First: I see these leaking into outages@ as well. Second: Anyone else sad you were not spoofed? What? Am I not good enough to spoof? <pout> -- TTFN, patrick
On Oct 26, 2015, at 10:27 AM, John Sage via Outages <outages@outages.org> wrote:
On 10/26/2015 07:13 AM, Rich Kulawiec via Outages wrote:
On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
After the appropriate wgets and less'es those all seemed to point back to
avazunic [dot] com
which is registered in -- wait for it -- CN...
I have noted 374 different domains (so far) in this attack and have analyzed them at a cursory level. Thus far, I see no pattern of registration, DNS, geography, hosting, etc. I strongly suspect that many of these, perhaps even most or all, represent web sites that have been breached and are being used to spread the payload.
In my OP I was referring to the domain name that the ultimate payload contained, after the cobweb of redirects in the initial spam was followed back to an endpoint.
But I only did six or so, early yesterday, so who knows...
#EOF
- John --
_______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages