Hackers hijack SpamCannibal, spam users with false notifications

News by Teri Robinson

Last week hackers hijacked SpamCannibal, which sends blacklists of spam servers, and spammed users with phony blacklist reports.

Hackers on Thursday hijacked SpamCannibal, which sends blacklists of spam servers, and spammed users with phony blacklist reports.   

“One of the significant risks parked domains pose is that they can be purchased by anyone, including malicious actors, who will have access to the DNS server and any other domain operating via that DNS server,” said Alex Calic, chief strategy and revenue officer at The Media Trust. “This is the likely avenue the SpamCannibal attackers took. Website operators can avoid these attacks by removing parked domains from their environment and continuously scanning that environment for new or unauthorised executing code.”

SpamCannibal had “ceased its activities last summer and was no longer responding to DNS queries” until early Wednesday morning “when the SpamCannibal domain expired,” Martijn Grooten wrote in a Virus Bulletin blog post. “As is typical in the takeover of expired domains, it was pointed to a dodgy-looking (but not necessarily malicious) parking site. What was worse – though again not uncommon – was that a wildcard DNS was pointed to this parking site.”

As a result, all queries to the website's blacklist “returned the same positive response, leading spam filters to believe the queried IP address was blacklisted.”

Fortunately, Grooten, wrote, it's likely that the number of people and organisations using SpamCannibal is small.

He said the incident could be a teaching moment for the security industry. Anyone running someone else's blacklist “should check whether it supports ‘health checks,' and if it does, perform a health check regularly… by confirming that the IP address 127.0.0.1 isn't listed, but 127.0.0.2 is.”

For those running a blacklist, but who can't continue to support it, “consider donating the domain to another organisation working in the email security space,” Grooten wrote, so that they at least ensure the domain registration doesn't expire.

SpamCannibal is no longer responding to queries, he said, which indicates that whoever previously ran the domain “did at least manage to reclaim ownership.”

Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events