On 2020-12-17 11:12, Michael Peddemors via mailop wrote:
I don't know if they are giving up, finally realizing that generating spam for IoT devices isn't getting through, but it seems that we are at a 12 month low for that form of attack.

Don't get me wrong, still averaging 25% of all inbound traffic to SMTP ports coming from DUL networks with no PTR records, and about 25% from known spam sources (compromised servers mostly).

But in general, attempts from DUL networks have steeply declined.

This MAY be because finally more ISPs are blocking port 25 on egress from their dynamic segments, but in general Windows PC based bots and IoT bot spam is down.

However, compromised Cisco router spam and other GPON device spam are still quite active. But seeing a lot more AUTH attacks instead.

Can anyone else back up these observations?

Our perspective is somewhat different.

Stuff we attribute specifically as IoT is down somewhat. We've never seen a notable connection between IoT and email spam, despite IoT seeming an ideal platform to spam from (aside from port 25 blocking). I think it's a different community with different motivations and goals.

The number of classical botnets (that generally don't send spam) is just as high as it always was.

More traditional email spambots of the "compromised PeeCee" variety are WAY DOWN from years ago. Gone are the days of a Rustock, Srizbi, Kelihos etc. Cutwail is still about on a largish number of IPs, but has generally moved away from the Pee-Cees emitting the spam directly, and instead goes through compromised intermediaries, e.g. the periodic massive blasts of AUTH-forging. But the actual volumes effectively emitted are relatively low.

The one remaining PeeCee "spambot" of note is something we've been calling "gamut", but I've never really been sure what it is. This is what is responsible almost exclusively for bitcoin extortion and Russian pseudo-Canadian pharma, but has been involved in the past with malware distribution. It typically comes from a fairly small number of IPs per blast (1000-3000), with high volume per IP. But in the aggregate over periods of a month or so, runs about 100K IPs.

Much of what we see now is compromised *servers* (mostly webservers and the like), with stealrat, various CMS compromises etc.

Another major contributor is something that mostly comes from android phones, and the occasional web browser. This appears to be a common library with an embedded "feature" that appears easily abusable (whether by vulnerability or deliberate inclusion) that's included in many downloadable apps. Seen mostly with small to medium sized businesses and home networks. Not providers per se. I can say very little beyond that for a variety of reasons. The only thing I will say is that the only effective way of dealing with it is outbound port 25 blocking. Just finding the device responsible for it is QUITE hard in the environment it appears to prefer.
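As an added example (not code from either poster), here is the kind of tally behind the "DUL networks with no PTR" and AUTH-attack figures discussed in this thread: it classifies constructed Postfix-style smtpd log lines, relying on Postfix logging the client name as "unknown" when the reverse lookup fails. The DUL range and the known-spam-source list are placeholders standing in for a real DUL/PBL feed and a compromised-server feed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Postfix-style smtpd log lines (not real traffic).
# Postfix writes "unknown" as the client name when the PTR lookup fails.
SAMPLE_LOG = """\
Dec 17 11:01:02 mx postfix/smtpd[101]: connect from unknown[198.51.100.23]
Dec 17 11:01:05 mx postfix/smtpd[102]: connect from host7.example.net[203.0.113.7]
Dec 17 11:01:09 mx postfix/smtpd[103]: connect from unknown[192.0.2.88]
Dec 17 11:01:11 mx postfix/smtpd[103]: warning: unknown[192.0.2.88]: SASL LOGIN authentication failed
Dec 17 11:01:20 mx postfix/smtpd[104]: connect from unknown[198.51.100.77]
Dec 17 11:01:25 mx postfix/smtpd[105]: connect from web3.example.org[203.0.113.200]
Dec 17 11:01:30 mx postfix/smtpd[106]: connect from unknown[203.0.113.200]
Dec 17 11:01:33 mx postfix/smtpd[106]: warning: unknown[203.0.113.200]: SASL PLAIN authentication failed
Dec 17 11:01:40 mx postfix/smtpd[107]: connect from dsl-12.example.net[198.51.100.12]
"""

# Placeholder lists (assumption): in practice these come from a DUL/PBL
# feed and a list of known compromised servers.
DUL_NETS = [ipaddress.ip_network("198.51.100.0/24")]
KNOWN_SPAM_SOURCES = {"203.0.113.200"}

CONNECT_RE = re.compile(r"connect from ([^\[\s]+)\[([\d.]+)\]")
AUTH_FAIL_RE = re.compile(r"\[([\d.]+)\]: SASL \w+ authentication failed")

def in_dul(ip):
    """True if the address falls inside one of the dynamic (DUL) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DUL_NETS)

def classify(log_text):
    """Tally inbound connections by origin class and count AUTH failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            hostname, ip = m.groups()
            counts["total"] += 1
            if hostname == "unknown" and in_dul(ip):
                counts["dul_no_ptr"] += 1      # dynamic range, no PTR
            elif ip in KNOWN_SPAM_SOURCES:
                counts["known_spam_source"] += 1
            continue
        if AUTH_FAIL_RE.search(line):
            counts["auth_failures"] += 1       # SMTP AUTH brute-force attempts
    return counts

def share(counts, key):
    """Percentage of all inbound connections in the given class."""
    return 100.0 * counts[key] / counts["total"] if counts["total"] else 0.0
```

Run against a real maillog, the two `share()` values are the "25% DUL with no PTR / 25% known spam sources" style figures quoted above, and `auth_failures` tracks the AUTH-attack trend.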

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop