I've seen this IP range you are talking about in Cerber/ransomware
variants doing scans on 6892/udp.

On 10/13/2016 02:37 PM, Benoit Panizzon wrote:
> Hi Stefan
> 
>> The question is what's behind those domains? I didn't have the time to
>> analyze it, yet.
> 
> I had a bit of a deeper look into it.
> 
> The emails themselves come from various IP addresses. It's obviously a
> botnet.
> 
> Almost all those xyz domains resolve to an IP within a /24 from AS41122.
> 
> So I suppose this is a rogue hoster, as a quick search with Google had
> quite some hits.
> 
> AS41122 has just two upstream peers. So maybe if some more drop them a
> hint, they could issue a severe warning, or even de-peer AS41122.
> 
> -Benoît Panizzon-
> 
> 
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
> 
