[anti-abuse-wg] Malware/ransomware current live distribution IPs
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jun 30 23:08:43 CEST 2016
In message <15295.1467317095 at server1.tristatelogic.com>, I wrote:

> andre at ox.co.za you wrote:
>
>> If you would like to add superblock.ascams.com - these seem like good links:
>>
>> Exim : http://www.exim.org/howto/rbl.html
>> postfix : https://www.howtoforge.com/block_spam_at_mta_level_postfix
>
> Note: The specific domains and IPs I have just posted
> are pointless to block in mail server configs, because the final
> "landing page" domains that are actually spreading the infectious
> agents are never seen, and will never be seen in e-mails. Rather,
> there _is_ spam... lots of it... trying to get people to go to these
> infection domains, but only via a sequence of one or two redirections
> (through other domains) first.

Conveniently, to further this point, these same spammers just sent me
ANOTHER one of their standard spams.

** WARNING ** Browsing to the URL below may result in infection!

Spam body/payload:
=============================================================================
Hello,
Here is some information that inspired me a lot, read it please, it may be helpful
<http://xishentothi.politicalresumes.com/xyrzxk>
Yours faithfully,
fistvani at andrew.cmu.edu

Hello,
Here is some information that inspired me a lot, read it please, it may be helpful
[1]http://xishentothi.politicalresumes.com/xyrzxk
Yours faithfully,
fistvani at andrew.cmu.edu

References
1. http://xishentothi.politicalresumes.com/xyrzxk
=============================================================================

Please note that actually, the domain "politicalresumes.com" does not...
except in a very limited sense... "belong" to the spammer(s). Rather, as
has been reported by (I believe) Cisco/Talos, the actual owner of this
domain has simply been infected, and whatever credentials he uses to
control/manipulate the DNS for his domain have been absconded with by the
spammer(s). They in turn have *added* several new subdomains to this base
domain name. These currently include, at the very least:

    fekudamo.politicalresumes.com
    lardipruto.politicalresumes.com
    rdostapidy.politicalresumes.com
    wongakyma.politicalresumes.com
    xishentothi.politicalresumes.com

Anyway, following the link in the above spam payload/body gets you to a
trivial redirector... kindly hosted by Godaddy... which then attempts to
take you to this new URL:

    http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33

There is another redirection once you get there. When you get to the
final landing page, that's the one where you get infected with/by
Javascript malware.

Regards,
rfg