Today's breach is brought to you by Cheetahmail. Their 63.146.96.248/29 range is apparently spewing the same Adobe spam that has plagued the ESP industry since November 2009. This has been confirmed at three receiving sites.
Senderbase indicates that this range is all related to childrensplace.com. rDNS (below) indicates the block is owned by Cheetahmail.
We have to ask: Since Email Service Providers know what the vector into their systems is (spear phishing with a keylogger, either of an ESP staffer or someone with access to a client account) and they know what the criminals spam on the outbounds (fake Skype and Adobe software), how could this possibly still be happening?
This is a perfect example of why telling end-users to be careful about spear-phishing (as virtually every one of the 100+ breached Epsilon clients did) is inane. If ESPs, presumably on high alert, are incapable of preventing spear-phishing by being careful, one has to wonder why they expect normal Internet users to be able to do so.
It is high time that the ESP community stepped up and began to treat end-user data with appropriate security measures. Anything less is unacceptable.
CAUCE President John Levine has also blogged about this, with an example of the spam.
$ dig -x 63.146.96.248
; <<>> DiG 9.6.-ESV-R3 <<>> -x 63.146.96.248
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24202
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 12, ADDITIONAL: 6

;; QUESTION SECTION:
;248.96.146.63.in-addr.arpa. IN PTR

;; ANSWER SECTION:
248.96.146.63.in-addr.arpa. 86400 IN PTR mta810.email.childrensplace.com.

;; AUTHORITY SECTION:
96.146.63.in-addr.arpa. 259200 IN NS a.ns.96.146.63.in-addr.arpa.
96.146.63.in-addr.arpa. 259200 IN NS b.ns.96.146.63.in-addr.arpa.
96.146.63.in-addr.arpa. 259200 IN NS c.ns.96.146.63.in-addr.arpa.
96.146.63.in-addr.arpa. 259200 IN NS d.ns.96.146.63.in-addr.arpa.
96.146.63.in-addr.arpa. 259200 IN NS e.ns.96.146.63.in-addr.arpa.
96.146.63.in-addr.arpa. 259200 IN NS f.ns.96.146.63.in-addr.arpa.
96.146.63.in-addr.arpa. 259200 IN NS a.ns.cheetahmail.com.
96.146.63.in-addr.arpa. 259200 IN NS b.ns.cheetahmail.com.
96.146.63.in-addr.arpa. 259200 IN NS c.ns.cheetahmail.com.
96.146.63.in-addr.arpa. 259200 IN NS d.ns.cheetahmail.com.
96.146.63.in-addr.arpa. 259200 IN NS e.ns.cheetahmail.com.
96.146.63.in-addr.arpa. 259200 IN NS f.ns.cheetahmail.com.
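For a receiving site that wants to repeat the attribution above mechanically, here is an added example (not code from the CAUCE post): it parses the record sections of a dig -x answer, lists the reverse names of every address in the /29, and groups the PTR target and the non-in-addr.arpa authority servers by registrable domain, which is exactly the "PTR says childrensplace.com, NS says cheetahmail.com" reasoning made by hand above. The embedded sample is a trimmed copy of the page's output, and the two-label suffix heuristic is an assumption that suits .com names only.

```python
import ipaddress
import re

# Constructed sample: the dig -x answer from the page, trimmed to the record
# sections. Header and flag lines are ignored by the parser anyway.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;248.96.146.63.in-addr.arpa. IN PTR

;; ANSWER SECTION:
248.96.146.63.in-addr.arpa. 86400 IN PTR mta810.email.childrensplace.com.

;; AUTHORITY SECTION:
96.146.63.in-addr.arpa. 259200 IN NS a.ns.96.146.63.in-addr.arpa.
96.146.63.in-addr.arpa. 259200 IN NS a.ns.cheetahmail.com.
96.146.63.in-addr.arpa. 259200 IN NS b.ns.cheetahmail.com.
"""

# One resource record line: owner, TTL, class IN, type, target.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(PTR|NS)\s+(\S+)$")


def parse_dig(text):
    """Return (ptr_targets, ns_hosts) found in dig's ANSWER/AUTHORITY sections."""
    ptrs, nss = [], []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:  # comments, the ';'-prefixed question line, blank lines
            continue
        _owner, _ttl, rtype, target = m.groups()
        target = target.rstrip(".").lower()
        (ptrs if rtype == "PTR" else nss).append(target)
    return ptrs, nss


def registrable_suffix(name, labels=2):
    """Last two labels of a hostname (assumed heuristic; fine for .com names)."""
    return ".".join(name.split(".")[-labels:])


def reverse_names(cidr):
    """in-addr.arpa names for every address in the block (8 for a /29)."""
    return [addr.reverse_pointer for addr in ipaddress.ip_network(cidr)]


def attribute_block(cidr, dig_text):
    """Summarise who the PTR points at and who operates the reverse zone."""
    ptrs, nss = parse_dig(dig_text)
    # Delegation-internal NS names (a.ns.96.146.63.in-addr.arpa) say nothing
    # about the operator, so only keep servers under a real domain.
    operators = {registrable_suffix(n) for n in nss if not n.endswith("in-addr.arpa")}
    return {
        "reverse_names": reverse_names(cidr),
        "ptr_domains": sorted({registrable_suffix(p) for p in ptrs}),
        "ns_operators": sorted(operators),
    }
```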