[NOTE:  this is relevant to mail operations as a number of legitimate senders
are customers of Amazon AWS.  Several of them are my clients.]


An operation that is easily distinguished by 

> EHLO phylobago.mysecuritycamera.org

and a payload that begins with "This message is from a trusted sender." and a
visible FROM of

> livenewsupd...@millan.pgw.jp

has made 66 delivery attempts over the past six days, from 60 Amazon IPs.  If
a given IP was not on Spamhaus CSS at the time of delivery, it appears that it
would have been added soon after. These figures reflect data from logs that
have not yet been rolled into the archive.

There are three deliverable local addresses in their customary drop, two of which
come to me and the other being "Nadine".  The rest of the recipients are
spamtrap accounts that result in the message being delivered to Rev. Bayes,
and the IP dropped into the IP REFUSE list for at least 1440 minutes.  At the
moment there are 48 AWS IP addresses in that list.

It is difficult to imagine how such a large-scale and essentially static
operation (the EHLO, MAIL FROM and visible FROM, together with the opening
string, have been constant since the first messages rolled in on 16 Dec 2019)
could persist.

There was an apparent service interruption from 01 Jan to 09 Jan, after which
delivery attempts continue as usual.  The most recent delivery was
approximately 45 minutes ago (the IP, 54.91.110.45, was not in CSS at delivery
time; it is now).  In that interval, at least four of the refuse-listed IPs
have encountered refusal.

Is nobody else seeing this and reporting it to AWS abuse?

mdr
-- 
         "There are no laws here, only agreements."  
                -- Masahiko


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
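
The handling described in the message above (a static EHLO and opening-string fingerprint, and a spamtrap hit that puts the sending IP on a refuse list for at least 1440 minutes), replayed over log events as an added example; this is not the poster's code or configuration. Only the EHLO name, the opening string and the 1440-minute figure come from the post; the record layout, recipient addresses and IPs are constructed.

```python
from datetime import datetime, timedelta

# Values quoted in the post: EHLO name, opening string, minimum listing time.
CAMPAIGN_EHLO = "phylobago.mysecuritycamera.org"
CAMPAIGN_OPENING = "This message is from a trusted sender."
REFUSE_TTL = timedelta(minutes=1440)

# Constructed sample data: documentation-range IPs and invented recipients.
SPAMTRAPS = {"trap1@example.net", "trap2@example.net"}
EVENTS = [
    # (timestamp, client IP, EHLO name, RCPT TO, first body line)
    ("2020-01-10 08:00", "192.0.2.10", CAMPAIGN_EHLO, "trap1@example.net", CAMPAIGN_OPENING + " Breaking news"),
    ("2020-01-10 09:30", "192.0.2.10", CAMPAIGN_EHLO, "user@example.net", CAMPAIGN_OPENING),
    ("2020-01-10 10:00", "192.0.2.11", CAMPAIGN_EHLO, "user@example.net", CAMPAIGN_OPENING),
    ("2020-01-10 11:00", "198.51.100.7", "mail.example.org", "user@example.net", "Hello"),
    ("2020-01-11 08:30", "192.0.2.10", CAMPAIGN_EHLO, "trap2@example.net", CAMPAIGN_OPENING),
]

def is_campaign(ehlo, first_line):
    """Match the static fingerprint: EHLO name plus opening string."""
    return ehlo.lower() == CAMPAIGN_EHLO and first_line.startswith(CAMPAIGN_OPENING)

def replay(events, spamtraps, ttl=REFUSE_TTL):
    """Replay events in time order and return campaign and refuse-list statistics."""
    refuse = {}            # ip -> time at which the listing expires
    refused = 0            # connections turned away while listed
    attempts = 0           # accepted connections matching the fingerprint
    campaign_ips = set()
    for stamp, ip, ehlo, rcpt, first_line in sorted(events):
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if ip in refuse and now < refuse[ip]:
            refused += 1   # refused at connect, so EHLO and body are never seen
            continue
        if is_campaign(ehlo, first_line):
            attempts += 1
            campaign_ips.add(ip)
        if rcpt.lower() in spamtraps:
            refuse[ip] = now + ttl   # a spamtrap hit lists (or relists) the IP
    return {"refused": refused, "campaign_attempts": attempts,
            "campaign_ips": campaign_ips, "refuse_list": refuse}

if __name__ == "__main__":
    stats = replay(EVENTS, SPAMTRAPS)
    print(stats["campaign_attempts"], "attempts from", len(stats["campaign_ips"]), "IPs;",
          stats["refused"], "refused while listed")
```
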