Thank you for your always interesting update.

I'd like to add one campaign that is originating from Hotmail.com
addresses, one server is
mail-ps2kor01olkn0162.outbound.protection.outlook.com
([104.47.109.162] helo=KOR01-PS2-obe.outbound.protection.outlook.com)
with titles always changing so that they never repeat...
I receive tons of them and they are the only ones that from time to
time are not filtered and land in the inboxes.

Can't understand how Hotmail is not taking action, now that its IP
addresses are starting to appear in RBL...

On 6/30/21, Chelsea Crocker via mailop <[email protected]> wrote:
> Hi all,
>
> There hasn't been an update from the team in a while so it seems due
> time for a small update of what we've been seeing lately from a spam
> auditors perspective.
>
>
> * Digital Ocean
>
> While it isn't unusual to see bad activity from this network, and many of
> you might already be blocking most of Digital Ocean, it is interesting
> to see what types of obvious threat patterns are occurring. One would
> hope even their team would be looking at such things like really fake
> naming patterns, the obvious phishing attacks, and not just the
> common spam. For the last few weeks we've been seeing this and it has
> only continued to increase.
>
> 161.35.13.11                      1 bizcloud-server.sainsburys.com
> 165.22.85.222                     1 bizcloud-power.mcut.edu.tw
> 139.59.156.24                     1 bizcloud-server.t-online.de
>
> 147.182.130.170                   4 bizcloud-server.listreamum.com
> 134.122.93.206                    1 bizcloud-ghgjjgfhjjgdhost.com
> 207.154.210.163                   2 bizcloud-power.civicone
>
>
> * Cloud Spammers (Azure)
>
> Many of the main Cloud providers, including Google/Amazon/Azure/UCloud
> and others to name a few, keep getting worse and worse. The combination
> of accessibility and the lax attention to outbound threats from these
> operators only encourages their space to be used by the bad guys.
>
> We want to call out Azure this week for allowing this obvious actor on
> their IP space. It's hard to believe this hasn't been noticed by the
> Azure team. A quick note is that the naming pattern does change but we
> are mentioning it as these are not legit mailings.
>
>
> 52.183.68.21                      1 envio3.formaunica06.online
> 70.37.70.254                      1 envio9.consultfatura09.online
> 104.45.217.137                    2 envio6.diaidealfatura07.online
>
>
>
> * Sextortion is still alive (and volume rising again)
>
> Surprising to see sextortion spam still alive with how low their success
> rate is. A few new templates, easy to stop but your filtering rules may
> need to be adjusted to catch these newer ones.
>
>
> * This week's biggest pain
>
>
> Google Groups spam is back, is the talk about blocking more gmail
> gaining any momentum?
> When does it get bad enough that 'too big to block' no longer applies?
> These patterns are so easy to spot, this is mostly just a volume issue
> but it won't be long until we see these methods abused by some of the
> worst actors. Lately, it has been leaning towards some more
> dangerous waters like catfishing.
>
>
> If anyone needs samples, please reach out, but we're sure we aren't the
> only ones seeing this.
>
> Hope everyone isn't melting like we are out on the West Coast.
>
> A quick P.S., strongly recommend that you stop allowing authentication
> from cloud providers by default unless an IP actually has to
> authenticate. We're seeing it getting bad out there and when one of your
> accounts gets compromised, they'll hit others on your system. These guys
> are keeping the volumes low enough that even rate limiters won't stop them.
>
> Cheers,
> - Chelsea
>
> --
> "Pondering the Mind of a Threat Actor.."
>
> --------------------------------------------
> Chelsea Crocker, Threat Mitigation Specialist - LinuxMagic Inc.
> For More Info https://www.linuxmagic.com
> "LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> For More Info https://www.wizard.ca
> 604-682-0300 Beautiful British Columbia, Canada
>
> --------------------------------------------
>
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop
>
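Two of the observations above lend themselves to a simple log check: the rDNS naming patterns on the Digital Ocean and Azure hosts, and the P.S. about not accepting SMTP AUTH from cloud provider address space. The script below is an added example, not code from the post or from LinuxMagic. It assumes Postfix-style smtpd log lines (the sample lines are constructed; the hostnames and IPs in the first two are the ones listed in the post), and it uses RFC 5737 documentation ranges as stand-ins for real cloud provider prefixes, which a deployment would load from the providers' published lists instead. The regexes are my own rendering of the naming patterns described.

```python
"""Flag the two abuse patterns discussed in the thread in mail-server logs.

Added example. Log lines are constructed to resemble Postfix smtpd output;
cloud networks are RFC 5737 documentation ranges, not real provider allocations.
"""
import ipaddress
import re
from typing import Iterable, List, NamedTuple

# Hostname shapes called out in the post: Digital Ocean "bizcloud-*" names
# that borrow unrelated organisations' domains, and Azure "envioN.<...>.online".
SUSPECT_NAME_PATTERNS = (
    re.compile(r"^bizcloud-[a-z0-9]+\."),           # bizcloud-server.sainsburys.com
    re.compile(r"^envio\d+\.[a-z0-9-]+\.online$"),  # envio3.formaunica06.online
)

# Placeholder "cloud provider" ranges (RFC 5737); swap in published prefix lists.
CLOUD_NETS = (
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
)

# "connect from host[ip]" as logged at connection time.
CONNECT_RE = re.compile(r"connect from (?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]")
# "client=host[ip], sasl_method=..., sasl_username=user" as logged for AUTH sessions.
AUTH_RE = re.compile(
    r"client=(?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\].*?sasl_username=(?P<user>\S+)"
)


class Finding(NamedTuple):
    kind: str    # "suspect-name" or "cloud-auth"
    ip: str
    host: str
    detail: str


def suspicious_name(host: str) -> bool:
    """True when the rDNS/HELO name matches one of the called-out patterns."""
    return any(p.search(host.lower()) for p in SUSPECT_NAME_PATTERNS)


def from_cloud(ip: str) -> bool:
    """True when the client IP falls inside one of the tracked cloud ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_NETS)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Walk log lines and return findings for both patterns.

    A cloud-sourced SASL login is reported on the first occurrence, regardless
    of volume: the post's point is that these actors stay under rate limits,
    so the source network rather than the rate is the useful signal.
    """
    findings: List[Finding] = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m and suspicious_name(m["host"]):
            findings.append(Finding("suspect-name", m["ip"], m["host"],
                                    "rDNS matches abuse naming pattern"))
            continue
        m = AUTH_RE.search(line)
        if m and from_cloud(m["ip"]):
            findings.append(Finding("cloud-auth", m["ip"], m["host"],
                                    f"SASL login for {m['user']} from cloud range"))
    return findings


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    "Jun 30 10:01:02 mx postfix/smtpd[1234]: connect from bizcloud-server.sainsburys.com[161.35.13.11]",
    "Jun 30 10:01:05 mx postfix/smtpd[1234]: connect from envio3.formaunica06.online[52.183.68.21]",
    "Jun 30 10:01:09 mx postfix/smtpd[1234]: connect from mail.example.net[192.0.2.10]",
    "Jun 30 10:02:11 mx postfix/smtpd[1240]: 7F3A1B: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice",
    "Jun 30 10:02:30 mx postfix/smtpd[1241]: 8C2D4E: client=laptop.example.net[192.0.2.77], sasl_method=LOGIN, sasl_username=bob",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.kind:13} {f.ip:16} {f.host:36} {f.detail}")
```

Running it against the sample flags the two rDNS names from the post and the login from the placeholder cloud range, while the ordinary mail.example.net connection and the login from the office laptop pass. The cloud-auth check is deliberately volume-independent; a production version would feed it a denylist or a per-user allowlist of networks that genuinely need to authenticate.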
