couttsj Posted March 13, 2012

This morning I am getting a bunch of email attempts from the 64.191.x.x block. This block is assigned to Network Solutions (hostnoc.net). Has Network Solutions been compromised?

J.A. Coutts

Also the 64.120.x.x block. To be more precise:

1. 64.120.189.219 on port 2156|11:02:32
2. 64.120.205.228 on port 16525|11:23:47
3. 64.120.206.48 on port 29004|04:09:40
4. 64.120.210.144 on port 20648|04:18:26
5. 64.120.235.204 on port 19974|09:16:06
6. 64.120.238.133 on port 15815|06:21:53
7. 64.191.24.146 on port 10448|10:25:28
8. 64.191.32.113 on port 5436|11:06:14
9. 64.191.36.136 on port 33107|10:34:07
10. 64.191.43.187 on port 10486|09:27:33
11. 64.191.60.243 on port 42094|05:38:04
12. 64.191.85.86 on port 46801|07:40:54

Each one was used twice.
turetzsr Posted March 13, 2012

...Not sure how to use the Cisco Reputation Lookup facility but perhaps you can figure it out, perhaps with a more detailed IP address. Please let us know if you're able to discover anything!
Farelf Posted March 14, 2012

Well, one can drill down through the Browseable map of IPv4 netspace (IP space map) on the SC Statistics page and, once down to the /16 or /24 level, take a link to the Cisco-SenderBase lookup to look down to individual IP addresses. For instance, from 64.0.0.0/8 it is seen that 64.79.0.0/16 is the worst in that neighbourhood by a long way (lots of allocations to different owners, didn't look further but it is easy enough to do so).

Concentrating on the blocks you nominate, 64.120.0.0/16 has some spam but minor as a proportion at that level. Looking down, 64.120.216.0/24 is the worst part of that, both spam volume and spam proportion, and from there the SB link shows the 6 servers on which the stats (good with bad) are presumably based. 64.191.0.0/16 doesn't show anything worrisome at that level but, going down, the worst /24 by a mile is 64.191.14.0/24 with 64 servers showing in SenderBase to contribute to the "ham and spam" figures.

64.120.216.0/24 is HOSTNOC-5BLK and 64.191.0.0/17 (64.191.0.0 - 64.191.127.255) is HOSTNOC-3BLK.

So, yes, there is evidence of some problems in HOSTNOC netspace but none of widespread compromise, I would say. I know nothing of the ports you report they used though - that doesn't look right.
couttsj Posted March 14, 2012

> So, yes, there is evidence of some problems in HOSTNOC netspace but none of widespread compromise, I would say. I know nothing of the ports you report they used though - that doesn't look right.

The port numbers are meaningless. That is just the next available port on the sender side that is used to establish the TCP connection to port 25 on the receiver side. They just happen to show up in the log file like that.

I might have thought that these were real attempts from Network Solutions to contact some old customers on our network, but the MAIL FROM: addresses were obviously fictional. The domain portion however was real, and matched the IP address.

J.A. Coutts
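An added example (not something posted in this thread) of how a mail admin could read a log in the "<ip> on port <port>|<time>" format shown above: it counts how often each source IP appears, rolls the attempts up to the /16 a hoster's allocation shows up at, and reports what share of the port column sits in the client's ephemeral range, which is the point made above that the port number carries no signal. The log lines are constructed to match the thread's format and are not taken from a real server.

```python
"""Aggregate a connection log by source IP and /16 and show that the port
column is the sender's ephemeral port.  Added example, not the poster's tool."""
import ipaddress
import re
from collections import Counter

# Constructed sample log in the thread's "<ip> on port <port>|<HH:MM:SS>" format.
SAMPLE_LOG = """\
64.120.189.219 on port 2156|11:02:32
64.120.189.219 on port 2157|11:02:40
64.120.205.228 on port 16525|11:23:47
64.120.205.228 on port 16526|11:23:55
64.191.24.146 on port 10448|10:25:28
64.191.24.146 on port 10449|10:25:35
64.191.32.113 on port 5436|11:06:14
64.191.32.113 on port 5437|11:06:20
198.51.100.7 on port 44321|12:00:01
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) on port (?P<port>\d+)\|(?P<time>\d\d:\d\d:\d\d)$"
)


def parse_log(text):
    """Return a list of (ip, port, time) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((ipaddress.ip_address(m["ip"]), int(m["port"]), m["time"]))
    return events


def ip_reuse(events):
    """Attempts per source IP (the thread observed each IP being used twice)."""
    return Counter(str(ip) for ip, _, _ in events)


def attempts_by_prefix(events, prefixlen=16):
    """Attempts per /prefixlen network, the level at which a hoster's block stands out."""
    counts = Counter()
    for ip, _, _ in events:
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return counts


def ephemeral_port_share(events, low=1024):
    """Fraction of observed client ports at or above `low`.  A value near 1.0
    confirms the port column is the sender's ephemeral source port, not a service."""
    if not events:
        return 0.0
    return sum(1 for _, port, _ in events if port >= low) / len(events)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(ip_reuse(ev))
    print(attempts_by_prefix(ev))
    print(f"client ports in the ephemeral range: {ephemeral_port_share(ev):.0%}")
```

Run it against a real log by replacing SAMPLE_LOG with the file's contents; the /16 roll-up is what lets you compare your own view against the per-block figures on the SC statistics pages mentioned above.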
couttsj Posted March 16, 2012

The problem is much bigger than I first thought. The results from yesterday are shown below. The common points for all of them are:

1. All are located within the NetWork Solutions block of IPs.
2. All are hosted by Moniker.com
   ns1.monikerdns.net [208.73.210.41]
   ns2.monikerdns.net [208.73.211.42]
   ns3.monikerdns.net [50.57.11.89]
   ns4.monikerdns.net [50.57.11.88]
3. All respond to port 25 & port 80
4. Web Page is blank <HTML><BODY></BODY></HTML>

Network Solutions Whois server identifies some of them by ID number.

J.A. Coutts

--------------------------------------------------------
Spammer 64.120.137.230 Identified!|19:58:05
  network:block:64.120.137.224/27
  network:organization;I:T0000019714
  bzj002.com MX mail.bzj002.com

Spammer 64.120.189.210 Identified!|11:41:19
  network:block:64.120.189.192/27
  network:organization;I:T0000013487
  ustonz.com MX smx.ustonz.com

Spammer 64.120.189.35 Identified!|19:08:55
  network:block:64.120.189.32/28
  network:organization;I:T0000008004
  leaparker.com MX mail.leaparker.com

Spammer 64.120.235.212 Identified!|19:54:08
  d20world.com MX exchange.d20world.com

Spammer 64.120.235.216 Identified!|06:59:46
  jogosmoveis.com MX nullmx.jogosmoveis.com

Spammer 64.120.238.184 Identified!|08:27:53
  network:block:64.120.238.160/27
  network:organization;I:T0000008004
  1mulu.com MX smx.1mulu.com

Spammer 64.191.122.103 Identified!|11:16:31
  network:block:64.191.122.96/27
  network:organization;I:T0000008004
  almoalij.com MX webmail.almoalij.com

Spammer 64.191.122.108 Identified!|07:44:34
  network:block:64.191.122.96/27
  network:organization;I:T0000008004
  gepkocsi.com MX mail2.gepkocsi.com

Spammer 64.191.2.60 Identified!|07:15:03
  casaup.com MX mx3.casaup.com

Spammer 64.191.24.158 Identified!|08:37:23
  gzshjjls.com MX nullmx.gzshjjls.com

Spammer 64.191.32.105 Identified!|13:02:55
  network:block:64.191.32.96/27
  network:organization;I:T0000023998
  matchsalon.com MX mail2.matchsalon.com

Spammer 64.191.43.167 Identified!|18:11:31
  17008888.com MX www.17008888.com

Spammer 64.191.43.173 Identified!|11:37:43
  qdjtjy.com MX exchange.qdjtjy.com

Spammer 64.191.51.5 Identified!|08:06:04
  yuledajia818.com MX smx.yuledajia818.com

Spammer 64.191.6.68 Identified!|14:42:07
  network:block:64.191.6.64/27
  network:organization;I:T0000027201
  schuheschweiz.net MX webmail.schuheschweiz.net

Spammer 64.191.63.67 Identified!|09:50:47
  douban123.com MX smtp2.douban123.com

Spammer 64.191.85.88 Identified!|09:51:14
  network:block:64.191.85.80/28
  network:organization;I:T0000008004
  onlinevideolosangeles.com MX higherpower.onlinevideolosangeles.com

Spammer 66.197.148.92 Identified!|16:48:52
  No PTR

Spammer 66.197.168.61 Identified!|05:40:26
  168955.com MX nullmx.168955.com

Spammer 66.197.229.132 Identified!|09:58:31
  network:block:66.197.229.128/27
  network:organization;I:T0000008004
  itakeurpic.com MX mx3.itakeurpic.com

Spammer 66.197.229.157 Identified!|05:05:32
  network:block:66.197.229.128/27
  network:organization;I:T0000008004
  flextense.net MX mail.flextense.net

Spammer 66.197.241.74 Identified!|05:03:29
  network:block:66.197.241.64/27
  network:organization;I:T0000008561
  italiagioielli.net MX smtp2.italiagioielli.net

Spammer 66.197.241.79 Identified!|08:07:21
  network:block:66.197.241.64/27
  network:organization;I:T0000008561
  mickleigh.com MX pop.mickleigh.com

Spammer 66.197.241.88 Identified!|18:08:45
  network:block:66.197.241.64/27
  network:organization;I:T0000008561
  dinarmyo.com MX mail.dinarmyo.com

Spammer 66.197.245.226 Identified!|05:13:49
  penloyd.com MX mail.penloyd.com

Spammer 66.96.195.162 Identified!|16:43:21
  network:block:66.96.195.128/26
  network:organization;I:T0000024343
  89811111.com MX pop.89811111.com

Spammer 66.96.195.186 Identified!|14:34:01
  network:block:66.96.195.128/26
  network:organization;I:T0000024343
  pinzhentang.com MX webmail.pinzhentang.com

Spammer 66.96.199.43 Identified!|06:24:23
  network:block:66.96.199.32/27
  network:organization;I:T0000008561
  phantomddl.com MX smtp2.phantomddl.com

Spammer 66.96.235.230 Identified!|09:51:08
  network:block:66.96.235.224/28
  network:organization;I:T0000011175
  gyxmzj.com mail.gyxmzj.com

Spammer 66.96.253.52 Identified!|19:09:13
  network:block:66.96.253.32/27
  network:organization;I:T0000026176
  jflmag.com MX webmail.jflmag.com

Spammer 96.9.140.82 Identified!|09:55:31
  timeka.net MX pop.timeka.net

Spammer 96.9.147.117 Identified!|07:36:33
  bizkaya.com MX exchange.bizkaya.com

Spammer 96.9.154.232 Identified!|09:40:03
  network:block:96.9.154.224/27
  network:organization;I:T0000008561
  my-tuner.com MX amx.my-tuner.com

Spammer 96.9.162.38 Identified!|11:24:12
  gowin24.net MX smx.gowin24.net

Spammer 96.9.169.137 Identified!|05:39:17
  network:block:96.9.169.128/27
  network:organization;I:T0000008004
  chessmasterclassics.com MX ns2.chessmasterclassics.com

Spammer 96.9.172.130 Identified!|13:00:20
  network:block:96.9.172.128/27
  network:organization;I:T0000006716
  vozvanie.com amx.vozvanie.com

Spammer 96.9.172.71 Identified!|04:19:29
  hnliheng.com MX smx.hnliheng.com
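An added example, not part of the thread, of pulling the "common points" out of records in the "Spammer ... Identified!" format above: it parses each record, counts how often each whois organization ID recurs across unrelated domains, checks that every sender really sits inside the block reported for it, and counts how many of the domains point their MX back into themselves (the nullmx./smx./webmail. pattern visible in the list). The eight records embedded below are copied from the post above; the parser tolerates records with no block, no MX token, or only "No PTR".

```python
"""Correlate whois organization IDs, netblocks and MX naming across the
'Spammer <ip> Identified!' records.  Added example, not the poster's tool."""
import ipaddress
import re
from collections import Counter

# Eight records copied from the thread, one per line.
SAMPLE_RECORDS = """\
Spammer 64.120.189.35 Identified!|19:08:55 network:block:64.120.189.32/28 network:organization;I:T0000008004 leaparker.com MX mail.leaparker.com
Spammer 64.120.235.216 Identified!|06:59:46 jogosmoveis.com MX nullmx.jogosmoveis.com
Spammer 64.191.122.103 Identified!|11:16:31 network:block:64.191.122.96/27 network:organization;I:T0000008004 almoalij.com MX webmail.almoalij.com
Spammer 64.191.122.108 Identified!|07:44:34 network:block:64.191.122.96/27 network:organization;I:T0000008004 gepkocsi.com MX mail2.gepkocsi.com
Spammer 66.197.148.92 Identified!|16:48:52 No PTR
Spammer 66.197.241.74 Identified!|05:03:29 network:block:66.197.241.64/27 network:organization;I:T0000008561 italiagioielli.net MX smtp2.italiagioielli.net
Spammer 66.96.235.230 Identified!|09:51:08 network:block:66.96.235.224/28 network:organization;I:T0000011175 gyxmzj.com mail.gyxmzj.com
Spammer 96.9.169.137 Identified!|05:39:17 network:block:96.9.169.128/27 network:organization;I:T0000008004 chessmasterclassics.com MX ns2.chessmasterclassics.com
"""

REC_RE = re.compile(
    r"^Spammer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) Identified!\|(?P<time>\d\d:\d\d:\d\d)"
    r"(?: network:block:(?P<block>\S+) network:organization;I:(?P<org>\S+))?"
    r"(?: (?P<rest>.*))?$"
)


def parse_records(text):
    """One dict per record: ip, time, block, org, domain, mx (None where absent)."""
    records = []
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if not m:
            continue
        rest = (m["rest"] or "").strip()
        tokens = rest.split()
        if not tokens or rest == "No PTR":
            domain = mx = None
        else:
            # First token is the domain; the MX host is the last token whether
            # or not the literal "MX" separator survived in the record.
            domain, mx = tokens[0], tokens[-1]
        records.append({"ip": m["ip"], "time": m["time"], "block": m["block"],
                        "org": m["org"], "domain": domain, "mx": mx})
    return records


def org_counts(records):
    """Whois organization IDs by frequency; a single ID behind many throwaway
    domains is the commonality the post is pointing at."""
    return Counter(r["org"] for r in records if r["org"])


def ips_outside_block(records):
    """Sanity check: senders whose IP is not inside the whois block reported for it."""
    return [r["ip"] for r in records
            if r["block"] and ipaddress.ip_address(r["ip"])
            not in ipaddress.ip_network(r["block"], strict=False)]


def self_hosted_mx(records):
    """(domains whose MX host is a subdomain of the domain itself, domains with an MX)."""
    with_mx = [r for r in records if r["domain"] and r["mx"]]
    own = [r for r in with_mx if r["mx"].endswith("." + r["domain"])]
    return len(own), len(with_mx)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(org_counts(recs).most_common())
    print("IPs outside their reported block:", ips_outside_block(recs))
    print("MX inside own domain: %d of %d" % self_hosted_mx(recs))
```

Feeding it the full list from the post gives the per-organization tally that the whois IDs only hint at when read by eye.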
Farelf Posted March 17, 2012

In most instances SC has a different reporting address than the ARIN abuse address. That should be good, hopefully indicating they take the reports seriously, to be optimistic. I exceeded my query limit with just the last two but a safe bet would be they are also spamcop[at]burst.net. [edit, yes they are]. Some of the variant addresses might simply require cache refreshing - I picked up one of those but there could be others. Anyway, server host notification is a courtesy - the main game is to put the errant IP addresses into the SCBL whenever they reach the tripping point. Keep reporting them if you are able.

| IP Address     | Abuse mail (ARIN)        | SpamCop Abuse Add.                | Name PTR                              |
|----------------|--------------------------|-----------------------------------|---------------------------------------|
| 64.120.137.230 | nic[at]hostnoc.net       | spamcop[at]burst.net              | mail.bzj002.com                       |
| 64.120.189.210 | as above                 | as above                          | smx.ustonz.com                        |
| 64.120.189.35  | as above                 | as above                          | mail.leaparker.com                    |
| 64.120.235.212 | as above                 | as above                          | exchange.d20world.com                 |
| 64.120.235.216 | as above                 | as above                          | nullmx.jogosmoveis.com                |
| 64.120.238.184 | as above                 | as above                          | smx.1mulu.com                         |
| 64.191.122.103 | as above                 | tech[at]varsonint.com             | webmail.almoalij.com                  |
| 64.191.122.108 | as above                 | as above                          | mail2.gepkocsi.com                    |
| 64.191.2.60    | as above                 | tech[at]omni-reachservices.com    | mx3.casaup.com                        |
| 64.191.24.158  | as above                 | spamcop[at]burst.net              | nullmx.gzshjjls.com                   |
| 64.191.32.105  | as above                 | as above                          | mail2.matchsalon.com                  |
| 64.191.43.167  | as above                 | as above                          | www.17008888.com                      |
| 64.191.43.173  | as above                 | as above                          | exchange.qdjtjy.com                   |
| 64.191.51.5    | as above                 | tech[at]forestbaynetservices.com  | smx.yuledajia818.com                  |
| 64.191.6.68    | as above                 | spamcop[at]burst.net              | webmail.schuheschweiz.net             |
| 64.191.63.67   | as above                 | as above                          | smtp2.douban123.com                   |
| 64.191.85.88   | as above                 | as above                          | higherpower.onlinevideolosangeles.com |
| 66.197.148.92  | tech[at]newrametech.com  | tech[at]newrametech.com           | smtp2.kartepearge.com                 |
| 66.197.168.61  | hunter[at]cyberia.net.lb | abuse[at]cyberia.net.lb +others   | nullmx.168955.com                     |
| 66.197.229.132 | nic[at]hostnoc.net       | spamcop[at]burst.net              | mx3.itakeurpic.com                    |
| 66.197.229.157 | as above                 | as above                          | mail.flextense.net                    |
| 66.197.241.74  | tech[at]sanfried.com     | as above                          | smtp2.italiagioielli.net              |
| 66.197.241.79  | as above                 | as above                          | pop.mickleigh.com                     |
| 66.197.241.88  | as above                 | as above                          | mail.dinarmyo.com                     |
| 66.197.245.226 | nic[at]hostnoc.net       | as above                          | mail.penloyd.com                      |
| 66.96.195.162  | as above                 | as above                          | pop.89811111.com                      |
| 66.96.195.186  | as above                 | as above                          | webmail.pinzhentang.com               |
| 66.96.199.43   | as above                 | as above                          | smtp2.phantomddl.com                  |
| 66.96.235.230  | as above                 | as above                          | mail.gyxmzj.com                       |
| 66.96.253.52   | as above                 | as above                          | webmail.jflmag.com                    |
| 96.9.140.82    | as above                 | as above                          | pop.timeka.net                        |
| 96.9.147.117   | as above                 | as above                          | exchange.bizkaya.com                  |
| 96.9.154.232   | as above                 | as above                          | amx.my-tuner.com                      |
| 96.9.162.38    | as above                 | as above                          | smx.gowin24.net                       |
| 96.9.169.137   | as above                 | as above                          | ns2.chessmasterclassics.com           |
| 96.9.172.130   | as above                 | as above                          | amx.vozvanie.com                      |
| 96.9.172.71    | as above                 | as above                          | smx.hnliheng.com                      |

SpamCop doesn't address the domain registrar and name servers - there are other spamfighting groups which do that. Moniker is not well-regarded in those circles, I think.

Yes, there are some nuisances abusing the NetWork Solutions resources. You have detected some commonality or pattern, so it does seem a bit concerted/co-ordinated. That's good, it will make it easier to apply pressure. As said, the "helicopter view" from the SC stats pages does not show that abuse to be huge within the scheme of things - but that is relative, obviously you are seeing a lot from that source. Certainly, if everyone who got spam from there reported it then the spammers would be seriously inconvenienced, at the very least.
couttsj Posted March 17, 2012

> Yes, there are some nuisances abusing the NetWork Solutions resources. You have detected some commonality or pattern, so it does seem a bit concerted/co-ordinated. That's good, it will make it easier to apply pressure. As said, the "helicopter view" from the SC stats pages does not show that abuse to be huge within the scheme of things - but that is relative, obviously you are seeing a lot from that source. Certainly, if everyone who got spam from there reported it then the spammers would be seriously inconvenienced, at the very least.

I think it goes beyond that. The list of IPs for yesterday is completely different from the ones for the day before. Not one was used more than once. I checked the mail servers on these addresses, and they do not support relaying, but they also do not verify the EHLO or the MAIL FROM:. So I was able to send an email with the following commands:

    --> telnet 64.120.189.215 25
    220 mail.hitandrungolf.com ESMTP service ready
    --> EHLO me
    250-mail.hitandrungolf.com says hello
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250-8BITMIME
    250-AUTH CRAM-MD5
    250-AUTH=CRAM-MD5
    250-XACK
    250-SIZE 0
    250-VERP
    250 DSN
    --> MAIL FROM: anyone[at]anywhere.com
    250 2.1.0 MAIL ok
    --> RCPT TO: administrator[at]hitandrun.com
    250 2.1.5 <administrator[at]hitandrun.com> ok
    --> DATA
    --> Please stop sending me your crap!
    --> .
    354 send message
    250 2.6.0 message received
    --> QUIT
    221 2.0.0 mail.hitandrungolf.com says goodbye
    ----------------------------------------------------------------------

Since these servers do not support relaying but do support authenticated remote login, I am 99.9% sure that Network Solutions has been compromised. I also checked a few of the registrations, and all these domains were registered in February/March, and all were updated on Mar. 12, 2012. That must be when this campaign started.

Interestingly enough, Spamcop had one of Network Solutions' real email servers listed yesterday:

    x-pobox-client-address: 205.178.190.239
    X-Sift-Reason: dnsbl/bl.spamcop.net bounced
    NetRange: 205.178.128.0 - 205.178.191.255
    OrgName: Network Solutions, LLC
    Country: US
    Mar 16, 2:21 pm NSCC0+4760856280[at]mail1.networksolutions.com

J.A. Coutts
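For admins who want to check their own MTA against the behaviour recorded in the session above, here is an added example (not the poster's tool and not something from the thread) that reads a transcript in the same "-->" client / bare server-reply layout and lists what a hardened configuration would have refused: a non-FQDN EHLO argument, MAIL FROM / RCPT TO accepted without the angle brackets RFC 5321 requires, AUTH offered on a session where STARTTLS was never advertised, and SIZE 0 (no message size limit). The transcript below is constructed with placeholder hostnames and omits the DATA body, so the parser expects command lines only.

```python
"""Audit an SMTP session transcript for lenient server behaviour.
Added example, not the poster's tool; transcript is constructed."""
import re

# Constructed transcript using the thread's '-->' convention for client lines.
SAMPLE_TRANSCRIPT = """\
220 mail.example.net ESMTP service ready
--> EHLO me
250-mail.example.net says hello
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH CRAM-MD5
250-SIZE 0
250 DSN
--> MAIL FROM: anyone@example.org
250 2.1.0 MAIL ok
--> RCPT TO: administrator@example.net
250 2.1.5 <administrator@example.net> ok
--> DATA
354 send message
--> QUIT
221 2.0.0 mail.example.net says goodbye
"""

# Dotted hostname with valid labels; RFC 5321 also allows an address literal "[1.2.3.4]".
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def parse_transcript(text):
    """Return (verb, args, reply_lines) triples; the banner gets verb 'GREETING'."""
    exchanges = []
    current = ["GREETING", "", []]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-->"):
            exchanges.append(tuple(current))
            verb, _, args = line[3:].strip().partition(" ")
            current = [verb.upper(), args.strip(), []]
        else:
            current[2].append(line)
    exchanges.append(tuple(current))
    return exchanges


def capabilities(exchanges):
    """Keyword -> parameter from the multi-line EHLO reply (first line is the greeting)."""
    caps = {}
    for verb, _, replies in exchanges:
        if verb == "EHLO":
            for r in replies[1:]:
                if r.startswith("250"):
                    kw, _, param = r[4:].partition(" ")
                    caps[kw.upper()] = param.strip()
    return caps


def accepted(replies):
    """True when the server's final reply to a command was a 2xx."""
    return bool(replies) and replies[-1].startswith("2")


def audit(text):
    """List the lenient behaviours found in the transcript."""
    ex = parse_transcript(text)
    caps = capabilities(ex)
    findings = []
    for verb, args, replies in ex:
        if verb == "EHLO" and accepted(replies):
            if not (FQDN_RE.match(args) or args.startswith("[")):
                findings.append(f"EHLO argument {args!r} is not a fully qualified hostname but was accepted")
        if verb in ("MAIL", "RCPT") and accepted(replies):
            addr = args.split(":", 1)[1].strip() if ":" in args else args
            if not (addr.startswith("<") and addr.endswith(">")):
                findings.append(f"{verb} accepted an unbracketed address {addr!r} (RFC 5321 requires <...>)")
    if "AUTH" in caps and "STARTTLS" not in caps:
        findings.append("AUTH offered without STARTTLS: authentication happens on an unencrypted session")
    if caps.get("SIZE") == "0":
        findings.append("SIZE 0 advertised: no maximum message size enforced")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TRANSCRIPT):
        print("-", finding)
```

Paste a session captured from your own server in place of SAMPLE_TRANSCRIPT; an empty findings list means none of the four weaknesses seen above are present.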
Farelf Posted March 18, 2012

Sounds good to me - time to submit your evidence and suspicions to Network Solutions management/abuse management: http://www.nocster.com/
couttsj Posted March 21, 2012

> Sounds good to me - time to submit your evidence and suspicions to Network Solutions management/abuse management.

I did just that, but it should be no surprise to anyone that it was totally ignored. These big companies are all the same. Try to do them a favor and they are so understaffed that they can't even be bothered to read their own emails. But I suppose that no response is better than an automated response.

J.A. Coutts
couttsj Posted March 31, 2012

It turns out that Burst.net is at least partially responsible for all this spam traffic by virtue of the fact that 75% of their hosting business is wholesaled to other hosting companies. http://krebsonsecurity.com/2012/03/microso...spyeye-botnets/

In other words, they contend that they are not responsible for what these other companies do. This is the biggest cop-out I have ever heard. SpamCop should blacklist their entire IP ranges.

J.A. Coutts