On Tue, May 24, 2016 at 2:18 PM, Michael Wise <michael.w...@microsoft.com> wrote:
> Are these IP addresses on CBL?
>

I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17 and 18. Amazingly, whoever is on the other end of that address clicked to confirm every one of those confirmation messages. All confirmation clicks appear to come from a netblock owned by Barracuda Networks... Hmm...

Each signup request came from a different IP address. 5 were on CBL (as of right now) and 7 were not.

In case anyone is interested, I also checked them against MinFraud from Maxmind. Of the 7 CBL did not detect, it said 5 of them were high risk of being fraudulent source. Between the two, only 2 would get through.

If anyone is interested, these are the IPs used for the signup form submission:

107.184.168.161 - CBL, MF
67.208.149.17 - CBL, MF "low"
116.212.155.5 -
73.4.8.181 - MF
76.74.237.61 - CBL, MF
96.245.176.53 - MF
50.196.42.201 - MF
32.213.237.56 -
50.192.254.21 - MF
76.74.237.61 - CBL, MF
74.196.162.37 - MF
76.74.237.61 - CBL, MF

I am definitely going to start checking CBL and MinFraud for these forms. Thanks for the tip.

> Are these addresses in a larger pool, like a Nigerian coffee shop?
>

Doesn't seem like it. I spot checked a couple and they look like ISPs in the states.

> At some point, you should have a CAPTCHA, and also possibly a list of
> ranges of known bad actors.
>

We do have CAPTCHA available. I think it is time to start pushing it on the customers a little harder...
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
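Added example, not part of the thread or anyone's production code: a signup-form gate that layers a DNSBL lookup with a fraud score, as the message above plans to do with CBL and MinFraud, and sends whatever passes both to a CAPTCHA. The zone name `cbl.abuseat.org`, the 0-100 score scale, the threshold of 50, all function names and the sample rows are assumptions; the sample IPs are documentation-range addresses, not the ones listed in the message.

```python
import ipaddress
import socket

CBL_ZONE = "cbl.abuseat.org"  # assumption: CBL's query zone, not given in the thread
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone=CBL_ZONE):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_listed(ip, zone=CBL_ZONE, resolve=socket.gethostbyname):
    """True when the zone answers with an address in 127.0.0.0/8."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False  # NXDOMAIN means not listed; resolver failures also land here
    return ipaddress.IPv4Address(answer) in LISTED_NET

def signup_action(ip, risk_score, listed=dnsbl_listed, threshold=50.0):
    """Either signal alone rejects; an IP clean on both still gets a CAPTCHA.
    risk_score: hypothetical 0-100 fraud score, None when unavailable."""
    if listed(ip) or (risk_score is not None and risk_score >= threshold):
        return "reject"
    return "captcha"

# Constructed sample (documentation-range IPs): (ip, on blocklist?, risk score)
SAMPLE = [
    ("192.0.2.10", True, 88.0),
    ("192.0.2.11", True, 3.0),
    ("198.51.100.7", False, 71.5),
    ("198.51.100.8", False, 2.0),
    ("203.0.113.9", False, None),
]

def triage(sample=SAMPLE):
    """Run the gate over the sample with a stub resolver, so no DNS is needed."""
    zone = {dnsbl_name(ip): "127.0.0.2" for ip, on_list, _ in sample if on_list}
    def resolve(name):
        if name not in zone:
            raise socket.gaierror("NXDOMAIN (stub)")
        return zone[name]
    check = lambda ip: dnsbl_listed(ip, resolve=resolve)
    return {ip: signup_action(ip, score, listed=check) for ip, _, score in sample}

if __name__ == "__main__":
    for ip, action in triage().items():
        print(ip, action)
```

Because `dnsbl_listed` treats a resolver failure the same as "not listed", a production gate should log lookup errors separately so a DNS outage is not mistaken for a run of clean signups.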