Hi Benoit,
Benoit Panizzon wrote on Thu, Oct 27, 2022 at 10:45:31AM +0200:
> > Let me guess: You've got an abuse report to your abuse e-mail address about some IP ranges and domains (including up-network.ch) which have no relation to your AS at all?
> > If yes: You're not the only one.
> Yes, after the 3rd report, from yet another source, which we got after I sent the email, the joe-job got quite apparent.
Ok, we so far just got one such mail.
> The first report was rather short but could be understood as a report about https://dashboard.myrdp.gg/login being a phishing site hosted by one of our customers under the IP: 45.158.77.203
Ok, so you actually have a relation to some of the mentioned assets? We don't have any.
> On Tuesday we got 3 more reports from another sender sent to different abuse and NOC addresses regarding the same phishing site, not the full URL anymore, but a more sensible list of affected IP addresses:
> 45.148.119.0/24 171.22.147.0/24 45.148.116.0/24 MyRDP.gg up-network.ch
That list is actually the same that we got to our abuse address, too. For reference, here's the relevant part of that weird mail as we received it:
| Date: Tue, 25 Oct 2022 14:59:36 +0200
| From: abuse@cognitive-cloud.com
| To: abuse@[…]
| Subject: Abuse report
| X-Mailer: mail (GNU Mailutils 3.7)
|
| Hello,
|
| We have detected that the AS: "AS203790 - Association UP-NETWORK" is responsible for hosting a phishing campaign targeting French institutions and private banks.
|
| We ask you to stop their service completely, an investigation is in progress
|
| 45.148.119.0/24
| 171.22.147.0/24
| 45.148.116.0/24
| MyRDP.gg
| up-network.ch
|
| You can check all the proof here :
| - https://ipinfo.io/AS203790
|
| =================
| 45.148.116.57 macartevitaleameli.fr
| 171.22.147.226 amelicartevitaleverif.com
| 171.22.147.40 assure-cartes.com
| =================
[Signature or at least what seems to be a signature stripped]
> I assume that most of these mails looked like this one.
> So I guess this is some kind of campaign targeting up-network.
Yes, I interpret this as trying to convince other organisations to block up-network.ch's IP ranges in their AS. Which is kinda weird. First time I see such a request on the abuse address of an unrelated organisation.
> But it is difficult to say if this is a helpless, but true request or a hostile attack.
Asking to block 3x /24 just because of three phishing sites seems a bit of an overzealous reaction to me, though. This is what blacklists are for.
Regards, Axel
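As an added example, not part of the thread or of any participant's tooling: the first triage step both sides describe is checking whether the IPs and prefixes named in such a report actually overlap anything your own AS announces. The script below pulls every IPv4 address or CIDR out of the report body quoted above and splits them into "ours" and "not ours" against a list of announced prefixes. The prefix list (192.0.2.0/24 and 198.51.100.0/24) is a constructed placeholder standing in for whatever your AS really announces; it is not AS203790's or either poster's.

```python
"""Triage an inbound abuse report: do the listed resources overlap our prefixes?

Added example for this thread; not code from any participant.
OUR_PREFIXES is a constructed placeholder, not a real announcement list.
"""
import ipaddress
import re

# Constructed placeholder: prefixes "our" AS announces. Replace with your own
# announced prefixes (e.g. from your IRR route objects or router config).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Body of the abuse report as quoted in the thread above (headers omitted).
REPORT = """\
We have detected that the AS: "AS203790 - Association UP-NETWORK" is
responsible for hosting a phishing campaign targeting French institutions
and private banks.

45.148.119.0/24
171.22.147.0/24
45.148.116.0/24
MyRDP.gg
up-network.ch

=================
45.148.116.57 macartevitaleameli.fr
171.22.147.226 amelicartevitaleverif.com
171.22.147.40 assure-cartes.com
=================
"""

# Dotted-quad IPv4, optionally followed by a /prefix length.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")


def extract_networks(text):
    """Return the unique IPv4 networks mentioned in text, in order of appearance.

    A bare address becomes a /32; malformed matches (e.g. octet > 255) are skipped.
    """
    found = []
    for match in IPV4_RE.finditer(text):
        try:
            net = ipaddress.ip_network(match.group(1), strict=False)
        except ValueError:
            continue
        if net not in found:
            found.append(net)
    return found


def classify(networks, our_prefixes):
    """Split networks into those overlapping our prefixes and those that do not.

    Overlap in either direction counts: a reported /22 covering our /24 is as
    relevant as a reported /32 inside it. Returns CIDR strings for readability.
    """
    ours, not_ours = [], []
    for net in networks:
        if any(net.overlaps(p) for p in our_prefixes):
            ours.append(str(net))
        else:
            not_ours.append(str(net))
    return {"ours": ours, "not_ours": not_ours}


def triage(report_text, our_prefixes=OUR_PREFIXES):
    """End-to-end: parse the report and classify what it names against our space."""
    return classify(extract_networks(report_text), our_prefixes)


if __name__ == "__main__":
    result = triage(REPORT)
    print("Resources in our address space:", result["ours"] or "none")
    print("Resources NOT in our address space:", result["not_ours"])
```

Run as-is it reports every listed network as outside the placeholder prefixes, which is the situation Axel describes (a report about assets the receiving AS has no relation to). Swapping in prefixes that actually cover some of the listed ranges moves those entries into "ours", which is what distinguishes a report worth acting on from one that only asks you to block someone else's space. The script deliberately only parses and classifies; what to do with the result stays a human decision.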