Okay, this isn’t that much of a threat as it seems, as most of it can be stopped by using simple RBL (Real Time Blacklists) that block the generic home style connections, sometimes referred to as DUL or Dynamic IP Space, and because of the sheer amount of it, even filtering technologies have a handle on this, but the sheer volume does make it news.
And especially, since the payloads of the emails are generally very malicious, eg ransom ware, viruses, and phishing.
But there is a lot of coming through loosely configured emails servers (allow to relay) and static business connections.
There are two main variants currently affecting the Internet, one that claims to be an ‘invoice’ with a .zip attachment, designed to fool the average office payables person to open up the zip file, usually it looks like:
Hello , I have attached the financial report you requested. Regards Ervin Tran Executive Director Finance & Information Systems
And the attachment will be something like.. sales_report_xls_555555.zip.
The sending address will usually look like..
Return-Path: <firstname.lastname@example.org> Received: from rrcs-71-43-52-85.se.biz.rr.com (HELO rrcs-71-43-52-85.se.biz.rr.com) (18.104.22.168)
(Notice the name.number@ format)
Now, real email servers would normally have a more specific PTR or rDNS record, so this is probably a dedicated office IP Address, but of course it COULD have lots of compromised devices behind that IP that are infected with the bot.
Sucuri Labs (https://blog.sucuri.net/) recently posted an interesting blog on how CCTV (cameras) have been hacked to perform attacks, but it could be anything from fridges, smart TV’s, to actual networking gear. Everything that is ‘smart’ means it potentially could be hacked, and become part of a botnet.
The other scam is a little different approach.
Hello! We are looking for employees working remotely. My name is Teri, am the personnel manager of a large International company. Most of the work you can do from home, that is, at a distance. Salary is $2500-$5000. If you are interested in this offer, please visit Our Site Best regards!
The actual ‘Our Site’ link that they want you to click on is a compromised server.
Without those compromised servers, this attack wouldn’t work.. Often it is compromised ‘WordPress’ sites, where the owner used a ‘plugin’ that had a security hole.
But the best thing you can do for your customers, is keep those emails out of their in boxes. Use up to date filters, and DUL Blacklists in your email servers (eg. http://spamrats.com RATS-DYNA)
Roughly 40% of all attempts to connect to your email server, are coming from these types of botnets on dynamic IP space.