It seems like more and more spammers are taking advantage of ‘cloud services’ that allow you to spin up a bunch of servers, and IP(s) and a really big pipe, and they can do a lot of damage in just a few hours..
Today, it was Rackspace Cloud servers. While it is a little to early to say how this happens, or whether it is permitted, or whether it could be someone else’s account being subverted, it is a real problem.
For instance, Rackspace Cloud Servers (C04958933) 220.127.116.11/20, Rackspace Backbone (C03351414) 18.104.22.168/23, Rackspace Cloud Servers (C04779949), 22.214.171.124/20 all lit up to send an enormous amount of spam on large parts of the networks.
Now, there is no sub-delegation or ‘rwhois’ listing on who is using the space, or exactly how much of the space they are using (ARIN guidelines don’t tend to get used much by companies who can rent out IP(s) by the minute) but we can quickly look at a typical cross section.
(Normally, DNS could tell you a lot, but they usually run a very short TTL, and are gone by the time you go looking)
And all the spam tends to use the same spam engine at once.. In this case, a Subject like “_COMPLIMENTARY EXPERIAN, and EQUIFAX SCORES Are WAITING, _NOVEMBER 2014.” a standard From:
“2014)_Scores_Details_” and a rDNS/HELO pattern like
Received: from info.spirits1yellow.com (HELO smtp.unpactions.com) (126.96.36.199)
Normally, a HELO that is completely a different domain from the rDNS is typical of a hacker, but in this case the hostname.domain reflected in the rDNS is only something someone with admin access to a control panel that allows them to change the PTR records can do, and all the domains are typical throwaway names.
Here is just a few examples that stormed an ISP we monitor.
info.spirits1yellow.com (HELO smtp.unpactions.com) (188.8.131.52)
info.gold01bond.com (HELO smtp.orion365metals.com) (184.108.40.206)
info.gonzocrazedbe.com (HELO smtp.freedom2015life.com) (220.127.116.11)
info.isolate12workload.com (HELO smtp.patrolbbmoon.com) (18.104.22.168)
info.muppets10xmasfun.com (HELO smtp.exploretoliving.com) (22.214.171.124)
info.simple01actskind.com (HELO smtp.healthy360choices.com) (126.96.36.199)
info.inkaways98truth.com (HELO smtp.westkyl.com) (188.8.131.52)
geminis3leosbe.com (HELO smtp.timers365on.com) (184.108.40.206)
There is more of course, but that gives you an idea..
Now it used to be spammers hacked servers, PC’s, and anything connected (“Internet of Things”, remember the fridge that was reported as spamming) but it seems now that they find it a lot easier to simply buy or rent IP Space (and with IP space running out, a lot of willing hosting providers who want to use up/fill up what they have so they can get more). Of course, they might not always use a real name, (or a real credit card) to get the space, but it is easy to get.
You ‘could’ say just block the hosting providers that are letting them do that, but this isn’t some ne’er do well in a foreign country, this is a reputable hosting company right here at home. What do you do then? In just a few hours, using something as powerful as a RackSpace cloud, you can spit out millions of email messages..
So what do you do?
What do you think should be done?
Is the hosting provider responsible?
For now, let’s assume Rackspace was as surprised as the rest of the world when it happened, after all, a lot bigger companies have been cracked/hacked/duped lately.. It might have been that, but even then.. We have to be careful who we give such powerful weapons too.
PS, Unless of course you ARE “Ready to regrow thicker fuller hair” ..
This time they signed the email..
Prefer, not_ to _receive_ anything, thank you.
800 E.Rochambeau Dr, F