Yeah, if they wanted to, they could pay for a reporting service.. that
would alert them to bad behavior.. and I think we all have too much to
do to report things if it isn't going to make a difference..
Or of course, so could Amazon, Google and AWS.. Seems the bigger they
are, the cheaper they get.. ;)
Oh, and OFF TOPIC..
Increase in PHISHING from t-online.de
I believe there is an admin lurking on this list..
Increase of DHL Phishing from compromised accounts on their network,
wanted to chat offlist on this subject.. Trying to confirm if this actor
is using real compromised accounts, or creating fake accounts and using
the same authentication attack methods as we see with compromised
accounts, just a bit of curiosity and information for the threat team,
as we increase granular identification of actors involved..
(Course, glad to talk to anyone still suffering under load from dealing
with this, seems some common trends across the industry right now, and
common pain points)
The reason I was reminded of this, was the OVH discussions.. seeing more
use of their networks to launch phishing through compromised account..
(Shameless plug.. see RATS-AUTH, RATS-NULL, add look-ups to all auth
attempts.. )
On 2021-08-10 12:12 p.m., Antonie Popovic wrote:
We will move to reject anyway but I was thinking more about helping them
with the IPs in order to clean their customer base a bit. But most
probably they are well aware and they just don't wanna lose money :)
Toni.
On Tue, Aug 10, 2021 at 5:01 PM Michael Peddemors via mailop
<mailop@mailop.org> wrote:
Yeah, OVH is up there, and while they generally have a poor abuse team,
(with maybe one or two notable exceptions) and they do nothing to be
pro-active in preventing snow shoe spammers (you should see our data on
them), maybe we should post a hall of shame..
With OVH, you 'can' report to CASL etc.. which probably we should do..
Digital Ocean on the other hand.. no effort at all.
But we have a lot of other very bad hosters out there. It used to be
just bad VPS providers, but nowadays.. look at all the phishing attacks
from Azure, Google, and Amazon..
Seems everyone is simply just phoning their abuse in, and no
accountability..
That's what RBL's are for ;)
On 2021-08-10 7:34 a.m., Mary via mailop wrote:
>
> At least they are not as bad as OVH, which must be the world's most
> hated IP space :)
>
> DigitalOcean should block port 25 by default on all new accounts,
> like Linode does. A major change by linode, which cleaned their IP
> space quite fast. I still get the occasional wordpress scan, but
> those are minor...
>
>
>
> On Tue, 10 Aug 2021 07:19:15 -0700 Michael Peddemors via mailop
> <mailop@mailop.org> wrote:
>
>> Of course you are talking about these.. (yeah, it's a pandemic over
>> there) and no use reporting them..
>>
>> Received: from mail0.crzcompany.com (HELO mail0.crzcompany.com)
>> (159.65.131.137)
>>
>> From: E-mail Server <i...@crzcompany.com>
>> Subject: Password Expiry
>>
>> (Several variations, all similar, and mail0 or rdns0 is a common
>> trait)
>>
>> We simply use it to confirm that they should be blacklisted..
>> But most of their space is already marked dirty by many RBL's and
>> filtering services, and there was a thread on this topic already on
>> this list about how even DO isn't recommending their IP space for
>> email I seem to recall.
>>
>> We just use our dynamic rule engine, and distributed feedback systems
>> so that when any of our technologies or customers' systems detect such
>> activity, it's instantly on the bad list if it wasn't already..
>>
>> We even have an RBL just for Digital Ocean IP Space ;) (Use it in
>> conjunction with other rules, makes for simple way to filter)
>>
>> But based on the extensive nature of the problem over there, the
>> reputation of their whole network is already degraded in many
>> filtering services.. By now there probably is even a SpamAssassin
>> scoring penalty ;)
>>
>>
>>
>>
>> On 2021-08-10 12:26 a.m., Popovic Antonie via mailop wrote:
>>> Hi everyone,
>>>
>>> I can see a lot of spoofing activity from Digital Ocean servers and I
>>> was wondering if someone already tried their abuse report and if it's
>>> of any use, if they have control over what happens on their
>>> infrastructure.
>>>
>>> Or in case we have someone from Digital Ocean here, could you please
>>> let me know if there is any point in trying to report the abuse based
>>> on the DMARC aggregated reports (a few millions).
>>>
>>>
>>> Looking forward to hearing your experiences,
>>>
>>> Toni
>>> _______________________________________________
>>> mailop mailing list
>>> mailop@mailop.org
>>> https://list.mailop.org/listinfo/mailop
>>
>>
>>
>> --
>> "Catch the Magic of Linux..."
>>
>> ------------------------------------------------------------------------
>> Michael Peddemors, President/CEO LinuxMagic Inc.
>> Visit us at http://www.linuxmagic.com @linuxmagic
>> A Wizard IT Company - For More Info http://www.wizard.ca
>> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
>> ------------------------------------------------------------------------
>> 604-682-0300 Beautiful British Columbia, Canada
>>
>> This email and any electronic data contained are confidential and intended
>> solely for the use of the individual or entity to which they are addressed.
>> Please note that any views or opinions presented in this email are solely
>> those of the author and are not intended to represent those of the company.
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
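
Added example, not part of the thread or any poster's code: one way to reduce DMARC aggregate reports (RFC 7489 XML), as raised in the original question, to per-IP totals for a single hoster's address space before filing an abuse report. The sample report, the `HOSTER_NETS` range and the function names are constructed for illustration; a row is counted only when both DKIM and SPF evaluated to fail.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate layout (documentation IPs only).
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.org</header_from></identifiers></record>")

SAMPLE_REPORT = (
    "<feedback><report_metadata><org_name>receiver.example</org_name></report_metadata>"
    + _rec("203.0.113.7", 1200, "fail", "fail")
    + _rec("203.0.113.7", 300, "fail", "fail")     # same source, second row
    + _rec("203.0.113.20", 40, "fail", "pass")     # SPF passed: not counted
    + _rec("198.51.100.9", 900, "fail", "fail")    # failing, but another network
    + _rec("203.0.113.99", 5, "fail", "fail")
    + "</feedback>"
)

# Assumption: placeholder range standing in for the hoster's published prefixes.
HOSTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def failing_sources(report_xml, nets):
    """Message counts per source IP inside `nets` where DKIM and SPF both failed."""
    root = ET.fromstring(report_xml)
    for el in root.iter():                      # tolerate namespaced reports
        el.tag = el.tag.rsplit("}", 1)[-1]
    totals = Counter()
    for row in root.iter("row"):
        results = [row.findtext(f"policy_evaluated/{k}", "").strip().lower()
                   for k in ("dkim", "spf")]
        if results != ["fail", "fail"]:
            continue
        try:
            ip = ipaddress.ip_address(row.findtext("source_ip", "").strip())
            count = int(row.findtext("count", "0"))
        except ValueError:                      # skip malformed rows
            continue
        if any(ip in net for net in nets):
            totals[str(ip)] += count
    return totals

def abuse_summary(report_xml, nets):
    """(ip, total) pairs, largest sender first, for the body of an abuse report."""
    return failing_sources(report_xml, nets).most_common()

if __name__ == "__main__":
    for ip, total in abuse_summary(SAMPLE_REPORT, HOSTER_NETS):
        print(f"{ip}\t{total} messages failing DMARC")
```
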