We’ve made some changes.  “Urgh!” we hear you sigh.  Few people like changes; be that a change in the user interface (UI) of an application we regularly use, or our favourite dish being taken off the menu at our local restaurant.  But, if we’re honest it’s amazing how quickly we get used to the new UI, or actually prefer the lamb burger to the beef burger.

What changes have we made?

Enough about burgers.  Let’s cut to the chase….

The Spamhaus Rsync service, which synchronizes complete data sets between the Spamhaus servers and local servers on a customer’s network, is now only available to organizations with 50,000+ users, with a minimum US$9,125 spend attached to it.

This service was specifically designed for high usage clients.  It is geared towards organizations with large user volume and/or for those wanting to create derivative products from the feeds.

To keep things running as smoothly as possible we require customers who are under the 50,000+ threshold to move to our Data Query Service (DQS).

What is the Data Query Service (DQS)?

The DQS provides customers with real-time access to 70+ Spamhaus mirrors (servers) which are located across the globe.  This service uses traditional DNS queries, facilitating easy mail server configuration for customers.   You will receive the data feeds in real-time, without any potential delays that may be caused by batch processing or synchronisation issues.
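How a DNS-based block list lookup of the kind described above is typically formed and interpreted, as an added example (not Spamhaus code). The zone name is a placeholder, the query-name layout follows RFC 5782, the error-code range is an assumption, and the resolver is injected so the sample runs offline on constructed answers.

```python
import ipaddress
import socket

ZONE = "zen.dnsbl.example"  # placeholder zone (assumption), not a real DQS hostname
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")      # RFC 5782 answer range
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # assumption: operator error codes


def query_name(ip, zone=ZONE):
    """Reverse IPv4 octets (or IPv6 nibbles) and append the zone, per RFC 5782."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def classify(answers):
    """Map the A records returned for a lookup to a verdict."""
    if not answers:
        return "not_listed"  # NXDOMAIN: the address is not on the list
    codes = [ipaddress.ip_address(a) for a in answers]
    if any(c in ERROR_NET or c not in LISTED_NET for c in codes):
        return "error"  # quota/config error code, or a resolver rewriting answers
    return "listed"


def system_resolver(name):
    """Resolve A records with the OS resolver; failed lookups (incl. NXDOMAIN) give []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def should_reject(ip, resolve=system_resolver):
    """Reject only on a clean listing; errors fail open so mail keeps flowing."""
    return classify(resolve(query_name(ip))) == "listed"


# Constructed answers standing in for DNS responses, so the demo runs offline.
FAKE_DNS = {
    "2.0.0.127.zen.dnsbl.example": ["127.0.0.2"],
    "7.113.0.203.zen.dnsbl.example": ["127.255.255.254"],
    "9.113.0.203.zen.dnsbl.example": ["198.51.100.1"],
}

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.7", "203.0.113.9", "192.0.2.1"):
        print(ip, should_reject(ip, lambda n: FAKE_DNS.get(n, [])))
```

Treating error codes and non-loopback answers as "not a listing" matters in practice: a mail server that rejects on any answer at all will bounce legitimate mail when the lookup itself is misconfigured.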

What’s involved in making the move?

Important things first: cost.  Per user there is no price difference between the DQS and Rsync service, however please remember that the minimum cost for DQS is US$250 and the minimum cost for the Rsync service is US$9,125!

Naturally, you will need to make some changes to your set-up.  But, it will only take a few minutes to configure the data feeds from the DQS…. And if you don’t want to take our word for it, then read Bård Bjerke Johannessen’s comments on making the switch. Bård is Chief Information Officer at SYSE and explained that “Moving from Rsync to DQS involved only minor changes to the configuration of our Exim and SpamAssassin frontends. Quite literally minutes of work.” Bård added that “Performance is not noticeably different and detection rates probably marginally better!”

For customers moving from Rsync to DQS we will enable the DQS to run alongside your current Rsync service.  This will provide you with the time, and peace of mind, to test it internally, ensuring you aren’t subject to any service disruption during the change over period.  By following this route the Postmaster at the University of Szeged, Mihaly Toth-Abony, ensured the cut over was seamless saying “Our users didn’t notice the move from Rsync to DQS.”

Additional benefits to using the DQS

At this point, we hope we’ve allayed any fears you may have had about the change management associated with moving from Rsync to the DQS.  There’s also some good news: you’ll receive additional benefits when you move to the DQS.

  • Realtime updates – as soon as a new threat is detected the information is pushed to the DQS mirrors (servers) – with no waiting on batch processing or synchronization delays.
  • Speed & continuity – 70+ global mirrors with intelligent routing of queries based on geolocation ensure a robust service.
  • Reduce running costs – removes the need for software (RBLDNSD) that consumes the realtime blacklist domain name and related running costs.  In Bård from SYSE’s words “This has enabled us to decommission two name servers with the associated monitoring and management, as well as the monitoring and management of the rsync-jobs.”
  • Free Zero Reputation Data (ZRD) feeds – customers consuming our domain block lists (DBL) can receive data feeds relating to newly observed domains at no additional cost.
  • Access to AuthBL feed – get protection against IP addresses associated with ‘brute force’ entry and form abuse.

Our team are on hand for any questions you may have relating to the move – drop them a line either via this contact form or email your customer service contact.

Thanks for your patience!

The following article was originally published by The Spamhaus Project, October 2018.

After somewhat of a ‘lull’ in botnet activity over the past year there has been a significant upswing in the number of listings on the Spamhaus Exploits Block List (XBL). The past few weeks have seen a lift from approximately 10 million to 16 million listings. The obvious question to be asking is why? The Spamhaus Project’s botnet specialist explains:

What is the XBL?

The XBL is Spamhaus’s block list which lists IP addresses that host bots and malware-infected computers.

Why the huge upswing in listings?

Approximately half of this increase is due to a new spambot sending out vast quantities of spam for Chinese porn web sites. We believe that this may be due to proxy software, popular in China, having a security issue. Meanwhile the rest is from the rising number of IP addresses that are being reported as infected with the Avalanche/Gamarue botnet.

For those of you with knowledge of the botnet landscape you’re probably thinking “But the Avalanche botnet was taken down?” You are indeed correct, however the machines infected by Avalanche are still out there spreading the infection to new machines. The difference being now is that these machines can no longer be controlled by the current set of bad guys. But, it’s worth noting that these machines are still insecure and open to abuse by other spammers.

When will these bots die out?

Even if all the botnet gangs were taken down the malware they created would continue to spread without their controller. This is a spectre we’re going to have to live with for a long time. The Conficker bot is still out there, and its control network died years ago!

What about the new spambot?

There’s one last question: what (or who) is responsible for sending the copious quantities of Chinese porn-related spam? To date the research team at the Project don’t have an answer, but we’ll let you know as soon as they find out more.

(The original article can be viewed here.)


High-speed and high-volume: Hailstorm spam is one method cyber criminals are using to overwhelm target organizations’ defenses, but Spamhaus is leading the fight back with threat intelligence delivered at high-speed.

Dynamic Updates from Spamhaus protect by alerting you to hailstorm attacks within seconds of them starting, giving you the unique capability to block this type of spam.

Powerful intelligence delivered at high speed

Hailstorm attacks can be over in a matter of minutes and every second counts.

At the first indication of a hailstorm attack, automatic incremental updates are made available. Instead of downloading a full set of IP and Domain-based threat intelligence periodically, Dynamic Updates allow you to receive data as soon as it is available.

Hailstorm spam attack timeline

Graph of a hailstorm attack

  • Before 0 sec: No info
  • 0 sec: Hailstorm attack starts, traffic spikes to more than 800 emails sent every 10 seconds.
  • 16 sec: Domain used identified, published to Zero Reputation Domain list. Dynamic Updates subscribers can start blocking malicious domain.
  • 28 sec: Domain published to Spamhaus Zen and Domain Blocklist. Spam rate still running at over 800 emails every 10 seconds.
  • 90 sec: Domain generally accessible for rsync subscribers based on a standard 60 second rsync period. Spam rate starts to drop off.
  • 120 sec: Spam rate drops to negligible.

In three minutes, more than 15,000 spam messages sent – 85% blocked by Dynamic Updates service at start of attack. Indicative real case example – individual attack profiles will vary.

The Dynamic Updates advantage

Included is Spamhaus’ Zero Reputation Domain (ZRD) service, designed to stop cyber criminals who use newly registered domains.  This is a favoured method to send hailstorm spam; driving traffic to websites in the hope that users will fall victim before a domain has been analyzed for its reputation.

Legitimate organizations will rarely activate a domain and start using it immediately after registration so the ZRD automatically adds newly-registered and previously dormant domains to a block list for 24 hours.


Deploy Dynamic Updates in minutes following these easy steps:

  1. Generate your own authentication certificate (including self-signed)
  2. Submit certificate to Spamhaus via our user portal
  3. Connect! You will be informed via our portal

If you are not already a Spamhaus user, then sign up here and get access to our user portal.

GovWare 2018 in Singapore will see the launch of a new detection tool developed by Deteque, a division of Spamhaus, that uncovers patterns of malicious activity from networks across the world.

Using billions of records from across the internet, the new Passive DNS user tool allows security teams and researchers to investigate connections between suspicious domains and IP addresses in an instant.

Simon Forster, CEO of Spamhaus Technology said: “It’s a powerful tool for security investigators as well as companies wanting to see who might be abusing their brand online.”

Deteque’s Passive DNS is in beta test phase and GovWare 2018 is the first opportunity for a wider public to see the easy to use web portal which draws on data from the global network of contributors to The Spamhaus Project, a trusted third party collating DNS related data in real time.

Our team will be on-site at the UK Pavilion at GovWare to discuss the latest threat trends as they happen including:

• Global trends in spam and email borne threats. See the threat dashboard at www.spamteq.com

• Botnet trends and activities globally, what impact they have and what security professionals can do to protect their networks. https://www.deteque.com/live-threat-map/

Spamhaus has a 20 year track record of collating IP and Domain based threat intelligence used to protect against spam, email borne threats and prevent connections to malicious domains.

Spamhaus data is used by the majority of the Internet’s ISPs, email service providers, corporations, universities, governments and military networks, protecting three billion mailboxes globally.

Spam makes up 95% of all email traffic and email is the most common threat vector to insert malware and gain network access¹. Spamhaus data sets act as a first line of defence in multi-layered security.

¹UK’s National Cyber Security Centre, April 2017

The Spamhaus team are looking forward to being part of VB2018, in Montreal.

The world’s leading IT security experts, from academia and vendors to non-profits and mega corporations, will gather to share their expertise, ideas, research and predictions.

Date: 3-5th October

Venue: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

One of the Spamhaus Project’s leading threat intelligence research experts will be featuring in VB2018’s ‘Small Talks’: The botnet landscape – live threats and steps for mitigation.  From botnets to botnet command and controllers you will discover up-to-date trends in the botnet threat landscape and recommendations for network security managers, data protection practitioners and CISO/CIOs.

Register for VB2018 here


Spamhaus Technology is delighted to be part of GovWare 2018, at Singapore International Cyber Week.

GovWare is focused on “Forging a Trusted and Open Cyberspace in 2018”.  Attendees will have the opportunity to see the latest trends in technology, implementation and hear real-life stories from users in the market place.

DATE: 18 – 20 Sept

VENUE: Suntec Singapore Convention & Exhibition Centre, Singapore

Spamhaus Technology will be showcasing Deteque’s Passive DNS, which is currently in beta testing.  This tool uncovers patterns of malicious activity across global networks and can assist multiple roles within the cyber security industry, including Penetration Testers, Security Researchers and Brand Protection Specialists.

Connect with us and our reseller, Pipeline Security, at the event to discover how you can protect both your email and networks utilising threat intelligence that has been trusted by the industry for more than 20 years.

Register for GovWare 2018 here