Re: Phishing-Spam / Malware from "Interactive Brokers"?
First, I was a little sloppy in my wording of my original message. My real question was more how widespread this phishing/malware campaign is, and how many folks on the Outages mailing list have been victims. CloudFlare was a side-issue and I was mostly just bitching. Sorry for my slop!

I'm not running my own MTA, so my doing any blocking isn't that simple (and, I'm trying to convince my email service to do more!). But, even if I were running my own MTA, it'd be a real fight to suppress this crap.

What I am seeing is this:

1) Phisher registers 2 domains. One runs an MTA, one is a phishing web server.

2) Within 18 hrs of registering the domains, phisher sends their spam. Within 36 to 48 hrs of the phishing attack, the website is dead, and DNS stops resolving shortly thereafter. All emails sent to the MTA bounce, even an autoreply.

3) Websites are usually hosted on registrar-provided webservers.

4) Websites are usually CloudFlare protected. I've complained about their protecting "just registered" domains, but to no avail.

5) MTAs are not protected by CloudFlare (at least not that I can tell). MTAs appear to be hosted by random providers, and quite likely could be PaaS MTAs with which I am not familiar.

6) DNS for the website is almost always CloudFlare DNS, and some known crimeware DNS the rest of the time.

7) DNS for the MTA is usually (but not always) the registrar's DNS, and the registrars they have been using have had their DNS CloudFlare protected (and are usually known "crimeware" registrars).

Uh, I think that covers it. (What did I miss?)

What I have been complaining to CloudFlare about is protecting domains which are newly registered. That is a well-known crimeware tactic: register a domain (usually using stolen credit cards), use it for an attack, then toss it. If CloudFlare would simply block the websites of recently registered domains, that would go a LONG way to cutting down on successful phishing (and ransomware) attacks, IMPO.

I hope this is a little clearer than my initial post.

Jon Kibler

On 7/15/2025 at 3:43 AM, "Jeremy Chadwick via Outages-discussion" <outages-discussion@outages.org> wrote:

What stops you from blocking the connecting SMTP server IP address or CIDRs?

I can't tell if what you're describing indicates the mails are coming from CloudFlare outbound SMTP servers or not.

If the SMTP connections **are** coming from CloudFlare CIDRs (for example, say, some customer of theirs abusing Email Workers and thus the outbound spam/phishing mails come from CloudFlare IPs), then reporting it to CF is the right thing. PeeringDB has some additional PoCs for abuse reporting: https://www.peeringdb.com/net/4224

If the SMTP connections **aren't** coming from CloudFlare CIDRs, then worrying about DNS records of whatever domains they're MAIL FROM'ing or From:'ing is (mostly) irrelevant, especially if they're domains the spammers control (i.e. they aren't spoofing, so SPF won't help, and they can control their own DKIM records). What you really want to be doing is reporting the abuse to whoever is hosting the network the SMTP servers reside on. If it's a hosting provider, look them up in ARIN whois, read the providers' ToS, and report them to the provider.

-- 
| Jeremy Chadwick jdc@koitsu.org |
| UNIX Systems Administrator PGP 0x2A389531 |
| Making life hard for others since 1977. |

On Mon, Jul 14, 2025 at 02:18:32PM -0400, Jon R Kibler via Outages-discussion wrote:

All, Is anyone else getting slammed with a flood of phishing-spam / malware from "Interactive Brokers" which is addressed to their outages email address? Or, am I the unlucky one? I've tried nearly everything I can think of to block them, but it seems they have an infinite number of MTAs from which they can originate their attacks. Worse, all of the domains which I have seen from which they appear to be sending have DNS hosted by CloudFlare, yet CloudFlare has been unresponsive to the abuse complaints I have filed. Anyone else tried complaining? TIA for your thoughts and feedback.

JRK

______________________________________________
Outages-discussion mailing list
outages-discussion@outages.org
Sign up for an account https://lists.outages.org/accounts/signup/
To subscribe send an email to outages-discussion-join@outages.org
To unsubscribe send an email to outages-discussion-leave@outages.org
To contact the list owners outages-owner@outages.org
Archives https://lists.outages.org/archives/list/outages-discussion@outages.org/
Thank you for using outages-discussion Lists!
Jon,

On Jul 15, 2025, at 10:09 AM, Jon R Kibler via Outages-discussion <outages-discussion@outages.org> wrote:
If CloudFlare would simply block the websites of recently registered domains, that would go a LONG way to cutting down on successful phishing (and ransomware) attacks, IMPO.
Won’t the scumbags simply wait until the hypothetical Cloudflare block is removed, regardless of how long that takes, before sending the phish?

Regards,
-drc
Not likely.

Most of these domains are created using stolen credit cards. As soon as the credit card owner or credit card company detects the fraud (usually, about a week??), the domain registration gets cancelled.

That's why the phishers quickly push out their attacks after domains are registered. They give enough time for DNS to propagate the registration and its zone, then launch the attack. Typically, they have a very short timeframe in which to pull off an anonymous attack.

Yes, there are cases where this doesn't apply, but it would require a change to most phishing/malware attack models.

IHTH. JRK

On 7/15/2025 at 5:53 PM, "David Conrad" <drc@virtualized.org> wrote:
Jon,
On Jul 15, 2025, at 10:09 AM, Jon R Kibler via Outages-discussion <outages-discussion@outages.org> wrote:
If CloudFlare would simply block the websites of recently registered domains, that would go a LONG way to cutting down on successful phishing (and ransomware) attacks, IMPO.
Won’t the scumbags simply wait until the hypothetical Cloudflare block is removed, regardless of how long that takes, before sending the phish?
Regards, -drc
Searching my spam I see 7 messages, starting June 16

On Tue, Jul 15, 2025 at 6:06 PM Jon R Kibler via Outages-discussion <outages-discussion@outages.org> wrote:
Not likely.
Most of these domains are created using stolen credit cards. As soon as the credit card owner or credit card company detects the fraud (usually, about a week??), the domain registration gets cancelled.
That's why the phishers quickly push out their attacks after domains are registered. They give enough time for DNS to propagate the registration and its zone, then launch the attack. Typically, they have a very short timeframe in which to pull off an anonymous attack.
Yes, there are cases where this doesn't apply, but it would require a change to most phishing/malware attack models.
IHTH. JRK
Jon,

I'm sorry to say that the approach you're taking to solving the spams you're experiencing really isn't going to relieve you of the problem. You're fixated on DNS, which is really not what you should be focused on. It's irrelevant, and your own messages/story that I'm replying to is confirmation of that. It doesn't matter if they're using CF or not. CF is not the problem, so I'm not surprised they don't respond.

You need to be looking at Received: headers and working out where the spam actually originated from, i.e. the sender IP, and then contacting that provider (use ARIN etc. to look up the CIDR / who owns the IP). If you need tools to help decode/organise Received headers (date/order matters!), use MXToolbox's https://mxtoolbox.com/EmailHeaders.aspx tool. Report the abuse/spam to the originating network from which it came.

Your Email provider should be able to do all of this for you, including blocking offending inbound IP addresses at the SMTP connection level. Tell your Email provider to use DNSBLs, or if they don't want to block them at that level, use DNSBLs to score mail from offending networks and then through whatever filtering rules they offer, mark as spam (or send to trash) based on score or ranking.

Or just run your own MDA (not MTA, MDA). It isn't hard. Yes, really. Use postfix and call it a day.

Footnote: none of this is outage-related. I'm glad you sent to -discussion (big kudos!), but it's off-topic even for here.

-- 
| Jeremy Chadwick jdc@koitsu.org |
| UNIX Systems Administrator PGP 0x2A389531 |
| Making life hard for others since 1977. |

On Tue, Jul 15, 2025 at 01:09:46PM -0400, jrk1231-outml@nym.hush.com wrote:
First, I was a little sloppy in my wording of my original message. My real question was more how widespread this phishing/malware campaign is, and how many folks on the Outages mailing list have been victims. CloudFlare was a side-issue and I was mostly just bitching. Sorry for my slop!
I'm not running my own MTA, so my doing any blocking isn't that simple (and, I'm trying to convince my email service to do more!). But, even if I were running my own MTA, it'd be a real fight to suppress this crap.
What I am seeing is this:
1) Phisher registers 2 domains. One runs an MTA, one is a phishing web server.
2) Within 18 hrs of registering the domains, phisher sends their spam. Within 36 to 48 hrs of the phishing attack, the website is dead, and DNS stops resolving shortly thereafter. All emails sent to the MTA bounce, even an autoreply.
3) Websites are usually hosted on registrar-provided webservers.
4) Websites are usually CloudFlare protected. I've complained about their protecting "just registered" domains, but to no avail.
5) MTAs are not protected by CloudFlare (at least not that I can tell). MTAs appear to be hosted by random providers, and quite likely could be PaaS MTAs with which I am not familiar.
6) DNS for the website is almost always CloudFlare DNS, and some known crimeware DNS the rest of the time.
7) DNS for the MTA is usually (but not always) the registrar's DNS, and the registrars they have been using have had their DNS CloudFlare protected (and are usually known "crimeware" registrars).
Uh, I think that covers it. (What did I miss?)
What I have been complaining to CloudFlare about is protecting domains which are newly registered. That is a well-known crimeware tactic: register a domain (usually using stolen credit cards), use it for an attack, then toss it. If CloudFlare would simply block the websites of recently registered domains, that would go a LONG way to cutting down on successful phishing (and ransomware) attacks, IMPO.
I hope this is a little clearer than my initial post.
Jon Kibler
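The Received: walk Jeremy describes above, as an added example that is not code from the thread or from any list participant. It parses a constructed message with Python's standard library, walks the Received: headers from the top (the hop our own MX recorded) downward, and stops at the first client IP outside our own networks; that IP is the SMTP client to look up in whois and report. The message, the host names, TRUSTED_NETS and PROVIDER_NETS are placeholders in the RFC 5737 documentation ranges, and the regexes assume the common "from host (name [ip]) by host ...; date" layout.

```python
"""Find the IP that actually handed a message to our MX, from Received: headers.

Added example, not code from the thread. The message below is constructed,
TRUSTED_NETS / PROVIDER_NETS are placeholder ranges from RFC 5737, and the
regexes assume the common 'from host (name [ip]) by host ...; date' layout.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Networks whose Received: lines we trust: our own MXes and internal relays.
# Placeholder documentation range, not a real deployment.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Optional attribution table, e.g. a provider's published egress ranges, so a
# report can go to the right abuse desk. Placeholder name and range.
PROVIDER_NETS = {"exampleCDN": [ipaddress.ip_network("203.0.113.0/26")]}

_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")  # first bracketed literal
_BY_RE = re.compile(r"\bby\s+(\S+)")

def parse_received(hdr):
    """Return (client_ip, by_host, timestamp) for one Received: header, or None."""
    text = " ".join(hdr.split())  # unfold continuation lines
    m = _IP_RE.search(text)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    by = _BY_RE.search(text)
    when = None
    if ";" in text:  # the timestamp follows the last semicolon
        try:
            when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return ip, (by.group(1) if by else None), when

def in_nets(ip, nets):
    return any(ip in net for net in nets)

def attribute(ip):
    """Name the provider whose range contains ip, or None."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    for name, nets in PROVIDER_NETS.items():
        if in_nets(ip, nets):
            return name
    return None

def originating_hop(raw_message, trusted=TRUSTED_NETS):
    """Walk Received: headers top-down (newest hop first) and return the first
    hop whose client IP lies outside our trusted networks: that is the SMTP
    client that connected to our MX. Every Received: line below it was written
    by the sender's own systems and can say anything it likes."""
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        parsed = parse_received(hdr)
        if parsed is None:
            continue
        ip, by, when = parsed
        if in_nets(ip, trusted):
            continue  # internal relay hop, keep walking
        return {"ip": str(ip), "by": by, "when": when, "provider": attribute(ip)}
    return None

# Constructed sample: one internal hop, the real external delivery, and a
# forged hop underneath claiming the mail came from somewhere respectable.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.5])
\tby mailstore.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <outages@example.org>; Tue, 15 Jul 2025 09:12:03 -0400
Received: from bulk77.hosting.example (unknown [203.0.113.77])
\tby mx.example.org (Postfix) with ESMTPS id 4D5E6F
\tfor <outages@example.org>; Tue, 15 Jul 2025 09:12:02 -0400
Received: from secure-alerts.example ([198.51.100.9])
\tby bulk77.hosting.example with ESMTP; Tue, 15 Jul 2025 09:11:50 -0400
From: "Interactive Brokers" <alerts@secure-alerts.example>
To: outages@example.org
Subject: Action required on your account

(body omitted)
"""

if __name__ == "__main__":
    hop = originating_hop(SAMPLE)
    print(f"connecting client {hop['ip']} -> {hop['by']} at {hop['when']}"
          f" (provider: {hop['provider']})")
```

The forged bottom hop (198.51.100.9) is never reached, which is the point: only the line stamped by a machine you control is evidence, and the From: domain plays no part at all. The IP it returns is what goes into the whois lookup and the abuse report to the hosting network.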
This will only scratch the surface of this problem and approaches to it, because it'd be hundreds of lines long if I did more than that.

1. This problem is massive because of two contributing factors: (1) ~1000 junk gTLDs that nobody needed or wanted except registrars and abusers, (2) ubiquitous cloud hosting by providers who don't care about any abuse that's (a) outbound or (b) facilitated, only (c) inbound.

2. There's little-to-no point in complaining to registrars or clouds because they don't care, they don't want to care, nobody will make them care, and the most likely outcome is that they'll forward your complaint to the abusers.

3. If you run your own MTA, I highly recommend blocking all ~1000 junk gTLDs and punching specific holes in those blocks only for the domains that you want to receive email from. For small to medium sized operations, this works pretty well. (Do remember to exempt postmaster@, abuse@, etc.)

4. To supplement (3), configure your MTA to check the usual Spamhaus DNSBLs and RHSBLs. Doing (3) first will minimize the traffic to Spamhaus, which is good for you and for them.

5. If you're not running your own MTA, then get your provider to do (4) if possible. They probably won't do (3).

6. (5) leaves you with choices on the receiving side, and they're all onerous. But procmail (if available) is one way to tackle this. I use it locally as a backup to what's in the MTA. In particular, I have several hundred rules that attempt to grab obvious spam and are modestly successful at doing so. If you're interested, I'll be happy to share the ruleset with you off-list. You *could* supplement this list with rules for all of those ~1000 junk gTLDs but it would probably be easier to write the far smaller number of rules required to handle the non-junk gTLDs (and any ccTLDs of interest to you) -- and then to make exceptions if/when they become necessary.

---rsk
Rich wrote:
3. If you run your own MTA, I highly recommend blocking all ~1000 junk gTLDs and punching specific holes in those blocks only for the domains that you want to receive email from. For small to medium sized operations, this works pretty well. (Do remember to exempt postmaster@, abuse@, etc.)
Is there a good one-per-line list of those gTLDs? I'll have to figure out where to shoehorn that into Zimbra 8 (shut up), but it runs over Postfix, so...

Cheers,
-- jra

-- 
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
On Wednesday, July 16, 2025 1:01:09 PM CDT Jay R. Ashworth via Outages-discussion wrote:
Rich wrote:
3. If you run your own MTA, I highly recommend blocking all ~1000 junk gTLDs and punching specific holes in those blocks only for the domains that you want to receive email from. For small to medium sized operations, this works pretty well. (Do remember to exempt postmaster@, abuse@, etc.)
Is there a good one-per-line list of those gTLDs? I'll have to figure out where to shoehorn that into Zimbra 8 (shut up), but it runs over Postfix, so...
https://www.icann.org/en/contracted-parties/registry-operators/resources/lis...

-- 
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
On Jul 16, 2025, at 11:19 AM, Joey Kelly via Outages-discussion <outages-discussion@outages.org> wrote:
https://www.icann.org/en/contracted-parties/registry-operators/resources/lis...
That is a list of all top level domains. I suspect that’s not what Jay was looking for.

Something scraped out of https://newgtlds.icann.org/en/program-status/delegated-strings may be closer.

Regards,
-drc
On Wed, Jul 16, 2025 at 1:42 PM David Conrad via Outages-discussion <outages-discussion@outages.org> wrote:
That is a list of all top level domains. I suspect that’s not what Jay was looking for.
Something scraped out of https://newgtlds.icann.org/en/program-status/delegated-strings may be closer.
Regards, -drc
here ya go

https://dpaste.org/G57qd

(generated by me, vet accordingly)

-wes
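Rich's items (3) and (4) and the one-per-line gTLD list that Jay asked for and wes generated, worked through as one added example that is not code from the thread or from any list participant. It takes the IANA root TLD list (the constructed excerpt below uses real TLD strings but is a tiny fraction of the file at https://data.iana.org/TLD/tlds-alpha-by-domain.txt, which the script does not fetch), separates the new gTLDs from the legacy gTLDs and 2-letter ccTLDs, sets the xn-- labels aside for manual vetting because the root list alone cannot tell IDN ccTLDs from IDN gTLDs, and emits Postfix access tables plus a main.cf fragment that checks the TLD map before any Spamhaus lookup and keeps postmaster@ and abuse@ reachable. example.org and good-vendor.xyz are placeholders.

```python
"""Derive a 'junk gTLD' block list from the IANA root TLD list and turn it into
Postfix access maps with allowlist holes and postmaster@/abuse@ exemptions.

Added example, not code from the thread. IANA_EXCERPT is a constructed excerpt
of https://data.iana.org/TLD/tlds-alpha-by-domain.txt (not fetched here);
the domain names are placeholders.
"""

# gTLDs delegated before the 2012 new-gTLD round, plus the infrastructure TLD
# .arpa. Any 3+ letter TLD outside this set came from the new-gTLD programme;
# 2-letter TLDs are ccTLDs by definition.
LEGACY_GTLDS = {
    "com", "net", "org", "edu", "gov", "mil", "int", "arpa",
    "info", "biz", "name", "pro", "aero", "coop", "museum",
    "jobs", "mobi", "travel", "cat", "tel", "asia", "xxx", "post",
}

# Constructed excerpt in the IANA file's format (comment line, uppercase TLDs).
IANA_EXCERPT = """\
# Version 2025071500, Last Updated Tue Jul 15 07:07:01 2025 UTC
AAA
ABB
ABBOTT
ARPA
ASIA
BIZ
CLICK
COM
DE
EDU
GOV
INFO
INT
MIL
MOBI
NET
ORG
TOP
UK
US
XN--P1AI
XN--VERMGENSBERATUNG-PWB
XYZ
"""

def classify_tlds(iana_text):
    """Split an IANA-format TLD list into (new_gtlds, idn_tlds).

    xn-- labels are returned separately: that set mixes IDN ccTLDs (xn--p1ai
    is Russia's .рф) with IDN gTLDs, and the root list does not say which is
    which, so vet them against ICANN's delegated-strings page instead of
    blocking them wholesale."""
    new_gtlds, idn = [], []
    for line in iana_text.splitlines():
        tld = line.strip().lower()
        if not tld or tld.startswith("#"):
            continue
        if tld.startswith("xn--"):
            idn.append(tld)
        elif len(tld) > 2 and tld not in LEGACY_GTLDS:
            new_gtlds.append(tld)
    return sorted(new_gtlds), sorted(idn)

def sender_tld_map(block_tlds, allow_domains):
    """access(5) table for check_sender_access. Postfix looks up the full sender
    domain before its parent domains, so 'good-vendor.xyz OK' is found before
    'xyz REJECT'; and because parent_domain_matches_subdomains lists
    smtpd_access_maps by default, the bare entry 'xyz' also matches *.xyz."""
    lines = ["# allowlisted sender domains (matched before the parent TLD)"]
    lines += [f"{d.lower()} OK" for d in sorted(allow_domains)]
    lines.append("# blocked new gTLDs")
    lines += [f"{t} REJECT Mail from .{t} senders is not accepted here"
              for t in block_tlds]
    return "\n".join(lines) + "\n"

def recipient_exempt_map(local_domains):
    """Recipient access table checked before the sender map: RFC 5321
    postmaster@ and the abuse@ role address stay reachable from any TLD."""
    lines = [f"{role}@{d} OK" for d in sorted(local_domains)
             for role in ("postmaster", "abuse")]
    return "\n".join(lines) + "\n"

# main.cf fragment. reject_unauth_destination comes first so the recipient
# 'OK' cannot turn the box into a relay; the TLD map runs before the DNSBL
# lookups so mail rejected on TLD alone never generates a Spamhaus query.
MAIN_CF_FRAGMENT = """\
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/rcpt_exempt
    check_sender_access hash:/etc/postfix/sender_tld
    reject_rbl_client zen.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    permit
"""

if __name__ == "__main__":
    new, idn = classify_tlds(IANA_EXCERPT)
    print(sender_tld_map(new, ["good-vendor.xyz"]))
    print(recipient_exempt_map(["example.org"]))
    print("# vet by hand before blocking:", ", ".join(idn))
    print(MAIN_CF_FRAGMENT)
```

Write the two tables to /etc/postfix/sender_tld and /etc/postfix/rcpt_exempt, run postmap on each, add the fragment to main.cf and reload Postfix. The public Spamhaus mirrors do not answer queries that arrive through large shared public resolvers, so the DNSBL lines need a local resolver (or the Spamhaus Data Query Service) to do anything.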
Bye Bye Universal Acceptance <https://en.wikipedia.org/wiki/Universal_Acceptance>!

On Wed, Jul 16, 2025 at 7:33 PM wes via Outages-discussion <outages-discussion@outages.org> wrote:
here ya go
(generated by me, vet accordingly)
-wes
“Kip, a reverence for life does not require a man to respect Nature’s obvious mistakes.” “Sir?” “You need not serve Quiggle again. I don’t want his trade.” “Oh, I don’t mind. He’s harmless.” “I wonder how harmless such people are? To what extent civilization is retarded by the laughing jackasses, the empty-minded belittlers?”

[ Robert A Heinlein, from the first "chapter book" I ever read, at age 6 ]

Cheers,
- jra

----- Original Message -----
From: "Joly MacFie via Outages-discussion" <outages-discussion@outages.org>
To: "Post outages meta-discussion (troubleshooting, analysis, post-mortem, etc)" <outages-discussion@outages.org>
Cc: "wes" <outages@the-wes.com>, "Joly MacFie" <jolynyc@gmail.com>
Sent: Wednesday, July 16, 2025 9:56:52 PM
Subject: [Outages-discussion] Re: Phishing-Spam / Malware from "Interactive Brokers"?
Bye Bye Universal Acceptance <https://en.wikipedia.org/wiki/Universal_Acceptance> !
-- 
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
participants (8)
- David Conrad
- Jay R. Ashworth
- Jeremy Chadwick
- Joey Kelly
- Joly MacFie
- jrk1231-outml@nym.hush.com
- Rich Kulawiec
- wes