Monday, 3 August 2015

SMTP SPAM campaign - hxxp://ppt.cc/

So I have just shut down my SMTP server, because there was a huge influx of emails, all of them related to the same websites.

Example:
Received: from 174.128.178.126 by 46.203.227.24; Mon, 03 Aug 2015 06:19:41 -0600
Message-ID: <OBQGDHMJCXMWTMUCUVHKKO@163.com>
From: "<A7>䯥<A4><CD>" <rsosmpk@163.com>
Reply-To: "<A7>䬶<A4>ͪ<BA><A8>k<A5><U+0373>̷s<A9><DB>" <iceaegrnltj@163.com>
To: QUOTED
Subject: <A7>䯥<A4>ͪ<BA><A4>k<A4>H
Date: Mon, 03 Aug 2015 17:19:41 +0500
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--0901866075153714"
X-Priority: 3
X-MSMail-Priority: Normal

----0901866075153714
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

        <span style=3D"font-size:36px;"><span style=3D"color:#b22222;"><span styl=
e=3D"font-size: 28px;">=B7s=B7s=A4H=C3=FE=AA=BA=A7=DA=AD=CC=B4N=ADn=BA=C9=B1=
=A1=A8=C9=A8=FC=B3t=AD=B9=B7R=B1=A1=AA=BA=A7=D6=B7P</span></span></span></=
p>
<p>

<p>
        <span style=3D"font-size:48px;"><b><a href=3D"hxxp://ppt.cc/II6He"><font =
color=3D"blue" face=3D"Arial">http://ppt.cc/II6He</font></a></b></span></p=
>
The a href always points to the same domain, hxxp://ppt.cc/, and redirects to www.okbank.com.tw.

I have found 55 unique IP addresses involved in this campaign.
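
One way to triage a spool of such messages, as an added example that is not part of the original post: it decodes the quoted-printable HTML part, collects the host of every href, and gathers the IPv4 addresses named in the Received headers. The sample message is constructed from the one quoted above, and the function names `triage` and `summarise` are hypothetical.

```python
import email
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, modelled on the message quoted above (link kept defanged).
SAMPLE = "\n".join([
    "Received: from 174.128.178.126 by 46.203.227.24; Mon, 03 Aug 2015 06:19:41 -0600",
    "Content-Type: multipart/alternative;",
    '        boundary="--0901866075153714"',
    "",
    "----0901866075153714",
    "Content-Type: text/html;",
    "Content-Transfer-Encoding: quoted-printable",
    "",
    '<p><span style=3D"font-size:48px;"><b><a href=3D"hxxp://ppt.cc/II6He"><font =',
    'color=3D"blue" face=3D"Arial">http://ppt.cc/II6He</font></a></b></span></p=',
    ">",
    "----0901866075153714--",
])

HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def triage(raw):
    """Return (href hosts, IPv4s named in Received headers) for one message."""
    msg = email.message_from_string(raw)
    hosts = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes quoted-printable; latin-1 keeps the ASCII markup searchable.
        html = (part.get_payload(decode=True) or b"").decode("latin-1")
        for url in HREF.findall(html):
            host = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname
            if host:
                hosts.append(host.lower())
    ips = [ip for h in msg.get_all("Received", []) for ip in IPV4.findall(h)]
    return hosts, ips

def summarise(messages):
    """Count messages per link host and list the unique Received IPs."""
    host_counts, unique_ips = Counter(), set()
    for raw in messages:
        hosts, ips = triage(raw)
        host_counts.update(set(hosts))  # one count per message, not per link
        unique_ips.update(ips)
    return host_counts, sorted(unique_ips)
```

The defanged scheme is rewritten only so the URL can be parsed; nothing is fetched, so the redirect target is not resolved by this code.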