Some more throwaway Freenom (.tk/.ml/.ga/.cf/.gq) and .xyz domains spamming from the DigitalOcean networks. I’m slowly working on expanding this report to more networks; I’ve just been pretty busy with everything else going on. These actors have been shooting this campaign out for such a long time that I wonder how often they actually trick people with domains like ‘host.customersupportbill.tk’…
IP address        count  hostname

Feb5
  157.230.215.186   x1    srv0.us103.ga
  159.89.115.247    x3    softavv.ml
  161.35.4.231      x20   box.bedswert.xyz
  192.241.131.54    x2    box.baersdath.xyz
  206.189.47.130    x6    diy0.girixi.gq
  64.227.119.169    x5    diy0.trtox.ga
  64.227.26.26      x1    box.mandesty.xyz
  67.207.89.121     x21   smtp1.offerte-ita.xyz
  68.183.192.76     x1    softavv.ga
  68.183.235.72     x7    ziambra.tk

Feb6
  104.248.61.185    x1    srv0.usa114.cf
  157.245.93.42     x1    srv0.us83.ga
  161.35.1.19       x1    srv0.us100.gq
  167.172.132.156   x2    srv0.us83.cf
  64.227.13.18      x1    srv0.usa114.ml
  67.205.129.233    x1    box.csanitizer.tk
  67.207.89.121     x16   smtp1.offerte-ita.xyz
  68.183.102.77     x1    srv0.us83.gq
  68.183.62.57      x3    host.customersupportbill.tk

Feb7
  104.248.61.185    x1    srv0.usa114.cf
  142.93.12.138     x1    srv0.usa114.gq
  161.35.50.61      x2    srv0.us83.ml
  67.207.89.121     x5    smtp1.offerte-ita.xyz
  68.183.128.71     x3    srv0.us83.tk

Feb8
  128.199.142.118   x2    server.postal.ga
  128.199.162.151   x2    server.mailxl.cf
  128.199.200.200   x1    server.handler.cf
  128.199.219.202   x2    server.nomorereply.cf
  138.197.194.125   x7    box.aresdehs.xyz
  138.197.216.69    x3    box.serfades.xyz
  139.59.255.36     x1    server.mai1.ml
  157.230.212.4     x1    server.hand1er.cf
  157.230.222.89    x2    mail.enomail.xyz
  161.35.190.86     x1    box.srkhamza.tk
  167.172.251.46    x1    box.servicessrk.ga
  68.183.192.76     x1    softavv.ga

Feb9
  128.199.219.202   x1    server.nomorereply.cf
  134.209.72.39     x9    box.dsaesrd.xyz
  138.197.216.69    x1    box.serfades.xyz
  157.230.233.89    x1    box.papersubmission.ml
  159.65.117.219    x17   dke0.207.zvxwi.ml
  165.227.143.33    x1    dke0.orxo.ga
  167.99.44.15      x3    dke0.224.zvxwi.ml
  167.99.8.129      x5    mail.sakhemailmarkerting.xyz
  188.166.236.103   x3    dke0.209.zvxwi.ml
  206.189.124.171   x22   dke0.218.zvxwi.ml
  64.225.63.66      x1    reapfirst.xyz
  67.207.89.121     x2    smtp1.offerte-ita.xyz
  68.183.31.107     x16   dke0.214.zvxwi.ml
  68.183.31.194     x12   dke0.220.zvxwi.ml

Feb10
  128.199.8.161     x1    box.kerdasts.xyz
  138.197.216.69    x14   box.serfades.xyz
  157.230.80.125    x1    box.gersdatd.xyz
  159.65.97.208     x1    box.hasferst.xyz
  206.189.150.82    x1    server.mailxl.cf
  206.189.225.26    x1    tendr.xyz
  206.189.45.121    x1    server.handler.cf
  64.225.63.66      x1    reapfirst.xyz
  67.207.89.121     x17   smtp1.offerte-ita.xyz

Feb11
  134.122.45.34     x2    softyyh.cf
  134.122.45.86     x1    softyyh.gq
  138.197.216.69    x7    box.serfades.xyz
  161.35.106.108    x2    box.desdseh.xyz
  161.35.190.86     x1    box.srkhamza.tk
  167.99.181.196    x1    box.mtsupport.xyz
  206.189.83.197    x1    server.postal.ga
Interesting that the bulk of the marketing campaign is gone, but some of it still exists. These guys are actually a lot more diligent about getting themselves removed from RBLs than the Freenom spammers…
IP address        count  hostname
  142.93.114.247    x1    mail.reachings.net
  157.230.169.184   x1    mail.reachings.org
  157.230.224.76    x1    or1.auditings.org
  157.245.192.242   x1    mail.observings.net
  162.243.174.130   x1    s35dv56sd1v.com
  164.90.181.145    x2    host.prospected.net
  165.22.229.252    x8    mail.countings.net
  165.22.237.158    x1    mail.lessened.net
  165.227.66.7      x1    smtp.confirmings.net
  167.71.159.33     x1    mail.empowerings.org
  167.71.44.181     x1    server.productdeliverhelp.com
  46.101.98.134     x4    host.investings.org
  64.227.99.28      x9    dfxbv4s85v4fds.com
  68.183.154.94     x1    smtp.nominals.net
  68.183.195.194    x1    mail.respondings.net
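The listings above are the raw "date, IP, xN, hostname" stream the report is built from, and the interesting questions (which IPs keep showing up day after day, how much volume sits on Freenom TLDs versus .xyz versus paid TLDs) are easier to answer from parsed records than by eye. The following is an added example, not code from the original report: a parser for both listing formats plus the summaries just mentioned. It assumes the xN field is a plain count, labels a listing that carries no date token (the marketing list) as "undated", and hard-codes the Freenom TLD set; the two embedded samples are excerpts copied from the listings on this page.

```python
"""Added example (not part of the original report): parse the flattened
'Feb5 IP xN hostname IP xN hostname ...' listings into records and summarise
them. Assumptions: 'xN' is a plain count; a listing with no date token is
labelled 'undated'; the two samples are excerpts copied from this page."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Freenom's free ccTLDs, which the report contrasts with .xyz and paid TLDs.
FREENOM_TLDS = {"tk", "ml", "ga", "cf", "gq"}

DATE_RE = re.compile(r"^[A-Z][a-z]{2}\d{1,2}$")    # e.g. Feb5, Feb11
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
COUNT_RE = re.compile(r"^x(\d+)$")                  # e.g. x21

# Excerpt of the Freenom/.xyz listing (copied from the page); layout is free-form.
FREENOM_XYZ_SAMPLE = """
Feb5
  157.230.215.186 x1  srv0.us103.ga
  159.89.115.247  x3  softavv.ml
  161.35.4.231    x20 box.bedswert.xyz
  67.207.89.121   x21 smtp1.offerte-ita.xyz
  68.183.235.72   x7  ziambra.tk
Feb6
  104.248.61.185  x1  srv0.usa114.cf
  67.207.89.121   x16 smtp1.offerte-ita.xyz
  68.183.62.57    x3  host.customersupportbill.tk
Feb7
  104.248.61.185  x1  srv0.usa114.cf
  67.207.89.121   x5  smtp1.offerte-ita.xyz
"""

# Excerpt of the marketing listing (copied from the page); it has no date tokens.
MARKETING_SAMPLE = """
142.93.114.247 x1 mail.reachings.net 157.230.169.184 x1 mail.reachings.org
165.22.229.252 x8 mail.countings.net 64.227.99.28 x9 dfxbv4s85v4fds.com
"""


@dataclass(frozen=True)
class Record:
    day: str    # date token such as "Feb5", or "undated"
    ip: str
    count: int  # the N in "xN"
    host: str

    @property
    def tld(self) -> str:
        return self.host.rsplit(".", 1)[-1].lower()


def parse_listing(text: str) -> list[Record]:
    """Tokenise on whitespace: a date token starts a new day; everything else
    must arrive as (IP, xN, hostname) triples or the input is rejected."""
    tokens = text.split()
    records: list[Record] = []
    day, i = "undated", 0
    while i < len(tokens):
        if DATE_RE.match(tokens[i]):
            day, i = tokens[i], i + 1
            continue
        if i + 2 >= len(tokens):
            raise ValueError(f"truncated record: {tokens[i:]}")
        ip, cnt, host = tokens[i], tokens[i + 1], tokens[i + 2]
        m = COUNT_RE.match(cnt)
        if not IPV4_RE.match(ip) or m is None:
            raise ValueError(f"malformed record: {ip} {cnt} {host}")
        records.append(Record(day, ip, int(m.group(1)), host))
        i += 3
    return records


def count_per_day(records: list[Record]) -> dict[str, int]:
    totals: dict[str, int] = defaultdict(int)
    for r in records:
        totals[r.day] += r.count
    return dict(totals)


def tld_split(records: list[Record]) -> dict[str, int]:
    """Volume by the three TLD groups the report talks about."""
    split = {"freenom": 0, "xyz": 0, "other": 0}
    for r in records:
        key = "freenom" if r.tld in FREENOM_TLDS else "xyz" if r.tld == "xyz" else "other"
        split[key] += r.count
    return split


def persistent_ips(records: list[Record]) -> dict[str, list[str]]:
    """IPs seen on more than one day, days in order of first sighting: the
    hosts that were neither cleaned up nor delisted between reports."""
    days: dict[str, list[str]] = defaultdict(list)
    for r in records:
        if r.day not in days[r.ip]:
            days[r.ip].append(r.day)
    return {ip: d for ip, d in days.items() if len(d) > 1}


if __name__ == "__main__":
    for name, sample in (("freenom/xyz", FREENOM_XYZ_SAMPLE), ("marketing", MARKETING_SAMPLE)):
        recs = parse_listing(sample)
        print(name, count_per_day(recs), tld_split(recs), persistent_ips(recs))
```

Because the parser splits on whitespace, the original run-together line and the reformatted one-record-per-line layout produce the same records. On the excerpt, 67.207.89.121 (smtp1.offerte-ita.xyz) shows up on all three days, which is exactly the kind of host that has not been delisted; the marketing excerpt, by contrast, sits entirely on .net/.org/.com.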