Spamhaus blocks over 65K IPs of a hijacked netblock



On September 6th, 2009, Spamhaus blocked a /16 which is 65,536 IPs (1 Class B) on its SBL. This listing is filed under SBL68517. The IP range that is being blocked is One can view the ASN information of at robtex. According to robtex, the upstream for this range is AS3257 which is Tinet (formerly Tiscali). There are 3 current SBLs related to this large blocking: SBL68517, SBL78348 ( of ) and SBL78350 ( of Cogentco).

If one is rusty on subnetting (how many IPs after a / listing), one can check the CIDR entry on the wiki. Having over 65,000 IPs blocked by Spamhaus is generally a big deal to ISPs and webhosts. Spamhaus in its diligent research of the worst spam ogranisations has determined that this IP range which is owned by Oracle (AS794) is hijacked. Spamhaus classifies such activitiy under ROKSO as Zombies. Nearly all Spamhaus’ ROKSO (Register of Known Spam Operations) entries are names of companies, people or something similar which are known to engage in large scale spamming activities. Spamhaus lists such groups on its ROKSO lists if the spamming operations have been terminated with at least 3 different ISPs. Zombies (the activity of hijacking networks of IP ranges) gets its own entry.

The problem of zombies (hijacked netblocks) appears to be an issue in fighting spam and blocking various rogue networks. Spamhaus updates a list of DROP (Don’t Route or Peer) networks (hijacked netblocks or zombies) on its website for network administrators to use to block unwanted traffic to their networks, firewalls or webservers.

It would seem that the Regional Internet Registries (RIRs which are LACNIC, ARIN, RIPE, AfriNIC, and APNIC ) would be more protactive in preventing hijacking from happening in the first place. The RIRs allocate the IPs to different organizations, mainly to ISPs and large corporations. Perhaps IANA (Internet Assigned Numbers Authority) which is oversees the allocations of IP addresses should take some action as well in minimizing the stealing of netblocks on the Internet by spammers. But then again, one who watches the issue of fraudulent domain name purchases knows that ICANN is not taking direct action that often in minimizing falsified domains purchased by spammers often using stolen credit cards. These fraudulent domains are then used in many spamming activities including fast flux DNS on botnets.

No Responses Yet to “Spamhaus blocks over 65K IPs of a hijacked netblock”

  1. Leave a Comment

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: