The Spamhaus Project

Spamhaus strengthens trust and safety for the Internet. Advocating for change through sharing reliable intelligence and expertise. As the authority on IP and domain reputation data, we are trusted across the industry because of our strong ethics, impartiality, and quality of actionable data. This data not only protects but also provides signal and insight across networks and email worldwide. 
With over two decades of experience, our researchers and threat hunters focus on exposing malicious activity to make the internet a better place for everyone. A wide range of industries, including leading global technology companies, use Spamhaus' data, which currently protects over 4.5 billion mailboxes worldwide.
Website: https://www.spamhaus.org
Threat Intel Community: https://submit.spamhaus.org
LinkedIn: https://www.linkedin.com/company/the-spamhaus-project
Twitter: https://twitter.com/spamhaus

This operation has established a clear modus operandi:

- Find a large unused network assigned to a large ISP
- Find an ASN not in use but also assigned to the same large ISP
- Set up a router announcing the network from the ASN, so that (almost) nobody will see anything wrong with the announcement.
- Set up a fake transport ISP in between, to confuse waters
- Connect the whole thing to the internet through an ISP with "relaxed" vetting procedures on what customers announce, and voilà, a hijacked network is connected.

This series of events clearly demonstrates how important it is to look at routes including their connectivity, not just the ASN and network - it's only the connectivity which reveals the hijacking issue.

We've identified additional suspicious routes (see image):

AS22521 and AS4183: Verizon Business 🇺🇸
AS22541: MEGALINK S.R.L. 🇧🇴
AS20940: Akamai International B.V.
AS18734: Operbes S.A. de C.V. 🇲🇽

They all lead back to Chicago. https://www.youtube.com/watch?v=gvKs2VLmVnY ⬇️
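The modus operandi above boils down to two things a route monitor can check automatically: whether the origin ASN is actually authorised for the prefix (RPKI Route Origin Validation, RFC 6811 logic), and whether the path's connectivity makes geographic sense. The following is an added example and not Spamhaus tooling; the ROAs and the origin ASNs 64500/64501 (documentation range) are constructed, while the per-ASN country codes repeat the flags given in the posts.

```python
"""Added example (not Spamhaus code): origin validation plus a path
plausibility heuristic for announcements like those in the posts.

1. rov_state(): RFC 6811 style Route Origin Validation against a ROA list.
2. detours(): an intermediate AS whose registered country matches neither
   neighbour is flagged for a human look (the "look at connectivity" point).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str        # e.g. "90.96.0.0/13"
    origin_asn: int
    max_length: int


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple     # written as in the posts: origin AS first, upstream last


# Constructed ROAs: the prefix holder authorises one placeholder ASN
# (documentation range, RFC 5398) to originate its space. Not real ROAs.
ROAS = [
    ROA("90.96.0.0/13", 64500, 15),   # covers 90.98.0.0/15 (constructed)
    ROA("47.0.0.0/14", 64501, 16),    # covers 47.1.0.0/16 (constructed)
]

# Registered country per ASN, taken from the flags in the posts.
AS_COUNTRY = {
    41128: "FR",    # Orange
    22541: "BO",    # MEGALINK S.R.L.
    29802: "US",    # Hivelocity
    17072: "MX",    # Total Play Telecommunications
    199524: "LU",   # Gcore Labs
    36429: "US",    # Charter Communications
}


def rov_state(route, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for the route's origin AS."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[0]
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True                      # some ROA speaks for this space
        if roa.origin_asn == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def detours(route, countries=AS_COUNTRY):
    """Middle-of-path ASNs whose country differs from both neighbours."""
    path = route.as_path
    found = []
    for i in range(1, len(path) - 1):
        here = countries.get(path[i])
        prev_c = countries.get(path[i - 1])
        next_c = countries.get(path[i + 1])
        if here and prev_c and next_c and here not in (prev_c, next_c):
            found.append(path[i])
    return found


def assess(route):
    """Combine both checks into a (rov_state, [reasons]) verdict for alerting."""
    state = rov_state(route)
    odd = detours(route)
    reasons = []
    if state == "invalid":
        reasons.append("origin not authorised by ROA")
    if odd:
        reasons.append("detour via AS" + ", AS".join(str(a) for a in odd))
    return state, reasons


# First route as written in the post; the other two are constructed.
SAMPLE_ROUTES = [
    Route("90.98.0.0/15", (41128, 22541, 29802)),
    Route("47.1.0.0/16", (36429, 17072, 199524)),   # constructed path
    Route("90.98.0.0/15", (64500, 29802)),          # constructed: authorised origin
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(r.prefix, r.as_path, assess(r))
```

The detour heuristic is deliberately crude: it only says "a Bolivian or Mexican network sits between a French origin and a US upstream, look closer". Origin validation is the hard check, and it only bites where the prefix holder has actually published ROAs, which is why dormant-ASN hijacks of unused space tend to land in the not-found state rather than invalid.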

RE: https://infosec.exchange/@spamhaus/116398003458245821

Over the past 48 hours there have been some very interesting developments...

The "Charter Communications" announcements for 47.1.0.0/16 and 47.2.0.0/16 have disappeared, implicitly confirming that they were hijacked.

The "Orange" announcement for AS41128 has changed - the path is now:

90.98.0.0/15 AS41128 AS22541 AS29802

AS41128: Orange 🇫🇷
AS22541: MEGALINK S.R.L. 🇧🇴
AS29802: Hivelocity 🇺🇸

The entire network has relocated from Chicago to Dallas (likely to the Prime Dallas Campus DFW01 datacenter). Once more the inclusion of a South American ISP appears completely unrealistic, with the traffic between the AS29802 router (de-cix.dfw.hivelocity.net) and the final destination seemingly within the Dallas datacenter.

But there's more. ⬇️

#infosec #cyberSecurity

🌐 OUT NOW | Spamhaus Domain Report Oct 2025 - March 2026!

⬆️ 46.9 million new domains
⬇️ 2.15 million malicious domain detections
⬆️ Domains associated with botnet C&C’s (+289%) & malware (+206%)
🔄 .bond (and many more!) see high churn of new registrations

And find out which TLD has a massive 17.5% of its zone file listed 😱!

Read the full domain report here 👉 https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-oct-2025-mar-2026/

#DomainAbuse #DomainInsights

📢 FINAL REMINDER | From tomorrow we will start to restrict access to Oracle IP addresses querying our DNSBLs. To stay protected by the data, register for Spamhaus Technology's FREE Data Query Service - changes to config take minutes.

Sign up here 👇
https://www.spamhaus.com/data-access/free-data-query-service/

#Oracle #DNSBL #DQS

Why would Orange 🇫🇷 announce 90.98.0.0/15 from Chicago 🇺🇸 using Gcore 🇱🇺 for intercontinental transport, while using 🇲🇽 Mexican ISPs as upstreams to route traffic over what appears to be no actual distance?

Comcast 'apparently' last used AS393232 in 2017
Charter abandoned AS36429 in 2014
Orange only used AS41128 briefly from August to October 2025

In all three cases, the originating ASNs were not active prior to these announcements...making the situation even more unusual.

And raises the question 🤔 ...⬇️

Testing shows that these networks appear to be physically located just behind the router vrrp.gcore.lu (213.156.140.67) at the DE-CIX facility in Chicago.

This suggests that transport between Gcore and the final destination appears to take place within the same datacenter, despite the apparent involvement of 🇲🇽 Mexican ISPs and in one case even Cloudflare 🇺🇸.

And there are more anomalies to note: ⬇️

We've recently observed some unusual large-scale routes appearing on the internet (see image), involving the following networks:

AS393232: Comcast Cable Communications 🇺🇸
AS36429: Charter Communications 🇺🇸
AS41128: Orange 🇫🇷
AS13335: Cloudflare 🇺🇸
AS17072: Total Play Telecommunications 🇲🇽
AS270118: Soluciones, Analíticos Y Servicios Team (Stratosphere Technology Latam) 🇲🇽
AS199524: Gcore Labs 🇱🇺

The label "path (fixed)" indicates that identical paths were observed by several probes across the internet. This strongly suggests that AS199524 is the central pivot point behind these announcements.

While the first four paths have since disappeared, the most recent three remain active. ⬇️
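Two of the observations in these posts can be turned into checks directly: the "path (fixed)" label (the same AS path reported by several probes, with one transit AS common to all of them as the pivot) and the dormant-origin point from the post about AS393232, AS36429 and AS41128 (an origin ASN with no announcements for years suddenly appearing). The code below is an added example, not Spamhaus tooling. The probe observations and exact paths are constructed; the ASNs and the last-seen years repeat what the posts state, with the day-of-year and the 90-day dormancy threshold chosen for the example.

```python
"""Added example (not Spamhaus code): two checks derived from the posts.

* fixed_paths(): AS paths reported identically by >= min_probes probes
  (the "path (fixed)" label in the post).
* pivot_asns(): the transit AS(es) common to every fixed path.
* dormant_origins(): origins whose last announcement is older than a
  threshold, e.g. AS393232 (2017) and AS36429 (2014) per the post.

Probe data below is constructed; last-seen years are from the post,
exact days are constructed.
"""
from collections import Counter
from datetime import date

# Last date each origin ASN was seen announcing, per the post (days constructed).
LAST_SEEN = {
    393232: date(2017, 12, 31),   # Comcast: "last used AS393232 in 2017"
    36429: date(2014, 12, 31),    # Charter: "abandoned AS36429 in 2014"
    41128: date(2025, 10, 31),    # Orange: used "from August to October 2025"
    13335: date(2026, 4, 1),      # Cloudflare: continuously active (constructed)
}

# Constructed observations: probe -> list of (prefix, path), origin AS first.
# ASNs are the ones named in the post; the exact paths are not from the post.
OBSERVATIONS = {
    "probe-a": [
        ("47.1.0.0/16", (36429, 17072, 199524)),
        ("90.98.0.0/15", (41128, 270118, 17072, 199524)),
        ("203.0.113.0/24", (393232, 13335, 199524)),   # placeholder prefix
    ],
    "probe-b": [
        ("47.1.0.0/16", (36429, 17072, 199524)),
        ("90.98.0.0/15", (41128, 270118, 17072, 199524)),
        ("203.0.113.0/24", (393232, 13335, 199524)),
    ],
    "probe-c": [
        ("47.1.0.0/16", (36429, 17072, 199524)),
        ("90.98.0.0/15", (41128, 17072, 199524)),       # differs from a and b
        ("203.0.113.0/24", (393232, 13335, 199524)),
    ],
}


def fixed_paths(observations, min_probes=2):
    """Map (prefix, path) -> number of probes that saw exactly that path."""
    votes = Counter()
    for _probe, routes in observations.items():
        for prefix, path in set(routes):       # one vote per probe per path
            votes[(prefix, path)] += 1
    return {key: n for key, n in votes.items() if n >= min_probes}


def pivot_asns(fixed):
    """ASNs present in every fixed path once the origin is excluded."""
    common = None
    for (_prefix, path) in fixed:
        transit = set(path[1:])
        common = transit if common is None else common & transit
    return common or set()


def dormant_origins(fixed, as_of, min_idle_days=90, last_seen=LAST_SEEN):
    """Origin ASNs idle for at least min_idle_days, with the idle day count."""
    out = {}
    for (_prefix, path) in fixed:
        origin = path[0]
        last = last_seen.get(origin)
        if last is None:
            continue                           # no history: cannot judge
        idle = (as_of - last).days
        if idle >= min_idle_days:
            out[origin] = idle
    return out


if __name__ == "__main__":
    fixed = fixed_paths(OBSERVATIONS)
    for (prefix, path), n in fixed.items():
        print(prefix, " ".join(f"AS{a}" for a in path), f"(fixed, {n} probes)")
    print("pivot:", pivot_asns(fixed))
    print("dormant origins:", dormant_origins(fixed, date(2026, 4, 15)))
```

Run on the constructed data, the path that only probe-c reports drops out, AS199524 is the only ASN shared by all remaining paths, and the three origins the post names show up as dormant while the constructed Cloudflare entry does not. In practice the last-seen table would be fed from a route collector archive rather than typed in.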

💪 Contributor "mugufinder" has shared 2,731 domains over the past 30 days 🔥 That’s a +1,969% increase, landing them in the Top 10 on the domain leaderboard! Incredible work!

Your ongoing support and submissions are what keep the threat intelligence flowing, thank you. ❤️🙏

Got malicious or suspicious IPs, domains, URLs, or raw source to share?

👉 Join the fight against cybercrime: https://submit.spamhaus.org/submit/

#CyberSecurity #ThreatIntelligence #ThreatHunting #Infosec #Community