Fake advertising attempting to discredit Spamhaus
Monday July 9, 2007 at 10:40 am CST
Posted by Chris Barton
Last Thursday we noticed a large spam campaign attempting to discredit Spamhaus and DDOS their phone lines. This is undoubtedly linked somehow to the massive and long-term DDOS attacks on the three major blacklists run by Spamhaus, URIBL and SURBL (the latter two are currently being protected by the DDOS Jedi at Prolexic). DDOS attacks on this scale are risky for the botmasters since they expose the botnets to those interested in such things.
Here is a copy of the mail:
From: Christy June <fake-sender@fake_place.com>
Date: Fri, 5 Jul 2007 20:34:52 +0100
To: “some, one” <spamme@mcafee.com>
Conversation: Which shalom myself magnetic
Subject: What shalom herself magnetic
WORKING TO PROTECT INTERNET NETWORKS WORLDWIDE
Spamhaus tracks the Internet’s Spammers, Spam Gangs and Spam Services, provides dependable realtime anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide.
The SBL database is maintained by a dedicated international Spamhaus team based in 9 countries, working 24 hours a day, 7 days a week to list new confirmed spam issues and - just as importantly - to delist resolved issues.
The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.
The Exploits Block List can be used by all modern mail servers, by setting your mail server’s anti-spam DNSBL feature (sometimes called “Blacklist DNS Servers” or “RBL servers”) to query xbl.spamhaus.org. Use of the XBL is free for users with normal mail servers (but networks with high email traffic should see DataFeed).
You can get MUCH MORE if you contact us:
The Spamhaus Project Ltd. 50 Churchill Square, Suite 6, Kings Hill, West Malling ME19 4YU United Kingdom, Tel (+44) 870 766 xxx
This is not an uncommon event for RBL owners; this one is unusual only because of the size, duration and indiscriminate nature of the campaign.
The spammer in this case also had to fake the sender's address because Spamhaus’s SPF record is of the “-all” variety, which sensibly denotes that they *only* permit one IP address to send mail for their domain, and using the real domain would therefore affect the bots' ability to deliver further.
Obviously Spamhaus do not use botnets to send out promotional material.
(If this all sounds a bit too fishy to be true you can read more about the traditional “Joe-Job” attack right here).
