[anti-abuse-wg] Malware/ransomware current live distribution IPs
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jun 30 23:08:43 CEST 2016
In message <15295.1467317095 at server1.tristatelogic.com>, I wrote:

> andre at ox.co.za you wrote:
>
>> If you would like to add superblock.ascams.com - these seem like good links:
>>
>> Exim : http://www.exim.org/howto/rbl.html
>> postfix : https://www.howtoforge.com/block_spam_at_mta_level_postfix
>
> Note: The specific domains and IPs I have just posted
> are pointless to block in mail server configs, because the final
> "landing page" domains that are actually spreading the infectious
> agents are never seen, and will never be seen in e-mails. Rather,
> there _is_ spam... lots of it... trying to get people to go to these
> infection domains, but only via a sequence of one or two redirections
> (through other domains) first.

Conveniently, to further this point, these same spammers just sent me
ANOTHER one of their standard spams.

** WARNING ** Browsing to the URL below may result in infection!

Spam body/payload:
=============================================================================
Hello,
Here is some information that inspired me a lot, read it please, it may be helpful
<http://xishentothi.politicalresumes.com/xyrzxk>
Yours faithfully,
fistvani at andrew.cmu.edu

Hello,
Here is some information that inspired me a lot, read it please, it may be helpful
[1]http://xishentothi.politicalresumes.com/xyrzxk
Yours faithfully,
fistvani at andrew.cmu.edu

References
1. http://xishentothi.politicalresumes.com/xyrzxk
=============================================================================

Please note that actually, the domain "politicalresumes.com" does not...
except in a very limited sense... "belong" to the spammer(s). Rather, as
has been reported by (I believe) Cisco/Talos, the actual owner of this
domain has simply been infected, and whatever credentials he uses to
control/manipulate the DNS for his domain have been absconded with by the
spammer(s). They in turn have *added* several new subdomains to this base
domain name.

These currently include, at the very least:

fekudamo.politicalresumes.com
lardipruto.politicalresumes.com
rdostapidy.politicalresumes.com
wongakyma.politicalresumes.com
xishentothi.politicalresumes.com

Anyway, following the link in the above spam payload/body gets you to a
trivial redirector... kindly hosted by Godaddy... which then attempts to
take you to this new URL:

http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33

There is another redirection once you get there. When you get to the
final landing page, that's the one where you get infected with/by
Javascript malware.

Regards,
rfg
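The point made in the message above (that the hostnames visible in the spam are not the hostnames that serve the malware, so a landing-page blocklist applied at the MTA never matches) can be shown with a small defender-side resolver. The following is an added example, not code from the poster or the working group: it extracts URLs from a mail body, walks each one's redirect chain through an injected fetch function, and compares every hop against a landing-host blocklist. The redirect map is constructed offline from the two URLs quoted in the message; the final landing host (`landing-page.invalid`) is a placeholder because the message does not name it, and no network request is made.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the plain-text part of the spam quoted above.
SPAM_BODY = """Hello,
Here is some information that inspired me a lot, read it please, it may be helpful
<http://xishentothi.politicalresumes.com/xyrzxk>
Yours faithfully,
"""

# Constructed stand-in for live HTTP 30x responses. The first two URLs are the
# ones the message quotes; the last hop is a placeholder (assumption), since the
# message does not name the final landing page.
FAKE_REDIRECTS = {
    "http://xishentothi.politicalresumes.com/xyrzxk":
        "http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33",
    "http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33":
        "http://landing-page.invalid/",
}

# Hypothetical blocklist of final landing hosts (what a threat feed would carry).
LANDING_BLOCKLIST = {"landing-page.invalid"}

# Matches http(s) URLs, stopping at whitespace and the <>[]"' wrappers seen in mail.
URL_RE = re.compile(r"https?://[^\s<>\"'\[\]]+")


def extract_urls(body):
    """Return the distinct URLs in a mail body, in order of first appearance."""
    found = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")
        if url not in found:
            found.append(url)
    return found


def fake_fetch(url):
    """Stand-in for an HTTP HEAD: returns the Location header, or None if no redirect."""
    return FAKE_REDIRECTS.get(url)


def follow_redirects(url, fetch=fake_fetch, max_hops=5):
    """Walk a redirect chain; stop on a non-redirect, a loop, or the hop limit."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def host(url):
    return (urlparse(url).hostname or "").lower()


def mail_time_verdict(body, blocklist=LANDING_BLOCKLIST):
    """What an MTA rule sees: only the hostnames literally present in the mail."""
    return {u: host(u) in blocklist for u in extract_urls(body)}


def resolved_verdict(body, fetch=fake_fetch, blocklist=LANDING_BLOCKLIST):
    """Resolve each URL's chain and report the first hop whose host is blocklisted."""
    report = {}
    for u in extract_urls(body):
        chain = follow_redirects(u, fetch)
        hit = next((h for h in chain if host(h) in blocklist), None)
        report[u] = {"chain": chain, "blocked_hop": hit}
    return report


if __name__ == "__main__":
    print("mail-time:", mail_time_verdict(SPAM_BODY))
    for url, r in resolved_verdict(SPAM_BODY).items():
        print(url)
        for hop in r["chain"]:
            print("   ->", hop)
        print("   blocked at:", r["blocked_hop"])
```

With the constructed chain, `mail_time_verdict` reports the spam URL as clean, because `xishentothi.politicalresumes.com` is not a landing host, while `resolved_verdict` flags the third hop. In a real deployment `fake_fetch` would be replaced by a sandboxed HEAD request that never executes page content, and the resolved hosts, not the mail-visible ones, would feed the blocklist.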