I've got that whole AS46573 on my internal RBL. Just a complete trash network. You can blindfold yourself and throw a dart at any of their /24s and every single one looks like this: https://bgp.he.net/net/23.247.86.0/24#_dns

On 2021-09-07 15:37, Michael Peddemors via mailop wrote:
It's always amazing how they like to start at the beginning of the
long weekends, and normally I would not report an easy-to-recognize spam
attack..

But the volumes were SO great, this should almost be a segment on
Krebs on Security ;)  And I know that a lot of well-known networks got
hurt by this as well, e.g. Liquid Web, GoDaddy, Hurricane Electric.. all
lurkers on this list..

The typical MO?

104.223.219.109 x3      rsoud.booestathome.com
104.223.219.122 x5      totealpromo.com
104.223.219.141 x1      akesan.reveitalize.com
104.223.219.143 x6      komari.reveitalize.com
104.223.219.147 x2      krstne.reveitalize.com
104.223.219.16  x3      totisp.truestresources.com
104.223.219.164 x1      nydahl.siteechap.com
104.223.219.169 x6      tierod.siteechap.com
104.223.219.170 x5      ikeina.siteechap.com
104.223.219.176 x2      evenne.aweesomeicon.com
104.223.219.182 x2      fallin.aweesomeicon.com
104.223.219.204 x3      gearl.teleesgu.com

(Way too many to post to this list, but I am sure the threat teams
will be tweeting and sharing)

MAIL command received, args: FROM:<ret...@aslug.poweerful.com> BODY=8BITMIME
MAIL command received, args: FROM:<ret...@josten.furored.eu> BODY=8BITMIME

Yep, you might recognize this actor already.. Attacking a REALLY old
data set of email addresses, many are invalid..

Malware vector..

Subject: Do this daily for NEW KNEES in 30 days

<a href="http://genervoice.com/rgjhkjkjkct.html/?o=b2Q9MXN5cDYxMzY4ZDJhZGFiMzcwdHhj&l=MXMyMXhjOQ%3D%3D&i=UzBiejVyZm05M3kxMndqMDJ5X3ZxMTA3Nw%3D%3D&c=Zm05M3k%3DMHB3c2E5LTFqbmw5N3M=2p49bd">
    <img src="https://i.postimg.cc/2jWG6VbT/nnnnnndsdfsfsdfggf.png">

But what is amazing is HOW much IP space this single attacker managed
to get or warm up, before this launch..

157.52.145.11   x19     gallia.azooizi.com
157.52.145.14   x1      olesen.azooizi.com
157.52.145.148  x13     fasloc.batfde.com
157.52.145.15   x15     petrac.azooizi.com
157.52.145.17   x43     trifos.azooizi.com
157.52.145.180  x4      phuthi.forgentel.com
157.52.145.19   x1      fulleneter.com
157.52.145.199  x31     thowls.hoodifind.com
157.52.145.201  x25     odbija.hoodifind.com
157.52.145.215  x2      gepapt.freempt.com
157.52.145.23   x2      nexgtv.fulleneter.com
157.52.145.25   x5      atmjj.fulleneter.com
157.52.145.26   x3      heifi.fulleneter.com
157.52.145.27   x38     raidza.fulleneter.com
157.52.145.31   x13     anerie.fulleneter.com
157.52.145.33   x7      lykele.fulleneter.com
157.52.145.38   x4      pezya.fullercens.com
157.52.145.39   x66     zephir.fullercens.com
157.52.145.4    x32     rmrbw.azooizi.com

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
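A defender-side worked example, added here and not part of the thread or either poster's own tooling: it parses the "IP xN hostname" lines quoted above, rolls them up per /24 and per registered domain, flags prefixes that show the snowshoe pattern the post describes (many distinct IPs in one /24 sending under many throwaway domains), and renders the flagged prefixes as a Postfix check_client_access CIDR table for a local blocklist. The sample input is a constructed subset of the thread's lines plus one benign control line in the 192.0.2.0/24 documentation range; the flagging thresholds and the two-label approximation of the registrable domain are assumptions.

```python
"""Roll up 'IP xN hostname' spam-sender lines per /24 and flag snowshoe prefixes."""
from collections import defaultdict
import ipaddress
import re

# Constructed sample input: a subset of the lines quoted in the thread plus one
# benign control line (192.0.2.10, documentation range) that must not be flagged.
SAMPLE_LOG = """\
104.223.219.109 x3      rsoud.booestathome.com
104.223.219.122 x5      totealpromo.com
104.223.219.141 x1      akesan.reveitalize.com
104.223.219.143 x6      komari.reveitalize.com
104.223.219.147 x2      krstne.reveitalize.com
104.223.219.16  x3      totisp.truestresources.com
104.223.219.164 x1      nydahl.siteechap.com
104.223.219.169 x6      tierod.siteechap.com
104.223.219.170 x5      ikeina.siteechap.com
104.223.219.176 x2      evenne.aweesomeicon.com
104.223.219.182 x2      fallin.aweesomeicon.com
104.223.219.204 x3      gearl.teleesgu.com
157.52.145.11   x19     gallia.azooizi.com
157.52.145.148  x13     fasloc.batfde.com
157.52.145.17   x43     trifos.azooizi.com
157.52.145.180  x4      phuthi.forgentel.com
157.52.145.19   x1      fulleneter.com
157.52.145.199  x31     thowls.hoodifind.com
157.52.145.27   x38     raidza.fulleneter.com
157.52.145.39   x66     zephir.fullercens.com
157.52.145.4    x32     rmrbw.azooizi.com
192.0.2.10      x1      mail.example.com
"""

# One line = IPv4 address, "x" + message count, sending hostname.
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+x(\d+)\s+(\S+)$")


def parse_lines(text):
    """Yield (ip, message_count, hostname) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield ipaddress.ip_address(m.group(1)), int(m.group(2)), m.group(3).lower()


def registered_domain(hostname):
    """Assumption: the last two labels approximate the registrable domain.
    Production code should consult the public suffix list instead."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(text):
    """Per /24: number of distinct sending IPs, total messages, distinct domains."""
    summary = defaultdict(lambda: {"hosts": 0, "msgs": 0, "domains": set()})
    for ip, count, host in parse_lines(text):
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        entry = summary[net]
        entry["hosts"] += 1
        entry["msgs"] += count
        entry["domains"].add(registered_domain(host))
    return dict(summary)


def snowshoe_prefixes(text, min_hosts=5, min_domains=3):
    """/24s where many distinct IPs send under many distinct domains (assumed thresholds)."""
    return sorted(
        net for net, e in summarize(text).items()
        if e["hosts"] >= min_hosts and len(e["domains"]) >= min_domains
    )


def postfix_cidr_map(prefixes, reason="snowshoe spam source"):
    """Render the body of a Postfix check_client_access cidr: table for the prefixes."""
    return "".join(f"{p}\tREJECT {reason}\n" for p in prefixes)


if __name__ == "__main__":
    for net, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{net}: {e['hosts']} hosts, {e['msgs']} msgs, {len(e['domains'])} domains")
    print(postfix_cidr_map(snowshoe_prefixes(SAMPLE_LOG)), end="")
```

The /24 roll-up is what makes the pattern visible: each individual host sends only a handful of messages, which is exactly why per-IP reputation lags behind a snowshoe launch, while the prefix as a whole shows a dozen or more senders under half a dozen freshly registered domains. The control line stays below both thresholds and is not emitted into the CIDR table.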
