Jon, I'm sorry to say that the approach you're taking to solving the spams you're experiencing really isn't going to relieve you of the problem. You're fixated on DNS, which is really not what you should be focused on. It's irrelevant, and your own messages/story that I'm replying to is confirmation of that. It doesn't matter if they're using CF or not. CF is not the problem, so I'm not surprised they don't respond.

You need to be looking at Received: headers and working out where the spam actually originated from, i.e. the sender IP, and then contacting that provider (use ARIN etc. to look up the CIDR / who owns the IP). If you need tools to help decode/organise Received headers (date/order matters!), use MXToolbox's https://mxtoolbox.com/EmailHeaders.aspx tool. Report the abuse/spam to the originating network from which it came.

Your Email provider should be able to do all of this for you, including blocking offending inbound IP addresses at the SMTP connection level. Tell your Email provider to use DNSBLs, or if they don't want to block them at that level, use DNSBLs to score mail from offending networks and then, through whatever filtering rules they offer, mark as spam (or send to trash) based on score or ranking.

Or just run your own MDA (not MTA, MDA). It isn't hard. Yes, really. Use postfix and call it a day.

Footnote: none of this is outage-related. I'm glad you sent to -discussion (big kudos!), but it's off-topic even for here.

--
| Jeremy Chadwick                          jdc@koitsu.org |
| UNIX Systems Administrator               PGP 0x2A389531 |
| Making life hard for others since 1977.                 |

On Tue, Jul 15, 2025 at 01:09:46PM -0400, jrk1231-outml@nym.hush.com wrote:
First, I was a little sloppy in my wording of my original message. My real question was more how widespread this phishing/malware campaign is, and how many folks on the Outages mailing list have been victims. CloudFlare was a side-issue and I was mostly just bitching. Sorry for my slop!
I'm not running my own MTA, so my doing any blocking isn't that simple (and, I'm trying to convince my email service to do more!). But, even if I were running my own MTA, it'd be a real fight to suppress this crap.
What I am seeing is this:

1) Phisher registers 2 domains. One runs an MTA, one is a phishing web server.
2) Within 18 hrs of registering the domains, phisher sends their spam. Within 36 to 48 hrs of the phishing attack, the website is dead, and DNS stops resolving shortly thereafter. All emails sent to the MTA bounce, even an autoreply.
3) Websites are usually hosted on registrar-provided webservers.
4) Websites are usually CloudFlare protected. I've complained about their protecting "just registered" domains, but to no avail.
5) MTAs are not protected by CloudFlare (at least not that I can tell). MTAs appear to be hosted by random providers, and quite likely could be PAAS MTAs with which I am not familiar.
6) DNS for the website is almost always CloudFlare DNS, and some known crimeware DNS the rest of the time.
7) DNS for the MTA is usually (but not always) the registrar's DNS, and the registrars they have been using have had their DNS CloudFlare protected (and are usually known "crimeware" registrars).
Uh, I think that covers it. (What did I miss?)
What I have been complaining to CloudFlare about is protecting domains which are newly registered. That is a well-known crimeware tactic: register a domain (usually using stolen credit cards), use it for an attack, then toss it. If CloudFlare would simply block the websites of recently registered domains, that would go a LONG way to cutting down on successful phishing (and ransomware) attacks, IMPO.
I hope this is a little clearer than my initial post.
Jon Kibler
On 7/15/2025 at 3:43 AM, "Jeremy Chadwick via Outages-discussion" <outages-discussion@outages.org> wrote:

What stops you from blocking the connecting SMTP server IP address or CIDRs?
I can't tell if what you're describing indicates the mails are coming from CloudFlare outbound SMTP servers or not.
If the SMTP connections **are** coming from CloudFlare CIDRs (for example, say, some customer of theirs abusing Email Workers and thus the outbound spam/phishing mails come from CloudFlare IPs), then reporting it to CF is the right thing. PeeringDB has some additional PoCs for abuse reporting: https://www.peeringdb.com/net/4224
If the SMTP connections **aren't** coming from CloudFlare CIDRs, then worrying about DNS records of whatever domains they're MAIL FROM'ing or From:'ing is (mostly) irrelevant, especially if they're domains the spammers control (i.e. they aren't spoofing, so SPF won't help, and they can control their own DKIM records). What you really want to be doing is reporting the abuse to whoever is hosting the network the SMTP servers reside on. If it's a hosting provider, look them up in ARIN whois, read the providers' ToS, and report them to the provider.
--
| Jeremy Chadwick                          jdc@koitsu.org |
| UNIX Systems Administrator               PGP 0x2A389531 |
| Making life hard for others since 1977.                 |
On Mon, Jul 14, 2025 at 02:18:32PM -0400, Jon R Kibler via Outages-discussion wrote:
All,

Is anyone else getting slammed with a flood of phishing-spam / malware from "Interactive Brokers" which is addressed to their outages email address? Or, am I the unlucky one? I've tried nearly everything I can think of to block them, but it seems they have an infinite number of MTAs from which they can originate their attacks. Worse, all of the domains which I have seen from which they appear to be sending have DNS hosted by CloudFlare, yet CloudFlare has been unresponsive to the abuse complaints I have filed. Anyone else tried complaining?

TIA for your thoughts and feedback.

JRK

______________________________________________
Outages-discussion mailing list
outages-discussion@outages.org
Sign up for an account https://lists.outages.org/accounts/signup/
To subscribe send an email to outages-discussion-join@outages.org
To unsubscribe send an email to outages-discussion-leave@outages.org
To contact the list owners outages-owner@outages.org
Archives https://lists.outages.org/archives/list/outages-discussion@outages.org/
Thank you for using outages-discussion Lists!
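The Received:-header walk Jeremy recommends at the top of the thread (read the hops in order, trust only the line your own MX stamped, take its connecting IP, then score that IP against DNSBLs), as an added Python example that is not part of the thread or of any list member's code. The message, hostnames, IPs and DNSBL answers are constructed; the two zone names are real DNSBLs, but nothing is queried over the network.

```python
import email
import email.policy
import re

# Constructed sample message (not from the thread). Header order is newest hop
# first: our own MX (mx.example.net) wrote the top Received: line, so its
# "from [...]" address is the real connecting client. Lines below it were
# written by the sender's systems and may be forged.
RAW_MESSAGE = b"""\
Received: from mail.sender-example.test ([203.0.113.45])
\tby mx.example.net (Postfix) with ESMTPS id 4XYZ
\tfor <outages@example.net>; Tue, 15 Jul 2025 10:01:02 -0400
Received: from [10.0.0.5] (helo=laptop)
\tby mail.sender-example.test with esmtp; Tue, 15 Jul 2025 10:00:58 -0400
From: "Interactive Brokers" <alerts@sender-example.test>
To: outages@example.net
Subject: Account notice

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """All Received: lines, oldest hop first, whitespace-normalised."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]

def connecting_ip(raw, trusted_mx):
    """IP that connected to our MX: the 'from [...]' part of the Received: line
    our own MX wrote. Returns None if no hop was stamped by trusted_mx."""
    for hop in received_hops(raw):
        from_part, _, by_part = hop.partition(" by ")
        if by_part.startswith(trusted_mx):
            m = IP_RE.search(from_part)
            return m.group(1) if m else None
    return None

def dnsbl_queries(ip, zones):
    """Reversed-octet names a DNSBL expects, e.g. 45.113.0.203.zen.spamhaus.org."""
    rev = ".".join(reversed(ip.split(".")))
    return [f"{rev}.{zone}" for zone in zones]

def dnsbl_score(ip, zones, lookup):
    """Number of zones listing ip; lookup(name) returns A records, or [] / None."""
    return sum(1 for q in dnsbl_queries(ip, zones) if lookup(q))

# Constructed offline stand-in for DNS (a real lookup would resolve the name
# and treat NXDOMAIN as "not listed"). 127.0.0.2 is a typical "listed" answer.
FAKE_DNSBL = {"45.113.0.203.zen.spamhaus.org": ["127.0.0.2"]}
ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]
```

With a real resolver in place of `FAKE_DNSBL.get`, the score is what a provider's filtering rules would key on, and `connecting_ip` gives the address to look up in ARIN whois for the abuse report.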