The Spamhaus Project

Glossary of terms

Find explanations of commonly used terms on our website.
Abuse Desk

Abuse Desk is the common name for the group of network administrators charged with enforcing Acceptable Use Policy/Terms of Service agreements. They are the people who monitor "abuse@domain" for a network, as specified by RFC 2142, and they should understand Role Accounts and Feedback Loops.

Android Backdoor

Android Backdoor malware is installed on an Android device to circumvent normal authentication procedures and other security measures. This allows attackers to gain unauthorized access to the device, enabling them to control and manipulate its behaviour.

ASN - Autonomous System Numbers

An Autonomous System (AS) is a group of one or more IP prefixes (ranges of IP addresses reachable on a network) run by one or more network operators that maintain a single, clearly-defined routing policy; the Autonomous System Number (ASN) is the number that identifies it. Network operators need ASNs to control routing within their networks and to exchange routing information with other Internet Service Providers (ISPs).

AUP - Acceptable Use Policy

"Acceptable Use Policy" or "AUP" is the part of a service provider's Terms of Service (TOS) contract with each of their customers which specifies both acceptable, and unacceptable, use of the provided services. AUPs generally prohibit spam and other abusive actions.

For more information please see the ISP Area and ISP Spam Issues sections of this website.

Authentication (email, domain)

Email authentication is a technical solution to verifying that an email comes from who it claims to be from.

At present there are three major email authentication standards:

  • Sender Policy Framework (SPF)
  • DomainKeys and DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication Reporting and Conformance (DMARC)

Backdoor malware

Backdoor malware circumvents normal authentication procedures and other security measures to gain high-level access to a system, network or application.

Backscatter

Backscatter (also known as outscatter, misdirected bounces, blowback or collateral spam) consists of incorrectly automated bounce messages sent by mail servers, typically as a side effect of incoming spam.

Recipients of such messages see them as a form of unsolicited bulk email or spam, because they were not solicited by the recipients, are substantially similar to each other, and are delivered in bulk quantities.

  • Systems that generate email backscatter may be listed on various email blocklists and may be in violation of internet service providers' Terms of Service.
  • Backscatter occurs because worms and spam messages often forge their sender addresses.

Instead of simply rejecting a spam message, a misconfigured mail server sends a bounce message to such a forged address.

  • This normally happens when a mail server is configured to relay a message to an after-queue antivirus scan or spam check - which then fails.
  • At the time the antivirus scan or spam check is done, the client already has disconnected.
  • In such cases, it is normally not possible to reject the SMTP transaction, since a client would time out while waiting for the antivirus scan or spam check to finish.

Using a DNSBL such as Spamhaus Zen at the time of the SMTP transaction avoids this issue.

Block, Blocking (ISP)

An action taken by an ISP or network to prevent unwanted traffic from entering its private servers, including mail servers.

Border Gateway Protocol (BGP) Community

Network administrators can set up BGP peering sessions between their routers or firewalls and a feed provider's peering service to receive protective data, such as the BGP datasets provided by Spamhaus. Connections to confirmed malicious IPs can then be dropped automatically.

Each dataset is "labeled" with a distinct BGP community, allowing administrators to decide which datasets they want to apply. This decision will depend on the nature and security posture of the network the protection is applied to.

Botnet command & control

A "botnet command & control" (also "botnet controller", "botnet C2", "botnet command & control server" or "botnet C&C") is a server used by cybercriminals to remotely control a network of malware-infected machines (bots), known as a botnet.

The botnet C&C enables the attacker to send commands to the infected machines, instructing them to perform various malicious activities, such as launching distributed denial-of-service (DDoS) attacks, sending spam or ransomware, stealing data, or spreading malware.

Cache miss data

Cache miss data is generated when an internet user makes a request to visit a website, and the hostname is resolved by an external authoritative server instead of a DNS resolver’s cache. This data contains no personally identifiable information, only the domain name, record type, record value, and time stamp.

Carrier-Grade Network address translation (CGNAT)

Carrier-Grade Network address translation allows multiple customers to share a single public IP address by changing their private IP addresses to a public one. It is effectively the large-scale implementation of NAT used by networks to manage the shortage of IPv4 addresses.

ccTLDs - Country code TLDs

ccTLDs - Country code Top-Level Domains typically relate to a country or region. Registries define the policies relating to these TLDs; some allow registrations from anywhere, some require local presence, and some license their namespace wholesale to others.

ClamAV signatures

ClamAV signatures are patterns of data associated with known threats, which the ClamAV antivirus engine uses to detect malware, viruses, and other malicious software.

CNAME record

“CNAME” stands for Canonical Name and it is a DNS record used to alias one domain to another. For example, the CNAME record can map the web address www.example.com to www.example.com.hosted.by.bigcdn.com, so that the IP address where the site is hosted is determined by the company bigcdn.com.

A CNAME record should never point directly to an IP address; it must always point to another domain name.

Cobalt Strike

Cobalt Strike is a legitimate commercial penetration testing tool that allows an attacker to deploy an “agent” on a victim’s machine. Sadly, it is extensively used by threat actors with malicious intent, for example, to deploy ransomware.

DDoS attack

A Distributed Denial-of-Service (DDoS) attack is a cybercrime in which attackers attempt to disrupt a server, service or network by overwhelming it with Internet traffic. This is achieved by using multiple compromised machines including computers and other resources such as Internet of Things (IoT) devices.

In 2013, Spamhaus was victim to one such attempt coined, “the DDoS that almost broke the Internet” in which over 300Gbps of traffic was generated - learn more here.

DNS servers can be complicit in a DDoS attack by "reflecting" the attack back to the victim. In this scenario, the attackers spoof the victim's IP address and send a simple query to a number of DNS servers, so the query appears to come from the victim. DNS servers often reply with a much larger packet, which is then sent to the victim. An example is the "NS ." query (asking for the root nameservers), which only requires 48 bytes to send but can return an answer of over 800 bytes.

DDoS Bot

A DDoS bot is a compromised device or computer that forms part of a botnet and is utilized to execute Distributed Denial-of-Service (DDoS) attacks. A DDoS attack involves malicious attempts to disrupt a targeted server, network, or website by overwhelming it with an excessive amount of traffic.

DKIM - DomainKeys Identified Mail

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.

DMARC - Domain-based Message Authentication, Reporting and Conformance

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

DNSBL - Domain Name System Block List

A DNSBL (Domain Name System Block List) is a list of IP address ranges or other information compiled and presented as a DNS zone. Information in DNS format is easy to query and transport, and its small answers are very "light" on bandwidth overhead. Spamhaus Zen is a DNSBL, as are its component zones of SBL, XBL, CSS, and PBL.

Spamhaus DBL is a domain DNSBL. It may be used to identify URL domains with poor domain reputation, or as a "Right Hand Side Block List" (RHSBL) for email addresses.

For more information please see the DNSBL Usage FAQ and Understanding DNSBL filtering.

DNSBL Return Codes

A return code is the answer a DNSBL provides when the object of a DNS query is listed in that DNSBL zone. All Spamhaus DNSBL return codes are in the 127.0.0.0/8 range assigned by IANA as "Loopback" addresses. Specific return codes may signify specific characteristics of the data within a Spamhaus DNSBL zone. Lists of Spamhaus DNSBL return codes are linked from the What do the 127.*.*.* Return Codes mean? FAQ.

A quick way to check the return code of a listed IP or domain is the "host" or "nslookup" command found on most OS installations. For IPs, query the octets in reverse order, so for 127.0.0.2 you'd do this:

$ host 2.0.0.127.zen.spamhaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4

Here's an example for domains:

$ host dbltest.com.dbl.spamhaus.org
dbltest.com.dbl.spamhaus.org has address 127.0.1.2

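The following is an added example, not Spamhaus code: it builds the reversed-octet (or domain) query name and interprets the answers as a mail filter should, treating only 127.0.0.0/8 answers as return codes, separating Spamhaus' 127.255.255.x error codes from listings, and flagging any non-loopback answer (typically a resolver that rewrites NXDOMAIN) as unexpected rather than as a listing. The code tables are a partial copy of Spamhaus' published return-code FAQ, which this page links to but does not reproduce, and are an assumption to be checked against the current FAQ.

```python
import ipaddress
import socket
from typing import Dict, List

ZEN_ZONE = "zen.spamhaus.org"
DBL_ZONE = "dbl.spamhaus.org"

# All Spamhaus return codes lie inside the IANA loopback range 127.0.0.0/8.
# Answers in 127.255.255.0/24 are error codes (e.g. query via open resolver,
# mistyped zone), not listings.  Assumption: per Spamhaus' return-code FAQ.
RETURN_CODE_NET = ipaddress.ip_network("127.0.0.0/8")
ERROR_CODE_NET = ipaddress.ip_network("127.255.255.0/24")

# Partial return-code tables (assumption: from Spamhaus' FAQ, not from this page).
CODE_TABLES: Dict[str, Dict[str, str]] = {
    ZEN_ZONE: {
        "127.0.0.2": "SBL",
        "127.0.0.3": "SBL (CSS)",
        "127.0.0.4": "XBL", "127.0.0.5": "XBL",
        "127.0.0.6": "XBL", "127.0.0.7": "XBL",
        "127.0.0.9": "SBL (DROP)",
        "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    },
    DBL_ZONE: {
        "127.0.1.2": "spam domain",
        "127.0.1.255": "IP queries prohibited (DBL lists domains, not IPs)",
    },
}


def query_name(target: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets for an IPv4 address,
    the bare lower-cased name for a domain.  IPv6 is not handled here."""
    if ":" in target:
        raise ValueError("IPv6 reverse-nibble queries are not handled in this example")
    try:
        ip = ipaddress.IPv4Address(target)
        return ".".join(reversed(str(ip).split("."))) + "." + zone
    except ipaddress.AddressValueError:
        return target.strip().rstrip(".").lower() + "." + zone


def classify(answers: List[str], zone: str) -> Dict[str, object]:
    """Interpret the A records returned for a DNSBL query.

    An empty answer list (NXDOMAIN) means "not listed".  Anything outside
    127.0.0.0/8 is never treated as a listing: it usually means the resolver
    rewrote a negative answer, or the wrong zone name was queried."""
    result: Dict[str, object] = {
        "listed": False, "components": [], "errors": [], "unexpected": [],
    }
    table = CODE_TABLES.get(zone, {})
    components = set()
    for raw in answers:
        addr = ipaddress.ip_address(raw)
        if addr not in RETURN_CODE_NET:
            result["unexpected"].append(raw)
        elif addr in ERROR_CODE_NET:
            result["errors"].append(raw)
        else:
            result["listed"] = True
            components.add(table.get(raw, f"unknown code {raw}"))
    result["components"] = sorted(components)
    return result


def lookup(target: str, zone: str) -> List[str]:
    """Live query through the system resolver.  NXDOMAIN (not listed) -> []."""
    try:
        return socket.gethostbyname_ex(query_name(target, zone))[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    # Constructed sample answers, matching the "host" output shown above;
    # no network access is needed for this demonstration.
    zen_answers = ["127.0.0.10", "127.0.0.2", "127.0.0.4"]
    print(query_name("127.0.0.2", ZEN_ZONE), classify(zen_answers, ZEN_ZONE))
    print(query_name("dbltest.com", DBL_ZONE), classify(["127.0.1.2"], DBL_ZONE))
    # A non-loopback answer is reported as unexpected, not as a listing.
    print(classify(["93.184.216.34"], ZEN_ZONE))
```

Replace the constructed answers with `lookup(...)` to query the live zones; an empty list from `lookup` means the IP or domain is not listed.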
DNS resolver

A DNS resolver is server software, and a critical infrastructure asset for loading web pages. It is also called a recursive DNS resolver or DNS recursor.

When a user wants to access a website, the human-readable name must be translated into the machine-friendly numerical form that devices actually use, since every device on the network is addressed by an IP address. Domain Name System (DNS) resolution converts the hostname (e.g., www.example.com) to an IP address - like a telephone book for the internet - so that the requested website can be served.

DNS resolution is a phased approach. The first step is for the user’s device to contact a DNS resolver to provide the associated IP address of the hostname. If the IP is stored in the DNS resolver’s cache, the webpage is served to the user. If not, further communications are made from the DNS resolver to various nameservers to locate the IP and ultimately provide the requested content.

DNSSEC

Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for secure DNS data exchange.

DNSSEC works by adding cryptographic signatures to existing DNS records, which are stored in DNS name servers alongside those records. By checking the signature associated with a record, you can verify that the record data was published by the zone's authoritative name server, as opposed to being a forged record.

Downloader

A downloader is a type of malicious software designed to download and install additional malicious payloads onto an infected computer or device.

Once executed on a target device, the downloader connects to a remote server or command and control (C&C) infrastructure to obtain and deploy further malware, including ransomware, spyware, or other harmful software.

Dropper

A dropper is a malicious program that facilitates the delivery and installation of malware.

Emotet

Emotet is a former e-banking Trojan that targeted e-banking customers globally. In 2018, Emotet ceased its e-banking fraud activities and started to offer infected computers on a “Pay-Per-Install” model. From 2019 onwards, Emotet developed into one of the most dangerous botnets.

E-pending (Email appending)

Email appending, e-pending, or "enriching" is the supplementation of existing email databases by cross-referencing them with information from other databases. The presumed goal is to add email addresses for customers or prospects for whom the sender has other information but not email. E-pending is not an opt-in process.

M3AAWG (formerly MAAWG) has published a very clear statement about e-pending: "The practice of email appending is in direct violation of core MAAWG values." The Spamhaus Project fully agrees with MAAWG's position; we never have and never will support e-pending. Both e-pending services and marketers using e-pending to enlarge their audience risk being listed by Spamhaus.

ESP - Email Service Provider

An ESP (Email Service Provider) is a company that helps customers send email marketing messages by offering an email marketing platform or email tool. Most ESPs will:

  • Allow their customers to build and maintain a list of subscribers.
  • Enable the creation of email campaigns.
  • Send these campaigns to subscribers in bulk.
  • Customise email templates.
  • Provide reporting facilities to measure the results of those campaigns.

The depth and complexity of the offerings vary from ESP to ESP. Examples of ESPs include Constant Contact, Mailchimp, Exact Target, SalesForce Marketing Cloud, Splio, etc.

Flubot

FluBot is a trojan that infects Android devices. It steals user credentials and spreads itself by turning the infected smartphone into an SMS spam zombie.

gTLDs - Generic TLDs

gTLDs - Generic Top-Level Domains are under ICANN jurisdiction. Some TLDs are open, i.e. they can be used by anyone (e.g., .com); some have strict policies regulating who may use them and how (e.g., .bank); and some are closed (e.g., .honda).

Hailstorm Spam

Hailstorm spamming is a variation of snowshoe spamming. The difference between the two techniques is the way IP addresses and domains are used.

In snowshoe the emissions for each IP are limited by spreading the spam load across many IPs and/or domains, and in this way the operators hope to stay "under the radar". In contrast, hailstorm emitters start sending out of the blue (with a complete absence of traffic before the spam campaign) with extremely high intensities, and stop after a few minutes, just when anti-spam systems have recognized the activity and started reacting.

At that point, the same activity reappears on other, often completely unrelated IPs. A similar fast rotation is applied to domains. In some cases, domains are registered seconds before the spam starts - that is, they simply do not exist until the spam starts.

Hailstorm spam operations work with a pipelined provisioning chain, constantly getting new blocks of IPv4 addresses to burn. Since IPv4 address space is running out, they have had to resort to compliant IP brokers and ISPs to sustain these types of operations.

In several cases, large IPv4 ranges have been used illegally through network hijacking (see Hijacking below).

Hashbusters

Hashbusters are sections of random text included in spam, possibly hidden as invisible text using HTML.

The purpose of including hashbusters is to try and defeat Bayesian spam filtering, by making each individual spam email look as different as possible. This practice is prohibited by legitimate ESPs or affiliate marketing programs.

HELO/EHLO (SMTP)

"HELO/EHLO" is a command sent to an SMTP server by which the SMTP client identifies itself and initiates the SMTP conversation. The domain name or IP address of the SMTP client is usually sent as an argument together with the command (e.g. "HELO client.example.com"). If a domain name is used as an argument with the HELO command, it must be a fully qualified domain name (also called an FQDN).

Hijacking (IP Hijacking)

Internet Protocol hijacking (IP hijacking) is a specific form of attack that makes use of stolen IP addresses to move data over the Internet. This attack exploits weaknesses in general IP networking and in the Border Gateway Protocol (BGP), the system used to designate paths for routed data packets.

Hijacked IP addresses can be used for various kinds of targeted activities, including spamming and denial-of-service (DoS) attacks.

Infostealer

An infostealer is a type of malware intended to gather and exfiltrate sensitive information from an infected computer or device. This information can include personal data, login credentials, financial details, and other confidential information.

IOC - Indicator of compromise

An Indicator of Compromise (IOC) is data that evidences a potential security breach or malicious activity within a network, system, or application. Cybersecurity professionals use IOCs to identify and detect threats, enabling them to respond to and mitigate attacks.

IP Address

An IP address (Internet Protocol address) is a unique address that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard. An IPv4 address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.

An IP address can appear to be shared by multiple client devices either because they are part of a shared hosting web server environment or because a proxy server (e.g., an ISP or anonymizer service) acts as an intermediary agent on behalf of its customers.

IP addresses are managed and created by the Internet Assigned Numbers Authority. IANA generally assigns super-blocks to Regional Internet Registries, who in turn allocate smaller blocks to Internet service providers and enterprises.

ISP - Internet Service Provider

An ISP is a company that provides subscribers with access to the Internet. Examples of ISPs include: Comcast, Sky, KPN, Telstra, etc.

Listwashing

"Listwashing" is defined as the removal of spamtraps and bad email addresses from a list that is not confirmed-opt-in, while retaining the other email addresses. This is often used as an attempt to clean up a rented, purchased, or very old mailing list.

Living-Off-The-Land

Living-Off-The-Land commonly abbreviated as LOTL, refers to a threat actor’s aim to conduct as many parts of their illicit activity as possible by leveraging legitimate tools, applications, and resources commonly present in the target’s environment.

For example, rather than using custom tooling after the initial intrusion, a threat actor may live off its freshly claimed “land” by conducting post-infection tasks such as privilege escalation, establishment of persistence, and lateral movement, solely by doing something a legitimate system administrator would do as well, using the same commands and system utilities.

Loader

A loader is a type of malicious software designed to infiltrate devices or systems to deliver and install additional payloads or malware.

Once executed on a target device, a loader typically downloads and deploys further malicious components, such as ransomware, spyware, or other forms of malware.

Malware

Malware is any malicious software intended to remove control of a computer from its legitimate controller. Malware can try to steal and exfiltrate the user's data, or use the system's resources for illicit purposes including spam and DDoS attacks.

Common types of malware include computer viruses, Trojan horses, worms, ransomware, spyware, adware, and scareware, etc. Some appropriate strategies against malware include firewalls, anti-virus software, and real-time filtering.

Spamhaus' Malware Digest, which uses data from abuse.ch's open platforms, provides insights into malware campaigns, distribution sites, samples, indicators of compromise, and YARA rules.

MTA - Mail Transfer Agent

Within the Internet email system, a "mail transfer agent" (MTA) or "message transfer agent" or "mail relay" is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host are also used in some contexts.

MUA - Mail User Agent

A mail user agent (MUA) is a program that allows people to receive and send e-mail messages; it's usually just called an e-mail program, e-mail agent or an e-mail client.

To use an MUA such as Apple Mail, Thunderbird or Microsoft Outlook, the MUA program is installed on a local computer and then used to download and store e-mail messages on that computer; it also allows messages to be written or read while offline.

Web-based MUAs, such as Hotmail, Gmail and Yahoo, store messages on their own mail servers and allow access to them through a Web page.

Network address translation (NAT)

Network address translation is the process of mapping multiple private IP addresses in a local network to a single public IP address before sending data to the internet. By doing so, the actual origin of the network traffic is obscured.

NSP - Network Service Provider

An NSP is a business that provides access to the Internet backbone. While some ISPs also serve as NSPs, in most cases, NSPs provide Internet connectivity to ISPs, which in turn provide Internet access to customers. Examples of an NSP include: Level 3, Zayo, Telia, NTT, Verizon Business, Tata, etc.

NS record

The Nameserver (NS) record indicates which DNS server is authoritative for a domain. In essence, it instructs the internet where to look for a domain's IP address.

Pentest Framework

A pentest framework is a platform cybersecurity professionals use during penetration testing (pentesting) to simulate attacks on systems, networks, or applications. These frameworks help identify vulnerabilities by emulating attackers’ techniques, including deploying and managing exploits, payloads, and other malicious activities.

However, cybercriminals can abuse pentest frameworks to find and exploit weaknesses in systems. For instance, Cobalt Strike, a legitimate commercial penetration testing tool, can be used by attackers to deploy an “agent” on a victim’s machine. It is often used by malicious threat actors to deploy ransomware and other threats.

Phish, Phishing (Identity Theft)

Phishing is defined as "the attempt to steal personal information by presenting a fraudulent copy of a trustworthy identity as bait". This fraudulent copy is intended to trick the victim into revealing their information.

Banks, online payment services, and social media accounts are common targets of phishing. These scams are often distributed via email, as well as other vectors.

Ransomware

Ransomware is a class of malware which restricts access to the computer system that it infects, and demands a ransom be paid to the creator of the malware in order for the restriction to be removed.

  • Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system.
  • All types of ransomware display messages intended to coerce the user into paying a ransom to recover their system and data.

You can find more information in this Wikipedia article.

RATs - Remote Access Trojans

Remote Access Trojans (RATs) are designed to enable attackers to control an infected computer remotely. Once the RAT is operating, the attacker can send commands to the compromised system to receive data in response.

Registrar (Of domain names)

A domain name Registrar provides domain name registrations to the general public. They do not own the domain names; those are provided TO the registrar BY the registries.

Registry (Of domain names)

A domain name Registry is the database of all domain names, and the associated registrant information, in a top-level domain of the Internet's Domain Name System (DNS). It enables third-party entities to request administrative control of a domain name.

Response Policy Zones (RPZs)

A Response Policy Zone is a method that introduces policy to DNS queries performed on a network. The policy zones are, in effect, targeted datafeeds detailing threat information in a binary (listed or not listed) format. This means that if a user queries a domain listed on a botnet command and control (C&C) policy zone, for example, they are protected against the malicious site.

RPZs are applied via recursive DNS servers, and with each “zone” defined by “policy,” users can choose to implement only the protection policies that are relevant to them.

RIR - Regional Internet Registry

A Regional Internet Registry (RIR) is a not-for-profit organization that oversees Internet Protocol (IP) address space (IPv4 and IPv6) and the Autonomous System (AS) numbers within a specific geographical region.

There are five regional RIRs across the globe: ARIN, RIPE, APNIC, LACNIC and AfriNIC. Together, they are known as the Number Resource Organization (NRO).

Secondary DNS server

A secondary DNS server (sometimes also called a slave DNS server) simply replicates the information that is present on the primary (or master) DNS server.

The secondary server typically monitors the serial number in the SOA record, and fetches the new information the moment the serial number increments.

Smart hosts

A smart host is an email server that accepts email from other systems (third parties) and relays it on to the recipients' email servers.

SMTP (Email)

SMTP (Simple Mail Transfer Protocol) is a protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another; the messages can then be retrieved with an e-mail client using either POP or IMAP.

Snowshoe Spam

Snowshoe spamming is a sending technique which evolved in an attempt to avoid email filters.

  • Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming is a technique used to spread spam output across many IPs and domains in order to dilute reputation metrics and evade filters.
  • Domains which act in a manner indistinguishable from snowshoers will unavoidably be treated like snowshoers.

Some of the things snowshoe spammers do:

  • They may use many fictitious business names (DBA - Doing Business As), fake names and identities;
  • They may use frequently changing postal dropboxes and voicemail drops;
  • Snowshoers often use anonymized or unidentifiable Whois records;
  • They use nonsense domains or hostnames in quantity;
  • Some snowshoers use tunneled connections from their back-end mail engine to the outgoing, internet-facing IP. This hides the originating IP.
    • ISPs are in a position to detect those back-end mail engines by checking where traffic flows are coming from. The tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information!

Legitimate senders work hard to build brand reputation based on a genuine business address, a known domain and a small, permanent, well-identified range of sending IPs.

SOA record

The Start of Authority (SOA) record contains information about a domain or zone such as the administrator's email address, a serial number that changes when the zone is updated, and when the server should refresh the zone.

To comply with IETF standards, all DNS zones must have an SOA record.

SPAM®

"SPAM ® Chopped Pork and Ham" is the registered trademark of a famous canned meat product made primarily from ham, made by the Hormel Foods Corporation.

  • It's great in sandwiches, salads, or mac & cheese, with eggs, cheese or pineapples, sliced, diced, baked or fried...
  • The name derives from "SP(iced h)AM";
  • If you have never tasted SPAM, try it today! :-)
  • The product name "SPAM" (always used in upper-case) has no relationship with the internet jargon word "spam", referring to Unsolicited Bulk Email.

SpamAssassin (Email filter)

SpamAssassin is an open source mail filter produced by Apache to identify spam. It is an intelligent email filter which uses a diverse range of tests to identify unsolicited bulk email, more commonly known as spam. These tests are applied to email headers and content to classify email using various statistical methods.

Spamhaus offers a SpamAssassin plug-in free of charge.

Spambot

A spambot is malicious software or an automated program that sends unsolicited and often bulk email messages to a large number of recipients. It is designed to deliver advertisements, phishing scams, or malware.

Spambots usually operate as part of a botnet, where compromised computers or devices are controlled remotely to carry out spam campaigns.

Spam (Email)

Spam is generally understood to be Unsolicited Bulk E-mail (UBE).

  • Unsolicited: the recipient has not granted verifiable permission for the message to be sent.
  • Bulk: the message is sent as part of a larger collection of messages with identical content.

For the full definition, see Spam as defined by Spamhaus.

Spamtrap

Spamtraps are broadly defined as email addresses which have not opted into any email. There are, however, many types of traps.

  • They are used by various reputation systems to highlight senders who add email addresses to their lists without obtaining prior permission.
  • They are also very effective in identifying email marketers with poor permission and list management practices.
  • Spamtraps are never revealed by their owners, for various reasons:
    • They are a component of reputation systems' secret sauce;
    • If the trap is provided, the trap is useless to its owner from that point forward;
    • It often happens, when a trap address is provided to a listed sender, that only the trap address is suppressed and no other work is done to solve the underlying data collection/maintenance issue.

Spamvertizing

Spamvertising is the act of using spam to advertise products, services, or websites. When a site is "spamvertized," it means it is being included as a link in spam emails.

Spamware

Spamware is software designed for sending email in ways that hide the sender, attempt to circumvent spam filters, or which contains features of use only to miscreants.

NOTE: The sale of spamware is illegal in many countries and most U.S. states.

SPF - Sender Policy Framework

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of the email. Sender Policy Framework is defined in RFC 7208, dated April 2014, as a "proposed standard". For more information start with the Wikipedia article about SPF.

TOS - Terms of Service

Terms Of Service (TOS), also known as "Terms Of Use" or "Terms and Conditions", are the legal agreements between a service provider and a person who wants to use that service. They lay out the responsibilities of both parties.

TXT record

The TXT record is a DNS record that allows human-readable 'text' information to be associated with a host or other name in DNS. It is also used as a free-form data storage for the SPF and DKIM protocols, underpinning the authentication of email.

Verification (Companies)

Verification companies - or email verifiers - are desktop tools or online services (both software-as-a-service or plugins) that allow marketers and salespeople to verify a single email address or a whole list of email addresses, with the intention of being sure the contacts exist, work, and are valid.

Some companies also say they can find and remove spam traps. This is a questionable claim, since Spamhaus frequently sees mail in its spamtraps from "verified" opt-out lists!

Waterfalling

Waterfalling is an abusive technique wherein a list owner "waterfalls" the same illicitly obtained address list through a series of (usually) unknowing, innocent ESPs. Each time they clean out bounces, complainants and maybe non-respondents, with the end goal being to send the final result through a good ESP with solid deliverability.

The result of this process is damage to the reputation of each ESP involved, as well as being a violation of ethics, counter to best practices and against Spamhaus policy.

YARA rule

YARA, short for 'Yet Another Recursive Acronym,' is an open-source tool.

Security researchers use this tool to create complex YARA rules to categorize and identify malware samples by creating definitions describing the characteristics or patterns of the malware.

Zombie Computers or IP Ranges

Definition #1 (newer):

A zombie is a computer connected to the Internet that has been compromised by a computer virus or trojan malware and which can then be used to perform malicious tasks under remote direction.

  • Botnets of zombie computers are often used to send spam e-mail and launch distributed-denial-of-service (DDoS) attacks.
  • Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.

This definition is analogous to the zombies in modern zombie movies. They become zombies when infected by some virus or pathogen.

Definition #2 (older):

A zombie is a name Spamhaus gave to ranges of IP addresses that are hijacked by spammers, routed to the spammer's servers and then used to send out spam.

  • These IP addresses were either assigned to long-dead companies, or have been forgotten about by the original assignees over the years.
  • Spamhaus saw these ranges of IP addresses "coming back from the dead."

Hijacking, which continues today, pre-dated the use of infected computers for spam. Its analogy is to the zombies in voodoo-lore. These "zombies" of legend are corpses that are re-animated to do the bidding of their master.