
Network Solutions Compromised?


couttsj


This morning I am getting a bunch of email attempts from the 64.191.x.x block. This block is assigned to Network Solutions (hostnoc.net). Has Network Solutions been compromised?

J.A. Coutts

Also the 64.120.x.x block. To be more precise:

1. 64.120.189.219 on port 2156|11:02:32
2. 64.120.205.228 on port 16525|11:23:47
3. 64.120.206.48 on port 29004|04:09:40
4. 64.120.210.144 on port 20648|04:18:26
5. 64.120.235.204 on port 19974|09:16:06
6. 64.120.238.133 on port 15815|06:21:53
7. 64.191.24.146 on port 10448|10:25:28
8. 64.191.32.113 on port 5436|11:06:14
9. 64.191.36.136 on port 33107|10:34:07
10. 64.191.43.187 on port 10486|09:27:33
11. 64.191.60.243 on port 42094|05:38:04
12. 64.191.85.86 on port 46801|07:40:54

Each one was used twice.


Well, one can drill down through the Browseable map of IPv4 netspace (IP space map) on the SC Statistics page and, once down to the /16 or /24 level, take a link to the Cisco-SenderBase lookup to look down to individual IP addresses.

For instance, from 64.0.0.0/8 it is seen that 64.79.0.0/16 is the worst in that neighbourhood by a long way (lots of allocations to different owners, didn't look further but it is easy enough to do so). Concentrating on the blocks you nominate, 64.120.0.0/16 has some spam but minor as a proportion at that level. Looking down, 64.120.216.0/24 is the worst part of that, both spam volume and spam proportion and from there the SB link shows the 6 servers on which the stats (good with bad) are presumably based.

64.191.0.0/16 doesn't show anything worrisome at that level but, going down, the worst /24 by a mile is 64.191.14.0/24 with 64 servers showing in SenderBase to contribute to the "ham and spam" figures.

64.120.216.0/24 is HOSTNOC-5BLK and 64.191.0.0/17 (64.191.0.0 - 64.191.127.255) is HOSTNOC-3BLK.

So, yes, there is evidence of some problems in HOSTNOC netspace but none of widespread compromise, I would say. I know nothing of the ports you report they used though - that doesn't look right.


So, yes, there is evidence of some problems in HOSTNOC netspace but none of widespread compromise, I would say. I know nothing of the ports you report they used though - that doesn't look right.

The port numbers are meaningless. That is just the next available port on the sender side that is used to establish the TCP connection to port 25 on the receiver side. They just happen to show up in the log file like that. I might have thought that these were real attempts from Network Solutions to contact some old customers on our network, but the MAIL FROM: addresses were obviously fictional. The domain portion however was real, and matched the IP address.

J.A. Coutts


The problem is much bigger than I first thought. The results from yesterday are shown below. The common points for all of them are:

1. All are located within the Network Solutions block of IPs.

2. All are hosted by Moniker.com.

ns1.monikerdns.net [208.73.210.41]

ns2.monikerdns.net [208.73.211.42]

ns3.monikerdns.net [50.57.11.89]

ns4.monikerdns.net [50.57.11.88]

3. All respond to port 25 & port 80

4. Web Page is blank <HTML><BODY></BODY></HTML>

Network Solutions Whois server identifies some of them by ID number.

J.A. Coutts

--------------------------------------------------------

Spammer 64.120.137.230 Identified!|19:58:05

network:block:64.120.137.224/27

network:organization;I:T0000019714

bzj002.com

MX mail.bzj002.com

Spammer 64.120.189.210 Identified!|11:41:19

network:block:64.120.189.192/27

network:organization;I:T0000013487

ustonz.com

MX smx.ustonz.com

Spammer 64.120.189.35 Identified!|19:08:55

network:block:64.120.189.32/28

network:organization;I:T0000008004

leaparker.com

MX mail.leaparker.com

Spammer 64.120.235.212 Identified!|19:54:08

d20world.com

MX exchange.d20world.com

Spammer 64.120.235.216 Identified!|06:59:46

jogosmoveis.com

MX nullmx.jogosmoveis.com

Spammer 64.120.238.184 Identified!|08:27:53

network:block:64.120.238.160/27

network:organization;I:T0000008004

1mulu.com

MX smx.1mulu.com

Spammer 64.191.122.103 Identified!|11:16:31

network:block:64.191.122.96/27

network:organization;I:T0000008004

almoalij.com

MX webmail.almoalij.com

Spammer 64.191.122.108 Identified!|07:44:34

network:block:64.191.122.96/27

network:organization;I:T0000008004

gepkocsi.com

MX mail2.gepkocsi.com

Spammer 64.191.2.60 Identified!|07:15:03

casaup.com

MX mx3.casaup.com

Spammer 64.191.24.158 Identified!|08:37:23

gzshjjls.com

MX nullmx.gzshjjls.com

Spammer 64.191.32.105 Identified!|13:02:55

network:block:64.191.32.96/27

network:organization;I:T0000023998

matchsalon.com

MX mail2.matchsalon.com

Spammer 64.191.43.167 Identified!|18:11:31

17008888.com

MX www.17008888.com

Spammer 64.191.43.173 Identified!|11:37:43

qdjtjy.com

MX exchange.qdjtjy.com

Spammer 64.191.51.5 Identified!|08:06:04

yuledajia818.com

MX smx.yuledajia818.com

Spammer 64.191.6.68 Identified!|14:42:07

network:block:64.191.6.64/27

network:organization;I:T0000027201

schuheschweiz.net

MX webmail.schuheschweiz.net

Spammer 64.191.63.67 Identified!|09:50:47

douban123.com

MX smtp2.douban123.com

Spammer 64.191.85.88 Identified!|09:51:14

network:block:64.191.85.80/28

network:organization;I:T0000008004

onlinevideolosangeles.com

MX higherpower.onlinevideolosangeles.com

Spammer 66.197.148.92 Identified!|16:48:52

No PTR

Spammer 66.197.168.61 Identified!|05:40:26

168955.com

MX nullmx.168955.com

Spammer 66.197.229.132 Identified!|09:58:31

network:block:66.197.229.128/27

network:organization;I:T0000008004

itakeurpic.com

MX mx3.itakeurpic.com

Spammer 66.197.229.157 Identified!|05:05:32

network:block:66.197.229.128/27

network:organization;I:T0000008004

flextense.net

MX mail.flextense.net

Spammer 66.197.241.74 Identified!|05:03:29

network:block:66.197.241.64/27

network:organization;I:T0000008561

italiagioielli.net

MX smtp2.italiagioielli.net

Spammer 66.197.241.79 Identified!|08:07:21

network:block:66.197.241.64/27

network:organization;I:T0000008561

mickleigh.com

MX pop.mickleigh.com

Spammer 66.197.241.88 Identified!|18:08:45

network:block:66.197.241.64/27

network:organization;I:T0000008561

dinarmyo.com

MX mail.dinarmyo.com

Spammer 66.197.245.226 Identified!|05:13:49

penloyd.com

MX mail.penloyd.com

Spammer 66.96.195.162 Identified!|16:43:21

network:block:66.96.195.128/26

network:organization;I:T0000024343

89811111.com

MX pop.89811111.com

Spammer 66.96.195.186 Identified!|14:34:01

network:block:66.96.195.128/26

network:organization;I:T0000024343

pinzhentang.com

MX webmail.pinzhentang.com

Spammer 66.96.199.43 Identified!|06:24:23

network:block:66.96.199.32/27

network:organization;I:T0000008561

phantomddl.com

MX smtp2.phantomddl.com

Spammer 66.96.235.230 Identified!|09:51:08

network:block:66.96.235.224/28

network:organization;I:T0000011175

gyxmzj.com

mail.gyxmzj.com

Spammer 66.96.253.52 Identified!|19:09:13

network:block:66.96.253.32/27

network:organization;I:T0000026176

jflmag.com

MX webmail.jflmag.com

Spammer 96.9.140.82 Identified!|09:55:31

timeka.net

MX pop.timeka.net

Spammer 96.9.147.117 Identified!|07:36:33

bizkaya.com

MX exchange.bizkaya.com

Spammer 96.9.154.232 Identified!|09:40:03

network:block:96.9.154.224/27

network:organization;I:T0000008561

my-tuner.com

MX amx.my-tuner.com

Spammer 96.9.162.38 Identified!|11:24:12

gowin24.net

MX smx.gowin24.net

Spammer 96.9.169.137 Identified!|05:39:17

network:block:96.9.169.128/27

network:organization;I:T0000008004

chessmasterclassics.com

MX ns2.chessmasterclassics.com

Spammer 96.9.172.130 Identified!|13:00:20

network:block:96.9.172.128/27

network:organization;I:T0000006716

vozvanie.com

amx.vozvanie.com

Spammer 96.9.172.71 Identified!|04:19:29

hnliheng.com

MX smx.hnliheng.com


In most instances SC has a different reporting address than the ARIN abuse address. That should be good, hopefully indicating they take the reports seriously, to be optimistic. I exceeded my query limit with just the last two but a safe bet would be they are also spamcop[at]burst.net. [edit, yes they are]. Some of the variant addresses might simply require cache refreshing - I picked up one of those but there could be others.

Anyway, server host notification is a courtesy - the main game is to put the errant IP addresses into the SCBL whenever they reach the tripping point. Keep reporting them if you are able.

IP Address Abuse mail (ARIN) SpamCop Abuse Add. Name PTR
64.120.137.230 nic[at]hostnoc.net spamcop[at]burst.net mail.bzj002.com
64.120.189.210 as above as above smx.ustonz.com
64.120.189.35 as above as above mail.leaparker.com
64.120.235.212 as above as above exchange.d20world.com
64.120.235.216 as above as above nullmx.jogosmoveis.com
64.120.238.184 as above as above smx.1mulu.com
64.191.122.103 as above tech[at]varsonint.com webmail.almoalij.com
64.191.122.108 as above as above mail2.gepkocsi.com
64.191.2.60 as above tech[at]omni-reachservices.com mx3.casaup.com
64.191.24.158 as above spamcop[at]burst.net nullmx.gzshjjls.com
64.191.32.105 as above as above mail2.matchsalon.com
64.191.43.167 as above as above www.17008888.com
64.191.43.173 as above as above exchange.qdjtjy.com
64.191.51.5 as above tech[at]forestbaynetservices.com smx.yuledajia818.com
64.191.6.68 as above spamcop[at]burst.net webmail.schuheschweiz.net
64.191.63.67 as above as above smtp2.douban123.com
64.191.85.88 as above as above higherpower.onlinevideolosangeles.com
66.197.148.92 tech[at]newrametech.com tech[at]newrametech.com smtp2.kartepearge.com
66.197.168.61 hunter[at]cyberia.net.lb abuse[at]cyberia.net.lb +others nullmx.168955.com
66.197.229.132 nic[at]hostnoc.net spamcop[at]burst.net mx3.itakeurpic.com
66.197.229.157 as above as above mail.flextense.net
66.197.241.74 tech[at]sanfried.com as above smtp2.italiagioielli.net
66.197.241.79 as above as above pop.mickleigh.com
66.197.241.88 as above as above mail.dinarmyo.com
66.197.245.226 nic[at]hostnoc.net as above mail.penloyd.com
66.96.195.162 as above as above pop.89811111.com
66.96.195.186 as above as above webmail.pinzhentang.com
66.96.199.43 as above as above smtp2.phantomddl.com
66.96.235.230 as above as above mail.gyxmzj.com
66.96.253.52 as above as above webmail.jflmag.com
96.9.140.82 as above as above pop.timeka.net
96.9.147.117 as above as above exchange.bizkaya.com
96.9.154.232 as above as above amx.my-tuner.com
96.9.162.38 as above as above smx.gowin24.net
96.9.169.137 as above as above ns2.chessmasterclassics.com
96.9.172.130 as above as above amx.vozvanie.com
96.9.172.71 as above as above smx.hnliheng.com

SpamCop doesn't address the domain registrar and name servers - there are other spamfighting groups which do that. Moniker is not well-regarded in those circles, I think.

Yes, there are some nuisances abusing the Network Solutions resources. You have detected some commonality or pattern, so it does seem a bit concerted/co-ordinated. That's good, it will make it easier to apply pressure. As said, the "helicopter view" from the SC stats pages does not show that abuse to be huge within the scheme of things - but that is relative, obviously you are seeing a lot from that source. Certainly, if everyone who got spam from there reported it then the spammers would be seriously inconvenienced, at the very least.

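The two posts above carry the same data in two shapes: the per-IP "Spammer ... Identified!" records (whois block, organization ID, domain, MX) and a flattened contact table whose cells say "as above". Turning both into structured data is what lets a reporter see the pattern the reply mentions (the same organization ID recurring across unrelated /27s, and which abuse address each IP actually maps to). The script below is an added example written for this page, not code from either poster or from SpamCop; it embeds an excerpt of the records and table copied from the thread, and the grouping heuristics (shared org IDs, hosts per /24, IPs per report address) are my own choice of what to summarise.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt of the "Spammer ... Identified!" records posted above (copied from the thread).
RECORDS = """\
Spammer 64.120.137.230 Identified!|19:58:05
network:block:64.120.137.224/27
network:organization;I:T0000019714
bzj002.com
MX mail.bzj002.com
Spammer 64.120.235.212 Identified!|19:54:08
d20world.com
MX exchange.d20world.com
Spammer 64.191.122.103 Identified!|11:16:31
network:block:64.191.122.96/27
network:organization;I:T0000008004
almoalij.com
MX webmail.almoalij.com
Spammer 64.191.122.108 Identified!|07:44:34
network:block:64.191.122.96/27
network:organization;I:T0000008004
gepkocsi.com
MX mail2.gepkocsi.com
Spammer 66.197.148.92 Identified!|16:48:52
No PTR
Spammer 66.197.168.61 Identified!|05:40:26
168955.com
MX nullmx.168955.com
Spammer 66.197.229.132 Identified!|09:58:31
network:block:66.197.229.128/27
network:organization;I:T0000008004
itakeurpic.com
MX mx3.itakeurpic.com
Spammer 66.96.235.230 Identified!|09:51:08
network:block:66.96.235.224/28
network:organization;I:T0000011175
gyxmzj.com
mail.gyxmzj.com
"""

# Excerpt of the contact table posted above; "as above" repeats the cell from the previous row.
TABLE = """\
IP Address Abuse mail (ARIN) SpamCop Abuse Add. Name PTR
64.120.137.230 nic[at]hostnoc.net spamcop[at]burst.net mail.bzj002.com
64.120.235.212 as above as above exchange.d20world.com
64.191.122.103 as above tech[at]varsonint.com webmail.almoalij.com
64.191.122.108 as above as above mail2.gepkocsi.com
66.197.148.92 tech[at]newrametech.com tech[at]newrametech.com smtp2.kartepearge.com
66.197.168.61 hunter[at]cyberia.net.lb abuse[at]cyberia.net.lb +others nullmx.168955.com
66.197.229.132 nic[at]hostnoc.net spamcop[at]burst.net mx3.itakeurpic.com
66.96.235.230 as above as above mail.gyxmzj.com
"""

HEAD = re.compile(r"^Spammer (\S+) Identified!\|(\d\d:\d\d:\d\d)$")


def parse_records(text):
    """Turn the record list into {ip: {time, block, org, domain, mx, has_ptr}}."""
    records, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HEAD.match(line)
        if m:
            cur = {"time": m.group(2), "block": None, "org": None,
                   "domain": None, "mx": None, "has_ptr": True}
            records[m.group(1)] = cur
        elif cur is None:
            continue
        elif line.startswith("network:block:"):
            cur["block"] = line.rsplit(":", 1)[1]
        elif line.startswith("network:organization;I:"):
            cur["org"] = line.rsplit(":", 1)[1]
        elif line == "No PTR":
            cur["has_ptr"] = False
        elif line.startswith("MX "):
            cur["mx"] = line[3:]
        elif cur["domain"] is None:
            cur["domain"] = line
        else:
            cur["mx"] = line  # a few records in the thread omit the "MX" prefix
    return records


def parse_table(text):
    """Parse the space-separated table, filling "as above" down from the previous row."""
    rows, prev = {}, {"arin": None, "spamcop": None}
    for line in text.splitlines()[1:]:  # first line is the header
        tokens = line.replace("as above", "AS_ABOVE").split()
        if len(tokens) < 4:
            continue
        ip, ptr = tokens[0], tokens[-1]
        # the SpamCop column may hold several tokens ("... +others")
        cells = {"arin": tokens[1], "spamcop": " ".join(tokens[2:-1])}
        for key, value in cells.items():
            cells[key] = prev[key] if value == "AS_ABOVE" else value
        prev = cells
        rows[ip] = {"ptr": ptr, **cells}
    return rows


def shared_org_ids(records):
    """Whois organization IDs that appear on more than one IP (the shared-owner signal)."""
    by_org = defaultdict(list)
    for ip, rec in records.items():
        if rec["org"]:
            by_org[rec["org"]].append(ip)
    return {org: ips for org, ips in by_org.items() if len(ips) > 1}


def hosts_per_prefix(records, prefixlen=24):
    """Count listed IPs per covering prefix, to see how spread out the hosts are."""
    counts = defaultdict(int)
    for ip in records:
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return dict(counts)


def report_targets(records, contacts):
    """Group IPs by the address SpamCop would report to, with the org IDs behind them."""
    grouped = defaultdict(lambda: {"ips": [], "orgs": set()})
    for ip, rec in records.items():
        target = contacts.get(ip, {}).get("spamcop", "unknown")
        grouped[target]["ips"].append(ip)
        if rec["org"]:
            grouped[target]["orgs"].add(rec["org"])
    return dict(grouped)


if __name__ == "__main__":
    recs, table = parse_records(RECORDS), parse_table(TABLE)
    for target, info in report_targets(recs, table).items():
        print(target, sorted(info["ips"]), sorted(info["orgs"]))
    print("shared org IDs:", shared_org_ids(recs))
    print("hosts per /24:", hosts_per_prefix(recs))
```

Run against the full lists from the thread, the `shared_org_ids` output is the quickest way to substantiate the "commonality" claim: one organization ID covering hosts in several different /27s under different abuse contacts is a fact the abuse desk can check in its own whois data.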

Yes, there are some nuisances abusing the Network Solutions resources. You have detected some commonality or pattern, so it does seem a bit concerted/co-ordinated. That's good, it will make it easier to apply pressure. As said, the "helicopter view" from the SC stats pages does not show that abuse to be huge within the scheme of things - but that is relative, obviously you are seeing a lot from that source. Certainly, if everyone who got spam from there reported it then the spammers would be seriously inconvenienced, at the very least.

I think it goes beyond that. The list of IPs for yesterday is completely different from the ones for the day before. Not one was used more than once. I checked the mail servers on these addresses, and they do not support relaying, but they also do not verify the EHLO or the MAIL FROM:. So I was able to send an email with the following commands:

--> telnet 64.120.189.215 25

220 mail.hitandrungolf.com ESMTP service ready

--> EHLO me

250-mail.hitandrungolf.com says hello

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-CHUNKING

250-8BITMIME

250-AUTH CRAM-MD5

250-AUTH=CRAM-MD5

250-XACK

250-SIZE 0

250-VERP

250 DSN

--> MAIL FROM: anyone[at]anywhere.com

250 2.1.0 MAIL ok

--> RCPT TO: administrator[at]hitandrun.com

250 2.1.5 <administrator[at]hitandrun.com> ok

--> DATA

--> Please stop sending me your crap!

--> .

354 send message

250 2.6.0 message received

--> QUIT

221 2.0.0 mail.hitandrungolf.com says goodbye

----------------------------------------------------------------------

Since these servers do not support relaying but do support authenticated remote login, I am 99.9% sure that Network Solutions has been compromised. I also checked a few of the registrations, and all these domains were registered in February/March, and all were updated on Mar. 12, 2012. That must be when this campaign started. Interestingly enough, Spamcop had one of Network Solutions' real email servers listed yesterday:

x-pobox-client-address: 205.178.190.239

X-Sift-Reason: dnsbl/bl.spamcop.net bounced

NetRange: 205.178.128.0 - 205.178.191.255

OrgName: Network Solutions, LLC

Country: US

Mar 16, 2:21 pm NSCC0+4760856280[at]mail1.networksolutions.com

J.A. Coutts

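The transcript above is the kind of evidence an operator reviewing one of these hosts would want summarised: which ESMTP extensions the server advertises, whether AUTH is offered with no STARTTLS in the list, and whether a MAIL FROM in a domain unrelated to the server's own banner is accepted. The script below is an added example written for this page, not code from the poster; it embeds the quoted session as its input, and the findings it derives (the "AUTH without STARTTLS" and "foreign sender accepted" flags, and the banner-versus-sender-domain comparison) are my own checks, not something the post spells out.

```python
import re

# The SMTP session quoted above, copied from the post; client lines start with "-->".
TRANSCRIPT = """\
--> telnet 64.120.189.215 25
220 mail.hitandrungolf.com ESMTP service ready
--> EHLO me
250-mail.hitandrungolf.com says hello
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250-8BITMIME
250-AUTH CRAM-MD5
250-AUTH=CRAM-MD5
250-XACK
250-SIZE 0
250-VERP
250 DSN
--> MAIL FROM: anyone[at]anywhere.com
250 2.1.0 MAIL ok
--> RCPT TO: administrator[at]hitandrun.com
250 2.1.5 <administrator[at]hitandrun.com> ok
--> DATA
--> Please stop sending me your crap!
--> .
354 send message
250 2.6.0 message received
--> QUIT
221 2.0.0 mail.hitandrungolf.com says goodbye
"""

REPLY = re.compile(r"^(\d{3})[ -](.*)$")
SENDER = re.compile(r"MAIL FROM:\s*<?([^\s>]+)", re.IGNORECASE)


def parse_session(text):
    """Pair every client line with the server reply lines that follow it."""
    exchanges, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("-->"):
            cur = {"command": line[3:].strip(), "replies": []}
            exchanges.append(cur)
        elif cur is not None:
            m = REPLY.match(line)
            if m:
                cur["replies"].append((int(m.group(1)), m.group(2)))
    return exchanges


def ehlo_extensions(exchanges):
    """Extension keywords from the EHLO reply; the first 250 line is only the greeting."""
    for ex in exchanges:
        if ex["command"].upper().startswith("EHLO"):
            lines = [text for code, text in ex["replies"] if code == 250][1:]
            # "AUTH CRAM-MD5" and "AUTH=CRAM-MD5" both count as the AUTH keyword
            keywords = [l.split()[0].split("=")[0].upper() for l in lines if l.strip()]
            return list(dict.fromkeys(keywords))  # de-duplicate, keep order
    return []


def _verb(command):
    return command.split(":")[0].split()[0].upper() if command.strip() else ""


def session_findings(text):
    """Summarise what the transcript shows about the server's configuration."""
    ex = parse_session(text)
    exts = ehlo_extensions(ex)
    banner = next((r[1].split()[0] for e in ex for r in e["replies"] if r[0] == 220), None)
    accepted, sender_domain = {}, None
    for e in ex:
        verb = _verb(e["command"])
        if verb in ("MAIL", "RCPT") and e["replies"]:
            accepted[verb] = e["replies"][0][0] == 250
        if verb == "MAIL":
            m = SENDER.search(e["command"])
            if m:  # the post obfuscates "@" as "[at]"; accept either
                sender_domain = m.group(1).replace("[at]", "@").rsplit("@", 1)[-1]
    foreign = False
    if sender_domain and banner and accepted.get("MAIL"):
        foreign = not banner.lower().endswith(sender_domain.lower())
    return {
        "banner_host": banner,
        "extensions": exts,
        "auth_offered": "AUTH" in exts,
        "starttls_offered": "STARTTLS" in exts,
        "auth_without_starttls": "AUTH" in exts and "STARTTLS" not in exts,
        "mail_from_accepted": accepted.get("MAIL", False),
        "rcpt_to_accepted": accepted.get("RCPT", False),
        "foreign_sender_accepted": foreign,
    }


if __name__ == "__main__":
    for key, value in session_findings(TRANSCRIPT).items():
        print(f"{key}: {value}")
```

Note that the server's replies to DATA appear after all three typed client lines in the quoted session, so `parse_session` attaches the 354/250 pair to the final "." command; the EHLO, MAIL and RCPT pairings, which are what the findings use, are unaffected by that ordering.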

Sounds good to me - time to submit your evidence and suspicions to Network Solutions management/abuse management.

I did just that, but it should be no surprise to anyone that it was totally ignored. These big companies are all the same. Try to do them a favor and they are so understaffed that they can't even be bothered to read their own emails. But I suppose that no response is better than an automated response.

J.A. Coutts


  • 2 weeks later...

It turns out that Burst.net is at least partially responsible for all this spam traffic by virtue of the fact that 75% of their hosting business is wholesaled to other hosting companies.

http://krebsonsecurity.com/2012/03/microso...spyeye-botnets/

In other words, they contend that they are not responsible for what these other companies do. This is the biggest cop-out I have ever heard. SpamCop should blacklist their entire IP ranges.

J.A. Coutts

