Spamhaus, an international non-profit organisation which aims to track the Internet’s spam operations and sources, maintains a block list of IP addresses that send out spam or are being used for malicious activity.
The Spamhaus Block List, or SBL, lists which IP addresses from a network service provider are sending out spam, hosting malware, or are involved in botnet activity.
This kind of network abuse can be a huge headache for South African service providers, as it can cause their IP addresses to be cut off from the Internet if the issues aren’t dealt with quickly.
In the table below, the number of IPs sending spam, serving malware, and involved in phishing attacks or botnet activity is summarised per network.

Spamhaus Block List

|ISP responsible|Total|Spam|Malware|Phishing|Botnet C&C|
|---|---|---|---|---|---|
|telkom.co.za + saix.net + bcx.co.za|18|14|3|–|1|
|neology.co.za + wbs.co.za|4|2|1|–|1|
South African service providers have said they are aware of the SBL, and check it frequently.
Best practice is for operators to have an abuse e-mail address ([email protected]…), and to publish that address in the Whois database of the regional Internet registry – AFRINIC, in the case of South African service providers.
Listings on Spamhaus are usually due to servers which get infected with malware, are hacked, or otherwise compromised.
Operators explained that in most cases, customers are not aware that their websites or email accounts have been compromised.
The service provider steps in to stop the source of the issue, which can mean taking the websites offline, changing the passwords on the e-mail accounts, or shutting down the server.
The client is then notified and given a chance to clean up their content.
Feedback from SA’s service providers is summarised below.
“Spamhaus is not the only source we receive these alerts and notifications from,” said Cybersmart.
One of the challenges hosts face is with co-located or virtual private server customers, where service providers have no control over the content on the servers.
“If any of [our clients’] servers are compromised on the network or we receive an alert regarding a vulnerability, appropriate action is then carried out by our staff.”
Cybersmart said spamming is a difficult problem to solve.
“We have tried redirecting all port 25 through our servers; this creates a whole bunch of other issues and sometimes breaks outgoing mail for the customer.”
For this reason, it has been more effective to deal with each issue as it comes up.
“To redirect everything is assuming that most customers do spam, and that is not the case. By doing that you also create a single point of failure for all customers.”
Cybersmart has also tried a commercial product as a solution to its clients’ servers being compromised.
“This solution scans all cPanel servers’ outgoing email and hosted SMTP servers and our primary domain’s incoming email. This had a positive impact on our service, and dropped support queries down to almost zero regarding blacklisting or spam issues.”
In December, Webafrica had 3 IPs listed on the SBL, but by January it was at 0.
Spam is a constant problem, the company said, and is usually related to out-of-date software and passwords.
It said the addresses listed in December were allocated to clients with dedicated servers, who were notified, and remedial action was taken. However, the clients failed to request delisting from Spamhaus.
“Our NOC team then followed up and did it on the customers’ behalf,” said Webafrica.
Internet Solutions had 2 IP addresses listed in December, both of which were no longer listed by January.
The company said it implemented its Acceptable Use Policy on the offending parties when the issues were detected, and secured its network.
Multisource, responsible for the Neology network and the Wireless Business Solutions network, said it takes swift action against abnormal use.
Multisource is a wholesale provider offering various types of hosting services, Internet access, and mail relay services.
“From time to time, customers’ systems get compromised by trojans or malicious individuals, and are then used by spammers to relay e-mail, or provide DNS services for spam domains,” said Multisource.
“We typically quarantine the infected hosts, and inform the customer of the compromise where possible.”
The company said it participates in the Spamhaus Policy Blocklist to indicate which portions of its networks are dedicated to end users.
Anyone using the Spamhaus list can then block direct e-mail connections from end users who are not meant to be operating mail servers.
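The mechanism described above is a DNS lookup: a mail server reverses the octets of the connecting IP, appends the Spamhaus zone name, and reads the answer, where each A record in 127.0.0.0/8 names a list the address appears on (the PBL codes mark ISP-declared end-user ranges). The following is an added example written for this article, not code from Spamhaus or any of the providers quoted. The return codes are the ones Spamhaus publishes for its ZEN combined zone; the 192.0.2.0/24 addresses and the answers in `SAMPLE_ANSWERS` are constructed so the example runs offline, and `default_resolver` would perform a real DNS query if used instead. It also shows the caveat a practitioner needs: answers in 127.255.255.0/24 are error signals (for example a query sent through an open resolver), and the policy fails open on them rather than rejecting all mail during a DNSBL problem.

```python
"""Added example: querying the Spamhaus ZEN DNSBL and deciding SMTP policy from the answer."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

ZEN_ZONE = "zen.spamhaus.org"

# Return codes published by Spamhaus for the ZEN combined zone.
# Each A record in the answer names one list the IP appears on.
RETURN_CODES = {
    "127.0.0.2": "SBL",      # Spamhaus Block List: verified spam sources
    "127.0.0.3": "SBL-CSS",  # SBL CSS: compromised-host / snowshoe spam
    "127.0.0.4": "XBL",      # XBL: exploited hosts (open proxies, worms, trojans)
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",     # PBL: end-user range, declared by the ISP itself
    "127.0.0.11": "PBL",     # PBL: end-user range, maintained by Spamhaus
}

# Answers in 127.255.255.0/24 are error signals, not listings.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came via an open/public resolver; answer not usable",
    "127.255.255.255": "query limit exceeded; answer not usable",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the query name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def default_resolver(name: str) -> List[str]:
    """Resolve A records for name with the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify(answers: Iterable[str]) -> Dict[str, object]:
    """Map the A records of a DNSBL answer onto list names, error codes and unknown codes."""
    lists, unknown, error = set(), [], None
    for record in answers:
        if record in ERROR_CODES:
            error = ERROR_CODES[record]
        elif record in RETURN_CODES:
            lists.add(RETURN_CODES[record])
        else:
            unknown.append(record)
    return {"listed": bool(lists), "lists": sorted(lists), "error": error, "unknown": unknown}


def lookup(ip: str, resolver: Callable[[str], List[str]] = default_resolver,
           zone: str = ZEN_ZONE) -> Dict[str, object]:
    return classify(resolver(dnsbl_query_name(ip, zone)))


def smtp_policy(ip: str, resolver: Callable[[str], List[str]] = default_resolver) -> Tuple[str, str]:
    """Decide what an MTA should do with an inbound SMTP connection from ip.

    SBL / SBL-CSS / XBL: reject, the source is a known spammer or a compromised host.
    PBL only: reject direct-to-MX mail; end-user ranges must relay through their ISP.
    Error code or no answer: accept (fail open) so a DNSBL outage does not block all mail.
    """
    result = lookup(ip, resolver)
    if result["error"]:
        return "accept", "dnsbl error: " + str(result["error"])
    lists = result["lists"]
    if any(name in lists for name in ("SBL", "SBL-CSS", "XBL")):
        return "reject", "listed on " + ", ".join(lists)
    if "PBL" in lists:
        return "reject", "PBL: end-user address, mail must go through the ISP's relay"
    return "accept", "not listed"


# Constructed sample answers (192.0.2.0/24 is the documentation range); hypothetical data.
SAMPLE_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.10"],               # ISP-declared end-user range
    dnsbl_query_name("192.0.2.20"): ["127.0.0.2", "127.0.0.4"],   # spam source that is also exploited
    dnsbl_query_name("192.0.2.30"): ["127.255.255.254"],          # query went via an open resolver
}


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for default_resolver, serving the constructed answers above."""
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        print(ip, smtp_policy(ip, sample_resolver))
```

Run as-is it uses the constructed answers; swapping `sample_resolver` for `default_resolver` makes it query Spamhaus for real, which should be done from the operator's own resolver, since answers obtained through public resolvers come back as the 127.255.255.254 error code and are deliberately treated as "no information" here.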
Vodacom said it has noticed an increase in attacks originating from its network, but added it has systems in place to mitigate this.
“Vodacom has taken the stance to protect its customers and internal network users by blocking and sharing the malware IPs with our partners.”
In December, Seacom had an IP address that had been listed as a command and control server for a botnet. By January, it was clean.
“Seacom takes network abuse seriously and acted immediately upon the receipt of a complaint from Spamhaus in September 2015,” it said.
“Our network operations centre notified the customer who in turn confirmed it had a compromised machine on its network due to a misconfiguration.”
Although the issue was solved, Seacom said the resolution of a complaint does not automatically trigger the delisting of an IP address from the SBL.
“The ISP needs to contact Spamhaus and ask them to remove the IP address from their listings.”
Vox said it has resolved the issues reported on its network and is waiting for the IPs to be delisted.
“We receive these alerts from numerous sources. We also have our in-house security audits to ensure we pick up on any issues,” it said.
MTN said it could not comment on the scale of the attacks on its network.
“We are continuously reviewing ways of minimising our exposure to these attacks. We take this issue very seriously.”
MTN said it notifies its customers if an issue is detected, and failure to take action results in the offending device being “blackholed”, or removed from the Internet.