Not a spammer or spam gang, but a "tag" where we place hijacked ("zombie") IP address blocks. These are re-tagged when we find the spam gang behind the hijack.

A "zombie" in the ROKSO sense is a netblock brought back from the dead, often by a spammer, also called a "hijacked netblock." (The term "zombie" later became widely applied to the infected peecee drones in a botnet.) The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys including registering an abandoned domain name for domain contact, or printing up bogus letterhead, or doing a bit of human engineering over the telephone. Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their BGP Autonomous System Number.

Oh, and Autonomous Systems get the zombie cucumber, too. Old, abandoned AS are taken by a spammer or spammer supplier to announce various IP ranges. So it's quite possible to have a zombie netblock advertised by a zombie AS.

Originally a few crufty geeks found these ranges for cheap digs. While their ownership claims were unethical, they did not use the zombie networks for abuse. All that changed when spammers entered the picture. Then the zombie game became dominated by spammers (and some script kiddies), and it is now wise to accept no packets, and certainly no e-mail, from zombie networks.

Zombies can be found in blocks assigned by every Regional Internet Registry (RIR), including ARIN, RIPE, APNIC, and others. Restoring proper ownership of a zombie netblock means finding the original owner (often a dissolved company) and jumping through RIR hoops. It's a slow and laborious process, important but not suited to stopping today's spam.

The peering/transit arrangements for zombies change very quickly. Spamhaus leaves the entire zombie block listed in SBL, categorized under the RIR, and then provides additional pointer records for networks carrying the zombie's traffic. While such records are often only a single router's IP address (/32), the record will indicate the greater problem (and the problem is much greater than a single IP). Spamhaus may also provide additional SBL records within a zombie as various SWiPs or single IPs within the net are assigned to different ROKSO spammers. These, too, may serve as pointers to the upstream, as the zombie block is sometimes SWiPed as portable subnets with each spammer left to find their own transit.

Spamhaus lists entire zombie networks. Some of them are known to be controlled by a particular spammer and are thus listed under that spammer's ROKSO records. Those that are not assigned to another spammer may be assigned to this record. So, it is suggested that anyone searching for zombie networks under their aegis not only check this record's Current SBL Listings, but also check under their domain name and RIR via the search function at

Related URLs

The Completewhois Project investigates stolen I.P. space at (

SecurityFocus News: Cracking Down on Cyberspace Land Grabs

PSST! Hey Mister... wanna buy a Grandfathered Class B network? ROKSO [2594]
Infamous spamhaus Empire Towers joins in the fun - ROKSO [2616] (removed)

The complete Spamhaus list of RIR-assigned spammer blocks including zombies is available as the "Don't Route Or Peer" (DROP) list.
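A network operator's check against such a list, as an added example (not Spamhaus code): it tests a source address or a BGP-announced prefix against whole listed blocks, so a subnet carved out of a zombie block still matches. The `CIDR ; SBL-id` line layout is an assumption, and the sample uses documentation prefixes with placeholder ids.

```python
import ipaddress

# Constructed sample in an assumed "CIDR ; SBL-id" text layout.
# Prefixes are documentation ranges; the SBL ids are placeholders.
SAMPLE_DROP = """\
; constructed sample, not real listings
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
2001:db8::/32 ; SBL000003
"""

def parse_drop(text):
    """Return [(network, ref)], skipping blank lines and ';' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        entries.append((net, ref.strip()))
    return entries

def match_address(entries, addr):
    """Return the ref of the listed block containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    for net, ref in entries:
        if ip.version == net.version and ip in net:
            return ref
    return None

def match_prefix(entries, prefix):
    """Classify an announced prefix against the listed blocks.

    'inside': the prefix is a listed block or a subnet of one.
    'covers': the prefix is a less-specific route containing a listed block.
    """
    p = ipaddress.ip_network(prefix, strict=False)
    for net, ref in entries:
        if p.version != net.version:
            continue  # subnet_of() raises TypeError across IP versions
        if p.subnet_of(net):
            return ("inside", ref)
        if net.subnet_of(p):
            return ("covers", ref)
    return (None, None)
```

An "inside" result is a candidate for dropping or refusing to peer; a "covers" result means a broader route overlaps a listed block and needs a manual look rather than a blanket filter.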

