I'm curious if anyone else is seeing this trend today. I've gathered and
mildly censored some logs around this campaign I'm seeing today:
https://clbin.com/DkSDr
Getting a bit of it across the fleet but none more than that one server
I pulled those logs from. Just some counts from the fleet of
"i...@usa.org" strings in the current exim log:
tuesday.mxrouting.net: 11
longhorn.mxrouting.net: 0
safari.mxrouting.net: 12
blizzard.mxrouting.net: 16
pixel.mxrouting.net: 32
lucy.mxrouting.net: 0
redbull.mxrouting.net: 2
echo.mxrouting.net: 16
witcher.mxrouting.net: 0
wednesday.mxrouting.net: 0
moose.mxrouting.net: 2
eagle.mxlogin.com: 28
london.mxroute.com: 76
shadow.mxrouting.net: 22
taylor.mxrouting.net: 0
monday.mxrouting.net: 6
sunfire.mxrouting.net: 1159
arrow.mxrouting.net: 18
Lucky for me, it mainly targeted domains that seem to have left our
service but left their MX records pointing to our servers (or
potentially domains that pointed MX to our servers just to poorly DDOS
it with this campaign). But it is an odd campaign indeed, and I haven't
seen one quite this bad while simultaneously consistent from Microsoft
servers in recent memory. Are others seeing a similar campaign? Mostly
just asking to determine if it's targeted.
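As an added illustration (not code from the original post), the per-server tally above can be reproduced and extended with a small script that parses exim main log lines, counts recipients matching a pattern, records which sending IPs delivered them, and flags servers whose count is far above the fleet median. The log lines, hostnames and IPs below are constructed for the example; the recipient pattern only approximates the censored "i...@usa.org" string, and the "10x median" outlier rule is an assumed heuristic, not anything the post states.

```python
import re
import statistics
from collections import Counter

# Assumed approximation of the censored "i...@usa.org" recipient string.
RCPT_PATTERN = re.compile(r"^i[^@]*@usa\.org$")

# Two exim mainlog shapes that name a recipient: the trailing "for <addr>"
# on an arrival ("<=") line, and the "rejected RCPT <addr>" form.
EXIM_RCPT_FOR = re.compile(r"\sfor\s(.+)$")
EXIM_RCPT_REJECT = re.compile(r"rejected RCPT <([^>]+)>")
EXIM_SENDER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample logs keyed by MX server (placeholder names/IPs).
SAMPLE_LOGS = {
    "alpha.example.net": [
        "2024-01-09 10:00:01 1rXaaa-0001aa-AA <= bounce@sender.example "
        "H=mail-eopbgr.outbound.example [203.0.113.10] P=esmtps S=2048 for iabc@usa.org",
        "2024-01-09 10:00:02 H=mail-eopbgr.outbound.example [203.0.113.10] "
        "F=<bounce@sender.example> rejected RCPT <idef@usa.org>: Unrouteable address",
        "2024-01-09 10:00:03 1rXaaa-0001ab-AA <= user@customer.example "
        "H=(client) [198.51.100.7] P=esmtpsa for alice@customer.example",
    ],
    "beta.example.net": [
        "2024-01-09 10:01:00 1rXccc-0001cc-AA <= user@customer.example "
        "H=(client) [198.51.100.8] P=esmtpsa for bob@customer.example",
    ],
    # A server receiving a burst of the campaign, 25 constructed arrivals.
    "gamma.example.net": [
        f"2024-01-09 10:05:{n % 60:02d} 1rXbbb-{n:04x}-AA <= bounce@sender.example "
        f"H=mail-eopbgr2.outbound.example [203.0.113.11] P=esmtps S=2048 for i{n:03d}@usa.org"
        for n in range(25)
    ],
}


def recipients(line):
    """Return the recipient addresses named on one exim log line."""
    m = EXIM_RCPT_REJECT.search(line)
    if m:
        return [m.group(1)]
    m = EXIM_RCPT_FOR.search(line)
    if m:
        return m.group(1).split()  # multi-recipient arrivals are space-separated
    return []


def count_matches(lines, pattern):
    """Count recipients on these lines that match the pattern."""
    return sum(1 for line in lines for r in recipients(line) if pattern.search(r))


def fleet_counts(logs, pattern):
    """Per-server match counts, like the list in the post."""
    return {host: count_matches(lines, pattern) for host, lines in logs.items()}


def sender_ips(lines, pattern):
    """Which connecting IPs delivered the matching recipients (for blocking/reporting)."""
    ips = Counter()
    for line in lines:
        if any(pattern.search(r) for r in recipients(line)):
            m = EXIM_SENDER_IP.search(line)
            if m:
                ips[m.group(1)] += 1
    return dict(ips)


def outliers(counts, factor=10):
    """Servers whose count exceeds `factor` times the fleet median (assumed heuristic)."""
    if len(counts) < 2:
        return []
    threshold = factor * max(statistics.median(counts.values()), 1)
    return sorted(host for host, c in counts.items() if c > threshold)


if __name__ == "__main__":
    counts = fleet_counts(SAMPLE_LOGS, RCPT_PATTERN)
    for host, c in counts.items():
        print(f"{host}: {c}")
    print("outliers:", outliers(counts))
    for host in outliers(counts):
        print(host, "sender IPs:", sender_ips(SAMPLE_LOGS[host], RCPT_PATTERN))
```

In practice the per-server line lists would come from each host's exim mainlog (for example over SSH), and the sender-IP tally is what you would hand to a postmaster report or a temporary rate limit, while the outlier check separates a fleet-wide background from the one server taking the brunt.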
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop