Well, in better news, I get my vaccine shot tomorrow ;)

Haven't posted one of these in a while, but the last couple of weeks have had spam auditors very busy..

* Huge numbers of reports from Azure IP(s), Hit and Run

(If you are seeing the same, and frustrated, reach out; we can post one day's report, but hundreds of IP(s) every day are triggering invalid rate limiter reports. We call it hit and run, as the PTRs are usually gone shortly after the attacks, or not present at all. Really surprised that with the amount of IP(s) involved, this doesn't set off a lot of bells at MS. The combination of RATS-AZURE and rDNS naming patterns catches this pretty easily though. However, they have enough volume to really fill someone's logs and use valuable resources.)

* New Google Groups style spam outbreak..

(This is challenging to stop on the receiving end, but should be easy to see on the Google side. Double ARC signed.. including part of a sample header)

From: "_Premature_Aging_ ..." <ad...@a2h.dynns.com>
Date: Sun, 25 Apr 2021 23:45:46 +0000
Message-ID: <CAB_FO=tpu3q+unfo4hcuwhffrdynhhvbplotid+ah3y1jj9...@mail.gmail.com>
Subject: *****Reverse Aging With Common Morning habit
To: abi...@a2h.dynns.com
Content-Type: multipart/alternative; boundary="0000000000006ba36405c0d4a101"
X-Original-Sender: ad...@a2h.dynns.com
X-Original-Authentication-Results: mx.google.com;       dkim=pass
 header.i=@a2h-dynns-com.20150623.gappssmtp.com header.s=20150623
header.b=I4wJYHBY; spf=pass (google.com: domain of ad...@a2h.dynns.com designates 209.85.220.65 as permitted sender) smtp.mailfrom=ad...@a2h.dynns.com
Precedence: list
Mailing-list: list cvcvxsds...@a2h.dynns.com; contact cvcvxsdsdbb+own...@a2h.dynns.com
List-ID: <cvcvxsdsdbb.a2h.dynns.com>
X-Spam-Checked-In-Group: abi...@a2h.dynns.com
X-Google-Group-Id: 881967645003
List-Post: <https://groups.google.com/a/a2h.dynns.com/group/cvcvxsdsdbb/post>, <mailto:cvcvxsds...@a2h.dynns.com>
List-Help: <https://support.google.com/a/a2h.dynns.com/bin/topic.py?topic=25838>,
 <mailto:cvcvxsdsdbb+h...@a2h.dynns.com>
List-Archive: <https://groups.google.com/a/a2h.dynns.com/group/cvcvxsdsdbb/>
List-Subscribe: <https://groups.google.com/a/a2h.dynns.com/group/abidal/subscribe>,
 <mailto:abidal+subscr...@a2h.dynns.com>
List-Unsubscribe: <mailto:googlegroups-manage+881967645003+unsubscr...@googlegroups.com>,
 <https://groups.google.com/a/a2h.dynns.com/group/cvcvxsdsdbb/subscribe>

* Large increase in phishing/spam from known bad networks, especially from the Eastern European and Russian bulletproof hosters.

(These are easy to stop though)

* Brazilian IoT spammers.

(Wow, the sheer volume is almost breathtaking, but why is it that Brazilian ISPs don't block port 25 on egress? Or that Brazilian CERT or LACNIC don't get any traction in getting ISPs to address the problem? Both compromised IoT routers and older Windows PCs.)

* Compromised GPON routers

(This problem is more from Southeast Asia, and it's only a few LARGE networks responsible)

The above two are easily stopped with RBLs and regex databases at connection, but the problem is shifting heavily to AUTH attacks, and other attacks, and of course, these being dynamic networks, you can't run reputation blocking on client->server communications safely.

* Large ISPs still with no rDNS for their customers?

Not really spam related, but seriously, people.. You really are doing a disservice to your customers and the internet. It only takes an hour or two to set up.. Let's start a shaming campaign.

* Amazon AUTH Attacks, ec2 networks..

(Are there really that many servers getting compromised, or is it the new 'safe haven' for hackers?)

Highly recommend that if you run an email server, you block ALL email authentication from Amazon EC2 space, unless specifically required. RATS-AUTH is adding almost 100 IP(s) a day just from Amazon IP space.

* OVH... Do I need to say more?

* Increased sophistication in 'phishing' attacks..

This is of course the area that our spam auditing has worked on the most lately, as the seriousness and the damage it can cause are greatest. (You have implemented transparent 2FA for all email authentication now, haven't you?)

Content is getting scarily convincing, and we see an increase in the number of hackers standing up servers explicitly for launching phishing attacks. And they are phishing for a lot more services than ever. And of course, the many strains of viruses that use compromised accounts. (If you are having too many compromised accounts, reach out; there are some easy tricks to automatically prevent and identify those.)

And of course, the successes in ransomware, and the lack of speedy takedowns, and action against the providers that are most responsible, have made this even more attractive.

In all honesty, it's probably been worse in the last two weeks than in the last year; while thankfully most attacks are still fairly simple to stop if you are in the industry, the poor email operators working alone have their hands full.

Keep safe everyone!


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
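As an added example (my own code, not from the post above and not a LinuxMagic or SpamRats tool), here is the connection-time split the post describes: reputation checks (a DNSBL lookup, missing PTR, dynamic-looking rDNS such as the IoT/GPON pools) applied on the inbound MX, and on the submission port only the "no AUTH from cloud space unless required" rule, since reputation blocking is not safe for client-to-server traffic. The DNSBL zone name, the rDNS regexes, the cloud CIDRs, the exception list and the sample connections are all constructed placeholders, and the resolver is a stub so the script runs offline.

```python
"""Connect-time triage: inbound MX vs. submission (AUTH) port.

Added example, not code from the mailop post or from LinuxMagic/SpamRats.
Every zone name, pattern, CIDR and sample connection below is a constructed
placeholder (documentation IP ranges), not real data.
"""
import ipaddress
import re
from typing import Callable, Optional

DNSBL_ZONE = "dnsbl.example"  # placeholder zone name (assumed, not a real RATS zone)

# rDNS shapes typical of dynamic/consumer pools and cloud-generated names.
# These regexes are my own guesses at such naming patterns, not a list from the post.
DYNAMIC_PTR_PATTERNS = [
    re.compile(r"^(\d{1,3}[-.]){3}\d{1,3}[-.]"),                           # 189-12-34-56.dsl.isp.example
    re.compile(r"(^|[.-])(dyn|dynamic|dhcp|pppoe|dsl|cable|gpon)([.-]|$)", re.I),
    re.compile(r"^ip-\d{1,3}(-\d{1,3}){3}\."),                              # ip-10-1-2-3.region.cloud.example
]

# Cloud space from which AUTH is refused unless explicitly required.
# Constructed placeholder ranges, NOT a cloud provider's published prefixes.
CLOUD_AUTH_BLOCK = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
AUTH_EXCEPTIONS = {ipaddress.ip_address("198.51.100.7")}  # a host we know must AUTH

Resolver = Callable[[str], Optional[str]]  # DNSBL name -> A record (or None if unlisted)


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def ptr_looks_dynamic(ptr: str) -> bool:
    """True when the PTR matches one of the dynamic/cloud naming patterns."""
    return any(p.search(ptr) for p in DYNAMIC_PTR_PATTERNS)


def decide(ip: str, ptr: Optional[str], role: str, resolver: Resolver) -> tuple:
    """Return (action, reason) for a connecting client.

    role "mx": server-to-server mail, reputation checks apply at connect.
    role "submission": client-to-server AUTH, where dynamic-pool/reputation
    blocking would lock out legitimate users; only the cloud-space rule applies.
    """
    addr = ipaddress.ip_address(ip)
    if role == "submission":
        if any(addr in net for net in CLOUD_AUTH_BLOCK) and addr not in AUTH_EXCEPTIONS:
            return ("reject-auth", "cloud-space")
        return ("allow-auth", "ok")
    if role == "mx":
        listed = resolver(dnsbl_query_name(ip))
        if listed:
            return ("reject", f"dnsbl:{listed}")
        if ptr is None:
            return ("reject", "no-ptr")
        if ptr_looks_dynamic(ptr):
            return ("reject", "dynamic-ptr")
        return ("accept", "ok")
    raise ValueError(f"unknown role {role!r}")


# Constructed sample connections: (ip, ptr or None, port role).
SAMPLE_CONNECTIONS = [
    ("192.0.2.10", "mail.good.example", "mx"),
    ("192.0.2.11", None, "mx"),                                        # no rDNS at all
    ("192.0.2.12", "189-12-34-56.dsl.isp.example", "mx"),              # dynamic consumer pool
    ("192.0.2.13", "gpon-4-2.fibre.isp.example", "mx"),                # GPON CPE naming
    ("192.0.2.14", "mail.listed.example", "mx"),                       # listed on the DNSBL
    ("198.51.100.7", "ip-198-51-100-7.cloud.example", "submission"),   # cloud host on the exception list
    ("198.51.100.9", "ip-198-51-100-9.cloud.example", "submission"),   # cloud host trying to AUTH
    ("192.0.2.12", "189-12-34-56.dsl.isp.example", "submission"),      # dynamic user, must still be able to AUTH
]

FAKE_DNSBL = {"14.2.0.192.dnsbl.example": "127.0.0.2"}  # stub listing data


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a real DNS A lookup against the DNSBL zone."""
    return FAKE_DNSBL.get(name)


def triage(connections=SAMPLE_CONNECTIONS, resolver: Resolver = fake_resolver) -> list:
    """Run decide() over a batch; returns (ip, action, reason) rows."""
    return [(ip, *decide(ip, ptr, role, resolver)) for ip, ptr, role in connections]


if __name__ == "__main__":
    for row in triage():
        print(*row)
```

Swap `fake_resolver` for a real lookup and the placeholder CIDRs for the provider's published prefixes; the part worth keeping is that the decision branches on the port's role before any reputation data is consulted, so the same dynamic-pool IP is refused on port 25 yet still allowed to authenticate on submission.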

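A second added example (again my own code, not from the post or from Google) shows how a receiving-side filter can pick the Google Groups relay signature out of headers like the sample in the post and recover the original sender and Google's own upstream authentication results for a reputation decision. The header block is constructed with example-domain placeholders that mirror the field layout of the post's sample; the addresses, group id and signature values are made up, and ARC-chain validation is deliberately left out.

```python
"""Pick apart a Google-Groups-relayed message on the receiving side.

Added example, not code from the mailop post. SAMPLE_HEADERS is constructed
with placeholder names; only the field layout mirrors the header quoted in
the post. Validating the ARC seals themselves is out of scope here.
"""
import json
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

SAMPLE_HEADERS = """\
From: "_Premature_Aging_ ..." <sender@dyn.example.net>
Date: Sun, 25 Apr 2021 23:45:46 +0000
Message-ID: <placeholder@mail.gmail.com>
Subject: *****Reverse Aging With Common Morning habit
To: victim@dyn.example.net
X-Original-Sender: sender@dyn.example.net
X-Original-Authentication-Results: mx.google.com;       dkim=pass
 header.i=@dyn-example-net.20150623.gappssmtp.com header.s=20150623
 header.b=AAAAAAAA; spf=pass (google.com: domain of sender@dyn.example.net designates 209.85.220.65 as permitted sender) smtp.mailfrom=sender@dyn.example.net
Precedence: list
Mailing-list: list grp@dyn.example.net; contact grp+owner@dyn.example.net
List-ID: <grp.dyn.example.net>
X-Google-Group-Id: 000000000000
List-Unsubscribe: <mailto:googlegroups-manage+000000000000+unsubscribe@googlegroups.com>,
 <https://groups.google.com/a/dyn.example.net/group/grp/subscribe>

body
"""


def parse(raw: str) -> Message:
    """Parse a raw RFC 5322 message (headers plus body)."""
    return message_from_string(raw)


def _unfold(value) -> str:
    """Collapse header folding so regexes see one line."""
    return re.sub(r"\s+", " ", value or "").strip()


def is_google_groups_relay(msg: Message) -> bool:
    """Relay signature: group id, googlegroups-manage unsubscribe, list precedence."""
    unsub = _unfold(msg.get("List-Unsubscribe"))
    return (msg.get("X-Google-Group-Id") is not None
            and "googlegroups-manage+" in unsub
            and _unfold(msg.get("Precedence")).lower() == "list")


def original_sender(msg: Message) -> str:
    """The poster as Google recorded it, falling back to From:."""
    _, addr = parseaddr(msg.get("X-Original-Sender") or msg.get("From") or "")
    return addr.lower()


def original_auth(msg: Message) -> dict:
    """Pull the fields out of Google's X-Original-Authentication-Results.

    These verdicts were produced by Google's inbound MX, not by us; treat
    them as an unverified claim unless an ARC chain carries them.
    """
    v = _unfold(msg.get("X-Original-Authentication-Results"))

    def grab(pattern: str):
        m = re.search(pattern, v)
        return m.group(1) if m else None

    return {
        "authserv": grab(r"^(\S+);"),
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_identity": grab(r"header\.i=@?([^\s;]+)"),
        "spf": grab(r"\bspf=(\w+)"),
        "mailfrom": grab(r"smtp\.mailfrom=([^\s;]+)"),
    }


def relay_verdict(msg: Message) -> dict:
    """Summarise what a reputation engine should key on for a relayed post."""
    sender = original_sender(msg)
    auth = original_auth(msg)
    ident = auth["dkim_identity"] or ""
    return {
        "google_groups_relay": is_google_groups_relay(msg),
        "group_id": _unfold(msg.get("X-Google-Group-Id")) or None,
        "list_id": _unfold(msg.get("List-ID")).strip("<>"),
        "original_sender": sender,
        "original_sender_domain": sender.rsplit("@", 1)[-1] if "@" in sender else None,
        "upstream_dkim": auth["dkim"],
        "upstream_spf": auth["spf"],
        # header.i under gappssmtp.com means Google's default Workspace key signed
        # the post, not a key the sender's own domain published.
        "signed_with_google_default_key": ident.endswith(".gappssmtp.com"),
    }


if __name__ == "__main__":
    print(json.dumps(relay_verdict(parse(SAMPLE_HEADERS)), indent=2))
```

Because the copy that reaches you is delivered and signed by Google's infrastructure, blocking on the connecting IP or the outer DKIM signer hits the relay rather than the abuser; the useful keys are the original sender domain and the group id extracted above, which can feed a local reputation list or a report back to the relay operator.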