Re: [mailop] Malware waves from hotmail.com
Many thanks for the links - these would seem to accomplish the desired task.

On Sat, Jun 5, 2021 at 6:11 PM joemailop--- via mailop wrote:

> Hello Scott,
>
> Azure's IP space, updated once a week with one week lead before they go
> live - https://www.microsoft.com/en-us/download/details.aspx?id=56519
>
> From the looks of the json filename, it is changed after each release, so
> I wouldn't recommend re-downloading the below json file for new updates -
> https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20210531.json
>
> AWS - https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html -
> If the download URL doesn't change (doesn't seem to me that it does), you
> can go straight to https://ip-ranges.amazonaws.com/ip-ranges.json. If you
> have an AWS account, you can sign up for notifications when new subnets are
> added. (It requires using their SNS service.)
>
> GCP - https://cloud.google.com/compute/docs/faq#find_ip_range - If the
> download URL doesn't change (doesn't seem to me that it does), you can go
> straight to https://www.gstatic.com/ipranges/cloud.json
>
> -joe
>
> On 6/5/2021 at 7:22 AM, "Michael Peddemors via mailop" wrote:
>
>> Sorry, bit laid up and typing with one hand, but luckily all the top
>> three publicly list their IPs; unfortunately they do it via web URLs
>> that you need to parse instead of via, say, an rwhois entry.
>>
>> (Some are listed at various services you can query in RBL format,
>> such as RATS-AZURE.)
>>
>> Some you can check via PTR naming conventions, and others you can do
>> an ASN lookup.
>>
>> Don't have the URLs handy, but welcome to reach out off list.
>>
>> On 2021-06-04 4:08 p.m., Scott Mutter via mailop wrote:
>>> On Fri, Jun 4, 2021 at 1:24 PM Michael Peddemors via mailop wrote:
>>>
>>>> With apache, you can use modsecurity quite easily, and you can block
>>>> all azure (and other cloud providers' ranges) from certain services
>>>> like wordpress, or contact forms etc. (you can even do dns based
>>>> checks or rbldnsd)..
>>>
>>> Are there any links for this? AFAIK mod_security is just a module - to
>>> actually do anything it requires a ruleset. Further from that, how does
>>> it determine what is Azure and what is not? Is it just blocking IP
>>> addresses? Seems you'd need a list of all of the Azure IP address
>>> space. And from what I have seen the offending IPs are all over the
>>> place:
>>>
>>> 157.55.39.138
>>> 207.46.13.5
>>> 20.83.33.136
>>> 20.94.247.9
>>> 40.124.141.27
>>> 40.124.141.27
>>> 40.124.193.244
>>> 40.76.220.206
>>>
>>> Are just a few.
>>>
>>> But if there's a way to block Azure and other cloud based services, I'd
>>> be interested in that. But I'd suspect you'd need a list of all of
>>> their IP address spaces - is that information available somewhere?

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] Malware waves from hotmail.com
Hello Scott,

Azure's IP space, updated once a week with one week lead before they go
live - https://www.microsoft.com/en-us/download/details.aspx?id=56519

From the looks of the json filename, it is changed after each release, so
I wouldn't recommend re-downloading the below json file for new updates -
https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20210531.json

AWS - https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html -
If the download URL doesn't change (doesn't seem to me that it does), you
can go straight to https://ip-ranges.amazonaws.com/ip-ranges.json. If you
have an AWS account, you can sign up for notifications when new subnets are
added. (It requires using their SNS service.)

GCP - https://cloud.google.com/compute/docs/faq#find_ip_range - If the
download URL doesn't change (doesn't seem to me that it does), you can go
straight to https://www.gstatic.com/ipranges/cloud.json

-joe

On 6/5/2021 at 7:22 AM, "Michael Peddemors via mailop" wrote:

> Sorry, bit laid up and typing with one hand, but luckily all the top
> three publicly list their IPs; unfortunately they do it via web URLs
> that you need to parse instead of via, say, an rwhois entry.
>
> (Some are listed at various services you can query in RBL format,
> such as RATS-AZURE.)
>
> Some you can check via PTR naming conventions, and others you can do
> an ASN lookup.
>
> Don't have the URLs handy, but welcome to reach out off list.
>
> On 2021-06-04 4:08 p.m., Scott Mutter via mailop wrote:
>> On Fri, Jun 4, 2021 at 1:24 PM Michael Peddemors via mailop wrote:
>>
>>> With apache, you can use modsecurity quite easily, and you can block
>>> all azure (and other cloud providers' ranges) from certain services
>>> like wordpress, or contact forms etc. (you can even do dns based
>>> checks or rbldnsd)..
>>
>> Are there any links for this? AFAIK mod_security is just a module - to
>> actually do anything it requires a ruleset. Further from that, how does
>> it determine what is Azure and what is not? Is it just blocking IP
>> addresses? Seems you'd need a list of all of the Azure IP address
>> space. And from what I have seen the offending IPs are all over the
>> place:
>>
>> 157.55.39.138
>> 207.46.13.5
>> 20.83.33.136
>> 20.94.247.9
>> 40.124.141.27
>> 40.124.141.27
>> 40.124.193.244
>> 40.76.220.206
>>
>> Are just a few.
>>
>> But if there's a way to block Azure and other cloud based services, I'd
>> be interested in that. But I'd suspect you'd need a list of all of
>> their IP address spaces - is that information available somewhere?
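The three documents joe links use three different JSON layouts, so turning them into one block list takes a small amount of glue. The script below is an added example for this thread, not code from joe or anyone else on the list. It parses each format, merges overlapping blocks, tells you which provider an address belongs to, and emits the one-CIDR-per-line file that ModSecurity's @ipMatchFromFile operator reads (the use Michael describes further down the thread). The JSON excerpts embedded in it are constructed to mirror the real documents' structure; the prefix values are made up for the example and must not be used as a real list. In production you fetch the live documents and pass their text to build_ranges().

```python
"""Merge the Azure, AWS and GCP published IP-range JSON into one CIDR list.

Added example for this thread, not code from joe or anyone else on the list.
Fetch the three documents yourself (URLs in the post above); the parsing below
runs on constructed excerpts so it works offline.
"""
import ipaddress
import json

# Constructed excerpts. The keys mirror the real documents' layout; the prefix
# values are made up for the example (a couple are chosen so that IPs quoted in
# the thread land inside them). Never use these values for a real block list.
AZURE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1, "cloud": "Public",
    "values": [
        {"name": "AzureCloud", "id": "AzureCloud",
         "properties": {"addressPrefixes": [
             "20.83.0.0/16", "40.124.0.0/16", "2603:1000::/25"]}},
        # Regional tags repeat blocks already listed under AzureCloud.
        {"name": "AzureCloud.eastus", "id": "AzureCloud.eastus",
         "properties": {"addressPrefixes": ["20.83.0.0/16"]}},
    ]})
AWS_IP_RANGES = json.dumps({
    "syncToken": "1", "createDate": "2021-06-05-00-00-00",
    "prefixes": [{"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
                  "service": "EC2", "network_border_group": "us-east-1"}],
    "ipv6_prefixes": [{"ipv6_prefix": "2001:db8:aa::/48", "region": "us-east-1",
                       "service": "EC2", "network_border_group": "us-east-1"}]})
GCP_CLOUD = json.dumps({
    "syncToken": "1", "creationTime": "2021-06-05T00:00:00.000000",
    "prefixes": [{"ipv4Prefix": "203.0.113.0/24", "service": "Google Cloud",
                  "scope": "europe-west1"},
                 {"ipv6Prefix": "2001:db8:bb::/48", "service": "Google Cloud",
                  "scope": "global"}]})


def azure_prefixes(doc):
    """ServiceTags_Public_*.json: one entry per service tag, each with its own
    addressPrefixes; take the union of all of them (a set removes repeats)."""
    tags = json.loads(doc)["values"]
    return {p for tag in tags for p in tag["properties"]["addressPrefixes"]}


def aws_prefixes(doc):
    """ip-ranges.json keeps v4 and v6 in two separate top-level lists."""
    data = json.loads(doc)
    return ({p["ip_prefix"] for p in data["prefixes"]}
            | {p["ipv6_prefix"] for p in data["ipv6_prefixes"]})


def gcp_prefixes(doc):
    """cloud.json has one list; each entry carries ipv4Prefix or ipv6Prefix."""
    return {p.get("ipv4Prefix") or p["ipv6Prefix"]
            for p in json.loads(doc)["prefixes"]}


def collapse(prefixes):
    """Merge overlapping and adjacent blocks, per address family."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4) + sorted(v6)


PARSERS = {"azure": azure_prefixes, "aws": aws_prefixes, "gcp": gcp_prefixes}


def build_ranges(sources):
    """sources: {provider: json_text} -> [(provider, ip_network), ...]"""
    ranges = []
    for name, text in sources.items():
        ranges.extend((name, net) for net in collapse(PARSERS[name](text)))
    return ranges


def provider_of(ip, ranges):
    """Name of the provider whose published space contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ranges
                 if net.version == addr.version and addr in net), None)


def ipmatch_file(ranges):
    """One CIDR per line plus '#' comment lines: the layout ModSecurity's
    @ipMatchFromFile reads, so the output can back rules like Michael's."""
    lines, current = [], None
    for name, net in ranges:
        if name != current:
            lines.append(f"# {name}")
            current = name
        lines.append(str(net))
    return "\n".join(lines) + "\n"


RANGES = build_ranges({"azure": AZURE_SERVICE_TAGS, "aws": AWS_IP_RANGES,
                       "gcp": GCP_CLOUD})

if __name__ == "__main__":
    for ip in ("20.83.33.136", "40.124.141.27", "157.55.39.138"):
        print(ip, provider_of(ip, RANGES))
    print(ipmatch_file(RANGES), end="")
```

Two things worth knowing before running this against the live files. The Azure document lists the same block under AzureCloud and again under every regional and per-service tag it belongs to, which is why the parser takes a set and then collapses; the raw document is tens of thousands of entries, the collapsed v4 list is far shorter. And 157.55.39.138 from Scott's list is outside the constructed sample on purpose: in the real data it is Microsoft corporate space rather than Azure, which is the difference between a published-ranges check and the AS8075 route-based check posted later in the thread.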
Re: [mailop] Malware waves from hotmail.com
Sorry, bit laid up and typing with one hand, but luckily all the top
three publicly list their IPs; unfortunately they do it via web URLs
that you need to parse instead of via, say, an rwhois entry.

(Some are listed at various services you can query in RBL format, such
as RATS-AZURE.)

Some you can check via PTR naming conventions, and others you can do an
ASN lookup.

Don't have the URLs handy, but welcome to reach out off list.

On 2021-06-04 4:08 p.m., Scott Mutter via mailop wrote:
> On Fri, Jun 4, 2021 at 1:24 PM Michael Peddemors via mailop wrote:
>
>> With apache, you can use modsecurity quite easily, and you can block
>> all azure (and other cloud providers' ranges) from certain services
>> like wordpress, or contact forms etc. (you can even do dns based
>> checks or rbldnsd)..
>
> Are there any links for this? AFAIK mod_security is just a module - to
> actually do anything it requires a ruleset. Further from that, how does
> it determine what is Azure and what is not? Is it just blocking IP
> addresses? Seems you'd need a list of all of the Azure IP address
> space. And from what I have seen the offending IPs are all over the
> place:
>
> 157.55.39.138
> 207.46.13.5
> 20.83.33.136
> 20.94.247.9
> 40.124.141.27
> 40.124.141.27
> 40.124.193.244
> 40.76.220.206
>
> Are just a few.
>
> But if there's a way to block Azure and other cloud based services, I'd
> be interested in that. But I'd suspect you'd need a list of all of
> their IP address spaces - is that information available somewhere?

-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
Re: [mailop] Malware waves from hotmail.com
On Fri, 2021-06-04 at 18:08 -0500, Scott Mutter via mailop wrote:
> On Fri, Jun 4, 2021 at 1:24 PM Michael Peddemors via mailop wrote:
>
>> With apache, you can use modsecurity quite easily, and you can block
>> all azure (and other cloud providers' ranges) from certain services
>> like wordpress, or contact forms etc. (you can even do dns based
>> checks or rbldnsd)..
>
> Are there any links for this? AFAIK mod_security is just a module - to
> actually do anything it requires a ruleset. Further from that, how does
> it determine what is Azure and what is not? Is it just blocking IP
> addresses? Seems you'd need a list of all of the Azure IP address
> space. And from what I have seen the offending IPs are all over the
> place:
>
> 157.55.39.138
> 207.46.13.5
> 20.83.33.136
> 20.94.247.9
> 40.124.141.27
> 40.124.141.27
> 40.124.193.244
> 40.76.220.206
>
> Are just a few.
>
> But if there's a way to block Azure and other cloud based services, I'd
> be interested in that. But I'd suspect you'd need a list of all of
> their IP address spaces - is that information available somewhere?

These should give everything routed to AS8075 (Microsoft) as of yesterday.
It's a good start.

V4URL=$(curl -s https://publicdata.caida.org/datasets/routing/routeviews-prefix2as/pfx2as-creation.log -o - \
        | tail --lines=1 \
        | awk '{print "https://publicdata.caida.org/datasets/routing/routeviews-prefix2as/"$3}')
curl -s "${V4URL}" -o - | zegrep "\s8075$" | awk '{print $1"/"$2}'

V6URL=$(curl -s https://publicdata.caida.org/datasets/routing/routeviews6-prefix2as/pfx2as-creation.log -o - \
        | tail --lines=1 \
        | awk '{print "https://publicdata.caida.org/datasets/routing/routeviews6-prefix2as/"$3}')
curl -s "${V6URL}" -o - | zegrep "\s8075$" | awk '{print $1"/"$2}'
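The pfx2as dump those one-liners read has one subtlety that `zegrep "\s8075$"` steps over: the origin column is not always a single ASN. Where several ASes originate the same prefix CAIDA writes them comma-separated, and where the origin is an AS set it joins them with underscores, so a line such as `... 8075,64496` or `... 64496_8075` is dropped by the grep. The script below is an added example for this thread, not the poster's code; it reproduces the pipeline (newest file from the creation log, prefixes for one ASN) and shows how many entries the grep form misses. The creation-log and pfx2as excerpts are constructed so it runs offline; the prefixes in them are invented and merely chosen so the addresses Scott listed fall inside AS8075 entries.

```python
"""Pull AS8075's prefixes out of a CAIDA routeviews pfx2as dump.

Added example for this thread, not code from the poster above. It covers the
same ground as the curl/zegrep one-liners but handles the two origin formats
the dump uses that "\\s8075$" cannot see. Constructed sample data is embedded
so it runs offline; a real run feeds it the downloaded (gunzipped) file.
"""
import ipaddress
import re

BASE = "https://publicdata.caida.org/datasets/routing/routeviews-prefix2as/"

# Constructed excerpt of pfx2as-creation.log: serial, unix time, relative path.
CREATION_LOG_SAMPLE = """\
5137\t1622808000\t2021/routeviews-prefix2as-20210604-1200.pfx2as.gz
5138\t1622836800\t2021/routeviews-prefix2as-20210604-2000.pfx2as.gz
"""

# Constructed excerpt of a .pfx2as file: prefix, length, origin. The origin
# column is a single ASN, a comma list when several ASes originate the prefix
# (MOAS) or an underscore-joined AS set. Prefix values are made up, chosen so
# the IPs quoted in the thread fall inside "8075" entries.
PFX2AS_SAMPLE = """\
20.33.0.0\t16\t8075
20.36.0.0\t14\t8075
20.80.0.0\t12\t8075
40.76.0.0\t14\t8075
40.124.0.0\t16\t8075
157.54.0.0\t15\t8075
207.46.0.0\t16\t8075
198.51.100.0\t24\t8075,64496
203.0.113.0\t24\t64496_8075
192.0.2.0\t24\t64496
"""

# The addresses Scott listed earlier in the thread.
THREAD_IPS = ["157.55.39.138", "207.46.13.5", "20.83.33.136", "20.94.247.9",
              "40.124.141.27", "40.124.193.244", "40.76.220.206"]


def latest_dataset_url(log_text, base=BASE):
    """Same thing the 'tail -1 | awk' does: the newest entry's path under base."""
    last = log_text.strip().splitlines()[-1]
    return base + last.split()[2]


def parse_pfx2as(text):
    """Yield (network, set_of_origin_asns) for every data line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        prefix, length, origins = line.split("\t")
        yield (ipaddress.ip_network(f"{prefix}/{length}"),
               {int(a) for a in re.split(r"[,_]", origins)})


def prefixes_for_asn(text, asn):
    """Every prefix that asn originates, alone or together with others."""
    return [net for net, asns in parse_pfx2as(text) if asn in asns]


def prefixes_for_asn_grep_style(text, asn):
    """What the thread's zegrep/awk pipeline keeps: only lines whose origin
    column is exactly the one ASN (no MOAS, no AS-set entries)."""
    return [net for net, asns in parse_pfx2as(text) if asns == {asn}]


def classify(ips, nets):
    """ip -> True if it sits inside one of nets. A hit on a MOAS or AS-set
    prefix means another AS may originate that block too, so weigh it lower."""
    return {ip: any(ipaddress.ip_address(ip) in n for n in nets) for ip in ips}


if __name__ == "__main__":
    print("newest dump:", latest_dataset_url(CREATION_LOG_SAMPLE))
    full = prefixes_for_asn(PFX2AS_SAMPLE, 8075)
    grep = prefixes_for_asn_grep_style(PFX2AS_SAMPLE, 8075)
    print(len(full), "prefixes for AS8075,", len(full) - len(grep),
          "missed by the grep form")
    for ip, hit in classify(THREAD_IPS, full).items():
        print(ip, "AS8075" if hit else "other")
```

Whether to include the MOAS and AS-set prefixes in a block list is a judgement call: they are routed through Microsoft at least some of the time, but blocking them also hits whoever else originates them. Keeping the two lists separate, as the two functions do, lets you score them differently rather than choosing.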
Re: [mailop] Malware waves from hotmail.com
On Fri, Jun 4, 2021 at 1:24 PM Michael Peddemors via mailop <mailop@mailop.org> wrote:

> With apache, you can use modsecurity quite easily, and you can block all
> azure (and other cloud providers' ranges) from certain services like
> wordpress, or contact forms etc. (you can even do dns based checks or
> rbldnsd)..

Are there any links for this? AFAIK mod_security is just a module - to
actually do anything it requires a ruleset. Further from that, how does it
determine what is Azure and what is not? Is it just blocking IP addresses?
Seems you'd need a list of all of the Azure IP address space. And from what
I have seen the offending IPs are all over the place:

157.55.39.138
207.46.13.5
20.83.33.136
20.94.247.9
40.124.141.27
40.124.141.27
40.124.193.244
40.76.220.206

Are just a few.

But if there's a way to block Azure and other cloud based services, I'd be
interested in that. But I'd suspect you'd need a list of all of their IP
address spaces - is that information available somewhere?
Re: [mailop] Malware waves from hotmail.com
On 2021-06-04 at 10:35:26 UTC-0400 (Fri, 4 Jun 2021 16:35:26 +0200)
Martin Flygenring via mailop is rumored to have said:

> Has anyone found a good way to block these using SpamAssassin? We tried
> to make some rules, but it's hard to make any with that gibberish and
> short subject and body.

SA has built-in non-scoring rules for short HTML bodies but for some reason
not short plaintext. That should be fixable...

> The rule we made initially looked at the length of the body. It was good
> at catching these, but unfortunately it also got some false positives
> due to how SpamAssassin splits longer mails into smaller segments:
>
>   All body paragraphs (double-newline-separated blocks of text) are
>   turned into a line-breaks-removed, whitespace-normalized single line.
>   Any lines longer than 2kB are split into shorter separate lines (from
>   a boundary when possible); this may unexpectedly prevent a pattern
>   from matching. Patterns are matched independently against each of
>   these lines.

This is almost certainly due to not using "rawbody" or "full" rules instead
of "body" rules, which cook the body as you describe. It is also important
to use the '/m' regex modifier to match anything more than a single line.

> That causes some long mails to get tagged as short mails with less than
> 20 characters, due to one of the lines in the long email having less
> than 20 characters.

I'd have to see the specifics of the case to be sure, but I expect that is
a consequence of using a 'body' rule without the multiline modifier.

> Additionally some subjects deviate from the "3 2 1 5"-character pattern,
> like "Habvd l qh"

Trying to abstract the Subject word-length pattern is hopeless.

I have not seen this particular pattern in spam but if you are interested
in getting SA help from a broader audience that may include people who have
found solutions, the SpamAssassin Users list is at
us...@spamassassin.apache.org

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: [mailop] Malware waves from hotmail.com
> -----Original Message-----
> From: mailop On Behalf Of Michael Peddemors via mailop
> Sent: Friday, June 4, 2021 2:24 PM
> To: mailop@mailop.org
> Subject: Re: [mailop] Malware waves from hotmail.com
>
> With apache, you can use modsecurity quite easily, and you can block all
> azure (and other cloud providers' ranges) from certain services like
> wordpress, or contact forms etc. (you can even do dns based checks or
> rbldnsd)..
>
> Unless desktop in the cloud becomes more prevalent, you should make sure
> that resources designed to be accessed by end users only don't accept
> connections from potentially compromised servers, or the bad actors
> throwing up relays..
>
> and yes, Azure, Googlecloud, Amazon threat activity is severely on the rise

I would just add that, if possible, block access to xmlrpc.php. I think
there is a rule included in modsec, but I just disable it outright if not
needed.
Re: [mailop] Malware waves from hotmail.com
With apache, you can use modsecurity quite easily, and you can block all
azure (and other cloud providers' ranges) from certain services like
wordpress, or contact forms etc. (you can even do dns based checks or
rbldnsd)..

Unless desktop in the cloud becomes more prevalent, you should make sure
that resources designed to be accessed by end users only don't accept
connections from potentially compromised servers, or the bad actors
throwing up relays..

and yes, Azure, Googlecloud, Amazon threat activity is severely on the rise

On 2021-06-04 10:06 a.m., Alan Hodgson via mailop wrote:
> On Fri, 2021-06-04 at 11:45 -0500, Scott Mutter via mailop wrote:
>> Not to hijack this thread and send it off-topic, but I'm also seeing a
>> lot of brute force attempts (mostly WordPress login attempts) from
>> various and wide-ranging subnets of Microsoft IPs.
>>
>> Has Microsoft's network been compromised?
>
> Azure.

-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
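What Michael describes, and the xmlrpc.php suggestion made in the reply above, come down to a couple of ModSecurity rules. The fragment below is an added example written for this thread; it is not Michael's configuration and not part of ModSecurity or the OWASP Core Rule Set. It assumes ModSecurity 2.x under Apache, a rule id range (900001-900002) and a list path (/etc/modsecurity/cloud-ranges.txt) that are arbitrary and should be changed to fit your setup, and that the list file holds one CIDR per line with '#' comment lines, which is what the provider JSON documents linked earlier in the thread reduce to.

```apache
# Added example for this thread (not Michael's rules, not CRS). Rule ids and
# the list path are arbitrary; pick ids outside any range your CRS uses.

# 1. xmlrpc.php: refuse it outright if nothing on the host needs it. Phase 1
#    runs on request headers only, so the request body is never read.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:900001,phase:1,deny,status:403,log,msg:'xmlrpc.php disabled'"

# 2. Paths meant for people at keyboards (login, admin, contact form) are
#    refused to clients inside published cloud-provider address space. The
#    chain makes both conditions mandatory; the disruptive action sits on the
#    first rule only, the chained rule carries just its operator.
SecRule REQUEST_FILENAME "@rx ^/(wp-login\.php|wp-admin/|contact)" \
    "id:900002,phase:1,deny,status:403,log,chain,\
    msg:'cloud-hosted client on end-user-only resource'"
    SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/cloud-ranges.txt"
```

Two caveats before deploying it. @ipMatchFromFile loads the list once at startup, so a refreshed cloud-ranges.txt needs a graceful restart to take effect, and the file should be written atomically (write to a temp name, then rename) so a restart never sees a half-written list. And REMOTE_ADDR is the TCP peer: behind a reverse proxy or CDN it is the proxy's address, in which case the rule must be fed the real client address (mod_remoteip on Apache is the usual way) or it will match nothing, or everything.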
Re: [mailop] Malware waves from hotmail.com
On Fri, 2021-06-04 at 11:45 -0500, Scott Mutter via mailop wrote:
> Not to hijack this thread and send it off-topic, but I'm also seeing a lot
> of brute force attempts (mostly WordPress login attempts) from various and
> wide-ranging subnets of Microsoft IPs.
>
> Has Microsoft's network been compromised?

Azure.
Re: [mailop] Malware waves from hotmail.com
Not to hijack this thread and send it off-topic, but I'm also seeing a lot
of brute force attempts (mostly WordPress login attempts) from various and
wide-ranging subnets of Microsoft IPs.

Has Microsoft's network been compromised?

On Fri, Jun 4, 2021 at 10:46 AM Jörg Backschues via mailop <mailop@mailop.org> wrote:

> On 04.06.21 at 10:20h Bjoern Franke wrote via mailop:
>
>> since several weeks we are getting several mails a day from hotmail.com
>> users with subjects like "fob xt k xerhc", an attached malware PDF like
>> [1] and addressed to ~200 recipients.
>
> The good thing is that the patterns are very clear here:
>
> - subject: 3 characters, blank, 2 characters
> - body: 4 characters, blank, 2 characters
> - file name: 7 characters with .pdf extension
>
> The bad thing is that there's no feedback from Microsoft's abuse desk
> for several weeks.
>
> --
> Regards Jörg
Re: [mailop] Malware waves from hotmail.com
On 04.06.21 at 10:20h Bjoern Franke wrote via mailop:

> since several weeks we are getting several mails a day from hotmail.com
> users with subjects like "fob xt k xerhc", an attached malware PDF like
> [1] and addressed to ~200 recipients.

The good thing is that the patterns are very clear here:

- subject: 3 characters, blank, 2 characters
- body: 4 characters, blank, 2 characters
- file name: 7 characters with .pdf extension

The bad thing is that there's no feedback from Microsoft's abuse desk for
several weeks.

-- 
Regards Jörg
Re: [mailop] Malware waves from hotmail.com
Has anyone found a good way to block these using SpamAssassin? We tried to
make some rules, but it's hard to make any with that gibberish and short
subject and body.

The rule we made initially looked at the length of the body. It was good at
catching these, but unfortunately it also got some false positives due to
how SpamAssassin splits longer mails into smaller segments:

  All body paragraphs (double-newline-separated blocks of text) are turned
  into a line-breaks-removed, whitespace-normalized single line. Any lines
  longer than 2kB are split into shorter separate lines (from a boundary
  when possible); this may unexpectedly prevent a pattern from matching.
  Patterns are matched independently against each of these lines.

That causes some long mails to get tagged as short mails with less than 20
characters, due to one of the lines in the long email having less than 20
characters.

Additionally some subjects deviate from the "3 2 1 5"-character pattern,
like "Habvd l qh"

-- 
Martin Flygenring (maf)
Systems Engineer, One.com

On 04/06/2021 10.20, Bjoern Franke via mailop wrote:
> Hi,
>
> since several weeks we are getting several mails a day from hotmail.com
> users with subjects like "fob xt k xerhc", an attached malware PDF like
> [1] and addressed to ~200 recipients.
>
> Maybe we should consider blocking all outbound servers of Microsoft
> because some part of their network is sending malware. Oh, wait...
>
> Regards
> Bjoern
>
> [1] https://www.virustotal.com/gui/file/0266273639c665b5420a08f372ec94c277d34a2a09aa3c9fd171b6473fb9d552/detection
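Putting together Martin's question, the pattern Jörg spelled out and Bill's advice on rule types (all earlier on this page), here is a local.cf fragment as an added example. It is mine, not Bill's or Martin's, and nothing in it ships with SpamAssassin; the rule names, scores and regexes are arbitrary and should be tuned against your own samples. It assumes the gibberish text arrives as its own text/plain part and that the MIMEHeader plugin is loaded (the stock v320.pre does that). The body test is anchored with \A and \z, so Bill's /m point does not arise here; it matters once you use ^ and $ on a multi-line rawbody.

```conf
# local.cf fragment. Added example for this thread; rule names, scores and the
# regexes are mine, not Bill's, Martin's or anything shipped with SpamAssassin.

# Sender: the thread's samples all come from hotmail.com accounts.
header     __LOCAL_HM_FROM      From:addr =~ /\@hotmail\.com$/i

# Attachment: a 7-letter name with a .pdf extension, as Jörg described. The
# name can sit on either MIME header, so check both (MIMEHeader plugin).
mimeheader __LOCAL_HM_PDF7_CT   Content-Type =~ /name="?[a-z]{7}\.pdf"?/i
mimeheader __LOCAL_HM_PDF7_CD   Content-Disposition =~ /filename="?[a-z]{7}\.pdf"?/i

# Body: nothing but one to four short lowercase "words" (Jörg's "4 blank 2"
# plus the variants Martin saw). rawbody is matched against each decoded text
# part with its line breaks intact, so \A and \z pin the test to the whole
# part. The same regex as a body rule would be tried against every paragraph
# of a long mail separately and fire on any short one, which is the false
# positive Martin described.
rawbody    __LOCAL_HM_TINYBODY  /\A\s*(?:[a-z]{1,7}\s+){0,3}[a-z]{1,7}\s*\z/

meta       LOCAL_HM_GIBBERISH_PDF  __LOCAL_HM_FROM && (__LOCAL_HM_PDF7_CT || __LOCAL_HM_PDF7_CD) && __LOCAL_HM_TINYBODY
describe   LOCAL_HM_GIBBERISH_PDF  hotmail.com sender, one-line gibberish body, 7-letter .pdf attachment
score      LOCAL_HM_GIBBERISH_PDF  4.0
```

Run `spamassassin --lint` after adding it, then `spamassassin -t < sample.eml` on one of the caught messages and on a long legitimate mail from a hotmail.com sender with a PDF attached: the first should list LOCAL_HM_GIBBERISH_PDF, the second must not. Keep the meta as the only scoring rule; the three subrules on their own describe far too much legitimate mail to carry points.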