Been a while since I posted one of these, so it might be lengthy..
First of all, Gmail and o365 seem to just be mailing in their attempts
at stopping outbound spam.. Volumes steadily increasing, and such
obvious bad spam, phishing, Nigerian scams et al..
But..
Return-Path: <darinainv...@gmail.com>
Received: from mail-tyzapc01rlhn2179.outbound.protection.outlook.com
(HELO APC01-TYZ-obe.outbound.protection.outlook.com) (40.95.110.179)
I mean really.. even the smallest ISPs make sure that they aren't
allowing a MAIL FROM to be from a domain they don't service..
Gmail 'undisclosed recipients' remains the highest volume from them..
While there possibly can be a case where an email client doesn't put in
a recipient, eg all addresses are bcc'ed, this is a big indicator of
spammy content.
This week, another operator started up with throwaway domains, spread
out over various hosting companies.. We have seen him before, every
couple weeks..
This week's batch coming from:
RackNerd
GB Network Solutions Sdn. Bhd.
ZenLayer
Corporate Colocation Inc. (CORPO-6)
Netinternet Bilisim Teknolojileri AS
GOhost.KZ
ServerHub
LogicWeb
Krypt/VLSI
VELIANET
Contabo Inc. (CONTA-48)
LayerHost
A different well known actor, more IPXO and routed networks with wide IP
ranges all spamming.. throwaway domains.. Any traffic from IPXO or IPXO
routed/maintained should be treated as suspect.
(Examples for the above available off list by request)
Continued problems with ESPs, SendGrid, MailGun et al, either bad
customers with harvested email addresses, or compromised accounts.
Brazilian BotNet traffic is back active, Brazilian ISPs remain among
the world's worst sources.. mostly hacked routers, and Windows compromises.
Mirai and its family of Malware continue unabated.
OVH, ColoCrossing, Azure, Google Cloud, Tencent, and AWS hacker traffic,
trying to compromise email accounts continues unabated.
Serverion attackers are getting more aggressive, I don't think they even
care about detection, there are so many easy targets out there.
Contabo networks getting worse again..
Salesforce, you have someone sending obfuscated attachments pretty
regularly for the past few weeks.
More spam coming from compromised accounts through legitimate email
servers.. legacy outbound spam protections don't appear to be doing
well, see it out of many of the well-known cloud filtering companies.
The Chinese networks appear to have some targeted hackers using dynamic
IP range naming conventions, but attacks appear clustered and unrelated
to typical bot traffic. More research is ongoing.
Hetzner is pretty big, but seeing an increase again, mostly from server
compromises, default PTR naming conventions, so easy to stop.
Someone (SendGrid) tell Intuit to clean up their database, or remove
invalid email addresses properly.. Unless they have been compromised
too? <wink>
Starting to see more Apple Cloud email compromise/spam starting to
appear, but have to say that Yahoo has seen improving numbers.. But
there are some actors pulling a newer technique of creating similar
named Yahoo accounts, and then forwarding compromised accounts to those
mailboxes.. Not sure if meant for exfil, or just so the customer doesn't
know they are compromised..
Email phishing faking the email provider's login sites has now
overtaken traditional phishing via DHL lures. Thing is, these threat
actors know how long a take down request for a web page takes.. if ever.
And coreserver.jp is getting really bad for the past couple of months,
for sending phishing..
And Russian spammers are burning through Russian IPs at an incredible
pace.. maybe trying to utilize it to the max, before one government or
the other chooses to block international traffic?
And, of course Digital Ocean is still an ongoing problem..
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
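The two indicators the post leans on, a MAIL FROM domain that the connecting relay does not serve (the gmail.com Return-Path arriving from an outlook.com outbound host) and an empty or "undisclosed recipients" To: header, can be scored mechanically at the MX. The checker below is an added example, not the author's or LinuxMagic's code; the provider-to-relay table and the sample message (modelled on the header pair quoted above, with a placeholder local part) are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the Return-Path / Received pair quoted in the post.
# The local part is a placeholder, not the elided address from the original.
SAMPLE = """Return-Path: <sender@gmail.com>
Received: from mail-tyzapc01rlhn2179.outbound.protection.outlook.com
 (HELO APC01-TYZ-obe.outbound.protection.outlook.com) (40.95.110.179)
 by mx.example.invalid with SMTP; Mon, 1 Jan 2024 00:00:00 +0000
To: undisclosed-recipients:;
Subject: test

body
"""

# Assumed (hypothetical) table: envelope-sender domain -> relay hostname suffixes
# that legitimately emit mail for it. A real deployment would derive this from
# the provider's published SPF includes rather than hard-code it.
EXPECTED_RELAY = {
    "gmail.com": (".google.com",),
    "outlook.com": (".outbound.protection.outlook.com",),
    "hotmail.com": (".outbound.protection.outlook.com",),
}

def envelope_domain(msg):
    # Return-Path is written by the receiving MTA from the SMTP MAIL FROM.
    m = re.search(r"<[^@>]+@([^>]+)>", msg.get("Return-Path", ""))
    return m.group(1).lower() if m else None

def first_hop_relay(msg):
    # The top-most Received header is the one our own MX added, so its
    # "from" host is the relay that actually connected to us.
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"\s*from\s+(\S+)", received[0])
    return m.group(1).lower().rstrip(".") if m else None

def check_headers(raw):
    """Return a list of indicator tags for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    dom, relay = envelope_domain(msg), first_hop_relay(msg)
    if dom in EXPECTED_RELAY and relay and not relay.endswith(EXPECTED_RELAY[dom]):
        findings.append(f"mail-from-domain-mismatch:{dom}:{relay}")
    to = (msg.get("To") or "").strip().lower()
    if not to or "undisclosed" in to:
        findings.append("undisclosed-recipients")
    return findings
```

Either tag alone is a signal, not a verdict; the post's point is that both together are a strong indicator the sending provider should already be catching on its own outbound.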