OPERATION ENDGAME 2.0 UPDATE | Following on from last week's announcement 📢 we are now sending notification emails 📩 to ISPs and hosting companies associated with the breached email accounts.

Here's what to do if you receive one:

👉 Go to this remediation webpage: https://www.spamhaus.org/endgame-2
👉 Enter the access code included in the email.
👉 Download the list of breached email accounts.
👉 Verify each email account, and where necessary, contact the owner and ask them to reset their password (there's a ready-made email template for you to use on the remediation webpage 😀)

Thank you to everyone who is part of this effort. 🙏

#Trustandsafety #OperationENDGAME2 #Takedown

🔥 Operation Endgame is BACK! This time targeting #BumbleBee, #Latrodectus, #DanaBot, #WarmCookie, #Qakbot and #Trickbot!

Once again this is a HUGE win, with a truly international effort! 💪

As with phase one of #OperationEndgame, Spamhaus are providing remediation support - those affected will be contacted in due course with steps to take.

For more information, read our write-up here:
👉 https://www.spamhaus.org/resource-hub/malware/botnets-disrupted-worldwide-operation-endgame-is-back/

.top remains firmly in the #2 spot for gTLDs most associated with phishing based on the number of detections we’re seeing 📈.

Missed our latest blog post on what’s going on with .🔝? And more importantly, what can be done to stop the ongoing proliferation in phishing abuse? ✋

Read the Domain Reputation Spotlight here ⤵️
https://www.spamhaus.org/resource-hub/service-providers/abuse-takes-its-toll-on-top/

#DomainReport #DomainAbuse #DotTop #Phishing

Correctiv article: https://correctiv.org/en/fact-checking-en/2024/05/31/hacks-and-propaganda-meet-the-two-brothers-bringing-russias-cyber-war-to-europe/



Brian Krebs article: https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/

Stark Industries, a UK-based hosting company, has been on our radar for some time. Last year we supported the German non-profit @correctiv_org with their investigation into the Neculiti brothers'. And almost a year to the day, @briankrebs published a deep-dive into their murky operations (links to articles in comments).

It was only a matter of time until...

Yesterday, the European Council finally took action, sanctioning the company for "acting as enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities, including information manipulation, interference, and cyber-attacks against the Union and third countries."

Read the full story here 👇

https://www.consilium.europa.eu/en/press/press-releases/2025/05/20/russian-hybrid-threats-eu-lists-further-21-individuals-and-6-entities-and-introduces-sectoral-measures-in-response-to-destabilising-activities-against-the-eu-its-member-states-and-international-partners/

#ItsNewFeatureTuesday! (That’s a thing, right?) 😎
You can now share searches with 3rd parties without them needing to authenticate to view the results! It’s a neat feature that will save time and hassle.

Here's how it works ⤵️
1) User (authenticated!) searches on hunting.abuse.ch
2) Click the "share" button next to the search button
3) This creates a unique link and copies it to clipboard, for example:
https://hunting.abuse.ch/hunt/68274cdcde549/betbot.mchbee.cloud/

✨ Ta da! Any user with this link can see these results without the need to authenticate!

Happy Hunting (and sharing) enjoy! 🫶

#SharingIsCaring #ThreatIntel #ThreatHunting #CTI

📢 ISPs: Don’t get lazy just because you can rely on our efficient detections and high impact listings. Too often, issues are ignored until we raise the flag 🚩 . And if we don’t see them? The issue persists.

We work hard to detect issues quickly. But, Spamhaus should never be your only line of defense.

To protect your reputation:

✅ Monitor your abuse mailbox
✅ Track client behavior via netflow, SMTP logs, traffic graphs, etc.
✅ Analyze reports and act fast!

However, responsibility does not solely fall on the Trust & Safety Team. Neglecting to invest in abuse management might make savings now but it can cost far more later down the line.

Being proactive beats being listed. Every time.

🔐 Email authentication used to be something only big players worried about. Not anymore. While small senders may not feel the heat yet, it’s only a matter of time before it reaches them...

Want to stay ahead of the curve?

Learn how authentication can be implemented at the relay level to improve deliverability, prevent abuse, and protect your reputation before problems hit.

👉 https://www.spamhaus.org/resource-hub/deliverability/mail-relays-part-1-authenticate-your-outgoing-mail/

#EmailSecurity #Deliverability #EmailBestPractices

This month Spamhaus' CSS Blocklist reached 8 million active IPs listed for low-reputation email activity! 🎉 Spam activity appears to be shifting toward residential proxies, making up a significant portion of the increase, as emission IPs are constantly changing, with around 500k new IPs added to our lists each day. 📈

Email admins! Use this real-time DNSBL to reduce inbound spam and other malicious email traffic. For optimum filtering, apply at:

➡️ Initial connection – against the connecting IP
➡️ Once email data accepted – check IPs in received chain mail headers and IPs hosting resources in the body (e.g. URLs)

Learn more about this data set here ⤵️
https://www.spamhaus.org/blocklists/combined-spam-sources/

#Spam #ResidentialProxies #EmailFiltering

With a +61% ⬆️ increase, 🇺🇸 US-based "charter.com" is #1 for hosting IPs associated with exploited devices: 193, 782 detections over the last 30 days....

....as well as 167 Spamhaus Blocklist (SBL) listings.

Spamhaus reputation statistics:
👉 https://www.spamhaus.org/reputation-statistics/networks/exploit/

SBL listings:
👉 https://check.spamhaus.org/sbl/listings/charter.com/

#IPs #Exploits #Spamhaus #ReputationStatistics #ThreatIntel

🙇‍♂️ Masterguru, take a bow! You've been on fire, 70,352 IPs shared in the past 30 days 🔥 That’s a +3,626% increase, landing you at #5 on the IP leaderboard. Incredible work!

As always, a heartfelt THANK YOU to all our amazing contributors. Your ongoing support and submissions are what keep the threat intelligence flowing. ❤️🙏

Got malicious or suspicious IPs, domains, URLs, or raw source to share?
👉 Join the fight against cybercrime: https://submit.spamhaus.org

#Community #StrongerTogether #CyberSecurity #ThreatIntelligence #ThreatHunting #Infosec

We've talked before about abuse issues with .top domains, and sadly, things aren’t getting better. In fact, we’re now seeing a rise in "toll scams" you might have spotted hitting the headlines in recent weeks. 📈🗞️

But, why is this happening? What do we actually know about .🔝? And more importantly, what can be done to stop it? ✋

Learn more in the latest Domain Reputation Spotlight 🔦 ⤵️
https://www.spamhaus.org/resource-hub/service-providers/abuse-takes-its-toll-on-top/

#DotTop #DomainAbuse #TollScam #Registrars #CyberSecurity #ThreatIntel

@david_chisnall If you are a non-commercial entity or a small business with low query volumes, you can register for a free Data Query Service account here 👇

https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/

@uhuru Have you tried using GitHub for authentication?

GitHub is very popular with the tech community, has a large & varied client base and you can sign up very quickly for free https://github.com/signup (and there you can use your own email).

Even if you don’t use Github (or Microsoft) for any other purpose, it can provide a means for authentication to the Spamhaus Community Portal.

@esferahosting thank you for your support in helping strengthen trust and safety on the Internet 💪

Nuestros servicios se benefician del filtrado de tráfico proveniente de lo peor de lo peor de Internet, gracias a @spamhaus y su lista #DROP. ¡Gracias Spamhaus por tantos años de un trabajo excelente mejorando la seguridad de todos!

🔍 Previously limited to Andorran entities, .ad domains became open to anyone in October 2024. A series of safeguards were also implemented to prevent abuse including a dispute resolution mechanism, prohibition of domain trading, and content restrictions.

But with prices steadily dropping to $17–18, the TLD has become more attractive. And while some use the TLD for ad-related branding, threat actors are clearly taking advantage too ⤵️

New entry: “.ad” now ranks #4 among ccTLDs associated with malicious activity.

Detections have surged in the last 30 days 📈 now hitting approx. 3,000 domains in total, mostly via Dynadot, and nearly all linked to 🇨🇳 Chinese gambling operations ⤵️

🌐 Spamhaus Reputation Statistics - ccTLDs:
https://www.spamhaus.org/reputation-statistics/cctlds/domains/

#DomainAbuse #TLDabuse #Dynadot #DotAd #Phishing

❗We're observing a massive spam/phishing campaign targeting Japanese users 🇯🇵 — sent using a botnet of 3.5–4 million IPs, churning rapidly with ~250k new IPs added daily.

Just 650 unique subject lines have been observed, with many reused 100k+ times. Here's an example subject【お知らせ】春季キャンペーン特典の有効化手続きのお願い
Which translates to "[Notice] Request for activation procedure for spring campaign benefits"

📧 Most emails are sent from residential IPs in LATAM, North Africa, Russia/former Soviet states, and the Middle East.

The campaign appears to be phishing traffic formerly using Chinese networks 🎣 — now shifted to residential proxy networks after large Chinese ranges were listed.

We encourage National CERTs to reach out to Spamhaus directly at "cert-team@spamhaus.org" for additional information of what we are seeing within your constituency. A notice has also been sent to the @firstdotorg community.

If you have connections with Japanese companies, please encourage them to watch out for phishing emails that appear to come from well-known brands - paypay, SBI, Amazon JCB, Apple Resona Bank, AEON, and ETC - but originate from suspicious, non-legitimate IP addresses.

#infosec #spam #phishing #cybersecurity #threatintel