Possibly valuable attachments:
- We saw an increase in compromised email accounts sending Comcast
phishing emails which actually contained HTML that pulled valid Comcast
assets into the emails, to the point that we have halted all outgoing
mail containing those assets. This might correlate to the increase in
compromised accounts you noticed.
- SendGrid is actually responding to and taking action on abuse
complaints. This is worthy of celebration. It doesn't fix everything,
and you know as well as I do that by the time you hit one spammer a new
one pops up, but this indicates an actual intention to protect their
investments. I'm all for it.
On 2024-05-30 12:24, Michael Peddemors via mailop wrote:
Both life and business have been very active, so it's been a bit since
I posted one of these.. It's about time again..
* SendGrid continues to allow the same common threats to escape
* Increase in threat actors from Thailand/Vietnam region, but probably
proxies for Chinese actors
* Digital Ocean IP space of course very bad, and most people already
block/flag that IP space for spammers, but threat actors increasingly
using the space for email compromise attacks. Suggest that you block
all authentication from that IP space by default, for both IMAP and
SMTP, unless the IP is operated from a known good actor, similar to the
GCloud, Amazon, Azure problems.
* ColoCrossing still a major pain, hopefully the new acquisition will
improve the situation.
* NameCheap continues to allow the same abuse of their webmails for the
same actors, with no improvement. (It's NOT that hard)
* Botnet spam attacks continue their decline, however email compromise
attacks, and other attacks are on the rise, fortunately with old
fingerprints that make them easy to stop.
* OVH is just opening the door to spammers..
* RackNerd IP space is to the point it's almost auto-block now.
Something is going on with Comcast IP space, a large increase in email
compromise attacks, quite widespread, wonder if this is a case of CPE
equipment compromise?
Netease/ntesmail has a lot more abuse coming from it the last couple of
weeks.
Zimbra email compromises always surprise, given the amount of
governments still using it. They do know there are RBLs that list
known abusive BEC attackers?
LogicWeb still is giving IP space to too many obvious bad actors.
(Doesn't anyone do a DNS walk on their IP space any more?)
Gmail and o365 leakage still showing these operators don't care about
outbound, the phishing templates are old, and obvious.. Enough with the
'1st page on Google' spam please? And the Nigerian Prince scams?
MailChimp and MailGun are quickly catching up to SendGrid, as far as
letting obvious known phishing templates leave their systems.
We thought 'backscatter' was a thing of the past, but seeing increases
from all kinds of sources. People, please do your spam filtering
earlier in the process.. (Just saw some this week from ionos.com
exchange servers?)
Portuguese invoice phishing seems to be on the decline, but this may be
more due to the networks responsible for hosting these actors being
blocked more regularly.
But in general, fake invoice and RFQ emails are still the go-to for bad
actors, mostly through compromised email accounts. And would you
believe that DHL phishing is still a thing?
At least GoogleGroups spammers are on the decline as well.
One surprise is that the fear about AI- and ChatGPT-created malware
campaigns has not really seen the light of day. It's still about how
to get it delivered, rather than the content. And as someone once
pointed out, spammers often still use obviously bad language and obviously
fake content; they are looking to catch the less intelligent or tech
savvy targets.
Anyways, it's still a real scary place out there. Thanks to those out
there that are also in the fight to make the world a better place, just
wish that network operators were more responsible for what leaves their
networks..
And of course, let's all remember to block/drop those really bad
networks at the perimeter.. whether you use SpamHaus or SpamRats, DROP
lists ARE your friend, and help make the internet a better place.
Now, time to get the new toy out this weekend, and try to put the bad
things out of the mind.. have a safe and pain free weekend all.
-- Michael --
Today's ASN to watch from the spam auditors?
Orelsoft AS200918
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
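The quoted post suggests denying IMAP/SMTP authentication from hosting/cloud IP space by default, with exceptions for known-good operators, and dropping DROP-listed networks at the perimeter. The following is an added example of such a default-deny gate, not code from the mailop thread or from any of the operators named in it; the prefixes, the log format and the `AuthGate`/`gate_log` names are constructed for illustration.

```python
# Added example (not from the mailop thread): a default-deny gate for
# IMAP/SMTP authentication keyed on source network, as the post suggests
# for hosting/cloud IP space, with explicit known-good exceptions.
import ipaddress
import re

# Constructed placeholder prefixes (RFC 5737 / RFC 3849 documentation
# space), NOT real provider or DROP-list ranges. A real deployment loads
# its deny list from its own block lists (e.g. a DROP list file).
DENY_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]
# A known-good operator that happens to live inside a denied block.
ALLOW_PREFIXES = ["198.51.100.16/28"]


def _parse(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


class AuthGate:
    """Decide whether an authentication attempt from client_ip may proceed."""

    def __init__(self, deny, allow):
        self.deny = _parse(deny)
        self.allow = _parse(allow)

    def decide(self, client_ip: str) -> str:
        """Return 'allow', 'deny' or 'invalid'. The allow list is checked
        first so a known-good exception can sit inside a denied range."""
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return "invalid"
        if any(ip in net for net in self.allow):
            return "allow"
        if any(ip in net for net in self.deny):
            return "deny"
        return "allow"


# Constructed log format: "<service> auth user=<name> ip=<address>"
_LOG_RE = re.compile(r"^(imap|smtp) auth user=(\S+) ip=(\S+)$")


def gate_log(lines, gate):
    """Apply the gate to auth log lines; returns (service, user, ip, decision)."""
    out = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if m:
            service, user, ip = m.groups()
            out.append((service, user, ip, gate.decide(ip)))
    return out
```

Mixed address families are handled by the `ipaddress` module: an IPv4 client is never "in" an IPv6 network and vice versa, so a single gate can serve both listeners.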