It's been a while since I sent one of these out, and since one of the senior threat researchers is off this week, on a well-deserved break, I thought I would take a look at what the rest of the team is reporting..

* The amount of leakage from Gmail and O365 continues to climb, are they getting budget-conscious? Most of it is lame/old spam, seen for years, just higher volumes, but seeing more dangerous stuff increasing in volume. And worse, they are finding new tricks to abuse those platforms, a lot of 'sharepoint' notification spam/malware, and ..

Return-Path: <3zd6txw8jbuysizqmttm.sijtivouiqt.kwu0itm0tqv25uioqk....@trix.bounces.google.com>

Trix are for kids I guess.
I've invited you to fill in the following form:
Untitled form

To fill it in, visit:
https://docs.google.com/forms.. yada yada..

Greetings to you my dear,
My name is Mrs Marie Evis I have a donation of ($10.500.000.00) for you.

Umm..  X-MagicMail-Quarantine: Yes ;)

* AUTH attacks continue to grow from Azure, Amazon, and Google Cloud

Just loved this response from MS CERT today ;) I guess a response is better than nothing right?

"This message is to notify you that the Computer Emergency Response Team has reviewed your reported issue and has actioned <sic> it appropriately.

The activity reported is associated with a customer account within the Microsoft Azure service. Microsoft Azure provides a cloud computing platform in which customers can deploy their own software applications. Customers, not Microsoft, control what applications are deployed on their account.

The specific details of this case will not be provided in... "

I guess actioned appropriately means?? ignored?? I think all infosec peeps hear that from all kinds of hosting providers, it isn't us, it's the customer, but we can't tell you who that is.. which is why the bad guys like those networks, as takedowns can take a long time.

Heficed/Digital Energy continues to be a thorn in the side, with rentals to obvious spammers and worse.

Digital Ocean has an actor that continues to get new IP(s) as fast as the old ones get listed.. Using older domains.. about 50 new ones every day, for the past couple of weeks. Same domains, just different IPs, eg..

134.209.69.189  x37     mail.marikinadentist.com
134.209.83.168  x54     mail.muntinlupadentist.com
134.209.88.61   x1      mail.domainsfusion.com
138.197.162.71  x6      mail.kevenbrochu.com
138.197.204.134 x6      mail.ealingmassage.com
138.197.211.98  x25     mail.talentpoolcapability.com
138.197.215.18  x4      mail.infomodas.com

OVH: still seeing new obvious miscreants getting IP space.
They also have a couple of actors that use pretty obvious naming conventions.. easy to spot.. wonder if OVH will change practices or simply buy more IP(s) when all the ones they have get marked dirty?

Cutwail attacks started back up, but not getting much traction, only about 50 new IP(s) every day.

Still can't believe how many ISPs don't offer their customers rDNS, or simply have no NS servers responding to queries.. don't they realize that setting up rDNS is a lot cheaper than dealing with support calls about slow connections?

And there is this range that has been up and running for a while now..

107.158.123.147 x1      mail.neimanmarcus.com
107.158.123.148 x4      view.eyraud.com
107.158.123.150 x5      sender.nordstromrack.com
107.158.123.174 x5      view.abercrombie.com

Don't REALLY think it is associated with those companies.. Love its neighbours..

GeoIP country code[107.158.123.174] = "US"
EHLO command received, args: ecumenical.profilighthjksh.us
MAIL command received, args: FROM:<flightsimulat...@profilighthjksh.us>

Somebody should sic a lawyer or two on that operator, I would hazard to suggest..

Wonder who hasn't noticed that..?

Organization:   Eonix Corporation (EONIX)

Oh, and of course.. seems that we're getting more and more famous, seeing dedicated 'phishing' sites for our products.. lovely, huh? And not like you can get quick takedowns. Wonder why they tackle our products, I am sure there are easier ways to spam, given the protections in place.

Happy to report that while SendGrid has still had the SAME problem for over 8 months, the new reported IPs each day are significantly down.. Might not mean that SendGrid fixed the problem, but since more and more companies started flagging/rejecting them, maybe spammers are moving on to greener pastures..

But in general, invoice-type phishing lures (think ransomware) and fake email account resets are still the flavour du jour, and everyone is selling a 'list of industry contacts'..

Fake FedEx seems to have died down in North America, but seeing it appearing in a lot of new languages now.. I mean they do ship all over the world.. Still seeing the odd really bad DHL lure..

Compromises on Brazilian networks (CPE and Windows) have regained steam, PLEASE Brazilian CERT, explain to your network operators how to block traffic to port 25 from dynamic networks..

Oh, and these guys are re-appearing again..

13.69.25.159        (M)           1   smtpout08.sonicleads.io
13.80.125.68        (M)           1   smtpout11.sonicleads.io
13.92.171.63        (M)           1   smtpout16.sonicleads.io
13.95.30.219        (M)           1   smtpout04.sonicleads.io
13.95.122.62        (M)           1   smtpout12.sonicleads.io

Not sure if they are list washing, or just sending to a very bad database of email addresses.

Anyone know these guys?

52.222.73.83                      2   smtp2.gov1.qemailserver.com
52.222.73.120                     1   smtp1.gov1.qemailserver.com
52.222.75.85                      2   smtp3.gov1.qemailserver.com
52.222.89.228                     1   smtp5.gov1.qemailserver.com

Might mention to them it is time to redirect their domain to an https version.. BEFORE trying to redirect to their main corporate website.

Oh, and FACEBOOK, will you frigging STOP sending emails to invalid users, or are you list washing too? Or maybe they are so big they are just checking for EVERY possible email in the world.. Or is someone abusing their APIs and systems for some nefarious purpose...

66.220.144.143                   21   66-220-144-143.mail-mail.facebook.com
66.220.144.144                   30   66-220-144-144.mail-mail.facebook.com
66.220.144.145                   26   66-220-144-145.mail-mail.facebook.com
66.220.144.146                   28   66-220-144-146.mail-mail.facebook.com
66.220.144.147                   28   66-220-144-147.mail-mail.facebook.com
66.220.144.148                   21   66-220-144-148.mail-mail.facebook.com
66.220.144.149                   24   66-220-144-149.mail-mail.facebook.com
66.220.144.150                   30   66-220-144-150.mail-mail.facebook.com
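Added example, not part of Michael's post: one way a receiving operator could measure the "sending to invalid users" pattern complained about above (and the earlier sonicleads one), by counting unknown-recipient rejections per sending IP and per PTR domain. The log format is an assumed, constructed one, and the sample lines reuse hosts named in the post only as illustration.

```python
"""Flag senders that look like they are list washing: probing many mailboxes
that do not exist. Added example, not from the original post; the log format
and sample lines below are constructed, not any real MTA's output."""
import re
from collections import defaultdict

# Constructed format: "<ip> <ptr-hostname> RCPT <address> <ACCEPTED|UNKNOWN_USER>"
LINE_RE = re.compile(r"^(\S+) (\S+) RCPT (\S+) (ACCEPTED|UNKNOWN_USER)$")

SAMPLE_LOG = """\
66.220.144.143 66-220-144-143.mail-mail.facebook.com RCPT a1@example.org UNKNOWN_USER
66.220.144.143 66-220-144-143.mail-mail.facebook.com RCPT a2@example.org UNKNOWN_USER
66.220.144.143 66-220-144-143.mail-mail.facebook.com RCPT a3@example.org UNKNOWN_USER
66.220.144.143 66-220-144-143.mail-mail.facebook.com RCPT bob@example.org ACCEPTED
13.69.25.159 smtpout08.sonicleads.io RCPT b1@example.org UNKNOWN_USER
13.69.25.159 smtpout08.sonicleads.io RCPT b2@example.org UNKNOWN_USER
13.80.125.68 smtpout11.sonicleads.io RCPT b3@example.org UNKNOWN_USER
13.80.125.68 smtpout11.sonicleads.io RCPT bob@example.org ACCEPTED
192.0.2.10 mail.example.net RCPT bob@example.org ACCEPTED
192.0.2.10 mail.example.net RCPT alice@example.org ACCEPTED
192.0.2.10 mail.example.net RCPT carol@example.org ACCEPTED
192.0.2.10 mail.example.net RCPT typo@example.org UNKNOWN_USER
"""

def sender_domain(ptr):
    """Group hosts by the last two labels of their PTR name; crude on purpose,
    real code would consult the public suffix list instead."""
    return ".".join(ptr.rstrip(".").split(".")[-2:])

def tally(log_text):
    """Count (unknown, total) per sending IP and per PTR domain, so a sender
    spread across many IPs (the sonicleads pattern above) is still visible."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an RCPT result line
        ip, ptr, _addr, result = m.groups()
        for key in (ip, sender_domain(ptr)):
            counts[key][1] += 1
            if result == "UNKNOWN_USER":
                counts[key][0] += 1
    return {k: tuple(v) for k, v in counts.items()}

def suspects(log_text, min_rcpt=4, max_unknown_ratio=0.5):
    """Keys whose unknown-user share exceeds the threshold on enough volume."""
    return sorted(k for k, (unknown, total) in tally(log_text).items()
                  if total >= min_rcpt and unknown / total > max_unknown_ratio)
```

On the sample, the per-IP view alone misses the sonicleads hosts (too few RCPTs each), while the per-domain view catches them; the legitimate host with one typo stays clear.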


Well, that's all for this week... Everyone try to stay safe out there, I'm afraid that even here in British Columbia we have started the second wave..

But if it helps, the hackers and bad guys have been working from home for years, and they seem to be doing alright..

        -- Michael --

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop