Jump to content

[Resolved] 4xp.com spam


couttsj
 Share

Recommended Posts

5. 212.179.146.225 on port 41896|08:59:59

5. EHLO 4xp.com

5. MAIL FROM:<sarahk[at]4xp.com>

5. QUIT

5. Closed.|09:00:00

This one has me very puzzled. It started early yesterday morning with single attempts, and has progressed

to 5 simultaneous attempts every 30 minutes. But that is not the puzzling part. It appears that 4xp.com

is a legitimate forex trading site. Yesterday it was located in the UK and hosted by mydyndns.org.

Today it is located in the US [204.13.162.123] and is hosted by dsredirection.com. However, the IP

address being used in the spam attempts [212.179.146.225] showed a reverse lookup of mail.4xp.com

yesterday, but today it fails a reverse lookup. Whois.ripe.net reports:

inetnum: 212.179.146.224 - 212.179.146.231

netname: FOREX-PLACE-LTD

country: IL (Isreal)

It would apprear that Forex Place got hijacked, and they are desperately trying to separate themselves

from the spammer.

Edited by couttsj
Link to comment
Share on other sites

Interesting. SORBS is showing spam from that address with msg IDs ending in [at]EXG-4XP.4XP.local for some time (most recent recorded 28 December last). Apart from that 212.179.146.225 looks pretty clean and does appear to be under the control of bezeqint.net (RIPE record showing FOREX-PLACE-LTD netname attributed to hostmaster[at]bezeqint.net).

The 4xp.com TXT record is

v=spf1 ip4:95.142.16.195 ip4:95.142.16.196 ip4:95.142.16.197 ip4:95.142.16.198 ip4:95.142.16.199 ip4:95.142.16.200 ip4:94.236.19.162 ip4:79.125.89.245 ip4:212.179.146.224 ip4:212.179.146.225 ip4:212.179.146.226 ip4:212.179.146.227 ip4:212.179.146.228 ip4:

79.125.53.164 ip4:46.137.5.88 -all

The 4xp.com MX record is

4xp.com MX preference = 20, mail exchanger = mx2.mailhop.org

4xp.com MX preference = 10, mail exchanger = mx1.mailhop.org

mx2.mailhop.org internet address = 216.146.33.7

mx1.mailhop.org internet address = 216.146.33.3

mx1.mailhop.org internet address = 216.146.33.1

mx2.mailhop.org internet address = 216.146.33.5

... and robtex shows

216.146.32.0/24 216.146.32.1 216.146.32.2 216.146.32.3 216.146.32.4 216.146.32.5 216.146.32.6 216.146.32.7 216.146.33.0/24 216.146.33.1 216.146.33.2 216.146.33.3 216.146.33.4 216.146.33.5 216.146.33.6 216.146.33.7

I have no idea what that all means except they must send and receive an awful lot of time critical mail through lots of servers and it would seem if 212.179.146.225 is actually spamming/been fed a bad mail list then, presumably, abuse[at]bezeqint.net should be told soonest.

Link to comment
Share on other sites

Thanks for the follow-up. Indeed 212.179.146.225 does pass the rDNS lookup

C:\WINDOWS\system32>nslookup mail.4xp.com 8.8.8.8

Server: google-public-dns-a.google.com

Address: 8.8.8.8

Non-authoritative answer:

Name: mail.4xp.com

Address: 212.179.146.225

C:\WINDOWS\system32>nslookup -type=ptr 212.179.146.225 8.8.8.8

Server: google-public-dns-a.google.com

Address: 8.8.8.8

Non-authoritative answer:

225.146.179.212.in-addr.arpa name = mail.4xp.com

It looks like it is (without checking them all) the only one out of the SPF (TXT) record ...

C:\WINDOWS\system32>nslookup -type=txt 4xp.com 8.8.8.8

Server: google-public-dns-a.google.com

Address: 8.8.8.8

Non-authoritative answer:

4xp.com text =

"v=spf1 ip4:95.142.16.195 ip4:95.142.16.196 ip4:95.142.16.197 ip4:95.142

.16.198 ip4:95.142.16.199 ip4:95.142.16.200 ip4:94.236.19.162 ip4:79.125.89.245

ip4:212.179.146.224 ip4:212.179.146.225 ip4:212.179.146.226 ip4:212.179.146.227

ip4:212.179.146.228 ip4:"

"79.125.53.164 ip4:46.137.5.88 -all"

... that does reference 4xp.com.

Not sure that ANY address recorded in the SPF record needs to specifically reference 4xp.com in the rDNS lookup or, consequently, that it is significant when one (or more) doesn't but if the delivery attempts have stopped anyway I suppose the point is moot.

Marking "Resolved" - should be "Mysterious" if the truth be told.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...