What is happening at Unified Layer?

It is always unusual when one of the larger hosting companies generates this much spam, as you would expect them to have a stronger handle on it. Unified Layer has had many challenges over the last year, but we are now seeing a significant new pattern emerging.

Over the last 2-3 days we have seen a significant increase in spam attempts from their networks.

50.87.248.60     1  box1060.bluehost.com
50.87.248.104    1  box1104.bluehost.com
50.87.248.126    2  box1126.bluehost.com
50.87.248.176    1  box1176.bluehost.com
50.87.248.221    1  box1221.bluehost.com
50.87.248.248    3  box1248.bluehost.com
66.147.240.95    2  host295.hostmonster.com
66.147.240.164   1  host364.hostmonster.com
66.147.240.173   1  host373.hostmonster.com
66.147.240.186   1  host386.hostmonster.com
66.147.242.162   1  box562.bluehost.com
66.147.242.181   1  box581.bluehost.com
66.147.244.68    2  box768.bluehost.com
66.147.244.114   4  box814.bluehost.com
66.147.244.153   2  box653.bluehost.com
66.147.244.187   1  box687.bluehost.com
66.147.244.192   2  box692.bluehost.com
66.147.244.217   1  box717.bluehost.com
66.147.244.223   2  box723.bluehost.com
66.147.244.242   1  box742.bluehost.com
69.89.31.84      5  box284.bluehost.com
69.89.31.105     1  box305.bluehost.com
69.89.31.124     2  box324.bluehost.com
69.89.31.132     1  box332.bluehost.com
69.89.31.133     2  box333.bluehost.com
69.89.31.149     3  box349.bluehost.com
69.89.31.168     1  box368.bluehost.com
69.89.31.174     2  box374.bluehost.com
69.89.31.178     4  box378.bluehost.com
69.89.31.189     4  box389.bluehost.com
69.89.31.195     2  box395.bluehost.com
69.89.31.214     1  box414.bluehost.com
69.89.31.217     1  box417.bluehost.com
69.89.31.220     1  box420.bluehost.com
69.89.31.225     1  box425.bluehost.com
69.89.31.238     2  box438.bluehost.com
69.195.124.51    2  box851.bluehost.com
69.195.124.65    2  box865.bluehost.com
69.195.124.70    3  box870.bluehost.com
69.195.124.90    3  box890.bluehost.com
69.195.124.133   4  box933.bluehost.com
69.195.124.140   1  box940.bluehost.com
69.195.124.167   2  box967.bluehost.com
69.195.124.176   1  box976.bluehost.com
69.195.124.253   1  box1053.bluehost.com
74.220.207.120   3  host120.hostmonster.com
74.220.207.147   2  host147.hostmonster.com
74.220.207.193   1  host193.hostmonster.com
74.220.215.63    1  host263.hostmonster.com
74.220.215.101   1  host301.hostmonster.com
74.220.215.238   3  host238.hostmonster.com
74.220.219.55    3  box455.bluehost.com
74.220.219.62    1  box462.bluehost.com
74.220.219.68    2  box468.bluehost.com
74.220.219.113   2  box513.bluehost.com
173.254.24.16    2  rsb16.rhostbh.com
173.254.24.17    1  rsb17.rhostbh.com
173.254.24.20    1  rsb20.rhostbh.com
173.254.24.21    1  rsb21.rhostbh.com
173.254.24.22    1  rsb22.rhostbh.com
173.254.24.25    1  rsb25.rhostbh.com
173.254.24.30    4  rsb30.rhostbh.com
173.254.24.32    4  rsb32.rhostbh.com
173.254.24.33    1  rsb33.rhostbh.com
173.254.24.34    3  rsb34.rhostbh.com
173.254.24.37    1  rsb37.rhostbh.com
173.254.24.42    1  rsb42.rhostbh.com
173.254.24.54    2  rsb54.rhostbh.com
173.254.28.14    1  just14.justhost.com
173.254.28.35    1  just35.justhost.com
173.254.28.85    4  just85.justhost.com
173.254.28.114   1  just114.justhost.com
173.254.28.117   1  just117.justhost.com
173.254.28.163   1  just163.justhost.com
173.254.28.172   1  just172.justhost.com
173.254.56.11    2  rsj11.rhostjh.com
173.254.56.12    2  rsj12.rhostjh.com
173.254.56.15    1  rsj15.rhostjh.com
173.254.56.17    1  rsj17.rhostjh.com
173.254.56.27    3  rsj27.rhostjh.com
173.254.56.34    4  rsj34.rhostjh.com

Interestingly, almost every IP is listed in ‘rwhois’ as being operated by a different individual on a /32 basis, so either this is a systemic problem with those environments, or the ‘rwhois’ entries are inaccurate or false and the addresses actually belong to one player.

We see many examples in the logs where messages are sent to invalid email addresses using an apparent ‘bounce’ (a null envelope sender), e.g.:

MAIL command received, args: FROM:<>

This means either the bounce is forged, or it might be real ‘backscatter’.

These are all Linux systems, and interestingly they use modern TLS when sending. We haven’t been able to locate a message to a legitimate email address, so this ‘might’ be some form of exploit where someone is using Unified Layer’s servers as a way to do email address harvesting, but the servers all appear to be cPanel servers.

cPanel servers are not generally known for generating backscatter, so this is either an unusual situation with an unusual configuration that allows backscatter, or it is OS-generated spam pretending to be a bounce. Given that each email address is tried in succession five times, the latter appears more likely.
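The distinction drawn in the last two paragraphs, a single bounce to a recipient that actually exists versus a null-sender message retried five times against a recipient that does not, can be checked mechanically from the receiving MTA’s log. The following is an added example, not code from the original post or from any of the hosting companies named; it uses a constructed, simplified log format (real MTA logs differ, so the regex is the part you would adapt), made-up IPs and host names, and a retry threshold of five taken from the observation above. It also reproduces the ‘IP count hostname’ summary table shown earlier from the parsed events.

```python
"""Classify null-sender (MAIL FROM:<>) delivery attempts per client IP.

Added example. The log format is constructed for illustration: one line per
SMTP transaction with the client IP, its reverse DNS name, envelope sender,
envelope recipient and whether that recipient exists locally.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log. 192.0.2.10 retries the same unknown recipient five
# times with a null sender (the pattern described in the post); 192.0.2.20
# bounces once to a real mailbox; 192.0.2.30 mixes a normal message with two
# null-sender attempts. All addresses and names are made up.
SAMPLE_LOG = """\
2024-01-01T10:00:01 client=192.0.2.10 rdns=box101.example.net mail_from=<> rcpt_to=<ghost@example.com> rcpt=unknown
2024-01-01T10:00:02 client=192.0.2.10 rdns=box101.example.net mail_from=<> rcpt_to=<ghost@example.com> rcpt=unknown
2024-01-01T10:00:03 client=192.0.2.10 rdns=box101.example.net mail_from=<> rcpt_to=<ghost@example.com> rcpt=unknown
2024-01-01T10:00:04 client=192.0.2.10 rdns=box101.example.net mail_from=<> rcpt_to=<ghost@example.com> rcpt=unknown
2024-01-01T10:00:05 client=192.0.2.10 rdns=box101.example.net mail_from=<> rcpt_to=<ghost@example.com> rcpt=unknown
2024-01-01T10:01:00 client=192.0.2.20 rdns=host202.example.net mail_from=<> rcpt_to=<alice@example.com> rcpt=ok
2024-01-01T10:02:00 client=192.0.2.30 rdns=just303.example.net mail_from=<news@example.org> rcpt_to=<alice@example.com> rcpt=ok
2024-01-01T10:02:01 client=192.0.2.30 rdns=just303.example.net mail_from=<> rcpt_to=<nobody@example.com> rcpt=unknown
2024-01-01T10:02:02 client=192.0.2.30 rdns=just303.example.net mail_from=<> rcpt_to=<nobody@example.com> rcpt=unknown
"""

LINE_RE = re.compile(
    r"client=(?P<ip>\S+) rdns=(?P<rdns>\S+) mail_from=<(?P<sender>[^>]*)> "
    r"rcpt_to=<(?P<rcpt>[^>]*)> rcpt=(?P<status>\w+)"
)


def parse_log(text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def summarise_by_ip(events):
    """Map each client IP to (attempt count, reverse DNS name)."""
    counts = Counter(e["ip"] for e in events)
    rdns = {e["ip"]: e["rdns"] for e in events}
    return {ip: (n, rdns[ip]) for ip, n in counts.items()}


def format_table(summary):
    """Render the summary in the 'IP count hostname' layout used in the post."""
    ip_key = lambda kv: tuple(int(o) for o in kv[0].split("."))
    return "\n".join(f"{ip:<15} {n:>2}  {host}"
                     for ip, (n, host) in sorted(summary.items(), key=ip_key))


def classify_null_sender(events, retry_threshold=5):
    """Label each IP that sent MAIL FROM:<> traffic.

    backscatter:   a null-sender message reached an existing local mailbox
                   and no recipient was hammered; consistent with a genuine
                   bounce of a message that forged one of our addresses.
    forged-bounce: every null-sender recipient was unknown and at least one
                   was retried retry_threshold times in a row; a real MTA
                   gives up after the 5xx, so this looks like spam posing as
                   a bounce.
    inconclusive:  anything else.
    """
    stats = defaultdict(lambda: {"to_valid": 0, "max_streak": 0})
    prev = {}  # ip -> (last null-sender recipient, consecutive retries)
    for e in events:
        ip = e["ip"]
        if e["sender"] != "":
            prev.pop(ip, None)  # a normal message breaks the retry streak
            continue
        s = stats[ip]
        if e["status"] == "ok":
            s["to_valid"] += 1
        last_rcpt, n = prev.get(ip, (None, 0))
        n = n + 1 if last_rcpt == e["rcpt"] else 1
        prev[ip] = (e["rcpt"], n)
        s["max_streak"] = max(s["max_streak"], n)

    verdicts = {}
    for ip, s in stats.items():
        if s["to_valid"] == 0 and s["max_streak"] >= retry_threshold:
            verdicts[ip] = "forged-bounce"
        elif s["to_valid"] > 0 and s["max_streak"] < retry_threshold:
            verdicts[ip] = "backscatter"
        else:
            verdicts[ip] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(format_table(summarise_by_ip(events)))
    for ip, verdict in sorted(classify_null_sender(events).items()):
        print(f"{ip:<15} {verdict}")
```

The streak counter is keyed per IP and reset by any non-null-sender message, so interleaved traffic from other clients does not break or inflate the count. The thresholds and labels are deliberately conservative: a single null-sender message to an unknown recipient is left as inconclusive, since a legitimate bounce to an address that has since been removed looks identical in the log.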

And since all the servers have generic host names, they might be ‘shared’ servers, except that the ‘rwhois’ delegations indicate they are dedicated servers. So probably they are simply servers that were never properly configured by their owners, e.g. with a custom PTR record.

So, assuming the latter, is there a network-wide compromise operating on their networks? Or are these servers configured with software that has a vulnerability, e.g. a plugin?

This entry was posted in Informative.