Update: I've moved the IP list elsewhere to keep this post clean. If you're curious about how many there were, when the attempts were made and where they claim to be coming from, see the list here.
Here's a brief explanation of why I wrote this and what I'm doing about it (in short: I saw it, I find it obnoxious, and I want others to recognise the problem so they don't become part of it too).
So, this may well be an already-known botnet. I don't know, and frankly I don't much care whether it is. It would be better if it isn't, but I hadn't seen this before, so I'm writing it up as an alert in case it is new. Besides, phishing is a low act, and nobody deserves to be a victim of it, however far-fetched the lure may seem. Simply being gullible does not mean you deserve to have your identity stolen, for example.
So, anyway, this morning when I looked at my logwatch email, I saw the following (among other things, of course):
3 Reject HELO/EHLO
31 Reject unknown client host

I then looked further at the hosts those clients claimed to be. (In Postfix terms, "Reject unknown client host" counts connections whose client IP had no valid reverse DNS name, and "Reject HELO/EHLO" counts connections rejected because of the hostname the client gave in its HELO/EHLO greeting.) Most of the claimed names were fake domains, which is not too surprising. What makes me think it is a botnet? The domains don't exist, they look random, the connection attempts were all made around the same time (within a day of each other), and they come from different countries. They also all use the same envelope sender address, and given that address's domain, irs.gov, they are obviously trying to phish or cause serious trouble.
For non-US readers: the IRS is the US federal tax agency.
Note that I did not check every domain, but of the ones I checked, none exist (not surprising given the names). hall.com does exist (I just checked), but I suspect it was picked at random, and it most certainly does not resolve to the connecting IP: that IP is in India, while hall.com's owner is in the Netherlands.
So, in any case, be on the lookout, whether you're an admin, an ISP or an end user. And remember, security is never fully achieved; you have to remain as vigilant as possible and never assume things are as they appear, especially when your instincts tell you something isn't right.
Do note that the domains listed do NOT belong to those IPs. The IP is the SOURCE of the connection, and it is the IP that is FRAUDULENTLY CLAIMING to be one of those domains in its HELO/EHLO greeting and envelope sender. Most of the domains don't exist, and the ones that do are innocent; they were merely spoofed. The IPs are the only real problem, and they are most likely compromised machines whose owners don't even realise it (if this is a botnet, that is almost certainly the case). So don't blocklist the domains or complain to their owners; the listed IP addresses are what to watch for.
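To make the correlation above concrete (the "unknown client host" and HELO rejects, the claimed names that don't resolve, a real domain like hall.com that resolves somewhere other than the connecting IP, and many sources within a day all using the same sender address), here is an added example script. It is not the author's tooling and not part of the original post. It parses Postfix smtpd reject lines in the format Postfix logs them, checks each claimed HELO name against a forward DNS lookup, and groups rejects by envelope sender domain. The log lines, the IP addresses and the DNS answers are all constructed so that it runs offline; a `live_resolve` function using `socket.getaddrinfo` is included for real use.

```python
"""Correlate Postfix reject lines to spot a spoofed-sender campaign.

Added example for this post, not the author's tooling. The log lines are
constructed in Postfix's smtpd reject format; the DNS answers are a
hand-written table so the script runs offline (swap in live_resolve to
query real DNS).
"""
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample log: three clients claim to send as irs.gov. Two of
# them give HELO names that do not exist; one borrows a real domain
# (hall.com) that resolves somewhere else. The fourth line is an
# unrelated reject, included as a control.
SAMPLE_LOG = """\
Mar 10 04:02:11 mx postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.45]; from=<refund@irs.gov> to=<me@example.org> proto=ESMTP helo=<mail.qzxvpl.com>
Mar 10 05:17:40 mx postfix/smtpd[2402]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<refund@irs.gov> to=<me@example.org> proto=ESMTP helo=<hall.com>
Mar 10 11:48:03 mx postfix/smtpd[2777]: NOQUEUE: reject: RCPT from unknown[192.0.2.201]: 450 4.7.1 <smtp.rkwoe.net>: Helo command rejected: Host not found; from=<refund@irs.gov> to=<me@example.org> proto=ESMTP helo=<smtp.rkwoe.net>
Mar 10 11:49:55 mx postfix/smtpd[2780]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.80]: 450 4.7.1 <pbnc.org>: Helo command rejected: Host not found; from=<newsletter@example.net> to=<me@example.org> proto=ESMTP helo=<pbnc.org>
"""

# Constructed A-record answers for the offline run (hypothetical addresses).
FAKE_DNS = {
    "hall.com": ["192.0.2.10"],            # exists, but hosted elsewhere
    "mail.example.net": ["198.51.100.80"],  # matches its connecting IP
}

# Postfix smtpd "NOQUEUE: reject:" line layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<[^>]*> proto=\S+ helo=<(?P<helo>[^>]*)>$"
)


def fake_resolve(name):
    """Offline stand-in for DNS: returns the constructed A records."""
    return FAKE_DNS.get(name.lower(), [])


def live_resolve(name):
    """Real forward lookup for production use (not called by the demo)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def classify_helo(helo, client_ip, resolve):
    """Does the claimed HELO name point back at the client that used it?"""
    addrs = resolve(helo)
    if not addrs:
        return "nxdomain"          # made-up name, nothing to blame
    if client_ip in addrs:
        return "forward-confirmed"  # name genuinely belongs to this client
    return "spoofed"               # real domain borrowed by someone else


def parse_rejects(text):
    """Return one dict per reject line; lines that don't match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            # syslog timestamps carry no year; only the relative spread matters
            rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            out.append(rec)
    return out


def campaigns(text, resolve=fake_resolve, min_sources=2, window_hours=24):
    """Group rejects by claimed sender domain and flag groups that look like
    one campaign: several distinct client IPs, all inside the time window,
    none of which can back up the HELO name they gave."""
    by_domain = defaultdict(list)
    for rec in parse_rejects(text):
        rec["helo_status"] = classify_helo(rec["helo"], rec["ip"], resolve)
        by_domain[rec["sender"].rpartition("@")[2].lower()].append(rec)
    report = {}
    for domain, recs in by_domain.items():
        ips = {r["ip"] for r in recs}
        times = [r["when"] for r in recs]
        span_h = (max(times) - min(times)).total_seconds() / 3600
        statuses = {r["helo_status"] for r in recs}
        report[domain] = {
            "sources": sorted(ips),
            "helo_status": {r["helo"]: r["helo_status"] for r in recs},
            "span_hours": round(span_h, 2),
            "suspicious": (len(ips) >= min_sources
                           and span_h <= window_hours
                           and "forward-confirmed" not in statuses),
        }
    return report


if __name__ == "__main__":
    for domain, info in campaigns(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{domain}: {flag} sources={len(info['sources'])} "
              f"span={info['span_hours']}h helo={info['helo_status']}")
```

On the sample, irs.gov is flagged: three source IPs within eight hours, two HELO names that don't exist and one (hall.com) that exists but resolves elsewhere. The control sender example.net is not flagged because it comes from a single IP. The report lists the source IPs, which is what you would blocklist or report; the HELO names are only evidence, and a "spoofed" verdict is exactly the reason not to act against the domain's owner.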