Re: [mailop] Digital Ocean Sextortion Spammers..
On Mon, Apr 08, 2019 at 02:13:51PM -0700, Dennis Glatting wrote:
> I got tired of the SSH/SMTP attacks from DO and zero effective response
> to abuse reports, so I've been slowly adding their net blocks for the
> last six months.

I've been doing this for quite some time, for the same reason: numerous
attacks, absolutely no response from Digital Ocean. Here's what I've
accumulated so far (CIDR/netname); I welcome additions/corrections.

14.209.0.0/16       DO-13
45.55.0.0/16        DIGITALOCEAN-11
67.205.128.0/18     DIGITALOCEAN-13
67.207.64.0/19      DIGITALOCEAN-14
68.183.0.0/16       DO-13
104.131.0.0/16      DIGITALOCEAN-9
104.236.0.0/16      DIGITALOCEAN-10
104.248.0.0/16      DO-13
107.170.0.0/16      DIGITALOCEAN-8
134.209.0.0/16      DO-13
138.68.0.0/16       DIGITALOCEAN-15
138.197.0.0/16      DIGITALOCEAN-16
142.93.0.0/16       DO-13
157.230.0.0/16      DO-13
159.65.0.0/16       DIGITALOCEAN-22
159.89.0.0/16       DIGITALOCEAN-21
159.203.0.0/16      DIGITALOCEAN-12
162.243.0.0/16      DIGITALOCEAN-7
165.22.0.0/16       DO-13
165.227.0.0/16      DIGITALOCEAN-19
167.99.0.0/16       DIGITALOCEAN-23
174.138.0.0/17      DIGITALOCEAN-17
192.34.56.0/21      DIGITALOCEAN-2
192.81.208.0/20     DIGITALOCEAN-3
192.241.128.0/17    DIGITALOCEAN-6
198.199.64.0/18     DIGITALOCEAN-5
206.81.0.0/19       DIGITALOCEAN-32
206.189.0.0/16      DIGITALOCEAN-30
207.154.192.0/18    DIGITALOCEAN-18
209.97.128.0/18     DIGITALOCEAN-31

---rsk

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
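The following is an added example and not code from the thread or from any poster: it takes the CIDR/netname list above exactly as posted, matches client IPs against it the way an MTA access policy or firewall loader would, collapses the prefixes, renders a Postfix cidr: table, and reports which observed attacker IPs the list does and does not cover. The sample IPs in the coverage check are taken from Michael Peddemors' list later in this thread; the helper names (lookup, collapsed, postfix_cidr_table, coverage) are this example's own.

```python
"""Added example, not from the mailop thread: check client IPs against the
CIDR list posted above, the way an MTA access policy or a firewall loader
would, and render it as a Postfix cidr: table."""
import ipaddress
from typing import Dict, Iterable, List, Optional

# (CIDR, netname) pairs copied verbatim from the message above.
DO_BLOCKS = [
    ("14.209.0.0/16", "DO-13"),
    ("45.55.0.0/16", "DIGITALOCEAN-11"),
    ("67.205.128.0/18", "DIGITALOCEAN-13"),
    ("67.207.64.0/19", "DIGITALOCEAN-14"),
    ("68.183.0.0/16", "DO-13"),
    ("104.131.0.0/16", "DIGITALOCEAN-9"),
    ("104.236.0.0/16", "DIGITALOCEAN-10"),
    ("104.248.0.0/16", "DO-13"),
    ("107.170.0.0/16", "DIGITALOCEAN-8"),
    ("134.209.0.0/16", "DO-13"),
    ("138.68.0.0/16", "DIGITALOCEAN-15"),
    ("138.197.0.0/16", "DIGITALOCEAN-16"),
    ("142.93.0.0/16", "DO-13"),
    ("157.230.0.0/16", "DO-13"),
    ("159.65.0.0/16", "DIGITALOCEAN-22"),
    ("159.89.0.0/16", "DIGITALOCEAN-21"),
    ("159.203.0.0/16", "DIGITALOCEAN-12"),
    ("162.243.0.0/16", "DIGITALOCEAN-7"),
    ("165.22.0.0/16", "DO-13"),
    ("165.227.0.0/16", "DIGITALOCEAN-19"),
    ("167.99.0.0/16", "DIGITALOCEAN-23"),
    ("174.138.0.0/17", "DIGITALOCEAN-17"),
    ("192.34.56.0/21", "DIGITALOCEAN-2"),
    ("192.81.208.0/20", "DIGITALOCEAN-3"),
    ("192.241.128.0/17", "DIGITALOCEAN-6"),
    ("198.199.64.0/18", "DIGITALOCEAN-5"),
    ("206.81.0.0/19", "DIGITALOCEAN-32"),
    ("206.189.0.0/16", "DIGITALOCEAN-30"),
    ("207.154.192.0/18", "DIGITALOCEAN-18"),
    ("209.97.128.0/18", "DIGITALOCEAN-31"),
]

# Parse once; ip_network() rejects malformed prefixes at load time.
NETWORKS = [(ipaddress.ip_network(cidr), name) for cidr, name in DO_BLOCKS]


def lookup(ip: str) -> Optional[str]:
    """Return the netname of the block containing `ip`, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, name in NETWORKS:
        if addr in net:
            return name
    return None


def collapsed() -> List[str]:
    """Merge overlapping or adjacent prefixes before loading a firewall table."""
    return [str(n) for n in ipaddress.collapse_addresses([net for net, _ in NETWORKS])]


def postfix_cidr_table() -> str:
    """Render the list as a Postfix cidr: map for check_client_access."""
    return "".join(f"{cidr}\tREJECT {name}\n" for cidr, name in DO_BLOCKS)


def coverage(ips: Iterable[str]) -> Dict[str, List[str]]:
    """Split observed attacker IPs into those the list covers and those it
    misses; the check to run before treating a hand-maintained list as complete."""
    report: Dict[str, List[str]] = {"covered": [], "uncovered": []}
    for ip in ips:
        report["covered" if lookup(ip) else "uncovered"].append(ip)
    return report


if __name__ == "__main__":
    # Sample attacker IPs taken from Michael Peddemors' list in this thread.
    sample = ["68.183.16.237", "104.248.29.142", "178.128.16.47", "207.154.246.193"]
    print(coverage(sample))
    print(postfix_cidr_table())
```

Running the coverage check against the IPs from the later post shows one gap right away: 178.128.16.47 falls in no listed prefix, so the list as posted would not have rejected that sender. That is the kind of correction the poster asked for, and the reason to re-run the check whenever a new batch of attacker IPs is logged.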
Re: [mailop] Digital Ocean Sextortion Spammers..
On Mon, Apr 08, 2019 at 03:48:24PM -0600, Grant Taylor via mailop wrote:
> If I were to do something like that, I'd likely find out the IP
> space that $HostingCompany is using and wholesale block them. I'm
> confident there are ways to do this based on the Global Internet
> Default Free Zone BGP feeds. I.e. null route any IPs associated
> with their ASN(s).

Blocking by ASN is easier.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
Internet security and antispam hostname intelligence: http://enemieslist.com/
[mailop] Digital Ocean Sextortion Spammers..
On 08-04-19 at 17:35, Michael Peddemors wrote:
> However, traditional methods like 'fail2ban' to block those attacks
> won't work too well into the future, with things like Carrier Grade
> Nat (one device can poison an IP Address used by thousands).
>

We're not even blocking those attacks. We're just logging them.
When some accounts successfully authenticate from an IP address which
generates excessive authentication failures, the account gets locked out.
It just means the account has a weak password, or the password leaked.
Something you might want to know anyway.

We haven't seen false positives since we've implemented this. With
carrier grade NAT this indeed possibly can create an issue for innocent
users, but we haven't seen that yet.

Regards,

Frido
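The lockout rule described in the post above, as an added example that is not Frido's code and not part of the thread: failures are counted per source IP, nothing is blocked at the IP level, and an account is locked only when it authenticates successfully from an address that is already past the failure threshold. The log format, the threshold of 20, and the sample events are all constructed for the example; a real deployment would map the regex to its own MTA or IMAP server's auth lines.

```python
"""Added example, not from the thread: the lockout rule Frido describes,
applied to a constructed auth log. The line format is invented for this
example; adapt LINE_RE to the auth log lines your mail server writes."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Constructed events: "<ts> auth <ok|fail> user=<name> ip=<addr>".
# 198.51.100.7 hammers several accounts and then logs in as bob;
# 203.0.113.5 fails twice (a mistyped password) before alice logs in.
SAMPLE_LOG: List[str] = (
    [f"2019-04-08T10:00:{i:02d}Z auth fail user=user{i % 7} ip=198.51.100.7"
     for i in range(25)]
    + [
        "2019-04-08T10:01:00Z auth fail user=alice ip=203.0.113.5",
        "2019-04-08T10:01:05Z auth fail user=alice ip=203.0.113.5",
        "2019-04-08T10:01:10Z auth ok user=alice ip=203.0.113.5",
        "2019-04-08T10:02:00Z auth ok user=bob ip=198.51.100.7",
        "2019-04-08T10:02:30Z auth ok user=carol ip=192.0.2.9",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

Event = Tuple[str, str, str, str]  # (ts, result, user, ip)


def parse(lines: Iterable[str]) -> Iterator[Event]:
    """Yield (ts, result, user, ip) for each matching line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["result"], m["user"], m["ip"]


def lockouts(events: Iterable[Event], threshold: int = 20) -> Tuple[Set[str], Dict[str, int]]:
    """Count auth failures per source IP. A *successful* login from an IP
    that is already at or past `threshold` failures means that account's
    password is weak or leaked, so the account is locked. The IP itself is
    never blocked, which is what makes the rule survive carrier-grade NAT
    better than fail2ban-style IP bans: only accounts that actually let the
    brute-forcer in are affected.

    The thread's caveat still applies: behind CGNAT a legitimate user can
    share an address with a brute-forcer, so keep the threshold well above
    what ordinary mistyped passwords produce.
    """
    failures: Dict[str, int] = defaultdict(int)
    locked: Set[str] = set()
    for _ts, result, user, ip in events:
        if result == "fail":
            failures[ip] += 1
        elif failures.get(ip, 0) >= threshold:
            locked.add(user)
    return locked, dict(failures)


def run_sample() -> Set[str]:
    """Apply the rule to the constructed log and return the locked accounts."""
    locked, _ = lockouts(parse(SAMPLE_LOG))
    return locked


if __name__ == "__main__":
    locked, failures = lockouts(parse(SAMPLE_LOG))
    print("failures per IP:", failures)
    print("locked accounts:", sorted(locked))
```

On the constructed log only bob is locked: 198.51.100.7 had 25 failures before bob's password worked from it, whereas alice's two failures from 203.0.113.5 stay far below the threshold and carol's address never failed at all. Raising the threshold above 25 locks nobody, which is the knob to turn if CGNAT users start to show up as false positives.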
Re: [mailop] Digital Ocean Sextortion Spammers..
On 4/8/19 3:13 PM, Dennis Glatting wrote:
> I got tired of the SSH/SMTP attacks from DO and zero effective response
> to abuse reports, so I've been slowly adding their net blocks for the
> last six months.

Fair enough.

Is there a reason why you're adding them as a onesie twosie manner?

If I were to do something like that, I'd likely find out the IP
space that $HostingCompany is using and wholesale block them. I'm
confident there are ways to do this based on the Global Internet
Default Free Zone BGP feeds. I.e. null route any IPs associated
with their ASN(s).

-- 
Grant. . . .
unix || die
Re: [mailop] Digital Ocean Sextortion Spammers..
On Mon, 2019-04-08 at 07:51 -0700, Michael Peddemors wrote:
> This has gone on now for more than a month, and they aren't even
> trying
> to hide..
>

I got tired of the SSH/SMTP attacks from DO and zero effective response
to abuse reports, so I've been slowly adding their net blocks for the
last six months.
Re: [mailop] Digital Ocean Sextortion Spammers..
On Mon, 8 Apr 2019 08:35:48 -0700, Michael Peddemors wrote:
>Don't even get us started on the AUTH Attacks ;)
>
>Course, those (server.com) are coming from all the Content Delivery
>Networks.. Thankfully, that bot net is less than 1000 IP(s) strong still.
>
>But the AUTH attacks related to server.com look to be all compromised
>servers, and based on the start of the attack, probably based out of
>Bangladesh area, most of the IP(s) appear to have the Postgres port
>open.. suspect that might have been the attack vector...

We have seen 606 individual IPs, and a total of 55346 connection attempts
over the past 7 days. Less than 5% of the IPs I have spot-checked against
major blacklist/blocklist operations show as listed. Very few have rDNS.

Interesting.

mdr
-- 
Sometimes half-ass is exactly the right amount of ass.
   -- Wonderella
Re: [mailop] Digital Ocean Sextortion Spammers..
Don't even get us started on the AUTH Attacks ;)

Course, those (server.com) are coming from all the Content Delivery
Networks.. Thankfully, that bot net is less than 1000 IP(s) strong still.

But the AUTH attacks related to server.com look to be all compromised
servers, and based on the start of the attack, probably based out of
Bangladesh area, most of the IP(s) appear to have the Postgres port
open.. suspect that might have been the attack vector...

Most AUTH attacks aren't from Content Delivery Networks, unless they are
part of a compromise. Currently, the ubiquiti/linksys/cisco plus
compromised windows machines make up the bulk of those Auth attacks.

However, traditional methods like 'fail2ban' to block those attacks
won't work too well into the future, with things like Carrier Grade
Nat (one device can poison an IP Address used by thousands).

But back to Digital Ocean, not a network I would want to operate an
email server on, if your neighbouring IP(s) are this bad ;)

On 2019-04-08 8:05 a.m., Michael Rathbun wrote:
> On Mon, 8 Apr 2019 07:51:47 -0700, Michael Peddemors wrote:
>> This has gone on now for more than a month, and they aren't even trying
>> to hide..
>>
>> 50 more IP(s) and domains overnight..
>
> Each of those netblocks contributes several IPs conducting the "EHLO
> server.com" AUTH LOGIN attacks, now in its second week.
>
> I haven't bothered to gather competitive numbers for the AWS netblocks,
> but they appear to be as prolific.
>
> mdr

-- 
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
Re: [mailop] Digital Ocean Sextortion Spammers..
> On 8 Apr 2019, at 16:09, Benoit Panizzon wrote:
>
>> This has gone on now for more than a month, and they aren't even trying
>> to hide..
>
> Interesting, digitalocean is also hosting at least two UBS.com
> phishing sites and it took quite a while to persuade their abuse-desk to
> verify by looking at the code of the site, or to use a VPN to access
> the site from a swiss ip address.
>
> The phishing site only appears when accessed from a swiss ip address. If
> you access the site from any other GeoIP, it either shows a message
> telling that the site is suspended, or redirecting to google or similar.

Sounds like what Techcrunch was discussing here:
https://techcrunch.com/2019/04/02/inside-a-spam-operation/

laura

-- 
Having an Email Crisis?  We can help!   800 823-9674
Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741
Email Delivery Blog: https://wordtothewise.com/blog
Re: [mailop] Digital Ocean Sextortion Spammers..
> This has gone on now for more than a month, and they aren't even trying
> to hide..

Interesting, digitalocean is also hosting at least two UBS.com
phishing sites and it took quite a while to persuade their abuse-desk to
verify by looking at the code of the site, or to use a VPN to access
the site from a swiss ip address.

The phishing site only appears when accessed from a swiss ip address. If
you access the site from any other GeoIP, it either shows a message
telling that the site is suspended, or redirecting to google or similar.

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________
Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
Re: [mailop] Digital Ocean Sextortion Spammers..
On Mon, 8 Apr 2019 07:51:47 -0700, Michael Peddemors wrote:
>This has gone on now for more than a month, and they aren't even trying
>to hide..
>
>50 more IP(s) and domains overnight..

Each of those netblocks contributes several IPs conducting the "EHLO
server.com" AUTH LOGIN attacks, now in its second week.

I haven't bothered to gather competitive numbers for the AWS netblocks,
but they appear to be as prolific.

mdr
-- 
The Duckage Is Feep.
   -- Vaul Pixie
[mailop] Digital Ocean Sextortion Spammers..
This has gone on now for more than a month, and they aren't even trying
to hide..

50 more IP(s) and domains overnight..

68.183.16.237      1  mx.f.anonymous-hacker.top
68.183.24.38       1  mx.d.anonymous-hacker.top
68.183.24.120      1  mx.a.anonymous-hacker.top
68.183.24.125      1  mx.j.anonymous-hacker.top
68.183.31.87       1  mx.e.anonymous-hacker.top
68.183.31.212      1  mx.c.anonymous-hacker.top
68.183.48.232      1  mx.c.anonymoushackers.rocks
68.183.50.150      1  mx.h.anonymoushacker.club
68.183.56.151      1  mx.b.anonymoushackers.rocks
68.183.58.64       1  mx.i.anonymoushacker.club
68.183.60.217      1  mx.a.anonymoushacker.club
104.248.29.142     1  mx.b.anonymoushacker.top
104.248.43.40      1  mx.g.anonymoushacker.top
104.248.45.105     1  mx.f.anonymoushacker.top
104.248.45.106     1  mx.e.anonymoushacker.top
104.248.133.88     1  mx.a.anonymoushacker.top
104.248.135.144    1  mx.i.anonymoushacker.top
104.248.137.96     1  mx.h.anonymoushacker.top
104.248.234.166    1  mx.h.anonymous-hacker.top
104.248.234.236    1  mx.i.anonymous-hacker.top
104.248.238.102    1  mx.b.anonymous-hacker.top
104.248.238.109    1  mx.g.anonymous-hacker.top
104.248.255.64     1  mx.j.anonymoushacker.top
104.248.255.191    1  mx.c.anonymoushacker.top
134.209.90.13      1  mx.i.anonymoushacker.rocks
134.209.194.236    1  mx.d.anonymoushacker.rocks
134.209.194.250    1  mx.g.anonymoushacker.rocks
134.209.202.78     1  mx.f.anonymoushacker.rocks
134.209.202.81     1  mx.j.anonymoushacker.rocks
134.209.202.85     1  mx.h.anonymoushacker.rocks
134.209.202.97     1  mx.e.anonymoushacker.rocks
134.209.202.98     1  mx.b.anonymoushacker.rocks
134.209.202.146    1  mx.a.anonymoushacker.rocks
138.197.3.134      1  mx.j.anonymoushackers.rocks
138.197.3.243      1  mx.a.anonymoushackers.rocks
138.197.11.43      1  mx.d.anonymoushackers.rocks
138.197.64.15      1  mx.i.anonymoushackers.rocks
138.197.64.126     1  mx.f.anonymoushackers.rocks
138.197.145.163    1  mx.c.anonymous-hackers.club
142.93.34.47       1  mx.b.anonymous-hacker.club
142.93.34.100      1  mx.h.anonymous-hacker.club
142.93.34.145      1  mx.c.anonymous-hacker.club
142.93.34.231      1  mx.j.anonymous-hacker.club
142.93.34.250      1  mx.g.anonymous-hacker.club
142.93.36.24       1  mx.e.anonymous-hacker.club
142.93.36.197      1  mx.d.anonymous-hacker.club
142.93.44.186      1  mx.f.anonymous-hacker.club
142.93.44.253      1  mx.a.anonymous-hacker.club
142.93.100.10      1  mx.d.anonymoushacker.top
159.65.97.28       1  mx.a.anonymoushackrr.xyz
159.65.145.121     1  mx.j.anonymoushackers.club
159.65.146.103     1  mx.e.anonymoushackers.club
159.65.149.157     1  mx.d.anonymoushackers.club
159.65.149.197     1  mx.h.anonymoushackers.club
159.65.149.215     1  mx.b.anonymoushackers.club
159.65.153.88      1  mx.i.anonymoushackers.club
159.65.153.105     1  mx.a.anonymoushackers.club
159.65.153.208     1  mx.c.anonymoushackers.club
159.65.157.174     1  mx.g.anonymoushackers.club
159.65.158.163     1  mx.f.anonymoushackers.club
159.203.73.167     1  mx.e.anonymoushackers.rocks
165.227.32.190     1  mx.h.anonymous-hackers.club
165.227.46.20      1  mx.b.anonymous-hackers.club
165.227.46.26      1  mx.e.anonymous-hackers.club
165.227.46.45      1  mx.f.anonymous-hackers.club
165.227.46.83      1  mx.j.anonymous-hackers.club
165.227.46.84      1  mx.i.anonymous-hackers.club
165.227.46.111     1  mx.a.anonymous-hackers.club
165.227.46.142     1  mx.g.anonymous-hackers.club
165.227.47.103     1  mx.d.anonymous-hackers.club
167.99.67.101      1  mx.g.anonymoushackers.top
167.99.163.69      1  mx.d.anonymous-hacker.xyz
167.99.163.114     1  mx.g.anonymous-hacker.xyz
167.99.169.27      1  mx.e.anonymous-hacker.xyz
167.99.169.215     1  mx.j.anonymous-hacker.xyz
167.99.171.16      1  mx.i.anonymous-hacker.xyz
167.99.171.18      1  mx.c.anonymous-hacker.xyz
167.99.171.68      1  mx.h.anonymous-hacker.xyz
167.99.173.81      1  mx.b.anonymous-hacker.xyz
167.99.173.119     1  mx.f.anonymous-hacker.xyz
167.99.173.233     1  mx.a.anonymous-hacker.xyz
167.99.188.24      1  mx.f.anonymoushackr.xyz
174.138.56.50      1  mx.c.anonymoushacker.club
174.138.56.126     1  mx.f.anonymoushacker.club
174.138.56.186     1  mx.j.anonymoushacker.club
174.138.56.208     1  mx.g.anonymoushacker.club
174.138.63.187     1  mx.e.anonymoushacker.club
174.138.63.196     1  mx.b.anonymoushacker.club
174.138.63.227     1  mx.d.anonymoushacker.club
178.128.16.47      1  mx.b.anonymoushackers.top
178.128.20.28      1  mx.e.anonymoushackers.top
178.128.24.67      1  mx.c.anonymoushackers.top
178.128.28.134     1  mx.i.anonymoushackers.top
178.128.28.168     1  mx.a.anonymoushackers.top
178.128.219.202    1  mx.d.anonymoushackers.top
207.154.246.193    1  mx.a.anonymoushackz.xyz
209.97.138.234     1