Virus Bulletin Spam Verified LogoIn recent independent tests Spamhaus’s block lists, used alongside a specially configured SpamAssassin, stopped 99.43%* of spam emails, with 0.02% false positives.  These results are similar to some of the more expensive email filter solutions on the market.  Perhaps it’s time to consider a more cost-effective & simple anti-spam solution?

Using Spamhaus’s block lists with SpamAssassin isn’t new, what’s changed?

Until recently those using SpamAssassin and Spamhaus’s block lists had to rely on the programme’s default configuration, or, manually change SpamAssassin’s configuration based on what the user believed to be the best settings.

Now, users no longer have to rely on intuition or the defaults: we have created the optimum settings.  At a high-level, the experts at Spamhaus have introduced new analysis for the headers and tweaked both the rules and weighted scoring.

With these changes, you can achieve similar results you would expect from a costly email filter product, all for the price of a subscription to Spamhaus’s Block lists via the Data Query Service(DQS), and the time taken to download the SpamAssassin add-on.

How do I get my hands on these recommended settings?

Firstly, it’s worth noting that this will only work for subscribers to the Spamhaus DQS. Additionally, you need access to all our block lists, i.e., Spamhaus’s Domain Policy Block List (DBL), Zero Reputation Domain (ZRD) and Spamhaus’s ZEN service, which includes the Spamhaus Block List (SBL), the Exploits Block List (XBL) and the Policy Block List (PBL).

With all the above in place just go to and find ‘Data Query Service using SpamAssassin’ or click here, and download the instructions and Spamhaus’s SpamAssassin add-on. Naturally, if you are using a subprogram with SpamAssassin you will need to amend accordingly.

Effective email filters needn’t cost the earth, nor take excessive amounts of time to configure.  Download the config and sign up for a free 30-day DQS trial today, and see how simple it can be.



* The VBSpam results refer to the test configuration where Spamhaus’s data-sets were the only ones used: lookups to all other services supplying data were disabled. SpamAssassin users will further increase the effectiveness of this set-up by turning on services that deeply analyse mail contents such as the ClamAV open source anti-malware engine. 

When Spamhaus Malware Labs observe a 100% increase in the number of domains that are being registered by cybercriminals to host a botnet command & control (C&C) it’s time to stop.  Take a look. And understand where the threats are coming from in the top-level domains (TLDs) space and learn how you can protect against them.

The importance of domain names

Cybercriminals prefer to use a domain name registered exclusively to host a botnet C&C.  A dedicated domain name allows them to fire up a new virtual private server (VPS), load the botnet C&C kit, and immediately be back in contact with their botnet after their (former) hosting provider shuts down their botnet C&C server. Not having to change the configuration of each infected computer (bot) on the botnet is a significant advantage.

Number of botnet C&C domain names registered in 2018

Last year, compared to 2017, Spamhaus Malware Labs saw a 100% increase in the number of the domain names registered and set up by cybercriminals for the sole purpose of hosting a botnet C&C:

2017:  50,000 domains

2018:  103,503 domains*

Top-level domains – a brief overview

Before we get into the detail of which top-level domains were abused the most by botnet C&Cs in 2018 let’s take a look at some of the different types of top-level domains:

  • Generic TLDs (gTLDs)– can be used by anyone
  • Country code TLDs (ccTLDs)– some have restricted use within a particular country or region; however, others are licensed for general use which provides the same functionality of gTLDs
  • Decentralized TLDs (dTLDs) –independent top-level domains that are not under the control of ICANN.

Most abused top-level domains in 2018

There were some interesting (and concerning) developments in this area, perhaps most notably was the rise of domain names registered to ‘.bit,’ a decentralized top-level domain (dTLD). Domain names with this type of TLD create additional issues when it comes to blocking malicious traffic and taking down these bad operators.

Top abused TLDs

List of most abused top-level domains in 2018 by botnet C&C traffic

Most abused top-level domains by botnet C&C traffic in 2018

Palau ‘.pw’ was the most abused TLD: The listings associated with ‘.pw’ rose by 56% in 2018, which was an additional 4,835 botnet C&Cs connected with this domain from the previous year.

Russia ‘.ru’ had a reduced number of domain registrations for botnet C&Cs:  We noted a small decrease from 1,370 domain listings in 2017 to 1,183 in 2018. This saw ‘.ru’ ccTLD move out of the top ten rankings, down to #17.

Historically cybercriminals heavily abused ‘.ru’ & ‘.su’ ccTLDs, however, over recent years their operator has implemented measures which are having positive effects in reducing the amount of abuse across these 2 TLDs.

‘.tk,’ ‘.ml,’ ‘.ga,’ ‘.gg’ and ‘.cf’ made their first appearances in the Top 20: Originally ccTLDS;  Freenom now operate them, and they are considered to be gTLDs. As the name implies ‘Freenom’ provide domain names for free.

Given this business model, it’s not surprising that there has been a massive increase in abusive activity associated with them: Cybercriminals realize that their nefarious actions are likely to lead to their domain name being shut down, therefore prefer to obtain them for free rather than pay for them.

dTLD ‘.bit’ had an upsurge in listings: This dTLD didn’t make it into the ‘Top 20’ however we observed 108 domain names hosting botnet C&Cs with the dTLD ‘.bit.’ dTLDs provide criminals with advantages over other TLDs and consequently pose additional threats to users; therefore we feel it is necessary to highlight them:

    • These domain names cannot be taken down or suspended when being used for malicious purposes, because there is no governing body associated with a dTLD.


    • Researching malicious activity becomes more challenging as domain name registrations within dTLDs are usually entirely anonymous, with registrant information not being required.


  • dTLDs bypass DNS Firewalls/Response Policy Zones (RPZ) that many ISPs and businesses use to protect their customers/users from cyber threats.  They by-pass DNS Firewalls because dTLD domains are not resolvable through common DNS.  Instead, they are resolved through nameservers that support ‘.bit,’ such as OpenNIC.


How can you protect against botnet C&C traffic on dTLD’s?

How Border Gateway Protocol Feeds protect your network

How Border Gateway Protocol Feeds protect your network

Border Gateway Protocol data feeds provide an added layer of protection.  These feeds block connections to IPs involved in the most dangerous cybercrime and DDoS attacks via your edge router.

By taking just a few minutes to configure your edge router to peer with a Deteque BGP router and a null route, you can provide your network with up-to-date protection against botnets, alongside phishing and external attacks on your organization’s servers.

IT security has always required a multi-faceted approach, and with new threats continually coming to the fore, such as those posed by botnet C&C traffic registered to a dTLD, it is vital to continue to add layers of additional security.

 If you’d like to read the full Botnet Threat Report click here or fill in a contact form to get in touch with a member of the Deteque team who can discuss BGP feeds with you further.

*N.B. These numbers exclude hijacked domain names; domains owned by non-cybercriminals that were used without permission, and domains on ‘free sub-domain’ provider services.


The team at Spamhaus Malware Labs were pretty busy last year.  Actually, that’s an understatement: they detected and blocked a record number of botnet command & control (C&C). Over 10,000 in fact! 

Here’s an overview of the malware that botnet C&Cs were associated with, but if you want the full botnet C&C picture download the detailed report here.

The malware trends in 2018:

As always, the threat landscape was highly dynamic in 2018.  While some trends such as remote access tools (RATs) continued to gather momentum, additional ones started to rear their heads, such as CoinMiners.

Credential Stealers: As in 2017, credential stealers were still accounting for the most significant amount of botnet C&C traffic; however there were changes as to which were top of the leader board.

Botnet C&Cs associated with Loki malware comparison between 2017 & 2018‘Pony’ held the #1 spot for two years, however in 2018 ‘Loki’ took pole position, having more than doubled the number of unique botnet C&Cs associated with it.

Remote Access Tools (RATs): This type of malware saw a significant increase in 2018, in particular, a Java-based RAT, called JBifrost (aka Adwind).

Botnet C&Cs associated with JBifrost malware comparison between 2017 & 2018Back in 2017, we reported that JBifrost was starting to flood the botnet landscape, however, in 2018 we witnessed an explosion in the number of unique botnet C&C listings associated with it. The sheer volume of these listings has placed JBifrost at #2 on our leader board.

Ransomware & e-banking Trojans: Botnet C&Cs associated with both types of malware dropped significantly in 2018.

Botnet C&Cs associated with JBifrost malware comparison between 2017 & 2018CoinMiners: Making their first appearance in the Top 20 list last year were CoinMiners. These are malicious pieces of software that silently mine cryptocurrencies, such as Bitcoin and Monero, without the consent or approval of the user. In 2018, we identified 83 botnet C&Cs associated with CoinMiners.

Mining pools: In addition to CoinMiner botnet C&C listings, in 2018 we also issued 156 Spamhaus Block List (SBL) listings for 111 cryptocurrency mining pools that were used by the CoinMiners. Some of these cryptocurrency mining pools appeared to be rogue; however, the majority were legitimate pools that were being abused by CoinMiners.

The Spamhaus Project has tried to approach the responsible hosting providers, asking them to have the offending user(s) of the mining pool suspended, to stop the fraudulent activity. Unfortunately, this was not always possible because some cryptocurrencies, such as Monero, are entirely anonymous, unlike Bitcoin. 

Mitigating the risk of malware at the DNS level

Charts showing Malware blocked by DNS Firewall in 2018The increased threat from CoinMiners is apparent when you view the statistics from users of Deteque’s DNS Firewall Threat Feeds.   These threat feeds are consumed at the DNS level, allowing security teams to automatically block users (blocks/redirects), and IoT devices’ from accessing bad sites.

In April 2018 only 21% of blocks/redirects were for CoinMiner/Cryptoblocker traffic, whereas at the end of last year, in December 2018, CoinMiner redirects accounted for 66% of all blocked/redirected traffic.

It is evident that the botnet C&C landscape underwent some significant changes in 2018.  With ‘lean teams’ and ‘lean budgets’ security professionals are caught between a rock and a hard place in attempting to keep on top of the ever-changing threats.  Therefore, it’s crucial to identify solutions that are quick to install, ‘set & forget,’ and leverage the best threat intelligence in the industry.  In doing so, security & IT teams are enabled to focus on other urgent matters, confident in the knowledge that teams of professional security researchers and investigators are identifying the threats on their behalf.

Download the report

We have observed a significant increase in the amount of botnet activity across the past few months.  Watch the video to find out what’s driving this.

We’ve made some changes.  “Urgh!” we hear you sigh.  Few people like changes; be that a change in the user interface (UI) of an application we regularly use, or our favourite dish being taken off the menu at our local restaurant.  But, if we’re honest it’s amazing how quickly we get used to the new UI, or actually prefer the lamb burger to the beef burger.

What changes have we made?

Enough about burgers.  Let’s cut to the chase….

The Spamhaus Rsync service, which synchronizes complete data sets between the Spamhaus servers and local servers on a customer’s network, is now only available to organizations with 50,000+ users, with a minimum US$9,125 spend attached to it.

This service was specifically designed for high usage clients.  It is geared towards organizations with large user volume and/or for those wanting to create derivative products from the feeds.

To keep things running as smoothly as possible we require customers who are under the 50,000+ threshold to move to our Data Query Service (DQS).

What is the Data Query Service (DQS)?

The DQS provides customers with real-time access to 70+ Spamhaus mirrors (servers) which are located across the globe.  This service uses traditional DNS queries, facilitating easy mail server configuration for customers.   You will receive the data feeds in real-time, without any potential delays that may be caused by batch processing or synchronisation issues.

What’s involved in making the move?

Important things first: cost.  Per user there is no price difference between the DQS and Rsync service, however please remember that the minimum cost for DQS is US$250 and the minimum cost for the Rsync service is US$9,125!

Naturally, you will need to make some changes to your set-up.  But, it will only take a few minutes to configure the data feeds from the DQS…. And if you don’t want to take our word for it, then read Bård Bjerke Johannessen’s comments on making the switch. Bård is Chief Information Officer at SYSE and explained that “Moving from Rsync to DQS involved only minor changes to the configuration of our Exim and SpamAssassin frontends. Quite literary minutes of work.” Bård added that “Performance is not noticeably different and detection rates probably marginally better!”

For customers moving from Rsync to DQS we will enable the DQS to run alongside your current Rsync service.  This will provide you with the time, and peace of mind, to test it internally, ensuring you aren’t subject to any service disruption during the change over period.  By following this route the Postmaster at the University of Szeged, Mihaly Toth-Abony, ensured the cut over was seamless saying “Our users didn’t notice the move from Rsync to DQS.”

Additional benefits to using the DQS

At this point, we hope we’ve allayed any fears you may have had about the change management associated with moving from Rsync to the DQS.  There’s also some good news: you’ll receive additional benefits when you move to the DQS.

  • Realtime updates – as soon as a new threat is detected the information is pushed to the DQS mirrors (servers) – with no waiting on batch processing or synchronization delays.
  • Speed & continuity – 70+ global mirrors with intelligent routing of queries based on geolocation ensure a robust service.
  • Reduce running costs – removes the need for software (RBLDNSD) that consumes the realtime blacklist domain name and related running costs.  In Bård from SYSE’s words “This has enabled us to decommission two name servers with the associated monitoring and management, as well as the monitoring and management of the rsync-jobs.”
  • Free Zero Reputation Data (ZRD) feeds – customers consuming our domain block lists (DBL) can receive data feeds relating to newly observed domains at no additional cost.
  • Access to AuthBL feed – get protection against IP addresses associated with ‘brute force’ entry and form abuse.

Our team are on hand for any questions you may have relating to the move – drop them a line either via this contact form or email your customer service contact.

Thanks for your patience!

The following article was originally published by The Spamhaus Project, October 2018.

Haus Bot saying Exploits Block List increases by 50%After somewhat of a ‘lull’ in botnet activity over the past year  there has been a significant upswing in the number of listings on the Spamhaus Exploits Block List (XBL). The past few weeks have seen a lift from approximately 10 million to 16 million listings. The obvious question to be asking is why? The Spamhaus Project’s botnet specialist explains:

What is the XBL?

The XBL is Spamhaus’s block list which lists IP addresses that host bots and malware-infected computers.

Why the huge upswing in listings?

Approximately half of this increase is due to a new spambot sending out vast quantities of spam for Chinese porn web sites. We believe that this may be due to proxy software, popular in China, having a security issue. Meanwhile the rest is from the rising number of IP addresses that are being reported as infected with the Avalanche/Gamarue botnet.

For those of you with knowledge of the botnet landscape you’re probably thinking “But the Avalanche botnet was taken down?” You are indeed correct, however the machines infected by Avalanche are still out there spreading the infection to new machines. The difference being now is that these machines can no longer be controlled by the current set of bad guys. But, it’s worth noting that these machines are still insecure and open to abuse by other spammers.

When will these bots die out?

Even if all the botnet gangs were taken down the malware they created would continue to spread without their controller. This is a spectre we’re going to have to live with for a long time. The Conficker bot is still out there, and its control network died years ago!

What about the new spambot?

There’s one last question: what (or who) is responsible for sending the copious quantities of Chinese porn-related spam? To date the research team at the Project don’t have an answer, but we’ll let you know as soon as they find out more.

(The original article can be viewed here.)


High-speed and high-volume: Hailstorm spam is one method cyber criminals are using to overwhelm target organizations’ defenses, but Spamhaus is leading the fight back with threat intelligence delivered at high-speed.

Dynamic Updates from Spamhaus protect by alerting you to hailstorm attacks within seconds of them starting, giving you the unique capability to block this type of spam.

Powerful intelligence delivered at high speed

Hailstorm attacks can be over in a matter of minutes and every second counts.

At the first indication of a hailstorm attack, automatic incremental updates are made available. Instead of downloading a full set of IP and Domain-based threat intelligence periodically, Dynamic Updates allow you to receive data as soon as it is available.

Hailstorm spam attack timeline

Graph of a hailstorm attack

  • Before 0 sec: No info
  • 0 sec: Hailstorm attackstarts, traffic spikes to more than 800 emails sent every 10 seconds.
  • 16 sec: Domain used identified,published to Zero ReputationDomain list. Dynamic Updates subscribers can start blocking malicious domain.
  • 28 sec: Domain published to Spamhaus Zen and DomainBlocklist. Spam rate still running at over 800 emails every 10 seconds.
  • 90 sec: Domain generally accessible for rsync subscribers based on a standard 60 second rsync period. Spam rate starts to drop off.
  • 120 sec: Spam rate drops to negligible.

In three minutes, more than 15,000 spam messages sent –85% blocked by DynamicUpdates service at start of attack. Indicative real case example– individual attack profiles will vary.

The Dynamic Updates advantage

Table showing how dynamic updates compares to DQSIncluded is Spamhaus’ Zero Reputation Domain (ZRD) service, designed to stop cyber criminals who use newly registered domains.  This is a favoured method to send hailstorm spam; driving traffic to websites in the hope that users will fall victim before a domain has been analyzed for its reputation.

Legitimate organizations will rarely activate a domain and start using it immediately after registration so the ZRD automatically adds newly-registered and previously dormant domains to a block list for 24 hours.


Picture showing how dynamic updates is configuredDeploy Dynamics Updates in minutes following these easy steps:

  1. Generate your own authentication certificate (including self-signed)
  2. Submit certificate to Spamhaus via our user portal
  3. Connect! You will be informed via our portal

If you are not already a Spamhaus user, then sign up here and get access to our user portal.

GovWare 2018 in Singapore will see the launch of a new detection tool developed by Deteque, a division of Spamhaus, that uncovers patterns of malicious activity from networks across the world.

Using billions of records from across the internet, the new Passive DNS user tool allows security teams and researchers to investigate connections between suspicious domains and IP addresses in an instant.

Simon Forster, CEO of Spamhaus Technology said: “It’s a powerful tool for security investigators as well as companies wanting to see who might be abusing their brand online.”

Deteque’s Passive DNS is in beta test phase and GovWare 2018 is the first opportunity for a wider public to see the easy to use web portal which draws on data from the global network of contributors to The Spamhaus Project, a trusted third party collating DNS related data in real time.

Our team will be on-site at the UK Pavilion at GovWare to discuss the latest threat trends as they happen including:

• Global trends in spam and email borne threats. See the threat dashboard at

• Botnet tends and activities globally, what impact they have and what security professionals can do to protect their networks. .

Spamhaus has a 20 year track record of collating IP and Domain based threat intelligence used to protect against spam, email borne threats and prevent connections to malicious domains.

Spamhaus data is used by the majority of the Internet’s ISPs, email service providers, corporations, universities, governments and military networks, protecting three billion mailboxes globally.

Spam makes up 95% of all email traffic and email is the most common threat vector to insert malware and gain network access¹. Spamhaus data sets act as a first line of defence in multi- layered security.

¹UK’s National Cyber Security Centre, April 2017

The Spamhaus team are looking forward to being part of VB2018, in Montreal.

VB2018 logo for montreal conferenceThe world’s leading IT security experts, from academia and vendors to non-profits and mega corporations, will gather to share their expertise, ideas, research and predictions.

Date: 3-5th October

Venue: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

One of the Spamhaus Project’s leading threat intelligence research experts will be featuring in VB2018’s ‘Small Talks’: The botnet landscape – live threats and steps for mitigation.  From botnets to bonnet command and controllers you will discover up-to-date trends in the botnet threat landscape and recommendations for network security managers, data protection practitioners and CISO/CIOs.

Register for VB2018 here


Spamhaus Technology is delighted to be part of GovWare 2018, at Singapore International Cyber Week.

Logos of GovWare 2018 & Singapore International Cyber WeekGovWare is focused on “Forging a Trusted and Open Cyberspace in 2018″.  Attendees will have the opportunity to see the latest trends in technology, implementation and hear real-life stories from users in the market place.

DATE: 18 – 20 Sept

VENUE: Suntec Singapore Convention & Exhibition Centre, Singapore

Spamhaus Technology will be showcasing Deteque’s Passive DNS, which is currently in beta testing.  This tool uncovers patterns of malicious activity across global networks and can assist multiple roles within the cyber security industry, including Penetration Testers, Security Researchers and Brand Protection Specialists.

Connect with us and our reseller, Pipeline Security, at the event to discover how you can protect both your email and networks utilising threat intelligence that has been trusted by the industry for more than 20 years.

Register for GovWare 2018 here