The following IP addresses at several providers of inexpensive VPS services are sending spam for several customers. The IP addresses HELO as a hostname in the ddns.net domain. This domain is owned by no-ip.com, a provider of distributed IP services.
The first IP address below is sending phish. The second is sending spam for a provider of business training services. The other four are sending spam advertising internet services. Spam making use of the ddns.net domain in HELO and (in some cases) as rDNS started abruptly about five days ago.
VPSNet Lithuania, Digital Ocean, Telefonica Argentina, and Telecom Argentina: Please determine which accounts were involved in this spam and close those accounts.
NO-IP: Please remove these spammers now and take action to prevent this sort of abuse of your network.
SENDING IPs:
91.211.247.199 stonenotificamail.ddns.net (HELO: stonenotificamail.ddns.net) (VPSNet.lt)
143.198.133.115 aj20.gfordmail.ddns.net (HELO: gfordmail.ddns.net) (Digital Ocean)
186.57.132.169 186-57-132-169.speedy.com.ar (HELO: piragua.ddns.net) (Telefonica Argentina)
186.57.164.99 186-57-164-99.speedy.com.ar (HELO: piragua.ddns.net) (Telefonica Argentina)
186.57.165.209 186-57-165-209.speedy.com.ar (HELO: piragua.ddns.net) (Telefonica Argentina)
190.136.214.107 host107.190-136-214.telecom.net.ar (HELO: pacu.basss.ddns.net) (Telecom Argentina)
SPAM SAMPLES:
Received: from stonenotificamail.ddns.net (stonenotificamail.ddns.net [91.211.247.199])
Date: Sun, 7 Nov 2021 02:##:## +0000 (UTC)
From: Stone <root@stonenotificamail.ddns.net>
Subject: Conta temporariamente bloqueada
<snip>
We detected suspicious access to your account
We have temporarily blocked your account because of suspicious access that our system detected when the 6-digit password was entered incorrectly several times.
You will not be able to make withdrawals or transfers via Pix until we verify that you are really the account holder.
[ Access Now ]
[[ https://dash.saudi-ems.com/vendor/composer/acesso/ ]]
<snip>
Received: from gfordmail.ddns.net (unknown [143.198.133.115])
Date: Mon, 8 Nov 2021 17:##:## +0530
From: «Piyush Verma» <namoacademy899@gmail.com>
Subject: Webinar on Business Writing <x>
<snip>
Webinar on
Business Writing <x>
<snip>
Best regards
For GFORD Institute of Management Pvt Ltd
Piyush Verma
Email: gfordseminar@outlook.com
Mob. : 9711114779 / 9315556407
For Query and nominations – 9540012349 only Whatsapp
For unsubscribe from the mailing list, please mail us on deletemailgford@gmail.com
<snip>
Received: from piragua.ddns.net (186-57-132-169.speedy.com.ar [186.57.132.169])
Date: 07 Nov 2021 20:##:## -0300
From: «Personal Empresas»<noreply@piragua.ddns.net >
Subject: VENITE PERSONAL EMPRESAS OFERTA ESPECIAL
<snip>
Personalized service for your account. Contact me:
info@empresaspersonal.com
http://www.empresaspersonal.com
Direct number 11-6471-9791 - WhatsApp.
Yours sincerely, Jorge Guerrero -
Business Account Executive, Telecom Personal.
If you wish to stop receiving this newsletter, write here.
bajaletter@gmail.com
<snip>
Received: from pacu.basss.ddns.net (localhost [127.0.0.1])
Date: Fri, 5 Nov 2021 06:##:## +0000
From: ** EmpresasPewrsonal <no-reply@empresaspersonal.com>
Subject: baja tus costos con PERSONAL
<snip>
[ View ONLINE ]
[[ http://basss.ddns.net/lists/lt.php?<x> ]]
<snip>
email : info@empresaspersonal.com WhatsApp : 54 11 9 6471-9791
—
This email was sent to dellagiust@web-mail.com.ar from no-reply@empresaspersonal.com.
Or you can unsubscribe to avoid receiving emails in the future.
<snip>
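The HELO pattern this report describes (a ddns.net hostname in HELO, sometimes also as rDNS) can be checked mechanically on received mail. The following is an added example, not part of the original report: it assumes Postfix-style `Received:` lines like those in the samples, and the function names, flag names and the final benign sample line are constructed for illustration.

```python
import re

# Dynamic-DNS zone named in this report; add others seen in your own mail flow.
DYNDNS_ZONES = ("ddns.net",)

# Assumes Postfix-style "Received: from HELO (RDNS [IP])", as in the samples.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

def in_zone(host, zones=DYNDNS_ZONES):
    """True if host is a zone apex or a name beneath it (label-aligned match)."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)

def classify(line):
    """Return ip/helo/rdns plus flags for one Received line, or None if unparsed."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    helo, rdns, ip = (m.group(k).lower() for k in ("helo", "rdns", "ip"))
    flags = []
    if in_zone(helo):
        flags.append("helo-dyndns")
    if in_zone(rdns):
        flags.append("rdns-dyndns")
    if ip.startswith("127.") or ip == "::1":
        flags.append("loopback-hop")      # local relay hop, not the real sender
    elif rdns == "unknown":
        flags.append("no-rdns")           # the MTA recorded no verified PTR name
    elif rdns != helo:
        flags.append("helo-rdns-mismatch")
    return {"ip": ip, "helo": helo, "rdns": rdns, "flags": flags}

# First four lines are copied from the samples above; the last is constructed.
SAMPLES = [
    "Received: from stonenotificamail.ddns.net (stonenotificamail.ddns.net [91.211.247.199])",
    "Received: from gfordmail.ddns.net (unknown [143.198.133.115])",
    "Received: from piragua.ddns.net (186-57-132-169.speedy.com.ar [186.57.132.169])",
    "Received: from pacu.basss.ddns.net (localhost [127.0.0.1])",
    "Received: from mail.example.org (mail.example.org [192.0.2.25])",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = classify(s)
        print(r["ip"], r["helo"], ",".join(r["flags"]) or "clean")
```

A `loopback-hop` result means the header was added by a local relay, so the connecting address has to be taken from an earlier `Received:` line.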
WHOIS:
% Information related to '91.211.244.0 - 91.211.247.255'
% Abuse contact for '91.211.244.0 - 91.211.247.255' is 'abuse@vpsnet.lt'
inetnum: 91.211.244.0 - 91.211.247.255
netname: VPSNET-COM
descr: www.VPSnet.com
country: LT
org: ORG-UA290-RIPE
admin-c: UEH5-RIPE
tech-c: UEH5-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: VPSNET-LT
created: 2009-02-02T13:17:24Z
last-modified: 2018-03-22T15:17:50Z
source: RIPE
organisation: ORG-UA290-RIPE
org-name: UAB ESNET
country: LT
org-type: LIR
address: Zuvedru 36
address: LT10103
address: Vilnius
address: LITHUANIA
phone: +37068450242
abuse-c: AC28451-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: VPSNET-LT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: VPSNET-LT
created: 2014-12-05T08:35:29Z
last-modified: 2020-12-16T12:25:25Z
source: RIPE # Filtered
role: UAB ESNET Hostmaster
address: UAB «Esnet»
address: Zuvedru g. 36, Vilnius
address: LT-10103, Lithuania
abuse-mailbox: abuse@vpsnet.lt
remarks: *************************************************
remarks: * For spam/abuse/security issues please contact *
remarks: * ————— abuse@vpsnet.lt ————— *
remarks: *************************************************
nic-hdl: UEH5-RIPE
mnt-by: VPSNET-LT
mnt-by: JS76764-MNT
created: 2018-03-08T11:31:00Z
last-modified: 2018-03-08T11:36:34Z
source: RIPE # Filtered
% Information related to '91.211.244.0/22AS61053'
route: 91.211.244.0/22
descr: ESNET
origin: AS61053
mnt-by: VPSNET-LT
created: 2013-03-06T10:41:59Z
last-modified: 2018-03-22T15:20:51Z
source: RIPE
NetRange: 143.198.0.0 - 143.198.255.255
CIDR: 143.198.0.0/16
NetName: DIGITALOCEAN-143-198-0-0
NetHandle: NET-143-198-0-0-1
Parent: NET143 (NET-143-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS14061
Organization: DigitalOcean, LLC (DO-13)
RegDate: 2020-01-24
Updated: 2020-04-03
Comment: Routing and Peering Policy can be found at https://www.as14061.net
Comment:
Comment: Please submit abuse reports at https://www.digitalocean.com/company/contact/#abuse
Ref: https://rdap.arin.net/registry/ip/143.198.0.0
OrgName: DigitalOcean, LLC
OrgId: DO-13
Address: 101 Ave of the Americas
Address: 10th Floor
City: New York
StateProv: NY
PostalCode: 10013
Country: US
RegDate: 2012-05-14
Updated: 2021-05-03
Comment: http://www.digitalocean.com
Comment: Simple Cloud Hosting
Ref: https://rdap.arin.net/registry/entity/DO-13
OrgAbuseHandle: ABUSE5232-ARIN
OrgAbuseName: Abuse, DigitalOcean
OrgAbusePhone: +1-347-875-6044
OrgAbuseEmail: abuse@digitalocean.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE5232-ARIN
OrgNOCHandle: NOC32014-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-347-875-6044
OrgNOCEmail: noc@digitalocean.com
OrgNOCRef: https://rdap.arin.net/registry/entity/NOC32014-ARIN
OrgTechHandle: NOC32014-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-347-875-6044
OrgTechEmail: noc@digitalocean.com
OrgTechRef: https://rdap.arin.net/registry/entity/NOC32014-ARIN
inetnum: 186.57.0.0/16
status: allocated
aut-num: N/A
owner: Telefonica de Argentina
ownerid: AR-TEAR7-LACNIC
responsible: Luis Francisco Pérez Sánchez
address: Av. Independencia, 169, PB
address: 1099 - Buenos Aires - CF
country: AR
phone: +54 8102220102 [0000]
owner-c: TEA
tech-c: TEA
abuse-c: TEA
inetrev: 186.57.0.0/16
nserver: DNS1.MRSE.COM.AR
nsstat: 20211105 AA
nslastaa: 20211105
nserver: DNS2.MRSE.COM.AR
nsstat: 20211105 AA
nslastaa: 20211105
nserver: DNS3.MRSE.COM.AR
nsstat: 20211105 AA
nslastaa: 20211105
nserver: DNS4.MRSE.COM.AR
nsstat: 20211105 AA
nslastaa: 20211105
created: 20081230
changed: 20081230
nic-hdl: TEA
person: Telefonica de Argentina
e-mail: tasamail.ar@telefonica.com
address: AV. ING. HUERGO, 723,
address: 1065 - Capital Federal - BA
country: AR
phone: +54 11 43335000
created: 20030618
changed: 20110603
status: reallocated
aut-num: N/A
owner: Apolo -Gold-Telecom-Per
ownerid: AR-APGO-LACNIC
responsible: Aseguramiento de Datos
address: Dorrego, 2520, piso 3°
address: 1425 - Capital Federal -
country: AR
phone: +54 11 4968-7975
owner-c: ADA
tech-c: ADA
abuse-c: ADA
created: 20070803
changed: 20070803
inetnum-up: 190.136.0.0/16
nic-hdl: ADA
person: Administrador Abuse
e-mail: abuse@ta.telecom.com.ar
address: Alicia Moreau de Justo, 50, -
address: 1107 - Ciudad Autónoma de Buenos Aires -
country: AR
phone: +54 11 49684000
created: 20030211
changed: 20110316
Domain Name: ddns.net
Registry Domain ID: 73816572_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.srsplus.com
Registrar URL: http://srsplus.com
Updated Date: 2020-02-07T16:50:29Z
Creation Date: 2001-06-28T16:04:59Z
Registrar Registration Expiration Date: 2022-06-28T16:04:59Z
Registrar: TLDS LLC. d/b/a SRSPlus
Registrar IANA ID: 320
Reseller:
Domain Status: clientTransferProhibited http://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Dan Durrer
Registrant Organization: No-IP.com
Registrant Street: 425 Maestro Dr. Second Floor
Registrant City: Reno
Registrant State/Province: NV
Registrant Postal Code: 89511
Registrant Country: US
Registrant Phone: +1.7758531883
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@no-ip.com
Registry Admin ID:
Admin Name: Dan Durrer
Admin Organization: No-IP.com
Admin Street: 425 Maestro Dr. Second Floor
Admin City: Reno
Admin State/Province: NV
Admin Postal Code: 89511
Admin Country: US
Admin Phone: +1.7758531883
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@no-ip.com
Registry Tech ID:
Tech Name: Dan Durrer
Tech Organization: No-IP.com
Tech Street: 425 Maestro Dr. Second Floor
Tech City: Reno
Tech State/Province: NV
Tech Postal Code: 89511
Tech Country: US
Tech Phone: +1.7758531883
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@no-ip.com
Name Server: nf2.no-ip.com
Name Server: nf1.no-ip.com
Name Server: nf4.no-ip.com
Name Server: nf3.no-ip.com
DNSSEC: Unsigned