Miscreants hijacked the defunct SpamCannibal blacklist service
30.5.18 securityaffairs

The SpamCannibal blacklist service was hijacked since Wednesday morning, attackers changed the DNS name server settings for the website overnight.
The SpamCannibal was born to blacklist IP address of malicious servers involved in spam campaigns and DoS attacks.

SpamCannibal was using a continually updated database containing the IP addresses of spam or DoS servers and blocks their ability to connect using services on a computer system that purposely delays incoming connections (aka TCP/IP tarpit).

The blacklist service was offline since last summer, but someone hijacked it on Wednesday morning, attackers changed the DNS name server settings for the website overnight.


The news was first reported by El Reg that was informed of the strange resurrection by a reader who told them that SpamCannibal was “pumping out Blacklist notifications for some of our servers and then when you go to spamcannibal.org, you get spam.”

“Visiting the site earlier today flung fake Adobe Flash updates at our sandboxed browser, downloads no doubt riddled with malware, so beware.” reads a blog post published by El Reg.

The DNS record for the blacklist service was changed to point at a rogue server controlled by attackers that likely used it to deliver malware and to alter the results of queries to the blacklist service.

Kevin Beaumont 🐈

If anybody uses spamcannibal's RBL, the domain has been taken over and has a wildcard response - so it returns everything as status spam. https://twitter.com/webme_it/status/1001731230264627202 …

12:51 PM - May 30, 18
22 people are talking about this
Twitter Ads info and privacy
All the users that queried the service to check an IP address to see if it is blacklisted as a spam source received always a positive result with serious consequences.

The attackers set a wildcard domain so that any subdomain of spamcannibal.org returns an IP address, with this trick the domain was interpreted as blacklisted.
Researcher Martijn Grooten believes the attack wasn’t targeted.

“This really looks like a standard domain takeover by some dodgy parking service. Doesn’t appear particularly targeted to Spamcannibal,” Grooten concluded.