While we are predominantly interested in email spam, there are other attacks that identify ‘bad actors’ and the networks they operate from, and those are worth examining too: the host that is brute-forcing logins today may change tactics and start sending spam tomorrow.
We couldn’t help but notice a ‘surge’ in attacks from IPs in China, and it makes you wonder whether the recent announcement by Trump of increased tariffs on Chinese goods had some effect in making North American targets look like fair game to attackers.
Especially when you see the attacks coming from IP space labeled as:
inetnum: 115.236.71.40 – 115.236.71.47
netname: HANGZHOU-OFFICE
country: CN
descr: Hangzhou city people’s government of the electronic government affairs office
admin-c: XW3198-AP
tech-c: CH122-AP
mnt-irt: IRT-CHINANET-ZJ
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-CN-CHINANET-ZJ-HZ
last-modified: 2015-07-03T05:08:02Z
source: APNIC
abuse-mailbox: antispam@dcb.hz.zj.cn
The same attacks are being seen from many different networks, such as:
inetnum: 220.189.249.64 - 220.189.249.127
netname: XIUCHEN-PEOPLES-GOV
country: CN
descr: Jiaxing Xiuchen People's government
descr: NULL
admin-c: YP223-AP
tech-c: CJ55-AP
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-CN-CHINANET-ZJ-JX
last-modified: 2008-09-04T06:55:26Z
source: APNIC
---------------------------------------------
inetnum: 183.131.80.0 - 183.131.87.255
netname: MOVEINTERNET-NETWORK
country: CN
descr: MoveInternet Network Technology Co., Ltd. MoveInternet Network
admin-c: CJ2235-AP
tech-c: CS64-AP
mnt-irt: IRT-CHINANET-ZJ
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-CN-CHINANET-ZJ-SX
last-modified: 2015-07-26T00:34:01Z
source: APNIC
abuse-mailbox: antispam@dcb.hz.zj.cn
---------------------------------------------
inetnum: 60.191.111.64 - 60.191.111.95
netname: HANGZHOU-PEOPLE-GOVERNMENT
country: CN
descr: HangZhou City People Government Information Disposal Centre
admin-c: XW1299-AP
tech-c: CH122-AP
mnt-irt: IRT-CHINANET-ZJ
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-CN-CHINANET-ZJ-HZ
abuse-mailbox: antispam@dcb.hz.zj.cn
---------------------------------------------
inetnum: 122.224.209.240 - 122.224.209.255
netname: TELECOM-TELECOM-TELECOM
country: CN
descr: TELECOM
admin-c: BG166-AP
tech-c: CH122-AP
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-CN-CHINANET-ZJ-HZ
e-mail: anti_spam@mail.hz.zj.cn
---------------------------------------------
inetnum: 220.178.0.0 - 220.180.255.255
netname: CHINANET-AH
country: CN
descr: CHINANET anhui province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
admin-c: CH93-AP
tech-c: AT318-AP
status: ALLOCATED non-PORTABLE
mnt-by: MAINT-CHINANET
last-modified: 2008-09-04T06:52:51Z
source: APNIC
---------------------------------------------
inetnum: 116.196.64.0 - 116.196.127.255
netname: JDCOM
descr: Beijing Jingdong 360 Degree E-commerce Co., Ltd.
country: CN
admin-c: LY4075-AP
tech-c: WD815-AP
mnt-by: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
status: ALLOCATED PORTABLE
last-modified: 2017-01-10T05:30:01Z
source: APNIC
---------------------------------------------
inetnum: 119.28.0.0 - 119.29.255.255
netname: TencentCloud
descr: Tencent cloud computing (Beijing) Co., Ltd.
descr: Floor 6, Yinke Building,38 Haidian St,
descr: Haidian District Beijing
country: CN
admin-c: JT1125-AP
tech-c: JX1747-AP
mnt-by: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
mnt-routes: MAINT-TENCENT-NET-AP-CN
status: ALLOCATED PORTABLE
last-modified: 2017-05-16T07:44:01Z
source: APNIC
---------------------------------------------
inetnum: 183.131.88.0 - 183.131.95.255
netname: CHINANET-ZJ-SX
country: CN
descr: CHINANET-ZJ Shaoxing node network
descr: Zhejiang Telecom
admin-c: CZ4-AP
tech-c: CS64-AP
mnt-irt: IRT-CHINANET-ZJ
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-CHINANET-ZJ
mnt-lower: MAINT-CN-CHINANET-ZJ-SX
last-modified: 2015-05-12T19:44:04Z
source: APNIC
abuse-mailbox: antispam@dcb.hz.zj.cn
---------------------------------------------
inetnum: 115.231.216.0 - 115.231.223.255
netname: CHINANET-ZJ-SX
country: CN
descr: CHINANET-ZJ Shaoxing node network
descr: Zhejiang Telecom
admin-c: CZ4-AP
tech-c: CS64-AP
mnt-irt: IRT-CHINANET-ZJ
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-CHINANET-ZJ
mnt-lower: MAINT-CN-CHINANET-ZJ-SX
last-modified: 2014-10-13T19:20:02Z
source: APNIC
abuse-mailbox: antispam@dcb.hz.zj.cn
---------------------------------------------
inetnum: 101.254.0.0 - 101.254.255.255
netname: shinenet
descr: Beijing flash newsletter cas telecommunication technology Co., LTD
descr: Beijing 3-3-102 valley in xuanwu district
country: CN
admin-c: ZW1689-AP
tech-c: ZW1689-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
status: ALLOCATED PORTABLE
last-modified: 2011-01-24T04:37:29Z
source: APNIC
---------------------------------------------
inetnum: 40.125.128.0 - 40.125.255.255
netname: BLUECLOUD
descr: Shanghai Blue Cloud Technology Co.,Ltd
descr: M5, Jiuxianqiao East Road, Chaoyang District, Beijing
country: CN
admin-c: YW6852-AP
tech-c: JS4044-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
mnt-routes: MAINT-CNNIC-AP
status: ALLOCATED PORTABLE
last-modified: 2017-10-26T09:06:02Z
source: APNIC
(It goes on…)
Here is another sampling:
Source addresses taken from the ‘client’ field of the log entries, in the order logged:
101.254.149.226 101.254.150.236 104.211.184.63 104.215.5.88 106.14.64.39 112.201.82.138
112.203.106.187 112.203.7.34 112.204.49.39 112.204.97.12 112.204.98.254 112.205.139.136
112.205.180.206 112.205.242.166 112.207.208.234 112.207.224.55 112.207.249.109 112.210.202.209
113.209.77.25 114.115.218.122 115.160.171.42 115.230.126.206 115.231.218.136 115.231.218.197
115.231.218.198 115.231.218.24 115.231.218.25 115.231.218.26 115.231.218.29 115.231.218.43
115.231.218.99 115.231.219.12 115.231.219.32 115.231.219.38 115.231.222.210 115.236.71.42
115.236.71.43 115.236.71.45 115.238.228.19 116.196.100.129 118.189.145.226 119.130.34.154
119.145.148.158 119.29.241.116 119.57.110.82 119.92.152.226 120.27.212.236 121.199.21.2
121.199.45.91 122.114.136.55 122.114.224.74 122.2.111.79 122.2.229.168 122.224.209.243
122.224.209.244 122.224.209.245 122.224.209.250 123.249.26.14 123.249.42.12 123.249.76.125
123.249.79.2 123.249.79.213 123.249.9.84 123.57.0.236 124.104.116.177 124.104.118.131
124.104.54.104 124.112.228.45 124.172.144.18 124.205.110.68 124.83.104.108 125.211.219.133
125.46.58.19 1.30.21.82 139.159.234.34 139.159.236.178 13.92.187.175 14.152.95.39
164.132.135.100 171.120.77.121 180.97.215.2 182.18.23.43 182.61.13.37 183.131.83.112
183.131.83.36 183.131.83.5 183.131.83.50 183.131.83.88 183.131.91.131 183.136.213.110
211.144.157.50 211.38.144.224 216.198.210.121 218.16.119.59 218.2.0.180 218.2.0.181
218.2.0.185 218.26.72.34 218.93.201.202 218.94.37.42 219.149.173.154 220.178.5.101
220.178.80.117 220.189.249.97 220.189.249.99 221.194.44.219 221.194.44.252 221.195.111.202
221.229.166.36 222.172.221.184 222.185.143.106 222.186.169.212 222.186.21.42 222.186.56.91
222.186.58.186 222.72.135.116 222.73.85.196 222.76.218.7 223.100.5.9 223.4.152.102
40.125.163.19 43.241.51.11 49.145.144.195 49.145.152.175 49.145.21.249 49.148.181.236
49.148.224.142 49.151.133.40 49.151.140.147 49.151.155.13 49.151.171.42 49.151.174.17
52.229.201.157 52.232.248.208 58.221.49.21 59.173.18.111 59.51.125.130 60.191.111.66
60.191.111.67 60.191.111.68 60.191.66.226 61.145.62.99 61.160.195.28 61.36.94.122
Now, this particular attack appears to be aimed at Tomcat servers, trying to get in through weak or default credentials, but it is quite a coincidence to see a large spike in these attempts just after some political ‘saber rattling’.
Of course, they are easy enough to stop (for instance with mod_security on Apache httpd), but as a Spam Auditor the data is also valuable in itself: IP addresses used for one type of attack are often used for others.
Consider setting up your IDS (Intrusion Detection System) or reporting tools to contribute these IPs to the regular RBLs and blocklists, because you never know what the ‘NEXT’ type of attack might be.
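As an added example of the reporting step described above (this is not code from the original post), the script below pulls failed Tomcat logins out of an Apache httpd error log, counts them per source address, labels each source with the inetnum record it falls in, and writes the result as DNSBL-style zone records that a local RBL could serve. It assumes httpd sits in front of Tomcat with mod_auth_basic protecting /manager/ (so failures appear as AH01617/AH01618 messages); the log lines are constructed, the 203.0.113.7 address and the zone name tomcat-bf.bl.example.net are hypothetical, and the range table is copied from the whois records quoted on this page.

```python
"""Turn Tomcat login-guessing sources from an httpd error log into DNSBL records.

Added example for this page, not the author's tooling. Assumes Apache httpd 2.4
with mod_auth_basic in front of Tomcat; the zone name below is hypothetical.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Apache httpd 2.4 error-log format. The source
# addresses come from the lists on this page; timestamps, usernames and the
# 203.0.113.7 (documentation range) entry are made up for the example.
SAMPLE_LOG = """\
[Tue Apr 03 10:15:22.000001 2018] [auth_basic:error] [pid 2041] [client 115.236.71.42:51234] AH01617: user tomcat: authentication failure for "/manager/html": Password Mismatch
[Tue Apr 03 10:15:23.000002 2018] [auth_basic:error] [pid 2041] [client 115.236.71.42:51240] AH01617: user admin: authentication failure for "/manager/html": Password Mismatch
[Tue Apr 03 10:15:24.000003 2018] [auth_basic:error] [pid 2041] [client 115.236.71.42:51251] AH01618: user manager not found: /manager/html
[Tue Apr 03 10:15:30.000004 2018] [auth_basic:error] [pid 2042] [client 183.131.83.36:40011] AH01617: user tomcat: authentication failure for "/manager/html": Password Mismatch
[Tue Apr 03 10:15:31.000005 2018] [auth_basic:error] [pid 2042] [client 183.131.83.36:40015] AH01617: user root: authentication failure for "/manager/html": Password Mismatch
[Tue Apr 03 10:16:02.000006 2018] [auth_basic:error] [pid 2043] [client 203.0.113.7:55000] AH01617: user alice: authentication failure for "/manager/html": Password Mismatch
[Tue Apr 03 10:16:40.000007 2018] [auth_basic:error] [pid 2043] [client 119.29.241.116:60123] AH01617: user bob: authentication failure for "/intranet/": Password Mismatch
[Tue Apr 03 10:17:00.000008 2018] [proxy:error] [pid 2044] [client 60.191.111.66:33001] AH00898: Error reading from remote server returned by /manager/html
"""

# httpd writes the peer as "[client ip:port]"; AH01617 is a wrong password,
# AH01618 an unknown user. Anything else (proxy errors etc.) is ignored.
CLIENT_RE = re.compile(r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\]")
MISMATCH_RE = re.compile(r'AH01617: user (?P<user>\S+): authentication failure for "(?P<uri>[^"]+)"')
NOTFOUND_RE = re.compile(r"AH01618: user (?P<user>\S+) not found: (?P<uri>\S+)")

# (netname, first, last) of inetnum records quoted on this page, used as a
# small local whois table so the report can say which allocation an IP is in.
KNOWN_RANGES = [
    ("HANGZHOU-OFFICE", "115.236.71.40", "115.236.71.47"),
    ("XIUCHEN-PEOPLES-GOV", "220.189.249.64", "220.189.249.127"),
    ("MOVEINTERNET-NETWORK", "183.131.80.0", "183.131.87.255"),
    ("HANGZHOU-PEOPLE-GOVERNMENT", "60.191.111.64", "60.191.111.95"),
    ("TELECOM-TELECOM-TELECOM", "122.224.209.240", "122.224.209.255"),
    ("TencentCloud", "119.28.0.0", "119.29.255.255"),
]


def parse_auth_failures(log_text, uri_prefix="/manager/"):
    """Map source IP -> list of usernames tried, for failed logins under uri_prefix."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        client = CLIENT_RE.search(line)
        if not client:
            continue
        m = MISMATCH_RE.search(line) or NOTFOUND_RE.search(line)
        if not m or not m.group("uri").startswith(uri_prefix):
            continue  # not an auth failure, or one against a different app
        attempts[client.group("ip")].append(m.group("user"))
    return dict(attempts)


def netname_for(ip):
    """Return the netname of the known inetnum record containing ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for name, first, last in KNOWN_RANGES:
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            return name
    return None


def offenders(attempts, threshold=2):
    """Sources with at least `threshold` failures, worst first.

    A single failure is as likely a typo as a scan, so it never makes the list;
    raise the threshold if your users often mistype Basic-auth passwords.
    """
    rows = [(ip, len(users), sorted(set(users)), netname_for(ip))
            for ip, users in attempts.items() if len(users) >= threshold]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def dnsbl_records(rows, zone="tomcat-bf.bl.example.net"):
    """Emit DNSBL zone lines: octets reversed under the list zone, answering
    127.0.0.2 (the conventional 'listed' code) plus a TXT record with the reason."""
    out = []
    for ip, n, users, netname in rows:
        rev = ".".join(reversed(ip.split(".")))
        reason = f"{n} failed Tomcat logins ({', '.join(users)})"
        if netname:
            reason += f" from {netname}"
        out.append(f"{rev}.{zone}. IN A 127.0.0.2")
        out.append(f'{rev}.{zone}. IN TXT "{reason}"')
    return out


if __name__ == "__main__":
    rows = offenders(parse_auth_failures(SAMPLE_LOG))
    for ip, n, users, netname in rows:
        print(f"{ip:16} {n:3} attempts  users={users}  whois={netname or '?'}")
    print("\n".join(dnsbl_records(rows)))
```

On the sample data only 115.236.71.42 (three users tried, HANGZHOU-OFFICE) and 183.131.83.36 (two, MOVEINTERNET-NETWORK) are listed: the 203.0.113.7 single failure stays below the threshold, the 119.29.241.116 failure was against a different application, and the proxy error is not a login at all. Before feeding such a zone to a production RBL, give entries a lifetime and re-check them, since several of the allocations above (cloud and telecom ranges) are shared and the address that scanned you this week may belong to someone else next month.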