
Epsilon breach: e-mail marketing issues

By Dale Reagan | April 29, 2011

In the out-sourcing era we continue to hear “it’s not my problem” or “it was a problem with one of our vendors”…  So, which company is responsible for the data that you share with it?  At some point we all need to ask ourselves, “Who are we doing business with?” Perhaps we should also ask, “Who should we be doing business with?”

** Note: since I manage my own email server I can easily implement network-related blocking/filtering, and the effect is limited to me; if you are supporting multiple users then other approaches may be more appropriate…  Also, the IP addresses shown may or may NOT be connected to the Epsilon breach, and GeoIP information may not be accurate (since it can change).

What about the companies whose IP addresses are being used to send SPAM?  Based on the amount of SPAM that I am seeing, it seems that companies are not monitoring their logs/network traffic, OR they are the SPAMMERS, OR they have decided that they do not care where their revenue comes from…

With network data, over time, you will see patterns emerge – the example below shows one such pattern. From April 13 to April 29, 2011 I found log entries for the following IP addresses and [modified] email addresses.  Once SPAM makes it to my server, the offending IP address is permanently blocked.  I also use Greylisting to limit connections by denying email from certain countries and domains.  As with any data set, patterns will emerge when you have adequate data.  I suspect that MOST of the IP addresses below are SERVERs on the Internet that have been:

for sending SPAM email.



IP address       |  country, region, city, postal code, latitude, longitude, metro code, area code
173.213.53.182   |  CA, AB, Calgary, t2a6t8, 51.083302, -114.083298, 0, 0
207.210.87.137   |  US, GA, Atlanta, 30310, 33.725700, -84.430901, 524, 404
207.210.87.149   |  US, GA, Atlanta, 30310, 33.725700, -84.430901, 524, 404
207.210.87.158   |  US, GA, Atlanta, 30310, 33.725700, -84.430901, 524, 404
216.38.7.165     |  US, IL, Arlington Heights, 60005, 42.064301, -87.992104, 602, 847
74.80.151.227    |  US, IN, South Bend, 46613, 41.653500, -86.261398, 588, 574
207.210.254.132  |  US, MD, Ocean City, 21842, 38.338402, -75.124901, 576, 410
207.210.254.135  |  US, MD, Ocean City, 21842, 38.338402, -75.124901, 576, 410
207.210.254.72   |  US, MD, Ocean City, 21842, 38.338402, -75.124901, 576, 410
65.98.68.161     |  US, NJ, Clifton, 07014, 40.832600, -74.130699, 501, 973
64.191.95.46     |  US, PA, Scranton, 18501, 41.420101, -75.648499, 577, 570
64.191.95.51     |  US, PA, Scranton, 18501, 41.420101, -75.648499, 577, 570
64.191.95.57     |  US, PA, Scranton, 18501, 41.420101, -75.648499, 577, 570
216.139.212.213  |  US, TX, Austin, 78702, 30.264299, -97.713799, 635, 512
208.43.46.99     |  US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
98.142.4.38      |  US, TX, Grand Prairie, 75052, 32.660599, -97.024902, 623, 972


subwaysandwhich (AT) baunopraya (DOT) BAD_Domain
subwaysandwhiches (AT) ahongbkprs (DOT) BAD_Domain
subwaysandwhiches (AT) arrgtcyon (DOT) BAD_Domain
subwaysandwhiches (AT) ashirbowne (DOT) BAD_Domain
subwaysandwhiches (AT) ayousveps (DOT) BAD_Domain
subwaysandwhiches (AT) birtleish (DOT) BAD_Domain
subwaysandwhiches (AT) blotetrabu (DOT) BAD_Domain
subwaysandwhiches (AT) brevsstad (DOT) BAD_Domain
subwaysandwhiches (AT) herbapicus (DOT) BAD_Domain
subwaysandwhiches (AT) indymanda (DOT) BAD_Domain
subwaysandwhiches (AT) kokkanoix (DOT) BAD_Domain
subwaysandwhiches (AT) paddanile (DOT) BAD_Domain
subwaysandwhiches (AT) seorawulk (DOT) BAD_Domain
subwaysandwhiches (AT) stamrita (DOT) BAD_Domain
subwaysandwhiches (AT) turpsmeer (DOT) BAD_Domain
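
The aggregation the paragraph above describes, as an added example that is not part of the original post: a short Python script that reads lines in the same “IP | GeoIP fields” shape as the list above, groups the sources into /24 networks, de-obfuscates the “(AT)”/“(DOT)” sender addresses to count how many throwaway domains share one local part, and emits firewall rules for any /24 that contributed three or more distinct senders.  The sample rows are copied from the first list above (with the trailing GeoIP columns dropped); the /24 grouping, the threshold of three hosts, and the iptables rule format are assumptions of this example, not the author’s configuration.

```python
import ipaddress
import re
from collections import defaultdict

# Added example, not the post author's code. Source rows copied from the
# first "IP | GeoIP" list in the post (trailing GeoIP columns dropped);
# the /24 grouping, the 3-host threshold and the iptables format are
# assumptions of this example.
GEOIP_LINES = """\
173.213.53.182   |  CA, AB, Calgary
207.210.87.137   |  US, GA, Atlanta
207.210.87.149   |  US, GA, Atlanta
207.210.87.158   |  US, GA, Atlanta
216.38.7.165     |  US, IL, Arlington Heights
74.80.151.227    |  US, IN, South Bend
207.210.254.132  |  US, MD, Ocean City
207.210.254.135  |  US, MD, Ocean City
207.210.254.72   |  US, MD, Ocean City
65.98.68.161     |  US, NJ, Clifton
64.191.95.46     |  US, PA, Scranton
64.191.95.51     |  US, PA, Scranton
64.191.95.57     |  US, PA, Scranton
216.139.212.213  |  US, TX, Austin
208.43.46.99     |  US, TX, Dallas
98.142.4.38      |  US, TX, Grand Prairie
"""

# A few of the obfuscated sender addresses from the same list.
SENDER_LINES = """\
subwaysandwhich (AT) baunopraya (DOT) BAD_Domain
subwaysandwhiches (AT) ahongbkprs (DOT) BAD_Domain
subwaysandwhiches (AT) arrgtcyon (DOT) BAD_Domain
subwaysandwhiches (AT) ashirbowne (DOT) BAD_Domain
subwaysandwhiches (AT) kokkanoix (DOT) BAD_Domain
"""


def parse_geoip(text):
    """Return [(ip_address, location)] from 'IP | geo, fields' lines."""
    records = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        ip_text, geo = (part.strip() for part in line.split("|", 1))
        records.append((ipaddress.ip_address(ip_text), geo))
    return records


def cluster_by_prefix(records, prefixlen=24):
    """Group source IPs by the /prefixlen network that contains them."""
    clusters = defaultdict(list)
    for ip, _geo in records:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        clusters[net].append(ip)
    return clusters


def suspicious_networks(text, prefixlen=24, min_hosts=3):
    """CIDRs (strings, ascending) with >= min_hosts distinct spam sources."""
    clusters = cluster_by_prefix(parse_geoip(text), prefixlen)
    hits = [net for net, ips in clusters.items() if len(set(ips)) >= min_hosts]
    return [str(net) for net in sorted(hits)]


_OBFUSCATED = [(re.compile(r"\s*\(at\)\s*", re.I), "@"),
               (re.compile(r"\s*\(dot\)\s*", re.I), ".")]


def deobfuscate(addr):
    """Turn 'user (AT) host (DOT) tld' back into 'user@host.tld'."""
    for pattern, repl in _OBFUSCATED:
        addr = pattern.sub(repl, addr)
    return addr.strip()


def domains_per_local_part(text):
    """Map each local part to the set of domains it was seen with."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            local, _, domain = deobfuscate(line).partition("@")
            seen[local].add(domain)
    return seen


def block_rules(cidrs, chain="INPUT"):
    """iptables rules dropping inbound SMTP from each flagged network."""
    return [f"iptables -I {chain} -s {cidr} -p tcp --dport 25 -j DROP"
            for cidr in cidrs]


if __name__ == "__main__":
    nets = suspicious_networks(GEOIP_LINES)
    print("flagged /24s:", nets)
    for local, domains in domains_per_local_part(SENDER_LINES).items():
        print(f"{local}: {len(domains)} distinct domain(s)")
    print("\n".join(block_rules(nets)))
```

Run against the rows above, the three Atlanta, three Ocean City and three Scranton addresses each collapse into a single /24, while every other source stands alone; the one-host ranges are exactly the ones a per-IP block list handles well, and the /24 hits are the ones worth a range rule or an abuse report to the owning provider.  Grouping on /24 is a convenience for this data; on a provider that assigns customers smaller blocks it will over-block, which is the same caveat the note at the top of the post makes about blocking for more than one user.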


Another example, also from April 2011.  The IP addresses below were used to send SPAM for the [modified] email addresses listed.  Note that GeoIP information may not be accurate; however, the abuse record certainly does show that these IP ranges have a consistent pattern of transmitting SPAM…


IP address    |  country, region, city, postal code, latitude, longitude, metro code, area code
50.23.211.165 | US, FL, Fort-Lauderdale
50.23.211.166 | US, FL, Fort-Lauderdale
50.23.211.167 | US, FL, Fort-Lauderdale
50.23.211.168 | US, FL, Fort-Lauderdale
50.23.211.169 | US, FL, Fort-Lauderdale
50.23.211.170 | US, FL, Fort-Lauderdale
50.23.211.171 | US, FL, Fort-Lauderdale
50.23.211.172 | US, FL, Fort-Lauderdale
50.23.211.173 | US, FL, Fort-Lauderdale
75.126.40.80 | US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
75.126.40.81 | US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
75.126.40.82 | US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
75.126.40.83 | US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
75.126.40.84 | US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
75.126.40.86 | US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
75.126.40.87 | US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214



info (AT) availableforlimitedmarket (dot) Bad_Domain
info (AT) aviewpunti (dot) Bad_Domain
info (AT) byondowy (dot) Bad_Domain
info (AT) canaryflightcloud (dot) Bad_Domain
info (AT) geddharst (dot) Bad_Domain
info (AT) halsedowy (dot) Bad_Domain
info (AT) lazysmahu (dot) Bad_Domain
info (AT) lyonkansa (dot) Bad_Domain
info (AT) nammafunli (dot) Bad_Domain
info (AT) renkdakir (dot) Bad_Domain
info (AT) soopsturus (dot) Bad_Domain
info (AT) swuresussex (dot) Bad_Domain
info (AT) tchusquam (dot) Bad_Domain
info (AT) teetousia (dot) Bad_Domain
info (AT) tyranaller (dot) Bad_Domain
info (AT) woomminot (dot) Bad_Domain


Some additional SPAM


dellgiveaway (AT) resueyates (dot) Bad_Domain
dellgiveaway (AT) iraqianniv (dot) Bad_Domain
dellgiveaway (AT) boodhindyl (dot) Bad_Domain
dellgiveaway (AT) mynaxa (dot) Bad_Domain
dellgiveaway (AT) birtleish (dot) Bad_Domain


GeoIP Info for Above SPAMMERS

IP address     |  country, region, city, postal code, latitude, longitude, metro code, area code
173.213.53.166 | CA, AB, Calgary, t2a6t8, 51.083302, -114.083298, 0, 0
173.213.53.185 | CA, AB, Calgary, t2a6t8, 51.083302, -114.083298, 0, 0
65.98.15.253 | US, NJ, Clifton, N/A, 40.857498, -74.149300, 501, 973
206.217.131.134 | US, NY, Buffalo, 14221, 42.986401, -78.727898, 514, 716
98.102.168.97 | US, OH, Cincinnati, N/A, 39.169899, -84.485901, 515, 513


And some more…



redlobster (AT) primetimeclothes (dot) Bad_Domain
redlobster (AT) lytesfous (dot) Bad_Domain
redlobster (AT) alfetorly (dot) Bad_Domain
redlobster (AT) supaharle (dot) Bad_Domain
redlobster (AT) okeygosse (dot) Bad_Domain
redlobster (AT) ayousveps (dot) Bad_Domain
redlobster (AT) haidagren (dot) Bad_Domain
redlobster (AT) coesulmic (dot) Bad_Domain
redlobster (AT) barietunal (dot) Bad_Domain
redlobster (AT) kokkanoix (dot) Bad_Domain
redlobster (AT) shirldeady (dot) Bad_Domain
redlobster (AT) ashirbowne (dot) Bad_Domain
redlobster (AT) tramaklip (dot) Bad_Domain


GeoIP info for Above SPAMMERS
IP address     |  country, region, city, postal code, latitude, longitude, metro code, area code
173.213.53.185 | CA, AB, Calgary, t2a6t8, 51.083302, -114.083298, 0, 0
65.98.15.253 | US, NJ, Clifton, N/A, 40.857498, -74.149300, 501, 973
206.217.131.134 | US, NY, Buffalo, 14221, 42.986401, -78.727898, 514, 716
98.102.168.97 | US, OH, Cincinnati, N/A, 39.169899, -84.485901, 515, 513


I will guess that the IP addresses are from systems that:

See any patterns?  It seems we have a lot of hacked/compromised systems at some locations, OR the ISP supports SPAMMERS.

Who are you doing business with?

Topics: Computer Technology, News/Events, Problem Solving, System and Network Security, Web Technologies
