Hi Benoit,

Benoit Panizzon wrote on Thu, Oct 27, 2022 at 10:45:31AM +0200:
> > Let me guess: You've got an abuse report to your abuse e-mail address
> > about some IP ranges and domains (including up-network.ch) which have
> > no relation to your AS at all?
> >
> > If yes: You're not the only one.
>
> Yes, after the 3rd report, from yet another source we got after I sent
> the email, the joe-job got quite apparent.

Ok, we so far just got one such mail.

> The first report was rather short but could be understood as a report
> about https://dashboard.myrdp.gg/login being a phishing site hosted by
> one of our customers under the IP: 45.158.77.203

Ok, so you actually have a relation to some of the mentioned assets? We
don't have any.

> On Tuesday we got 3 more reports from another sender sent to different
> abuse and NOC addresses regarding the same phishing site, not the full
> URL anymore, but a more sensible list of affected IP addresses:
>
> 45.148.119.0/24
> 171.22.147.0/24
> 45.148.116.0/24
> MyRDP.gg
> up-network.ch

That list is actually the same that we got to our abuse address, too.

For reference, here's the relevant part of that weird mail as we
received it:

| Date: Tue, 25 Oct 2022 14:59:36 +0200
| From: ab...@cognitive-cloud.com
| To: abuse@[…]
| Subject: Abuse report
| X-Mailer: mail (GNU Mailutils 3.7)
|
| Hello,
|
| We have detected that the AS: "AS203790 - Association UP-NETWORK" is responsible for hosting a phishing campaign targeting French institutions and private banks.
|
| We ask you to stop their service completely, an investigation is in progress
|
| 45.148.119.0/24
| 171.22.147.0/24
| 45.148.116.0/24
| MyRDP.gg
| up-network.ch
|
| You can check all the proof here :
| - https://ipinfo.io/AS203790
|
| =================
| 45.148.116.57 macartevitaleameli.fr
| 171.22.147.226 amelicartevitaleverif.com
| 171.22.147.40 assure-cartes.com
| =================

[Signature or at least what seems to be a signature stripped]

I assume that most of these mails looked like this one.

> So I guess this is some kind of campaign targeting up-network.

Yes, I interpret this as trying to convince other organisations to block
up-network.ch's IP ranges in their AS. Which is kinda weird. First time
I see such a request on the abuse address of an unrelated organisation.

But it is difficult to say if this is a helpless but true request or a
hostile attack.

Asking to block 3x /24 just because of three phishing sites seems a bit
of an overzealous reaction to me, though. This is what blacklists are
for.

Regards,
Axel
--
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | a...@deuxchevaux.org  (Mail)
 X   See http://arc.pasp.de/                      | a...@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | https://axel.beckert.ch/
_______________________________________________
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
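A quick triage check for a report like the one quoted in the thread, as an added example that is not part of the original mail or of any tool it mentions. It parses the asset list and the "proof" block from the report, checks whether any listed prefix overlaps prefixes the receiving organisation actually holds (OUR_PREFIXES is a constructed, hypothetical allocation; the real check would use your own RIR/IRR data), and whether the proof IPs even fall inside the ranges the report asks you to block. For an AS with no relation to the listed ranges, as in the thread, the result is "nothing in scope", which is the signal to treat the mail as a probable joe-job rather than to act on it.

```python
"""Triage an abuse report's asset list against the receiving org's own prefixes.

Added example, not code from the mailing-list thread. REPORT_ASSETS and
REPORT_PROOF are the lists quoted in the thread; OUR_PREFIXES is a constructed,
hypothetical allocation for the organisation that received the mail.
"""
import ipaddress

# Asset list as it appeared in the quoted abuse report.
REPORT_ASSETS = """\
45.148.119.0/24
171.22.147.0/24
45.148.116.0/24
MyRDP.gg
up-network.ch
"""

# The "proof" block from the same report: one IP and one domain per line.
REPORT_PROOF = """\
45.148.116.57 macartevitaleameli.fr
171.22.147.226 amelicartevitaleverif.com
171.22.147.40 assure-cartes.com
"""

# Hypothetical: prefixes held by the organisation that received the report.
# In practice, load these from your IRR route objects / RIR allocations.
OUR_PREFIXES = ["192.0.2.0/24", "2001:db8::/32"]


def parse_assets(text):
    """Split the asset list into IP networks and bare domain names."""
    nets, domains = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            # strict=False also accepts a host address written with a mask.
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.append(line.lower())
    return nets, domains


def parse_proof(text):
    """Extract (ip, domain) pairs from the report's 'proof' block."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            pairs.append((ipaddress.ip_address(parts[0]), parts[1].lower()))
        except ValueError:
            continue  # not an IP-first line (e.g. '====' separators)
    return pairs


def overlaps_any(net, prefixes):
    """True if `net` shares at least one address with one of `prefixes`."""
    return any(net.version == p.version and net.overlaps(p) for p in prefixes)


def triage(assets_text, proof_text, our_prefixes):
    """Classify a report: is anything it lists actually ours, and does its
    own evidence sit inside the ranges it asks us to block?"""
    ours = [ipaddress.ip_network(p) for p in our_prefixes]
    nets, domains = parse_assets(assets_text)
    proof = parse_proof(proof_text)

    in_scope = [str(n) for n in nets if overlaps_any(n, ours)]
    out_of_scope = [str(n) for n in nets if not overlaps_any(n, ours)]
    inside = [str(ip) for ip, _ in proof if any(ip in n for n in nets)]
    outside = [str(ip) for ip, _ in proof if not any(ip in n for n in nets)]

    return {
        "in_scope_prefixes": in_scope,            # ranges we could act on
        "out_of_scope_prefixes": out_of_scope,    # not ours: nothing to do
        "proof_ips_inside_listed": inside,        # evidence matches the ask
        "proof_ips_outside_listed": outside,      # evidence points elsewhere
        "domains": domains,
        "actionable": bool(in_scope),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_ASSETS, REPORT_PROOF, OUR_PREFIXES).items():
        print(f"{key}: {value}")
```

With the hypothetical OUR_PREFIXES the report is not actionable: all three /24s are out of scope, so the only sensible response is to ignore it or forward it to the AS that actually announces those prefixes. Swapping in a supernet such as 45.148.116.0/22 flips two of the ranges into scope, which is the case where the report deserves a real look, and even then the proof only names three hosts, which argues for per-host handling or a blacklist entry rather than dropping whole /24s.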