Not enough time in the day anymore..
Haven't posted one of these in a little while, so a rare midweek post.
Patterns we are seeing this week:
* High Gmail spam leakage numbers (couple new techniques)
* SendGrid very bad still, eg Canada Post phishing et al
  - MailGun? "My name is Alexei Navalny from Russia"
  - MailChimp, lots of stripped email addresses
* Router BotNet Auth Attacks on increase again
* High number of Amazon AWS IP(s) in spam and other attacks
* High number of GoogleContent IP(s) in spam attacks
* Digital Ocean IPs still trying (cloudwayapps.com)
* Large reduction in Brazilian router attacks (stopped or takedown?)
* Snowshoe spammers finding new IP space
* Register.it and Aruba.it, still can't get it together, high compromised
  account spammers
Now, again of course, all this can be prevented, but it is still surprising
how little is being done at the source. Most of it is really obvious,
and so easy to detect at the sending side.
And of course, the compromised accounts we see worldwide could really
benefit from simple little things: authentication checks should be
improved, and of course not allowing authentication from known hack
bots, if you aren't checking safe RBLs which list attack sources (eg
SpamRats RATS-AUTH) or do-not-route lists such as RATS-NULL (there are
others that are freely available, I think SpamHaus also has an
authentication RBL).
They're free to use, why not use them.. Multiple ways to do lookups.
Oh, and while this might make the 'privacy' advocates shudder, if you DO
present the authenticating IP(s) in your headers, those companies in the
threat detection and mitigation space can find new attackers in play.
Share the IP(s) authenticating; in today's world of NAT and shared IP(s)
there is very little risk of exposing 'new' PII, and it quickly helps
keep everyone from being the next victim of known offenders.
Authentication-Results: h2847185.stratoserver.net;
        spf=pass (sender IP is 193.56.29.194)
Received: from asianlife.com.np
        (ec2-3-38-252-15.ap-northeast-2.compute.amazonaws.com [3.38.252.15])
        by mail1.asianlife.com.np (Postfix) with ESMTPSA
At least have good trace headers..
But better yet, the user@ip format enables threat mitigation specialists
to notify you when you have compromised accounts sending spam, with more
precise details to address the problem.
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop
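Added example (not from the post above or from any SpamRats/LinuxMagic code): the two checks the message argues for, in Python. It pulls the authenticating client IP out of a Postfix-style `Received ... with ESMTPSA` trace header (the one quoted in the post is used as sample input), builds the reversed-IP DNSBL query name, and decides whether to allow SMTP AUTH from that IP based on a 127.0.0.x answer. The zone name `auth.rbl.example` is a placeholder; substitute the RATS-AUTH zone from the SpamRats documentation. `demo_resolve` is a constructed stand-in resolver so the block runs offline; `dns_a_lookup` is the real one.

```python
import ipaddress
import re
import socket
from typing import Callable, Optional

# Received line quoted in the post, joined onto one line as sample input.
SAMPLE_RECEIVED = (
    "Received: from asianlife.com.np "
    "(ec2-3-38-252-15.ap-northeast-2.compute.amazonaws.com [3.38.252.15]) "
    "by mail1.asianlife.com.np (Postfix) with ESMTPSA"
)

# Bracketed client address as Postfix writes it, with optional IPv6: tag.
_CLIENT_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

def extract_auth_ip(received: str) -> Optional[str]:
    """Client IP from a Received line, only if the hop was authenticated
    (ESMTPA/ESMTPSA). Plain relay hops (ESMTP/ESMTPS) return None."""
    if not re.search(r"\bwith\s+E?SMTPS?A\b", received):
        return None
    m = _CLIENT_IP.search(received)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None

def rbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookup name: address reversed (octets for v4, nibbles for v6)
    under the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(ip.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"

def dns_a_lookup(name: str) -> list:
    """Real resolver: A records for name, or [] when it is not listed."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []

# Constructed listing (placeholder zone) so the check can run offline.
_DEMO_LISTED = {"15.252.38.3.auth.rbl.example": ["127.0.0.43"]}

def demo_resolve(name: str) -> list:
    return _DEMO_LISTED.get(name, [])

def auth_allowed(ip: str, zone: str,
                 resolve: Callable[[str], list] = dns_a_lookup) -> bool:
    """Allow SMTP AUTH from ip unless the zone answers 127.0.0.x for it."""
    return not any(a.startswith("127.") for a in resolve(rbl_query_name(ip, zone)))
```

Wire `auth_allowed` into the pre-AUTH policy hook of the MTA, and log the `rbl_query_name` result alongside the `user@ip` pair so the refusal is traceable.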