Never-ending Freenom and .xyz TLD spam continues on DigitalOcean. A big burst came in on Valentine's Day from these newsgood.xyz domains.
An interesting pattern is emerging from the HEFICED networks: throwaway domains whose PTR (reverse DNS) records follow a slot0 naming pattern. We see these hosts sending a lot of account phishing and fake invoice spam.
185.142.24.12 x1 slot0.nindacc.com
185.142.24.65 x6 slot0.cosk.xyz
185.142.24.103 x6 slot0.fery.xyz
185.142.24.105 x3 slot0.daue.xyz
185.142.24.108 x9 slot0.adifed.com
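
As an added example (not code from the original post), here is a small Python triage script for listings in the date / IP / xN count / PTR format used here: it flags slot0 PTR names and Freenom or .xyz TLDs, then groups flagged senders by /24. The sample input is constructed from documentation addresses and example.* names; the function names and the /24 grouping are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

FREENOM_TLDS = {"tk", "ml", "ga", "cf", "gq"}   # Freenom's free TLDs
DATE = re.compile(r"^[A-Z][a-z]{2}\d{1,2}$")     # date token, e.g. Feb14
COUNT = re.compile(r"^x(\d+)$")                  # message count, e.g. x20
# Constructed sample in the listing's flattened layout (not real senders).
SAMPLE = ("Feb14 192.0.2.10 x20 promo.example.xyz 192.0.2.11 x5 slot0.example.com "
          "198.51.100.7 x3 mail.example.org Feb15 192.0.2.12 x2 box.example.ml 203.0.113.9 x1 slot0.example.net")

def parse_entries(text):
    """Yield (date, ip, count, ptr) tuples, resyncing past malformed tokens."""
    tokens, date, i = text.split(), None, 0
    while i < len(tokens):
        if DATE.match(tokens[i]):
            date, i = tokens[i], i + 1
            continue
        m = COUNT.match(tokens[i + 1]) if i + 2 < len(tokens) else None
        try:
            ip = ipaddress.ip_address(tokens[i])
        except ValueError:
            ip = None
        if ip is None or m is None:
            i += 1                      # not an "IP xN host" triple, skip one token
            continue
        yield date, ip, int(m.group(1)), tokens[i + 2].lower().rstrip(".")
        i += 3

def reasons(ptr):
    """Return the heuristics a PTR name trips: slot0 first label, watched TLD."""
    labels = ptr.split(".")
    out = ["slot0-ptr"] if labels[0] == "slot0" else []
    if labels[-1] in FREENOM_TLDS:
        out.append("freenom-tld")
    elif labels[-1] == "xyz":
        out.append("xyz-tld")
    return out

def clusters(text, min_hosts=2):
    """Map each /24 with >= min_hosts flagged IPv4 senders to (hosts, messages)."""
    seen = defaultdict(lambda: [set(), 0])
    for _date, ip, count, ptr in parse_entries(text):
        if ip.version != 4 or not reasons(ptr):
            continue
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        seen[net][0].add(str(ip))
        seen[net][1] += count
    return {n: (len(h), c) for n, (h, c) in seen.items() if len(h) >= min_hosts}
```

Grouping by /24 surfaces runs of neighbouring senders in one allocation, which is how the slot0 hosts above appear; the heuristics are scoring hints for triage, not a verdict on any single domain.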