Hello, welcome to the Tuesday, February 22nd, 22nd, 22nd, 22 edition of the Sands and at Storm

Center's Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Quick note today from Diddy about his honeypot, seeing a lot of email directed at a username, at, and then an IP address.

That's a common way to look for open mail relays.

Turns out it's not really used much, but it actually works and it's standard compliant to use

an IP address instead of a domain name in the email and the result will be that your mail server

will just connect to that IP address directly. Aside from making sure that you're not running

an open mail relay and luckily I don't actually see a ton of them out there these days at least

less than there used to be.

If you do have to validate email addresses,

make sure you don't allow an IP address as a host name.

It's often abused, but technically valid. So a lot of functions that just check if an email address is formatted correctly,

will accept this format.

And Trent Micro has an interesting blog post with details about an operation that they're calling

SMS phone verified account services.

What this is all about is it's yet another way how an attacker is able to monetize

access to a compromised Android phone. And this really only works in Android based on some of the

sandboxing done in iOS. So essentially the way this works is a phone is infected and then the phone

registers itself with the malicious SMS phone verified account service or a PVA service.

And that phone is now being made available as a temporary phone number that attackers are able to use

to, for example, register for services that require that you provide a valid phone number.

You may have seen this where you do register for, let's say, webmail service or something like this, but you do have to provide

...