Trend Micro Defends Spamhaus Assessment in Latvian Blacklist Controversy

  Trend Micro confirms Spamhaus' findings about Microlines and Latnet
In the midst of controversy between Spamhaus and Latvia's top-level domain registry over the blacklisting of the latter's IP space, researchers from Trend Micro confirm the anti-spam outfit's findings that led to its decision.

In the midst of controversy between Spamhaus and Latvia's top-level domain registry over the blacklisting of the latter's IP space, researchers from Trend Micro confirm the anti-spam outfit's findings that led to its decision.

NIC.LV, the organization in charge of the .LV domain space, took issue with Spamhaus' practices and overall attitude after the it added its IP address range to the spam block list (SBL) used by numerous ISPs and institutions around the world.

The whole situation, which also led to the University of Latvia's Institute of Mathematics and Computer Science to be cut off from many Internet resources, was ultimately caused by outdated RIPE records listing inaccurate information.

Spamhaus' actual intention was to blacklist the IP space of Latnet Serviss, one of the leading Latvian ISPs, as they were unresponsive to repeated abuse reports about spam and other malicious activity originating from its network.

According to the anti-spam organization, one of the main sources of this bad traffic was Microlines.LV, a cybercrime-friendly ISP for which Latnet is the primary uplink provider.

The story got Paul Ferguson, one of the senior researchers at Trend Micro, curious and with the help of his colleagues he searched through data gathered by the antivirus vendor's own threat monitoring systems.

"What we have seen is a smaller, concentrated block of IP addresses with Microlines.LV entire allocation that has exhibited long-term hosting of Rogue AV, various exploit kits, ZeuS and Gozi Trojans, and an array of other badness.

"And not only that, it appears that the Bad Guys operating out of Eastern Europe are also now also using portions of LATNET’s (the upstream ISP of Microlines.LV) IP address space to host additional malware.

"Our research confirms what Spamhaus has made public in it’s SBL listings — we have seen long-term, large-scale criminal activity associated with Microlines.LV, as well as a hodge-podge of hosts in LATNET itself," Mr. Ferguson writes on the Trend Micro blog.

Even though the ban was lifted for both the affected educational institution and the Latvian domain registry, Spamhaus remains strong on its position that the whole situation was caused by negligence on the part of both Latnet and NIC.LV.

Comments

By    14 Aug 2010, 12:06 GMT