Here are this week’s spammy Freenom and .xyz TLDs coming from the Digital Ocean network.
The enormous marketing spam campaign coming from the Digital Ocean network, mentioned last week, does not seem to be slowing down. Those who are subscribed to the SDLU (spammers.dontlike.us) mailing list may have read about these ‘compromised’ Digital Ocean IPs sending a high volume of messages. This actor is utilizing older domains (domains registered 5-10+ years ago), likely picked up after they expired. Using older domains is one way for a domain to look more ‘legitimate’ on the surface; at the very least, an older domain is intuitively more reputable than a freshly registered one (when the domain name is not a recognizable brand).
Many, if not all, of these suspicious domains are registered with Name.com. They also share the same registrant organization, ‘Hosting Magic’. No company under the name ‘Hosting Magic’ could be found with a brief Google search.
The above picture is what an email from this spam campaign typically looks like. The link redirects you to a spammy-looking, ad-click style website with nothing of substance.
Below are some of the Digital Ocean IPs we’ve detected sending this marketing spam over the past week.