Hi all,

There hasn't been an update from the team in a while so it seems due time for a small update of what we've been seeing lately from a spam auditors perspective.


* Digital Ocean

While it isn't unusual to see bad activity from this network, and many of you might already be blocking most of Digital Ocean, it is interesting to see what types of obvious threat patterns are occurring. One would hope even their team would be looking at such things like really fake naming patterns, the obvious phishing attacks, and not just the common spam. For the last few weeks we've been seeing this and it has only continued to increase.

161.35.13.11                      1 bizcloud-server.sainsburys.com
165.22.85.222                     1 bizcloud-power.mcut.edu.tw
139.59.156.24                     1 bizcloud-server.t-online.de

147.182.130.170                   4 bizcloud-server.listreamum.com
134.122.93.206                    1 bizcloud-ghgjjgfhjjgdhost.com
207.154.210.163                   2 bizcloud-power.civicone


* Cloud Spammers (Azure)

Many of the main Cloud providers, including Google/Amazon/Azure/UCloud and others to name a few, keep getting worse and worse. The combination of accessibility and the lax attention to outbound threats from these operators only encourages their space to be used by the bad guys.

We want to call out Azure this week for allowing this obvious actor on their IP space. It's hard to believe this hasn't been noticed by the Azure team. A quick note is that the naming pattern does change, but we are mentioning it as these are not legit mailings.


52.183.68.21                      1 envio3.formaunica06.online
70.37.70.254                      1 envio9.consultfatura09.online
104.45.217.137                    2 envio6.diaidealfatura07.online



* Sextortion is still alive (and volume rising again)

Surprising to see sextortion spam still alive with how low their success rate is. A few new templates, easy to stop but your filtering rules may need to be adjusted to catch these newer ones.


* This week's biggest pain


Google Groups spam is back. Is the talk about blocking more Gmail gaining any momentum? When does it get bad enough that 'too big to block' no longer applies? These patterns are so easy to spot; this is mostly just a volume issue, but it won't be long until we see these methods abused by some of the worst actors. Lately, it has been leaning towards some more dangerous waters like catfishing.


If anyone needs samples, please reach out, but we're sure we aren't the only ones seeing this.

Hope everyone isn't melting like we are out on the West Coast.

A quick P.S.: we strongly recommend that you stop allowing authentication from cloud providers by default unless an IP actually has to authenticate. We're seeing it getting bad out there, and when one of your accounts gets compromised, they'll hit others on your system. These guys are keeping the volumes low enough that even rate limiters won't stop them.

Cheers,
- Chelsea

--
"Pondering the Mind of a Threat Actor.."

--------------------------------------------
Chelsea Crocker, Threat Mitigation Specialist - LinuxMagic Inc.
For More Info: https://www.linuxmagic.com
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
For More Info: https://www.wizard.ca
604-682-0300 Beautiful British Columbia, Canada
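One way to put the P.S. into practice, as an added example that is not code from Chelsea's post or from LinuxMagic: SMTP AUTH is denied by default from cloud-provider ranges unless the source IP is explicitly allowlisted, and successful logins are then grouped per source so a cloud IP that quietly authenticates as several different accounts (low enough volume per account to slip under a rate limiter) is surfaced. The prefixes, allowlist entry and log format are constructed placeholders, not any real provider's ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder prefixes standing in for cloud-provider ranges
# that should not be allowed to authenticate by default.
CLOUD_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Explicit exceptions: cloud-hosted hosts that genuinely must authenticate
# (e.g. an application server relaying through your MTA). Placeholder value.
AUTH_ALLOWLIST = {ipaddress.ip_address("203.0.113.50")}


def auth_allowed(ip_str):
    """Default-deny SMTP AUTH from cloud ranges unless explicitly allowlisted."""
    ip = ipaddress.ip_address(ip_str)
    if ip in AUTH_ALLOWLIST:
        return True
    return not any(ip in net for net in CLOUD_PREFIXES)


# Constructed sample of successful/failed AUTH events in a simplified
# "source_ip account result" format (one event per line).
SAMPLE_LOG = """\
203.0.113.7 alice ok
203.0.113.7 bob ok
203.0.113.7 carol ok
198.51.100.9 dave ok
192.0.2.10 alice ok
203.0.113.50 relay ok
192.0.2.10 bob fail
"""


def accounts_per_ip(log_text):
    """Map each source IP to the set of accounts it successfully logged in as."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ip, user, result = line.split()
        if result == "ok":
            seen[ip].add(user)
    return seen


def suspicious_sources(log_text, min_accounts=2):
    """Cloud IPs (not allowlisted) that authenticated as several distinct accounts,
    the 'one compromise, then hit the others' pattern, even at low per-account volume."""
    return sorted(ip for ip, users in accounts_per_ip(log_text).items()
                  if len(users) >= min_accounts and not auth_allowed(ip))
```

The same per-IP grouping works on real MTA auth logs once the parser is adapted to their format; the threshold is deliberately low because the attacker keeps each account's volume small.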


_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop