RamNode is another network to be on the lookout for. Formerly a great
operation when run by Nick, but they sold to InMotion Hosting who seems
to be letting anything go. Even emailing ARIN abuse emails results in
replies I'll paraphrase as "There's an undocumented hurdle you need to
jump through to send abuse complaints, so we can't accept this." RamNode
has a self service cloud, and spammers have seemingly discovered it now.
They're creating servers, blasting out spam, deleting them, and
repeating. If you want to see a good sample, grep your logs for
"peelregion.ca" and that'll just be one of the trends:
root@gw:~# darun grep peelregion.ca /var/log/exim/mainlog | wc -l
longhorn.mxrouting.net: 40
tuesday.mxrouting.net: 312
monday.mxrouting.net: 252
wednesday.mxrouting.net: 0
moose.mxrouting.net: 370
eagle.mxlogin.com: 1292
pixel.mxrouting.net: 64
blizzard.mxrouting.net: 202
safari.mxrouting.net: 96
shadow.mxrouting.net: 400
taylor.mxrouting.net: 70
echo.mxrouting.net: 296
lucy.mxrouting.net: 330
arrow.mxrouting.net: 460
sunfire.mxrouting.net: 508
london.mxroute.com: 292
On 2022-08-24 12:35, Michael Peddemors via mailop wrote:
Been a while since I posted one of these, so it might be lengthy..
First of all, Gmail and o365 seem to just be mailing in their attempts
at stopping outbound spam.. Volumes steadily increasing, and such
obvious bad spam, phishing, Nigerian scams et al..
But..
Return-Path: <[email protected]>
Received: from mail-tyzapc01rlhn2179.outbound.protection.outlook.com
(HELO APC01-TYZ-obe.outbound.protection.outlook.com) (40.95.110.179)
I mean really.. even the smallest ISPs make sure that they aren't
allowing a MAIL FROM to be from a domain they don't service..
Gmail 'undisclosed recipients' remains the highest volume from them..
While there possibly can be a case where an email client doesn't put
in a recipient, eg all addresses are bcc'ed, this is a big indicator
of spammy content.
This week, another operator started up with throwaway domains, spread
out over various hosting companies.. We have seen him before, every
couple weeks..
This week's batch coming from:
RackNerd
GB Network Solutions Sdn. Bhd.
ZenLayer
Corporate Colocation Inc. (CORPO-6)
Netinternet Bilisim Teknolojileri AS
GOhost.KZ
ServerHub
LogicWeb
Krypt/VLSI
VELIANET
Contabo Inc. (CONTA-48)
LayerHost
A different well known actor, more IPXO and routed networks with wide
IP ranges all spamming.. throwaway domains.. Any traffic from IPXO or
IPXO routed/maintained should be treated as suspect.
(Examples for the above available off list by request)
Continued problems with ESPs, SendGrid, MailGun et al, either bad
customers with harvested email addresses, or compromised accounts.
Brazilian BotNet traffic is back active, Brazilian ISPs remain among
the world's worst sources.. mostly hacked routers, and Windows
compromises.
Mirai and its family of Malware continue unabated.
OVH, ColoCrossing, Azure, Google Cloud, Tencent, and AWS hacker
traffic, trying to compromise email accounts continues unabated.
Serverion attackers are getting more aggressive, I don't think they
even care about detection, there are so many easy targets out there.
Contabo networks getting worse again..
Salesforce, you have someone sending obfuscated attachments pretty
regularly for the past few weeks.
More spam coming from compromised accounts through legitimate email
servers.. legacy outbound spam protections don't appear to be doing
well, see it out of many of the well-known cloud filtering companies.
The Chinese networks appear to have some targeted hackers using
dynamic IP range naming conventions, but attacks appear clustered and
unrelated to typical bot traffic. More research is ongoing.
Hetzner is pretty big, but seeing an increase again, mostly from
server compromises, default PTR naming conventions, so easy to stop.
Someone (SendGrid) tell Intuit to clean up their database, or remove
invalid email addresses properly.. Unless they have been compromised
too? <wink>
Starting to see more Apple Cloud email compromise/spam starting to
appear, but have to say that Yahoo has seen improving numbers.. But
there are some actors pulling a newer technique of creating similar
named Yahoo accounts, and then forwarding compromised accounts to
those mailboxes.. Not sure if meant for exfil, or just so the customer
doesn't know they are compromised..
Email phishing faking the email provider's login sites, has now
overtaken traditional phishing via DHL lures. Thing is, these threat
actors know how long a take down request for a web page takes.. if
ever.
And coreserver.jp is getting really bad for the past couple of months,
for sending phishing..
And Russian spammers are burning through Russian IPs at an incredible
pace.. maybe trying to utilize it to the max, before one government or
the other chooses to block international traffic?
And, of course Digital Ocean is still an ongoing problem..
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
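The per-host "grep the mainlog for one domain" check at the top of the thread works once you already know which throwaway domain to look for. The script below is an added example, not code from either poster: it tallies envelope-sender domains from Exim mainlog "<=" (message accepted) lines so a burst from a domain you have not yet heard of stands out, and it keeps a plain grep count beside it for comparison. It runs on a single host (the thread's darun fan-out across servers is not reproduced), assumes the default Exim mainlog line layout, and the log lines, hostnames, IPs and the function names top_sender_domains and count_domain are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailop thread. Tally envelope-sender domains
# from Exim mainlog "<=" lines to spot a spike from one throwaway domain.
#
# Assumed default Exim mainlog layout for an accepted message:
#   <date> <time> <msgid> <= sender@domain H=host [ip] P=proto S=size id=...
# Bounces log the sender as "<>"; rejections are logged without a msgid
# and without "<=", so they are counted by grep but not by the parser.

# Constructed sample log: 3 accepted from peelregion.ca (one mixed case),
# 1 from example.com, 1 bounce, 1 local delivery line, 1 rejected RCPT.
SAMPLE_LOG="${TMPDIR:-/tmp}/exim-sample-mainlog.$$"
cat > "$SAMPLE_LOG" <<'EOF'
2022-08-24 12:01:03 1oQa1b-0001Ab-Cd <= bounce@peelregion.ca H=srv1.example.net [198.51.100.10] P=esmtps S=4120 id=1@srv1.example.net
2022-08-24 12:01:05 1oQa1b-0001Ab-Cd => alice <alice@example.org> R=local_user T=local_delivery
2022-08-24 12:01:40 1oQa1c-0001Ac-Ef <= Notify@PeelRegion.ca H=srv2.example.net [198.51.100.11] P=esmtps S=3980 id=2@srv2.example.net
2022-08-24 12:02:10 1oQa1d-0001Ad-Gh <= <> R=1oQa1b-0001Ab-Cd U=Debian-exim P=local S=2211
2022-08-24 12:02:33 1oQa1e-0001Ae-Ij <= newsletter@example.com H=mta.example.com [192.0.2.25] P=esmtps S=15800 id=3@mta.example.com
2022-08-24 12:03:00 H=(mail.bad.example) [203.0.113.5] F=<spam@peelregion.ca> rejected RCPT <bob@example.org>: relay not permitted
2022-08-24 12:03:21 1oQa1f-0001Af-Kl <= alerts@peelregion.ca H=srv3.example.net [198.51.100.12] P=esmtps S=4077 id=4@srv3.example.net
EOF

# Print "count domain" for every envelope-sender domain on accepted
# messages, most frequent first. Bounces ("<>") are skipped. An optional
# second argument drops domains seen fewer than that many times.
top_sender_domains() {
    awk -v min="${2:-1}" '
        $4 == "<=" && $5 != "<>" {
            n = split($5, parts, "@")
            count[tolower(parts[n])]++
        }
        END {
            for (d in count)
                if (count[d] >= min) printf "%d %s\n", count[d], d
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# The thread's check: how many mainlog lines mention the domain at all.
# Case-insensitive, and "|| :" keeps a zero count from failing under set -e.
count_domain() {
    grep -i -c -F -- "$2" "$1" || :
}

# Stand-alone run: grep count for the thread's domain, then the tally.
printf 'lines mentioning peelregion.ca: %s\n' "$(count_domain "$SAMPLE_LOG" peelregion.ca)"
top_sender_domains "$SAMPLE_LOG"
```

On the constructed sample the grep count is 4 (three accepted messages plus the rejected RCPT line) while the tally reports 3 for peelregion.ca, which is the difference between "how often does this string appear" and "how many messages from this sender domain did we actually accept"; the second number is the one to watch when deciding whether a new domain deserves a block.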