Educause Security Discussion mailing list archives

Re: Admissions application bot activity


From: Amanda Williams <akwilliams () PITTSTATE EDU>
Date: Tue, 22 Sep 2020 13:35:36 +0000

No problem, thanks for the update.



Amanda Williams

IT Security Officer

Pittsburg State University

620.235.4657



Simple. Safe. Smart. You are receiving this email because you are a Pittsburg State University student, employee, or 
other University community member. If you have questions or concerns regarding the validity of this email, please 
contact the individual or department that sent this email, ITSecurity () pittstate edu , or Gorilla Geeks at 
620-235-4600.

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Steven Saine 
<steven.saine () RCCC EDU>
Sent: Tuesday, September 22, 2020 7:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Admissions application bot activity


Hi Amanda,

Sorry not to respond yesterday.  We had an outage disrupting a large part of our region and email was intermittent.  
Yes, these domains are part of the email address.  The information I’m sharing came from other Colleges within our 
system.  Here are some more bad domains.

For instance, with chacuo.net you may see applications with email addresses like this:



[image: image001.png]

Steven B. Saine

Director of Information Security, Construction Management, and Audit

Rowan-Cabarrus Community College

1333 Jake Alexander Blvd.

Salisbury, NC 28146

Telephone:     (704) 216-3561

steven.saine () rccc edu

helpdesk () rccc edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Amanda Williams
Sent: Monday, September 21, 2020 5:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Admissions application bot activity



Hi Steven,



Do you know in what respect these domains are “identified”?  Meaning that the source IP address used by the “student” 
resolves to a DNS A (Address) Record in these domains?  They used these domains as the last part of an e-mail address 
while registering?  Any additional information would be great!



Thank you,



Amanda Williams

IT Security Officer

Pittsburg State University

620.235.4657








________________________________

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Steven Saine 
<steven.saine () RCCC EDU>
Sent: Monday, September 21, 2020 6:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Admissions application bot activity



Here is some information regarding fake applications that has been shared with us previously.  Not sure if it will help 
or not.  It was noticed fake applications were coming from these domains.



The ‘bad’ domains identified are:

• armyspy(dot)ga
• rhyta(dot)cf
• teleworm(dot)tk
• jourrapide(dot)gq
• dayrepa(dot)ml



Common conditions identified from the bad applications are:

• They're all allegedly new students, not matching with any existing Colleague records.
• They all list dates of birth in the year 1999, either 20 or 21 years old.
• They're all listed as male.
• They're all listed as residing in a state other than North Carolina.
• They're all listed as unemployed (not seeking).
• They all list personal enrichment as their educational goals.
• They all have the race and ethnicity left unlisted.
• Most tellingly, each of these fake applications lists a residency certification number (RCN) that 
either belongs to someone else entirely or isn't a real RCN, but it's always listed as a ten-digit number beginning 
with "1100" as if it was a real RCN.





Steven B. Saine

Director of Information Security, Construction Management, and Audit

Rowan-Cabarrus Community College

1333 Jake Alexander Blvd.

Salisbury, NC 28146

Telephone:     (704) 216-3561

steven.saine () rccc edu

helpdesk () rccc edu
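
The conditions listed in the message above can be turned into a triage rule for incoming applications. The following is an added example, not code from any poster in this thread: field names, the threshold, the placeholder domain and the sample records are assumptions or constructed values, and the blocked-domain and issued-RCN sets would be loaded from your own sources.

```python
import re

# Constructed placeholders; load the real lists from your own sources.
BLOCKED_DOMAINS = {"throwaway.example"}
ISSUED_RCNS = {"1100123456": "Jordan Avery"}   # RCN -> name it was issued to
RCN_SHAPE = re.compile(r"1100\d{6}")           # ten digits beginning "1100"

def indicators(app, home_state="NC"):
    """Return the names of the thread's indicators that this application matches."""
    hits = []
    domain = app["email"].rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # Match a blocked domain itself or any subdomain of it.
    if any(domain == d or domain.endswith("." + d) for d in BLOCKED_DOMAINS):
        hits.append("email_domain")
    if not app.get("existing_record"):
        hits.append("no_existing_record")
    if app.get("dob", "").startswith("1999"):
        hits.append("dob_1999")
    if app.get("gender") == "M":
        hits.append("gender_male")
    if app.get("state") != home_state:
        hits.append("out_of_state")
    if app.get("employment") == "unemployed_not_seeking":
        hits.append("unemployed_not_seeking")
    if app.get("goal") == "personal_enrichment":
        hits.append("goal_personal_enrichment")
    if not app.get("race") and not app.get("ethnicity"):
        hits.append("race_ethnicity_blank")
    rcn = app.get("rcn", "")
    # RCN has the expected shape but is unissued or issued to someone else.
    if RCN_SHAPE.fullmatch(rcn) and ISSUED_RCNS.get(rcn) != app.get("name"):
        hits.append("rcn_mismatch")
    return hits

def needs_review(app, threshold=5):
    """Hold for manual review on an RCN mismatch, or on many weak indicators together."""
    hits = indicators(app)
    return "rcn_mismatch" in hits or len(hits) >= threshold

# Constructed sample records.
SUSPECT = {"name": "Alex Doe", "email": "a1b2c3@mail.throwaway.example",
           "dob": "1999-04-02", "gender": "M", "state": "TX",
           "employment": "unemployed_not_seeking",
           "goal": "personal_enrichment", "rcn": "1100999999"}
GENUINE = {"name": "Jordan Avery", "email": "javery@college.example",
           "dob": "1999-08-15", "gender": "M", "state": "NC",
           "employment": "part_time", "goal": "degree",
           "race": "declined", "rcn": "1100123456"}
```

Most of the conditions also match real applicants on their own (the constructed genuine record matches three), so the rule only holds an application when the RCN check fails or several conditions coincide.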



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Czarapata, Paul (KCTCS)
Sent: Friday, September 18, 2020 5:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Admissions application bot activity



Dear colleagues,



Sorry for the cross-post, but we have a bit of a situation here at KCTCS.  We have been getting tens of thousands of 
fake admissions applications over the past 6 weeks.  We have re-captcha implemented and they are still getting through, 
but at such a pace there is no way a human can be doing it.  The network team is watching the IP addresses and 
blocking, but then they just pop up from somewhere else.  Our student team is working on a pin code process, but that's 
not ready yet.  We don't have an admissions application fee either, or that would likely stop them.  I was just curious 
if anyone else had seen this happening and if you have stopped it, what you did?



Thank you in advance - PC



______________________________________________________________________

Paul Czarapata, Ed.D.

Vice President/Chief Information Officer

Kentucky Community & Technical College System

300 North Main Street

Versailles, KY 40383

O: 859/256-3248



Your success equals our success.



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be 
disclosed to third parties by an authorized state official. (NCGS.Ch.132)


