I can confirm that this is cutwail. I'm showing 100% agreement in spot
checking of your list of IPs.
This particular cutwail variant, unlike the others, has been percolating
at low volumes for a long time. The other more sophisticated versions
have all pretty much gone away.
It is particularly bizarre that it infests one ISP like this. I'm
wondering if someone managed to force the infection to do IP
reallocations frequently to IP-hop. Cutwail normally has thousands of
infected IPs per campaign spread across ISPs.
The other possibility is that someone stole the SMTP emission part and
reused it in something less bot-like.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop