ROKSO
The Register of Known Spam Operations
zombies



Not a spammer or spam gang, but a "tag" where we place hijacked ("zombie") IP address blocks. These are re-tagged when we find the spam gang behind the hijack.


zombies SBL Listings History
Current SBL Listings
Archived SBL Listings

Main Info


A "zombie" in the ROKSO sense is a netblock brought back from the dead, often by a spammer, also called a "hijacked netblock." (The term "zombie" later became widely applied to the infected peecee drones in a botnet.) The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys including registering an abandoned domain name for domain contact, or printing up bogus letterhead, or doing a bit of human engineering over the telephone. Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their BGP Autonomous System Number.

Oh, and Autonomous Systems get the zombie cucumber, too. Old, abandoned AS are taken by a spammer or spammer supplier to announce various IP ranges. So it's quite possible to have a zombie netblock advertised by a zombie AS.

Originally a few crufty geeks found these ranges for cheap digs. While their ownership claims were unethical, they did not use the zombie networks for abuse. All that changed when spammers entered the picture. Then the zombie game became dominated by spammers (and some script kiddies) and it is now wise to accept no packets, and certainly no e-mail, from zombie networks.

Zombies can be found in blocks assigned by every Regional Internet Registry (RIR) including ARIN, RIPE, APNIC, and others. Restoring proper ownership of a zombie netblock means finding the original owner (often a dissolved company) and jumping through RIR hoops. It's a slow and laborious process, important but not suited to stopping today's spam.

The peering/transit arrangements for zombies change very quickly. Spamhaus leaves the entire zombie block listed in SBL, categorized under the RIR, and then provides additional pointer records for networks carrying the zombie's traffic. While such records are often only a single router's IP address (/32), the record will indicate the greater problem (and the problem is much greater than a single IP). Spamhaus may also provide additional SBL records within a zombie as various SWiPs or single IPs within the net are assigned to different ROKSO spammers. These, too, may serve as pointers to the upstream, as the zombie block is sometimes SWiPed as portable subnets with each spammer left to find their own transit.

Spamhaus lists entire zombie networks. Some of them are known to be controlled by a particular spammer and are thus listed under that spammer's ROKSO records. Those that are not assigned to another spammer may be assigned to this record. So, it is suggested that anyone searching for zombie networks under their aegis not only check this record's Current SBL Listings, but also check under their domain name and RIR via the search function at http://www.spamhaus.org/sbl/.
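
The listing layout described above (a whole zombie block, narrower records inside it, and /32 pointer records for upstream routers) can be checked from the defender's side as follows. This is an added example, not Spamhaus code: the "cidr ; id ; note" line format, the record ids and the documentation-range addresses are all constructed for illustration.

```python
import ipaddress

# Constructed sample listings (RFC 5737 documentation ranges, placeholder ids).
SAMPLE_LISTINGS = """\
# cidr ; id ; note   (format assumed for this example)
198.51.100.0/24 ; SBL-EXAMPLE-1 ; whole zombie block, categorized under the RIR
198.51.100.64/26 ; SBL-EXAMPLE-2 ; SWIP inside the zombie assigned to one spammer
203.0.113.7/32 ; SBL-EXAMPLE-3 ; pointer: upstream router carrying zombie traffic
not-a-cidr ; SBL-EXAMPLE-4 ; malformed line, must be skipped
"""

def parse_listings(text):
    """Parse 'cidr ; id ; note' lines into (network, id, note) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 2:
            continue
        try:
            # strict=True rejects entries with host bits set (likely typos).
            net = ipaddress.ip_network(parts[0], strict=True)
        except ValueError:
            continue
        note = parts[2] if len(parts) > 2 else ""
        records.append((net, parts[1], note))
    return records

def match(ip, records):
    """Return every record covering ip, most specific prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in records
            if r[0].version == addr.version and addr in r[0]]
    return sorted(hits, key=lambda r: r[0].prefixlen, reverse=True)

def matching_ids(ip, records):
    """Convenience wrapper: just the record ids, most specific first."""
    return [rec_id for _, rec_id, _ in match(ip, records)]

if __name__ == "__main__":
    recs = parse_listings(SAMPLE_LISTINGS)
    for ip in ("198.51.100.70", "198.51.100.10", "203.0.113.7", "192.0.2.1"):
        print(ip, "->", matching_ids(ip, recs) or "not listed")
```

An address inside the narrower SWIP matches both that record and the enclosing block, which is why the lookup returns all covering records and not only the first hit.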



Related URLs

The Completewhois Project investigates stolen I.P. space at http://www.completewhois.com/hijacked/ (archive.org)

SecurityFocus News: Cracking Down on Cyberspace Land Grabs

PSST! Hey Mister... wanna buy a Grandfathered Class B network? ROKSO [2594]
Infamous spamhaus Empire Towers joins in the fun - ROKSO [2616] (removed)

The complete Spamhaus list of RIR-assigned spammer blocks including zombies is available as the "Don't Route Or Peer" (DROP) list.


The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: https://www.spamhaus.org/rokso/evidence/ROK2493/

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.