On 4/29/2019 12:12 PM, Michael Peddemors via mailop wrote:
> On 2019-04-29 8:37 a.m., Michael Peddemors via mailop wrote:
>
>> Speaking of.. anyone have any insight into these guys?
>> They keep popping up on various CDN's eg, DO, AZURE, etc..

Most, possibly all, of these networks are blocked here. It's a limited view because of that, but their connections here seem to be only for the purpose of address validation, list washing. Before blocking them they were seen going up to the DATA phase but never proceeding through to actually sending a message.

From what I've seen here these addresses have only been showing up on port 25, not IMAP or POP3. Their reputation is usually green at talosintelligence, which is really remarkable since, from my perspective here, if they never deliver any mail, how do they get a green reputation? The answer seems to be that they must be emitting some type of valid mail stream in order to earn a good reputation, but it is done with the validation attempts mixed in at a low enough rate to avoid detection.

These particular ones with Digital Ocean seem to be done by a single operator. The reverse DNS pattern is consistent, even though most are on Digital Ocean but some others are with Choopa / Vultr. Domains are registered at namecheap. DNS is provided by googledomains. The fact that they have been doing it for such a long time is amazing. It would be more understandable if it was being carried out through a botnet, where tracing it would be much more difficult. Obviously the ISPs, registrars, and name service providers have no problems with providing them services for it. Perhaps they just have bigger problems to deal with. Perhaps list washing has gained such respectability today that few think there is anything wrong with it. Although "namespace mining" is listed by Microsoft as a reason for blocking.

Address validation must be quite lucrative today given the volume of it that's taking place. Digital Ocean and the botnet of Amazon are packed with them.

-
John J.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
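As an added example (not from John's message or from mailop), one way to surface the behaviour he describes in your own logs: aggregate per client IP how many recipients were attempted versus accepted and how many messages were actually queued, then flag clients that keep probing RCPT TO but never get a message accepted. The sample lines are constructed in the style of Postfix smtpd's per-session "disconnect" summary and its "QUEUEID: client=" line; the thresholds are assumptions to tune for your own volume.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread), in the style of Postfix
# smtpd's per-session "disconnect" summary (counter=ok/attempted, or just
# "counter=n" when every attempt succeeded) and the "QUEUEID: client=" line
# that Postfix logs only once a message has actually been accepted into the queue.
SAMPLE_LOG = """\
Apr 29 12:01:04 mx postfix/smtpd[1001]: disconnect from unknown[203.0.113.10] ehlo=1 mail=1 rcpt=0/4 data=0/1 quit=1 commands=3/8
Apr 29 12:02:11 mx postfix/smtpd[1002]: disconnect from unknown[203.0.113.10] ehlo=1 mail=1 rcpt=1/5 rset=1 quit=1 commands=5/9
Apr 29 12:04:02 mx postfix/smtpd[1003]: 4B2C1D3E5F: client=mail.example.net[198.51.100.7]
Apr 29 12:04:03 mx postfix/smtpd[1003]: disconnect from mail.example.net[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 29 12:05:40 mx postfix/smtpd[1004]: disconnect from unknown[203.0.113.10] ehlo=1 mail=1 rcpt=0/3 rset=1 quit=1 commands=4/7
Apr 29 12:06:15 mx postfix/smtpd[1005]: 7A1B2C3D4E: client=relay.example.org[192.0.2.5]
Apr 29 12:06:16 mx postfix/smtpd[1005]: disconnect from relay.example.org[192.0.2.5] ehlo=1 mail=1 rcpt=1/2 data=1 quit=1 commands=5/6
"""

DISCONNECT = re.compile(r"disconnect from \S+\[([^\]]+)\](.*)$")
QUEUED = re.compile(r": [0-9A-Za-z]+: client=\S+\[([^\]]+)\]")
COUNTER = re.compile(r"\b(\w+)=(\d+)(?:/(\d+))?")

def summarize(log_text):
    """Aggregate per-client-IP SMTP behaviour from smtpd log lines."""
    stats = defaultdict(lambda: {"sessions": 0, "rcpt_ok": 0, "rcpt_total": 0, "queued": 0})
    for line in log_text.splitlines():
        m = QUEUED.search(line)
        if m:
            stats[m.group(1)]["queued"] += 1   # a message really was accepted
            continue
        m = DISCONNECT.search(line)
        if not m:
            continue
        s = stats[m.group(1)]
        s["sessions"] += 1
        # "rcpt=0/4" -> (0, 4); "rcpt=1" -> (1, 1) because all attempts succeeded
        counters = {k: (int(ok), int(total or ok)) for k, ok, total in COUNTER.findall(m.group(2))}
        ok, total = counters.get("rcpt", (0, 0))
        s["rcpt_ok"] += ok
        s["rcpt_total"] += total
    return dict(stats)

def suspected_validators(stats, min_sessions=2, min_rcpt=5):
    """Clients that keep probing recipients across sessions but never get a message queued."""
    return sorted(ip for ip, s in stats.items()
                  if s["sessions"] >= min_sessions and s["rcpt_total"] >= min_rcpt and s["queued"] == 0)

if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    for ip in suspected_validators(st):
        s = st[ip]
        print(f"{ip}: {s['sessions']} sessions, rcpt {s['rcpt_ok']}/{s['rcpt_total']} accepted, {s['queued']} queued")
```

A legitimate sender with the occasional bounced recipient (192.0.2.5 above) still queues mail and is not flagged; the probing client reaches RCPT or DATA repeatedly and queues nothing.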
