Multiple Domains, multiple IPs

keat63

Well-Known Member
Nov 20, 2014
1,854
226
93
cPanel Access Level
Root Administrator
I have one user who's plagued with spam from .ICU domains.
I've been using 'filter by domain' to block these, and today I've started blocking subnets on the firewall.
How can they do this, multiple domain names from multiple IPs?
Surely this can't be cost effective for them, which makes me think: are these credentials genuine or somehow spoofed?

Code:
2020-02-19 21:48:46 H=(helpclimate.icu) [213.142.151.145]:3182 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-19 22:20:28 H=(fasttube.icu) [213.142.151.146]:57097 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-19 22:51:39 H=(perfumeslow.icu) [213.142.151.147]:21410 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-19 23:29:50 H=(oppositeerror.icu) [213.142.151.148]:35639 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-19 23:51:19 H=(devoteduck.icu) [213.142.151.149]:11916 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 01:21:54 H=(recycleshame.icu) [213.142.151.151]:25350 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 02:08:35 H=(affectweapon.icu) [213.142.151.152]:28537 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 02:31:24 H=(monthform.icu) [213.142.151.153]:44637 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 03:06:32 H=(leafarise.icu) [213.142.151.154]:56263 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 03:31:55 H=(gateadmit.icu) [213.142.151.155]:26745 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 03:47:49 H=(wearretiree.icu) [213.142.151.156]:64954 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 04:03:14 H=(filmage.icu) [213.142.151.157]:10633 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 04:38:57 H=(poolcultural.icu) [213.142.151.159]:44280 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 12:27:32 H=(remaindeprive.icu) [84.54.14.131]:24724 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 14:06:51 H=(minoritygutter.icu) [84.54.14.132]:62560 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 14:50:42 H=(rushsodium.icu) [84.54.14.133]:26665 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 15:14:42 H=(crossfreight.icu) [84.54.14.134]:9775 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 15:47:46 H=(fibremeeting.icu) [84.54.14.136]:29504 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 16:14:52 H=(fibremeeting.icu) [84.54.14.136]:43946 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 16:48:42 H=(attackprice.icu) [84.54.14.137]:9701 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 17:37:19 H=(voicedirty.icu) [84.54.14.138]:20417 F=<[email protected]dirty.icu> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 18:09:43 H=(ejectdivide.icu) [84.54.14.139]:26293 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 18:48:07 H=(pursuitneck.icu) [84.54.14.140]:35910 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 19:29:25 H=(commandtreaty.icu) [84.54.14.141]:24971 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 20:03:49 H=(wealthclothes.icu) [84.54.14.142]:49918 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 23:01:58 H=(spincoach.icu) [89.43.78.115]:46674 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-20 23:50:07 H=(creepminority.icu) [89.43.78.116]:44327 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 00:28:55 H=(mildbudget.icu) [89.43.78.117]:50336 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 01:10:44 H=(soilpackage.icu) [89.43.78.118]:3409 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 01:54:59 H=(jacketancestor.icu) [89.43.78.119]:6353 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 02:40:57 H=(abortionbolt.icu) [89.43.78.120]:28036 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 03:29:52 H=(burialcower.icu) [89.43.78.121]:41804 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 04:02:54 H=(peelstate.icu) [89.43.78.122]:15586 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 04:48:21 H=(jealousexcuse.icu) [89.43.78.123]:60307 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 07:38:19 H=(storyeaux.icu) [193.31.117.183]:47694 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 08:58:15 H=(leashesdrum.icu) [193.31.117.184]:38166 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 09:41:02 H=(snakepeel.icu) [193.31.117.182]:35395 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 10:21:12 H=(tractwest.icu) [193.31.117.185]:45450 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 10:46:18 H=(pardonpalm.icu) [193.31.117.186]:57250 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 11:54:56 H=(momenttube.icu) [193.31.117.187]:58206 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 12:42:31 H=(billaid.icu) [193.31.117.189]:61877 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 13:23:47 H=(acutemean.icu) [193.31.117.190]:33480 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 14:01:47 H=(swarmcat.icu) [193.31.117.191]:3844 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 14:38:54 H=(modulerear.icu) [193.31.117.192]:50630 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 17:15:02 H=(templegive.icu) [193.31.117.195]:49609 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned
2020-02-21 18:03:20 H=(toolerscore.icu) [193.31.117.196]:29797 F=<[email protected]> rejected RCPT <[email protected]>: Sender domain is banned

keat63
I found ICU domains for sale for as little as £0.70, so I can see how they can cycle through domains.
I checked a number of those domains; they were all registered the same day, so probably not enough time to appear on RBLs.

But how can they cycle through all those IPs?
Note how they are all sequential.
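A small triage script for the pattern in this thread, added here as an example (it is not the poster's code and not part of cPanel or Exim): it parses reject-log lines of the shape shown in the first post, groups them by /24, and flags blocks where a tightly packed run of IPs each sends under its own fresh domain, which is the signature that justifies blocking the subnet rather than one domain at a time. The log lines, IPs and .icu names inside are constructed, and `snowshoe_blocks` uses thresholds I chose, not anything from the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the same Exim reject-log shape as the thread. Addresses use
# documentation ranges and the .icu names are made up; none of this is the poster's real log.
SAMPLE_LOG = """\
2020-02-19 21:48:46 H=(sample-a.icu) [198.51.100.145]:3182 F=<info@sample-a.icu> rejected RCPT <user@example.com>: Sender domain is banned
2020-02-19 22:20:28 H=(sample-b.icu) [198.51.100.146]:57097 F=<info@sample-b.icu> rejected RCPT <user@example.com>: Sender domain is banned
2020-02-19 22:51:39 H=(sample-c.icu) [198.51.100.147]:21410 F=<info@sample-c.icu> rejected RCPT <user@example.com>: Sender domain is banned
2020-02-19 23:29:50 H=(sample-d.icu) [198.51.100.149]:35639 F=<info@sample-d.icu> rejected RCPT <user@example.com>: Sender domain is banned
2020-02-20 12:27:32 H=(sample-e.icu) [203.0.113.131]:24724 F=<info@sample-e.icu> rejected RCPT <user@example.com>: Sender domain is banned
2020-02-20 16:14:52 H=(sample-e.icu) [203.0.113.131]:43946 F=<info@sample-e.icu> rejected RCPT <user@example.com>: Sender domain is banned
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=\((?P<helo>[^)]*)\) \[(?P<ip>[\d.]+)\]:\d+ "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())  # None for any other Exim log event
    return m.groupdict() if m else None

def summarize_by_block(log_text, prefix=24):
    """Group rejections by /prefix and count hits, distinct IPs and HELO domains."""
    groups = defaultdict(lambda: {"hits": 0, "ips": set(), "domains": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        net = str(ip_network(f"{rec['ip']}/{prefix}", strict=False))
        groups[net]["hits"] += 1
        groups[net]["ips"].add(rec["ip"])
        groups[net]["domains"].add(rec["helo"].lower())
    summary = {}
    for net, g in groups.items():
        hosts = sorted(int(ip_address(ip)) for ip in g["ips"])
        summary[net] = {"hits": g["hits"], "distinct_ips": len(hosts),
                        "distinct_domains": len(g["domains"]),
                        "span": hosts[-1] - hosts[0] + 1}  # width of the range actually seen
    return summary

def snowshoe_blocks(summary, min_ips=3):
    """Blocks where a run of neighbouring IPs each sends under its own throwaway domain."""
    return sorted(net for net, s in summary.items()
                  if s["distinct_ips"] >= min_ips
                  and s["distinct_domains"] >= s["distinct_ips"]
                  and s["span"] <= 2 * s["distinct_ips"])  # tightly packed, i.e. sequential
```

Run it over `/var/log/exim_rejectlog` instead of `SAMPLE_LOG` to get the list of /24s worth a firewall rule; a block with one IP and one domain, like the second group in the sample, is left alone.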