It's been a while since I did one of these, planning on having the team members prepare these and start posting the bi-weekly updates.

This week has seen an overall increase of spam from many sources, and of course phishing attempts in general are a large part of it. Emotet is leading the way, but there are several others that are jumping on the bandwagon. For the record, you might like to block all authentication attempts from the AWS/Azure/GoogleCloud IP space by default, as these are becoming favorite launch points for AUTH abuse.

This week also saw a resurgence in Windows-based AUTH attacks and credential stuffing.. after several weeks of reduced traffic. Country AUTH restrictions can help greatly, but of course everyone should be moving to 2FA to protect their email accounts.

This is the 3rd week of the 'funding' spam, mostly from just a couple of hosting providers, such as 'Rise Servers' aka "Heficed", but seeing them appear on some other networks as well.. Those IP spaces are quickly marked by RBLs when detected..

Received: from go1.essentialbizfifund.com (HELO go1.essentialbizfifund.com) (193.58.133.241)

Netflix phishing is once again a popular lure this week.. But looks to be taking advantage of server compromises.. will note that another popular WordPress plugin was reported as vulnerable this week, and might be associated..

Received: from static.45.85.202.116.clients.your-server.de (HELO static.45.85.202.116.clients.your-server.de) (116.202.85.45)

Yes, Hetzner.. a large resurgence on your networks..
Hetzner and GMO responsible for most of those..

Brazilian bot spam on the rise again, after a lull for a couple of months..

More Spam ranges/assignments on Krypt and Hostwinds networks, but not much of a surprise there.

More fake phishing type domains appearing again on Azure.. domain was just registered, and doesn't look like it's vodafone.. only running a couple of days, but surprised more notice not being taken on this one, if it is a phishing domain, and/or takedowns.

Umm.. can you say 'NameCheap'?

40.86.205.213                    16   vodo6.vodafone-pt.com
40.86.228.54                      4   vodo3.vodafone-pt.com
40.86.230.175                     3   vodo10.vodafone-pt.com
40.86.230.183                    11   vodo4.vodafone-pt.com
40.87.100.21                     11   prata5.vodafone-pt.com

And of course, no let up on the SendGrid phishing yet.

And election time is coming soon, so not surprising to see some Russian IP space warming up..

There is a strange outbreak that happened out of Romania; it is a spam attack using an older database of email addresses. Looks like the servers behind the spam filtering cluster do not validate the MAIL FROM addresses, but that is a drawback of cloud filtering systems, as they don't have insight into which 'senders' are legitimate.

Sep 2 08:52:41 fe1 msd[2795]: EHLO command received after STARTTLS, args: clean307.mxserver.ro
Sep 2 08:52:42 fe1 msd[2795]: MAIL command received, args: FROM:<royalbank...@mail.net> SIZE=53341
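As an added illustration (not part of the original post or of any product mentioned in it) of the MAIL FROM check the filtering cluster above is missing: a small parser for log lines in the format shown, which rejects MAIL FROM addresses claiming a hosted domain unless the session came from a relay authorized to inject mail for it. The protected domains and trusted relay names are constructed placeholders; the log carries only the HELO name, so that is what is keyed on here, whereas a production check would key on the connecting IP or SMTP AUTH state, since HELO is trivially forged.

```python
import re

# Log line shapes as they appear in the report (mail daemon "msd" on front-end fe1).
EHLO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) msd\[(?P<pid>\d+)\]: "
    r"EHLO command received.*?, args: (?P<helo>\S+)")
MAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) msd\[(?P<pid>\d+)\]: "
    r"MAIL command received, args: FROM:<(?P<addr>[^>]*)>")

# Constructed: domains this cluster hosts. Mail claiming one of these as sender
# should only enter via authorized relays/submission, never from arbitrary hosts.
PROTECTED_DOMAINS = {"example.com"}
# Constructed: HELO names of relays allowed to inject mail for protected domains.
TRUSTED_RELAYS = {"relay1.example.com"}

# Constructed sample sessions in the same log format; one spoofs a hosted domain.
SAMPLE_LOG = """\
Sep 2 08:52:41 fe1 msd[2795]: EHLO command received after STARTTLS, args: clean307.mxserver.ro
Sep 2 08:52:42 fe1 msd[2795]: MAIL command received, args: FROM:<billing@example.com> SIZE=53341
Sep 2 08:53:10 fe1 msd[2801]: EHLO command received, args: relay1.example.com
Sep 2 08:53:11 fe1 msd[2801]: MAIL command received, args: FROM:<alice@example.com> SIZE=1200
Sep 2 08:54:00 fe1 msd[2810]: EHLO command received after STARTTLS, args: mx.partner.net
Sep 2 08:54:01 fe1 msd[2810]: MAIL command received, args: FROM:<bob@partner.net> SIZE=900
""".splitlines()


def check_sessions(lines):
    """Correlate EHLO and MAIL lines by daemon pid; return (addr, helo, verdict) per MAIL FROM."""
    helo_by_pid = {}
    verdicts = []
    for line in lines:
        m = EHLO_RE.match(line)
        if m:
            helo_by_pid[m["pid"]] = m["helo"].lower()
            continue
        m = MAIL_RE.match(line)
        if not m:
            continue
        addr = m["addr"]
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        helo = helo_by_pid.get(m["pid"], "")
        # Sender claims a domain we host, but the session is not from a trusted relay.
        spoofed = domain in PROTECTED_DOMAINS and helo not in TRUSTED_RELAYS
        verdicts.append((addr, helo, "REJECT" if spoofed else "ACCEPT"))
    return verdicts


if __name__ == "__main__":
    for addr, helo, verdict in check_sessions(SAMPLE_LOG):
        print(f"{verdict:6} {addr:28} via {helo}")
```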

But all in all, looks like another long weekend is almost upon us, so expect to see more of all the same activity, to happen all weekend long..

Try to enjoy the last major holiday weekend of the summer, but remember you might have a busy Monday.. stay safe!

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada