George Langford via plug on 30 Aug 2021 11:18:18 -0700
Re: [PLUG] my bash script to report rogue Microsoft 365 servers (CJ Fearnley)

A lot of spammers are using the same technique. Here's a simple test:

1. Collect the IPv4 addresses from the headers of some recent spams.
2. Collect the domain & subdomain from the beginning of each link in those spams; that's what appears http://<== here ==>/ ... in the URL.
3. Look 'em all up with dig -x or (preferably) nmap & save the results.
4. Look 'em up again & again, say, twenty times.
5. Run this script on any two pairs of those results:
   diff -y --suppress-common-lines --width=160 Result-A.txt Result-B.txt

They will never be the same ...

Attached are two files of my recent data gleaned this way from about 3500 spams. One is a list of multi-address PTR's; the other is a list of multi-PTR addresses. Some of these may just be load-levelling; others may shut off the server to upload new data rather frequently, considering that I'm re-running the scans often.
Here's an example:

WhoIs 101.78.213.10
101.78.128.0 - 101.78.255.255 HKBN Enterprise Solutions HK Limited HK

dig -x 101.78.213.10
10.213.78.101.in-addr.arpa. 900 IN PTR mail.richharvest.hk.
10.213.78.101.in-addr.arpa. 900 IN PTR mail.tshp.hk.
10.213.78.101.in-addr.arpa. 900 IN PTR mail.pangpangfrozen.com.
10.213.78.101.in-addr.arpa. 900 IN PTR mail1.tongshunhing.com.

I got ==>
101.78.213.10 mail1.tongshunhing.com
101.78.213.10 mail.pangpangfrozen.com
101.78.213.10 mail.richharvest.hk
101.78.213.10 mail.tshp.hk

OK, but see ==> https://bgp.he.net/net/101.78.128.0/17#_dns
where 101.78.213.10 shows only mail1.tongshunhing.com in the PTR box.
Other data on weaponization of the Internet is summarized here:

Hyper-Weaponization of IPv6 ==> https://www.pinthetaleonthedonkey.com/IPv6/Multi-Addressed-PTRs/IPv6.PTR-Ranked-Counts-January2020-ScratchStart.html
Exploitation of Multi-addressed PTR's ==> https://www.pinthetaleonthedonkey.com/Webpage/VG5dwyxa9mST.html
Wordpress attacks ==> https://www.pinthetaleonthedonkey.com/StatisticsAllYears/May-2018-WordPress/WordPress-attacks-MiDomane.com-May-2018.htm
https://www.pinthetaleonthedonkey.com/ChineseServers/pinthetaleonthedonkey-WordPress-Quadranet-May-2018.htm

George Langford (amenex at https://trisquel.info/en/forum/trisquel-users)

50.3.188.102 188.3.50-static.rdns.serverhub.com
50.3.188.107 188.3.50-static.rdns.serverhub.com
50.3.188.116 188.3.50-static.rdns.serverhub.com
50.3.188.121 188.3.50-static.rdns.serverhub.com
50.3.188.122 188.3.50-static.rdns.serverhub.com
50.3.188.96 188.3.50-static.rdns.serverhub.com
103.109.37.109 dc37.kdata.vn
103.109.37.203 dc37.kdata.vn
116.98.239.246 dynamic-ip-adsl.viettel.vn
171.229.76.198 dynamic-ip-adsl.viettel.vn
171.236.69.79 dynamic-ip-adsl.viettel.vn
171.238.145.34 dynamic-ip-adsl.viettel.vn
171.241.0.223 dynamic-ip-adsl.viettel.vn
171.243.4.191 dynamic-ip-adsl.viettel.vn
185.105.109.148 free.eurobyte.ru
46.30.42.227 free.eurobyte.ru
46.30.42.252 free.eurobyte.ru
46.30.45.120 free.eurobyte.ru
46.30.45.84 free.eurobyte.ru
194.150.214.120 free.galaxydata.ru
194.150.214.123 free.galaxydata.ru
194.150.215.189 free.galaxydata.ru
109.237.96.143 free.hostglobal.plus
109.237.96.179 free.hostglobal.plus
45.144.30.143 free.pq.hosting
45.144.30.154 free.pq.hosting
45.144.30.166 free.pq.hosting
45.144.30.169 free.pq.hosting
45.144.30.178 free.pq.hosting
195.62.46.188 godness.org.uk
195.62.46.192 godness.org.uk
195.62.46.194 godness.org.uk
185.222.57.185 hosted-by.rootlayer.net
185.222.57.240 hosted-by.rootlayer.net
185.222.57.242 hosted-by.rootlayer.net
185.222.57.251 hosted-by.rootlayer.net
185.222.58.100 hosted-by.rootlayer.net
45.137.22.39 hosted-by.rootlayer.net
127.0.0.1 localhost
127.137.27.211 localhost
127.145.90.157 localhost
27.73.85.153 localhost
211.157.147.130 lucky1.263xmail.com
211.157.147.133 lucky1.263xmail.com
173.232.90.123 mail.halstonmta.com
173.232.90.19 mail.halstonmta.com
173.232.90.2 mail.halstonmta.com
173.232.90.20 mail.halstonmta.com
173.232.90.22 mail.halstonmta.com
173.232.90.24 mail.halstonmta.com
173.232.90.6 mail.halstonmta.com
173.232.90.74 mail.halstonmta.com
173.232.90.8 mail.halstonmta.com
45.144.30.113 ru.gov.dkchi.com
45.144.30.114 ru.gov.dkchi.com
195.62.32.136 squidtest9
195.62.32.29 squidtest9
195.62.32.32 squidtest9
195.62.32.43 squidtest9
113.172.152.88 static.vnpt.vn
113.178.36.187 static.vnpt.vn
113.178.73.131 static.vnpt.vn
14.162.208.225 static.vnpt.vn
14.168.211.92 static.vnpt.vn
14.169.135.41 static.vnpt.vn
14.186.197.79 static.vnpt.vn
14.187.17.63 static.vnpt.vn
14.232.190.70 static.vnpt.vn
14.253.150.168 static.vnpt.vn
173.254.192.136 unassigned.quadranet.com
173.254.192.152 unassigned.quadranet.com
198.55.124.229 unassigned.quadranet.com
198.55.124.230 unassigned.quadranet.com
103.10.44.135 undefined.hostname.localhost
103.10.44.138 undefined.hostname.localhost
103.238.83.22 undefined.hostname.localhost
103.238.83.25 undefined.hostname.localhost
45.254.33.11 undefined.hostname.localhost
82.147.70.108 undefined.hostname.localhost
82.147.70.81 undefined.hostname.localhost
82.147.70.83 undefined.hostname.localhost
170.130.74.190 web.modestomta.com
170.130.74.216 web.modestomta.com
170.130.74.244 web.modestomta.com
170.130.74.246 web.modestomta.com

85.132.122.26 mx1.azstat.org
85.132.122.26 st1.azstat.org
101.78.213.10 mail1.tongshunhing.com
101.78.213.10 mail.pangpangfrozen.com
101.78.213.10 mail.richharvest.hk
101.78.213.10 mail.tshp.hk
116.98.239.246 dynamic-adsl.viettel.vn
116.98.239.246 dynamic-ip-adsl.viettel.vn
117.54.2.130 mail.megafinance.co.id
117.54.2.130 zmega.megafinance.co.id
165.166.142.52 smtpclma01.spiritcom.com
165.166.142.52 smtpclma02.spiritcom.com
171.229.76.198 dynamic-adsl.viettel.vn
171.229.76.198 dynamic-ip-adsl.viettel.vn
171.236.69.79 dynamic-adsl.viettel.vn
171.236.69.79 dynamic-ip-adsl.viettel.vn
171.241.0.223 dynamic-adsl.viettel.vn
171.241.0.223 dynamic-ip-adsl.viettel.vn
171.243.4.191 dynamic-adsl.viettel.vn
171.243.4.191 dynamic-ip-adsl.viettel.vn
185.203.41.148 pusthakalu.de
185.203.41.148 willowyarns.com
188.87.211.19 correo.lepe.es
188.87.211.19 imap.lepe.es
188.87.211.19 smtp.lepe.es
190.130.15.70 mail.houseinc.ml
190.130.15.70 mail.houseinc.org
190.130.15.70 mail.lafloridahn.com
192.154.230.158 mx1.healthinsuranceforfree.com
192.154.230.158 srv369.fingerpaint.online
202.14.92.90 alfonsus.uajy.ac.id
202.14.92.90 ip-90-92-net.uajy.ac.id
202.53.11.28 email.indiamr.com
202.53.11.28 mail.avenirts.com
213.182.40.66 autoreply.odalys5.ecritel.net
213.182.40.66 odalys5.ecritel.net
222.236.44.84 mail.smch.co.kr
222.236.44.84 smch.co.kr
222.236.44.84 webmail.smch.co.kr
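The steps in the post (save `dig -x` output, reduce it to address/PTR pairs, pull out the addresses with several PTRs and the PTRs shared by several addresses, then compare two scans) can be scripted. The following is an added example, not George Langford's data pipeline and not the bash script named in the subject line. It works on saved `dig -x` answer lines so it runs offline; the sample input is constructed (the 101.78.213.10 records are the ones quoted above, the 192.0.0.x records and host names are made up), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the poster's script): normalise saved `dig -x` answer
# lines into "address ptr" pairs, report the two anomaly classes attached to
# the post, and compare two scans the way the post's diff step does.
LC_ALL=C; export LC_ALL      # byte-order collation so sort, uniq and comm agree

# Constructed sample of `dig -x` ANSWER lines. The 101.78.213.10 records are
# the ones quoted in the post; the 192.0.0.x records are invented, and the last
# line repeats an earlier answer, as merging several scans into one file does.
SAMPLE_DIG='10.213.78.101.in-addr.arpa. 900 IN PTR mail.richharvest.hk.
10.213.78.101.in-addr.arpa. 900 IN PTR mail.tshp.hk.
10.213.78.101.in-addr.arpa. 900 IN PTR mail.pangpangfrozen.com.
10.213.78.101.in-addr.arpa. 900 IN PTR mail1.tongshunhing.com.
1.0.0.192.in-addr.arpa. 3600 IN PTR host-a.example.net.
2.0.0.192.in-addr.arpa. 3600 IN PTR host-a.example.net.
3.0.0.192.in-addr.arpa. 3600 IN PTR host-b.example.net.
10.213.78.101.in-addr.arpa. 900 IN PTR mail.tshp.hk.'

# ptr_pairs: dig output on stdin -> unique, sorted "address ptr" lines.
# The in-addr.arpa owner name carries the octets reversed, so they are flipped
# back; the trailing dot on the PTR target is dropped to match the post's lists.
ptr_pairs() {
    awk '$3 == "IN" && $4 == "PTR" {
        n = split($1, o, ".")
        if (n < 6 || o[5] != "in-addr" || o[6] != "arpa") next
        name = $5; sub(/\.$/, "", name)
        print o[4] "." o[3] "." o[2] "." o[1], name
    }' | sort -u
}

# multi_ptr_addresses: addresses that answer with more than one PTR name,
# one line per address with the names appended (the post's second attachment).
multi_ptr_addresses() {
    ptr_pairs | awk '{ seen[$1]++; names[$1] = names[$1] " " $2 }
        END { for (ip in seen) if (seen[ip] > 1) print ip names[ip] }' | sort
}

# multi_address_ptrs: PTR names claimed by more than one address, one line per
# name with the addresses appended (the post's first attachment).
multi_address_ptrs() {
    ptr_pairs | awk '{ seen[$2]++; addrs[$2] = addrs[$2] " " $1 }
        END { for (p in seen) if (seen[p] > 1) print p addrs[p] }' | sort
}

# scan_delta FILE_A FILE_B: pairs present in only one of two saved scans.
# comm needs sorted input, which ptr_pairs provides; column 1 holds pairs only
# in A, column 2 (tab-indented) pairs only in B. Same purpose as the post's
# `diff -y --suppress-common-lines`, applied to normalised pairs instead of
# raw dig output so TTL changes and record order do not show up as noise.
scan_delta() {
    a=$(mktemp) && b=$(mktemp) || return 1
    ptr_pairs < "$1" > "$a"
    ptr_pairs < "$2" > "$b"
    comm -3 "$a" "$b"
    rm -f "$a" "$b"
}

# Stand-alone run over the constructed sample.
echo '--- address/PTR pairs'
printf '%s\n' "$SAMPLE_DIG" | ptr_pairs
echo '--- addresses with several PTRs'
printf '%s\n' "$SAMPLE_DIG" | multi_ptr_addresses
echo '--- PTRs shared by several addresses'
printf '%s\n' "$SAMPLE_DIG" | multi_address_ptrs
```

To use it on real scans, save each round of `dig -x` output to its own file and feed it to `ptr_pairs` (or two files to `scan_delta`); any address that appears in `multi_ptr_addresses` with a different set of names from one round to the next is the kind of churn the post describes. Shared hostnames such as `localhost` or a provider's generic reverse name are expected to be load-balancing or unassigned space rather than evidence of anything on their own, so the lists are a starting point for review, not a blocklist.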
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug