Re: [mailop] Things to do on a Sunday, when there is an atmospheric river.. Investigate 'code200 UAB'
On 2022-10-30 at 15:17 -0700, Michael Peddemors via mailop wrote:
> Can anyone give insight into this company?
>
> They have an IMMENSE amount of IP space from PSI/Cogent..
>
> (Someone might like to look into this from Cogent's end)
>
> Their website (https://www.code200.global/contact) has no real
> company information, and Google shows a Lithuanian company by that
> name with 17 employees.

The website also claims they are based in Lithuania.
Interestingly, these "IT experts" with "clients all over the world", that provide "dedicated hosting and cloud", chose to make and host their website with... wix.

> But almost all of that IP space is active, with either PTR
> naming conventions of code200.global ..
>
> Oct 30 09:02:51 be msd[3651510]: CONN: 38.79.219.120 -> 25 GeoIP = [US] PTR = code200.global OS = Linux 2.2.x-3.x
> Oct 30 09:02:51 be msd[3651510]: HELO command received, args: code200.global
> Oct 30 09:02:52 be msd[3651510]: MAIL command received, args: FROM:
>
> Doing list washing..
>
> ... or..
>
> 38.128.158.229 x1 prd-ol-25ad6o.sourcexnet.com
> 38.128.158.231 x1 prd-ol-6n0jkp.unsignedstatic.com
> 38.128.158.233 x1 prd-ol-hf8c87.spaceisstupid.com
> 38.128.158.235 x1 prd-ol-fc0xdw.marketdatax.com
>
> They advertise that they are selling internet connections for $19.95
> and hosting, but this doesn't appear to be the case..
>
> Oct 30 11:46:08 be msd[4182031]: CONN: 149.100.189.246 -> 25 GeoIP = [IT] PTR = prd-ol-5sp9th.froyogogo.com OS = Linux 2.2.x-3.x
> Oct 30 11:46:09 be msd[4182031]: HELO command received, args: prd-ol-5SP9TH.froyogogo.com
> Oct 30 11:46:09 be msd[4182031]: MAIL command received, args: FROM:
>
> You will recall that name from a while back in our reports..
>
> This seems to be someone trying to prove they have justification for
> IP space, but this is simply huge swaths of IP space used to slow
> roll list washing it appears..
>
> Anyone else have comments on them?

I have a few hits from them. Being really small, that is noticeable by itself.

They seem to be doing the checks by pairs. At almost the same time, they check the expected mailbox from one ip address, then a second ip requests a made up mailbox in the same domain with a random alphanumeric local part of 13 characters (in order to compare with a non-existing mailbox, apparently).

Interestingly, they use esmtps for the fake address but smtp (HELO with no STARTTLS) for the real one.

In one case, the email used was tied to a company, and code200 check was followed 3 weeks later by a mail from them using salesforce ip space (they had not sent anything for months). I can only conclude that they contracted code200 for listwashing.

In addition to PTRs of code200.global, the rdns (performed today) of the ip addresses they used show:
- prd-ol-XX.maillistclean.com
- prd-ol-XX.froyogogo.com
- prd-ol-XX.megamx.net

where XX are (random?) alphanumeric codes.
(both the HELO name and MAIL FROM domain were code200.global, not the prd-ol one)

whois shows these ranges to still belong to "Code 200, UAB" in different US cities.

Regards

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] Things to do on a Sunday, when there is an atmospheric river.. Investigate 'code200 UAB'
They are validating addresses using incomplete SMTP dialogs. Either nullroute or block at the MAIL FROM stage, so they don't even get to check whether RCPT TO would be accepted.

Cheers,
Hans-Martin

On 30 October 2022 23:23:51, Michael Peddemors via mailop wrote:

> Can anyone give insight into this company?
>
> They have an IMMENSE amount of IP space from PSI/Cogent..
>
> (Someone might like to look into this from Cogent's end)
>
> Their website (https://www.code200.global/contact) has no real
> company information, and Google shows a Lithuanian company by that
> name with 17 employees.
>
> But almost all of that IP space is active, with either PTR
> naming conventions of code200.global ..
>
> Oct 30 09:02:51 be msd[3651510]: CONN: 38.79.219.120 -> 25 GeoIP = [US] PTR = code200.global OS = Linux 2.2.x-3.x
> Oct 30 09:02:51 be msd[3651510]: HELO command received, args: code200.global
> Oct 30 09:02:52 be msd[3651510]: MAIL command received, args: FROM:
>
> Doing list washing..
>
> ... or..
>
> 38.128.158.229 x1 prd-ol-25ad6o.sourcexnet.com
> 38.128.158.231 x1 prd-ol-6n0jkp.unsignedstatic.com
> 38.128.158.233 x1 prd-ol-hf8c87.spaceisstupid.com
> 38.128.158.235 x1 prd-ol-fc0xdw.marketdatax.com
>
> They advertise that they are selling internet connections for $19.95
> and hosting, but this doesn't appear to be the case..
>
> Oct 30 11:46:08 be msd[4182031]: CONN: 149.100.189.246 -> 25 GeoIP = [IT] PTR = prd-ol-5sp9th.froyogogo.com OS = Linux 2.2.x-3.x
> Oct 30 11:46:09 be msd[4182031]: HELO command received, args: prd-ol-5SP9TH.froyogogo.com
> Oct 30 11:46:09 be msd[4182031]: MAIL command received, args: FROM:
>
> You will recall that name from a while back in our reports..
>
> This seems to be someone trying to prove they have justification for
> IP space, but this is simply huge swaths of IP space used to slow
> roll list washing it appears..
>
> Anyone else have comments on them?
>
> --
> "Catch the Magic of Linux..."
> Michael Peddemors, President/CEO LinuxMagic Inc.
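Added example (not from any poster in this thread): a way to surface the behaviour described in the two replies above, namely SMTP dialogs abandoned before DATA that arrive in pairs, one for a real mailbox and one for a random 13-character local part in the same domain from a second IP. The Session record, the 60-second window and all sample values are assumptions; real input would be parsed from your own MTA log.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple

class Session(NamedTuple):
    when: datetime
    ip: str
    tls: bool        # True if STARTTLS was negotiated
    rcpt: str        # address given in RCPT TO
    sent_data: bool  # False = dialog abandoned before DATA

# Shape reported in the thread: random 13-character alphanumeric local part.
RANDOM_LOCAL = re.compile(r"^[a-z0-9]{13}$", re.IGNORECASE)

def find_probe_pairs(sessions, known_mailboxes, window=timedelta(seconds=60)):
    """Return (real_probe, control_probe, tls_split) for paired abandoned dialogs."""
    probes = sorted((s for s in sessions if not s.sent_data), key=lambda s: s.when)
    pairs = []
    for real in probes:
        if real.rcpt.lower() not in known_mailboxes:
            continue
        domain = real.rcpt.rpartition("@")[2].lower()
        for ctl in probes:
            local, _, ctl_domain = ctl.rcpt.rpartition("@")
            if (ctl.ip != real.ip
                    and ctl_domain.lower() == domain
                    and ctl.rcpt.lower() not in known_mailboxes
                    and RANDOM_LOCAL.match(local)
                    and abs(ctl.when - real.when) <= window):
                # tls_split: control probe used STARTTLS, real probe did not.
                pairs.append((real, ctl, ctl.tls and not real.tls))
    return pairs

def ips_to_block(pairs):
    """Both source addresses of every pair, for a connect/MAIL FROM deny list."""
    return sorted({s.ip for real, ctl, _ in pairs for s in (real, ctl)})

# Constructed sample data (documentation IP ranges, example.org).
T0 = datetime(2022, 10, 30, 9, 2, 51)
KNOWN = {"alice@example.org", "bob@example.org"}
SAMPLE = [
    Session(T0, "192.0.2.10", False, "alice@example.org", False),
    Session(T0 + timedelta(seconds=2), "192.0.2.44", True, "k3j9x0q2m7p1z@example.org", False),
    Session(T0 + timedelta(minutes=5), "198.51.100.7", True, "bob@example.org", True),  # real delivery
    Session(T0 + timedelta(hours=2), "203.0.113.9", True, "typo13charsxx@example.org", False),  # unpaired
]

if __name__ == "__main__":
    print("deny:", ips_to_block(find_probe_pairs(SAMPLE, KNOWN)))
```

The unpaired abandoned session is deliberately not flagged: a lone unknown recipient is ordinary noise, while the real-plus-control pair inside the window is the pattern reported here.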
[mailop] Things to do on a Sunday, when there is an atmospheric river.. Investigate 'code200 UAB'
Can anyone give insight into this company?

They have an IMMENSE amount of IP space from PSI/Cogent..

(Someone might like to look into this from Cogent's end)

Their website (https://www.code200.global/contact) has no real company information, and Google shows a Lithuanian company by that name with 17 employees.

But almost all of that IP space is active, with either PTR naming conventions of code200.global ..

Oct 30 09:02:51 be msd[3651510]: CONN: 38.79.219.120 -> 25 GeoIP = [US] PTR = code200.global OS = Linux 2.2.x-3.x
Oct 30 09:02:51 be msd[3651510]: HELO command received, args: code200.global
Oct 30 09:02:52 be msd[3651510]: MAIL command received, args: FROM:

Doing list washing..

... or..

38.128.158.229 x1 prd-ol-25ad6o.sourcexnet.com
38.128.158.231 x1 prd-ol-6n0jkp.unsignedstatic.com
38.128.158.233 x1 prd-ol-hf8c87.spaceisstupid.com
38.128.158.235 x1 prd-ol-fc0xdw.marketdatax.com

They advertise that they are selling internet connections for $19.95 and hosting, but this doesn't appear to be the case..

Oct 30 11:46:08 be msd[4182031]: CONN: 149.100.189.246 -> 25 GeoIP = [IT] PTR = prd-ol-5sp9th.froyogogo.com OS = Linux 2.2.x-3.x
Oct 30 11:46:09 be msd[4182031]: HELO command received, args: prd-ol-5SP9TH.froyogogo.com
Oct 30 11:46:09 be msd[4182031]: MAIL command received, args: FROM:

You will recall that name from a while back in our reports..

This seems to be someone trying to prove they have justification for IP space, but this is simply huge swaths of IP space used to slow roll list washing it appears..

Anyone else have comments on them?

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.