Does Politics affect Spam Outbreaks

While we are predominantly interested in email spam, there are other attacks that can point to ‘bad actors’, and the networks they operate from, and those are worth examining too. Tomorrow they may change tactics and start sending spam.

We couldn’t help but notice a ‘surge’ in attacks from IP(s) in China, and it makes you wonder whether the recent announcement by Trump of increased tariffs on Chinese goods had some effect, making North American targets seem more like fair game to attackers.

Especially when you see the attacking hosts coming from IP space labeled as:

inetnum:        115.236.71.40 - 115.236.71.47
netname:        HANGZHOU-OFFICE
country:        CN
descr:          Hangzhou city people's government of the electronic government affairs office
descr:
admin-c:        XW3198-AP
tech-c:         CH122-AP
mnt-irt:        IRT-CHINANET-ZJ
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CN-CHINANET-ZJ-HZ
last-modified:  2015-07-03T05:08:02Z
source:         APNIC
abuse-mailbox:  antispam@dcb.hz.zj.cn

The attacks that are being seen are the same from many different networks such as:

inetnum:        220.189.249.64 - 220.189.249.127
netname:        XIUCHEN-PEOPLES-GOV
country:        CN
descr:          Jiaxing Xiuchen People's government
descr:          NULL
admin-c:        YP223-AP
tech-c:         CJ55-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CN-CHINANET-ZJ-JX
last-modified:  2008-09-04T06:55:26Z
source:         APNIC
---------------------------------------------

inetnum:        183.131.80.0 - 183.131.87.255
netname:        MOVEINTERNET-NETWORK
country:        CN
descr:          MoveInternet Network Technology Co., Ltd.
descr:
admin-c:        CJ2235-AP
tech-c:         CS64-AP
mnt-irt:        IRT-CHINANET-ZJ
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CN-CHINANET-ZJ-SX
last-modified:  2015-07-26T00:34:01Z
source:         APNIC
abuse-mailbox:  antispam@dcb.hz.zj.cn
---------------------------------------------

inetnum:        60.191.111.64 - 60.191.111.95
netname:        HANGZHOU-PEOPLE-GOVERNMENT
country:        CN
descr:          HangZhou City People Government Information Disposal Centre
descr:
admin-c:        XW1299-AP
tech-c:         CH122-AP
mnt-irt:        IRT-CHINANET-ZJ
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CN-CHINANET-ZJ-HZ
abuse-mailbox:  antispam@dcb.hz.zj.cn
---------------------------------------------

inetnum:        122.224.209.240 - 122.224.209.255
netname:        TELECOM-TELECOM-TELECOM
country:        CN
descr:          TELECOM
descr:
admin-c:        BG166-AP
tech-c:         CH122-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CN-CHINANET-ZJ-HZ
e-mail:         anti_spam@mail.hz.zj.cn
---------------------------------------------

inetnum:        220.178.0.0 - 220.180.255.255
netname:        CHINANET-AH
country:        CN
descr:          CHINANET anhui province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
admin-c:        CH93-AP
tech-c:         AT318-AP
status:         ALLOCATED non-PORTABLE
mnt-by:         MAINT-CHINANET
last-modified:  2008-09-04T06:52:51Z
source:         APNIC
---------------------------------------------

inetnum:        116.196.64.0 - 116.196.127.255
netname:        JDCOM
descr:          Beijing Jingdong 360 Degree E-commerce Co., Ltd.
country:        CN
admin-c:        LY4075-AP
tech-c:         WD815-AP
mnt-by:         MAINT-CNNIC-AP
mnt-routes:     MAINT-CNNIC-AP
mnt-irt:        IRT-CNNIC-CN
status:         ALLOCATED PORTABLE
last-modified:  2017-01-10T05:30:01Z
source:         APNIC
---------------------------------------------

inetnum:        119.28.0.0 - 119.29.255.255
netname:        TencentCloud
descr:          Tencent cloud computing (Beijing) Co., Ltd.
descr:          Floor 6, Yinke Building,38 Haidian St,
descr:          Haidian District Beijing
country:        CN
admin-c:        JT1125-AP
tech-c:         JX1747-AP
mnt-by:         MAINT-CNNIC-AP
mnt-irt:        IRT-CNNIC-CN
mnt-routes:     MAINT-TENCENT-NET-AP-CN
status:         ALLOCATED PORTABLE
last-modified:  2017-05-16T07:44:01Z
source:         APNIC
---------------------------------------------

inetnum:        183.131.88.0 - 183.131.95.255
netname:        CHINANET-ZJ-SX
country:        CN
descr:          CHINANET-ZJ Shaoxing node network
descr:          Zhejiang Telecom
admin-c:        CZ4-AP
tech-c:         CS64-AP
mnt-irt:        IRT-CHINANET-ZJ
status:         ALLOCATED NON-PORTABLE
mnt-by:         MAINT-CHINANET-ZJ
mnt-lower:      MAINT-CN-CHINANET-ZJ-SX
last-modified:  2015-05-12T19:44:04Z
source:         APNIC
abuse-mailbox:  antispam@dcb.hz.zj.cn
---------------------------------------------

inetnum:        115.231.216.0 - 115.231.223.255
netname:        CHINANET-ZJ-SX
country:        CN
descr:          CHINANET-ZJ Shaoxing node network
descr:          Zhejiang Telecom
admin-c:        CZ4-AP
tech-c:         CS64-AP
mnt-irt:        IRT-CHINANET-ZJ
status:         ALLOCATED NON-PORTABLE
mnt-by:         MAINT-CHINANET-ZJ
mnt-lower:      MAINT-CN-CHINANET-ZJ-SX
last-modified:  2014-10-13T19:20:02Z
abuse-mailbox:  antispam@dcb.hz.zj.cn
---------------------------------------------

inetnum:        101.254.0.0 - 101.254.255.255
netname:        shinenet
descr:          Beijing flash newsletter cas telecommunication technology Co., LTD
descr:          Beijing 3-3-102 valley in xuanwu district
country:        CN
admin-c:        ZW1689-AP
tech-c:         ZW1689-AP
mnt-by:         MAINT-CNNIC-AP
mnt-lower:      MAINT-CNNIC-AP
mnt-routes:     MAINT-CNNIC-AP
mnt-irt:        IRT-CNNIC-CN
status:         ALLOCATED PORTABLE
last-modified:  2011-01-24T04:37:29Z
source:         APNIC
---------------------------------------------

inetnum:        40.125.128.0 - 40.125.255.255
netname:        BLUECLOUD
descr:          Shanghai Blue Cloud Technology Co.,Ltd
descr:          M5, Jiuxianqiao East Road, Chaoyang District, Beijing
country:        CN
admin-c:        YW6852-AP
tech-c:         JS4044-AP
mnt-by:         MAINT-CNNIC-AP
mnt-lower:      MAINT-CNNIC-AP
mnt-irt:        IRT-CNNIC-CN
mnt-routes:     MAINT-CNNIC-AP
status:         ALLOCATED PORTABLE
last-modified:  2017-10-26T09:06:02Z
source:         APNIC
---------------------------------------------

(It goes on…)

Here is another sampling:


Now, this attack appears to be aimed specifically at ‘tomcat’ servers, getting in through loose credentials, but it is quite a coincidence to see a large spike in these attempts just after some political ‘saber rattling’.

Of course, these attempts are easy enough to stop (for instance with ‘mod_security’ on Apache), but to a Spam Auditor the data is also very valuable, because IP addresses used for one type of attack are often reused for others.

Consider setting up your IDS (Intrusion Detection System) or reporting tools to contribute these IP(s) to the regular RBLs and blacklists, because you never know what the ‘NEXT’ type of attack might be.
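Tying the whois records above to the ‘contribute these IPs’ step, here is an added example (not code from the original post): it parses whois objects in the APNIC layout shown above, attributes a list of ‘client’ IPs to the inetnum and abuse contact covering each one, and formats a listed IP the way a DNSBL zone expects. The zone name bl.example.net and the 198.51.100.7 client are assumptions; the ranges, netnames and contacts are copied from the page.

```python
import ipaddress
from collections import defaultdict
# Constructed excerpt in the page's APNIC whois layout, trimmed to the fields used here.
WHOIS_TEXT = """\
inetnum:        115.236.71.40 - 115.236.71.47
netname:        HANGZHOU-OFFICE
abuse-mailbox:  antispam@dcb.hz.zj.cn

inetnum:        60.191.111.64 - 60.191.111.95
netname:        HANGZHOU-PEOPLE-GOVERNMENT
abuse-mailbox:  antispam@dcb.hz.zj.cn

inetnum:        122.224.209.240 - 122.224.209.255
netname:        TELECOM-TELECOM-TELECOM
e-mail:         anti_spam@mail.hz.zj.cn
"""
# Constructed "client <ip>" lines; 198.51.100.7 (documentation range) matches no record.
CLIENT_LINES = ("client 115.236.71.42\nclient 60.191.111.66\n"
                "client 122.224.209.243\nclient 198.51.100.7\n")

def parse_whois(text):
    """Parse blank-line-separated whois objects into dicts keyed by attribute."""
    records = [{}]
    for line in text.splitlines():
        if not line.strip():
            records.append({})
            continue
        key, _, value = line.partition(":")
        records[-1][key.strip().lower()] = value.strip()
    return [r for r in records if r]

def attribute(client_text, records):
    """Group client IPs by the (netname, abuse contact) of the inetnum holding them."""
    report = defaultdict(list)
    for line in client_text.splitlines():
        ip = ipaddress.ip_address(line.split()[-1])
        for rec in records:
            first, _, last = rec["inetnum"].partition("-")
            if ipaddress.ip_address(first.strip()) <= ip <= ipaddress.ip_address(last.strip()):
                contact = rec.get("abuse-mailbox") or rec.get("e-mail", "?")
                report[(rec["netname"], contact)].append(str(ip))
                break
        else:  # no inetnum matched: list it anyway, but it needs a manual lookup
            report[("UNATTRIBUTED", "?")].append(str(ip))
    return dict(report)

def dnsbl_entry(ip, zone="bl.example.net"):
    """Reversed-octet A record in the form a DNSBL zone uses to list an IPv4."""
    return ".".join(reversed(ip.split("."))) + "." + zone + " A 127.0.0.2"
```

Feed the full whois output and your IDS's offender list into the same functions and the per-contact groups double as abuse reports, while the reversed-octet lines can go straight into a local DNSBL zone.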
