The Spamhaus Project


Brazilian internet users suffer SoftLayer's security fail

by The Spamhaus Team, October 01, 2015

Introduction

In the summer of 2015, the number of SBL listings involving SoftLayer Technologies (an IBM company) increased rapidly, bringing SoftLayer to the #1 spot on the Spamhaus Top 10 list of most problematic ISPs. This attracted a great deal of attention, because SoftLayer has traditionally been a responsible ISP and has made a number of contributions to the security and anti-spam industries. As one would expect, this situation prompted questions. What was happening? Had SoftLayer, after years of being a responsible, whitehat ISP, suddenly turned rogue?

The answer to the second question is no, they hadn't. Unfortunately, what happened to SoftLayer can easily happen to any ISP that makes certain unwise choices. We wrote this article to explain how an ISP with SoftLayer's technical resources and excellent track record came to have such severe problems with a specific spam and malware operation, and to warn other ISPs so that they don't fall victim to this, or another, spam gang using the same tactics.

What happened?

In the last few months, a massive number of IP addresses on SoftLayer's network sent spam that tricked recipients into downloading and installing malware. While the spam itself explicitly targeted Brazilian users, it was sent to large numbers of harvested email addresses belonging to users around the world. When Spamhaus researchers looked at the sources of this spam, the IP address ranges always seemed to be assigned to fake but plausible Brazilian companies or organizations whose names changed every day, sometimes several times a day.

The SBL team started to create listings for these IP address ranges, and SoftLayer responded to them as always. However, this Brazilian malware gang was so active that many SBL-listed IP address ranges were being reassigned to the same spam gang immediately after re-entering the pool of available IP addresses. After observing the same IP address ranges being reassigned repeatedly to the same spammers, Spamhaus contacted the SoftLayer abuse department and told them that SBLs for these specific issues would not be removed until SoftLayer was able to get control of the overall problem with these spammers.
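The reassignment loop described above (a listed range is released, re-enters the free pool, and is handed straight back to the same spammer under a new company name) is easy to reproduce in a few lines. The following is an added illustration, not Spamhaus or SoftLayer code, and the policy values in it (a 30-day post-listing quarantine, a churn alarm at three assignments per week) and all customer names, dates and address ranges are assumed or constructed. It replays three daily signups against a two-range pool, first with no quarantine and then with one, so the difference in what each successive "company" receives is visible.

```python
"""Provisioning-side guard for the reassignment loop described above.

Added illustration; not Spamhaus or SoftLayer code. Policy values
(30-day quarantine, churn alarm at 3 assignments per week) are assumed.
A range that is blocklisted while assigned is released; the naive pool
hands it straight to the next signup, the guarded pool holds it in a
cooling-off quarantine and flags ranges cycling through short-lived
customers. All customers, dates and ranges are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CHURN_WINDOW = timedelta(days=7)  # assumed: look-back for the churn alarm
CHURN_LIMIT = 3                   # assumed: assignments in window that trigger review


@dataclass
class RangeRecord:
    network: ipaddress.IPv4Network
    current: str | None = None             # customer holding the range now
    listed_until: datetime | None = None   # end of quarantine after a listing
    history: list[tuple[datetime, str]] = field(default_factory=list)


class Pool:
    """Free pool with a post-listing quarantine and a reassignment churn alarm."""

    def __init__(self, ranges: list[str], quarantine: timedelta) -> None:
        self.records = {ipaddress.ip_network(r): RangeRecord(ipaddress.ip_network(r))
                        for r in ranges}
        self.quarantine = quarantine
        self.review: list[str] = []   # ranges that need a human look before reuse

    def assign(self, customer: str, now: datetime) -> ipaddress.IPv4Network | None:
        """Hand out the first free range that is not cooling off."""
        for rec in self.records.values():
            if rec.current is not None:
                continue
            if rec.listed_until is not None and now < rec.listed_until:
                continue  # still quarantined after a blocklist event
            rec.current = customer
            rec.history.append((now, customer))
            self._check_churn(rec, now)
            return rec.network
        return None  # pool exhausted: the signup waits for manual vetting

    def record_listing(self, network, now: datetime) -> None:
        """The range was blocklisted while assigned: start its quarantine."""
        self.records[ipaddress.ip_network(network)].listed_until = now + self.quarantine

    def release(self, network) -> None:
        """Customer terminated; the range goes back to the pool."""
        self.records[ipaddress.ip_network(network)].current = None

    def _check_churn(self, rec: RangeRecord, now: datetime) -> None:
        recent = [c for t, c in rec.history if now - t <= CHURN_WINDOW]
        if len(recent) >= CHURN_LIMIT:
            self.review.append(
                f"{rec.network}: {len(recent)} customers in {CHURN_WINDOW.days} days: {recent}")


def run_scenario(quarantine_days: int) -> dict:
    """Replay three daily signups, each caught spamming, listed and released the
    same day, against a two-range pool. Returns what each signup received and
    any churn alarms raised (constructed data)."""
    pool = Pool(["198.51.100.0/24", "203.0.113.0/24"], timedelta(days=quarantine_days))
    t0 = datetime(2015, 8, 1)
    assigned: list[str | None] = []
    for day, name in enumerate(["Empresa Alpha", "Empresa Beta", "Empresa Gamma"]):
        now = t0 + timedelta(days=day)
        net = pool.assign(name, now)
        assigned.append(None if net is None else str(net))
        if net is None:
            continue
        listed_at = now + timedelta(hours=12)   # spam observed, SBL listing created
        pool.record_listing(net, listed_at)
        pool.release(net)                        # customer terminated, range freed
    return {"assigned": assigned, "review": pool.review}


if __name__ == "__main__":
    print("no quarantine:    ", run_scenario(0))
    print("30-day quarantine:", run_scenario(30))
```

With no quarantine the same /24 is issued to all three "companies" in three days and the churn alarm fires on the third signup; with the quarantine the second signup gets the other range and the third gets nothing, which is the intended outcome: recycling listed space to unvetted signups stops, and the pressure lands on the vetting queue rather than on the blocklist.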

Because the Brazilian malware operation that caused this situation is so large, the SBL count for SoftLayer IP address ranges rapidly reached a level rarely seen before (more than 600 listings).

What allowed the issue to get this big?

Spamhaus can only guess the answer to this question. We believe that SoftLayer, perhaps in an attempt to extend their business in the rapidly growing Brazilian market, deliberately relaxed their customer vetting procedures. Cybercriminals from Brazil took advantage of SoftLayer's extensive resources and lax vetting procedures. In particular, the malware operation exploited loopholes in SoftLayer's automated provisioning procedures to obtain an impressive number of IP address ranges, which they then used to send spam and host malware sites.

IBM acquired SoftLayer in June 2013, obviously leading to ongoing organizational changes. These changes might continue to affect SoftLayer's abuse and security operations.

Is this solved now?

Not really. SoftLayer has slowly reduced the extent of its problem with this malware operation, but the problem is still far from solved. SoftLayer has taken months to change its procedures and bring this issue under control. With big companies, that is not exactly unexpected, but Spamhaus is certainly not satisfied with the glacial pace towards a solution.

This situation also damages the reputation of SoftLayer (and its parent company IBM), which have for years been trying to project a public image of the good, safe and security-conscious corporation they supposedly are. This summer, Brazilians infected with malware and other spammed internet users would beg to differ.


Update: November 2015

At the end of October, SoftLayer contacted Spamhaus to notify us of the measures that they were rolling out to keep these and other abusers off their network and cloud. The measures that SoftLayer took have proved extremely effective, to the point that after just a few days the malware operations were gone from SoftLayer's network, with the perpetrators moving to other hosting providers.

After one month, SoftLayer's SBL listings have dropped to the levels that were normal before the Brazilian malware gangs attacked their platform.

Spamhaus congratulates SoftLayer on their effective solution to this problem. We ask that other hosting providers that find their services being abused by the same types of criminals strengthen their policies and methods in similar ways.