The SpamCannibal was born to blacklist IP address of malicious servers involved in spam campaigns and DoS attacks.
SpamCannibal was using a continually updated database containing the IP addresses of spam or DoS servers and blocks their ability to connect using services on a computer system that purposely delays incoming connections (aka TCP/IP tarpit).
The blacklist service was offline since last summer, but someone hijacked it on Wednesday morning, attackers changed the DNS name server settings for the website overnight.
The news was first reported by El Reg that was informed of the strange resurrection by a reader who told them that SpamCannibal was “pumping out Blacklist notifications for some of our servers and then when you go to spamcannibal.org, you get spam.”
“Visiting the site earlier today flung fake Adobe Flash updates at our sandboxed browser, downloads no doubt riddled with malware, so beware.” reads a blog post published by El Reg.
The DNS record for the blacklist service was changed to point at a rogue server controlled by attackers that likely used it to deliver malware and to alter the results of queries to the blacklist service.
If anybody uses spamcannibal's RBL, the domain has been taken over and has a wildcard response – so it returns everything as status spam. https://t.co/wBuzpWLjDR
— Kevin Beaumont ? (@GossiTheDog) May 30, 2018
All the users that queried the service to check an IP address to see if it is blacklisted as a spam source received always a positive result with serious consequences.
Researcher Martijn Grooten believes the attack wasn’t targeted.
“This really looks like a standard domain takeover by some dodgy parking service. Doesn’t appear particularly targeted to Spamcannibal,” Grooten concluded.
(Security Affairs – hacking, DNS hijacking)