Devious Spamhaus Phishing Scam Warns You’re on an Email Block List

Posted by & filed under Ειδοποιήσεις.

A new phishing campaign distributing malware pretends to be from the Spamhaus Project warning that the recipient’s email address has been added to a spam block list due to sending unsolicited email.

Spamhaus Project is an organization that creates spam block lists that mail servers can utilize to block known spammers from sending emails to recipients in their organization.

Due to this, using Spamhaus as the theme of your phishing scam could alarm email administrators enough to cause them to hastily open the link in the email and thus become infected.

Malware phishing campaign impersonates Spamhaus

In a new phishing campaign discovered by ProofPoint researcher Matthew Mesa, malware distributors are sending emails that pretend to be from the Spamhaus Project.

These email states that the recipient must “Urgently Take Action” because their email address has been added to the Spamhaus Block List (SBL) and will be blacklisted on mail servers unless they follow the instructions found at a listed URL.

The full text  of this phishing email can be read below:

SBL Reminder: Email: Your email address moved to Spamhaus Blacklist (SBL)

SBL# - The Spamhaus Project - SBL International Anti-Spam Systems

Good afternoon,

It is an automated letter from the original Spamhaus Block List (SBL) instance to notify you that this Email slightly below has been included in
Issue: phishing spam supplier

Our software have discovered redirecting of a variety of spam letters off of your own email address. Consequently, we have been forced to blacklist your email.


In case you pay no attention to this information, we could suppose that this email address doesn't belong to you and it's used for trash mailings. This just means, that we will be forced to include your e-mail address to our stop list.
Which means that recipients will be unable to receive emails out of this address ; your email will be suspended forever.

SBL System Robot
The Spamhaus Project

In the email will be a Google Drive link and a password for a file that is allegedly the instructions needed to remove the email address from the Spamhaus Block List.

Clicking on this link will download a password protected file named that contains an obfuscated Visual Basic Script (VBS) file SPAMHAUS_SBL_i9k.vbs.

When executing the VBS file, it will create a randomly named text file in the %Temp% folder, which Mesa states are Ursnif malware executables, which is then launched by the script.

Ursnif is a data-stealing Trojan that records what a victim types on a computer, what sites they browse to, what is copied into the Windows clipboard, and what programs they run. This information is then saved in log files and sent back to the attacker’s web site.

Using this information, attackers can steal your data, gather login credentials, and further compromise a victim’s accounts or even their network.

Avoiding phishing threats

As more users become aware of the common invoice, shipping notices, and financial reports phishing scams, attackers need to come up with unique phishing themes to convince a recipient to open an attached document or click on an enclosed link.

By using scare tactics, such as adding an email address to a spam block list, the attackers hope that the recipient will make a rushed decision and overlook clues like the document being a VBS file and open it.

As login credentials are always a prime target for these types of attacks, it is highly recommended that users add two-factor authentication to their logins if available as this will make it harder for attackers to log into exposed accounts.

When receiving emails, no matter who they are from, always be sure to scan any attachments or files being distributed before opening them.

It is also advised that you contact your network or email administrator about strange emails so that they can be warned and aware of these attacks.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.