Outside of the typical throwaway domain spam, we have been seeing a tremendous volume of marketing email coming from the Digital Ocean network. But first, here are this week’s Freenom and .xyz TLDs detected spamming on the Digital Ocean network.
Oct9
104.131.21.99 x3 kyuf0.607.omre.ml
104.131.52.28 x10 preeducation.tk
134.122.101.207 x1 account.tdress.xyz
134.209.157.244 x28 kyuf0.619.omre.ml
138.197.185.196 x5 kyuf0.622.omre.ml
138.197.65.199 x1 support.barlasoto.xyz
138.68.77.236 x1 members.resinfo.xyz
138.68.89.106 x1 kyuf0.625.omre.ml
139.59.152.86 x2 kyuf0.610.omre.ml
142.93.153.232 x7 kyuf0.623.omre.ml
142.93.230.101 x2 support-paylpal.ga
159.203.164.91 x7 kyuf0.617.omre.ml
159.89.6.29 x2 kyuf0.614.omre.ml
162.243.173.120 x1 kyuf0.606.omre.ml
165.22.210.60 x2 kyuf0.624.omre.ml
167.99.148.8 x1 return.seddit.xyz
178.62.10.205 x3 kyuf0.605.omre.ml
188.166.65.44 x3 kyuf0.608.omre.ml
192.241.145.167 x11 kyuf0.616.omre.ml
206.189.125.141 x10 kyuf0.615.omre.ml
206.189.31.119 x1 kyuf0.613.omre.ml
207.154.216.148 x1 kyuf0.626.omre.ml
207.154.240.126 x2 kyuf0.611.omre.ml
46.101.164.122 x1 kyuf0.620.omre.ml
46.101.174.61 x1 mail.sacopet.xyz
64.227.58.6 x1 subscriber.techcone.xyz
68.183.158.71 x1 support.toristan.xyz

Oct10
128.199.2.128 x1 member.tcsmv.xyz
134.122.101.207 x2 account.tdress.xyz
134.122.109.125 x1 account.thisisluv.xyz
138.197.66.113 x1 support.techstoree.xyz
138.197.74.75 x2 support.tolittle.xyz
143.110.152.207 x1 member.godszone.xyz
143.110.152.233 x2 member.toewr.xyz
143.110.156.90 x1 member.goweek.xyz
159.89.106.249 x1 members.lesfauve.xyz
161.35.46.101 x1 account.tojmath.xyz
167.99.3.251 x2 return.dlintc.xyz
167.99.6.163 x1 techssoftt.ml
46.101.174.61 x2 mail.sacopet.xyz
64.225.124.174 x1 subscriber.tpokh.xyz
67.205.153.67 x1 return.skymass.xyz

Oct11
none.
Oct12
142.93.210.5 x1 rkr0.sievo.gq
161.35.92.232 x1 rkr0.sievo.ga
165.227.137.117 x29 rkr0.dueno.ml
46.101.8.130 x9 rkr0.sievo.cf

Oct13
104.131.92.73 x10 cvp0.113.vuere.ml
104.131.92.83 x3 cvp0.119.vuere.ml
128.199.79.227 x1 gotosott.ml
134.122.127.121 x1 togoweb.ml
134.122.25.169 x2 cvp0.126.vuere.ml
138.197.10.223 x1 rdns0.bdasha.xyz
138.197.191.134 x1 softdude.cf
138.68.94.79 x5 cvp0.109.vuere.ml
139.59.128.98 x11 cvp0.116.vuere.ml
139.59.17.152 x3 cvp0.115.vuere.ml
139.59.62.221 x3 cvp0.108.vuere.ml
139.59.67.242 x2 cvp0.121.vuere.ml
142.93.124.211 x3 cvp0.118.vuere.ml
142.93.49.200 x8 rdns0.redsap.xyz
143.110.184.139 x1 cvp0.vuere.cf
157.245.240.113 x1 gotosot.gq
157.245.40.218 x28 cvp0.110.vuere.ml
161.35.102.172 x2 gotosot.ga
161.35.52.118 x1 gotosot.ml
161.35.7.200 x1 cvp0.105.vuere.ml
165.22.115.71 x7 cvp0.111.vuere.ml
165.22.195.30 x4 cvp0.128.vuere.ml
165.22.39.2 x3 cvp0.127.vuere.ml
178.62.59.101 x3 cvp0.123.vuere.ml
188.166.96.246 x18 cvp0.114.vuere.ml
206.189.224.58 x1 cvp0.125.vuere.ml
206.189.226.157 x14 cvp0.112.vuere.ml
206.81.15.104 x1 softballe.ga
207.154.203.178 x3 cvp0.122.vuere.ml
64.227.19.145 x1 softdude.ml
67.205.150.177 x2 rdns0.desar.xyz
68.183.30.134 x1 togoweb.gq
68.183.30.191 x2 softdude.gq
68.183.42.232 x3 cvp0.117.vuere.ml

Oct14
104.131.126.226 x7 rdns0.redsta.xyz
104.131.41.105 x5 xbx.806.omre.ga
134.122.118.159 x1 softdude.tk
134.122.17.48 x1 gotosott.cf
134.122.32.136 x4 xbx0.809.omre.ga
134.209.85.154 x7 xbx.801.omre.ga
142.93.32.79 x16 xbx.804.omre.ga
142.93.50.239 x1 slidervid.xyz
142.93.51.47 x2 softhm.ga
142.93.61.47 x1 softhm.ml
157.230.59.192 x1 softparadise.ml
157.245.102.28 x5 xbx.807.omre.ga
159.65.155.23 x2 xbx.802.omre.ga
161.35.7.136 x1 gotosott.gq
161.35.92.206 x2 gotosot.cf
162.243.163.215 x4 xbx.805.omre.ga
188.166.188.54 x1 gotosott.tk
207.154.253.226 x18 xbx.808.omre.ga
46.101.165.194 x3 xbx.803.omre.ga
67.205.191.125 x1 softattorney.tk
68.183.30.114 x4 togoweb.cf

Oct15
128.199.47.113 x3 bizcloud-mail.goregan.cf
157.245.177.126 x2 gotosott.ga
198.199.75.148 x1 rdns0.teleaurd.xyz
206.189.47.207 x8 xbx0.omre.cf
67.207.94.14 x1 softdude.ga
68.183.193.198 x2 amozoon.xyz
68.183.196.215 x1 softdrones.ml
The interesting thing about this marketing (spam) campaign is that it uses older domains rather than the typical cheap new domains. It is very likely this actor has acquired expired domains at a low price, as older domains generally have a better ‘reputation’ than newer ones when it comes to sending bulk email. This is another pattern of activity that is not being caught by the provider, but it is harder to detect than the previous one. Below is a snippet of some of the IPs and domains participating in this massive spam campaign. Next week I’ll provide more data and samples to further illustrate what is going on.
128.199.54.37 x11 mail.miriamchia.com
134.122.34.159 x21 mail.bar-sound-systems.com
134.122.34.239 x18 mail.soundclothes.com
134.122.37.70 x20 mail.night-club-sound-system.com
134.122.37.75 x16 mail.artindependentfair.com
134.122.41.135 x21 mail.westhillsplumber.com
134.209.177.67 x19 mail.carcharohome.com
134.209.37.57 x21 mail.palisadesplumber.com
138.197.104.86 x21 mail.domesdvr.com
138.197.5.81 x19 mail.killer-recipes.com
142.93.133.131 x20 mail.kevenbrochu.com
142.93.33.211 x13 mail.eaglerockplumbing.com
143.110.224.113 x20 mail.diyskincarekits.com
143.110.224.114 x20 mail.guardiantaskforce.com
143.110.224.115 x20 mail.muntinlupadentist.com
143.110.224.119 x21 mail.sandiegopianoteacher.com
143.110.224.140 x19 mail.radiantartphotography.com
143.110.224.215 x19 mail.ratcheteerwrench.com
143.110.232.24 x18 mail.night-club-sound-systems.com
159.65.115.10 x9 mail.mandaluyongdentist.com
159.65.115.252 x3 mail.radiosolnascente.com
159.65.119.49 x10 mail.bodycarekits.com
159.65.121.141 x9 mail.costumeonlinestore.com
178.62.40.183 x7 mail.ealingmassage.com
188.166.95.216 x11 mail.canogaparkplumber.com
45.55.44.24 x8 mail.denimdash5k.com
67.205.161.101 x6 mail.calviciepedia.com
104.248.91.239 x19 mail.masteryijingtimespace.com
165.227.89.6 x20 mail.clayclaimsshanese.com
167.71.111.113 x19 mail.boredomtree.com
167.99.185.225 x21 mail.colorado9holes.com
174.138.40.74 x20 mail.my779.com
206.189.190.231 x20 mail.see-dinos.com
46.101.13.62 x20 mail.valenzueladentist.com
46.101.15.158 x20 mail.bollywoodvoice.com
46.101.15.60 x19 mail.lounge-sound-system.com
46.101.16.53 x21 mail.vqsecurity.com
64.227.97.148 x20 mail.marikinadentist.com
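To show how an abuse analyst would actually work with lists in this layout, here is an added Python example (not part of the original post, and not tooling from the reporting service). It parses the flattened "date IP xN hostname" format used in the lists above, collapses sequentially numbered hostnames such as kyuf0.607.omre.ml and kyuf0.619.omre.ml into one template per apex domain so the throwaway-domain campaign stands out by its sender count, and groups senders by /24 so that neighbouring addresses like 143.110.224.x from the older-domain campaign surface together even though each uses a different domain. The SAMPLE string is a constructed excerpt built from values copied off this page; the apex-domain rule (last two labels) is an assumption that holds for the TLDs listed here but not for TLDs with second-level registries.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's flattened "date IP xN hostname" layout.
# The values are copied from the lists above; the layout is what the parser handles.
SAMPLE = (
    "Oct9 104.131.21.99 x3 kyuf0.607.omre.ml 104.131.52.28 x10 preeducation.tk "
    "134.209.157.244 x28 kyuf0.619.omre.ml 142.93.230.101 x2 support-paylpal.ga "
    "Oct11 none. Oct12 165.227.137.117 x29 rkr0.dueno.ml 46.101.8.130 x9 rkr0.sievo.cf "
    "143.110.224.113 x20 mail.diyskincarekits.com 143.110.224.114 x20 mail.guardiantaskforce.com"
)

# A token is either a date marker (e.g. "Oct9") or one "IP xN hostname" record;
# anything else in the text (such as "none.") is skipped.
DATE_RE = re.compile(r"[A-Z][a-z]{2}\d{1,2}")
RECORD_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) x(\d+) (\S+)")
TOKEN_RE = re.compile(r"\b[A-Z][a-z]{2}\d{1,2}\b|\d{1,3}(?:\.\d{1,3}){3} x\d+ \S+")


def parse_report(text):
    """Return (date, ip, count, hostname) tuples in report order."""
    records, date = [], None
    for m in TOKEN_RE.finditer(text):
        token = m.group(0)
        if DATE_RE.fullmatch(token):
            date = token
            continue
        ip, count, host = RECORD_RE.fullmatch(token).groups()
        records.append((date, ip, int(count), host.lower().rstrip(".")))
    return records


def apex(host):
    """Registrable domain as the last two labels (assumption: fine for the TLDs here)."""
    return ".".join(host.split(".")[-2:])


def template(host):
    """Collapse digit runs so sequentially numbered hosts share one key."""
    return re.sub(r"\d+", "#", host)


def summarize(records):
    """Per apex domain: message total, distinct sending IPs, hostname templates."""
    summary = defaultdict(lambda: {"messages": 0, "ips": set(), "templates": set()})
    for _date, ip, count, host in records:
        entry = summary[apex(host)]
        entry["messages"] += count
        entry["ips"].add(ip)
        entry["templates"].add(template(host))
    return dict(summary)


def campaign_candidates(summary, min_ips=2):
    """Apex domains sent from at least min_ips addresses, most messages first."""
    hits = [d for d, e in summary.items() if len(e["ips"]) >= min_ips]
    return sorted(hits, key=lambda d: -summary[d]["messages"])


def subnet_clusters(records):
    """Map each /24 prefix with more than one sending address to the sorted apex
    domains sent from it; this is what exposes the 143.110.224.x pattern."""
    by_prefix = defaultdict(lambda: {"ips": set(), "domains": set()})
    for _date, ip, _count, host in records:
        prefix = ".".join(ip.split(".")[:3])
        by_prefix[prefix]["ips"].add(ip)
        by_prefix[prefix]["domains"].add(apex(host))
    return {p: sorted(v["domains"]) for p, v in by_prefix.items() if len(v["ips"]) > 1}


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    summary = summarize(recs)
    for domain in campaign_candidates(summary):
        e = summary[domain]
        print(f"{domain}: {e['messages']} msgs from {len(e['ips'])} IPs, templates {sorted(e['templates'])}")
    for prefix, domains in subnet_clusters(recs).items():
        print(f"{prefix}.0/24 -> {domains}")
```

Run against the full lists rather than the excerpt, the template grouping puts every kyuf0.NNN.omre.ml, cvp0.NNN.vuere.ml and xbx.8NN.omre.ga sender under a single key, while the /24 grouping is the view that still works on the second campaign, where each sender has its own aged .com domain and nothing in the hostname repeats.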