Hi All,

Going into another weekend, and there is a lot of activity out there.

* Amazon EC2 spam on the increase again
* SendGrid Abuse still ongoing
* Similar patterns emerging in other ESP's
* Increase in VPS activation for malware Spam
* Cutwail increases on Chinese IP Space
* Emotet activates again
* Compromised Router Botnet spamming activity dying down

Interestingly, our spam auditors are not actually seeing much Emotet spam reaching the filters or traps, and it could be simply because the sources are already on common RBL's, or obvious non-email server traffic, or virus checkers catching them already.

Fake "Mailbox is full" traffic increasing, from everywhere.. ESP's, compromised accounts, bad VPS providers...

And of course, fake invoice attachments with Malware.

Gmail spammers on the increase again, (of course they are offering to get your Google listings higher ;)

Got to love the 'Dynamic Rule Engine', makes it easy to throw out new detection numbers..

X-DRE: shanghai_ucloud_spammer, another 'liberal' hosting provider.. obviously 
used for Malware spamming..

Hotmail/Yahoo seeing an increase as well this week, but more of the Nigerian 
Prince and Inheritance scams..

FiveLetterRussian domain has resurfaced, but now more widespread across many 
VPS providers.
Received: from mail.gerul.ru (HELO mail.gerul.ru) (45.138.74.111)
And in general another increase in spam from 'bullet proof' hosting providers in 
Russia

OVH Spammers are at it again, but they seem to be getting smaller blocks, eg 
/29's.

Brazilian Spam and Spammers seem to have slowed down..

Also, this week's callout to a hoster that is heavily abused:

inetnum:        212.83.160.0 - 212.83.191.255
netname:        FRWOL
descr:          Iliad
country:        FR
admin-c:        ACP23-RIPE
tech-c:         TCP8-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TISCALIFR
mnt-by:         MNT-TISCALIFR-B2B
remarks:        Tag: Int
created:        2002-09-24T15:24:29Z
last-modified:  2017-05-03T15:23:26Z
source:         RIPE

role:           Administrative Contact for ProXad
address:        Free SAS / ProXad

Time to either start using 'rwhois' on your networks, or expect the whole 
network reputation to suffer...

Often it's the same faces when it comes to hosters.. (EONIX) and Powered by 
Vesta ;)

50.2.251.153    x1      lotbons.shivjain.com
50.2.251.154    x1      deisoms.shivjain.com
50.2.251.161    x1      crineuthke.shivjain.com
51.141.86.194   x2      mcdo.store
51.143.165.120  x6      sheep.pink
51.195.137.160  x2      ns1.cdbcf.com
51.195.26.126   x4      fun88sports.com
51.195.26.129   x2      suppliesforless.com
51.222.26.17    x6      guesser2.salescrawler.com
51.222.50.250   x1      dlv4.srv3-orbis.net
51.222.50.253   x1      dlv6.srv3-orbis.biz
51.222.53.0     x2      dlv1.srv3-orbis.com
51.222.53.1     x2      dlv2.srv3-orbis.com
51.254.72.141   x1      vlado.elmbape.com
51.81.35.34     x2      guesser5.wdemg.com
51.83.204.166   x2      robertnews.info
51.89.16.182    x2      jazzlivewagering.com
51.89.19.140    x4      idatwork.net
51.89.19.141    x4      pricelessbostonsweeps.com
51.89.19.142    x3      salveonetworks.com
51.89.19.143    x2      philodendron.de
51.89.27.246    x4      studymath.org
51.89.28.185    x3      prettyvase.com

Verizon? I thought you were blocking port 25 on egress, guess not? SpamBot 
activity..
Might suggest that you clearly indicate whether they are dynamic or static?

97.35.4.39      x14     39.sub-97-35-4.myvzw.com
97.42.192.231   x15     231.sub-97-42-192.myvzw.com
97.46.64.44     x14     44.sub-97-46-64.myvzw.com
97.46.68.112    x7      112.sub-97-46-68.myvzw.com
174.194.142.227 x19     227.sub-174-194-142.myvzw.com
174.195.4.83    x2      83.sub-174-195-4.myvzw.com
174.196.6.97    x11     97.sub-174-196-6.myvzw.com
174.204.70.147  x12     147.sub-174-204-70.myvzw.com


I think all ISP's would do better on standardizing on a naming convention..
Consider a naming convention that more clearly describes the purpose of your 
IPs and Networks, eg..

154-70-130-3.static.
154-70-130-3.dynamic....
154-70-130-3.colocation....
154-70-130-3.corporate....

Whichever of course best describes the usage.  This will enable others to 
better understand the purpose when examining abuse patterns.
Of course, email servers would have 'custom' PTR records.
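As an added illustration of the two points above (the generic, unlabelled rDNS on the Verizon sources, and the proposed static/dynamic/colocation/corporate naming convention), here is a small Python script that is not part of this post or of any LinuxMagic tooling. It parses report lines in the same "ip  xN  rdns" shape as the lists above, classifies each PTR as custom (no address octets embedded, as an email server would have), role-labelled (static, dynamic, colocation, corporate) or generic-unlabelled (octets embedded but no role label, like the myvzw.com names), and totals hits per /24 or /29 so that abused blocks stand out. The example.net hostnames and a few of the counts in the sample are constructed for the demonstration; the DRE itself is not modelled.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the report format used in the post (ip, hit count, rDNS).
# The example.net lines are invented to show role-labelled PTRs; the rest mirror
# the shape of the posted lists.
SAMPLE_REPORT = """\
51.89.19.140    x4      idatwork.net
51.89.19.141    x4      pricelessbostonsweeps.com
51.89.19.142    x3      salveonetworks.com
51.89.19.143    x2      philodendron.de
97.35.4.39      x14     39.sub-97-35-4.myvzw.com
174.194.142.227 x19     227.sub-174-194-142.myvzw.com
154.70.130.3    x1      154-70-130-3.static.example.net
154.70.130.4    x5      154-70-130-4.dynamic.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+x(\d+)\s+(\S+)$")

# Role labels from the naming convention proposed above.
ROLE_LABELS = ("static", "dynamic", "colocation", "corporate")


def parse_report(text):
    """Return a list of (ip_address, hit_count, rdns) tuples; skips malformed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, count, rdns = m.groups()
        rows.append((ipaddress.ip_address(ip), int(count), rdns.lower()))
    return rows


def classify_ptr(ip, rdns):
    """Classify an rDNS name relative to the IP it belongs to.

    custom             - none of the address octets appear in the name
    static/dynamic/... - octets embedded and a role label is present
    generic-unlabelled - octets embedded but no role label (e.g. 39.sub-97-35-4.myvzw.com)
    """
    labels = set(re.split(r"[.\-]", rdns))
    octets = set(str(ip).split("."))
    if not octets <= labels:
        return "custom"
    for role in ROLE_LABELS:
        if role in labels:
            return role
    return "generic-unlabelled"


def classify_report(rows):
    """Count how many reported sources fall into each PTR class."""
    return Counter(classify_ptr(ip, rdns) for ip, _, rdns in rows)


def hits_by_block(rows, prefix=24):
    """Total hit counts per CIDR block of the given prefix length (24 or 29 here)."""
    totals = Counter()
    for ip, count, _ in rows:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        totals[str(net)] += count
    return totals


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for ip, count, rdns in rows:
        print(f"{ip!s:16} x{count:<4} {classify_ptr(ip, rdns):19} {rdns}")
    print("\nPTR classes:", dict(classify_report(rows)))
    print("Hottest /24s:", hits_by_block(rows).most_common(3))
    print("Hottest /29s:", hits_by_block(rows, 29).most_common(3))
```

Run as-is it prints the per-source class, then the busiest /24s and /29s; feeding it a full day's report instead of the constructed sample is just a matter of replacing SAMPLE_REPORT with the file contents. The octet test is deliberately a set membership check rather than an ordered match, because providers embed the address in both forward (154-70-130-3) and reversed or rotated (39.sub-97-35-4) forms.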

SpamAuditors are busy.. so you don't have to be ;)
Stay safe this weekend..

Remember, spam is not JUST an annoyance, it can lead to much more serious 
consequences..
Let's do more to watch what is leaving our networks, think of it as a COVID 
mask, I wear one to protect you, you wear one to protect me..



--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
