Oddly specific botnet

Whoever once had the address "mim@mcom.com" has a vast and extremely enthusiastic botnet trying to crack their password on mcom.com's (nonexistent) IMAP server, from 20,000+ unique IPs in the last 30 days.

Never give up hope, it might work some day!

Though I am impressed by the IP space they control, I guess.
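The distinguishing feature of what's hitting mcom.com is not volume per source but breadth: each of the 20,000+ addresses makes only a handful of attempts, which is exactly the shape that per-IP blocking (fail2ban and friends) never notices. The following is an added example, not code from this post: it takes Dovecot-style `imap-login` auth-failure lines (the log format is assumed; the sample lines and RFC 5737 addresses are constructed) and flags accounts that are being probed from many distinct sources with few attempts each, rather than by one noisy source.

```python
import re
from collections import defaultdict

# Dovecot-style imap-login failure line. The format is assumed for this
# example; the fields of interest are the attempt count, the target user
# and the remote IP (rip=).
LOG_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample: one account probed once each from four addresses,
# another account probed repeatedly from a single address.
SAMPLE_LOG = """\
Jan 10 03:12:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mim@mcom.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.9, TLS
Jan 10 03:12:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<mim@mcom.com>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.9, TLS
Jan 10 03:12:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mim@mcom.com>, method=PLAIN, rip=198.51.100.200, lip=198.51.100.9, TLS
Jan 10 03:12:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<mim@mcom.com>, method=PLAIN, rip=192.0.2.33, lip=198.51.100.9, TLS
Jan 10 03:13:02 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.9, TLS
Jan 10 03:14:40 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.9, TLS
Jan 10 03:15:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mim@mcom.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.9, TLS
"""


def summarize_failures(log_text):
    """Per target user: (total failed attempts, set of distinct source IPs)."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an auth-failure line we understand
        user = m.group("user")
        attempts[user] += int(m.group("attempts"))
        sources[user].add(m.group("rip"))
    return {u: (attempts[u], sources[u]) for u in attempts}


def distributed_targets(log_text, min_sources=3, max_attempts_per_source=2.0):
    """Accounts hit from at least min_sources distinct IPs with a low mean
    attempts-per-IP: the distributed, low-and-slow pattern that per-source
    rate limiting does not catch. Returns {user: distinct_source_count}."""
    flagged = {}
    for user, (total, ips) in summarize_failures(log_text).items():
        if len(ips) >= min_sources and total / len(ips) <= max_attempts_per_source:
            flagged[user] = len(ips)
    return flagged


if __name__ == "__main__":
    for user, n in distributed_targets(SAMPLE_LOG).items():
        print(f"{user}: probed from {n} distinct sources")
```

On a real mail host the thresholds would be tuned against a 30-day window rather than a few lines, and the useful response is per-account (alerting, or a honeypot as the first comment below suggests) rather than per-IP, since blocking any one of the sources changes nothing.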



9 Responses:

  1. Zygo says:

    That's some long-game thinking there...

    "The statistical likelihood is that other civilisations will arise. There will one day be an IMAP server at mcom.com. Until then, there will be a short delay."

    My inner grumpy sysadmin wants a honeypot set up so we can find out what the botnet will do if it ever remembers what its password was.

  2. Ben says:

    You're not a little tempted to set up an account to receive mail at that address so that you can get the crypto wallet password reset email that they're trying to steal?

  3. dzm says:

    The email addy seems to be the PoC for several domain records. I wonder if the bot has no real interest in that address other than in the respect that they're trying to hijack some derelict domains.

    • jwz says:

      What domains?

      • dzm says:

        Superficial searching tells me these two:


        There may be others out there too.

        • March says:

          Out of curiosity, I had a further look into this. We've also got things like ayaresabea.com etc. There's 11 domains that are using it, none of which are particularly meaningful. But interestingly, they've all been registered in the last 3 years!
          There's a commonality, though: a lot of the domains have been registered by variations of the name "Kofi Manny Ofosu". Now, if you go and have a look at LinkedIn, there does so happen to be a guy with a company called "mimdigital" in Ghana, which is like an SEO/web development thing. One wonders if he's accidentally registered some domains with an email it turns out he no longer controls.

  4. asan102 says:

    At the time of your last update on mcom.com it seemed AOathL-hoo was still hosting customer webmail at this domain, I guess that's no longer the case? Or was that bad information?

    • jwz says:

      I am hosting home.mcom.com and mosaic.mcom.com. They still have control of mcom.com and www.mcom.com. I have no idea what they are doing with those.
