Some hosting companies never end up on our radar, as they have systems in place to catch customers who sign-up for IP Space and VPS’s just to start spamming, but there are others who seem to constantly have problems with new break outs from new customers.
An example today is at SoftLayer, a customer who signed up Jun 4th, 2015 and is listed as Linecom Systems Media for the 158.85.128.120/29 IP Space, today triggered alerting system at almost every ISP we monitor. In order to do that, you would expect the SoftLayer should have bells going off in their network monitoring as well.
This company didn’t even bother to use throwaway domains, or update the default rDNS SoftLayer uses, so most people would not see it in their inboxes, but the overhead on the internet and the ISP mail servers is significant.
158.85.128.120 : 158.85.128.120-static.reverse.softlayer.com
158.85.128.121 : 158.85.128.121-static.reverse.softlayer.com
158.85.128.122 : 158.85.128.122-static.reverse.softlayer.com
158.85.128.123 : 158.85.128.123-static.reverse.softlayer.com
158.85.128.124 : 158.85.128.124-static.reverse.softlayer.com
158.85.128.125 : 158.85.128.125-static.reverse.softlayer.com
158.85.128.126 : 158.85.128.126-static.reverse.softlayer.com
158.85.128.127 : 158.85.128.127-static.reverse.softlayer.com
Now, the abuse contact for this one, goinalyndz75@gmail.com also looks very curious, and the systems identify themselves as ‘Linux 3.1-3.10’, the intent seemed to be intended to use .link throwaway domain, (actsdb.link) similar to the common .work, .science low cost domains, and this was a fake review for a restaurant in Seattle.
Looks like they have a database of email addresses that is very clean, low bounce rate, but this kind of abusive behavior risks the hosting providers reputation as well.
At least SoftLayer does a good job of ‘rwhois’, but the point is that allowing this to occur hurts everyone. Again, we recommend networks monitor their own networks on egress, and trigger some form of automated lock out when SMTP volumes from brand new customers go through the roof, whether it is because it is a ‘bad customer’, or simply a customer that doesn’t know how to secure their servers.
Oh, BTW.. the spam engine used is one seen commonly at hosting companies.
PS, Not targeted at SoftLayer specifically. Today, we also saw new outbreaks from:
Centarra Networks Inc. (the following dont’ do as good of a job on ‘rwhois’)
198.52.219.236 : r5fwk.farainm.science 198.52.219.237 : 33k2kmnef.nustiue.science 198.52.219.238 : fd7gb.citubeir.science 198.52.219.239 : ileci1jx.dajun.science 198.52.219.240 : qfrad4m.cianje.science 198.52.219.242 : dfgja.aletan.science
And Linode..
45.79.139.141 : gurusmart.biz 45.79.147.162 : joombusiness.com 45.79.155.161 : shopsmarts.biz 45.79.202.166 : like-minded.biz 45.79.207.165 : xtremeshop.biz
And LogicWeb