We have been noticing all week very high traffic volumes coming from
Cisco's infrastructures.. IronPort cloud filtering..
(Wonder if it has been since we restricted RBL lookups from their open
DNS resolvers ;) hehehe.. no, it is probably just a coincidence)
Finally got one of the phishing ones in my personal email account, so I
can share a little more.
For the record, allowing 'phishing' to leak from your infrastructure is
a sure way to end up on RBLs.. we have to do a better job on that, but
as it appears this has been ongoing for a couple of weeks, suggest that
it be investigated more..
Looks like the abuse might be coming from Azure IP space.
Last night's reports of very high traffic to invalid email addresses came
from the following:
68.232.139.178 20 esa3.aegis.c3s2.iphmx.com
68.232.139.184 18 esa4.aegis.c3s2.iphmx.com
68.232.149.174 1 esa.kindermorgan.iphmx.com
68.232.150.62 18 esa1.aegis.c3s2.iphmx.com
68.232.150.70 20 esa2.aegis.c3s2.iphmx.com
68.232.153.30 1 esa.kindermorgan.iphmx.com
68.232.153.152 1 esa.hc2524-96.iphmx.com
Curious as to the esaN.aegis.c3s2 naming convention, what that
signifies, and why the numbers are so high?
Sample and comments:
Return-Path: <[email protected]>
Received: from esa2.spamcop.iphmx.com (HELO esa2.spamcop.iphmx.com)
(68.232.143.151)
by <SNIP> with SMTP
(9d8c9d8a-7c8d-11ed-8d40-cb130267621d); Thu, 15 Dec 2022 07:32:00 -0800
Received: from vmx.spamcop.net (HELO vmx5.spamcop.net) ([184.94.240.112])
by esa2.spamcop.iphmx.com with ESMTP; 15 Dec 2022 07:31:52 -0800
^^^ Okay, all via SpamCop???
Received: from capmatic.com (unknown [20.169.223.20])
(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by vmx5.spamcop.net (Postfix) with ESMTPSA id 117B1ED267
for <SNIP>; Thu, 15 Dec 2022 07:31:51 -0800 (PST)
^^^^ Notice the IP address (an Azure IP address) using SMTP
authentication. We have seen a marked increase in SMTP AUTH attacks from
Azure space, but cannot comment on this individual case/IP.
From: destination_domainNotification <[email protected]>
^^^^ Typical Phishing Method, easy to filter..
To: <SNIP>
Subject: Account Expiry Notification
Date: 15 Dec 2022 15:31:50 +0000
Message-ID: <[email protected]>
Has someone figured out how to 'game' SpamCop?
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
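The header walk the post does by hand (follow the Received chain down to the earliest hop, note that it was an authenticated submission, and spot the display name that mimics the destination domain) can be automated for triage. The following is an added example, not code from the post or from any of the products named in it. The sample message is constructed: it reuses the relay hostnames and IPs quoted in the post but replaces the snipped and obfuscated addresses with placeholder domains (example.net, sender.example). Parsing is regex-based on the unfolded header text, and the authenticated-submission keywords are the ESMTPA/ESMTPSA family from RFC 3848 and RFC 6531.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header chain quoted in the post.
# Placeholder values (example.net, sender.example, abc123) stand in for
# the snipped and obfuscated parts; relay hosts and IPs are from the post.
SAMPLE = """\
Return-Path: <bounce@sender.example>
Received: from esa2.spamcop.iphmx.com (HELO esa2.spamcop.iphmx.com)
 (68.232.143.151)
 by mx.example.net with SMTP
 (9d8c9d8a-7c8d-11ed-8d40-cb130267621d); Thu, 15 Dec 2022 07:32:00 -0800
Received: from vmx.spamcop.net (HELO vmx5.spamcop.net) ([184.94.240.112])
 by esa2.spamcop.iphmx.com with ESMTP; 15 Dec 2022 07:31:52 -0800
Received: from capmatic.com (unknown [20.169.223.20])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by vmx5.spamcop.net (Postfix) with ESMTPSA id 117B1ED267
 for <victim@example.net>; Thu, 15 Dec 2022 07:31:51 -0800 (PST)
From: "example.net Notification" <alerts@sender.example>
To: <victim@example.net>
Subject: Account Expiry Notification
Date: 15 Dec 2022 15:31:50 +0000
Message-ID: <abc123@sender.example>

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Protocol keywords that mean the client authenticated (RFC 3848 / RFC 6531).
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}


def parse_received(raw_message):
    """Return the Received hops top-to-bottom (latest relay first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())              # unfold continuation lines
        from_part, _, rest = text.partition(" by ")  # "from ..." vs "by ... with ..."
        from_host = re.match(r"from (\S+)", from_part)
        ip = IPV4.search(from_part)                  # first IPv4 in the from clause
        by_host = re.match(r"(\S+)", rest)
        proto = re.search(r"\bwith ([A-Za-z0-9]+)", rest)
        hops.append({
            "from_host": from_host.group(1) if from_host else None,
            "ip": ip.group(1) if ip else None,
            "by_host": by_host.group(1) if by_host else None,
            "protocol": proto.group(1).upper() if proto else None,
        })
    return hops


def originating_hop(hops):
    """The last Received header is the earliest hop: where the mail entered."""
    return hops[-1] if hops else None


def display_name_spoofs_recipient(raw_message):
    """True when the From display name mentions the recipient's own domain
    while the From address itself is on a different domain (the
    'destination_domain Notification' pattern the post calls out)."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    to_domain = to_addr.rpartition("@")[2].lower()
    return bool(to_domain) and to_domain in display.lower() and from_domain != to_domain


def triage(raw_message):
    """Summarise the facts a defender wants from the header chain."""
    hops = parse_received(raw_message)
    origin = originating_hop(hops)
    authed = origin is not None and origin["protocol"] in AUTH_PROTOCOLS
    return {
        "origin_ip": origin["ip"] if origin else None,
        "submitted_via_auth": authed,
        "auth_relay": origin["by_host"] if authed else None,
        "hop_count": len(hops),
        "display_name_spoof": display_name_spoofs_recipient(raw_message),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

On the sample this reports the origin as 20.169.223.20, submitted with ESMTPSA through vmx5.spamcop.net, with a display name that borrows the recipient's domain. Whose address space the origin IP belongs to is a separate lookup against your own allocation data; the script only isolates the hop worth looking up.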