The Spamhaus Project


The increasing importance of registrars in the fight against spam

by The Spamhaus TeamJanuary 01, 200822 minutes reading time

Anyone remotely involved in the fight against spam has heard of the Storm worm. While Storm has used a variety of social engineering tricks to propagate, the e-card method has always been a popular one. What better a moment to send an e-card than in this holiday season? That's probably why the Storm botnet gang began pumping out large amounts of fake holiday season e-cards on Christmas Eve.

All these fake e-cards are hosted on domains such as, or, to name a few. This is not regular hosting, this is all fast-flux hosting. This means that the IP addresses hosting the content change every few seconds. This technique makes it virtually impossible for ISPs to take down the site because the fast-flux pool is fed with thousands of infected "botnet" machines that serve up the content.

The only fast and effective way of shutting down a fast-flux hosted website is to shut down the domains involved. If the domains are removed from the TLD rootservers they cannot be resolved anymore, this makes the fast-flux hosted websites unreachable. The only party that can shut down a domain is the registrar where the domain was registered. With the advent of fast-flux hosting, registrars now have a critical role in enforcing a policy against spam. That is why Spamhaus sees it as an absolute must that registrars keep in touch with--and react to--today's spam & virus issues.

While many registrars are very cooperative, others have not yet addressed the problem. In this case the Storm worm people have registered their domains through This does not look like a coincidence, because thus far Spamhaus has been unable to establish contact with to have the domains involved shut down. Of course it is the holiday season, but we assume that even has a 24/7 staff to keep things running and to react to serious issues.

This is a very serious issue, involving a massive flood of spam designed to infect many thousands of end-user machines. Due to the fast-flux nature of the hosting only can effectively put a halt to this malware disguised as a fake greeting card, stop thousands of internet users from becoming infected with the Storm worm and becoming senders of spam right after that. Unfortunately, has failed to react to all of our efforts at contacting them. Given the huge impact of the Storm worm, the impact can have by suspending the domains involved and their failure to react promptly, Spamhaus has no other option than to list critical parts of their infrastructure in SBL to get their attention. Holiday season or not, organizations like need to react when alerted to serious problems like these.

Related SBL listings:

Related articles:- US CERT: Storm Worm Activity Increases During Holiday Season.- F-Secure: Storm action continues.- SecurityZone: Also spread using blog-spamming.- Dancho Danchev's Blog: Riders on the Storm Worm.- Fergie's Tech Blog: ZLOB worm sites are now Storm worm sites.- PCWorld: Storm Worm Tempts With Christmas Strip Show.- ISC-SANS: Anticipated Storm-Bot Attack Begins.- Arbor: Storm is Back, Dude!- CastleCops: Mrs. Claus gone wild :)- McAfee: