Well, first rain in the Pacific Northwest in three months, the trees and the grass are happy .. and as good an excuse as any to make it a short week.

But wanted to get this out for questions over the weekend.

Gesty.. I think we all know this actor, and see their footprint all over the place, including other ESPs and large providers.

Today, we see it coming from a notorious leaky source, "register.it"
Headers show it's authenticating from ADSEUROPE IP space, using ,,

Received: from NubeGestyFor ([188.93.78.25]) by cmsmtp with ESMTPSA
X-Rid: s...@actualizatusconocimientos.es@

Brazilian spam.. Curious, has register.it started offering a relay service, or changed their rate limiters to allow this activity?

For OVH..

Seeing a large increase in email authentication attacks from OVH space, mostly with PTR matching this pattern..

PTR = vps-23594a8e.vps.ovh.net

Attempting password guessing, across all SMTP ports, 25,465,587.
They are easy to catch, and usually end up getting their IPs on an RBL, but one wider spread piece of activity we aren't getting enough insight into.

Has anyone else been observing activity from the following ranges?

Is it also AUTH attacks, or is it a spamming outbreak?

Have a fun and safe weekend everyone.. And congrats to the two new interns on our threat teams, for completing their first week.

        -- Michael --

PS, You know a thread has run on too long, when you have to put a filter in place to cut down on the noise ;) T-Mobile..


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
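
Added example, not part of the original post: one way to check whether failed SMTP AUTH from hosts with the PTR shape quoted above is spread thinly across a network range. The key=value log format, the documentation-range IPs, the thresholds, and the regex generalisation of the quoted PTR are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# PTR shape quoted in the post (vps-23594a8e.vps.ovh.net). The 8-hex-digit
# label and the .net/.ca suffixes are an assumed generalisation of it.
OVH_VPS_PTR = re.compile(r"^vps-[0-9a-f]{8}\.vps\.ovh\.(?:net|ca)$")
SMTP_PORTS = {25, 465, 587}

# Constructed log lines in a hypothetical key=value format (not a real MTA's).
SAMPLE_LOG = """\
port=25 ip=203.0.113.10 ptr=vps-0a1b2c3d.vps.ovh.net auth=fail user=info@example.org
port=465 ip=203.0.113.10 ptr=vps-0a1b2c3d.vps.ovh.net auth=fail user=admin@example.org
port=587 ip=203.0.113.77 ptr=vps-deadbeef.vps.ovh.net auth=fail user=info@example.org
port=587 ip=203.0.113.91 ptr=vps-5e6f7a8b.vps.ovh.net auth=fail user=sales@example.org
port=587 ip=198.51.100.5 ptr=mail.example.net auth=fail user=bob@example.org
port=587 ip=198.51.100.9 ptr=vps-11223344.vps.ovh.ca auth=ok user=carol@example.org
"""

def parse(line):
    """Split one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)

def failed_auth_by_range(log_text, prefix_len=24):
    """Group failed AUTH attempts from pattern-matching PTRs by network range."""
    ranges = defaultdict(lambda: {"ips": set(), "ports": set(), "users": set(), "fails": 0})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("auth") != "fail":
            continue
        if not OVH_VPS_PTR.match(rec.get("ptr", "")):
            continue
        if int(rec.get("port", "0")) not in SMTP_PORTS:
            continue
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False)
        entry = ranges[str(net)]
        entry["ips"].add(rec["ip"])
        entry["ports"].add(int(rec["port"]))
        entry["users"].add(rec.get("user", ""))
        entry["fails"] += 1
    return dict(ranges)

def distributed_guessing(ranges, min_ips=3, min_fails=4):
    """Ranges where several hosts each fail a few times (thresholds assumed)."""
    return sorted(net for net, e in ranges.items()
                  if len(e["ips"]) >= min_ips and e["fails"] >= min_fails)

if __name__ == "__main__":
    print(distributed_guessing(failed_auth_by_range(SAMPLE_LOG)))
```

Grouping by range rather than by single IP surfaces hosts that each stay under a per-IP failure limit.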
