showker Posted May 15

We've been reporting a deluge of spam emanating from Microsoft "onMicrosoft.com" at Microsoft IP addresses all around the world. They finally stopped. But now we're under attack by the spam cartel emanating from IPXO. I know, someone else said here that IPXO claims they are not doing it. But the new IP addresses clearly resolve to the IPXO data center. We've gotten 70+ in the last 24 hours:

[spam] Brotherhood Of Light (dozens of these)
[spam] atenttion 2508

and many, many with a dot in the subject line, and a dot in the message area. It won't let me upload a JPG image, I have the direct evidence in screens.

petzl Posted May 15 (edited)

2 hours ago, showker said:
> We've been reporting a deluge of spam emanating from Microsoft "onMicrosoft.com" at Microsoft IP addresses all around the world. They finally stopped. But now we're under attack by the spam cartel emanating from IPXO. I know, someone else said here that IPXO claims they are not doing it. But the new IP addresses clearly resolve to the IPXO data center. We've gotten 70+ in the last 24 hours:
> [spam] Brotherhood Of Light (dozens of these)
> [spam] atenttion 2508
> and many, many with a dot in the subject line, and a dot in the message area. It won't let me upload a JPG image, I have the direct evidence in screens.

Been hammering me also! My boilerplate to nowhere seemed to stop after I contacted https://www.ipxo.com, left my email address. They must have thought I was a potential customer and gave a thumbs up, their abuse is as I were asked. Trying this contact just now again??

Best I think to report to Cloudflare, though webpage they only allow me one a week and do nothing?
https://www.cloudflare.com/trust-hub/abuse-approach/

23.26.60.155 Dos Attack reset password
23.26.60.155
abuse[AT]ipxo[DOT]com
support[AT]ipxo[DOT]com
phishing-report[AT]us-cert[DOT]gov
abuse[AT]cloudflare[DOT]com

https://www.spamcop.net/w3m?action=checkblock&ip=23.26.60.155
SpamCop users have reported system as a source of spam about 1410 times in the past week

23.26.60.155 as URL redirects to free cloud server https://private-panel.betterhost.pro/auth/login no registrar
Name: private-panel.betterhost.pro
IP: 172.67.193.63, 104.21.92.122
abuse[AT]cloudflarecom
Domain: betterhost.pro

Edited May 15 by petzl

ninth Posted May 16 (edited)

10 hours ago, showker said:
> We've gotten 70+ in the last 24 hours

Why not block these email addresses - hello@outlook.com etc? They will get a bounce and go god bothering someone else.

Could we see the full SC report post link please?

Edited May 16 by ninth

petzl Posted May 16

1 hour ago, ninth said:
> Why not block these email addresses - hello@outlook.com etc? They will get a bounce and go god bothering someone else. Could we see the full SC report post link please?

The addresses keep changing, spammer uses what is known as a "Dictionary attack", see below. Spammer posts 150,000 spams a week.

Example User Names Used By 23.26.60.155

IPXO Posted May 16

Hi there!

IPXO's Marketplace serves as a platform for those who have or need IP addresses, offering an intermediary service that brings businesses together. While we are not directly responsible for the use of the IPs, we monitor the situation to ensure that IPs leased through our platform are used appropriately.

We are already aware of this situation and have taken action by suspending the client (hosting service) responsible for the IPs in question. You can read more about what suspension means here: https://www.ipxo.com/kb/ipxo-platform/account-statuses-at-ipxo/

Based on our internal processes, we have given our client (the hosting service) a time frame to address any abusive activities on their end. If no action is taken to resolve the issue, we will terminate the subnet currently involved in abusive behavior.

If you have any additional information you wish to provide, please submit it through our abuse report page at https://www.ipxo.com/report-abuse/ so our dedicated team can ensure a timely resolution.

Many thanks for your help,
IPXO Team

petzl Posted May 16

11 hours ago, IPXO said:
> Hi there! IPXO's Marketplace serves as a platform for those who have or need IP addresses, offering an intermediary service that brings businesses together. While we are not directly responsible for the use of the IPs, we monitor the situation to ensure that IPs leased through our platform are used appropriately.
> We are already aware of this situation and have taken action by suspending the client (hosting service) responsible for the IPs in question. You can read more about what suspension means here: https://www.ipxo.com/kb/ipxo-platform/account-statuses-at-ipxo/
> Based on our internal processes, we have given our client (the hosting service) a time frame to address any abusive activities on their end. If no action is taken to resolve the issue, we will terminate the subnet currently involved in abusive behavior.
> If you have any additional information you wish to provide, please submit it through our abuse report page at https://www.ipxo.com/report-abuse/ so our dedicated team can ensure a timely resolution.
> Many thanks for your help, IPXO Team

Well tried the webform no recognition that I sent it? Doubtful it went

petzl Posted May 17 (edited)

16 hours ago, IPXO said:
> Many thanks for your help,

Well you need to know that a *.EML file is sent by spam victims as a "forward as attachment" file (eml).
You can read these in a text app like Windows Notepad.
You need to accept the eml, at present your web page won't accept them?
There are plenty of eml file viewers out there.
Even apps to extract headers: "MHA view header" (Message Header Analyzer), Google search gives https://t.ly/X9UFW

Seems the flood IMO is possibly by a competitor who wants you down.
You are renting shared IPs cheap from what I work out, you must be succeeding I guess?

Edited May 17 by petzl

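What a header analyzer does with a forwarded .eml file, as an added example that is not part of the thread or any tool named in it: it walks the Received chain and picks the peer IP logged by the outermost server the recipient controls, which is the address to send to an abuse desk. The sample message, the host names and the `trusted_hosts` parameter are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (documentation addresses only); not a message from the thread.
SAMPLE_EML = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Wed, 15 May 2024 10:00:02 +0000
Received: from relay.example.com (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id def456; Wed, 15 May 2024 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby relay.example.com with SMTP id ghi789; Wed, 15 May 2024 10:00:00 +0000
From: "Sender" <sender@example.com>
To: user@example.org
Subject: .

.
"""

IP_IN_BRACKETS = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)")

def received_hops(raw_eml):
    """Return [(peer_ip, by_host)], newest Received header first."""
    hops = []
    for value in message_from_string(raw_eml).get_all("Received", []):
        ip_match = IP_IN_BRACKETS.search(value)
        by_match = BY_HOST.search(value)
        try:
            ip = str(ipaddress.ip_address(ip_match.group(1))) if ip_match else None
        except ValueError:
            ip = None  # bracketed text was not a valid address
        hops.append((ip, by_match.group(1).lower() if by_match else None))
    return hops

def ip_to_report(raw_eml, trusted_hosts):
    """Peer IP logged by the outermost server you run; older headers can be forged."""
    candidate = None
    for ip, by_host in received_hops(raw_eml):
        if by_host not in trusted_hosts:
            break  # written by someone else's server: stop trusting the chain
        if ip:
            candidate = ip
    return candidate

if __name__ == "__main__":
    print(ip_to_report(SAMPLE_EML, {"mail.example.org", "mx.example.net"}))
```

Headers below the first untrusted hop are supplied by the sending side, so the `127.0.0.1` line in the sample is ignored rather than reported.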
ninth Posted May 18

On 5/16/2024 at 6:35 PM, petzl said:
> The addresses keep changing, spammer uses what is known as a "Dictionary attack", see below. Spammer posts 150,000 spams a week.

I thought it was strange that outlook/gmail account names one hello and david could still be in use but spamvertisers live in virtual reality.

I was told by a reliable source that spammers use secondary accounts designed to be a recovery email to send mailouts. There is a limit on the number of these accounts but they only need one each time because they usually get blocked so delete and add one number to the end of firstnamelastname. I'm guessing this way the original account does not get flagged and the temporary accounts are gone by the time reports are made.

petzl Posted May 19 (edited)

3 hours ago, ninth said:
> I thought it was strange that outlook/gmail account names one hello and david could still be in use but spamvertisers live in virtual reality. I was told by a reliable source that spammers use secondary accounts designed to be a recovery email to send mailouts. There is a limit on the number of these accounts but they only need one each time because they usually get blocked so delete and add one number to the end of firstnamelastname. I'm guessing this way the original account does not get flagged and the temporary accounts are gone by the time reports are made.

One hello was always with no body? The others just a pretend phishing message.

I suspect this "spammer" was a revenge attack on IPXO, possibly a competitor? IPXO are renting IPv4 IP addresses (shared) from 50 cents a month, so seems was out to shut them down! But that is a guess?

Dictionary email address attacks are usually to find addresses that don't bounce. They seem to have also found a lot of poisoned email addresses that hit spam-traps.

This spammer seemed to know how to avoid detection, which makes me think he was not a spammer, just a criminal. Probably the one that placed the malware on IP in first place, IPXO have removed it.

The machine using this IP is infected with malware that is emitting spam, or is sharing a connection with an infected device.
<https://check.spamhaus.org/listed/?searchterm=Brotherhood Of Light.txt>

Edited May 19 by petzl

ninth Posted May 21

Interesting that Spamhaus does not remove IP blocks unless request from ISP.

showker Posted May 24 (Author)

We just set the address and anything from them directly into the TRASH. Problem solved.

Where is Anonymous when we need them ?????