That subdomain style, I've been eyeballing that trend for a while. This guy got super mad at me for identifying that trend on a network that hadn't yet started sending spam: https://forum.directadmin.com/threads/rbl_dns_list-suggestion.64780/post-350740

But you see the trend here: https://bgp.he.net/net/5.183.96.0/22#_dns

Ex:

5.183.97.2      pwit.castlerockcompany.org.uk
5.183.97.3      ctran.expeditiondevelopment.org.uk
5.183.97.4      fscanf.acadiainternational.org.uk
5.183.97.5      souvi.acadiainternational.org.uk
5.183.97.6      ahmal.acadiainternational.org.uk

And you see at one of the web pages, this same page gets around a lot on domains that look like those: http://castlerockcompany.org.uk

I wonder if this is a bunch of different actors sharing tools and methods, or if it's a single string running through a metric fuck ton of networks.

On 2022-08-30 14:16, Michael Peddemors via mailop wrote:
Normally, we could simply post this on a blog, but the traffic is
significant enough that other mail operators might be interested..

Last couple of days a LOT of new IP Address abuse from the same actors
using throwaway domains, on the typical suspect hosting providers, but
the sheer volume should be noticeable.

Of course, this actor is pretty spammy in nature, and decent filtering
should be catching it anyways, but it is worth noting his methods
given the sheer volume.

Sampling of Activity (Sorry for the long scroll)


All the expected sources..

Nexeon
LayerHost
Krypt
MultaCom
H4Y-TECHNOLOGIES-LLC
RadHost/SpryServer
WholeSale Internet
Virtual Systems LLC
Hydra Communications Ltd/Bandwidth Technologies Ltd
Fiberserver-internet-Teknolijileri
Bursabil Bilisim Teknoloji LTD.
DATATELEKOM
Virtono Networks SRL
Aruba/Technorail
LeaseWeb
EHOSTICT
Utopian Technology, LLC (via Cogent)
FPT Telecom
HOSTING EN LA WEB S.A.S.
NFORCE_ENTERTAINMENT
Hurricane Electric
QuadraNet
AktasWeb internet Hizmetleri-IZMIR
Data Space Sp. z o.o.

(If you wonder about why networks gain bad reputations, most of the
names above are well known to anyone in the threat detection space)

Taking a look at some of the spam does reveal interesting information..

MAIL FROM Style: <el3c0odk...@znane.reticularia.com>
No Trace Headers
DKIM/Domain-Key Signatures (of course, spammers all do that now)
   d=static-ip-69-64-61-29.inaddr.ip-pool.com;
From: " iPhone 14 Pro Max "
<nabmdiib1uztba6qc62w4gxuzaekdd9rda4hjcjbw8uy9re...@static-ip-69-64-61-29.inaddr.ip-pool.com>
Subject: - An iPhone 14 Pro Max For You -

Typical Snowshoe spamming, old techniques.. Affiliate marketing? Or
malware distribution..

URL Links using dynserv.org.. 302's to known risky hosers, eg..

XonServers/Serverius/MNT-PINSUPPORT

Hosts a single script which uses.. https://www.blank.com/?a=47286

Which ultimately reaches.. wait for it.. boxmode.io again..

However, looking at the headers, and while they 'could' be forged, or
the person's server could be 'hacked', it is an indicator that this
may be a 'proxy' mail attack, and if they were sloppy, from a GoDaddy
server.

host static-ip-69-64-61-29.inaddr.ip-pool.com

(Good that GoDaddy does put up 'rwhois'.. it's the right thing to do)

69.64.61.29, OrgAbuseEmail:  i...@fsend4.com

(I'll let you play with that; GoDaddy could confirm traffic behaviors)

You can play with the actual sites located at those IPs..

Simple way to see that they are all related.. (Submit your
Application, port 25/53/80/443)

This has all the hallmarks of setting up SMTP proxies..

..........

In other news.. Any comments about these guys on AWS?


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
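Both messages above describe the same fingerprint: blocks of adjacent IPs whose rDNS names are short random-looking labels under one throwaway parent domain. The following Python is an added example (not code from either poster) that flags that pattern in a list of "ip hostname" records; the sample input is constructed with reserved documentation addresses and invented domains, and the eTLD+1 handling is deliberately crude (only org.uk and co.uk are special-cased).

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the "ip  rDNS" shape quoted in the thread (all values invented).
SAMPLE_RDNS = """\
198.51.100.18   nortugust.example
198.51.100.19   mpbse.nortugust.example
198.51.100.20   donez.nortugust.example
198.51.100.21   domes.nortugust.example
198.51.100.22   dwds.nortugust.example
203.0.113.10    mail.corp.example
203.0.113.11    www.corp.example
203.0.113.12    mx2.corp.example
192.0.2.5       souvi.acadia.example
"""

TWO_LEVEL_SUFFIXES = {"org.uk", "co.uk"}  # crude eTLD+1 handling for names like x.y.org.uk
SERVICE_LABELS = {"mail", "mx", "smtp", "www", "ns", "ftp", "api", "webmail"}

def parent_domain(host):
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def looks_random(label):
    """Short, vowel-poor, non-service labels (mpbse, dwds, fneb) are the thread's tell."""
    if label.rstrip("0123456789") in SERVICE_LABELS:
        return False
    vowels = sum(c in "aeiou" for c in label)
    return 0 < len(label) <= 7 and vowels <= len(label) // 2

def find_snowshoe_clusters(text, min_hosts=3):
    """Group rDNS records by (/24, parent domain); flag groups where several hosts,
    usually on adjacent IPs, carry distinct random-looking subdomains of one parent."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ip, host = line.split()[:2]
            net = ipaddress.ip_network(ip + "/24", strict=False)
            groups[(net, parent_domain(host))].append((ipaddress.ip_address(ip), host.lower()))
    findings = []
    for (net, parent), members in groups.items():
        labels = {h.split(".")[0] for _, h in members if h != parent}  # skip the bare apex
        if len(members) >= min_hosts and sum(map(looks_random, labels)) >= min_hosts - 1:
            ips = sorted(ip for ip, _ in members)
            contiguous = int(ips[-1]) - int(ips[0]) == len(ips) - 1
            findings.append({"network": str(net), "parent": parent, "contiguous": contiguous,
                             "ips": [str(i) for i in ips]})
    return findings
```

Feed it the rDNS of a /24 you are evaluating and it returns the parent domains that look like a snowshoe block; ordinary mail/web hosts under a real company domain are not flagged because their labels are service names.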