Mastodawn

.bond (#6) operated by ShortDot S.A. continues to display patterns of high churn, with new domain registrations (1.13 million) almost equal to its total zone count (1.15 million) - 10–20% of new domains is considered unusually high.

But this reporting period .bond is not alone…

Three quarters of the Top 20 exceed this threshold 😱 - find out which ones in the latest Spamhaus Domain Update:

👉 https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-oct-2025-mar-2026/

#DomainReputation #InfoSec #CyberSecurity

Show thread

The Spamhaus Project 14h ago

151.217.0.0/16 AS62016 AS198198 AS42987 AS22879 AS199524

AS62016: Virgin Media 🇬🇧
AS198198: Telefonica Global Solutions 🇪🇸
AS42987: Virgin Media 🇬🇧
AS22879: Sirus, Inc 🇺🇸
AS199524: Gcore 🇳🇱
Location is Chicago.

However, this case is slightly different. 151.217.0.0/16 is a "bogon", which means the network is not assigned to anyone at this time (and so nobody should be using it).

After the first announcement, new (presumably fake) carriers were inserted into the BGP path as a decoy.

The general modus operandi suggests that this is the same gang in action.

The Spamhaus Project 14h ago

RE: https://infosec.exchange/@spamhaus/116415022836698078

Earlier this week orange
announced new routes taking precedence over its hijacked path, forcing the bad actors to withdraw the route:

90.98.0.0/15 AS41128 AS22541 AS29802 Bad actors (WITHDRAWN)
90.98.0.0/16 AS3215 AS5511 Orange 🇫🇷
90.99.0.0/16 AS3215 AS5511 Orange 🇫🇷

Meanwhile, the Verizon Business hijacks out of AS29802 remain active.

And, we’ve observed an additional suspicious route ⤵️⤵️

The Spamhaus Project 2d ago

Good news: over the past 30 days, activity has declined across almost all of the Top 20 countries hosting IPs associated with exploited devices.

Only four countries saw increases:

🇨🇳 #1 China (+19%)
🇮🇩 #6 Indonesia (+9%)
🇩🇿 #7 Algeria (+9%)
🇪🇬 #20 Egypt (+11%)

For a full picture of where activity is rising and falling globally, dig deeper into Spamhaus Reputations Statistics here ⤵️⤵️
https://www.spamhaus.org/reputation-statistics/countries/exploit/

#ExploitedDevices #MaliciousIPs #ThreatIntelligence

Show thread

The Spamhaus Project Apr 16

This operation has established a clear modus operandi:

- Find a large unused network assigned to a large ISP
- Find an ASN not in use but also assigned to the same large ISP
- Set up a router announcing the network from the ASN, so that (almost) nobody will see anything wrong with the announcement.
- Set up a fake transport ISP in between, to confuse waters
- Connect the whole thing to the internet through an ISP with "relaxed" vetting procedures on what customers announce, and voila', a hijacked network is connected.

This series of events clearly demonstrates how important it is to look at routes including their connectivity, not just the ASN and network - it's only the connectivity which reveals the hijacking issue.

Show thread

The Spamhaus Project Apr 16

We've identified additional suspicious routes (see image):

AS22521 and AS4183: Verizon Business 🇺🇸
AS22541: MEGALINK S.R.L. 🇧🇴
AS20940: Akamai International B.V.
AS18734: Operbes S.A. de C.V. 🇲🇽

They all lead back to Chicago. https://www.youtube.com/watch?v=gvKs2VLmVnY ⬇️

The Spamhaus Project Apr 16

RE: https://infosec.exchange/@spamhaus/116398003458245821

Over the past 48 hours there have been some very interesting developments...

The "Charter Communications" announcements for 47.1.0.0/16 and 47.2.0.0/16 have disappeared, implicitly confirming that they were hijacked.

The "Orange" announcement for AS41128 has changed - the path is now:

90.98.0.0/15 AS41128 AS22541 AS29802

AS41128: Orange 🇫🇷
AS22541: MEGALINK S.R.L. 🇧🇴
AS29802: Hivelocity 🇺🇸

The entire network has relocated from Chicago to Dallas (likely to the Prime Dallas Campus DFW01 datacenter). Once more the inclusion of a South-American ISP appears completely unrealistic, with the traffic between the AS29802 router (de-cix.dfw.hivelocity.net) and the final destination seemingly within the Dallas datacenter.

But there's more. ⬇️

#infosec #cyberSecurity

The Spamhaus Project Apr 15

🌐 OUT NOW | Spamhaus Domain Report Oct 2025 - March 2026!

⬆️ 46.9 million new domains
⬇️ 2.15 million malicious domain detections
⬆️ Domains associated with botnet C&C’s (+289%) & malware (+206%)
🔄 .bond (and many more!) see high churn of new registrations

And find out which TLD has a massive 17.5% of its zone file listed 😱!

Read the full domain report here 👉 https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-oct-2025-mar-2026/

#DomainAbuse #DomainInsights

The Spamhaus Project Apr 14

📢 FINAL REMINDER | From tomorrow we will start to restrict access to Oracle IP addresses querying our DNSBLs. To stay protected by the data, register for Spamhaus Technology's FREE Data Query Service - changes to config take minutes.

#Oracle #DNSBL #DQS

Show thread

The Spamhaus Project Apr 13

Why would Orange 🇫🇷 announce 90.98.0.0/15 from Chicago 🇺🇸 using Gcore 🇱🇺 for intercontinental transport, while using 🇲🇽 Mexican ISPs as upstreams to route traffic over what appears to be no actual distance?

Website	https://www.spamhaus.org
Threat Intel Community	https://submit.spamhaus.org
LinkedIn	https://www.linkedin.com/company/the-spamhaus-project
Twitter	https://twitter.com/spamhaus