Defunct SpamCannibal service hijacked, starts spamming users with false notifications

Hackers managed to hijack SpamCannibal, a defunct blacklist service that once used to issue blacklists of known spam servers to block spam. The service operated from 2003 until August 2017 after which it remained inactive and no longer responded to DNS queries. However, it was suddenly reincarnated by cybercriminals last week.

On Wednesday, SpamCannibal suddenly sprung to life after it was hijacked by fraudsters and reportedly began forwarding users to a domain parking site that pushed a potentially malicious Flash plugin as well.

The Register reports that the domain launched a fake Flash plugin update request during a sandbox test. Attackers managed to change SpamCannibal's DNS entry to point to a system controlled by them. They also used the system to respond to every IP query as a confirmation of spam, essentially designating anyone as a "known spammer".

Virus Bulletin editor and security researcher Martijn Grooten noted that the SpamCannibal domain happened to expire on Wednesday, leaving it open for anyone to seize and exploit.

"As is typical in the takeover of expired domains, it was pointed to a dodgy-looking (but not necessarily malicious) parking site. What was worse – though again not uncommon – was that a wildcard DNS was pointed to this parking site," Grooten wrote. "In practice, this meant that any query to SpamCannibal's blacklist returned the same positive response, leading spam filters to believe the queried IP address was blacklisted."

He added that the number of people and organizations still using SpamCannibal is likely small. However, the incident is still a lesson for the security industry, he notes.

"If you are using someone else's blacklist, you should check whether it supports 'health checks', and if it does, perform a health check regularly," he explained. "If you are running a blacklist and aren't able to continue supporting it, consider donating the domain to another organization working in the email security space. At the very least, they should be able to prevent the domain registration from expiring."

It appears that the SpamCannibal has since managed to reclaim ownership of the domain, he said. However, it is no longer responding to blacklist queries.

The Spamhaus Projecttold ZDNet that they managed to push the domain out of "renewal mode" and temporarily halt the issue. It has since tracked down the original operator and taken over the domain and its operation. It plans to eventually "wind it down" after following the appropriate DNS-blocklist shutdown procedures.