
Hackers hijack SpamCannibal, spam users with false notifications


Hackers on Thursday hijacked SpamCannibal, a DNS-based blacklist of spam-sending servers, and fed its users phony blacklist reports.

“One of the significant risks parked domains pose is that they can be purchased by anyone, including malicious actors, who will have access to the DNS server and any other domain operating via that DNS server,” said Alex Calic, chief strategy and revenue officer at The Media Trust. “This is the likely avenue the SpamCannibal attackers took. Website operators can avoid these attacks by removing parked domains from their environment and continuously scanning that environment for new or unauthorized executing code.”

SpamCannibal had “ceased its activities last summer and was no longer responding to DNS queries” until early Wednesday morning “when the SpamCannibal domain expired,” Martijn Grooten wrote in a Virus Bulletin blog post. “As is typical in the takeover of expired domains, it was pointed to a dodgy-looking (but not necessarily malicious) parking site. What was worse – though again not uncommon – was that a wildcard DNS was pointed to this parking site.”

As a result, all queries to the website's blacklist “returned the same positive response, leading spam filters to believe the queried IP address was blacklisted.”

Fortunately, Grooten wrote, the number of people and organizations still using SpamCannibal is likely small.

He said the incident could be a teaching moment for the security industry. Anyone running someone else's blacklist “should check whether it supports ‘health checks,' and if it does, perform a health check regularly… by confirming that the IP address 127.0.0.1 isn't listed, but 127.0.0.2 is.”
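The wildcard failure mode described above (every reversed-IP query under the zone answers positively once the domain points at a parking site) and the health check Grooten recommends can both be shown in a few lines. The following is an added example, not code from the article, Virus Bulletin or SpamCannibal: it builds the standard DNSBL query name (IPv4 octets reversed under the zone), runs the 127.0.0.1 / 127.0.0.2 check that RFC 5782 requires every DNSBL to support, and refuses to trust the list when the check fails. The zone name `bl.example.test`, the resolver functions and the sample IP addresses are constructed for the demonstration so it runs offline; in production, `resolve` would wrap a real DNS client.

```python
"""DNSBL health check: 127.0.0.1 must NOT be listed, 127.0.0.2 MUST be listed.

Added example (not from the article). The resolver is injected so the code runs
offline; a real deployment would pass a function that does an A lookup and
returns None on NXDOMAIN (e.g. a thin wrapper around dnspython).
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[List[str]]]

ZONE = "bl.example.test"  # hypothetical zone name, constructed for the example


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)            # raises on malformed input
    reversed_octets = ".".join(reversed(addr.exploded.split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}."


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Any A record in the answer means 'listed'; NXDOMAIN (None) means not."""
    return bool(resolve(dnsbl_query_name(ip, zone)))


def health_check(zone: str, resolve: Resolver) -> Tuple[bool, str]:
    """Per RFC 5782: 127.0.0.1 must never be listed, 127.0.0.2 always must be.

    A parked domain with a wildcard record answers both queries positively,
    which is exactly the SpamCannibal failure: it shows up as 127.0.0.1 listed.
    A dead or unreachable list shows up as 127.0.0.2 not listed.
    """
    if is_listed("127.0.0.1", zone, resolve):
        return False, "127.0.0.1 is listed: zone answers every query (wildcard/parked)"
    if not is_listed("127.0.0.2", zone, resolve):
        return False, "127.0.0.2 is not listed: zone is dead or not responding"
    return True, "ok"


def safe_lookup(ip: str, zone: str, resolve: Resolver) -> Optional[bool]:
    """Only consult the list if it passes the health check.

    Returns None (fail open: treat the list as absent) on an unhealthy zone,
    rather than letting a wildcard answer reject all inbound mail.
    """
    healthy, _reason = health_check(zone, resolve)
    if not healthy:
        return None
    return is_listed(ip, zone, resolve)


# --- Constructed fake resolvers modelling three states of the same zone ---

def healthy_resolver(name: str) -> Optional[List[str]]:
    """A working list: the test entry plus one listed sender."""
    table = {
        dnsbl_query_name("127.0.0.2", ZONE): ["127.0.0.2"],
        dnsbl_query_name("203.0.113.7", ZONE): ["127.0.0.2"],  # constructed spam source
    }
    return table.get(name)


def parked_resolver(name: str) -> Optional[List[str]]:
    """Expired domain on a parking site with a wildcard: everything resolves."""
    if name.endswith("." + ZONE + "."):
        return ["198.51.100.10"]  # the parking site's address, constructed
    return None


def dead_resolver(name: str) -> Optional[List[str]]:
    """Zone that has stopped answering: every query is NXDOMAIN."""
    return None


if __name__ == "__main__":
    for label, resolver in (("healthy", healthy_resolver),
                            ("parked", parked_resolver),
                            ("dead", dead_resolver)):
        print(label, health_check(ZONE, resolver),
              "lookup 203.0.113.7 ->", safe_lookup("203.0.113.7", ZONE, resolver))
```

With a real resolver the only change is `resolve`: return the A records for the name, or `None` when the lookup yields NXDOMAIN. Run the health check on a timer (Grooten suggests regularly) rather than once at startup, since a domain can expire and be re-pointed between restarts, as SpamCannibal's did.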

For those running a blacklist who can no longer support it, Grooten wrote, “consider donating the domain to another organization working in the email security space,” so that at the very least the domain registration does not expire.

SpamCannibal is no longer responding to queries, he said, which indicates that whoever previously ran the domain “did at least manage to reclaim ownership.”
