Re: [mailop] CutWail infections growing again, all China based..

2020-07-22 Thread Michael Peddemors via mailop

On 2020-07-21 9:15 a.m., Bill Cole via mailop wrote:
> On 19 Jul 2020, at 22:38, Chris via mailop wrote:
>
>> It is particularly bizarre that it infests one ISP like this.  I'm
>> wondering if someone managed to force the infection to do IP
>> reallocations frequently to IP-hop.  Cutwail normally has thousands of
>> infected IPs per campaign spread across ISPs.
>
> I have noticed something Cutwail-like (fast-talking starting with bogus
> HELO name (e.g. ymlf-pc) ) clustering in single-ISP ranges, as if it
> spread via probing nearby IPs with whatever its infection vector is. No
> 2020 cases of that which I've noticed, but there's been a general
> decline in the phylum of fast-talkers from my vantage points this year.

If someone wants to play around with these reports, and if this thread 
is interesting, probably should take it to the SDLU mailing list, or 
something similar.. was just interesting that it is contained to one 
network, and that the increase started about the same time as the emotet 
started back up again.. Last 24 hours new reports.. (Simple Cutwail) at 
bottom.


The more sophisticated version still out there, but not increasing 
much.. be nice to see take downs of these.


156.96.56.48     x2
190.146.128.23   x2   static-ip-19014612823.cable.net.co
92.46.239.2      x5   zinc.kz

 ...

Simpler CutWail version..

1.193.228.202    x1   NXDOMAIN
1.193.228.232    x1   NXDOMAIN
1.194.72.79      x1
1.194.90.163     x1
1.195.126.94     x1   NXDOMAIN
1.197.73.196     x1
1.197.89.104     x1
1.197.89.175     x1
1.197.95.21      x1
103.151.124.79   x1   NXDOMAIN
106.42.60.203    x1
110.166.211.42   x2   NXDOMAIN
110.190.16.232   x1   NXDOMAIN
111.225.152.172  x1   NXDOMAIN
111.225.153.151  x1   NXDOMAIN
111.225.153.175  x1   NXDOMAIN
111.227.162.29   x1
111.227.229.182  x2
111.75.154.57    x1
111.75.228.29    x1
111.77.114.81    x1   NXDOMAIN
111.77.190.126   x1   NXDOMAIN
112.171.192.98   x12  NXDOMAIN
113.123.119.101  x1   NXDOMAIN
113.124.87.103   x1   NXDOMAIN
113.228.103.112  x1   NXDOMAIN
113.228.103.236  x1   NXDOMAIN
113.228.107.242  x1   NXDOMAIN
113.231.82.221   x1   NXDOMAIN
113.231.83.195   x1   NXDOMAIN
113.236.92.80    x1   NXDOMAIN
113.238.104.144  x1   NXDOMAIN
114.100.133.172  x1   NXDOMAIN
114.102.28.36    x1   NXDOMAIN
114.104.210.207  x1   NXDOMAIN
114.104.235.147  x1   NXDOMAIN
114.236.21.4     x1   NXDOMAIN
114.236.22.94    x1   NXDOMAIN
114.239.149.97   x1   NXDOMAIN
114.239.172.138  x1   NXDOMAIN
114.96.37.36     x1   NXDOMAIN
114.98.162.229   x1   NXDOMAIN
114.99.221.171   x1   NXDOMAIN
115.196.66.54    x1   NXDOMAIN
115.201.84.22    x1   NXDOMAIN
115.201.88.191   x1   NXDOMAIN
115.201.88.9     x1   NXDOMAIN
115.211.125.159  x1   NXDOMAIN
115.211.125.179  x1   NXDOMAIN
115.211.52.200   x2   NXDOMAIN
115.211.55.44    x1   NXDOMAIN
115.211.61.126   x1   NXDOMAIN
115.220.130.9    x1   NXDOMAIN
115.229.16.191   x2   NXDOMAIN
115.230.51.77    x1   NXDOMAIN
116.209.138.13   x1   NXDOMAIN
116.209.142.111  x1   NXDOMAIN
116.3.98.171     x1
117.26.40.37     x1   37.40.26.117.broad.qz.fj.dynamic.163data.com.cn
117.66.44.77     x1   NXDOMAIN
117.66.47.117    x1   NXDOMAIN
117.69.186.116   x1   NXDOMAIN
117.69.187.146   x1   NXDOMAIN
117.82.254.53    x1   NXDOMAIN
118.117.90.133   x1   NXDOMAIN
118.117.90.216   x1   NXDOMAIN
118.118.9.7      x1   NXDOMAIN
118.213.229.138  x1   NXDOMAIN
119.113.195.247  x1   NXDOMAIN
119.54.0.197     x2   197.0.54.119.adsl-pool.jlccptt.net.cn
119.54.11.229    x1   229.11.54.119.adsl-pool.jlccptt.net.cn
119.54.12.170    x1   170.12.54.119.adsl-pool.jlccptt.net.cn
119.54.14.23     x1   23.14.54.119.adsl-pool.jlccptt.net.cn
119.54.15.220    x1   220.15.54.119.adsl-pool.jlccptt.net.cn
119.54.16.228    x3   228.16.54.119.adsl-pool.jlccptt.net.cn
119.54.21.228    x2   228.21.54.119.adsl-pool.jlccptt.net.cn
119.54.24.116    x1   116.24.54.119.adsl-pool.jlccptt.net.cn
119.54.26.6      x1   6.26.54.119.adsl-pool.jlccptt.net.cn
119.54.29.167    x1   167.29.54.119.adsl-pool.jlccptt.net.cn
119.54.29.244    x1   244.29.54.119.adsl-pool.jlccptt.net.cn
119.54.31.177    x1   177.31.54.119.adsl-pool.jlccptt.net.cn
119.54.31.223    x1   223.31.54.119.adsl-pool.jlccptt.net.cn
119.54.34.221    x1   221.34.54.119.adsl-pool.jlccptt.net.cn
119.54.34.31     x1   31.34.54.119.adsl-pool.jlccptt.net.cn
119.54.35.21     x2   21.35.54.119.adsl-pool.jlccptt.net.cn
119.54.35.79     x2   79.35.54.119.adsl-pool.jlccptt.net.cn
119.54.36.152    x1   152.36.54.119.adsl-pool.jlccptt.net.cn
119.54.36.159    x2   159.36.54.119.adsl-pool.jlccptt.net.cn
119.54.4.155     x1   155.4.54.119.adsl-pool.jlccptt.net.cn
119.54.43.164    x1   164.43.54.119.adsl-pool.jlccptt.net.cn
119.54.43.182    x2   182.43.54.119.adsl-pool.jlccptt.net.cn
119.54.45.57     x1

Re: [mailop] CutWail infections growing again, all China based..

2020-07-21 Thread Bill Cole via mailop

On 19 Jul 2020, at 22:38, Chris via mailop wrote:

> It is particularly bizarre that it infests one ISP like this.  I'm
> wondering if someone managed to force the infection to do IP
> reallocations frequently to IP-hop.  Cutwail normally has thousands of
> infected IPs per campaign spread across ISPs.

I have noticed something Cutwail-like (fast-talking starting with bogus
HELO name (e.g. ymlf-pc) ) clustering in single-ISP ranges, as if it
spread via probing nearby IPs with whatever its infection vector is. No
2020 cases of that which I've noticed, but there's been a general
decline in the phylum of fast-talkers from my vantage points this year.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
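Bill describes the pattern he sees as a "fast-talker" (a client that starts sending before the server has written its 220 greeting) combined with a bogus, non-FQDN HELO name. The following is an added example, not code from the thread or from any MTA, of how a receiving side can score session records on exactly those two signals. It assumes a server that deliberately delays its banner and logs, per session, when the banner was written and when the first client bytes arrived (seconds since connect); that log layout and the sample sessions are constructed for the example.

```python
"""Flag SMTP fast-talkers and non-FQDN HELO names from session records.

Added example for the mailop thread, not code from the post or any MTA.
Timing fields are seconds since TCP connect, as a banner-delaying server
could log them (an assumed log layout, not something the thread specifies).
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Session:
    client_ip: str
    banner_sent_at: float        # when the server wrote its 220 banner
    first_client_data_at: float  # when the first client bytes arrived
    helo: str                    # argument of the client's HELO/EHLO


# Constructed sessions (not real traffic). The first one mimics the
# pattern described in the thread: data before the banner, HELO "ymlf-pc".
SAMPLE_SESSIONS = [
    Session("192.0.2.10", banner_sent_at=2.0, first_client_data_at=0.3, helo="ymlf-pc"),
    Session("192.0.2.20", banner_sent_at=2.0, first_client_data_at=2.4, helo="mail.example.org"),
    Session("192.0.2.30", banner_sent_at=2.0, first_client_data_at=2.1, helo="[192.0.2.30]"),
    Session("192.0.2.40", banner_sent_at=2.0, first_client_data_at=2.2, helo="localhost"),
]

# A hostname with at least two labels and an alphabetic TLD (RFC 1123 label rules).
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# RFC 5321 lets a client without a name send an IPv4 address literal instead
# (IPv6 literals exist too but are left out of this example).
IPV4_LITERAL_RE = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")


def is_early_talker(s: Session) -> bool:
    """A real MTA waits for the 220 banner; bots often do not."""
    return s.first_client_data_at < s.banner_sent_at


def helo_problems(helo: str) -> List[str]:
    """Return a list of reasons the HELO argument looks bogus (empty if fine)."""
    if IPV4_LITERAL_RE.match(helo):
        return []
    if not FQDN_RE.match(helo):
        return ["not an FQDN"]
    return []


def classify(s: Session) -> Dict[str, object]:
    """Policy (an assumption for the example): reject on any of the two signals."""
    reasons = []
    if is_early_talker(s):
        reasons.append("early talker")
    reasons += [f"HELO {p}" for p in helo_problems(s.helo)]
    return {
        "client_ip": s.client_ip,
        "verdict": "reject" if reasons else "accept",
        "reasons": reasons,
    }


def triage(sessions: List[Session]) -> List[Dict[str, object]]:
    return [classify(s) for s in sessions]


if __name__ == "__main__":
    for result in triage(SAMPLE_SESSIONS):
        print(f"{result['client_ip']:<12} {result['verdict']:<7} {', '.join(result['reasons'])}")
```

The banner delay is what makes the early-talker signal observable at all: with an immediate greeting there is no window in which a bot can reveal itself. The HELO check accepts address literals because RFC 5321 permits them, so the two checks together stay on the right side of the standard while still catching the workstation-style names seen in the thread.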


Re: [mailop] CutWail infections growing again, all China based..

2020-07-21 Thread Chris via mailop
I can confirm that this is cutwail.  I'm showing 100% agreement in spot 
checking of your list of IPs.


This particular cutwail variant, unlike the others, has been percolating 
at low volumes for a long time.  The other more sophisticated versions 
have all pretty much gone away.


It is particularly bizarre that it infests one ISP like this.  I'm 
wondering if someone managed to force the infection to do IP 
reallocations frequently to IP-hop.  Cutwail normally has thousands of 
infected IPs per campaign spread across ISPs.


The other possibility is that someone stole the SMTP emission part and 
reused it in something less bot-like.




[mailop] CutWail infections growing again, all China based..

2020-07-17 Thread Michael Peddemors via mailop
While most of these are probably already stopped, via various RBLs and 
rulesets common to most spam protection, it is worth posting..


Seeing the infection spike again, but strangely all from Chinese IP Ranges.

Note, for the one provider, it is especially a bad overnight jump.

*.adsl-pool.jlccptt.net.cn

(The other ones do not have PTR records, so probably never get anywhere; 
you'd think the hackers would check if the IP address has a PTR record 
before even trying to spam/spread)


Of course, there is no A record for that domain, and the whois does not 
have valid contact information.


whois jlccptt.net.cn
Domain Name: jlccptt.net.cn
ROID: 20021209s10021s00014224-cn
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Registrant: 吉林省数据通信局
Registrant Contact Email: jl...@mail.jl.cn
Sponsoring Registrar: 北京新网数码信息技术有限公司
Name Server: ns.jlccptt.net.cn
Name Server: ns2.jljlptt.net.cn
Registration Time: 1997-02-19 00:00:00
Expiration Time: 2021-07-01 00:00:00
DNSSEC: unsigned


119.54.0.73      x1   73.0.54.119.adsl-pool.jlccptt.net.cn
119.54.11.3      x2   3.11.54.119.adsl-pool.jlccptt.net.cn
119.54.12.113    x2   113.12.54.119.adsl-pool.jlccptt.net.cn
119.54.13.183    x2   183.13.54.119.adsl-pool.jlccptt.net.cn
119.54.19.244    x2   244.19.54.119.adsl-pool.jlccptt.net.cn
119.54.20.174    x1   174.20.54.119.adsl-pool.jlccptt.net.cn
119.54.23.185    x1   185.23.54.119.adsl-pool.jlccptt.net.cn
119.54.24.198    x2   198.24.54.119.adsl-pool.jlccptt.net.cn
119.54.24.2      x1   2.24.54.119.adsl-pool.jlccptt.net.cn
119.54.24.233    x1   233.24.54.119.adsl-pool.jlccptt.net.cn
119.54.25.128    x1   128.25.54.119.adsl-pool.jlccptt.net.cn
119.54.27.124    x1   124.27.54.119.adsl-pool.jlccptt.net.cn
119.54.27.44     x2   44.27.54.119.adsl-pool.jlccptt.net.cn
119.54.28.55     x1   55.28.54.119.adsl-pool.jlccptt.net.cn
119.54.28.93     x2   93.28.54.119.adsl-pool.jlccptt.net.cn
119.54.31.17     x1   17.31.54.119.adsl-pool.jlccptt.net.cn
119.54.31.180    x1   180.31.54.119.adsl-pool.jlccptt.net.cn
119.54.31.198    x7   198.31.54.119.adsl-pool.jlccptt.net.cn
119.54.32.135    x2   135.32.54.119.adsl-pool.jlccptt.net.cn
119.54.32.201    x2   201.32.54.119.adsl-pool.jlccptt.net.cn
119.54.35.105    x2   105.35.54.119.adsl-pool.jlccptt.net.cn
119.54.37.58     x1   58.37.54.119.adsl-pool.jlccptt.net.cn
119.54.38.117    x1   117.38.54.119.adsl-pool.jlccptt.net.cn
119.54.38.246    x1   246.38.54.119.adsl-pool.jlccptt.net.cn
119.54.39.193    x1   193.39.54.119.adsl-pool.jlccptt.net.cn
119.54.39.56     x1   56.39.54.119.adsl-pool.jlccptt.net.cn
119.54.4.7       x2   7.4.54.119.adsl-pool.jlccptt.net.cn
119.54.40.179    x2   179.40.54.119.adsl-pool.jlccptt.net.cn
119.54.40.86     x1   86.40.54.119.adsl-pool.jlccptt.net.cn
119.54.41.44     x1   44.41.54.119.adsl-pool.jlccptt.net.cn
119.54.42.50     x2   50.42.54.119.adsl-pool.jlccptt.net.cn
119.54.43.17     x1   17.43.54.119.adsl-pool.jlccptt.net.cn
119.54.43.230    x3   230.43.54.119.adsl-pool.jlccptt.net.cn
119.54.46.15     x1   15.46.54.119.adsl-pool.jlccptt.net.cn
119.54.46.87     x1   87.46.54.119.adsl-pool.jlccptt.net.cn
119.54.47.187    x1   187.47.54.119.adsl-pool.jlccptt.net.cn
119.54.47.198    x1   198.47.54.119.adsl-pool.jlccptt.net.cn
119.54.47.243    x2   243.47.54.119.adsl-pool.jlccptt.net.cn
119.54.5.22      x1   22.5.54.119.adsl-pool.jlccptt.net.cn
119.54.6.220     x3   220.6.54.119.adsl-pool.jlccptt.net.cn
119.54.8.10      x1   10.8.54.119.adsl-pool.jlccptt.net.cn
119.54.9.206     x1   206.9.54.119.adsl-pool.jlccptt.net.cn
119.54.9.47      x2   47.9.54.119.adsl-pool.jlccptt.net.cn
119.55.136.88    x1   88.136.55.119.adsl-pool.jlccptt.net.cn
119.55.139.9     x2   9.139.55.119.adsl-pool.jlccptt.net.cn
119.55.224.159   x2   159.224.55.119.adsl-pool.jlccptt.net.cn
119.55.224.220   x1   220.224.55.119.adsl-pool.jlccptt.net.cn
119.55.225.160   x1   160.225.55.119.adsl-pool.jlccptt.net.cn
119.55.226.41    x2   41.226.55.119.adsl-pool.jlccptt.net.cn
119.55.227.213   x1   213.227.55.119.adsl-pool.jlccptt.net.cn
119.55.255.147   x1   147.255.55.119.adsl-pool.jlccptt.net.cn
119.55.255.19    x1   19.255.55.119.adsl-pool.jlccptt.net.cn
119.55.255.217   x1   217.255.55.119.adsl-pool.jlccptt.net.cn
122.140.115.121  x1   121.115.140.122.adsl-pool.jlccptt.net.cn
122.140.115.13   x1   13.115.140.122.adsl-pool.jlccptt.net.cn
122.140.115.194  x1   194.115.140.122.adsl-pool.jlccptt.net.cn
122.140.234.195  x1   195.234.140.122.adsl-pool.jlccptt.net.cn
122.140.234.229  x1   229.234.140.122.adsl-pool.jlccptt.net.cn
122.140.68.109   x1   109.68.140.122.adsl-pool.jlccptt.net.cn
122.140.68.151   x2   151.68.140.122.adsl-pool.jlccptt.net.cn
122.140.70.30    x2   30.70.140.122.adsl-pool.jlccptt.net.cn
122.140.70.78    x2   78.70.140.122.adsl-pool.jlccptt.net.cn
122.141.157.158  x1   158.157.141.122.adsl-pool.jlccptt.net.cn
122.143.218.117  x3
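The reports in this thread are lists of `<ip> x<count> [<ptr>|NXDOMAIN]` lines, and the observations made about them (one ISP's dynamic pool dominating, many sources with no PTR at all, PTR names that just embed the reversed octets) are the kind of thing worth computing rather than eyeballing. The following is an added example, not code from the post or from any tool it mentions: it parses lines in that layout, recognises the generic pool-style PTR pattern, and aggregates hosts and connection counts per pool name and per /16 so that single-network clustering stands out. The sample lines are a handful copied from the reports above (including one with the collapsed spacing seen in the post); the helper names are the example's own, and nothing performs live DNS or whois lookups.

```python
"""Aggregate a Cutwail-style abuse report by PTR pool and network block.

Added example for the mailop thread, not code from the post or any
project mentioned in it. Parses report lines of the form
"<ip> x<count> [<ptr>|NXDOMAIN]" and summarises them offline.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Sample lines copied from the thread's reports; the last one keeps the
# collapsed spacing ("...x1") that the mailing-list rendering produced.
SAMPLE_REPORT = """\
119.54.0.73     x1  73.0.54.119.adsl-pool.jlccptt.net.cn
119.54.11.3     x2  3.11.54.119.adsl-pool.jlccptt.net.cn
119.54.31.198   x7  198.31.54.119.adsl-pool.jlccptt.net.cn
122.140.68.151  x2  151.68.140.122.adsl-pool.jlccptt.net.cn
1.193.228.202   x1  NXDOMAIN
112.171.192.98  x12 NXDOMAIN
92.46.239.2     x5  zinc.kz
1.194.72.79x1
"""

# IP, optional whitespace, "x<count>", optional PTR token (absent or NXDOMAIN).
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*x(\d+)\s*(\S+)?\s*$")


class Record(NamedTuple):
    ip: str
    count: int
    ptr: Optional[str]  # None when the report shows NXDOMAIN or nothing


def parse_report(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line!r}")
        ip, count, ptr = m.groups()
        ipaddress.ip_address(ip)  # rejects junk such as 999.1.1.1
        records.append(Record(ip, int(count), None if ptr == "NXDOMAIN" else ptr))
    return records


def is_generic_ptr(ip: str, ptr: Optional[str]) -> bool:
    """True when the PTR is a dynamic-pool style name that embeds the IP's octets."""
    if ptr is None:
        return False
    numeric_labels = {label for label in ptr.split(".") if label.isdigit()}
    return set(ip.split(".")) <= numeric_labels


def pool_name(ptr: Optional[str]) -> str:
    """Strip leading numeric labels so all hosts of one pool share a key."""
    if ptr is None:
        return "(no PTR)"
    labels = ptr.split(".")
    while labels and labels[0].isdigit():
        labels.pop(0)
    return ".".join(labels) if labels else ptr


def summarize(records: List[Record], prefixlen: int = 16) -> Dict[str, object]:
    by_pool: Dict[str, Dict[str, int]] = defaultdict(lambda: {"hosts": 0, "connections": 0})
    by_net: Dict[str, Dict[str, int]] = defaultdict(lambda: {"hosts": 0, "connections": 0})
    generic = 0
    for r in records:
        pool = by_pool[pool_name(r.ptr)]
        pool["hosts"] += 1
        pool["connections"] += r.count
        net = str(ipaddress.ip_network(f"{r.ip}/{prefixlen}", strict=False))
        by_net[net]["hosts"] += 1
        by_net[net]["connections"] += r.count
        if is_generic_ptr(r.ip, r.ptr):
            generic += 1
    return {"by_pool": dict(by_pool), "by_net": dict(by_net), "generic_ptr_hosts": generic}


def clustered_pools(summary: Dict[str, object], min_hosts: int = 3) -> List[str]:
    """Named PTR pools with at least min_hosts distinct sources, busiest first."""
    pools = summary["by_pool"]
    names = [p for p, v in pools.items() if p != "(no PTR)" and v["hosts"] >= min_hosts]
    return sorted(names, key=lambda p: pools[p]["hosts"], reverse=True)


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for pool, v in sorted(summary["by_pool"].items(), key=lambda kv: -kv[1]["hosts"]):
        print(f"{pool:<30} hosts={v['hosts']:<3} connections={v['connections']}")
    print("clustered pools:", clustered_pools(summary))
    print("hosts with generic pool-style PTR:", summary["generic_ptr_hosts"])
```

Grouping by the PTR suffix rather than by the raw hostname is what turns dozens of distinct `N.N.N.N.adsl-pool.jlccptt.net.cn` names into one line, and the /16 view catches the same clustering for sources that have no PTR at all. The "reversed octets in the name" test is a cheap way to tag generic dynamic-pool space; it is not a substitute for a PBL-style list, but it works offline on a report like this one.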