worldwide to create an arsenal of proxies/zombies through which spammers could send billions of spams anonymously. Up to 60% of all spam is now sent using virus-infected computers.

While SoBig was the most famous spam virus, a more sinister virus known as Fizzer was released before it in May 2003 by a now known group of spammers into "porn & pills" spamming, dDoS cyber-attacks and credit card fraud. Fizzer (W32.HLLW.Fizzer) is a wide-spread Trojan worm which spreads by emailing itself to contacts in Microsoft Outlook and Windows address books. The purpose of Fizzer is to install a minature web server (on which spammers then host rapidly-moving "porn & pills" web sites linked to from spams), an IRC backdoor enabling the spammer to control the infected machine, and a DoS attack tool specifically for attacking anti-spam organizations.

As spam from virus-infected computers soared in mid 2003, spammers began using their new armies of infected 'zombies' to mount attacks against anti-spam systems including Spamhaus which stood in the way of them spamming millions of Internet users.

Beginning in early July 2003, Spamhaus servers came under massive distributed Denial of Service (dDoS) attacks by thousands of virus-infected computers throughout the Internet. Over the course of the summer we sustained intensive dDoS attacks from a number of different spam gangs, but were able to thwart the attacks thanks to our large distributed network capable of absorbing attacks, and thanks in no small part to the engineering skills of the server administrators running Spamhaus' servers. Other anti-spam systems weren't so lucky, during August and September 2003, four anti-spam systems were forced into closure under overwhelming dDoS attacks.

Statements Index

Fraudulent fake DNSBL uncovered: Protected Sky (

Fraudulent fake DNSBL uncovered:

EMarketersAmerica vs. The Spamhaus Project

Popular Myths About Spamhaus

Case Answer: e360Insight vs. The Spamhaus Project

TRO Answer: e360Insight vs. The Spamhaus Project

Case Dismissed: Ames & McGee v The Spamhaus Project

Spamhaus IPv6 Blocklists Strategy Statement

Report on the criminal 'Rock Phish' domains registered at

DDoS and Virus Attacks on Spamhaus

Spamhaus Position on CAN-SPAM Act of 2003

Copyright © 2022 The Spamhaus Project SLU. Reproduction from "DDoS and Virus Attacks on Spamhaus" is permitted provided you quote the source as "The Spamhaus Project" and provide a link to the source url:
© 1998-2022 The Spamhaus Project SLU. All rights reserved.
Legal  |  Privacy