This is an extremely difficult campaign to target, and if we get public
SA rules that manage to target it, they'll feed those rules into AI and
adjust their campaign within 72 hours of noticing it. I have some pretty
strong indicators that they're watching me, for example. When I update
an exim ACL on GitHub their tactics change in as little as 12 hours.
On 2026-05-30 13:12, Raymond Dijkxhoorn via users wrote:
Hi!
Those have been ongoing for over a year. Very high volume and many new domain
registrations.
One of the problems we saw recently is that we listed large batches in
SURBL and several were no longer in DNS when the campaigns went out, due to
the quick takedowns.
For another part of the set they use older .com domains with ‘ok’ reputation,
and shortly before sending they move them to Cloudflare.
I can outline a lot about this specific ‘sender’, as we have been closely
following them for a long time now.
Lots of the same campaign types, but the variations are always tiny.
Harder to filter, unfortunately.
They use 20-25 domains a day for this. Parts are aged and parts are
brand new…
With kind regards,
Raymond Dijkxhoorn
On 30 May 2026 at 19:40, John Hardin <[email protected]> wrote:
On Fri, 29 May 2026, Tom Williams via users wrote:
I have a few samples of these if anyone is interested.
Feel free to send me an archive via private email. The messages
ideally need to be complete raw messages (all headers intact). If you
need to sanitize local domain info feel free.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Journalism is about covering important stories.
With a pillow, until they stop moving. -- David Burge
-----------------------------------------------------------------------
7 days until the 82nd anniversary of D-Day