The Spamhaus Project

1.5K Followers
21 Following
605 Posts
Spamhaus strengthens trust and safety for the Internet. Advocating for change through sharing reliable intelligence and expertise. As the authority on IP and domain reputation data, we are trusted across the industry because of our strong ethics, impartiality, and quality of actionable data. This data not only protects but also provides signal and insight across networks and email worldwide. With over two decades of experience, our researchers and threat hunters focus on exposing malicious activity to make the internet a better place for everyone. A wide range of industries, including leading global technology companies, use Spamhaus' data; currently protecting over 4.5 billion mailboxes worldwide.
Website: https://www.spamhaus.org
Threat Intel Community: https://submit.spamhaus.org
LinkedIn: https://www.linkedin.com/company/the-spamhaus-project
Twitter: https://twitter.com/spamhaus

Good news: over the past 30 days, activity has declined across almost all of the Top 20 countries hosting IPs associated with exploited devices.

Only four countries saw increases:

🇨🇳 #1 China (+19%)
🇮🇩 #6 Indonesia (+9%)
🇩🇿 #7 Algeria (+9%)
🇪🇬 #20 Egypt (+11%)

For a full picture of where activity is rising and falling globally, dig deeper into Spamhaus Reputation Statistics here ⤵️⤵️
https://www.spamhaus.org/reputation-statistics/countries/exploit/

#ExploitedDevices #MaliciousIPs #ThreatIntelligence

This operation has established a clear modus operandi:

- Find a large unused network assigned to a large ISP
- Find an ASN not in use but also assigned to the same large ISP
- Set up a router announcing the network from the ASN, so that (almost) nobody will see anything wrong with the announcement.
- Set up a fake transport ISP in between to muddy the waters
- Connect the whole thing to the internet through an ISP with "relaxed" vetting procedures on what customers announce, and voilà, a hijacked network is connected.

This series of events clearly demonstrates how important it is to look at routes including their connectivity, not just the ASN and network - it's only the connectivity which reveals the hijacking issue.

We've identified additional suspicious routes (see image):

AS22521 and AS4183: Verizon Business 🇺🇸
AS22541: MEGALINK S.R.L. 🇧🇴
AS20940: Akamai International B.V.
AS18734: Operbes S.A. de C.V. 🇲🇽

They all lead back to Chicago. https://www.youtube.com/watch?v=gvKs2VLmVnY ⬇️

RE: https://infosec.exchange/@spamhaus/116398003458245821

Over the past 48 hours there have been some very interesting developments...

The "Charter Communications" announcements for 47.1.0.0/16 and 47.2.0.0/16 have disappeared, implicitly confirming that they were hijacked.

The "Orange" announcement for AS41128 has changed - the path is now:

90.98.0.0/15 AS41128 AS22541 AS29802

AS41128: Orange 🇫🇷
AS22541: MEGALINK S.R.L. 🇧🇴
AS29802: Hivelocity 🇺🇸

The entire network has relocated from Chicago to Dallas (likely to the Prime Dallas Campus DFW01 datacenter). Once more, the inclusion of a South American ISP appears completely unrealistic: the traffic between the AS29802 router (de-cix.dfw.hivelocity.net) and the final destination seemingly never leaves the Dallas datacenter.

But there's more. ⬇️

#infosec #cyberSecurity

๐ŸŒ OUT NOW | Spamhaus Domain Report Oct 2025 - March 2026!

โฌ†๏ธ 46.9 million new domains
โฌ‡๏ธ 2.15 million malicious domain detections
โฌ†๏ธ Domains associated with botnet C&Cโ€™s (+289%) & malware (+206%)
๐Ÿ”„ .bond (and many more!) see high churn of new registrations

And find out which TLD has a massive 17.5% of its zone file listed 😱!

Read the full domain report here 👉 https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-oct-2025-mar-2026/

#DomainAbuse #DomainInsights

📢 FINAL REMINDER | From tomorrow we will start to restrict access to Oracle IP addresses querying our DNSBLs. To stay protected by the data, register for Spamhaus Technology's FREE Data Query Service - changes to config take minutes.

Sign up here 👇
https://www.spamhaus.com/data-access/free-data-query-service/

#Oracle #DNSBL #DQS

Why would Orange 🇫🇷 announce 90.98.0.0/15 from Chicago 🇺🇸 using Gcore 🇱🇺 for intercontinental transport, while using 🇲🇽 Mexican ISPs as upstreams to route traffic over what appears to be no actual distance?

Comcast 'apparently' last used AS393232 in 2017
Charter abandoned AS36429 in 2014
Orange only used AS41128 briefly from August to October 2025

In all three cases, the originating ASNs were not active prior to these announcements, making the situation even more unusual.

And this raises the question 🤔 ...⬇️

Testing shows that these networks appear to be physically located just behind the router vrrp.gcore.lu (213.156.140.67) at the DE-CIX facility in Chicago.

This suggests that transport between Gcore and the final destination appears to take place within the same datacenter, despite the apparent involvement of 🇲🇽 Mexican ISPs and in one case even Cloudflare 🇺🇸.

And there are more anomalies to note: ⬇️

We've recently observed some unusual large-scale routes appearing on the internet (see image), involving the following networks:

AS393232: Comcast Cable Communications 🇺🇸
AS36429: Charter Communications 🇺🇸
AS41128: Orange 🇫🇷
AS13335: Cloudflare 🇺🇸
AS17072: Total Play Telecommunications 🇲🇽
AS270118: Soluciones, Analíticos Y Servicios Team (Stratosphere Technology Latam) 🇲🇽
AS199524: Gcore Labs 🇱🇺

The label "path (fixed)" indicates that identical paths were observed by several probes across the internet. This strongly suggests that AS199524 is the central pivot point behind these announcements.

While the first four paths have since disappeared, the most recent three remain active. ⬇️
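Two of the posts above make a concrete analytical point: the "modus operandi" post says that the hijack only becomes visible when you look at a route's connectivity (the transit hops, a dormant origin ASN) rather than just the prefix and origin, and the "path (fixed)" post infers the pivot ASN from paths that several probes see identically. The script below is an added example written for this page, not Spamhaus' own tooling. It works on paths in the same "prefix AS... AS..." notation the posts use; the ASN-to-country, prefix-to-country and last-active tables are constructed from the attributions in the posts (a real deployment would populate them from RIR delegation files and route-collector history), the observation set is constructed, and the AS64496-AS64499 entries are RFC 5398 documentation ASNs used as placeholders.

```python
"""Heuristic triage of BGP AS paths (added example, not Spamhaus' code)."""
from collections import Counter
from datetime import date

# Constructed: registration country of each ASN, as attributed in the posts.
# 64496-64499 are documentation ASNs (RFC 5398), used here as placeholders.
ASN_COUNTRY = {
    41128: "FR", 22541: "BO", 29802: "US", 199524: "LU", 17072: "MX",
    270118: "MX", 13335: "US", 393232: "US", 36429: "US",
    64496: "FR", 64497: "US", 64498: "US", 64499: "US",
}
# Constructed: country of the organisation each prefix is allocated to.
PREFIX_COUNTRY = {"90.98.0.0/15": "FR", "47.1.0.0/16": "US", "47.2.0.0/16": "US",
                  "198.51.100.0/24": "US"}
# Constructed: year the origin ASN last announced anything (figures from the posts).
ORIGIN_LAST_ACTIVE = {393232: 2017, 36429: 2014, 41128: 2025}
DORMANT_YEARS = 3


def parse_path(line):
    """'90.98.0.0/15 AS41128 AS22541 AS29802' -> ('90.98.0.0/15', [41128, 22541, 29802]).

    Hops are listed origin first and farthest upstream last, as in the posts."""
    prefix, *hops = line.split()
    return prefix, [int(h[2:]) if h.upper().startswith("AS") else int(h) for h in hops]


def flag_path(prefix, asns, today=date(2026, 5, 1)):
    """Return human-readable reasons this announcement deserves a closer look.

    Checks: origin ASN registered in a different country than the prefix; origin ASN
    dormant for years before the announcement; a transit hop whose country matches
    neither neighbour (the 'South American ISP between France and Dallas' pattern)."""
    reasons = []
    origin = asns[0]
    origin_cc = ASN_COUNTRY.get(origin, "??")
    prefix_cc = PREFIX_COUNTRY.get(prefix)
    if prefix_cc and origin_cc != prefix_cc:
        reasons.append(f"origin AS{origin} registered in {origin_cc}, prefix allocated in {prefix_cc}")
    last = ORIGIN_LAST_ACTIVE.get(origin)
    if last is not None and today.year - last >= DORMANT_YEARS:
        reasons.append(f"origin AS{origin} dormant since {last}")
    countries = [ASN_COUNTRY.get(a, "??") for a in asns]
    for i in range(1, len(asns) - 1):
        here, prev, nxt = countries[i], countries[i - 1], countries[i + 1]
        if here != prev and here != nxt:
            reasons.append(f"transit AS{asns[i]} ({here}) sits between {prev} and {nxt}")
    return reasons


def find_pivot(observations):
    """observations maps prefix -> {probe name: path line}.

    A prefix is 'fixed' when every probe reports the identical path (the post's
    'path (fixed)' label; the constructed data already omits each probe's own
    upstream hops). Returns (asn, count) for the non-origin ASN shared by the most
    fixed paths, or None when no path is fixed."""
    fixed = []
    for by_probe in observations.values():
        distinct = {tuple(parse_path(p)[1]) for p in by_probe.values()}
        if len(distinct) == 1:
            fixed.append(next(iter(distinct)))
    if not fixed:
        return None
    shared = Counter(asn for path in fixed for asn in path[1:])
    return shared.most_common(1)[0]


# Constructed observations: three fixed paths converging on AS199524, plus a control
# prefix whose path legitimately differs by probe and is therefore not fixed.
OBSERVATIONS = {
    "47.1.0.0/16": {"ams": "47.1.0.0/16 AS36429 AS17072 AS199524",
                    "sin": "47.1.0.0/16 AS36429 AS17072 AS199524"},
    "47.2.0.0/16": {"ams": "47.2.0.0/16 AS36429 AS270118 AS199524",
                    "sin": "47.2.0.0/16 AS36429 AS270118 AS199524"},
    "90.98.0.0/15": {"ams": "90.98.0.0/15 AS41128 AS13335 AS199524",
                     "sin": "90.98.0.0/15 AS41128 AS13335 AS199524"},
    "198.51.100.0/24": {"ams": "198.51.100.0/24 AS64497 AS64498",
                        "sin": "198.51.100.0/24 AS64497 AS64499"},
}

if __name__ == "__main__":
    for prefix, by_probe in OBSERVATIONS.items():
        _, asns = parse_path(next(iter(by_probe.values())))
        print(prefix, flag_path(prefix, asns) or ["no flags"])
    print("likely pivot:", find_pivot(OBSERVATIONS))
```

The country-discontinuity check is deliberately crude: a transit hop whose registration country matches neither neighbour is common for large international carriers, so treat it as a prompt to look at the route's connectivity (as the posts did with traceroutes into the DE-CIX facilities), not as a verdict. The dormancy check only fires for origins that have not announced anything for several years, which is why AS41128, active briefly in 2025, is not flagged on that ground.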