Spamhaus under major DDoS


Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver are currently offline.
DNS services, including rsync and the mirrors, are up and running.
Spamhaus is working to bring the mailserver and website back up, and is hoping to have them up later today.
If there are any critical or particularly urgent SBL issues today, contact your ESP delivery team. The folks who were contacted do have an email address for urgent issues. This is not an address for routine queries, however, and most listees are going to have to wait until normal services are restored to have their listing addressed.
If there is something particularly urgent and your ESP or delivery team does not have a contact address, you can contact me and I can see what I can do.
UPDATE: Most of the IPs people have sent me are actually XBL/CBL listings. But right now the CBL webserver is responding slowly due to the DoS.
If you want to look up a listing without using the Spamhaus website you can use the “host” or “dig” command line tools. To do this, reverse the order of the four octets of the IP address and append zen.spamhaus.org on the end.
So for the IP 10.11.12.13 you would query 13.12.11.10.zen.spamhaus.org

admin:~ laura$ host 13.12.11.10.zen.spamhaus.org

13.12.11.10.zen.spamhaus.org has address 127.0.0.4

or

admin:~ laura$ dig 13.12.11.10.zen.spamhaus.org

; <<>> DiG 9.7.6-P1 <<>> 13.12.11.10.zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22991
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 22, ADDITIONAL: 0

;; QUESTION SECTION:
; 13.12.11.10.zen.spamhaus.org. IN A

;; ANSWER SECTION:
13.12.11.10.zen.spamhaus.org. 900 IN A 127.0.0.4

A return of 127.0.0.2 is an SBL listing.
A return of 127.0.0.4 is an XBL listing.
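The same lookup as a small script, added here as an example and not part of the original post: it builds the reversed-octet query name, resolves it, and decodes the 127.0.0.x answer. The .2, .4 and .10 codes are the ones given in the post and the comments below; the .3, .5 to .7, .11 and 127.255.255.x rows are taken from Spamhaus's published return-code table and are assumptions as far as this page is concerned.

```python
import ipaddress
import socket

# Meaning of the A records ZEN returns. 127.0.0.2 (SBL), 127.0.0.4 (XBL) and
# 127.0.0.10 (PBL) are from the post; the remaining rows are assumed from
# Spamhaus's published return-code documentation, not from this page.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
    "127.255.255.252": "ERROR: typing error in DNSBL name",
    "127.255.255.254": "ERROR: query sent through a public/open resolver",
    "127.255.255.255": "ERROR: excessive number of queries",
}


def zen_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the four octets and append the zone, e.g. 10.11.12.13 ->
    13.12.11.10.zen.spamhaus.org (IPv4 only, as in the post).
    Raises ValueError for a malformed address instead of querying garbage."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_zen_answers(answers):
    """Translate the returned A records into list names, in address order.
    ZEN can return several records for one IP (e.g. SBL and PBL at once)."""
    ordered = sorted(set(answers), key=ipaddress.IPv4Address)
    return [ZEN_CODES.get(a, f"unknown code {a}") for a in ordered]


def zen_lookup(ip: str):
    """Live lookup against the system resolver. NXDOMAIN means 'not listed'
    and is reported as an empty list. Query from your own resolver: an
    ERROR code in the result means the answer is not a listing verdict."""
    name = zen_query_name(ip)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []  # NXDOMAIN: the IP is not on any ZEN list
    return decode_zen_answers({info[4][0] for info in infos})
```

Only zen_lookup() touches the network; the other two functions can be exercised offline with the 127.0.0.4 answer shown in the dig output above.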

26 comments

  • Thanks a lot for your post, Laura. One of my servers was suddenly listed on Spamhaus’s SBL list, so we are wrapped up in this situation as well. To circumvent this we are trying to adjust our external IP address to speed up return to service.

  • Is there an increase in domains/IPs getting blocked by spamhaus today?
    My company can’t send to anyone using spamhaus right now, and of course I can’t get in touch with them to do anything about it.

  • I’m having the same problem: all of a sudden my company’s mail server IP is listed on Spamhaus, and I can do NOTHING to get removed… ouch!

  • Hey, Eric,
    I sent you mail about this.
    Anyone else seeing “sudden listings” I can help, but only if you give me an IP address. There shouldn’t be an increase in listings. Many Spamhaus folks haven’t had time to do any listing work recently.

  • That’s a CBL/XBL listing, which means that machine or something behind it is infected. The CBL website is currently impacted by the DDoS, so you can’t look it up through the website.

  • We were on the CBL and ZEN listings starting Friday morning. We’ve since worked around the problem by using a NAT rule to advertise a different external IP address and updated external DNS; this worked immediately and started getting mail flowing. Contact your network administrators!
    We are not a marketing company, so how we got on the list is a concern.
    Laura, your insight and communication about this is greatly appreciated!

  • I have other external IPs I could use too… but that’s only temporary if the other IP gets listed due to the root cause of the problem. I’d also like to know how I got listed (like Jamie). I see no evidence of anything going out due to infected PCs (we block port 25 going out for all but our mail server, mail server logs show it’s healthy with no strange e-mails for the last few hours, and nothing going to port 80 to the pushdo sinkhole (I can’t block port 80 outbound or people can’t visit websites!)). I could block to certain subnets like the subnet the pushdo sinkhole is on. Still bummed I’m listed…

  • Laura, I have the same problem. Spamhaus returns a 127.0.0.10, but the server has a fixed IP address, the same one it’s had for several years.

  • .10 is a PBL listing, maintained by the ISP. So you really need to talk to your ISP about the listing.

  • I wanted to thank Laura here on the blog for all of her help today. We are now de-listed thanks to her connections with some folks at Spamhaus (that don’t require use of their currently DDoS’d website)! We have isolated the root cause to some infected machines that use outbound stuff on port 80 (which we don’t block so people can use the web)! So we are now confident that we won’t get re-listed. Thanks again Laura.

  • Where do we find your contact information Laura?
    I have an IP I want to get delisted for a company.

  • Any ideas on how soon the website will be UP? We’re also listed for 2 days now and no way to delist, although the problem was fixed.
    I would really like to resolve this ASAP.

  • Laura: Have you noticed any change in spammer traffic or anything due to the Spamhaus outage? I know RBLs weren’t down, but the resources needed to list new IPs from spamgang runs were limited or down, so I was curious if this was a coordinated attack in conjunction with huge spam runs?

  • There were posts in a few places within the last 2 hours suggesting it should be up “soon.” I don’t have any more recent information than that.

  • I don’t have the tools or traps to really measure traffic myself, but I’ve not heard anything from anyone indicating volumes are up.

  • […] Last night Spamhaus was the target of a distributed denial of service attack (DDoS) which at the time of this post is still happening. The attack is so great the admins of SpamHaus sent out an email informing the public of the severity of the attack. Original posting source of the attack can be found at the Word to the Wise via Laura Atkins. […]

  • We did manage to get into Spamhaus’s website yesterday; I must say Spamhaus gives great info on why you are blocked. While the DDoS was occurring, we moved our mail server to a dedicated new external NAT IP, which immediately fixed the problem. Investigating further, one of our secondary utility mail servers was using the same NAT IP as our web/http workstation traffic. This is key, as we found the culprit was an infected workstation with the Zbot/Zeus trojan, so it triggered the IP address blacklist, and mail was impacted as a result of this.

  • Our company’s IP address is blacklisted. I found the trojan and have removed it. But because CBL’s website is still down, I am not able to remove our company from the blacklist. In the meantime, a majority of our emails are being bounced back. I’ve sent an email to CBL, but since their website is down, what are the chances they will get the email? This is a major problem when our business is being affected by this. Is there any way to be removed from their blacklist?

By laura