Benoit Panizzon wrote on Thu, Oct 27, 2022 at 10:45:31AM +0200:
Let me guess:
You've got an abuse report to your abuse e-mail address
about some IP ranges and domains (including up-network.ch) which have
no relation to your AS at all?
If yes: You're not the only one.
Yes after the 3rd report, from yet another source we got after I sent
the email, the joe-job got quite apparent.
Ok, we so far just got one such mail.
The first report was rather short but could be
understood as a report
being a phishing site hosted by
one of our customers under the IP: 188.8.131.52
Ok, so you actually have a relation to some of the mentioned assets?
We don't have any.
On Tuesday we got 3 more reports from another sender
sent to different
abuse and NOC addresses regarding the same phishing site, not the full
URL anymore, but a more sensible list of affected IP addresses:
That list is actually the same that we got to our abuse address, too.
For reference, here's the relevant part of that weird mail as we received it:
| Date: Tue, 25 Oct 2022 14:59:36 +0200
| From: abuse(a)cognitive-cloud.com
| To: abuse@[…]
| Subject: Abuse report
| X-Mailer: mail (GNU Mailutils 3.7)
| We have detected that the AS: "AS203790 - Association UP-NETWORK" is
| responsible for hosting a phishing campaign targeting French institutions and private
| We ask you to stop their service completely, an investigation is in progress
| You can check all the proof here :
| - https://ipinfo.io/AS203790
| 184.108.40.206 macartevitaleameli.fr
| 220.127.116.11 amelicartevitaleverif.com
| 18.104.22.168 assure-cartes.com
[Signature or at least what seems to be a signature stripped]
I assume that most of these mails looked like this one.
So I guess this is some kind of campaign targeting
Yes, I interpret this as trying to convince other organisations to
block up-network.ch's IP ranges in their AS. Which is kinda weird.
First time I see such a request on the abuse address of an unrelated
But it is difficult to say if this is a helpless, but true request or an
Asking to block 3x /24 just because of three phishing sites seems a
bit of an overzealous reaction to me, though. This is what blacklists
/~\ Plain Text Ribbon Campaign | Axel Beckert
\ / Say No to HTML in E-Mail and News | abe(a)deuxchevaux.org (Mail)
X See http://arc.pasp.de/
| abe(a)noone.org (Mail+Jabber)
/ \ I love long mails: http://email.is-not-s.ms/