Interestingly,

(And yes, it has been happening a long time)

We just engaged on this issue (and others) with senior members of their abuse team.

First reported to Amazon on November 27th, but this is a great example why we escalated to senior members responsible.

Aside from slow take down time lines as a whole in the large cloud providers, and that issue.. their limitations on giving feedback don't help the infosec community, and issues like this can't be handled by a 'whack-a-mole' approach, and we certainly don't have time to report every occurrence of this.

BTW, that domain is a 'free dynamic subdomain' ..

It's only one of several pandemic issues raised with Amazon.. hopefully we have some feedback soon ;)



On 2020-02-08 8:56 a.m., Michael Rathbun via mailop wrote:
[NOTE:  this is relevant to mail operations as a number of legitimate senders
are customers of Amazon AWS.  Several of them are my clients.]


An operation that is easily distinguished by

EHLO phylobago.mysecuritycamera.org

and a payload that begins with "This message is from a trusted sender." and a
visible FROM of

livenewsupd...@millan.pgw.jp

has made 66 delivery attempts over the past six days, from 60 Amazon IPs.  If
a given IP was not on Spamhaus CSS at the time of delivery, it appears that it
would have been added soon after. These figures reflect data from logs that
have not yet been rolled into the archive.

There are three deliverable local addresses in their customary drop, two which
come to me and the other being "Nadine".  The rest of the recipients are
spamtrap accounts that result in the message being delivered to Rev. Bayes,
and the IP dropped into the IP REFUSE list for at least 1440 minutes.  At the
moment there are 48 AWS IP addresses in that list.

It is difficult to imagine how such a large-scale and essentially static
operation (the EHLO, MAIL FROM and visible FROM, together with the opening
string have been constant since the first messages rolled in on 16 Dec 2019)
could persist.

There was an apparent service interruption from 01 Jan to 09 Jan, after which
delivery attempts continue as usual.  The most recent delivery was
approximately 45 minutes ago (the IP, 54.91.110.45, was not in CSS at delivery
time; it is now).    In that interval, at least four of the refuse-listed IPs
have encountered refusal.

Is nobody else seeing this and reporting it to AWS abuse?

mdr




--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
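
The fingerprint and timed refuse list described in the quoted report, as an added example that is not code from either poster. The record layout and sample data are constructed, a fingerprint match alone triggers listing here (the report lists an IP when a spamtrap is hit), and the visible FROM is left out because it is truncated on the page.

```python
from datetime import datetime, timedelta

EHLO_NAME = "phylobago.mysecuritycamera.org"        # from the post
OPENING = "This message is from a trusted sender."  # from the post
REFUSE_MINUTES = 1440                               # from the post

# Constructed sample records: (timestamp, client IP, EHLO, start of body).
# The tuple layout is hypothetical; IPs are RFC 5737 documentation addresses.
SAMPLE = [
    ("2020-02-08T10:00:00", "192.0.2.10", EHLO_NAME, OPENING + " Breaking news"),
    ("2020-02-08T10:05:00", "198.51.100.7", "mail.example.net", "Hello"),
    ("2020-02-08T12:00:00", "192.0.2.10", EHLO_NAME, OPENING + " Breaking news"),
    ("2020-02-09T10:30:00", "192.0.2.10", EHLO_NAME.upper(), OPENING),
    ("2020-02-09T11:00:00", "203.0.113.5", EHLO_NAME, "\r\n" + OPENING),
    ("2020-02-09T11:10:00", "203.0.113.9", EHLO_NAME, "Hi there"),
]

class RefuseList:
    """IP refuse list whose entries expire after a fixed number of minutes."""
    def __init__(self, minutes=REFUSE_MINUTES):
        self.ttl = timedelta(minutes=minutes)
        self.expires = {}

    def add(self, ip, now):
        self.expires[ip] = now + self.ttl

    def is_refused(self, ip, now):
        expiry = self.expires.get(ip)
        if expiry is not None and now >= expiry:
            del self.expires[ip]  # entry aged out
            expiry = None
        return expiry is not None

def matches_campaign(ehlo, body):
    """True when both constant markers from the post are present."""
    return (ehlo.strip().lower() == EHLO_NAME
            and body.lstrip().startswith(OPENING))

def process(records):
    refuse, attempts, refused, ips = RefuseList(), 0, 0, set()
    for ts, ip, ehlo, body in records:
        now = datetime.fromisoformat(ts)
        if refuse.is_refused(ip, now):
            refused += 1          # turned away while still listed
        elif matches_campaign(ehlo, body):
            attempts += 1
            ips.add(ip)
            refuse.add(ip, now)   # assumption: a match alone triggers listing
    return {"attempts": attempts, "refused": refused, "ips": ips}, refuse
```

Counting distinct matching IPs alongside attempts gives the same kind of figures the report quotes and shows how quickly the sender rotates addresses.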
