DMARC stats – or hi to the 754th Electronic Systems Group of the US Air Force.

scumbag spammer Robert Soloway

DMARC (my blog) is something really, really boring – in fact most Microsoft admins have never heard of it, or of SPF, but that is the sad state of Microsoft, who I love to poke fun at given an opportunity (my blog) to do so.

Anyhow, I was getting bored of collecting some other information and so decided to document DMARC attempts.

I can do this because non-Microsoft mail providers actually send this information back remotely, so these are not things I was looking for but events that a mail provider saw and reported.

A month in, I have 37 offenders, and 86% of them originated from China.

Here is two months' worth; note the suspicious quantities from certain subnets.

sort -n dkim.bl | uniq -c

      1 58.100.0.105 58.100.0.0 - 58.101.255.255 WASUHZ CN ipas@cnnic.cn
      1 58.100.0.110
      1 58.100.0.166
      1 58.100.0.207
      1 58.100.0.236
      1 58.100.0.26
      1 58.100.0.32
      1 58.100.0.46
      1 58.100.0.73
      1 58.100.1.145
      1 58.100.1.155
      1 58.100.1.211
      1 58.100.182.224
      1 58.100.201.100
      1 58.100.201.104
      2 58.100.201.105
      1 58.100.201.131
      1 58.100.201.138
      1 58.100.201.140
      1 58.100.201.152
      1 58.100.201.155
      1 58.100.201.207
      1 58.100.201.236
      1 58.100.201.244
      1 58.100.201.246
      1 58.100.201.81
      1 58.100.201.88
      1 58.100.2.100
      1 58.100.2.118
      1 58.100.2.128
      1 58.100.2.170
      1 58.100.2.187
      1 58.100.2.19
      1 58.100.2.192
      1 58.100.2.197
      1 58.100.2.201
      1 58.100.2.240
      1 58.100.2.31
      1 58.100.2.34
      1 58.100.24.4
      1 58.100.2.97
      1 58.100.3.107
      2 58.100.3.13
      1 58.100.3.140
      1 58.100.3.16
      1 58.100.3.175
      1 58.100.3.179
      1 58.100.3.184
      1 58.100.3.194
      1 58.100.3.242
      2 58.100.3.27
      1 58.100.3.4
      1 58.100.3.90
      1 58.100.4.177
      1 58.100.4.237
      1 58.100.4.248
      1 58.100.5.105
      1 58.100.5.146
      1 58.100.5.15
      1 58.100.5.180
      1 58.100.5.94
      1 58.100.6.106
      1 58.100.6.110
      1 58.100.6.216
      1 58.100.6.219
      1 58.100.6.39
      1 58.100.7.107
      1 58.100.7.113
      1 58.100.7.135
      1 58.100.7.149
      1 58.100.7.18
      1 58.100.7.228
      1 58.100.7.56
      1 58.100.7.84
      1 58.101.149.139
      1 58.101.149.143
      1 58.101.149.158
      2 58.101.149.177
      1 58.101.149.180
      1 58.101.149.221
      1 58.101.149.222
      1 58.101.149.223
      1 58.101.149.228
      3 58.101.149.234
(91)  1 58.101.208.115
      1 101.71.192.51 101.64.0.0 - 101.71.255.255 UNICOM-ZJ CN zhouxm@chinaunicom.cn
      1 101.71.193.235
      1 101.71.194.100
      1 101.71.194.198
      1 101.71.196.49
      1 101.71.196.70
      1 101.71.196.8
      1 101.71.197.4
      1 101.71.197.60
      1 101.71.217.144
(11)  1 101.71.217.192
 (1)  1 114.148.3.208 114.148.0.0 - 114.148.127.255 OCN JP
      1 123.158.33.124 123.152.0.0 - 123.159.255.255 UNICOM-ZJ CN abuse@cnc-noc.net
 (2)  1 123.158.33.197
      1 124.90.194.31 124.90.0.0 - 124.91.255.255 UNICOM-ZJ CN abuse@cnc-noc.net
      1 124.90.199.159
      1 124.90.199.235
      1 124.90.69.93
      1 124.90.70.79
 (6)  1 124.90.71.85
      1 128.238.7.189 128.238.0.0 - 128.238.255.255 POLY-U-NET US noc-na23-poly-arin@nyu.edu
      1 131.44.184.194 131.44.0.0 - 131.44.255.255 RANDOLPH1-NET US disa.columbus.ns.mbx.arin-registrations@mail.mil
      1 140.28.152.236 140.28.0.0 - 140.28.255.255 DNIC-RNET-140-028 US disa.columbus.ns.mbx.arin-registrations@mail.mil
      1 218.109.107.134 218.109.107.0 - 218.109.107.255 WASU-BB CN abuse@hzdtv.com
      1 218.109.220.125
      1 218.109.221.247
      1 218.109.243.207
 (5)  1 218.109.253.141
      1 219.82.112.65 219.82.112.0 - 219.82.112.255 WASU-BB CN abuse@hzdtv.com
      1 219.82.160.124 219.82.160.0 - 219.82.160.255 WASU-BB CN abuse@hzdtv.com
      1 219.82.164.18 219.82.164.0 - 219.82.164.255 WASU-BB CN abuse@hzdtv.com 
      1 219.82.166.132 219.82.166.0 - 219.82.166.255 WASU-BB CN abuse@hzdtv.com
      1 219.82.184.136 219.82.184.0 - 219.82.184.255 WASU-BB CN abuse@hzdtv.com
      1 219.82.187.68 219.82.187.0 - 219.82.187.255 WASU-BB CN abuse@hzdtv.com
      1 219.82.35.1 219.82.35.0 - 219.82.35.255 WASU-BB CN abuse@hzdtv.com
      1 219.82.50.249 219.82.50.0 - 219.82.50.255 WASU-BB CN abuse@hzdtv.com
      1 219.82.51.206 219.82.51.0 - 219.82.51.255 WASU-BB CN abuse@hzdtv.com
      1 219.82.51.75
 (3)  1 219.82.57.167
      1 228.143.204.76 dmarc report error

Of interest is the false IP; I copied and pasted it from the DMARC reports, so the error is not mine, that is what some ISP sent. Most of these are Chinese, but the 754th Electronic Systems Group in the US Air Force deserve an honourable mention, although they're a bit shit at what they do, as there's a Reddit topic on them, and when us apes notice them you have a problem.

I wonder what they were trying to do?

The text should be parseable on spaces (" ") into a spreadsheet.
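As an added example (not the blog's own tooling), the following Python pulls the failing source IPs out of a DMARC aggregate (RUA) report, groups them by /24 the way the subnet totals above do, and flags an address such as 228.143.204.76 that cannot be a real sender. The report XML is a constructed sample in the RFC 7489 layout, not a report the author received.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed RUA excerpt in the RFC 7489 aggregate-report layout (sample data, not a real report).
SAMPLE_RUA = """<feedback>
  <record><row><source_ip>58.100.3.13</source_ip><count>2</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>58.100.3.27</source_ip><count>2</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>5</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>228.143.204.76</source_ip><count>1</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def failing_sources(rua_xml):
    """Return {source_ip: message count} for rows where both DKIM and SPF failed."""
    hits = Counter()
    for row in ET.fromstring(rua_xml).iter("row"):
        pe = row.find("policy_evaluated")
        if pe.findtext("dkim") == "fail" and pe.findtext("spf") == "fail":
            hits[row.findtext("source_ip")] += int(row.findtext("count"))
    return dict(hits)

def classify(ip_text):
    """'ok' for a routable unicast address, otherwise why it cannot be a mail sender."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    if ip.is_multicast:
        return "multicast"      # e.g. 228.x.x.x: the 'dmarc report error' entry above
    if ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_unspecified:
        return "non-routable"
    return "ok"

def by_subnet(hits, prefix=24):
    """Collapse per-IP counts into per-subnet counts, skipping bogus addresses."""
    nets = Counter()
    for ip_text, n in hits.items():
        if classify(ip_text) == "ok":
            net = ipaddress.ip_network(f"{ip_text}/{prefix}", strict=False)
            nets[str(net)] += n
    return dict(nets)

if __name__ == "__main__":
    found = failing_sources(SAMPLE_RUA)
    print(by_subnet(found), {ip: classify(ip) for ip in found})
```

Pass a larger prefix (for example 16) to `by_subnet` to reproduce the per-allocation totals shown in the listing.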
