The Spamhaus Project

Spamhaus strengthens trust and safety for the Internet. Advocating for change through sharing reliable intelligence and expertise. As the authority on IP and domain reputation data, we are trusted across the industry because of our strong ethics, impartiality, and quality of actionable data. This data not only protects but also provides signal and insight across networks and email worldwide. With over two decades of experience, our researchers and threat hunters focus on exposing malicious activity to make the internet a better place for everyone. A wide range of industries, including leading global technology companies, use Spamhaus' data; currently protecting over 4.5 billion mailboxes worldwide.

The Spamhaus Project spamhaus@infosec.exchange
2025-05-27

OPERATION ENDGAME 2.0 UPDATE | Following on from last week's announcement 📢 we are now sending notification emails 📩 to ISPs and hosting companies associated with the breached email accounts.

Here's what to do if you receive one:

👉 Go to this remediation webpage: spamhaus.org/endgame-2
👉 Enter the access code included in the email.
👉 Download the list of breached email accounts.
👉 Verify each email account, and where necessary, contact the owner and ask them to reset their password (there's a ready-made email template for you to use on the remediation webpage 😀)

Thank you to everyone who is part of this effort. 🙏

#Trustandsafety #OperationENDGAME2 #Takedown

The Spamhaus Project spamhaus@infosec.exchange
2025-05-23

🔥 Operation Endgame is BACK! This time targeting #BumbleBee, #Latrodectus, #DanaBot, #WarmCookie, #Qakbot and #Trickbot!

Once again this is a HUGE win, with a truly international effort! 💪

As with phase one of #OperationEndgame, Spamhaus are providing remediation support - those affected will be contacted in due course with steps to take.

For more information, read our write-up here:
👉 spamhaus.org/resource-hub/malw

The Spamhaus Project spamhaus@infosec.exchange
2025-05-21

.top remains firmly in the #2 spot for gTLDs most associated with phishing based on the number of detections we’re seeing 📈.

Missed our latest blog post on what’s going on with .🔝? And more importantly, what can be done to stop the ongoing proliferation in phishing abuse? ✋

Read the Domain Reputation Spotlight here ⤵️
spamhaus.org/resource-hub/serv

#DomainReport #DomainAbuse #DotTop #Phishing

Top 10 gTLDs associated with phishing activities by number of detections

The Spamhaus Project spamhaus@infosec.exchange
2025-05-21

Stark Industries, a UK-based hosting company, has been on our radar for some time. Last year we supported the German non-profit @correctiv_org with their investigation into the Neculiti brothers'. And almost a year to the day, @briankrebs published a deep-dive into their murky operations (links to articles in comments).

It was only a matter of time until...

Yesterday, the European Council finally took action, sanctioning the company for "acting as enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities, including information manipulation, interference, and cyber-attacks against the Union and third countries."

Read the full story here 👇

consilium.europa.eu/en/press/p

The Spamhaus Project boosted:
abuse.ch :verified: abuse_ch@ioc.exchange
2025-05-20

#ItsNewFeatureTuesday! (That’s a thing, right?) 😎
You can now share searches with 3rd parties without them needing to authenticate to view the results! It’s a neat feature that will save time and hassle.

Here's how it works ⤵️
1) User (authenticated!) searches on hunting.abuse.ch
2) Click the "share" button next to the search button
3) This creates a unique link and copies it to clipboard, for example:
hunting.abuse.ch/hunt/68274cdc

✨ Ta da! Any user with this link can see these results without the need to authenticate!

Happy Hunting (and sharing) enjoy! 🫶

#SharingIsCaring #ThreatIntel #ThreatHunting #CTI

New feature for hunting.abuse.ch

The Spamhaus Project spamhaus@infosec.exchange
2025-05-16

📢 ISPs: Don’t get lazy just because you can rely on our efficient detections and high impact listings. Too often, issues are ignored until we raise the flag 🚩. And if we don’t see them? The issue persists.

We work hard to detect issues quickly. But, Spamhaus should never be your only line of defense.

To protect your reputation:

✅ Monitor your abuse mailbox
✅ Track client behavior via netflow, SMTP logs, traffic graphs, etc.
✅ Analyze reports and act fast!

However, responsibility does not solely fall on the Trust & Safety Team. Neglecting to invest in abuse management might make savings now but it can cost far more later down the line.

Being proactive beats being listed. Every time.

The Spamhaus Project spamhaus@infosec.exchange
2025-05-15

Email authentication used to be something only big players worried about. Not anymore. While small senders may not feel the heat yet, it’s only a matter of time before it reaches them...

Want to stay ahead of the curve?

Learn how authentication can be implemented at the relay level to improve deliverability, prevent abuse, and protect your reputation before problems hit.

👉 spamhaus.org/resource-hub/deli

#EmailSecurity #Deliverability #EmailBestPractices

The Spamhaus Project spamhaus@infosec.exchange
2025-05-14

This month Spamhaus' CSS Blocklist reached 8 million active IPs listed for low-reputation email activity! 🎉 Spam activity appears to be shifting toward residential proxies, making up a significant portion of the increase, as emission IPs are constantly changing, with around 500k new IPs added to our lists each day. 📈

Email admins! Use this real-time DNSBL to reduce inbound spam and other malicious email traffic. For optimum filtering, apply at:

➡️ Initial connection – against the connecting IP
➡️ Once email data accepted – check IPs in received chain mail headers and IPs hosting resources in the body (e.g. URLs)

Learn more about this data set here ⤵️
spamhaus.org/blocklists/combin

#Spam #ResidentialProxies #EmailFiltering

8,000,000 IPs detected for spamming listed in the Combined Spam Sources (CSS) Blocklist.
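
An added example, not part of the Spamhaus post and not Spamhaus code: one way to run the two checks described above, first on the connecting IP and then on the public IPs in the Received chain (IPs behind body URLs are left out to keep it short). The zone `zen.spamhaus.org`, the CSS return code `127.0.0.3` and the `127.255.255.x` error range are assumptions taken from Spamhaus's published DNSBL conventions rather than from this page; the function names and the injected `resolve` callable are hypothetical.

```python
import ipaddress
import re

# Assumed, not from the post: zone name and return codes as Spamhaus publishes them.
ZONE = "zen.spamhaus.org"
CSS_CODE = "127.0.0.3"         # answer given for CSS listings
ERROR_PREFIX = "127.255.255."  # query errors (e.g. query sent via a public resolver)
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Constructed sample headers (documentation addresses), newest hop first.
SAMPLE = ("Received: from mx.example.net (mx.example.net [198.51.100.7])\r\n"
          "\tby mail.example.org with ESMTP\r\n"
          "Received: from laptop (unknown [192.168.1.20])\r\n"
          "\tby relay.example.com ([203.0.113.45]) with ESMTPA\r\n"
          "Subject: constructed sample\r\n")

def query_name(ip, zone=ZONE):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def received_chain_ips(raw_headers):
    """Routable IPv4 addresses found in Received: headers, in header order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # unfold continuation lines
    ips = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for candidate in BRACKETED_IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not a valid address, e.g. [999.1.1.1]
            # Duplicates and internal hops are not worth a query.
            if candidate not in ips and not any(addr in net for net in INTERNAL):
                ips.append(candidate)
    return ips

def classify(answers):
    """Turn the A records returned for one DNSBL query into a verdict."""
    if not answers:
        return "not-listed"    # NXDOMAIN: nothing known about this IP
    if any(a.startswith(ERROR_PREFIX) for a in answers):
        return "query-error"   # fix the DNS setup; never reject mail on this
    return "css" if CSS_CODE in answers else "listed-other"

def check_message(connecting_ip, raw_headers, resolve):
    """resolve(name) -> list of A-record strings; supply a real DNS lookup."""
    chain = [ip for ip in received_chain_ips(raw_headers) if ip != connecting_ip]
    return {ip: classify(resolve(query_name(ip))) for ip in [connecting_ip] + chain}
```

Treating the error range as a listing is the usual failure mode: a misconfigured resolver then causes every message to be rejected.
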
The Spamhaus Project spamhaus@infosec.exchange
2025-05-12

With a +61% ⬆️ increase, 🇺🇸 US-based "charter.com" is #1 for hosting IPs associated with exploited devices: 193,782 detections over the last 30 days....

....as well as 167 Spamhaus Blocklist (SBL) listings.

Spamhaus reputation statistics:
👉 spamhaus.org/reputation-statis

SBL listings:
👉 check.spamhaus.org/sbl/listing

#IPs #Exploits #Spamhaus #ReputationStatistics #ThreatIntel

The Spamhaus Project spamhaus@infosec.exchange
2025-05-09

🙇‍♂️ Masterguru, take a bow! You've been on fire, 70,352 IPs shared in the past 30 days 🔥 That’s a +3,626% increase, landing you at #5 on the IP leaderboard. Incredible work!

As always, a heartfelt THANK YOU to all our amazing contributors. Your ongoing support and submissions are what keep the threat intelligence flowing. ❤️🙏

Got malicious or suspicious IPs, domains, URLs, or raw source to share?
👉 Join the fight against cybercrime: submit.spamhaus.org

#Community #StrongerTogether #CyberSecurity #ThreatIntelligence #ThreatHunting #Infosec

The Spamhaus Project spamhaus@infosec.exchange
2025-05-08

We've talked before about abuse issues with .top domains, and sadly, things aren’t getting better. In fact, we’re now seeing a rise in "toll scams" you might have spotted hitting the headlines in recent weeks. 📈🗞️

But, why is this happening? What do we actually know about .🔝? And more importantly, what can be done to stop it? ✋

Learn more in the latest Domain Reputation Spotlight 🔦 ⤵️
spamhaus.org/resource-hub/serv

#DotTop #DomainAbuse #TollScam #Registrars #CyberSecurity #ThreatIntel

The Spamhaus Project spamhaus@infosec.exchange
2025-05-08

@david_chisnall If you are a non-commercial entity or a small business with low query volumes, you can register for a free Data Query Service account here 👇

spamhaus.com/free-trial/sign-u

The Spamhaus Project spamhaus@infosec.exchange
2025-05-08

@uhuru Have you tried using GitHub for authentication?

GitHub is very popular with the tech community, has a large & varied client base and you can sign up very quickly for free github.com/signup (and there you can use your own email).

Even if you don’t use GitHub (or Microsoft) for any other purpose, it can provide a means for authentication to the Spamhaus Community Portal.

The Spamhaus Project spamhaus@infosec.exchange
2025-05-08

@esferahosting thank you for your support in helping strengthen trust and safety on the Internet 💪

The Spamhaus Project boosted:
Esfera Hosting esferahosting
2025-05-08

Our services benefit from filtering traffic coming from the worst of the worst of the Internet, thanks to @spamhaus and its list. Thank you, Spamhaus, for so many years of excellent work improving everyone's security!

The Spamhaus Project spamhaus@infosec.exchange
2025-05-06

Previously limited to Andorran entities, .ad domains became open to anyone in October 2024. A series of safeguards were also implemented to prevent abuse including a dispute resolution mechanism, prohibition of domain trading, and content restrictions.

But with prices steadily dropping to $17–18, the TLD has become more attractive. And while some use the TLD for ad-related branding, threat actors are clearly taking advantage too ⤵️

The Spamhaus Project spamhaus@infosec.exchange
2025-05-06

New entry: “.ad” now ranks #4 among ccTLDs associated with malicious activity.

Detections have surged in the last 30 days 📈 now hitting approx. 3,000 domains in total, mostly via Dynadot, and nearly all linked to 🇨🇳 Chinese gambling operations ⤵️

The Spamhaus Project spamhaus@infosec.exchange
2025-04-29

❗We're observing a massive spam/phishing campaign targeting Japanese users 🇯🇵 — sent using a botnet of 3.5–4 million IPs, churning rapidly with ~250k new IPs added daily.

Just 650 unique subject lines have been observed, with many reused 100k+ times. Here's an example subject 【お知らせ】春季キャンペーン特典の有効化手続きのお願い
Which translates to "[Notice] Request for activation procedure for spring campaign benefits"

📧 Most emails are sent from residential IPs in LATAM, North Africa, Russia/former Soviet states, and the Middle East.

The campaign appears to be phishing traffic formerly using Chinese networks 🎣 — now shifted to residential proxy networks after large Chinese ranges were listed.

We encourage National CERTs to reach out to Spamhaus directly at "cert-team@spamhaus.org" for additional information of what we are seeing within your constituency. A notice has also been sent to the @firstdotorg community.

If you have connections with Japanese companies, please encourage them to watch out for phishing emails that appear to come from well-known brands - paypay, SBI, Amazon JCB, Apple Resona Bank, AEON, and ETC - but originate from suspicious, non-legitimate IP addresses.

#infosec #spam #phishing #cybersecurity #threatintel
