The Spamhaus Project

Spamhaus strengthens trust and safety for the Internet. Advocating for change through sharing reliable intelligence and expertise. As the authority on IP and domain reputation data, we are trusted across the industry because of our strong ethics, impartiality, and quality of actionable data. This data not only protects but also provides signal and insight across networks and email worldwide. 
With over two decades of experience, our researchers and threat hunters focus on exposing malicious activity to make the internet a better place for everyone. A wide range of industries, including leading global technology companies, use Spamhaus' data; currently protecting over 4.5 billion mailboxes worldwide.
Website: https://www.spamhaus.org
Threat Intel Community: https://submit.spamhaus.org
LinkedIn: https://www.linkedin.com/company/the-spamhaus-project
Twitter: https://twitter.com/spamhaus

LESS THAN 2 WEEKS until access will start to be restricted to those querying our blocklists via Oracle’s network. Stay protected for free with Spamhaus Technology's Data Query Service - changes to config take minutes.

Read more & sign up: 👇
https://www.spamhaus.org/resource-hub/email-security/querying-the-free-dnsbls-via-oracle

#StayProtected #Oracle #DQS

For anyone actually trying to buy internet service from this list of providers? Good luck! We haven't observed abuse traffic emanating from these ASNs yet. But the infrastructure suggests this one is one to keep an eye on! 👀

This same company markets itself as a Chinese provider of "residential proxies." These ASNs are registered at RIPE (@ripencc) as assigned to ISPs delivering fibre to UK homes.

One explanation is that this makes proxy traffic appear to originate from genuine residential broadband customers. But it may not necessarily be for malicious purposes. It could be targeting SEO and those who want to "cheat the system" by simulating traffic from a large pool of users for marketing. ⤵️

An individual, Zhenyun Sun (https://find-and-update.company-information.service.gov.uk/officers/svz68usL11Hfb5q2_65DDqlFd2Y/appointments), is registering UK "fibre ISPs" at Companies House at an unusual rate. On the surface, they could pass for legitimate broadband providers. But look closer, and the picture soon changes 🕵️ ...

Some of these companies are assigned an ASN, sharing the same abuse contact: onesproxy[.]com. ⤵️

TAKE ACTION | If you’re using the free #DNSBLs and querying via Oracle’s network, you need to change your config, or from April 8th, you may face issues with your email stream.

Read why and the steps you need to take to stay protected for free in this blog:
https://www.spamhaus.org/resource-hub/email-security/querying-the-free-dnsbls-via-oracle

#FreeProtection #FreeData #Oracle

It doesn't happen every day that you see a /13 IPv4 network end up on Spamhaus Blocklist (SBL). Such large prefixes are commonly listed in conjunction with IP hijacking activity - and yes, you guessed it, the last /13 entering SBL (and DROP) is a hijacked unallocated prefix, according to our investigations🕵️

102.224.0.0/13, "reserved [by AFRINIC] for future as per section 5.4.7.1 of [AFRINIC's] consolidated policy manual Version 1.1", according to its AFRINIC database record, was suddenly announced by AS3563. Its owner, 🇺🇸Pilot Network Services, Inc, seems to have abandoned it; pilot[.]net is parked nowadays.

Shortly after 102.224.0.0/13 entered SBL and DROP, the BGP announcement by AS3563 disappeared. It remains unclear whether the miscreants themselves or their uplink, 🇧🇷ELETRONET S.A. (AS267613), pulled the plug. 🧐

IP hijacking remains a persistent threat. If you are a network operator, please ensure your IP assets and ASNs can't get hijacked, and your infrastructure does not process traffic to or from hijacked networks 👉 https://www.spamhaus.org/resource-hub/hijacking/

#Cybercrime #NetworkSecurity #ThreatIntel

...receiving greater attention, with greater recognition of the risks and consequences for end users.

At Spamhaus, we’ve been monitoring the abuse of residential proxy networks for some time, and we continue to work with the wider security community to address the issue, including participation in industry groups such as the M3AAWG Residential Proxy Working Group.

For further reading on the risks and abuse of residential proxies, see below ⤵️

Compromised | The danger of residential proxy networks | Spamhaus


📣 In case you missed it: last week the FBI released a Public Service Announcement on residential proxy networks. The notice explains, at a high level:

- What residential proxy networks are
- How they work
- How your device can become part of a residential proxy network
- How criminals are exploiting them
- Best practices to help protect yourself

Read the announcement here 👉 https://www.ic3.gov/PSA/2026/PSA260312

It’s encouraging to see residential proxies - an often overlooked security threat... ⤵️

In this post Sven Krohlas, Detection Engineer at Spamhaus, explains what you can share, how to share it, and what we need to help verify the activity you've observed.

Learn more here ⬇️
https://www.spamhaus.org/resource-hub/cybercrime/how-to-report-suspicious-activity-to-spamhaus/

#Community #ThreatIntel #SharingIsCaring #CyberSecurity

Resources | How to report suspicious activity to Spamhaus | Threat Intel Community

Find out how to report suspicious activity to Spamhaus and the type of information required to improve verification.
