couttsj Posted July 24, 2012

5. 212.179.146.225 on port 41896|08:59:59
5. EHLO 4xp.com
5. MAIL FROM:<sarahk[at]4xp.com>
5. QUIT
5. Closed.|09:00:00

This one has me very puzzled. It started early yesterday morning with single attempts, and has progressed to 5 simultaneous attempts every 30 minutes. But that is not the puzzling part. It appears that 4xp.com is a legitimate forex trading site. Yesterday it was located in the UK and hosted by mydyndns.org. Today it is located in the US [204.13.162.123] and is hosted by dsredirection.com. However, the IP address being used in the spam attempts [212.179.146.225] showed a reverse lookup of mail.4xp.com yesterday, but today it fails a reverse lookup. Whois.ripe.net reports:

inetnum: 212.179.146.224 - 212.179.146.231
netname: FOREX-PLACE-LTD
country: IL (Israel)

It would appear that Forex Place got hijacked, and they are desperately trying to separate themselves from the spammer.
Farelf Posted July 25, 2012

Interesting. SORBS is showing spam from that address with msg IDs ending in [at]EXG-4XP.4XP.local for some time (most recent recorded 28 December last). Apart from that 212.179.146.225 looks pretty clean and does appear to be under the control of bezeqint.net (RIPE record showing FOREX-PLACE-LTD netname attributed to hostmaster[at]bezeqint.net).

The 4xp.com TXT record is

v=spf1 ip4:95.142.16.195 ip4:95.142.16.196 ip4:95.142.16.197 ip4:95.142.16.198 ip4:95.142.16.199 ip4:95.142.16.200 ip4:94.236.19.162 ip4:79.125.89.245 ip4:212.179.146.224 ip4:212.179.146.225 ip4:212.179.146.226 ip4:212.179.146.227 ip4:212.179.146.228 ip4: 79.125.53.164 ip4:46.137.5.88 -all

The 4xp.com MX record is

4xp.com MX preference = 20, mail exchanger = mx2.mailhop.org
4xp.com MX preference = 10, mail exchanger = mx1.mailhop.org
mx2.mailhop.org internet address = 216.146.33.7
mx1.mailhop.org internet address = 216.146.33.3
mx1.mailhop.org internet address = 216.146.33.1
mx2.mailhop.org internet address = 216.146.33.5

... and robtex shows

216.146.32.0/24
216.146.32.1 216.146.32.2 216.146.32.3 216.146.32.4 216.146.32.5 216.146.32.6 216.146.32.7
216.146.33.0/24
216.146.33.1 216.146.33.2 216.146.33.3 216.146.33.4 216.146.33.5 216.146.33.6 216.146.33.7

I have no idea what that all means except they must send and receive an awful lot of time critical mail through lots of servers and it would seem if 212.179.146.225 is actually spamming/been fed a bad mail list then, presumably, abuse[at]bezeqint.net should be told soonest.
couttsj Posted July 25, 2012 (Author)

Looks like they got it under control, as the attempts stopped at 4:00 AM this morning, and the reverse lookup on [212.179.146.225] once again returns mail.4xp.com.

J.A. Coutts
Farelf Posted July 25, 2012

Thanks for the follow-up. Indeed 212.179.146.225 does pass the rDNS lookup

C:\WINDOWS\system32>nslookup mail.4xp.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: mail.4xp.com
Address: 212.179.146.225

C:\WINDOWS\system32>nslookup -type=ptr 212.179.146.225 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
225.146.179.212.in-addr.arpa name = mail.4xp.com

It looks like it is (without checking them all) the only one out of the SPF (TXT) record ...

C:\WINDOWS\system32>nslookup -type=txt 4xp.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
4xp.com text =
"v=spf1 ip4:95.142.16.195 ip4:95.142.16.196 ip4:95.142.16.197 ip4:95.142.16.198 ip4:95.142.16.199 ip4:95.142.16.200 ip4:94.236.19.162 ip4:79.125.89.245 ip4:212.179.146.224 ip4:212.179.146.225 ip4:212.179.146.226 ip4:212.179.146.227 ip4:212.179.146.228 ip4:"
"79.125.53.164 ip4:46.137.5.88 -all"

... that does reference 4xp.com. Not sure that ANY address recorded in the SPF record needs to specifically reference 4xp.com in the rDNS lookup or, consequently, that it is significant when one (or more) doesn't, but if the delivery attempts have stopped anyway I suppose the point is moot.

Marking "Resolved" - should be "Mysterious" if the truth be told.
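As an added illustration (not part of the thread), the Python below does what a receiving mail server has to do with the two quoted TXT strings shown in the nslookup output above: concatenate them with no separator, parse the ip4 terms and evaluate a connecting address such as 212.179.146.225. It also shows that gluing the strings with a space, which is how the record reads when copied as "ip4: 79.125.53.164", turns the split term into a permanent error. Handling only ip4/ip6/all mechanisms is an assumption made so the check runs offline.

```python
import ipaddress

# Constructed sample: the two quoted strings nslookup printed for the 4xp.com
# TXT record in the post above. A TXT record longer than 255 bytes is returned
# as several strings, and the receiver must concatenate them with no separator
# (RFC 7208, section 3.3) before parsing.
TXT_STRINGS_4XP = [
    "v=spf1 ip4:95.142.16.195 ip4:95.142.16.196 ip4:95.142.16.197 "
    "ip4:95.142.16.198 ip4:95.142.16.199 ip4:95.142.16.200 ip4:94.236.19.162 "
    "ip4:79.125.89.245 ip4:212.179.146.224 ip4:212.179.146.225 "
    "ip4:212.179.146.226 ip4:212.179.146.227 ip4:212.179.146.228 ip4:",
    "79.125.53.164 ip4:46.137.5.88 -all",
]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Parse a record that uses only ip4/ip6/all terms (assumption) into
    [(result, mechanism, network)]; any other or malformed term is an error."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.lower().partition(":")
        if name == "all" and not value:
            parsed.append((QUALIFIERS[qualifier], "all", None))
        elif name in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)  # bare IP -> /32 or /128
            parsed.append((QUALIFIERS[qualifier], name, net))
        else:                                 # e.g. "ip4:" or a bare "79.125.53.164"
            raise ValueError("malformed or unsupported term: %r" % term)
    return parsed

def check_sender(txt_strings, client_ip, joiner=""):
    """SPF result for client_ip. `joiner` glues the TXT strings together;
    anything other than "" corrupts a record that was split mid-term."""
    try:
        terms = parse_spf(joiner.join(txt_strings))
    except ValueError:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for result, mechanism, net in terms:
        if mechanism == "all" or ip in net:   # ip-in-network is False across v4/v6
            return result
    return "neutral"                          # no -all at the end of the record
```

A real evaluator also resolves a, mx and include mechanisms and applies the lookup limits; this block stops at the address-literal terms the thread is about.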