izatt82 Posted August 7, 2012

We have been getting hammered with spam emails from

Received: from prh00393.prod.fedex.com (prh00393.prod.fedex.com [199.81.10.49]) by mx22.infosec.fedex.com (FedEx MX) with SMTP id 81.MD.55510.XCX3W0TL; Tue, 7 Aug 2012 15:17:39 +0100

Which looks to be a valid SMTP server at fedex. Anybody else seeing anything like that?
bobbyb1980 Posted August 7, 2012

If security is as high a priority for them as getting people packages on time, I'd guess it's pretty low!
izatt82 Posted August 7, 2012 (Author)

After further research they may all be spoofed, but from the looks of the header it looks like they are spoofing the message and bouncing it off of fedex's SMTP servers. This may all be a spoof, but from our end it is hard to tell. It's also hard to block because we use FEDEX. I tried a few rules that hopefully won't also block valid emails, but we will see.
digip Posted August 8, 2012 (edited)

IP Information for 199.81.10.49
IP Location: United States Collierville Fedex
ASN: AS7726
Resolve Host: prh00393.prod.fedex.com

Non-authoritative answer:
Name: mx22.infosec.fedex.com
Addresses: 199.81.217.45 199.81.130.124

IP Information for 199.81.217.45
IP Location: United States Collierville Fedex
ASN: AS7726
Resolve Host: mx22.infosec.fedex.com

IP Information for 199.81.130.124
IP Location: United States Memphis Fedex
ASN: AS7726
IP Address: 199.81.130.124

All IPs seem legit. If the body of the email was complete spam though, you might want to notify their abuse department. Try calling +1-901-263-4898 or emailing dns-admin@network.fedex.com and letting them know of the spam. It's more than likely forged, but not entirely impossible that they left an open mail relay up for sending mail without authentication on one of their servers, or like you said, they got pwned and had their shit attacked. If more customers are getting the same spam, chances are one of their databases got whacked too, and I wouldn't be surprised if we hear about it in the news.

Edited August 8, 2012 by digip
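A way to settle the "relayed through FedEx or forged header" question from the defender's side is to walk the Received chain newest-first and check that each older hop's "by" host actually owns the IP the newer hop saw connecting. This is an added example, not code from the thread; the top header and the mx.example.com / 198.51.100.10 values are constructed, the second header is the one quoted in the first post, and the FedEx addresses are the ones digip resolved above (used here as an offline stand-in for DNS).

```python
import re

# Constructed sample, newest hop first: line 0 is what our own MX (assumed name
# mx.example.com) stamped on delivery; line 1 is the header quoted in the first post.
SAMPLE_RECEIVED = [
    "from prh00393.prod.fedex.com ([203.0.113.5]) by mx.example.com with ESMTP; "
    "Tue, 7 Aug 2012 14:20:01 +0000",
    "from prh00393.prod.fedex.com (prh00393.prod.fedex.com [199.81.10.49]) "
    "by mx22.infosec.fedex.com (FedEx MX) with SMTP id 81.MD.55510.XCX3W0TL; "
    "Tue, 7 Aug 2012 15:17:39 +0100",
]

# Offline stand-in for DNS: FedEx entries are the addresses resolved in the thread,
# mx.example.com is a constructed value for our own MX.
HOST_IPS = {
    "mx.example.com": {"198.51.100.10"},
    "mx22.infosec.fedex.com": {"199.81.217.45", "199.81.130.124"},
    "prh00393.prod.fedex.com": {"199.81.10.49"},
}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+).*?\[(?P<from_ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by_host>\S+)", re.S)

def parse_received(line):
    """Pull the claimed sending host, the connecting IP and the stamping host."""
    m = RECEIVED_RE.search(line)
    return m.groupdict() if m else None

def audit_chain(received, host_ips):
    """Hop 0 was written by our own MX, so its IP is trustworthy; its claimed host
    name is only the sender's HELO and is checked against that IP. Each older hop
    is credible only if the IP the newer hop saw belongs to the host the older hop
    claims stamped it. The first mismatch is where the sender forged the chain."""
    hops = [parse_received(h) for h in received]
    verdicts, broken = [], False
    for i, hop in enumerate(hops):
        if hop is None:
            verdicts.append("unparseable"); broken = True; continue
        if i == 0:
            ok = hop["from_ip"] in host_ips.get(hop["from_host"], set())
            verdicts.append("local-name-ok" if ok else "local-name-mismatch")
            continue
        prev = hops[i - 1]
        if broken:
            verdicts.append("below-break-untrusted")
        elif prev["from_ip"] in host_ips.get(hop["by_host"], set()):
            verdicts.append("consistent")
        else:
            verdicts.append("chain-break-likely-forged"); broken = True
    return verdicts
```

With the constructed sample the FedEx header sits below a chain break, which is what the "bouncing off fedex's servers" appearance looks like when the sender simply typed that Received line into the message.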
digip Posted August 10, 2012

web site poop

Sure. While you're at it, why not try spamming us with the other 74 domains you track as well. GTFO! http://www.ewhois.com/analytics-id/UA-1641900/