June 14, 2012

Some analysis of Apews data

This has taken a while since there is a lot of it! By comparing our own records with listings that exist in the Apews dataset we have been able to conclude the following:

Single IP addresses that have made a direct connection to our servers in order to send spam email have also been found in C-1, C-2, C-12, C-35, C-52, C-53, C-66, C-67, C-73 and C-630.

Listings that are mostly /24s can be found in C-3, C-11, C-13, C-21, C-36, C-41, C-130, C-1375 and C-1402. These /24s generally include the above single IP addresses, suggesting that they may be escalations.

Single IP addresses that have done port scanning, SSH probes, attempted PHP or SQL injection, password guessing, or hosting of landing pages that contain viruses, trojans, etc. have only been found in C-16 and C-86.

CIDRs that contain residential customers, which typically have no reverse DNS or have generic host names (as noted in some records by Apews), have been found in C-22, C-1010 and C-1403. These are often referred to as dynamic since they can be large DHCP pools too. These CIDRs would not be RFC compliant for the sending of email.

Other CIDRs, usually larger than /24, can be found in C-14, C-15, C-17, C-18, C-20, C-79, C-258 and C-813.

June 7, 2012

L2.APEWS.ORG False Positive #16

A /19 that was listed back in April caught this recently; it is definitely a user-subscribed newsletter:

Wed 2012-06-06 08:55:21: [140:457] Accepting SMTP connection from [109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] Looking up PTR record for 109.123.106.210 (210.106.123.109.IN-ADDR.ARPA)
Wed 2012-06-06 08:55:21: [140:457] D=210.106.123.109.IN-ADDR.ARPA TTL=(1439) PTR=[srv-eight.clevercherry.net]
Wed 2012-06-06 08:55:21: [140:457] Gathering A-records for PTR hosts
Wed 2012-06-06 08:55:21: [140:457] D=srv-eight.clevercherry.net TTL=(240) A=[109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 06 Jun 2012 08:55:21 -0100
Wed 2012-06-06 08:55:21: [140:457] <-- EHLO srv-eight.clevercherry.net
Wed 2012-06-06 08:55:21: [140:457] Performing reverse lookup on srv-eight.clevercherry.net (looking for 109.123.106.210)
Wed 2012-06-06 08:55:21: [140:457] D=srv-eight.clevercherry.net TTL=(240) A=[109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] --> 250-xxx.xxx.xxx Hello srv-eight.clevercherry.net, pleased to meet you
Wed 2012-06-06 08:55:21: [140:457] --> 250-ETRN
Wed 2012-06-06 08:55:21: [140:457] --> 250-AUTH=LOGIN
Wed 2012-06-06 08:55:21: [140:457] --> 250-AUTH LOGIN CRAM-MD5
Wed 2012-06-06 08:55:21: [140:457] --> 250-8BITMIME
Wed 2012-06-06 08:55:21: [140:457] --> 250 SIZE 0
Wed 2012-06-06 08:55:21: [140:457] <-- MAIL FROM:<xxx @ xxx.xxx> SIZE=16289
Wed 2012-06-06 08:55:21: [140:457] Performing reverse lookup on xxx.clevercherry.com (looking for 109.123.106.210)
Wed 2012-06-06 08:55:21: [140:457] D=xxx.clevercherry.com TTL=(240) A=[109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] Spam Blocker A-record resolution of [210.106.123.109.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2012-06-06 08:55:21: [140:457] Spam Blocker D=210.106.123.109.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-06-06 08:55:21: [140:457] L2.APEWS.ORG LISTED
Wed 2012-06-06 08:55:21: [140:457] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2012-06-06 08:55:21: [140:457] --> 250 <xxx @ xxx.xxx>, Sender ok
Wed 2012-06-06 08:55:21: [140:457] <-- RCPT TO:<xxx @ xxx.xxx>
Wed 2012-06-06 08:55:21: [140:457] --> 250 <xxx @ xxx.xxx>, Recipient ok
Wed 2012-06-06 08:55:21: [140:457] <-- DATA
Wed 2012-06-06 08:55:21: [140:457] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2012-06-06 08:55:21: [140:457] --> 250 Ok, message saved <Message-ID: E1ScCvc-0005YX-27@srv-eight.clevercherry.net>
Wed 2012-06-06 08:55:21: [140:457] <-- QUIT
Wed 2012-06-06 08:55:21: [140:457] --> 221 See ya in cyberspace
Wed 2012-06-06 08:55:21: [140:457] SMTP session successful, 15603 bytes transferred.
Wed 2012-06-06 08:55:21: [140:457] Shuffling message(s) into proper queue(s)
Wed 2012-06-06 08:55:21: [140:457] Message received from srv-eight.clevercherry.net [109.123.106.210] <xxx @ xxx.xxx> with SMTP for <xxx @ xxx.xxx> [Size 10502] {j:\localq\6443522.msg}
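The lookup in the log above (reverse the octets of the connecting IP, append the zone, treat a 127.0.0.0/8 answer as "listed") and the tag-instead-of-reject policy that let this newsletter through can be reproduced in a few lines. This is an added example, not code from this blog or from MDaemon; the resolver table, the X-RBL-Warning text and the 550 reply wording are constructed for illustration.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed offline stand-in for DNS. The 127.0.0.2 answer is the one
# L2.APEWS.ORG returned for 109.123.106.210 in the session logged above;
# the second entry is a made-up parked zone that answers with a public IP.
FAKE_DNS: Dict[str, List[str]] = {
    "210.106.123.109.L2.APEWS.ORG": ["127.0.0.2"],
    "1.2.0.192.parked.example": ["203.0.113.7"],
}

def fake_resolve(name: str) -> List[str]:
    """Offline resolver: A records for a query name, or [] if NXDOMAIN."""
    return FAKE_DNS.get(name, [])

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)          # rejects anything not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def dnsbl_lookup(ip: str, zone: str,
                 resolve: Callable[[str], List[str]]) -> Optional[str]:
    """Return the list code (a 127.0.0.0/8 address) or None if not listed.

    Answers outside 127.0.0.0/8 are ignored: a wildcarded or parked zone
    would otherwise make every sender look listed.
    """
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.IPv4Address(answer) in loopback:
            return answer
    return None

def policy(ip: str, zone: str, resolve: Callable[[str], List[str]],
           mode: str = "tag") -> dict:
    """Decide what to do with a connecting IP.

    'tag' mirrors the log: accept and insert an X-RBL-Warning: header, so a
    false positive (such as a subscribed newsletter from a listed /19) costs
    a header rather than a lost message. 'reject' refuses the sender instead.
    """
    code = dnsbl_lookup(ip, zone, resolve)
    if code is None:
        return {"action": "accept", "header": None}
    if mode == "reject":
        return {"action": "reject", "header": None,
                "reply": f"550 {ip} is listed by {zone}"}
    return {"action": "accept",
            "header": f"X-RBL-Warning: {zone} LISTED [{ip}] -> {code}"}
```

Running `policy("109.123.106.210", "L2.APEWS.ORG", fake_resolve)` reproduces the accept-and-tag outcome in the log; swapping in a real resolver (e.g. dnspython) is the only change needed for live use.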