First, I was a little sloppy in my wording of my original message. My real question was more how widespread this phishing/malware campaign is, and how many folks on the Outages mailing list have been victims. CloudFlare was a side-issue and I was mostly just bitching. Sorry for my slop!

I'm not running my own MTA, so my doing any blocking isn't that simple (and I'm trying to convince my email service to do more!). But, even if I were running my own MTA, it'd be a real fight to suppress this crap. What I am seeing is this:

1) Phisher registers 2 domains. One runs an MTA, one is a phishing web server.

2) Within 18 hrs of registering the domains, phisher sends their spam. Within 36 to 48 hrs of the phishing attack, the website is dead, and DNS stops resolving shortly thereafter. All emails sent to the MTA bounce, even an autoreply.

3) Websites are usually hosted on registrar-provided webservers.

4) Websites are usually CloudFlare protected. I've complained about their protecting "just registered" domains, but to no avail.

5) MTAs are not protected by CloudFlare (at least not that I can tell). MTAs appear to be hosted by random providers, and quite likely could be PaaS MTAs with which I am not familiar.

6) DNS for the website is almost always CloudFlare DNS, and some known crimeware DNS the rest of the time.

7) DNS for the MTA is usually (but not always) the registrar's DNS, and the registrars they have been using have had their DNS CloudFlare protected (and are usually known "crimeware" registrars).

Uh, I think that covers it. (What did I miss?)

What I have been complaining to CloudFlare about is protecting domains which are newly registered. That is a well-known crimeware tactic: register a domain (usually using stolen credit cards), use it for an attack, then toss it. If CloudFlare would simply block the websites of recently registered domains, that would go a LONG way to cutting down on successful phishing (and ransomware) attacks, IMPO.
I hope this is a little clearer than my initial post.

Jon Kibler

On 7/15/2025 at 3:43 AM, "Jeremy Chadwick via Outages-discussion" <outages-discussion@outages.org> wrote:

What stops you from blocking the connecting SMTP server IP address or CIDRs? I can't tell if what you're describing indicates the mails are coming from CloudFlare outbound SMTP servers or not.

If the SMTP connections **are** coming from CloudFlare CIDRs (for example, say, some customer of theirs abusing Email Workers and thus the outbound spam/phishing mails come from CloudFlare IPs), then reporting it to CF is the right thing. PeeringDB has some additional PoCs for abuse reporting: https://www.peeringdb.com/net/4224

If the SMTP connections **aren't** coming from CloudFlare CIDRs, then worrying about DNS records of whatever domains they're MAIL FROM'ing or From:'ing is (mostly) irrelevant, especially if they're domains the spammers control (i.e. they aren't spoofing, so SPF won't help, and they can control their own DKIM records). What you really want to be doing is reporting the abuse to whoever is hosting the network the SMTP servers reside on. If it's a hosting provider, look them up in ARIN whois, read the provider's ToS, and report them to the provider.

-- 
| Jeremy Chadwick                            jdc@koitsu.org |
| UNIX Systems Administrator                 PGP 0x2A389531 |
| Making life hard for others since 1977.                   |

On Mon, Jul 14, 2025 at 02:18:32PM -0400, Jon R Kibler via Outages-discussion wrote:
All,

Is anyone else getting slammed with a flood of phishing-spam / malware from "Interactive Brokers" which is addressed to their outages email address? Or am I the unlucky one? I've tried nearly everything I can think of to block them, but it seems they have an infinite number of MTAs from which they can originate their attacks. Worse, all of the domains which I have seen from which they appear to be sending have DNS hosted by CloudFlare, yet CloudFlare has been unresponsive to the abuse complaints I have filed. Anyone else tried complaining?

TIA for your thoughts and feedback.

JRK

______________________________________________
Outages-discussion mailing list
outages-discussion@outages.org
Sign up for an account https://lists.outages.org/accounts/signup/
To subscribe send an email to outages-discussion-join@outages.org
To unsubscribe send an email to outages-discussion-leave@outages.org
To contact the list owners outages-owner@outages.org
Archives https://lists.outages.org/archives/list/outages-discussion@outages.org/
Thank you for using outages-discussion Lists!
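Added example, not from any message in this thread: a small Python triage script that does the two checks the thread argues about. First, Jeremy's point: pull the SMTP peer address out of the Received header that your own MX wrote, and test it against a provider's CIDR list to decide whether the abuse report goes to that provider or to the network owner of the connecting IP. Second, Jon's point: flag a sending domain whose registration date is only days old (the register-use-toss pattern). Everything in it is constructed: the sample messages, the hostnames and IPs (RFC 5737 documentation ranges), the PROVIDER_CIDRS placeholder (you would load the provider's real published ranges), the receipt time NOW, and the registration timestamp, which in practice comes from an RDAP or whois lookup done out of band and is passed in here so the script runs offline.

```python
import email
import email.utils
import ipaddress
import re
from datetime import datetime, timezone
from email import policy

# Constructed sample (not a real message): a phishing mail as it sits in the
# mailbox after the receiving MX (mx.example.net, assumed) has added the
# topmost Received header. Hosts, IPs and domains are documentation values.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@broker-alerts.example>
Received: from mail.broker-alerts.example (mail.broker-alerts.example [203.0.113.77])
\tby mx.example.net (Postfix) with ESMTPS id 4AB12CD
\tfor <outages@example.net>; Tue, 15 Jul 2025 09:12:44 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby mail.broker-alerts.example with ESMTPA; Tue, 15 Jul 2025 09:12:40 +0000
From: "Interactive Brokers" <alerts@broker-alerts.example>
To: outages@example.net
Subject: Action required on your account
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Please review the attached statement.
"""

# Constructed edge case: the sender HELO'd as a bracketed address to confuse
# naive parsers; the real peer is still the one the MX wrote in parentheses.
FORGED_HELO_MESSAGE = b"""\
Received: from [192.0.2.9] (unknown [203.0.113.77])
\tby mx.example.net (Postfix) with ESMTP id 4AB12CE; Tue, 15 Jul 2025 09:13:00 +0000
From: <alerts@broker-alerts.example>
Subject: test

body
"""

# Placeholder for a CDN/DNS provider's published egress ranges (assumption:
# load the provider's real list in practice; this is a documentation prefix).
PROVIDER_CIDRS = ["198.51.100.0/24"]

# Constructed receipt time, matching the Received header in SAMPLE_MESSAGE.
NOW = datetime(2025, 7, 15, 9, 12, 44, tzinfo=timezone.utc)

_BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def connecting_ip(raw: bytes):
    """IP that actually connected to our MX.

    Only the topmost Received header is trustworthy (our MX wrote it); every
    header below it came from the sender and can be forged. Inside the
    'from ... by ...' clause the HELO name is also sender-controlled, so take
    the last bracketed address before 'by', which Postfix/Sendmail-style MTAs
    fill in from the TCP peer rather than from anything the client said.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    from_clause = re.split(r"\sby\s", str(received[0]), maxsplit=1)[0]
    for cand in reversed(_BRACKETED_IP.findall(from_clause)):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            continue
    return None


def in_cidrs(ip, cidrs) -> bool:
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def sender_domains(raw: bytes) -> dict:
    """Domains of the envelope sender (Return-Path) and the From: header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {}
    for hdr in ("Return-Path", "From"):
        addr = email.utils.parseaddr(str(msg.get(hdr, "")))[1]
        if "@" in addr:
            out[hdr] = addr.rsplit("@", 1)[1].lower()
    return out


def domain_age_days(registration_iso: str, now: datetime) -> int:
    """Days since the domain's RDAP 'registration' event (ISO 8601 string,
    obtained out of band; passed in so this runs offline)."""
    reg = datetime.fromisoformat(registration_iso.replace("Z", "+00:00"))
    return (now - reg).days


def triage(raw: bytes, provider_cidrs, registration_iso: str, now: datetime,
           max_age_days: int = 7) -> dict:
    """Where the abuse report should go, and whether the sending domain
    matches the register-use-toss pattern."""
    ip = connecting_ip(raw)
    from_provider = bool(ip is not None and in_cidrs(ip, provider_cidrs))
    age = domain_age_days(registration_iso, now)
    return {
        "connecting_ip": str(ip) if ip else None,
        "from_provider_cidrs": from_provider,
        "sender_domains": sender_domains(raw),
        "domain_age_days": age,
        "newly_registered": age < max_age_days,
        # Report to the CDN only if the SMTP peer is in its ranges; otherwise
        # to whoever owns the connecting IP's network (ARIN/RDAP whois).
        "report_to": "provider abuse desk" if from_provider
                     else "network owner of connecting IP (ARIN/RDAP whois)",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE, PROVIDER_CIDRS, "2025-07-14T12:00:00Z", NOW))
```

For the constructed sample the peer is 203.0.113.77, outside the placeholder provider ranges, so the report goes to the IP's network owner even though the domain's DNS is at a CDN; the domain is under a day old, so it also trips the newly-registered flag. Note that the MAIL FROM / From: domains are reported for context only: as Jeremy says, when the spammer owns the domain, SPF and DKIM will pass, so the connecting IP and the registration age are the usable signals.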