INTERNET WEATHER REPORT 🌧☁️☀️

AS48090 (PPTECHNOLOGY LIMITED) has just been added to ASN watchlist. This autonomous system announces only two BGP prefixes:

45.148.10.0/24

195.178.110.0/24

Abuse reports sent to dmzhostabuse@gmail.com go unanswered.

Drop It Like It’s Hot.

Latest updates to the ASN watchlist posted here: https://internetweather.net/asn-watchlist/

INTERNET WEATHER REPORT 🌧☁️☀️

AS401172 (Inspici LLC) has just been added to ASN watchlist. This autonomous system announces only one BGP prefix: 45.84.89.0/24

Drop It Like It’s Hot.

Latest updates to the ASN watchlist posted here: https://internetweather.net/asn-watchlist/

INTERNET WEATHER REPORT 🌧☁️☀️

AS394711 (Limenet) has just been added to ASN watchlist. This autonomous system is nothing but phishing sites and DDoS malware hosting.

Lots of prefixes (netblocks) to drop: https://bgp.tools/as/394711#prefixes

Latest updates to the ASN watchlist posted here: https://internetweather.net/asn-watchlist/

INTERNET WEATHER REPORT 🌧☁️☀️

AS214961 (Stellar Group SAS) has just been added to ASN watchlist. And it’s an easy one to drop:

sudo iptables –append INPUT –src 178.215.236.0/24 –jump DROP

Latest updates to the ASN watchlist posted here: https://internetweather.net/asn-watchlist/

Don’t delay, drop all traffic from 194.180.49.0/24 today!

As previously mentioned, AS201814 is operated by very intelligent cybercriminals who know how to speak BGP. This means those packets are already hitting your firewall, or worse, getting through it.

Drop all traffic to/from AS47890 (UNMANAGED LTD) immediately!

Tons of fraudulently obtained netblocks (full list here) used exclusively for cybercriminal activities.

Don’t delay, drop today!

Taking a break from your usual ASN and netblock blocklist updates for a moment, here is a review of a interesting phishing email campaign facilitated by cybersecurity vendor Trend Micro and web services behemoth AWS. Upon contacting the AWS abuse team, they have denied all culpability in facilitating this attack, despite relaying the message to hundreds if not thousands of potential victims.

Here’s the full headers and body of the phishing email in question:

Received: by 2002:a59:ab06:0:b0:478:9d64:fab9 with SMTP id m6csp66065vqo;

        Tue, 11 Jun 2024 16:01:05 -0700 (PDT)

X-Forwarded-Encrypted: i=2; AJvYcCWDrAGGtC2m1onb7LFYCjv1BC9XJ+WlrxA2orXQHC8zjGWFBP75UZQtxZA/oJ8WMfFpMnrkLn1vJASrPaL9xi1bag==

X-Google-Smtp-Source: AGHT+IHQ3dEhDwhP6x1X9adkT7TkCdY1tLusMpXcKc8aCxMSPU5ckH1+6Cdne2rQPWgimdJUtl/P

X-Received: by 2002:a05:6102:58ca:b0:48c:4343:bdd1 with SMTP id ada2fe7eead31-48d91dd7fb8mr438978137.3.1718146865049;

        Tue, 11 Jun 2024 16:01:05 -0700 (PDT)

ARC-Seal: i=1; a=rsa-sha256; t=1718146865; cv=none;

        d=google.com; s=arc-20160816;

        b=e+9vHhHnmu2ID1hz6ITpRsTHCoJ9c+AfougdCYoLFnESlvl0hsfmWtthhyD6sKwUwp

         Pt6b0uOxMFNrGAn9CumizRXFIHF6KATD/P3Y5L37N7kMT0A6aDHbCgVeu1K+XHfve6xZ

         Z8kPaIUZyppyyGTSj4gzmaNaNTD2gHQF8Z0aVLg8fz/jCb2sxxDS/RHuQPrflyO7xM55

         hYumu0FpSUGr3unr2kqkMdaETtD+LSzNlVnKCWqarbfPo+Sqz0igncv397lvtETPsAke

         NfpDvKoAEkE/Kv1s7U9JozVHncDNuQOJ6hZc9EmYS4qa7iIHCW86vFanGRoLpxJdqpN+

         5ffw==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;

        h=to:message-id:content-transfer-encoding:mime-version:date:subject

         :from:reply-to;

        bh=9gfaAQNWzewfSWarEWPKe2oOmPeo0qhBp+Lp4QXtIYs=;

        fh=zEMK+f3w3jEJ+rVETDLljm1MjZ16EIk9osNt+OMcE4w=;

        b=GRTXm0xHsFMd6DmkImo463++WkMeQX9nbYh9vxVKv/zQ8doP57T4pFJHdZAYq9PYoB

         d0m74mTJds+rDmJficAWS0dapZlaqI+qIPWDevv52wmVDpo5w7IpuFj7qVSnYIcmf2P3

         t06I0zlh3aOit/IeMyTs+7M+ynrg2mxrV/iqY052FAMCneMK6Ex+U9LWQvSAoxP4df8w

         wXZoEiFfq8zLz6vLubeSkr9Ksd8y2wGkNQ1LLjtI72JF+CevSNND3UttsrqgrV0m6sao

         9OEMojj0uwoZ+FZAZl0y7iGaOgsfHsygizLHNLojtQ1cJCWw4EOGhXv/jjbmZ1OEUVmV

         WfmA==;

        dara=google.com

ARC-Authentication-Results: i=1; mx.google.com;

       spf=pass (google.com: domain of postmaster@repostorp01.tmes.trendmicro.com designates 18.208.22.164 as permitted sender) smtp.helo=repostorp01.tmes.trendmicro.com

Return-Path: <>

Received: from repostorp01.tmes.trendmicro.com (repostorp01.tmes.trendmicro.com. [18.208.22.164])

        by mx.google.com with ESMTPS id ada2fe7eead31-48c1a11cf00si3123299137.205.2024.06.11.16.00.59

        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);

        Tue, 11 Jun 2024 16:01:04 -0700 (PDT)

Received-SPF: pass (google.com: domain of postmaster@repostorp01.tmes.trendmicro.com designates 18.208.22.164 as permitted sender) client-ip=18.208.22.164;

Authentication-Results: mx.google.com;

       spf=pass (google.com: domain of postmaster@repostorp01.tmes.trendmicro.com designates 18.208.22.164 as permitted sender) smtp.helo=repostorp01.tmes.trendmicro.com

Received: from 187.73.238.226_.trendmicro.com (unknown [192.168.172.45])

by repostorp01.tmes.trendmicro.com (Postfix) with SMTP id 241C31000535C;

Tue, 11 Jun 2024 23:00:58 +0000 (UTC)

X-TM-MAIL-RECEIVED-TIME: 1718146838.436000

X-TM-MAIL-UUID: aefb7c85-f6e4-4352-9684-4cf18a77b496

Received: from mail.dmeletrico.com.br (unknown [187.73.238.226])

by repre01.tmes.trendmicro.com (Trend Micro Email Security) with ESMTPS id 6AB99100017D4;

Tue, 11 Jun 2024 23:00:38 +0000 (UTC)

Received: from User (200.243.120.130) by SRVEX01.DMELETRICO.COM.BR

 (172.16.1.204) with Microsoft SMTP Server id 14.1.438.0; Tue, 11 Jun 2024

 19:57:29 -0300

Reply-To: <edwincastro7891@gmail.com>

From: LEGACY

Subject: RE:DONATION

Date: Tue, 11 Jun 2024 15:57:29 -0700

MIME-Version: 1.0

Content-Type: text/html; charset=”Windows-1251″

Content-Transfer-Encoding: 7bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Message-ID: <b92775e3-c2e7-4d64-81d3-bc81935c3f29@SRVEX01.DMELETRICO.COM.BR>

To: Undisclosed recipients:;

X-Originating-IP: [200.243.120.130]

X-TM-AS-Product-Ver: SMEX-11.7.0.1055-9.100.1008-28448.000

X-TM-AS-Result: Yes-71.954900-5.000000-31

X-TM-AS-User-Approved-Sender: No

X-TM-AS-User-Blocked-Sender: No

X-TM-Deliver-Signature: 1BCA224F8385781ADA83DFF9AE32AA80

X-TM-Addin-Auth: tK4fOJQkEqeSww5PPJKPyDA0k85spN7uzJacjE9oIfE5zzCWz3xQdsSP6bf

nCQG6uasYN7JVEVGAYVr8M/4fVHtCcASWLcsBOyp5Or2POhfdMKeISfXqLV4dq5llvaXRp9XejH

mvypD04xWhjOeX6fP3q7px4yGcEX6J/0+/2HH+QOek6mJPIBABgQt3XxhMva90I8ve/ifWLNxrT

MZ60PpcYrDexOAUgF5/A8HOa8huD2tjNTLIsMT+jog/0LemL/u5eNoVS69SqIdM392Chg==.Mfe

zytm9VCSt01leBHjZg5AwtNeQSREmAoS2GW9cdv9QVDURR6xcqpOdvHH290LV2bqtiB4kKHrBqt

ooU0UPi08pwjbGLCJkWQhtsC6hPAY2+fzmYtV55whYoSqueI1l5gWO8q3bMFOaB5HjzQnHDnFeS

xQ1d0x3Sc/jbEY2oNJfldP7vmP86ZPnDTgYvqAXnE7FG5m3UtbCXjKamzaEUNLBWJr+ufV+bTO/

FUZg/+rqM021vFLnOl7MfwCZ0e0mg3SQEPtkzQbvevtmgSiBTl97pP1ze2ZS4JGpEmQckXOePxU

C7G/5D0svT3GxDBEkN0u8gAHdW8wt++Ta7jg9gA==

X-TM-Addin-ProductCode: EMS

<HTML><HEAD><TITLE></TITLE>

</HEAD>

<BODY bgcolor=#FFFFFF leftmargin=5 topmargin=5 rightmargin=5 bottommargin=5>

<FONT size=2 color=#000000 face=”Arial”>

<DIV>

I have made a donation in your name.Note, this is the second time I am contacting you. Contact me on my private email on:&nbsp; edwincastro7891@gmail.com</DIV>

</FONT>

</BODY></HTML>

You know the drill by now. Drop it like it’s hot!

Drop traffic from all prefixes (netblocks) listed here:
https://bgp.tools/as/201814#prefixes

ASN Watchlist

(it’s really a drop list)

You know the drill by now. Drop it like it’s hot!

Prefix | Description
31.43.191.0/24 | FOP Dmytro Nedilskyi
92.63.197.0/24 | TOV E-RISHENNYA
185.156.73.0/24 | TOV E-RISHENNYA
185.156.74.0/24 | TOV VAIZ PARTNER
185.193.88.0/24 | TOV E-RISHENNYA

ASN Watchlist

(it’s really a drop list)

You know the drill by now. Drop it like it’s hot!

ASN Watchlist

(it’s really a drop list)