The reported IP was identified as a BadBot, engaging in harmful activities such as unauthorized web scraping and data mining.

This IP belongs to Cigna.

We linked the IP to numerous attacks using RM adware, causing regular system interruptions.

The IP attempted to use the POP3 server to relay spam.

It was flagged initiating reflective (DRDoS) attacks, intending to exhaust our server resources.

This IP belongs to Amazon.

It launched a botnet to infiltrate our Apache-DDoS service.

It repeatedly tried to inject malicious script code into the system via appending it to an email body.

This particular IP tried to perform an unauthorized system configuration change.

This IP belongs to Fannie Mae.

This IP belongs to Cigna.

It pushed humongous quantities of spam emails through our server, aiming to congest our email services.

A large number of requests from a single user agent, suggesting an automated process.

It attempted to perform a Teardrop attack on the SSH server.

Participated in the notorious Water Torture attack to overload our DNS servers.

Dear Sirs, We have received the SPAM and fishing message bellow. Please undertake the necessary to stop such messages in the future. Thanks in advance, -- Angel Stanev Managing Director Armex Trade Ltd. 20, Y. Gagarin Str. 154A/ 68, 1113 Sofia, BULGARIA tel. +359-2-8730038, 9715030, 8708395, 8732964 fax. +359-2-8730323 e-mail:office@armextrade.com office.armextrade@gmail.com skype: armextrade Return-Path: <support@bandagemauricular.com> Delivered-To: office@armextrade.com Received: from armextrade.com [164.138.218.177] by Storage with POP3 (fetchmail-6.4.13) for <office@localhost> (single-drop); Mon, 30 Sep 2024 16:03:09 +0300 (EEST) Received: from neva.superhosting.bg by neva.superhosting.bg with LMTP id gIIYCIyh+mZZcQIApdfJQw (envelope-from <support@bandagemauricular.com>) for <office@armextrade.com>; Mon, 30 Sep 2024 16:03:08 +0300 Return-path: <support@bandagemauricular.com> Envelope-to: office@armextrade.com Delivery-date: Mon, 30 Sep 2024 16:03:08 +0300 Received: from aiolos.a2web4.srv.br ([187.108.198.140]:37358) by neva.superhosting.bg with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <support@bandagemauricular.com>) id 1svG3L-000nRr-1Y for office@armextrade.com; Mon, 30 Sep 2024 16:03:08 +0300 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bandagemauricular.com; s=default; h=Content-Transfer-Encoding:Content-Type: MIME-Version:Message-ID:Reply-To:From:Date:Subject:To:Sender:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=TKoZBQi8uzYIYMd8EBGDLaml6UgLE4KPgz80wL2IsDU=; b=Vf3NtJZGKIpdBNP/chSgFBnkKn +yiMPhYJS3nSHnUc5gaEJhbWXzd22/fhvXUsqIXnd8XEFVCXFVVjmiQA/4v/VusZShpKajEvXRKs9 SWQUMbg2OFz4JRT1sfX9DBKJgnnajcGIWGarTe9hhgy4dPwmCsjTqMBhiWFoLIrHs09fc+W8I7b uSI75LjHcBxpeAdOFvkfjb8w/JBtDgwSCV71DMR7ocUkxLMFVMLRLezCcoJso/qM7h8P/fR+AzIhP C+9v1v7El3o0iIjaqNj7mlGYWLsJ4qDemNUqqFUpi/Yjcv1vFPcqZYHoT++RpXBec3X9c1LwDMIz6 NeoyRBgw==; Received: from porta789 by aiolos.a2web4.srv.br with local (Exim 4.96.2) (envelope-from <support@bandagemauricular.com>) id 1svG3G-0001w9-1i for office@armextrade.com; Mon, 30 Sep 2024 10:02:58 -0300 To: office@armextrade.com Subject: Action Required: Confirm Your Continued Use of Roundcube Email X-PHP-Script: bandagemauricular.com/quota/index.php for 212.102.60.133 X-PHP-Originating-Script: 1006:index.php Date: Mon, 30 Sep 2024 13:02:58 +0000 From: Roundcube Email Security Notification Alert <support@bandagemauricular.com> Reply-To: roundcubeemailcontrolunit@roundcubeitunit.online Message-ID: <17410b0ca1bf26b46ac3704a1e2412c8@bandagemauricular.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_17410b0ca1bf26b46ac3704a1e2412c8" Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - aiolos.a2web4.srv.br X-AntiAbuse: Original Domain - armextrade.com X-AntiAbuse: Originator/Caller UID/GID - [1006 983] / [47 12] X-AntiAbuse: Sender Address Domain - bandagemauricular.com X-Get-Message-Sender-Via: aiolos.a2web4.srv.br: authenticated_id: porta789/from_h X-Authenticated-Sender: aiolos.a2web4.srv.br: support@bandagemauricular.com X-Source: X-Source-Args: /usr/sbin/httpd -k start X-Source-Dir: portaldaginasticalaboral.com.br:/public_html/bandagemauricular.com/quota X-Spam-Status: No, score=2.3 X-Spam-Score: 23 X-Spam-Bar: ++ X-Ham-Report: Spam detection software, running on the system "neva.superhosting.bg", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root@localhost for details. Content preview: Dear office,We hope this message finds you well.As part of our ongoing efforts to ensure that we provide the best possible email service, we are reaching out to confirm your continued interest in usin [...] Content analysis details: (2.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: roundcube.net] 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [187.108.198.140 listed in sa-accredit.habeas.com] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [187.108.198.140 listed in bl.score.senderscore.com] 0.0 T_SPF_PERMERROR SPF: test of record failed (permerror) 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 2.5 PHP_SCRIPT Sent by PHP script X-Spam-Flag: NO This is a multi-part message in MIME format.

This IP belongs to General Motors.

This malicious IP was reported for trying to inject malicious scripts into the VoIP server, potentially to disrupt its operation or steal data.

This IP belongs to Slack.

Multiple login attempts using common or easily guessable passwords (like 'password123', 'admin', etc.).

The IP made multiple requests with the same Proxy-Authorization header.

This IP was seen scanning for open ports and vulnerabilities, a common reconnaissance activity before launching attacks.

Repeated failed attempts to access application interfaces or ports that are typically not open to the public.

The IP address has been involved in distributing adware to our server systems.

This IP belongs to PepsiCo.