________                    __                      __       
 /_  __/ /_  ________  ____ _/ /__      ______  _____/ /_______
  / / / __ \/ ___/ _ \/ __ `/ __/ | /| / / __ \/ ___/ //_/ ___/
 / / / / / / /  /  __/ /_/ / /_ | |/ |/ / /_/ / /  / ,< (__  ) 
/_/ /_/ /_/_/   \___/\__,_/\__/ |__/|__/\____/_/  /_/|_/____/  


==================
SUMMARY (FR-JB451)
==================

Beginning December 8, 2019, Threatworks began monitoring a large volume of spam originating
from Hetzner, Digital Ocean, Internap, and Amazon AWS. The emails contain shortened links via
buff.ly or ow.ly, or direct links to XXXXXX.digitaloceanspaces.com. On reviewing the email
headers we found that, for the bulk of the spam, the domain in the "from" address was
unregistered; these were generally variations of JONqjnh@kantiflow.xyz and JMCcPbc@chatorbay.xyz.
Threatworks began registering these domains and installing DNS records (SPF with -all and a
DMARC reject policy) so that properly configured mail servers would reject the mail.

==================
DNS RECORDS
==================

chatorbay.xyz.	1	IN	TXT	"v=spf1 ip4:8.8.8.8 a:mail.google.com -all"

dkim._domainkey.chatorbay.xyz.	1	IN	TXT	( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEF"
	"AAOCAQ8AMIIBCgKCAQEA1eBjN/F7Gnn7srYPNfr9LEY9fYZZgnE77oKeCer50LVeD7NsgNgX06eg92+J3Fg2RDv"
	"P+hDBxwdognEkLB6EMPsGqdAJaccS2dm69hyLBLZF7Xa2V/tMq+nR2x69vJGbWQFsP+1zjPE/Lw25gUTzlDQCRF"
	"TCss+bls+t3S25qmUo2dMFqUeS+7DPPt2BK8wAOACG1Oj/YYSf74XvvL4gTaywml4iXyQbsp9+M5/gTGBVYdy8X"
	"WXYXtZLAeOTfvmqpkLOs7IC7Z6/qf3v1+TqYUztzaCW8IDF5+zcPKgOuclT3UwmtQtVGSXW/4ABkNKEw7Wtb9nl"
	"6wjDQ/0acN9tVQIDAQAB" )

_dmarc.chatorbay.xyz.	1	IN	TXT	"v=DMARC1; p=reject; adkim=s; aspf=s;"

kantiflow.xyz.	1	IN	TXT	"v=spf1 ip4:8.8.8.8 a:mail.google.com -all"

dkim._domainkey.kantiflow.xyz.	1	IN	TXT	( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEF"
	"AAOCAQ8AMIIBCgKCAQEA1eBjN/F7Gnn7srYPNfr9LEY9fYZZgnE77oKeCer50LVeD7NsgNgX06eg92+J3Fg2RDv"
	"P+hDBxwdognEkLB6EMPsGqdAJaccS2dm69hyLBLZF7Xa2V/tMq+nR2x69vJGbWQFsP+1zjPE/Lw25gUTzlDQCRF"
	"TCss+bls+t3S25qmUo2dMFqUeS+7DPPt2BK8wAOACG1Oj/YYSf74XvvL4gTaywml4iXyQbsp9+M5/gTGBVYdy8X"
	"WXYXtZLAeOTfvmqpkLOs7IC7Z6/qf3v1+TqYUztzaCW8IDF5+zcPKgOuclT3UwmtQtVGSXW/4ABkNKEw7Wtb9nl"
	"6wjDQ/0acN9tVQIDAQAB" )

_dmarc.kantiflow.xyz.	1	IN	TXT	"v=DMARC1; p=reject; adkim=s; aspf=s;"

==================
CONCLUSIONS
==================

Properly configured mail servers that reject SPF and DMARC mismatches should now see no further spam
from chatorbay.xyz and kantiflow.xyz.
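As an added illustration (not part of the report), the following Python evaluator applies the SPF and DMARC records published above to a message the way a receiving server would: the records are embedded inline, and the A record for mail.google.com is a constructed placeholder so the check runs offline. Only the mechanisms present in these records (ip4, a, all) are implemented, and strict alignment is assumed so the From domain is also the SPF-checked domain.

```python
import ipaddress

# Constructed copies of the SPF/DMARC values from this report; a real
# evaluator would fetch these with DNS TXT lookups instead.
TXT_RECORDS = {
    "kantiflow.xyz": "v=spf1 ip4:8.8.8.8 a:mail.google.com -all",
    "_dmarc.kantiflow.xyz": "v=DMARC1; p=reject; adkim=s; aspf=s;",
}
# Hypothetical A-record table for the a: mechanism (RFC 5737 test address).
A_RECORDS = {"mail.google.com": ["192.0.2.25"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(domain, sender_ip):
    """Minimal SPF check: ip4 and a mechanisms plus the all catch-all."""
    record = TXT_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        result = QUALIFIERS[qualifier]
        if mech == "all":
            return result                  # -all: every unmatched sender fails
        name, _, arg = mech.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return result
        if name == "a" and any(ip == ipaddress.ip_address(a)
                               for a in A_RECORDS.get(arg or domain, [])):
            return result
    return "neutral"

def dmarc_policy(domain):
    """Parse the _dmarc TXT record into a tag dict, or None if absent."""
    record = TXT_RECORDS.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None

def dmarc_disposition(from_domain, sender_ip, dkim_pass=False):
    """What a DMARC-enforcing receiver does with a message (strict alignment)."""
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none"                      # no policy: receiver decides on its own
    if spf_result(from_domain, sender_ip) == "pass" or dkim_pass:
        return "accept"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "accept")
```

A spoofed message from a cloud host claiming kantiflow.xyz matches no ip4 or a mechanism, hits -all, and with p=reject is refused; before the domain was registered there was no record at all, so the receiver fell back to its own heuristics.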

Threatworks will be monitoring backscatter from the previously active spam originating from these
domains, as well as DMARC reports, to track per-domain volume.

==================
ACKNOWLEDGMENTS
==================

Ryan Sheffield (Threatworks) - Threatworks.net
Calvin Judy (Swiftnode) - Swiftnode.com

Any questions regarding this incident report should be sent to research@threatworks.net.