Spamhaus under major DDoS

Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver are currently offline.

DNS services, including rsync and the mirrors, are up and running.

Spamhaus is working to bring the mailserver and website back up, and are hoping to have it up later today.

If there are any critical or particularly urgent SBL issues today, contact your ESP delivery team. The folks who were contacted do have an email address for urgent issues. This is not an address for routine queries, however, and most listees are going to have to wait until normal services are restored to have their listing addressed.

If there is something particularly urgent and your ESP or delivery team does not have a contact address, you can contact me and I can see what I can do.

UPDATE: Most of the IPs people have sent me are actually XBL/CBL listings. But right now the CBL webserver is responding slowly due to the DDoS.

If you want to look up a listing without using the Spamhaus website you can use the “host” or “dig” command line tools. To do this, reverse the four octets of the IP address (not the individual digits) and append zen.spamhaus.org on the end.

So for the IP 10.11.12.13 you would query 13.12.11.10.zen.spamhaus.org.

admin:~ laura$ host 13.12.11.10.zen.spamhaus.org

13.12.11.10.zen.spamhaus.org has address 127.0.0.4

or

admin:~ laura$ dig 13.12.11.10.zen.spamhaus.org

<<>> DiG 9.7.6-P1 <<>> 13.12.11.10.zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22991
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 22, ADDITIONAL: 0

;; QUESTION SECTION:
; 13.12.11.10.zen.spamhaus.org. IN A

;; ANSWER SECTION:
13.12.11.10.zen.spamhaus.org. 900 IN A 127.0.0.4

A return of 127.0.0.2 is an SBL listing.

A return of 127.0.0.4 is an XBL listing.
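The lookup above can be scripted so that a whole list of IPs is checked and the 127.0.0.x answers are decoded without touching the web interface. This is an added example, not code from the original post: it reverses the octets, appends the zone, resolves the name and maps each A record to a list name. The page gives 127.0.0.2 (SBL), 127.0.0.4 (XBL) and, in the comments, 127.0.0.10 (PBL); the neighbouring codes and the 127.255.255.0/24 error range follow Spamhaus's published Zen return-code table. The `resolve` parameter is an assumption of this example so the classification can be exercised with a stub resolver.

```python
import ipaddress
import socket

# Zen return codes. The page states 127.0.0.2 = SBL, 127.0.0.4 = XBL and
# (in the comments) 127.0.0.10 = PBL; the neighbouring codes follow
# Spamhaus's published Zen return-code table.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Answers in this range signal a refused or erroneous query, never a listing.
ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")


def zen_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the four octets (not the digits) and append the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name: str) -> list:
    """Resolve with the system resolver; NXDOMAIN (not listed) becomes []."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def lookup(ip: str, resolve=system_resolve) -> dict:
    """Query Zen for one IPv4 address and classify every A record returned."""
    name = zen_query_name(ip)
    lists, errors = [], []
    for answer in resolve(name):  # Zen may return several A records
        if ipaddress.IPv4Address(answer) in ERROR_RANGE:
            errors.append(answer)  # query refused/error: do not treat as a listing
        elif answer in ZEN_CODES:
            if ZEN_CODES[answer] not in lists:
                lists.append(ZEN_CODES[answer])
        else:
            errors.append(answer)  # unknown code: investigate rather than block
    return {"query": name, "listed": bool(lists), "lists": lists, "errors": errors}


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:] or ["10.11.12.13"]:  # page's example IP by default
        print(lookup(ip))
```

An empty `lists` with a non-empty `errors` means the query itself was rejected (for example when it went through a public resolver), so the IP's status is unknown rather than clean.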

26 comments

  1. Dave says

    Thanks a lot for your post, Laura. One of my servers was suddenly listed on Spamhaus’s SBL list all of a sudden, so we are wrapped up in this situation as well. To circumvent this we are trying to adjust our external IP address to speed up return to service.

  2. jamie says

    Is there an increase in domains/IPs getting blocked by spamhaus today?

    My company can’t send to anyone using spamhaus right now, and of course I can’t get in touch with them to do anything about it.

  3. Eric says

    I’m having the same problem — all of a sudden my company’s mail server IP is listed on Spamhaus … and I can do NOTHING to get removed… ouch!

    1. laura says

      Hey, Eric,

      I sent you mail about this.

      Anyone else seeing “sudden listings” I can help, but only if you give me an IP address. There shouldn’t be an increase in listings. Many Spamhaus folks haven’t had time to do any listing work recently.

  4. Eric says

    Hi Laura-

    I sent you an e-mail w/ our IP address that is in trouble. Thank you!

  5. jamie says

    209.33.201.114
    But I’d REALLY like to find out how I got listed.

    1. laura says

      That’s a CBL/XBL listing, which means that machine or something behind it is infected. The CBL website is currently impacted by the dDOS, so you can’t look up through the website.

  6. Dave says

    We were on the CBL and ZEN listing started Friday morning. We’ve since worked around the problem by using a NAT rule to advertise a different external IP address and updated external DNS; this worked immediately and started getting mail flowing. Contact your network administrators!
    We are not a marketing company, so how we got on the list is a concern.

    Laura, your insight and communication about this is greatly appreciated!

  7. Eric says

    I have other external IPs I could use too… but that’s only temporary if the other IP gets listed due to the root cause of the problem. I’d also like to know how I got listed (like Jamie). I see no evidence of anything going out due to infected PCs (we block port 25 going out for all but our mail server, mail server logs show it’s healthy with no strange e-mails for the last few hours, and nothing going to port 80 to the pushdo sinkhole (I can’t block port 80 outbound or people can’t visit websites!)). I could block to certain subnets like the subnet the pushdo sinkhole is on. Still bummed I’m listed…

  8. Steven Stern says

    Laura, I have the same problem. Spamhaus returns a 127.0.0.10, but the server has a fixed IP address, the same one it’s had for several years.

    1. laura says

      .10 is a PBL listing, maintained by the ISP. So you really need to talk to your ISP about the listing.

  9. Eric says

    I wanted to thank Laura here on the blog for all of her help today. We are now de-listed thanks to her connections with some folks at Spamhaus (that don’t require use of their currently DDoS’d website)! We have isolated the root cause to some infected machines that use outbound stuff on port 80 (which we don’t block so people can use the web)! So we are now confident that we won’t get re-listed. Thanks again Laura.

  10. Jesper says

    Where do we find your contact information Laura?
    I have an IP I want to get delisted for a company.

    1. laura says

      My contact info is: http://wordtothewise.com/company/contact.html

  11. Grega says

    Any ideas on how soon the website will be UP? We’re also listed for 2 days now and no way to delist, although the problem was fixed.

    I would really like to resolve this asap.

    1. laura says

      There were posts in a few places within the last 2 hours suggesting it should be up “soon.” I don’t have any more recent information than that.

  12. Richard King says

    Laura: Have you noticed any change in spammer traffic or anything due to the Spamhaus outage? I know RBLs weren’t down, but the resources needed to list new IPs from spamgang runs were limited or down, so I was curious if this was a coordinated attack in conjunction with huge spam runs?

    1. laura says

      I don’t have the tools or traps to really measure traffic myself, but I’ve not heard anything from anyone indicating volumes are up.

  13. Spamhaus.org Offline due to attack - Hello Inbox : An Email Marketing Blog by Email Marketing Service Provider, EmailDirect. says

    [...] Last night Spamhaus was the target of a distributed denial of service attack (DDoS) which at the time of this post is still happening. The attack is so great the admins of Spamhaus sent out an email informing the public of the severity of the attack. Original posting source of the attack can be found at the Word to the Wise via Laura Atkins. [...]

  14. The Transactional Email News Digest | Message Exchange says

    [...] blocking lists and services, Laura Atkins at the indispensable Word to the Wise blog has some helpful suggestions. Good luck to the Spamhaus team in getting back up and running [...]

  15. Neil says

    website is back up

  16. Dave says

    We did manage to get into Spamhaus’s website yesterday. I must say Spamhaus gives great info on why you are blocked. While the DDoS was occurring, we moved our mail server to a dedicated new external NAT IP, which immediately fixed the problem. Investigating further, one of our secondary utility mail servers was using the same NAT IP as our web/http workstation traffic. This is key, as we found the culprit was an infected workstation with the Zbot/Zeus trojan, so it triggered the IP address blacklist, and mail was impacted as a result of this.

  17. Spamhaus hit by DDoS attack, not executed by Anonymous - says

    [...] anti-spam DNS blacklist service, has been hit by a severe DDoS attack over the weekend. Users have been informed by Spamhaus of certain services like their website and email server being unavailable, with them [...]

  18. Anonymous DDoS Attack Report Bogus, Spamhaus Says | RobertJGraham.com says

    [...] servers. The attack is so bad that the website and main mailserver is currently offline,” said Laura Tessmer Atkins of anti-spam consultancy Word to the Wise, in a blog posted Monday. “Spamhaus is working to [...]

  19. Stacey Gleason says

    Our company’s IP address is blacklisted. I found the trojan and have removed it. But because CBL’s website is still down, I am not able to remove our company from the blacklist. In the meantime, a majority of our emails are being bounced back. I’ve sent an email to CBL, but since their website is down, what are the chances they will get the email? This is a major problem when our business is being affected by this. Is there any way to be removed from their blacklist?

  20. Hackers Launch DDOS Attack Against Spamhaus « HackShark | make sure you are secure says

    [...] service, became inaccessible. No one knew what was going on until Monday, when the company started notifying its customers of a massive distributed denial-of-service (DDOS) attack against its servers. Shortly after, [...]
