Source of spoofed email forging From: @atsoho.com domain. Observed via aggregated DMARC RUA reports.
Between 2026-05-13 and 2026-05-17, this IP and 250+ neighbors in 193.239.154.0/24 (AS136038 HDTIDC LIMITED / AS136526 ALLCLOUD LIMITED) sent over 11,000 spoofed emails forging the From header as our domain "atsoho.com".
All messages fail SPF and DKIM authentication against atsoho.com (DMARC enforced: p=quarantine). Legitimate atsoho.com mail is sent exclusively from Google Workspace, SocketLabs, and XServer.
Reporting receivers (sample): Mail.Ru, Microsoft (Enterprise Outlook), seznam.cz, JCOM, au.com, Yahoo, GMO Pepabo, GMO Internet.
WHOIS abuse-mailbox ([email protected]) is non-functional (550 5.1.1 rejection). APNIC and RIPE NCC have been notified of the invalid abuse contact.
Dec 13 16:27:57 hq postfix/smtpd[1186284]: NOQUEUE: reject: RCPT from unknown[193.239.154.87]: 554 5.7.1 Client host 193.239.154.87 blocked using ZEN - see https://www.spamhaus.org/query/ip/193.239.154.87 for details; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<C202512121978139.local>
...
Dec 8 02:43:18 server postfix/smtpd[3204613]: connect from unknown[193.239.154.87]
Dec 8 02:43:19 server postfix/smtpd[3204613]: NOQUEUE: reject: RCPT from unknown[193.239.154.87]: 554 5.7.1 Service unavailable; Client host [193.239.154.87] blocked using zen.spamhaus.org; Listed by DROP, see https://check.spamhaus.org/sbl/query/SBL520298 / Listed by CSS, see https://check.spamhaus.org/query/ip/193.239.154.87 / Listed by XBL, see https://check.spamhaus.org/query/ip/193.239.154.87 / Listed by SBL, see https://check.spamhaus.org/sbl/query/SBL520298; from=<> to=<[email protected]> proto=ESMTP helo=<C202512051889452.local>
...