The Spamhaus Project
BETA

news

Resilans Incident Report

Report regarding the SBL listings of spam operations on Resilans AB (resilans.se). Spammer IP address space at Resilans: Spamhaus became aware of Resilans AB leasing netblocks to spam operations in August 2013. We listed those ranges and notified Resilans. Despite notification, the ranges they allocated in August were...

by The Spamhaus TeamMarch 04, 20144 minutes reading time
Spam
Service Providers
DNSBL

Jump to

Report regarding the SBL listings of spam operations on Resilans AB (resilans.se).

Report regarding the SBL listings of spam operations on Resilans AB (resilans.se).


Spammer IP address space at Resilans

Spamhaus became aware of Resilans AB leasing netblocks to spam operations in August 2013. We listed those ranges and notified Resilans. Despite notification, the ranges they allocated in August were allowed to continue spamming for almost 3 months.

In October 2013, we detected spam from yet more Resilans ranges. Again, we notified Resilans - and again those problems took months to resolve. Spamhaus subsequently learned that the same spam operation had used several different identities during that time, undoubtedly complicating things for Resilans.

Over the next few months, through February 2014, more and more IP address space was handed out to spammers by Resilans. During February 2014, Spamhaus identified 47 IP address ranges of "/24"s or larger issued to the spam operation, resulting in 17,664 IPv4 addresses assigned to various snowshoe spam operations scattered across six Resilans IP address allocations. A list of those IP address ranges, plus over 8,700 spammer PTRs we found, is available in the footnotes below.

SBL listings, 27 February, 2014

On 27 February, 2014, in an effort to protect our users from long-standing and widespread spam sources, and to bring resolution to the ongoing spam-related abuse of Resilans-managed IP address space, we implemented a number of larger SBL listings. Resilans had been sent many reports and given many chances to correct the situation before this step was needed. However, the large number of reports sent to them had not produced any noticeable change in the situation.

Resilans responded swiftly to the SBL listings made on 27 February and quickly resolved their outstanding SBL listings. Those larger listings were then removed the same day, 27 February, having been in the SBL zone for less than 12 hours.

Moving forward

Spamhaus hopes that our relationship with Resilans will once again normalize to the good working relationship we have with the vast majority of Internet providers. We're hopeful that Resilans will avoid any further contribution to enabling spammer resources. As always, we keep working for cleaner inboxes and a safer internet, and we welcome Resilans' participation in that cause.

*Steve Linford

CEO - The Spamhaus Project*


Footnotes:

Background of LIR abuse

With IPv4 address space increasingly hard to obtain, spammers are adopting creative and sneaky ways to obtain whatever ranges they can get. The more brazen ones will hijack ranges that are abandoned, or not routed, and forge documents just to get their spam out. Some will sub-lease IPv4 space on the gray or black markets, pretending to use it for SEO or VOIP - while really just wanting fresh IP address space from which to send spam. Others try a different route, and set up many false-front entities all over the world to tap into the reserves that local LIRs maintain. China and Romania have particularly suffered from this behavior. Western spammers experienced enough to use the right words, reasons, and funds have been able to get many large ranges of IP address space delegated to them. LIRs, perhaps naive about these sort of situations, have been taken advantage of by spammers and, given our experiences with spammers, we cannot always blame them for it.

47 Resilans IP address ranges detected sending spam in February 2014:

192.36.52.0/23

192.36.70.0/23

192.36.119.0/24

192.36.121.0/24

192.36.136.0/23

192.36.154.0/24

192.36.166.0/24

192.36.172.0/23

192.36.198.0/24

192.36.207.0/24

192.36.217.0/24

192.36.226.0/24

192.36.241.0/24

192.36.248.0/24

192.71.2.0/23

192.71.8.0/24

192.71.10.0/24

192.71.12.0/24

192.71.23.0/24

192.71.30.0/24

192.71.36.0/24

192.71.38.0/24

192.71.42.0/24

192.71.44.0/24

192.71.46.0/24

192.71.48.0/24

192.71.50.0/24

192.71.52.0/24

192.71.57.0/24

192.71.59.0/24

192.71.61.0/24

192.71.70.0/23

192.71.74.0/24

192.71.81.0/24

192.71.86.0/23

192.71.88.0/23

192.71.103.0/24

192.71.113.0/24

192.71.126.0/24

192.71.142.0/24

192.71.224.0/23

193.183.124.0/23

194.68.16.0/22

194.71.100.0/22

194.71.208.0/22

194.71.228.0/22

194.103.2.0/24

A link to the PTR records of 8,700+ spam hosts detected at Resilans (text file)

An unrelated Resilans incident from 2012

The ACM SIGCOMM Computer Communication Review (Volume 43, Number 2, April 2013 - page 8) states Resilans lost control of one of their Autonomous System Numbers (ASNs) to hijackers:

"For that, a second AS was hijacked and used to originate routes via the already hijacked AS: Relians Ltd. (AS42461)" - PDF link