Brian Krebs covers the Bitcanal “Hijack Factory” story which hit the news this week. Bitcanal has continually hijacked Border Gateway Protocol (BGP) routes, leasing swathes of IP addresses to spammers. Spamhaus has 103 SBL listings related to Bitcanal, going as far back as 2014. Read Brian’s article here.
This week sees Spamhaus featuring in the news again. Bitcanal, a notorious bad actor that has continually hijacked Border Gateway Protocol (BGP) routes, has effectively been kicked off the internet. Spamhaus has 103 SBL listings related to Bitcanal, going as far back as 2014. Doug Madory, Director of Internet Analysis at Oracle Dyn, takes an in-depth look at the story and highlights the lessons Internet Exchange Points (IXPs) need to learn from this: Shutting Down the BGP Hijack Factory.
Do you utilise Spamhaus’s free domain name server block lists (DNSBLs)? Are you currently using Google’s Public DNS, or similar public recursive server? You may not be aware, but with this combination, every time you make a query to Spamhaus it will return a ‘non-existent domain’ (NXDOMAIN) which in this case means we are not providing reputation advice about whether or not to receive that email. Essentially this means that your spam emails will not be blocked by the queries you are running. Here’s why…
Why use a public recursive DNS?
There are a number of reasons why people choose to employ a public DNS resolver, such as Google Public DNS. Perhaps your Internet Service Provider’s (ISPs) recursive name server suffers from high latency, due to it being overloaded. Let’s be honest, given the competitive nature of this marketplace some providers have been known to ‘skimp’ in this area, in order to reduce operating costs.
Also, let’s not forget its ease of use. If you’re setting up an address to use as your DNS resolver, then 8.8.8.8 (one of Google’s public DNS resolver IP addresses) is one of the simplest numbers to remember.
So why don’t Spamhaus’s free DNSBLs work through some public DNS resolvers?
Regrettably we have had to block some public DNS resolvers because they can be exploited by some users to get more than their fair share of a free service.
Taking a step back
Back in 1998, when both the world wide web (w.w.w.) and Spamhaus were in their infancy, 3.1% of the global population were utilising the internet, according to data from the International Telecommunication Union. Fast forward 20 years and now 48% of the world’s population uses the internet. That takes the numbers from 188 million users in 1998 to 3,663 million users in 2017. This means that not only is the number of global internet users increasing at a phenomenal rate, but the number of those using Spamhaus’s free public mirrors is also dramatically increasing.
Sharing is caring
We believe in providing the public with threat intelligence for free; helping small independent businesses, schools and non-profit making organisations safely filter their email at no cost.
With a network of over 80 public DNSs spread across 35 countries, this significant international DNS infrastructure serves billions of queries to the public every day, for free.
But note that word ‘public’ in the above paragraph. This free service is intended to be available for those who are genuinely ‘the public’, fulfilling all of the following criteria:
- Use of the Spamhaus DNSBLs is non-commercial
- Your email traffic is fewer than 100,000 SMTP connections per day
- Your DNSBL query volume is fewer than 300,000 queries per day
Further details can be found at Spamhaus DNSBL Usage Terms.
Spamhaus understands that anything free is difficult to resist. Therefore usage of these free DNSBLs is monitored to ensure this resource isn’t being exploited. If an IP address exceeds the above criteria, it is suggested the user pays to use the commercial DNSBL data feed service.
Yes, but why block queries from public recursive name servers?
It’s simple – public recursive name servers act as an anonymising service and enable large scale users to hide behind them. Given the lack of transparency and the inability to identify those who are abusing the free service, a difficult decision was made to add some public domain name servers to our access control list… ultimately blocking your query.
To quantify the issue, over a 24 hour period Spamhaus receives approximately two billion queries from what could be argued to be the most popular public recursive DNS. This is roughly 20% of the total number of queries made over the same period.
But I want to use both a public recursive DNS and Spamhaus’s free block lists.
Not a problem, as long as you meet the criteria detailed above. Spamhaus can provide you with free access to our DNSBL data feed via a data query service (DQS). Simply sign up for the DQS here. It’s straightforward, can be set up in a matter of minutes, and enables you to have access to our domain name server block lists whilst still using a public DNS.
Any questions? Simply contact Spamhaus Technology.
There are a number of Internet Service Providers (ISPs), along with their customers, who are unwittingly missing out on the opportunity to have uninterrupted access to Spamhaus’s commercial grade threat intelligence. Here’s how to ensure you stay protected with our domain name server block lists (DNSBLs), and furthermore, increase the value of the service you provide to your customers.
How to protect email
There are multiple solutions, feeds and services in the commercial anti-spam marketplace. Currently three billion mailboxes (for those of you who like precise numbers, click here for today’s exact number) are being protected by Spamhaus’s business grade data feeds.
These DNSBLs are updated around the clock by a highly experienced group of security researchers, whose sole focus is to track spam and cyber related threats, such as phishing, malware and botnets. Malicious emails are blocked before they even reach your inbox, reducing storage costs and bandwidth usage and, of course, increasing your email security.
So, what has this got to do with ISPs?
Good question. Keep reading.
A free service to the public
Occasionally large scale users like to avail themselves of Spamhaus’s free DNSBL servers. Spamhaus has always believed in protecting individuals, small businesses and nonprofit organizations for free. Over the years a global network of over 80 DNSBL servers has been built, serving billions of queries to the public at no cost, as long as usage is within the limits set out in the policy below:
- Use of the Spamhaus DNSBLs is non-commercial
- Your email traffic is fewer than 100,000 SMTP connections per day
- Your DNSBL query volume is fewer than 300,000 queries per day
Sadly, as previously mentioned, a minority abuse this policy. To ensure fair usage this service is now monitored. Where a recursive server is flagged as over querying it may potentially be blocked. This will result in any queries run through it returning a ‘non-existent domain’ (NXDOMAIN), which in this case means we are not providing reputation advice about whether or not to receive that email. Ultimately it means that the user will no longer be protected from malicious emails through these queries.
But why should ISPs care?
If you are an ISP with one or multiple customers over-querying through your recursive server(s), there is the potential that the recursive server(s) in question will be blocked from the free DNSBL service. Regrettably this means that not only do those who are guilty of abusing the service lose out, everyone does. Moreover it’s highly likely that you would be completely unaware that the service is being blocked.
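Because a blocked resolver answers NXDOMAIN for every DNSBL query, the failure described above and in the public DNS article is silent: mail is simply never rejected. The following health check is an added example, not Spamhaus code; it assumes the zone name zen.spamhaus.org (not given on this page) and relies on the RFC 5782 test entries 127.0.0.2 (always listed) and 127.0.0.1 (never listed).

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"   # assumption: zone name is not given on this page
TEST_LISTED = "127.0.0.2"   # RFC 5782: test entry a DNSBL always lists
TEST_CLEAN = "127.0.0.1"    # RFC 5782: entry a DNSBL never lists
# Assumption of this sketch: genuine listing codes fall in 127.0.0.0/24.
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")


def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_lookup(name):
    """Resolve through the host's configured resolver.

    Any resolution failure (NXDOMAIN, but also a timeout) is returned as [].
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_resolver(lookup=system_lookup, zone=ZONE):
    """Classify whether DNSBL answers actually reach this mail server."""
    listed = lookup(dnsbl_name(TEST_LISTED, zone))
    clean = lookup(dnsbl_name(TEST_CLEAN, zone))
    if not listed:
        # The silent failure mode: nothing is ever listed, so nothing is blocked.
        return "no-data"
    if clean:
        # Even the never-listed entry resolves: a wildcard or rewriting resolver.
        return "wildcard"
    if not all(ipaddress.ip_address(a) in LISTING_NET for a in listed):
        return "unexpected"
    return "ok"


# Constructed resolver behaviours for offline demonstration (not captured traffic).
def blocked_lookup(name):
    return []  # every query comes back NXDOMAIN


def healthy_lookup(name):
    return ["127.0.0.2", "127.0.0.4"] if name.startswith("2.0.0.127.") else []


if __name__ == "__main__":
    print("blocked resolver:", check_resolver(blocked_lookup))
    print("healthy resolver:", check_resolver(healthy_lookup))
```

Run periodically from the mail server with the default `system_lookup`, a result other than "ok" is a signal to alert on rather than to keep accepting mail unfiltered.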
Ignorance isn’t bliss, particularly not for your customers
We understand the inconvenience and potential risks an outage of threat intelligence could mean for all concerned. You, as the ISP, stand to lose the free service (as long as you are using it within the stated query and traffic volumes), but additionally your customers stand to lose it too. Even worse – there’s a high probability that your customers would be completely unaware of the fact they are not protected.
Keeping everyone happy
We all know you can’t keep everyone happy all of the time, but we like to try. Therefore we offer users of Spamhaus’s free DNSBL servers access to our data query service (DQS). This DQS has multiple advantages:
- The DQS is FREE – as long as usage is within policy limits (see above).
- Increased data quality – updated in real-time: this is a commercial grade feed.
- Set-up is simple and quick – it should take you literally one minute to set up on most modern mail servers and it doesn’t require additional software or servers.
- Continuous service assurance – providing you keep within the usage policy.
- Only your usage will be monitored – not that of everyone else using the same recursive server as you.
- Sign up for the feed is easy – click here
Spread the word
All you need to do is share this message with your customers, to ensure there are no potential access issues to the Spamhaus DNSBL for anyone. We suggest dropping your marketing team a note to see how they could help you communicate this information to your customers.
Share email threat protection with your customers
An alternative route, and one many ISPs take, is to increase the value of your service offering by providing this added layer of email protection to your customers’ mailboxes for free. “Ouch” we hear you say, “that’s going to be expensive”. Don’t jump too hastily to that conclusion – connect with us today to find out what the actual costs would be to your ISP business. After all, a phishing attack or potential loss of business is likely to be far more costly.
The Most Abused Top Level Domains List from Spamhaus continues to feature in the news. Writing for Japan’s XTECH, Yukihiro Katsumura puts the spotlight on the number of malicious domains hosted on cheap, or free, top level domains.
About Spamhaus Technology
Founded in London in 2004, Spamhaus Technology provides commercial data distribution and synchronization services for the real-time datastreams, raw datasets and security technologies developed by the non-profit organization The Spamhaus Project.
From the proceeds of these services, Spamhaus Technology supports a pool of worldwide public servers that provide data to the public, funds research into anti-spam technologies and contributes research and equipment to the global fight against cybercrime.
Technology service providers and enterprises in Japan / Asia Pacific will have faster, easier access to global cyber threat intelligence thanks to a new partnership between Tokyo-based PIPELINE Security and Spamhaus Technology.
PIPELINE Security brings local delivery and support along with an in-depth understanding of the Japanese market which is long associated with precision and excellence, demanding a deep level of metrics and visibility.
Spamhaus Technology provides the email and network security intelligence developed by The Spamhaus Project, a trusted third party currently protecting three billion user mailboxes, blocking the vast majority of spam and malware sent on the Internet.
Spamhaus and PIPELINE are positioned to help Internet Service Providers (ISPs), Email Service Providers (ESPs) and enterprises defend themselves from spam, malware, botnets and other online threats.
Simon Forster, CEO of Spamhaus Technology commented: “The move is designed to strengthen the Asia Pacific region against cyber attacks and broaden Spamhaus’ presence in Asian markets. With Pipeline Security we have an excellent partner to bring to new customers the threat intelligence that has been protecting our users for the past 20 years.”
Allan Watanabe, Managing Director of PIPELINE Security commented: “Cyber attacks are rapidly evolving and businesses are struggling to stay ahead of the cyber criminals. It is critical for businesses to utilize a threat intelligence strategy to transition from a reactive security to proactive security model. We are looking forward to providing Spamhaus’ Real Time Threat Intelligence to help secure our customers in Asia Pacific and Japan.”
About PIPELINE Security
PIPELINE is providing threat intelligence and security consulting services to top tier businesses in Japan. Our team of global cyber security experts is continuously striving to raise and improve information security in Japan by offering solutions based on global standards and best practices. PIPELINE Security provides services for mission critical and information security systems at major Japanese banks, telecommunications, ISPs, and large enterprises. Learn more: http://www.pipelinesecurity.jp
See what industry experts are saying about the latest annual Botnet Threat Report that has just been released by Spamhaus. It’s a summary of the latest trends used by cyber criminals and spammers with practical advice to protect your network and users. See what independent researcher Virus Bulletin is saying about the report here
Going to SANS Network Security in Las Vegas? Our data delivery vendor SecurityZones will be there at the vendor day Sept 12th and it would be great to meet up. Please contact SecurityZones here.
And join us at our Lunch & Learn on Sept 13th, when we will be showcasing Response Policy Zone threat intelligence that works with your DNS management to choke the botnets used by cyber criminals for DDoS attacks, fraud and network hijacking.
Sign up for the session at SANS, it would be great to see you there. Sign up here
See you at Caesars Palace
Criminals focused on getting a financial return have identified a particularly attractive target – the healthcare industry. Independent findings by Osterman Research have revealed the specific ways the industry finds itself under cyber attack – including ransomware, malware and targeted attacks. There is direct harm to IT systems but it’s the knock-on effects that have the industry reeling according to Osterman. Read the White Paper ‘Protecting Data in the Healthcare Industry’ to find out more – and importantly what you can do to minimise the risks. Download here
About Osterman Research
Osterman provides timely and accurate market research, cost data and benchmarking information to technology-based companies. We do this by continually gathering information from IT decision-makers and end-users of information technology. Osterman conducts surveys on IT-related issues with both IT professionals and end users. Surveys focus on messaging management, instant messaging, messaging threats, backup and archiving strategies, operating system issues and other IT-related issues. To learn more about Spamhaus in healthcare, please contact our authorized data feed vendor SecurityZones