Kudos to Michael Rathbun for putting the bug in my ear again..

Sorry, been under the weather last couple of weeks, with a rare blood infection.. so much fun, but back in the saddle again, so that's why you haven't heard much from me..

In lieu of my bi-weekly state of the union (spam threats) email, I think we should consider working together to do a little 'doxing' of the bad guys.. Now, I know it is done in other places, SpamHaus used to post regularly about ROKSO spammers, etc.. but since it appears to be affecting everyone on the list, why not co-operatively take on one bad guy every couple of weeks..

This week I will start with an operator that has been around for ages.
This guy has been using handles like WEBXURY-INC on Global Frag Networks (groan) now known as LayerHost, and he still uses them to this day.

Customer:       WebXury Inc (C05731746)
RegDate:        2015-05-18
Updated:        2015-05-18

Also under the name

Customer:       ELIDC (C06878932)
RegDate:        2018-01-18
Updated:        2018-01-18

(Notice this one has more information, but ..)

Address:        juyimogen
City:           zhengzhou
StateProv:      HENAN
PostalCode:     450000
Country:        CN

And a few others..


(LayerHost/Global Frag has only avoided being completely blocked, because at least they do SWIP/rwhois into sections, making it easier to delineate the actual players, even if they deserve some complicit reputation for allowing them)


This guy likes using .shop and other poorer reputation TLDs, and tends to like real throwaway domains.

Example(s):

waterlebertysystemkfd.shop
fungosemdksd.shop

(Note, the use of semi-random last three char(s) in domain names)

He uses a random host name under that domain for the server identification (EHLO), and uses MAIL FROM formatted as part of the domain name, eg..

fungo...@fungosemdksd.shop
waterlibertygu...@waterlebertysystemkfd.shop

But not always exact, so probably still chooses/edits by hand, just has very little imagination. An added small thing he likes to do is redirect the HTTP queries to his IP/domains to YouTube..

NS records show A records go to CloudFlare of course.

80/tcp   open     http         Apache httpd 2.2.15 ((CentOS))

No actual content, so he doesn't bother with 443..

He often doesn't get DNS timing right, so you might already be rejecting most of his stuff, eg doesn't wait for DNS changes to propagate before sending.

His pattern of email is actually quite obvious, so IF one happens to get through existing filters, easy enough to catch, but usually you see simply high volume of failures from his IP(s).

While he might LOOK like the .cam spammer (also on LayerHost) he is a different actor. Predates the .cam spammer, maybe a trainee, apprentice that struck out on their own. .cam operator is more like..

from 23.247.84.161 (192.168.0.105:25)
EHLO command received, args: 05e8aaab.keydisetion.cam
FROM:<bloodsugarcont...@keydisetion.cam
Often seen as ..
Customer:       Root Networks LLC (C04842100)
RegDate:        2014-01-07
Updated:        2018-03-19


Two different Modus Operandi (never can spell that)

Now, LayerHost of course could probably fill in the details on this (or their reseller <sic>) but let the rest of us have the fun.

The goal is not only to DOX this actor, but list EVERY IP Range they are using in their spam operations..

Does this sound like fun for this mailing list, or is this too off topic or noisy?

        -- Michael --


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
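A defender-side heuristic for the EHLO / MAIL FROM pattern the post describes (random host label under the sender domain, local part built from the domain name, low-reputation TLD), added here as an example and not code from the post or from LinuxMagic. The indicator names, the vowel-ratio randomness test and the full local parts are my own assumptions; the post only shows elided addresses.

```python
from typing import Set

# TLDs the post calls out as favoured by these operators (a watch list, not a block list).
WATCH_TLDS = {"shop", "cam"}
# Leading labels a legitimate MTA normally uses; anything else under the sender domain is suspect.
COMMON_MTA_LABELS = {"mail", "smtp", "mx", "mta", "relay", "out", "outbound"}


def looks_random(label: str) -> bool:
    """Crude randomness test (assumption): digits mixed in, or very few vowels for its length."""
    if any(c.isdigit() for c in label):
        return True
    vowels = sum(1 for c in label if c in "aeiou")
    return len(label) >= 6 and vowels / len(label) < 0.25


def session_indicators(ehlo: str, mail_from: str) -> Set[str]:
    """Return the traits from the post that one SMTP session (EHLO + MAIL FROM) matches."""
    hits: Set[str] = set()
    ehlo = ehlo.strip().lower().rstrip(".")
    local, _, domain = mail_from.strip().lower().strip("<>").rpartition("@")
    if not domain or "." not in domain:
        return hits                      # null sender or malformed address: nothing to compare
    labels = domain.split(".")
    if labels[-1] in WATCH_TLDS:
        hits.add("watch_tld")
    # EHLO is exactly one extra, random-looking label under the MAIL FROM domain.
    if ehlo.endswith("." + domain):
        lead = ehlo[: -len(domain) - 1]
        if "." not in lead and lead not in COMMON_MTA_LABELS and looks_random(lead):
            hits.add("random_ehlo_subdomain")
    # Local part is the domain's own first label, or a leading chunk of it ("fungo...@fungosemdksd.shop").
    if len(local) >= 4 and labels[0].startswith(local):
        hits.add("localpart_from_domain")
    return hits


def is_webxury_pattern(ehlo: str, mail_from: str) -> bool:
    """The domain-derived local part is the distinguishing trait; require it plus one more."""
    hits = session_indicators(ehlo, mail_from)
    return "localpart_from_domain" in hits and len(hits) >= 2


if __name__ == "__main__":
    # Constructed sessions modelled on the post's two actors plus a benign control.
    for ehlo, mf in [("x7q2ka.fungosemdksd.shop", "<fungosemd@fungosemdksd.shop>"),
                     ("05e8aaab.keydisetion.cam", "<bloodsugarcontrol@keydisetion.cam>"),
                     ("mail.example.org", "<alice@example.org>")]:
        print(ehlo, mf, sorted(session_indicators(ehlo, mf)), is_webxury_pattern(ehlo, mf))
```

The .cam session shares the TLD and random-EHLO traits but not the domain-derived local part, which is why it is not flagged as the same operator.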
