I see a varied population of miscreants on 158.94.208/22:

Since May:
* 158.94.211.236
* 158.94.211.83
Classic SMTP checking with [email protected] dropbox, with WIN-7N1FIECL6IC EHLO

* 158.94.209.22
* 158.94.209.99
Emails claiming to be from buying departments impersonating different
Mexican companies. The attachment is a rar file (with mismatching
extension) containing a .exe

* 158.94.209.32
Credential scanning with [email protected] dropbox

* 158.94.210.212
* 158.94.210.93
Phishing emails (DHL, Verify your email, New Voicemail...)

* 158.94.210.228
Scam + spameri

* 158.94.210.98
SMTP checker

* 158.94.211.220
SMTP checking from WIN-7N1FIECL6IC

* 158.94.209.214
Spameri checking, but used an EHLO of "158-94-209-214"
More SMTP check, with a HELO of "User"


And, as an addendum, I see 179.60.149.108 and 23.129.64.128/25
"sending" emails (of the kind that use docs.google.com urls as payload)
 "authenticating" as a local user EHLOing as 158.94.208.76


Going further back, there are many more ips involved (158.94.208.17
158.94.208.56 158.94.208.82 158.94.208.83 158.94.208.141 158.94.208.175
158.94.208.193 158.94.208.215 158.94.208.241 158.94.209.22
158.94.209.25 158.94.209.105 158.94.209.112 158.94.209.116
158.94.209.131 158.94.209.145 158.94.209.166 158.94.209.192
158.94.210.30 158.94.210.42 158.94.210.63 158.94.210.93 158.94.210.111
158.94.210.167 158.94.210.190 158.94.210.217 158.94.211.18
158.94.211.21 158.94.211.35 158.94.211.56 158.94.211.64 158.94.211.65
158.94.211.67 158.94.211.85 158.94.211.90 158.94.211.95 158.94.211.112
158.94.211.121 158.94.211.154 158.94.211.199 158.94.211.202
158.94.211.206 158.94.211.208 158.94.211.212 158.94.211.220
158.94.211.248) but the activities seem to be the same.


It's also interesting to see their broad usage of the WIN-7N1FIECL6IC EHLO and
spameri target, but it occasionally changes dropboxes and behavior, probably
due to using a different tool. In some cases WIN-7N1FIECL6IC uses a Return-Path
of [email protected], in which they do provide credentials (such as ftp123/ftp123,
admin/admin...) but almost every time they are empty.
In about a dozen instances, the HELO is win-7n1fiecl6ic.domain, with a
Return-Path of test@<domain>, sending a common SMTP checker output
("Valid SMTP ...").


Regards

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
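A defender-side way to turn the indicators in the post above into a log check, as an added example that is not part of the original message or of any MTA's code: it parses SMTP session records, flags sources inside the reported 158.94.208.0/22 and 23.129.64.128/25 ranges or the 179.60.149.108 host, the WIN-7N1FIECL6IC / "User" HELO names (including the win-7n1fiecl6ic.domain form), HELOs that present an IP literal other than the connecting address (the 158.94.208.76 case), and test@<domain> return-paths. The log line format, the sample lines and the reason strings are constructed for this example; only the ranges, addresses and HELO strings come from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators quoted from the mailop report: the /22, the two external sources,
# and the EHLO/HELO names. Nothing beyond what the post states is assumed.
REPORTED_RANGES = [
    ipaddress.ip_network("158.94.208.0/22"),
    ipaddress.ip_network("23.129.64.128/25"),
]
REPORTED_HOSTS = {"179.60.149.108"}
REPORTED_HELO_NAMES = {"win-7n1fiecl6ic", "user"}

# Constructed record format (not any real MTA's log syntax): one line per SMTP
# session with the connecting client, the HELO/EHLO argument, the envelope
# sender and, when SMTP AUTH succeeded, the authenticated user.
LINE_RE = re.compile(
    r"client=(?P<ip>[\d.]+)\s+helo=<(?P<helo>[^>]*)>\s+from=<(?P<mail_from>[^>]*)>"
    r"(?:\s+auth=(?P<auth>\S+))?"
)

# Constructed sample sessions mirroring the behaviours described in the post.
SAMPLE_LOG = """\
t1 client=158.94.211.236 helo=<WIN-7N1FIECL6IC> from=<>
t2 client=158.94.209.214 helo=<158-94-209-214> from=<bob@example.org>
t3 client=179.60.149.108 helo=<158.94.208.76> from=<jdoe@example.com> auth=jdoe
t4 client=198.51.100.7 helo=<mail.example.net> from=<alice@example.net>
t5 client=203.0.113.9 helo=<win-7n1fiecl6ic.domain> from=<test@example.com>
"""


@dataclass
class Session:
    ip: str
    helo: str
    mail_from: str
    auth: Optional[str]


def parse_line(line: str) -> Optional[Session]:
    """Extract one session from a record line; None when it is not a record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Session(m["ip"], m["helo"], m["mail_from"], m["auth"])


def is_reported_source(ip: str) -> bool:
    """True when the client is one of the addresses or ranges named in the post."""
    addr = ipaddress.ip_address(ip)
    return ip in REPORTED_HOSTS or any(addr in net for net in REPORTED_RANGES)


def helo_claims_other_ip(ip: str, helo: str) -> bool:
    """True when the HELO is an IP literal (dotted, bracketed or dashed, as in
    '158-94-209-214') that differs from the address actually connecting."""
    candidate = helo.strip("[]").replace("-", ".")
    try:
        return ipaddress.ip_address(candidate) != ipaddress.ip_address(ip)
    except ValueError:  # the HELO is a hostname, not an address
        return False


def flag_session(s: Session) -> List[str]:
    """Return the list of matched indicators for a session (empty = clean)."""
    reasons = []
    if is_reported_source(s.ip):
        reasons.append("source is a reported address or range")
    # first DNS label, so win-7n1fiecl6ic.domain matches as well as WIN-7N1FIECL6IC
    if s.helo.lower().split(".")[0] in REPORTED_HELO_NAMES:
        reasons.append(f"HELO name seen in the report: {s.helo!r}")
    if helo_claims_other_ip(s.ip, s.helo):
        reasons.append("HELO is an IP literal that is not the connecting address")
    if s.mail_from.lower().startswith("test@"):
        reasons.append("test@<domain> return-path typical of the SMTP checker")
    # a successful AUTH from a flagged session points at a compromised local account
    if s.auth and reasons:
        reasons.append(f"authenticated as {s.auth!r} despite the indicators above")
    return reasons


def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run flag_session over every record and keep the sessions with hits."""
    hits = []
    for line in log_text.splitlines():
        s = parse_line(line)
        if s is None:
            continue
        reasons = flag_session(s)
        if reasons:
            hits.append((s.ip, reasons))
    return hits


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

The HELO-versus-connecting-address check is the one worth keeping even after the listed ranges go stale: a client that greets with someone else's address literal while authenticating as a local user is the pattern the post describes, and it needs no address list to detect.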