SpamCannibal blacklist service hijacked

Updated: Miscreants have tampered with the service to pump out spam and tell you that every IP address you check is suspicious.

SpamCannibal, a defunct service which was once used as a means to check IP addresses for spam origins, has been hijacked.

Spam filters draw on a myriad of sources, such as the well-known Spamhaus and SORBS blacklists, to decide whether the IP address of a connecting mail server is legitimate or tied to spam and malicious campaigns.

In the past, one of these sources was SpamCannibal, a free, public tool touted as a means to "block spam at the origination server and [...] block DoS attacks."

SpamCannibal collected spam-related IP addresses from mail its users received: the offending messages were read, the sending IP address was extracted and archived, and spam messages could be fed automatically into the service's database. The SpamCannibal tarpit daemon, which holds a listed sender's connection open while sending almost nothing back, used only about half a byte per second per thread on average when in operation.

This service has not been active since the middle of last year. At least, until now.

SpamCannibal was once a means to block spam, but fraudsters managed to hijack the domain and use it not only to spew out spam itself but to answer every IP query as a confirmation that the address was a spam source.

The Register was tipped off to the change.

During a sandbox test, the domain served a fake Flash plugin update prompt, a common lure used by attackers to dupe website visitors into downloading malicious executables.

Overnight, the DNS for spamcannibal.org was changed to point at a system controlled by the fraudsters. Because the new records answered for every name under the domain, every IP address query came back as "listed" as a result.

This was possible because the SpamCannibal domain had been allowed to expire, as noted by Virus Bulletin researcher Martijn Grooten.

"As is typical in the takeover of expired domains, it was pointed to a dodgy-looking (but not necessarily malicious) parking site," Grooten says. "What was worse -- though again not uncommon -- was that a wildcard DNS was pointed to this parking site."

"In practice, this meant that any query to SpamCannibal's blacklist returned the same positive response, leading spam filters to believe the queried IP address was blacklisted," the researcher added.
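To make concrete what Grooten describes, here is a minimal DNSBL client, written for this article and not SpamCannibal's or Spamhaus' own software. A blocklist lookup reverses the octets of the sender's IP address, appends the zone name, and treats any A record in the reply as "listed" and NXDOMAIN as "not listed"; a wildcard record over the zone therefore lists everything. The check a filter should run before trusting a zone is the one from RFC 5782: the zone must list 127.0.0.2 and must not list 127.0.0.1. The zone names, the two fake resolvers and the parking IP below are constructed so the demo runs offline; `socket_resolver` shows how a real lookup would be done.

```python
"""Minimal DNSBL client plus the RFC 5782 sanity check that flags a wildcarded
zone.  Example code added for this article, not SpamCannibal's or Spamhaus'
own software.  Zone names, records and the parking IP are constructed."""
import ipaddress
import socket
from typing import Callable, List, Optional

# A resolver maps a name to its A records, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, then the zone.
    192.0.2.10 against bl.example becomes 10.2.0.192.bl.example."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """A DNSBL signals 'listed' merely by returning an A record (conventionally
    inside 127.0.0.0/8); NXDOMAIN means not listed.  A wildcard record covering
    the zone therefore makes every address look listed."""
    return bool(resolve(dnsbl_name(ip, zone)))


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 section 5: a DNSBL MUST list 127.0.0.2 and MUST NOT list 127.0.0.1.
    A zone that lists 127.0.0.1 is wildcarded or otherwise broken and must not
    be trusted."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def socket_resolver(name: str) -> Optional[List[str]]:
    """Real lookup through the system stub resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


# Constructed stand-in for a healthy zone: only the RFC 5782 test address and
# one made-up spam source are listed.
HEALTHY_ZONE = "bl.example"
_HEALTHY_RECORDS = {
    dnsbl_name("127.0.0.2", HEALTHY_ZONE): ["127.0.0.2"],
    dnsbl_name("192.0.2.10", HEALTHY_ZONE): ["127.0.0.2"],
}


def healthy_resolver(name: str) -> Optional[List[str]]:
    return _HEALTHY_RECORDS.get(name)


# Constructed stand-in for an expired, parked zone with a wildcard record,
# i.e. "*.expired.example. IN A 198.51.100.7": every name resolves.
WILDCARD_ZONE = "expired.example"
PARKING_IP = "198.51.100.7"


def wildcard_resolver(name: str) -> Optional[List[str]]:
    if name == WILDCARD_ZONE or name.endswith("." + WILDCARD_ZONE):
        return [PARKING_IP]
    return None


def classify(ip: str, zone: str, resolve: Resolver) -> str:
    """What a careful filter should do: refuse to act on a zone that fails the
    sanity check rather than treat every sender as spam."""
    if not zone_is_sane(zone, resolve):
        return "zone-unusable"
    return "listed" if is_listed(ip, zone, resolve) else "not-listed"


if __name__ == "__main__":
    for zone, resolve in ((HEALTHY_ZONE, healthy_resolver), (WILDCARD_ZONE, wildcard_resolver)):
        for ip in ("192.0.2.10", "203.0.113.5"):
            print(f"{ip:>12} @ {zone:<16} -> {classify(ip, zone, resolve)}")
```

Against the healthy zone the constructed spam source is reported as listed and the other address as not listed; against the wildcarded zone both addresses would be "listed" by a naive client, and `classify` instead reports the zone as unusable. Running the same 127.0.0.1 probe against a production blocklist on a schedule is a cheap way to notice a dead or hijacked zone before it starts rejecting all of your inbound mail.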


The change does not appear to be a targeted effort, but rather a fraudster grasping at an opportunity to promote malware downloads and propagate spam.

However, the original operator does now appear to have regained control of the domain. SpamCannibal no longer responds to blacklist queries at all, which is far better than answering that every IP address, including yours, is a spam source.

Update 3.6.2018: The Spamhaus Project told ZDNet that Spamhaus managed to push the domain out of the "renewal mode" at the registrar when issues were detected, which temporarily stopped the problem. The project has now taken over the domain and operation, with plans to eventually wind it down following the proper DNS-blocklist shutdown procedures.
