SPF? DKIM? spammers can do them too

	To put it short, for about a month, I see a new kind of spam
	coming to (strangely) just one of my (many) mailboxes.  This one
	has DKIM-Signature: (and DomainKey-Signature:) headers in place,
	comes from domains with SPF and MX DNS records properly set up,
	and, overall, apart from its "unsolicited nature," looks just
	like legitimate email.  (IPs and MAIL FROM: data shown below.)

	There're some characteristics common to all these messages,
	however, hinting at possible "common origin" (be it person,
	organization, or specific software used.)  For instance:

	* all the Message-ID: headers follow the same [0-9A-F]{32}@HOST
	  pattern;

	* the domains are all under the "ru" ccTLD, and all registered
	  via NETHOUSE-RU; also, most were created February or March
	  this year, but some (r-vl.ru, sarvtb.ru, sm-1.ru,
	  taxi-five.ru) are just a few days old, created on 2016-10-01;

	* all the IPs the messages come from belong to MAROSNET.

	I've sent a letter last week reporting the issue to abuse at
	marosnet dot ru (per the Whois data), but yet to see any
	response.

	Meanwhile, I've configured the firewall to drop any traffic from
	the addresses in question (but also log incoming TCP "SYN"
	connection attempt packets.)

	For those interested, the IPs and MAIL FROM: data is as follows
	(per ISO week.)

$ gawk '! /\sid=[0-9A-Z]{32}@/ { next; }  # skip lines without a 32-character message id
        {
            # ISO year and week of the line timestamp (e.g. 2016W40), via date(1)
            cmd = "date +%GW%V --date=" $1 "T" $2;
            cmd | getline key;
            close(cmd);   # release the pipe: every line spawns a fresh date(1)
            save[key] = save[key] "\t" $5 " " $7 "\n";   # envelope sender and [IP]
        }
        END {
            PROCINFO["sorted_in"] = "@ind_str_desc";   # newest week first
            for (key in save) { print key "\t" save[key]; }
        }'  /var/log/exim... 
2016W40	nzbhuf@sarvtb.ru [185.58.205.96]
	hlkkn@proteus-spb.ru [194.67.208.8]
	rerxboy@kaminfo.ru [193.124.176.209]
	jaqxujp@r-vl.ru [185.58.206.163]
	njlcyy@sab-moskau.ru [193.124.190.134]
	feud@taxi-five.ru [185.58.206.232]

2016W39	bcswvsv@network-asp.ru [194.67.208.143]
	yyl@sinex-real.ru [194.67.208.219]
	sstyqp@network-asp.ru [194.67.208.143]
	yqe@karaaltyn.ru [194.67.210.159]
	qbinq@cameraforme.ru [185.87.48.186]
	maq@lagorta.ru [193.124.191.224]
	szzliot@sinex-real.ru [194.67.208.219]
	iuqdjn@intra-m.ru [94.142.141.60]
	jkety@eureka-service.ru [193.124.186.253]
	vvpxww@karaaltyn.ru [194.67.210.159]
	gylay@sirius-87.ru [194.67.208.224]
	lhhg@eureka-service.ru [193.124.186.253]
	rgi@sinex-real.ru [194.67.208.219]
	qhtlw@karaaltyn.ru [194.67.210.159]
	uavvf@cameraforme.ru [185.87.48.186]
	bue@network-asp.ru [194.67.208.143]
	jmpdlx@lambdafsu.ru [193.124.189.172]
	tgan@biomedex.ru [193.124.189.192]
	zxxemip@kaminfo.ru [193.124.176.209]
	mnvi@lambdafsu.ru [193.124.189.172]
	lcsktjt@sab-moskau.ru [193.124.190.134]
	swsxv@securityprint.ru [185.5.248.60]
	vbqd@sm-1.ru [185.58.206.76]
	kxrjc@ghtersale.ru [194.67.208.7]

2016W38	pvtll@mtvigroup.ru [194.67.208.216]
	cpdve@php-art.ru [194.67.209.151]
	lhona@sirius-87.ru [194.67.208.224]
	hqphzjp@lagorta.ru [193.124.191.224]
	mewmb@cristallgrad.ru [185.87.48.131]
	dxb@php-art.ru [194.67.209.151]
	zadh@lagorta.ru [193.124.191.224]

2016W37	bct@butovo-net.ru [194.67.210.18]
	tjlwhlp@carveryachts.ru [85.93.145.29]
	orgf@butovo-net.ru [194.67.210.18]
	luaj@olympus-team.ru [194.67.209.7]
	fagvf@polexpack.ru [194.67.208.220]
	cxjqyrw@polexpack.ru [194.67.208.220]
	uyhtz@siae.ru [194.67.209.56]
	mlfpawb@delst.ru [194.67.208.249]
	jgt@php-art.ru [194.67.209.151]
	fakeb@instaltek.ru [194.67.208.232]

2016W36	vziykt@tyumfair.ru [194.67.208.60]
	rvn@fordlimo.ru [194.67.208.50]
	kqeoin@r-c-g.ru [194.67.208.101]
	vkf@e-dvd.ru [194.67.210.222]
	mwodhs@lk-prom.ru [194.67.211.17]
	otpqos@avtobogatir.ru [194.67.210.2]

-- 
FSF associate member #7257  58F8 0F47 53F5 2EB2 F6A5  8916 3013 B6A0 230E 334A

Ivan
10/4/2016 4:12:21 PM
comp.mail.misc
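A Python equivalent of the aggregation the gawk one-liner above performs, added here as an example (it is not Ivan's code): it keeps the Exim "<=" lines whose id= is a 32-hex-digit string, groups envelope sender and source IP by ISO week, newest first, and adds a per-source-IP count the one-liner does not print. The log lines are constructed for the example, not taken from Ivan's logs; the Exim line layout (date, time, queue id, "<=", sender, H=host [ip], ... id=) is the one the original script's field numbers rely on.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed Exim main-log lines for the example (not from the original
# post): timestamps, addresses, IPs and message ids are made up but follow
# the layout the gawk one-liner keys on.  Only "<=" (message received)
# lines carrying a 32-hex-digit "id=" are of interest.
SAMPLE_LOG = """\
2016-10-03 08:12:45 1bqZzz-0004Ab-Cd <= nzbhuf@sarvtb.ru H=(sarvtb.ru) [185.58.205.96] P=esmtp S=2345 id=0123456789ABCDEF0123456789ABCDEF@sarvtb.ru
2016-10-03 09:01:02 1bqZzz-0004Ac-Ef <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=1200 id=20161003.1234@mail.example.org
2016-09-30 23:59:59 1bqZzz-0004Ad-Gh <= maq@lagorta.ru H=(lagorta.ru) [193.124.191.224] P=esmtp S=2222 id=FEDCBA9876543210FEDCBA9876543210@lagorta.ru
2016-10-02 12:00:00 1bqZzz-0004Ae-Ij => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2016-09-26 00:00:01 1bqZzz-0004Af-Kl <= yyl@sinex-real.ru H=(sinex-real.ru) [194.67.208.219] P=esmtp S=2100 id=00000000000000000000000000000000@sinex-real.ru
"""

# Exim "<=" line: date, time, queue id, "<=", envelope sender, H=host [ip] ...
# The id= filter uses the [0-9A-F]{32} pattern Ivan describes for the
# Message-ID of these messages (the gawk version accepts [0-9A-Z]).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ <= "
    r"(?P<sender>\S+) H=\S+(?: \(\S+\))? \[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".* id=(?P<msgid>[0-9A-F]{32})@"
)


def iso_week(day: str) -> str:
    """'2016-10-03' -> '2016W40' (ISO year and week, like date +%GW%V)."""
    year, week, _ = date.fromisoformat(day).isocalendar()
    return f"{year}W{week:02d}"


def parse_received(log_text: str):
    """Yield (iso_week, sender, ip) for every matching '<=' line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield iso_week(m["date"]), m["sender"], m["ip"]


def group_by_week(log_text: str) -> dict:
    """Newest week first, as PROCINFO['sorted_in'] = '@ind_str_desc' does."""
    weeks = defaultdict(list)
    for week, sender, ip in parse_received(log_text):
        weeks[week].append((sender, ip))
    return dict(sorted(weeks.items(), reverse=True))


def messages_per_ip(log_text: str) -> Counter:
    """Extra view the one-liner does not print: hits per source IP."""
    return Counter(ip for _, _, ip in parse_received(log_text))


def report(log_text: str) -> str:
    """Render the same week/sender/[IP] layout the post shows."""
    lines = []
    for week, entries in group_by_week(log_text).items():
        lines.append(week)
        lines.extend(f"\t{sender} [{ip}]" for sender, ip in entries)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Lines that are not "<=" records (the "=>" delivery line) or whose id= does not match the 32-hex-digit pattern (the ordinary example.org message) are dropped, so the per-IP counter only reflects the suspect traffic.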

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ news.admin.net-abuse.email added to cross-post                      ]
[ alt.spam stripped as group only sees spam, spam, spam and more spam ]
[ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie)  ]
[ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz>    ]
[ posted and mailed                                                   ]

On Tuesday, 04 October 2016 16:12 -0000, 
 in article <87vax8xfdm.fsf@violet.siamics.net>, 
 Ivan Shmakov <ivan@siamics.net> wrote:

>   To put it short, for about a month, I see a new kind of spam
>   coming to (strangely) just one of my (many) mailboxes.  This one
>   has DKIM-Signature: (and DomainKey-Signature:) headers in place,
>   comes from domains with SPF and MX DNS records properly set up,
>   and, overall, apart from its "unsolicited nature," looks just
>   like legitimate email.  (IPs and MAIL FROM: data shown below.)

Neither SPF nor DKIM say anything about whether mail is unsolicited
and bulk.  These are forgery abatement measures.  The only thing
which might be determined from SPF and DKIM is whether or not mail
originated via a sender-allowed host; nothing more, nothing less.

>   There're some characteristics common to all these messages,
>   however, hinting at possible "common origin" (be it person,
>   organization, or specific software used.)  For instance:
> 
>   * all the Message-ID: headers follow the same [0-9A-F]{32}@HOST
>     pattern;
> 
>   * the domains are all under the "ru" ccTLD, and all registered
>     via NETHOUSE-RU; also, most were created February or March
>     this year, but some (r-vl.ru, sarvtb.ru, sm-1.ru,
>     taxi-five.ru) are just a few days old, created on 2016-10-01;
> 
>   * all the IPs the messages come from belong to MAROSNET.
> 
>   I've sent a letter last week reporting the issue to abuse at
>   marosnet dot ru (per the Whois data), but yet to see any
>   response.
> 
>   Meanwhile, I've configured the firewall to drop any traffic from
>   the addresses in question (but also log incoming TCP "SYN"
>   connection attempt packets.)
> 
>   For those interested, the IPs and MAIL FROM: data is as follows
>   (per ISO week.)
> 
> $ gawk '! /\sid=[0-9A-Z]{32}@/ { next; }
>         1 {
>             "date +%GW%V --date=" $1 "T" $2 | getline key;
>             save[key] = save[key] "\t" $5 " " $7 "\n";
>         }
>         END {
>             PROCINFO["sorted_in"] = "@ind_str_desc";
>             for (key in save) { print key "\t" save[key]; }
>         }'  /var/log/exim... 
> 
> 2016W40   nzbhuf@sarvtb.ru [185.58.205.96]
>   hlkkn@proteus-spb.ru [194.67.208.8]
>   rerxboy@kaminfo.ru [193.124.176.209]
>   jaqxujp@r-vl.ru [185.58.206.163]
>   njlcyy@sab-moskau.ru [193.124.190.134]
>   feud@taxi-five.ru [185.58.206.232]
> 
> 2016W39   bcswvsv@network-asp.ru [194.67.208.143]
>   yyl@sinex-real.ru [194.67.208.219]
>   sstyqp@network-asp.ru [194.67.208.143]
>   yqe@karaaltyn.ru [194.67.210.159]
>   qbinq@cameraforme.ru [185.87.48.186]
>   maq@lagorta.ru [193.124.191.224]
>   szzliot@sinex-real.ru [194.67.208.219]
>   iuqdjn@intra-m.ru [94.142.141.60]
>   jkety@eureka-service.ru [193.124.186.253]
>   vvpxww@karaaltyn.ru [194.67.210.159]
>   gylay@sirius-87.ru [194.67.208.224]
>   lhhg@eureka-service.ru [193.124.186.253]
>   rgi@sinex-real.ru [194.67.208.219]
>   qhtlw@karaaltyn.ru [194.67.210.159]
>   uavvf@cameraforme.ru [185.87.48.186]
>   bue@network-asp.ru [194.67.208.143]
>   jmpdlx@lambdafsu.ru [193.124.189.172]
>   tgan@biomedex.ru [193.124.189.192]
>   zxxemip@kaminfo.ru [193.124.176.209]
>   mnvi@lambdafsu.ru [193.124.189.172]
>   lcsktjt@sab-moskau.ru [193.124.190.134]
>   swsxv@securityprint.ru [185.5.248.60]
>   vbqd@sm-1.ru [185.58.206.76]
>   kxrjc@ghtersale.ru [194.67.208.7]
> 
> 2016W38   pvtll@mtvigroup.ru [194.67.208.216]
>   cpdve@php-art.ru [194.67.209.151]
>   lhona@sirius-87.ru [194.67.208.224]
>   hqphzjp@lagorta.ru [193.124.191.224]
>   mewmb@cristallgrad.ru [185.87.48.131]
>   dxb@php-art.ru [194.67.209.151]
>   zadh@lagorta.ru [193.124.191.224]
> 
> 2016W37   bct@butovo-net.ru [194.67.210.18]
>   tjlwhlp@carveryachts.ru [85.93.145.29]
>   orgf@butovo-net.ru [194.67.210.18]
>   luaj@olympus-team.ru [194.67.209.7]
>   fagvf@polexpack.ru [194.67.208.220]
>   cxjqyrw@polexpack.ru [194.67.208.220]
>   uyhtz@siae.ru [194.67.209.56]
>   mlfpawb@delst.ru [194.67.208.249]
>   jgt@php-art.ru [194.67.209.151]
>   fakeb@instaltek.ru [194.67.208.232]
> 
> 2016W36   vziykt@tyumfair.ru [194.67.208.60]
>   rvn@fordlimo.ru [194.67.208.50]
>   kqeoin@r-c-g.ru [194.67.208.101]
>   vkf@e-dvd.ru [194.67.210.222]
>   mwodhs@lk-prom.ru [194.67.211.17]
>   otpqos@avtobogatir.ru [194.67.210.2]

Of those hosts I checked, which still resolve, most are listed by the
psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
smattering of SBLCSS (snowshoe) and Spamcop listings.  All indicate
the IP addresses you list are spam sources, where SPF and DKIM say
that the sending domain is authorized to send via these spammer
controlled, dirty IP addresses.

- -- 
David Ritz <dritz@mindspring.com>
 Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlf1mtwACgkQUrwpmRoS3uuG1gCghmkOMFAsvgbZkboHB/787EVN
zI0AoMjLXCG7JjBq/+TS0WOTr8Zy2v2p
=8wK6
-----END PGP SIGNATURE-----
David
10/6/2016 12:29:15 AM
>>>>> David Ritz <dritz@mindspring.com> writes:
>>>>> Ivan Shmakov <ivan@siamics.net> wrote:

	[Be warned of a few off-topic bits below.]

 > [ news.admin.net-abuse.email added to cross-post ]
 > [ alt.spam stripped as group only sees spam, spam, spam and more spam ]

	While I understand the evil of sending spam to a high S/N ratio
	group, the above seems to suggest there's something wrong with
	doing it the other way around.  Which is especially strange
	given that (a) n.a.n.email's own S/N doesn't seem all that high,
	and (b) alt.spam occasionally sees a legitimate message, too
	(say, news:o2avsbphgb19dna8fv03b9r79i3dh6qace@4ax.com.)

	(... And also (c) apparently, Aioe blocks crossposts to n.a.n.e;
	presumably due to ongoing abuse?)

 > [ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie) ]
 > [ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz> ]

	FTP is pretty much obsolete.  For one thing, requiring two
	TCP connections per "session" means trouble passing them through
	Tor, NAT, SOCKS, etc.  And having three separate transfer modes
	(at the least) doesn't help interoperability, either.

	That said, the same resource is available via HTTP, too:

    http://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz

 > [ posted and mailed ]

	Why?

 >> To put it short, for about a month, I see a new kind of spam coming
 >> to (strangely) just one of my (many) mailboxes.  This one has
 >> DKIM-Signature: (and DomainKey-Signature:) headers in place, comes
 >> from domains with SPF and MX DNS records properly set up, and,
 >> overall, apart from its "unsolicited nature," looks just like
 >> legitimate email.  (IPs and MAIL FROM: data shown below.)

 > Neither SPF nor DKIM say anything about whether mail is unsolicited
 > and bulk.  These are forgery abatement measures.  The only thing
 > which might be determined from SPF and DKIM is whether or not mail
 > originated via a sender allowed host; nothing more, nothing less.

	Yes.  Still, both somehow get advertised as "counter-spam"
	measures.

	Not that they fail to work that way: my logs have some
	occurrences of the SPF check yielding a "negative" result, thus
	allowing me to reject the incoming message outright.  Looks like
	a must for the DNS domains not meant to be used for email at all.

	That said, being able to confirm that the message indeed comes
	from a genuine spam-only domain doesn't seem all that helpful.

[...]

 > Of those hosts I checked, which still resolve, most are listed by the
 > psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
 > smattering of SBLCSS (snowshoe) and Spamcop listings.  All indicate
 > the IP addresses you list are spam sources,

	ACK, thanks for the pointers.

 > where SPF and DKIM say that the sending domain is authorized to send
 > via these spammer controlled, dirty IP addresses.

	... For those interested, here's an update for this week.

2016W40	nzbhuf@sarvtb.ru [185.58.205.96]
	hlkkn@proteus-spb.ru [194.67.208.8]
	rerxboy@kaminfo.ru [193.124.176.209]
	jaqxujp@r-vl.ru [185.58.206.163]
	njlcyy@sab-moskau.ru [193.124.190.134]
	feud@taxi-five.ru [185.58.206.232]
	pslvslw@uralgsm.ru [185.117.155.168]
	yukl@nordmor.ru [193.124.181.229]
	rgmcmxo@whdent.ru [193.124.184.229]
	itely@whdent.ru [193.124.184.229]
	vdnu@02info.ru [185.87.49.127]
	mnweeg@agcher.ru [193.124.183.150]
	wdoet@fanabe.ru [193.124.181.9]

	FWIW, I hope that whatever software they use to distribute spam
	is /not/ parallelized.  That way, the failure of my MTA to
	produce any TCP response whatsoever (thanks to the plain -j DROP
	in the iptables' INPUT chain) would result in at least some 30 s
	delay (that is: their TCP connection timeout) before the next
	address in the list is tried.

-- 
FSF associate member #7257  58F8 0F47 53F5 2EB2 F6A5  8916 3013 B6A0 230E 334A
Ivan
10/7/2016 4:55:09 PM
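To make concrete what the SPF "negative" result discussed above actually establishes, here is a minimal SPF evaluator added as an example (it is not from the thread and not any MTA's implementation): it handles the ip4, ip6, include and all terms of RFC 7208 against a constructed table of TXT records standing in for DNS. The records for sarvtb.ru and the example names are invented for the example; sarvtb.ru is used only to mirror the thread's point that a domain the spammer registered can list the spammer's own sending IP, so SPF passes. A domain that never sends mail publishes "v=spf1 -all", and mail claiming it is rejected.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (assumption: none of
# these are the real records of the domains named).
FAKE_TXT = {
    "sarvtb.ru": "v=spf1 ip4:185.58.205.96 -all",           # spammer lists own IP
    "nomail.example": "v=spf1 -all",                          # domain never sends mail
    "corp.example": "v=spf1 include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, txt=FAKE_TXT, depth: int = 0) -> str:
    """Evaluate the ip4, ip6, include and all terms of an SPF record.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Mechanisms needing further DNS (a, mx, ptr, exists) and the redirect=
    modifier are not implemented here and raise NotImplementedError.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address is a permanent error
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the included record yields "pass"
            if check_spf(arg, client_ip, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"SPF term not handled here: {term}")
    return "neutral"                    # no term matched and no "all": default


def smtp_action(result: str) -> str:
    """Policy described in the post: a hard SPF fail is rejected at SMTP time;
    every other result is accepted and left to later filtering."""
    return "reject" if result == "fail" else "accept"
```

The first case is the one the thread is about: check_spf("sarvtb.ru", "185.58.205.96") returns "pass" because the domain's owner chose the IP, and the MTA learns nothing beyond that. The second case is the useful one: "v=spf1 -all" on a domain that never sends mail turns every forgery in its name into a hard fail.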
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, 07 October 2016 16:55 -0000, 
 in article <87twco6qvm.fsf@violet.siamics.net>, 
 Ivan Shmakov <ivan@siamics.net> wrote:

>> David Ritz <dritz@mindspring.com> writes:

>>> Ivan Shmakov <ivan@siamics.net> wrote:

>   [Be warned of a few off-topic bits below.]

>> [ news.admin.net-abuse.email added to cross-post ]
>> [ alt.spam stripped as group only sees spam, spam, spam and more spam ]

>   While I understand the evil of sending spam to a high S/N ratio 
>   group, the above seems to suggest there's something wrong with 
>   doing it the other way around.  Which is especially strange given 
>   that (a) n.a.n.email's own S/N doesn't seem all that high, and (b) 
>   alt.spam occasionally sees a legitimate message, too (say, 
>   news:o2avsbphgb19dna8fv03b9r79i3dh6qace@4ax.com.)

See <news:alpine.OSX.2.20.1609071541261.17513@mako.ath.cx>
(<http://al.howardknight.net/msgid.cgi?ID=147588564000>).

Per my recollection, that makes two (2) legitimate posts to alt.spam, 
within the past four to five years.

>   (... And also (c) apparently, Aioe blocks crossposts to n.a.n.e;
>   presumably due to ongoing abuse?)

Paolo has his hands full, in running an open NNTP server, while 
attempting to minimize actual net-abuse.  Disallowing cross-posts to 
certain groups is one option to which he may turn.

>> [ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie) ]
>> [ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz> ]

>   FTP is pretty much obsolete.  For one thing, requiring two
>   TCP connections per "session" means trouble passing them through
>   Tor, NAT, SOCKS, etc.  And having three separate transfer modes
>   (at the least) doesn't help interoperability, either.

>   That said, the same resource is available via HTTP, too:

>     http://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz

Thanks, I've updated lynx_bookmarks.html accordingly.

>> [ posted and mailed ]

>   Why?

You're the one posting to (d) a bogus newsgroup 
(alt.spam.sightings[*]), which has seen a total of eighty two (82) 
posts, since it was created with a bogus cmsg message, from an 
habitual network abuser, nearly eight (8) years ago; (e) alt.spam, a 
newsgroup in which posters use Usenet as a write only medium, in which 
one is lucky to find anything even close to topical more than once a 
decade; and (f) comp.mail.misc, which is a group with so little 
traffic, I wanted to make sure you at least saw my response.  Within 
the past year or so, most posts to comp.mail.misc are Italian mission 
spam.

>>> To put it short, for about a month, I see a new kind of spam 
>>> coming to (strangely) just one of my (many) mailboxes.  This one 
>>> has DKIM-Signature: (and DomainKey-Signature:) headers in place, 
>>> comes from domains with SPF and MX DNS records properly set up, 
>>> and, overall, apart from its "unsolicited nature," looks just like 
>>> legitimate email.  (IPs and MAIL FROM: data shown below.)

>> Neither SPF nor DKIM say anything about whether mail is unsolicited 
>> and bulk.  These are forgery abatement measures.  The only thing 
>> which might be determined from SPF and DKIM is whether or not mail 
>> originated via a sender allowed host; nothing more, nothing less.

>   Yes.  Still, both somehow get advertised as "counter-spam" 
>   measures.

To the best of my knowledge, both SPF and DKIM counter spam which uses 
forged sender information.  It has no effect on anything else.

See <https://wordtothewise.com/?s=SPF>
    <https://wordtothewise.com/?s=DKIM>
    <https://wordtothewise.com/?s=DMARC>

>   Not that they fail to work that way: my logs have some occurrences 
>   of the SPF check yielding a "negative" result, thus allowing to 
>   reject the incoming message outright.  Looks like a must for the 
>   DNS domains not meant to be used for email at all.

>   That said, being able to confirm that the message indeed comes 
>   from a genuine spam-only domain doesn't seem all that helpful.

That said, being able to confirm that the message comes from IP 
addresses which are sending spam, using an unlimited number of domain 
names, may be highly useful.  That is where DNSbls come into play.

> [...]

>> Of those hosts I checked, which still resolve, most are listed by the
>> psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
>> smattering of SBLCSS (snowshoe) and Spamcop listings.  All indicate
>> the IP addresses you list are spam sources,

>   ACK, thanks for the pointers.

>> where SPF and DKIM say that the sending domain is authorized to send
>> via these spammer controlled, dirty IP addresses.

>   ... For those interested, here's an update for this week.

> 2016W40   nzbhuf@sarvtb.ru [185.58.205.96]
185.58.205.96 sarvtb.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
	Listed in PSBL, see http://psbl.org/listing?ip=185.58.205.96
185.58.205.96 sarvtb.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 185.58.205.96 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=185.58.205.96

>   hlkkn@proteus-spb.ru [194.67.208.8]
194.67.208.8 proteus-spb.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
	Listed in PSBL, see http://psbl.org/listing?ip=194.67.208.8
194.67.208.8 proteus-spb.ru : dnsbl-1.uceprotect.net : BLOCKED
    (127.0.0.2)
    IP 194.67.208.8 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=194.67.208.8

>   rerxboy@kaminfo.ru [193.124.176.209]
193.124.176.209 kaminfo.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
    Listed in PSBL, see http://psbl.org/listing?ip=193.124.176.209
193.124.176.209 kaminfo.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
        http://www.sorbs.net/lookup.shtml?193.124.176.209
193.124.176.209 kaminfo.ru : dnsbl-1.uceprotect.net : BLOCKED
    (127.0.0.2)
    IP 193.124.176.209 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=193.124.176.209

>   jaqxujp@r-vl.ru [185.58.206.163]
185.58.206.163 r-vl.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
	Listed in PSBL, see http://psbl.org/listing?ip=185.58.206.163
185.58.206.163 r-vl.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 185.58.206.163 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=185.58.206.163

>   njlcyy@sab-moskau.ru [193.124.190.134]
193.124.190.134 sab-moskau.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
	Listed in PSBL, see http://psbl.org/listing?ip=193.124.190.134
193.124.190.134 sab-moskau.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
        http://www.sorbs.net/lookup.shtml?193.124.190.134
193.124.190.134 sab-moskau.ru : dnsbl-1.uceprotect.net : BLOCKED
    (127.0.0.2)
    IP 193.124.190.134 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=193.124.190.134

>   feud@taxi-five.ru [185.58.206.232]
185.58.206.232 taxi-five.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
	https://www.spamhaus.org/sbl/query/SBLCSS
185.58.206.232 taxi-five.ru : dnsbl-1.uceprotect.net : BLOCKED
    (127.0.0.2)
    IP 185.58.206.232 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=185.58.206.232

>   pslvslw@uralgsm.ru [185.117.155.168]
185.117.155.168 uralgsm.ru : dnsbl-1.uceprotect.net : BLOCKED
    (127.0.0.2)
    IP 185.117.155.168 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=185.117.155.168

>   yukl@nordmor.ru [193.124.181.229]
193.124.181.229 nordmor.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
193.124.181.229 nordmor.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
    Listed in PSBL, see http://psbl.org/listing?ip=193.124.181.229
193.124.181.229 nordmor.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
        http://www.sorbs.net/lookup.shtml?193.124.181.229
193.124.181.229 nordmor.ru : dnsbl-1.uceprotect.net : BLOCKED
    (127.0.0.2)
    IP 193.124.181.229 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=193.124.181.229

>   rgmcmxo@whdent.ru [193.124.184.229]
193.124.184.229 whdent.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
193.124.184.229 whdent.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
    Listed in PSBL, see http://psbl.org/listing?ip=193.124.184.229
193.124.184.229 whdent.ru : ix.dnsbl.manitu.net : BLOCKED (127.0.0.2)
    Your e-mail service was detected by mail.ixlab.de (NiX Spam) as
        spamming at Fri, 07 Oct 2016 23:39:23 +0200. Your admin
        should visit
        http://www.dnsbl.manitu.net/lookup.php?value=193.124.184.229
193.124.184.229 whdent.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
        http://www.sorbs.net/lookup.shtml?193.124.184.229
193.124.184.229 whdent.ru : dnsbl-1.uceprotect.net : BLOCKED
    (127.0.0.2)
    IP 193.124.184.229 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=193.124.184.229

>   itely@whdent.ru [193.124.184.229]
193.124.184.229 whdent.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
	https://www.spamhaus.org/sbl/query/SBLCSS
193.124.184.229 whdent.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
	Listed in PSBL, see http://psbl.org/listing?ip=193.124.184.229
193.124.184.229 whdent.ru : ix.dnsbl.manitu.net : BLOCKED (127.0.0.2)
    Your e-mail service was detected by mail.ixlab.de (NiX Spam) as
        spamming at Fri, 07 Oct 2016 23:39:23 +0200. Your admin
        should visit
        http://www.dnsbl.manitu.net/lookup.php?value=193.124.184.229
193.124.184.229 whdent.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
        http://www.sorbs.net/lookup.shtml?193.124.184.229
193.124.184.229 whdent.ru : dnsbl-1.uceprotect.net : BLOCKED
    (127.0.0.2)
    IP 193.124.184.229 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=193.124.184.229

>   vdnu@02info.ru [185.87.49.127]
185.87.49.127 02info.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
185.87.49.127 02info.ru : bl.spamcop.net : BLOCKED (127.0.0.2)
    Blocked - see http://www.spamcop.net/bl.shtml?185.87.49.127
185.87.49.127 02info.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
    Listed in PSBL, see http://psbl.org/listing?ip=185.87.49.127
185.87.49.127 02info.ru : ix.dnsbl.manitu.net : BLOCKED (127.0.0.2)
    Your e-mail service was detected by test.port25.me (NiX Spam) as
        spamming at Fri, 07 Oct 2016 20:25:53 +0200. Your admin
        should visit
        http://www.dnsbl.manitu.net/lookup.php?value=185.87.49.127
185.87.49.127 02info.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
        http://www.sorbs.net/lookup.shtml?185.87.49.127
185.87.49.127 02info.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 185.87.49.127 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=185.87.49.127

>   mnweeg@agcher.ru [193.124.183.150]
193.124.183.150 agcher.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
193.124.183.150 agcher.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
    Listed in PSBL, see http://psbl.org/listing?ip=193.124.183.150
193.124.183.150 agcher.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
        http://www.sorbs.net/lookup.shtml?193.124.183.150
193.124.183.150 agcher.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 193.124.183.150 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=193.124.183.150

>   wdoet@fanabe.ru [193.124.181.9]
193.124.181.9 fanabe.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
193.124.181.9 fanabe.ru : bl.spamcop.net : BLOCKED (127.0.0.2)
    Blocked - see http://www.spamcop.net/bl.shtml?193.124.181.9
193.124.181.9 fanabe.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
    Listed in PSBL, see http://psbl.org/listing?ip=193.124.181.9
193.124.181.9 fanabe.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
        http://www.sorbs.net/lookup.shtml?193.124.181.9
193.124.181.9 fanabe.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 193.124.181.9 is UCEPROTECT-Level 1 listed. See
        http://www.uceprotect.net/rblcheck.php?ipr=193.124.181.9

>   FWIW, I hope that whatever software they use to distribute spam
>   is /not/ parallelized.  That way, the failure of my MTA to
>   produce any TCP response whatsoever (thanks to the plain -j DROP
>   in the iptables' INPUT chain) would result in at least some 30 s
>   delay (that is: their TCP connection timeout) before the next
>   address in the list is tried.

HTH.

[*] alt.spam.sightings is not on the active lists of four out of the 
six NNTP services to which I subscribe, suggesting that it appears only 
on servers running largely on autopilot.

- -- 
David Ritz <dritz@mindspring.com>
 Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlf4S+oACgkQUrwpmRoS3uu9MwCgtw6pEYgdgQLRnsQ2TtRhIawJ
a6MAmwbFVCqdzzCNrFIeok/W2MWyOBqa
=nzKg
-----END PGP SIGNATURE-----
David
10/8/2016 1:29:13 AM
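The lookups above show how a DNSBL answers: the client reverses the address labels under the list's zone and reads the returned 127.0.0.x code, whose meaning is list-specific (127.0.0.2 on PSBL, 127.0.0.3 on zen.spamhaus.org for SBLCSS, 127.0.0.6 on SORBS, and so on). The following is an added example of that check, written for this thread and not the tool David used: it builds the query names for IPv4 and IPv6, decodes the codes with the meanings quoted above, and applies an example acceptance policy. The resolver is replaced by a constructed dictionary mirroring the results shown for 185.58.205.96 and 185.58.206.232, so the code runs offline; a real deployment would call the system resolver.

```python
import ipaddress

# Return codes with the meaning each list attaches to them, as shown in the
# lookup output above (zone -> code -> meaning).  Codes not in this table
# are reported as "listed (unknown code)".
DNSBL_CODES = {
    "psbl.surriel.com": {"127.0.0.2": "Listed in PSBL"},
    "zen.spamhaus.org": {"127.0.0.3": "SBLCSS (snowshoe)"},
    "dnsbl.sorbs.net": {"127.0.0.6": "Currently Sending Spam"},
    "dnsbl-1.uceprotect.net": {"127.0.0.2": "UCEPROTECT-Level 1 listed"},
    "bl.spamcop.net": {"127.0.0.2": "Blocked"},
    "ix.dnsbl.manitu.net": {"127.0.0.2": "NiX Spam"},
}

# Constructed stand-in for the resolver: query name -> A records.  The
# entries mirror the results shown above for two of the IPs; anything not
# present answers NXDOMAIN (None), the "not listed" reply.
FAKE_DNS = {
    "96.205.58.185.psbl.surriel.com": ["127.0.0.2"],
    "96.205.58.185.dnsbl-1.uceprotect.net": ["127.0.0.2"],
    "232.206.58.185.zen.spamhaus.org": ["127.0.0.3"],
    "232.206.58.185.dnsbl-1.uceprotect.net": ["127.0.0.2"],
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address labels (octets for v4, nibbles for v6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def check_dnsbl(ip: str, zones, resolve=FAKE_DNS.get):
    """Return [(zone, code, meaning)] for every zone that lists ip.

    resolve(qname) must return a list of A-record strings, or None/[] for
    NXDOMAIN.
    """
    listings = []
    for zone in zones:
        for code in resolve(dnsbl_query_name(ip, zone)) or []:
            answer = ipaddress.ip_address(code)
            if answer not in ipaddress.ip_network("127.0.0.0/8"):
                continue        # wildcarded or hijacked zone answering with a public IP
            if answer in ipaddress.ip_network("127.255.255.0/24"):
                # Spamhaus uses 127.255.255.x to signal a refused query
                # (e.g. via an open resolver); that is an error, not a listing
                raise RuntimeError(f"{zone}: query error code {code}")
            meaning = DNSBL_CODES.get(zone, {}).get(code, "listed (unknown code)")
            listings.append((zone, code, meaning))
    return listings


def dnsbl_verdict(listings, hard_zones=("zen.spamhaus.org",), min_lists=2) -> str:
    """Example policy (an assumption, not from the thread): reject on any
    Spamhaus listing, or when two or more lists agree; one listing on a
    single list only adds score."""
    zones = {zone for zone, _, _ in listings}
    if zones & set(hard_zones) or len(zones) >= min_lists:
        return "reject"
    return "score" if zones else "accept"
```

The code ignores answers outside 127.0.0.0/8 on purpose: a DNSBL zone that expires and is picked up by a wildcard registrar, or a resolver that rewrites NXDOMAIN, would otherwise "list" every address queried.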
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday, 04 October 2016 16:12 -0000, 
 in article <87vax8xfdm.fsf@violet.siamics.net>, 
 Ivan Shmakov <ivan@siamics.net> wrote:

[...]
> 2016W40   nzbhuf@sarvtb.ru [185.58.205.96]
[...]
> 2016W39   bcswvsv@network-asp.ru [194.67.208.143]
[...]
> 2016W38   pvtll@mtvigroup.ru [194.67.208.216]
[...]
> 2016W37   bct@butovo-net.ru [194.67.210.18]
[...]
> 2016W36   vziykt@tyumfair.ru [194.67.208.60]
[...]

Ivan,

I stripped out the domain names and sorted by unique IP addresses.  By 
looking at the source IPs, one begins to see clearer patterns.

85.93.145.29
route:          85.93.144.0/20
descr:          SPACENET-RU-144-20
origin:         AS34300

94.142.141.60
route:          94.142.136.0/21
descr:          MAROSNET Telecommunication Company Network
origin:         AS48666

185.5.248.60
route:          185.5.248.0/22
descr:          MAROSNET Telecommunication Company Network
origin:         AS48666

185.58.205.96
route:          185.58.204.0/22
descr:          MAROSNET Telecommunication Company Network
origin:         AS48666

185.58.206.76
185.58.206.163
185.58.206.232
route:          185.58.204.0/22
descr:          MAROSNET Telecommunication Company Network
origin:         AS48666

185.87.48.131
185.87.48.186
route:          185.87.48.0/22
descr:          MAROSNET Telecommunication Company Network
origin:         AS48666

193.124.176.209
route:          193.124.176.0/20
descr:          MAROSNET Telecommunication Company Network
origin:         AS48666

193.124.186.253
193.124.189.172
193.124.189.192
193.124.190.134
193.124.191.224
route:          193.124.176.0/20
descr:          MAROSNET Telecommunication Company Network
origin:         AS48666

194.67.208.7
194.67.208.8
194.67.208.50
194.67.208.60
194.67.208.101
194.67.208.143
194.67.208.216
194.67.208.219
194.67.208.220
194.67.208.224
194.67.208.232
194.67.208.249
194.67.209.7
194.67.209.56
194.67.209.151
194.67.210.2
194.67.210.18
194.67.210.159
194.67.210.222
194.67.211.17
route:          194.67.208.0/20
descr:          MAROSNET Telecommunication Company Network
origin:         AS48666

My observations suggest that MAROSNET Telecommunication Company 
Network is running some large scale snowshoe spam hosting services.

- -- 
David Ritz <dritz@mindspring.com>
 Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlf4UYcACgkQUrwpmRoS3uvSWwCg+Zwx1BYS3m3vGi25kZnFurTu
+nUAoLbZ/2tq/O5tjLk6Ak23Gf63dkBc
=fBVp
-----END PGP SIGNATURE-----
David
10/8/2016 1:53:10 AM
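The grouping David did by hand above, source IP to covering route object to origin AS, is a longest-prefix match. Here it is as an added Python example (not David's script): the route table is copied from the route objects quoted in the post, the IPs are ones that appear in the thread, and the attribution and concentration functions are added here. One route, 194.67.211.0/24 from AS64496, is a constructed more-specific announcement included only to exercise the longest-match rule (AS64496 is a documentation ASN); the clean 192.0.2.1 is constructed to show the unrouted case.

```python
import ipaddress
from collections import defaultdict

# Route objects (prefix, origin AS, descr) as quoted in the post above.
# The 194.67.211.0/24 entry is CONSTRUCTED for the example (documentation
# ASN 64496) to exercise longest-prefix matching; it is not in the thread.
ROUTES = [
    ("85.93.144.0/20", "AS34300", "SPACENET-RU-144-20"),
    ("94.142.136.0/21", "AS48666", "MAROSNET Telecommunication Company Network"),
    ("185.5.248.0/22", "AS48666", "MAROSNET Telecommunication Company Network"),
    ("185.58.204.0/22", "AS48666", "MAROSNET Telecommunication Company Network"),
    ("185.87.48.0/22", "AS48666", "MAROSNET Telecommunication Company Network"),
    ("193.124.176.0/20", "AS48666", "MAROSNET Telecommunication Company Network"),
    ("194.67.208.0/20", "AS48666", "MAROSNET Telecommunication Company Network"),
    ("194.67.211.0/24", "AS64496", "constructed more-specific for the example"),
]

# Source IPs taken from the thread, plus a constructed unrouted 192.0.2.1.
SAMPLE_IPS = [
    "85.93.145.29", "94.142.141.60", "185.5.248.60", "185.58.205.96",
    "185.58.206.232", "185.87.48.186", "193.124.176.209", "193.124.190.134",
    "194.67.208.8", "194.67.210.159", "194.67.211.17", "192.0.2.1",
]


def longest_prefix_match(ip: str, routes=ROUTES):
    """Return (network, origin_as, descr) of the most specific covering route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, descr in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn, descr)
    return best


def attribute(ips, routes=ROUTES):
    """Return ({origin_as: {prefix: [ips]}}, [unrouted ips])."""
    by_asn = defaultdict(lambda: defaultdict(list))
    unrouted = []
    for ip in ips:
        hit = longest_prefix_match(ip, routes)
        if hit is None:
            unrouted.append(ip)
        else:
            by_asn[hit[1]][str(hit[0])].append(ip)
    return {asn: dict(prefixes) for asn, prefixes in by_asn.items()}, unrouted


def concentration(ips, routes=ROUTES):
    """Share of routed IPs per origin AS, largest first."""
    by_asn, unrouted = attribute(ips, routes)
    routed = len(ips) - len(unrouted)
    counts = {asn: sum(len(v) for v in p.values()) for asn, p in by_asn.items()}
    return sorted(((asn, n / routed) for asn, n in counts.items()),
                  key=lambda t: -t[1])


if __name__ == "__main__":
    grouped, missing = attribute(SAMPLE_IPS)
    for asn, prefixes in grouped.items():
        for prefix, hits in prefixes.items():
            print(asn, prefix, ", ".join(hits))
    print("unrouted:", missing, "shares:", concentration(SAMPLE_IPS))
```

A route object in an IRR says who registered the prefix, not who operates the host, so a defender would corroborate the attribution against the live BGP view (as the next post does with a route server) before treating an AS as the unit of blocking.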
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, 07 October 2016 20:53 -0500, 
 in article <alpine.OSX.2.20.1610072041240.6800@mako.ath.cx>, 
 David Ritz <dritz@mindspring.com> wrote:

> Ivan,

> I stripped out the domain names and sorted by unique IP addresses.  By 
> looking at the source IPs, one begins to see clearer patterns.

> 85.93.145.29
> route:          85.93.144.0/20
> descr:          SPACENET-RU-144-20
> origin:         AS34300

> 94.142.141.60
> route:          94.142.136.0/21
> descr:          MAROSNET Telecommunication Company Network
> origin:         AS48666
[...]
> route:          194.67.208.0/20
> descr:          MAROSNET Telecommunication Company Network
> origin:         AS48666

> My observations suggest that MAROSNET Telecommunication Company 
> Network is running some large scale snowshoe spam hosting services.

 $ route-leecher.pl 48666
 # Randomly selected router route-server.exodus.net
 # router route-server.exodus.net not responding, retrying with router route-server.gblx.net
 # Using router route-server.gblx.net
 # Logging into router route-server.gblx.net
 # using command: sh ip bg reg ^.*_48666_.*$
 # Routes transiting through or originating from AS 48666 :
 
 31.148.99.0/24 from AS: 48666 (upstreams: 12389 9002), 
 91.202.232.0/22    from AS: 48666 (upstreams: 12389 9002), 
 93.170.123.0/24    from AS: 48666 (upstreams: 12389 9002), 
 94.142.136.0/24    from AS: 48666 (upstreams: 12389 9002), 
 94.142.136.0/21    from AS: 48666 (upstreams: 12389 9002), 
 94.142.137.0/24    from AS: 48666 (upstreams: 12389 9002), 
 94.142.143.0/24    from AS: 48666 (upstreams: 12389 9002), 
 95.46.114.0/24     from AS: 48666 (upstreams: 12389 9002), 
 154.16.205.0/24    from AS: 48666 (upstreams: 9002 20485), 
 185.5.248.0/22     from AS: 48666 (upstreams: 12389 9002), 
 185.58.204.0/22    from AS: 48666 (upstreams: 12389 9002), 
 185.87.48.0/22     from AS: 48666 (upstreams: 12389 9002), 
 185.117.152.0/22   from AS: 48666 (upstreams: 12389 9002), 
 185.125.216.0/22   from AS: 48666 (upstreams: 12389 9002), 
 185.125.228.0/22   from AS: 48666 (upstreams: 12389 9002), 
 193.106.96.0/22    from AS: 48666 (upstreams: 12389 9002), 
 193.124.176.0/20   from AS: 48666 (upstreams: 12389 9002), 
 194.67.192.0/23    from AS: 48666 (upstreams: 12389 9002), 
 194.67.194.0/24    from AS: 48666 (upstreams: 12389 9002), 
 194.67.196.0/22    from AS: 48666 (upstreams: 12389 9002), 
 194.67.200.0/21    from AS: 48666 (upstreams: 12389 9002), 
 194.67.208.0/20    from AS: 48666 (upstreams: 12389 9002), 
 
 
 ----------end of routes for AS 48666 -----------

$ whois -h whois.radb.net AS48666
aut-num:        AS48666
as-name:        AS-MAROSNET
descr:          Moscow, Russia
org:            ORG-MTCL1-RIPE
remarks:
remarks:        ------------------------------------
remarks:        MAROSNET Routing Policy
remarks:        ------------------------------------
remarks:
remarks:        TTK
import:         from AS20485 action pref=100; accept ANY
export:         to AS20485 announce AS-MAROSNET
mp-import:      afi ipv6.unicast from AS20485 action pref=100; accept ANY
mp-export:      afi ipv6.unicast to AS20485 announce AS-MAROSNET
remarks:
remarks:        RETN
import:         from AS9002 action pref=100; accept ANY
export:         to AS9002 announce AS-MAROSNET
mp-import:      afi ipv6.unicast from AS9002 action pref=100; accept ANY
mp-export:      afi ipv6.unicast to AS9002 announce AS-MAROSNET
remarks:
remarks:        MSK-IX
import:         from AS8631 action pref=100; accept ANY
export:         to AS8631 announce AS-MAROSNET
mp-import:      afi ipv6.unicast from AS8631 action pref=100; accept ANY
mp-export:      afi ipv6.unicast to AS8631 announce AS-MAROSNET
remarks:
remarks:        DATA-IX
import:         from AS50952 action pref=100; accept ANY
export:         to AS50952 announce AS-MAROSNET
mp-import:      afi ipv6.unicast from AS50952 action pref=100; accept ANY
mp-export:      afi ipv6.unicast to AS50952 announce AS-MAROSNET
remarks:
remarks:        CLOUD-IX
import:         from AS29076 action pref=100; accept ANY
export:         to AS29076 announce AS-MAROSNET
mp-import:      afi ipv6.unicast from AS29076 action pref=100; accept ANY
mp-export:      afi ipv6.unicast to AS29076 announce AS-MAROSNET
remarks:
remarks:        W-IX
import:         from AS50384 action pref=100; accept ANY
export:         to AS50384 announce AS-MAROSNET
mp-import:      afi ipv6.unicast from AS50384 action pref=100; accept ANY
mp-export:      afi ipv6.unicast to AS50384 announce AS-MAROSNET
remarks:
remarks:        ROSTELECOM
import:         from AS12389 action pref=100; accept ANY
export:         to AS50384 announce AS-MAROSNET
mp-import:      afi ipv6.unicast from AS12389 action pref=100; accept ANY
mp-export:      afi ipv6.unicast to AS12389 announce AS-MAROSNET

- -- 
David Ritz <dritz@mindspring.com>
 Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlf4VVUACgkQUrwpmRoS3us9QQCfSTa/nHSpV92NW1ytiY1mMnyh
LmcAniHbQq6ZcGGXOchUJWDaNWfGTaLR
=lsQy
-----END PGP SIGNATURE-----
David
10/8/2016 2:09:25 AM
>>>>> David Ritz <dritz@mindspring.com> writes:

[...]

 > I stripped out the domain names and sorted by unique IP addresses.
 > By looking at the source IPs, one begins to see clearer patterns.

[...]

 > route:          194.67.208.0/20
 > descr:          MAROSNET Telecommunication Company Network
 > origin:         AS48666

	Yes.  That was the reason I've tried to contact their abuse@
	department earlier.

 > My observations suggest that MAROSNET Telecommunication Company
 > Network is running some large scale snowshoe spam hosting services.

	Given the sheer number of IPs, and also that my prior email
	resulted in no response, that doesn't sound all that unlikely.

	Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20
	about last Saturday, and now added 185.125.216.0/22,
	185.87.48.0/22, 193.124.176.0/20 and 194.67.196.0/22, too, to my
	ipset(8) configuration.

	As for the blacklists, I should note that I actually refer to
	several in my MTA configuration, although they're used strictly
	to decide whether to use graylisting or not.  And indeed, some
	of this spam I receive matches the DNSbls I employ, but then
	ends up passing the "graylist" test successfully.  (Thus
	suggesting the use of a "full-weight" MTA at the remote; which,
	hopefully, means some cycles are wasted trying to connect to
	my firewalled MX.)

	On the other hand, some of the messages come from the addresses
	/not/ yet blacklisted at the time of delivery.  Perhaps the
	chances could be improved by querying more blacklists for the
	sender IP, though.

	Once again, there's the data for the past two weeks.

2016W41	hdyuhpi@artel-site.ru [193.124.180.126]
	qiluc@pampersklub.ru [185.125.216.105]
	xjqhkx@mpeg-imx.ru [193.124.182.45]
	xjld@jclan.ru [185.125.216.249]
	jrefn@cybernsk.ru [194.67.196.156]
	qnwdsl@kbidea.ru [194.67.196.163]
	wapeptz@cybernsk.ru [194.67.196.156]
	qqgbk@avtotera.ru [185.125.217.100]
	jlotfa@vakpk.ru [193.124.190.246]
	meiah@goward.ru [185.125.216.210]
	lphcpx@ostankinomedia.ru [193.124.189.173]
	uepowel@rti-travel.ru [185.87.51.68]
	imyasa@mig-spb.ru [185.87.51.23]
	ebeor@ostankinomedia.ru [193.124.189.173]

2016W40	nzbhuf@sarvtb.ru [185.58.205.96]
	hlkkn@proteus-spb.ru [194.67.208.8]
	rerxboy@kaminfo.ru [193.124.176.209]
	jaqxujp@r-vl.ru [185.58.206.163]
	njlcyy@sab-moskau.ru [193.124.190.134]
	feud@taxi-five.ru [185.58.206.232]
	pslvslw@uralgsm.ru [185.117.155.168]
	yukl@nordmor.ru [193.124.181.229]
	rgmcmxo@whdent.ru [193.124.184.229]
	itely@whdent.ru [193.124.184.229]
	vdnu@02info.ru [185.87.49.127]
	mnweeg@agcher.ru [193.124.183.150]
	wdoet@fanabe.ru [193.124.181.9]
	pvv@vapnyar.ru [194.67.197.50]

-- 
FSF associate member #7257  58F8 0F47 53F5 2EB2 F6A5  8916 3013 B6A0 230E 334A
Ivan
10/14/2016 5:50:28 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, 14 October 2016 17:50 -0000, 
 in article <87twce6crf.fsf@violet.siamics.net>, 
 Ivan Shmakov <ivan@siamics.net> wrote:

> David Ritz <dritz@mindspring.com> writes:

> [...]

>> I stripped out the domain names and sorted by unique IP addresses. 
>> By looking at the source IPs, one begins to see clearer patterns.

> [...]

>> route:          194.67.208.0/20
>> descr:          MAROSNET Telecommunication Company Network
>> origin:         AS48666

>   Yes.  That was the reason I've tried to contact their abuse@ 
>   department earlier.

>> My observations suggest that MAROSNET Telecommunication Company 
>> Network is running some large scale snowshoe spam hosting services.

>   Given the sheer number of IPs, and also that my prior email 
>   resulted in no response, that doesn't sound all that unlikely.

There was a reason I included all of the upstream routes announcing 
AS48666: AS9002, AS12389 and AS20485.  Directing your complaints 
upstream, for recalcitrant spam-hosts, is a fairly common and 
sometimes useful technique.

$ whois -h whois.ripe.net -- -B\ AS9002 | grep -i abuse
% Abuse contact for 'AS9002' is 'abuse@retn.net'
remarks:        SPAM and security issues          abuse at retn.net
abuse-c:        RCD1-RIPE
remarks:        trouble:      SPAM and Network security issues:    abuse@retn.net
abuse-mailbox:  abuse@retn.net

$ whois -h whois.ripe.net -- -B\ AS12389 | grep -i abuse
% Abuse contact for 'AS12389' is 'abuse@rt.ru'
abuse-c:        RTNC-RIPE
abuse-mailbox:  ripe@rt.ru
abuse-mailbox:  abuse@rt.ru

$ whois -h whois.ripe.net -- -B\ AS20485 | grep -i abuse
% Abuse contact for 'AS20485' is 'abuse@ttk.ru'
abuse-c:        KTTK-RIPE
remarks:        Spam & Abuse: abuse@ttk.ru
remarks:        Please use abuse@ttk.ru e-mail address
remarks:        for spam and abuse complaints.
abuse-mailbox:  abuse@ttk.ru

>   Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20 
>   about last Saturday, and now added 185.125.216.0/22, 
>   185.87.48.0/22, 193.124.176.0/20 and 194.67.196.0/22, too, to my 
>   ipset(8) configuration.

>   As for the blacklists, I should note that I actually refer to 
>   several in my MTA configuration, although they're used strictly to 
>   decide whether to use graylisting or not.  And indeed, some of 
>   this spam I receive matches the DNSbls I employ, but then ends up 
>   passing the "graylist" test successfully.  (Thus suggesting the 
>   use of a "full-weight" MTA at the remote; which, hopefully, 
>   means some cycles are wasted trying to connect to my firewalled 
>   MX.)

I don't know whether you're using UCEProtect among your DNSbls.  
History suggests their level one (1) listings accurately list spam 
sources, with a particular emphasis on spam hitting European 
locations.  dnsbl-1.uceprotect.net may be a useful addition for your 
purposes. dnsbl-2.uceprotect.net makes a statement about the immediate 
net-neighborhood.  dnsbl-3.uceprotect.net makes yet broader 
statements.

>   On the other hand, some of the messages come from the addresses 
>   /not/ yet blacklisted at the time of delivery.  Perhaps the 
>   chances could be improved by querying more blacklists for the 
>   sender IP, though.

>   Once again, there's the data for the past two weeks.

Thanks, Ivan.

> 2016W41   hdyuhpi@artel-site.ru [193.124.180.126]
>   qiluc@pampersklub.ru [185.125.216.105]
>   xjqhkx@mpeg-imx.ru [193.124.182.45]
>   xjld@jclan.ru [185.125.216.249]
>   jrefn@cybernsk.ru [194.67.196.156]
>   qnwdsl@kbidea.ru [194.67.196.163]
>   wapeptz@cybernsk.ru [194.67.196.156]
>   qqgbk@avtotera.ru [185.125.217.100]
>   jlotfa@vakpk.ru [193.124.190.246]
>   meiah@goward.ru [185.125.216.210]
>   lphcpx@ostankinomedia.ru [193.124.189.173]
>   uepowel@rti-travel.ru [185.87.51.68]
>   imyasa@mig-spb.ru [185.87.51.23]
>   ebeor@ostankinomedia.ru [193.124.189.173]

> 2016W40   nzbhuf@sarvtb.ru [185.58.205.96]
>   hlkkn@proteus-spb.ru [194.67.208.8]
>   rerxboy@kaminfo.ru [193.124.176.209]
>   jaqxujp@r-vl.ru [185.58.206.163]
>   njlcyy@sab-moskau.ru [193.124.190.134]
>   feud@taxi-five.ru [185.58.206.232]
>   pslvslw@uralgsm.ru [185.117.155.168]
>   yukl@nordmor.ru [193.124.181.229]
>   rgmcmxo@whdent.ru [193.124.184.229]
>   itely@whdent.ru [193.124.184.229]
>   vdnu@02info.ru [185.87.49.127]
>   mnweeg@agcher.ru [193.124.183.150]
>   wdoet@fanabe.ru [193.124.181.9]
>   pvv@vapnyar.ru [194.67.197.50]

 # Routes transiting through or originating from AS 48666 :
 
 31.148.99.0/24      from AS: 48666 (upstreams: 12389 9002), 
 91.202.232.0/22     from AS: 48666 (upstreams: 12389 9002), 
 93.170.123.0/24     from AS: 48666 (upstreams: 12389 9002), 
 94.142.136.0/24     from AS: 48666 (upstreams: 12389 9002), 
 94.142.136.0/21     from AS: 48666 (upstreams: 12389 9002), 
 94.142.137.0/24     from AS: 48666 (upstreams: 12389 9002), 
 94.142.143.0/24     from AS: 48666 (upstreams: 12389 9002), 
 95.46.114.0/24      from AS: 48666 (upstreams: 12389 9002), 
 154.16.205.0/24     from AS: 48666 (upstreams: 9002 20485), 
 185.5.248.0/22      from AS: 48666 (upstreams: 12389 9002), 
 185.58.204.0/22     from AS: 48666 (upstreams: 12389 9002), 
 185.87.48.0/22      from AS: 48666 (upstreams: 12389 9002), 
 185.117.152.0/22    from AS: 48666 (upstreams: 12389 9002), 
 185.125.216.0/22    from AS: 48666 (upstreams: 12389 9002), 
 185.125.228.0/22    from AS: 48666 (upstreams: 12389 9002), 
 193.106.96.0/22     from AS: 48666 (upstreams: 12389 9002), 
 193.124.176.0/20    from AS: 48666 (upstreams: 12389 9002), 
 194.67.192.0/23     from AS: 48666 (upstreams: 12389 9002), 
 194.67.194.0/24     from AS: 48666 (upstreams: 12389 9002), 
 194.67.196.0/22     from AS: 48666 (upstreams: 12389 9002), 
 194.67.200.0/21     from AS: 48666 (upstreams: 12389 9002), 
 194.67.208.0/20     from AS: 48666 (upstreams: 12389 9002), 
 
 
 ----------end of routes for AS 48666 -----------

- -- 
David Ritz <dritz@mindspring.com>
 Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlgBPmcACgkQUrwpmRoS3uv5dgCfceUOzBatKwE2j1mt1xKz1ADZ
rHMAn1p8qN+obaNnKFoq8GqtiwBGEHFq
=3d/b
-----END PGP SIGNATURE-----
David
10/14/2016 8:21:58 PM
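As an added illustration of the DNSBL suggestion above (example code, not something either poster wrote): how an MTA-side DNSBL check is formed and read. The sender's IPv4 address is reversed octet by octet and the zone name appended; an A record inside 127.0.0.0/8 means "listed", NXDOMAIN means "not listed", and anything else is treated as a broken or wildcarding zone. The resolver is injectable so the logic runs offline against a constructed answer table; the zone names are the three David names, the one-line zone descriptions paraphrase his wording, and the listing code 127.0.0.2 in the table, the sample IP's listing status, and the function names are constructed for the example.

```python
"""Added example: DNSBL query construction and interpretation, mirroring the
"DNSBL hit decides whether to greylist" policy described in the thread.
Not code from the thread; names and the sample answer table are constructed."""
import ipaddress
import socket

# Zone names from the thread; descriptions paraphrase David's post.
UCEPROTECT_ZONES = {
    "dnsbl-1.uceprotect.net": "level 1: individual spam-sending IPs",
    "dnsbl-2.uceprotect.net": "level 2: the immediate net-neighbourhood",
    "dnsbl-3.uceprotect.net": "level 3: broader statements",
}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, e.g.
    193.124.180.126 -> 126.180.124.193.dnsbl-1.uceprotect.net"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the listing code (an address in 127.0.0.0/8) or None when not
    listed.  NXDOMAIN surfaces as socket.gaierror from gethostbyname."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    # A listing must be a 127/8 address; anything else means the zone is
    # wildcarding or otherwise unusable, so do not act on it.
    if ipaddress.ip_address(answer) not in LOOPBACK:
        return None
    return answer


def greylist_decision(ip, zones, resolve=socket.gethostbyname):
    """Policy from the thread: DNSBL hits do not reject, they only decide
    whether to greylist.  Returns (greylist, {zone: listing code})."""
    hits = {}
    for zone in zones:
        code = dnsbl_lookup(ip, zone, resolve)
        if code is not None:
            hits[zone] = code
    return bool(hits), hits


def make_table_resolver(table):
    """Stand-in for socket.gethostbyname built from a dict name -> answer;
    missing names raise socket.gaierror just as NXDOMAIN does."""
    def resolve(name):
        try:
            return table[name]
        except KeyError:
            raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return resolve


# Constructed sample answers (not real query results): one sender from the
# thread's list is "listed" at level 1, and level 2 misbehaves with a non-127/8
# answer that must be ignored.
SAMPLE_ANSWERS = {
    "126.180.124.193.dnsbl-1.uceprotect.net": "127.0.0.2",
    "126.180.124.193.dnsbl-2.uceprotect.net": "10.0.0.1",
}

if __name__ == "__main__":
    resolve = make_table_resolver(SAMPLE_ANSWERS)
    for ip in ("193.124.180.126", "192.0.2.1"):
        decision, hits = greylist_decision(ip, UCEPROTECT_ZONES, resolve)
        print(ip, "greylist" if decision else "no greylist", hits)
```

Passing `socket.gethostbyname` (the default) turns this into a live check; the sandboxed table resolver is what the offline run uses.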
>>>>> David Ritz <dritz@mindspring.com> writes:
>>>>> On Friday, 14 October 2016 17:50 -0000, Ivan Shmakov wrote:
>>>>> David Ritz <dritz@mindspring.com> writes:

[...]

 >>> My observations suggest that MAROSNET Telecommunication Company
 >>> Network is running some large scale snowshoe spam hosting services.

 >> Given the sheer number of IPs, and also that my prior email resulted
 >> in no response, that doesn't sound all that unlikely.

 > There was a reason I included all of the upstream routes announcing
 > AS48666: AS9002, AS12389 and AS20485.  Directing your complaints
 > upstream, for recalcitrant spam-hosts, is a fairly common and
 > sometimes useful technique.

	ACK, thanks.

	(Hope that showing all the IPs there that ended up being in some
	well-known DNSbls will help.)

[...]

 >> Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20 about
 >> last Saturday, and now added 185.125.216.0/22, 185.87.48.0/22,
 >> 193.124.176.0/20 and 194.67.196.0/22, too, to my ipset(8)
 >> configuration.

	I've decided that -j DROP for whole networks may be a tad too
	severe a measure, and introduced a separate -j REJECT blacklist
	for that purpose instead, like:

## ipset create dropemall hash:ip  timeout $((0x100000))
## ipset create rejectnet hash:net timeout $((0x400000))
## (set timeouts are in seconds: 0x100000 s is roughly 12 days,
## 0x400000 s roughly 48 days)
## The two target chains must exist before the INPUT rules reference
## them: iptables -N DROPEMALL; iptables -N REJECTNET
-A INPUT -m set --match-set dropemall src -j DROPEMALL
-A INPUT -m set --match-set rejectnet src -j REJECTNET
-A DROPEMALL -m limit --limit 13/min -j LOG
-A DROPEMALL -j DROP
-A REJECTNET -m limit --limit 13/min -j LOG
-A REJECTNET -j REJECT --reject-with icmp-admin-prohibited
## And similarly for ip6tables(8), with icmp6-adm-prohibited

 >> As for the blacklists, I should note that I actually refer to
 >> several in my MTA configuration, although they're used strictly to
 >> decide whether to use graylisting or not.  And indeed, some of this
 >> spam I receive matches the DNSbls I employ, but then ends up passing
 >> the "graylist" test successfully.  (Thus suggesting the use of a
 >> "full-weight" MTA at the remote; which, hopefully, means some
 >> cycles are wasted trying to connect to my firewalled MX.)

 > I don't know whether you're using UCEProtect among your DNSbls.
 > History suggests their level one (1) listings accurately list spam
 > sources, with a particular emphasis on spam hitting European
 > locations.  dnsbl-1.uceprotect.net may be a useful addition for your
 > purposes. dnsbl-2.uceprotect.net makes a statement about the
 > immediate net-neighborhood.  dnsbl-3.uceprotect.net makes yet broader
 > statements.

	ACK, thanks; will try them later.

[...]

 > # Routes transiting through or originating from AS 48666 :
 
 > 31.148.99.0/24      from AS: 48666 (upstreams: 12389 9002), 
 > 91.202.232.0/22     from AS: 48666 (upstreams: 12389 9002), 
 > 93.170.123.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 94.142.136.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 94.142.136.0/21     from AS: 48666 (upstreams: 12389 9002), 
 > 94.142.137.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 94.142.143.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 95.46.114.0/24      from AS: 48666 (upstreams: 12389 9002), 
 > 154.16.205.0/24     from AS: 48666 (upstreams: 9002 20485), 

	All the unwanted mail I saw before came from the 13 networks
	below, which I've thus added to my 'rejectnet' set:

 > 185.5.248.0/22      from AS: 48666 (upstreams: 12389 9002), 
 > 185.58.204.0/22     from AS: 48666 (upstreams: 12389 9002), 
 > 185.87.48.0/22      from AS: 48666 (upstreams: 12389 9002), 
 > 185.117.152.0/22    from AS: 48666 (upstreams: 12389 9002), 
 > 185.125.216.0/22    from AS: 48666 (upstreams: 12389 9002), 

 > 185.125.228.0/22    from AS: 48666 (upstreams: 12389 9002), 

	... except for this one above, which seems to be home to two of
	MAROSNET's own three MXes:

mail.marosnet.ru.	IN	A	94.142.136.5
mx1.marosnet.ru.	IN	A	185.125.229.7
mx2.marosnet.ru.	IN	A	185.125.229.19

 > 193.106.96.0/22     from AS: 48666 (upstreams: 12389 9002), 
 > 193.124.176.0/20    from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.192.0/23     from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.194.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.196.0/22     from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.200.0/21     from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.208.0/20     from AS: 48666 (upstreams: 12389 9002), 

	... So far, only a single message got through the filter
	(one from 94.142.140.44, boedze@vector2000.ru), and the
	following IPs (which I've happily added to the 'dropemall'
	ipset(8) list where missing) have shown up in kern.log:

    185.117.153.120	basf-rus.ru.
    185.117.154.30	kogorta-k.ru.
    185.125.216.210	goward.ru.
    185.87.51.68	rti-travel.ru.
    193.124.176.209	kaminfo.ru.
    193.124.180.126	artel-site.ru.
    193.124.180.206	gtp-ufa.ru.
    193.124.181.229	nordmor.ru.
    193.124.182.45	mpeg-imx.ru.
    193.124.183.150	agcher.ru.
    193.124.184.229	whdent.ru.
    193.124.186.205	google.com.		2016-10-16 22:33:39 UTC
    193.124.189.173	ostankinomedia.ru.
    193.124.190.246	vakpk.ru.
    193.124.190.38	sale-4u.ru.
    194.67.210.202	threeality.ru.

	Now, 193.124.186.205 looks suspicious, as it shows up only once,
	and I could hardly believe that such a PTR record would be used
	by someone who has purchased that many "valid" domains for
	pretty much spam-only purposes.

	Finally, the "unwanted correspondence" list for the last week
	got five more entries, ending up as follows.

2016W41	hdyuhpi@artel-site.ru [193.124.180.126]
	qiluc@pampersklub.ru [185.125.216.105]
	xjqhkx@mpeg-imx.ru [193.124.182.45]
	xjld@jclan.ru [185.125.216.249]
	jrefn@cybernsk.ru [194.67.196.156]
	qnwdsl@kbidea.ru [194.67.196.163]
	wapeptz@cybernsk.ru [194.67.196.156]
	qqgbk@avtotera.ru [185.125.217.100]
	jlotfa@vakpk.ru [193.124.190.246]
	meiah@goward.ru [185.125.216.210]
	lphcpx@ostankinomedia.ru [193.124.189.173]
	uepowel@rti-travel.ru [185.87.51.68]
	imyasa@mig-spb.ru [185.87.51.23]
	ebeor@ostankinomedia.ru [193.124.189.173]
	sbd@ooo-angara.ru [193.124.190.212]
	xjdokr@vakpk.ru [193.124.190.246]
	ivyrg@goward.ru [185.125.216.210]
	spdsrz@sale-4u.ru [193.124.190.38]
	orf@tu134.ru [185.117.152.30]

-- 
FSF associate member #7257  58F8 0F47 53F5 2EB2 F6A5  8916 3013 B6A0 230E 334A
Ivan
10/19/2016 3:35:54 PM
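An added example, written for this thread and not code from either poster: it ties David's point about the upstream ASes to Ivan's prefix-level blocking. Given the route-server listing David quoted and a list of sender IPs seen in the mail log, the script does a longest-prefix match to find the announced prefix each sender sits in, reports whether a prefix-level block list like Ivan's 'rejectnet' set already covers it, and collects the upstream ASNs that would be the next escalation contacts. The embedded listing is an abridged copy of the one quoted above (same format), the sender IPs and the sample block list are values from the thread used as sample input, and the function names are mine. Run as-is it shows something consistent with Ivan's report: 94.142.140.44 sits in 94.142.136.0/21, which is announced by AS48666 but is not among the networks he added to 'rejectnet', so a prefix list built only from senders already seen misses it.

```python
"""Added example: match observed sender IPs against a route-server listing,
check them against a CIDR block list, and collect upstream ASNs.
Not code from the thread; function names are constructed."""
import ipaddress
import re

# One "prefix from AS: origin (upstreams: a b)," line of the listing.
ROUTE_LINE = re.compile(
    r"^\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+from AS:\s*(?P<origin>\d+)"
    r"\s*\(upstreams:\s*(?P<ups>[\d ]+)\)"
)

# Abridged copy of the listing quoted in the thread (sample input; the
# header and trailer lines are kept to show the parser skipping them).
ROUTES_TEXT = """\
 # Routes transiting through or originating from AS 48666 :

 94.142.136.0/21     from AS: 48666 (upstreams: 12389 9002),
 94.142.136.0/24     from AS: 48666 (upstreams: 12389 9002),
 154.16.205.0/24     from AS: 48666 (upstreams: 9002 20485),
 185.58.204.0/22     from AS: 48666 (upstreams: 12389 9002),
 185.125.216.0/22    from AS: 48666 (upstreams: 12389 9002),
 193.124.176.0/20    from AS: 48666 (upstreams: 12389 9002),

 ----------end of routes for AS 48666 -----------
"""

# A subset of the networks Ivan reports adding to 'rejectnet' (sample input).
REJECTNET_SAMPLE = ["185.58.204.0/22", "185.125.216.0/22", "193.124.176.0/20"]

# Sender IPs taken from the thread's per-week lists (sample input).
SENDERS_SAMPLE = ["94.142.140.44", "193.124.180.126", "185.125.216.210"]


def parse_routes(text):
    """Return [(network, origin_asn, [upstream asns]), ...] from the listing."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue  # header, blank and trailer lines
        net = ipaddress.ip_network(m.group("prefix"), strict=True)
        ups = [int(a) for a in m.group("ups").split()]
        routes.append((net, int(m.group("origin")), ups))
    return routes


def most_specific_route(routes, ip):
    """Longest-prefix match: the announced prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def coverage_report(routes, blocked_nets, sender_ips):
    """Per sender: covering prefix, origin, upstreams, and whether the
    operator's CIDR block list (list of strings) already covers it."""
    blocked = [ipaddress.ip_network(n) for n in blocked_nets]
    report = {}
    for ip in sender_ips:
        addr = ipaddress.ip_address(ip)
        r = most_specific_route(routes, ip)
        report[ip] = {
            "prefix": str(r[0]) if r else None,
            "origin": r[1] if r else None,
            "upstreams": r[2] if r else [],
            "blocked": any(addr in b for b in blocked),
        }
    return report


def upstreams_to_notify(routes, sender_ips):
    """Set of upstream ASNs carrying the prefixes the senders sit in; these
    are the escalation contacts when the origin AS does not respond."""
    asns = set()
    for ip in sender_ips:
        r = most_specific_route(routes, ip)
        if r:
            asns.update(r[2])
    return asns


if __name__ == "__main__":
    routes = parse_routes(ROUTES_TEXT)
    for ip, info in coverage_report(routes, REJECTNET_SAMPLE, SENDERS_SAMPLE).items():
        print(ip, info)
    print("escalate to upstream ASNs:", sorted(upstreams_to_notify(routes, SENDERS_SAMPLE)))
```

The abuse mailboxes for those upstream ASNs are then looked up the way David shows above, with `whois -h whois.ripe.net`; that step stays a manual query here, since the script is meant to run offline.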
>>>>> Ivan Shmakov <ivan@siamics.net> writes:

[...]

 > All the unwanted mail I saw before came from the 13 networks below,
 > which I've thus added to my 'rejectnet' set:

 >> 185.5.248.0/22 from AS: 48666 (upstreams: 12389 9002),
 >> 185.58.204.0/22 from AS: 48666 (upstreams: 12389 9002),
 >> 185.87.48.0/22 from AS: 48666 (upstreams: 12389 9002),
 >> 185.117.152.0/22 from AS: 48666 (upstreams: 12389 9002),
 >> 185.125.216.0/22 from AS: 48666 (upstreams: 12389 9002),
 >> 193.106.96.0/22 from AS: 48666 (upstreams: 12389 9002),
 >> 193.124.176.0/20 from AS: 48666 (upstreams: 12389 9002),
 >> 194.67.192.0/23 from AS: 48666 (upstreams: 12389 9002),
 >> 194.67.194.0/24 from AS: 48666 (upstreams: 12389 9002),
 >> 194.67.196.0/22 from AS: 48666 (upstreams: 12389 9002),
 >> 194.67.200.0/21 from AS: 48666 (upstreams: 12389 9002),
 >> 194.67.208.0/20 from AS: 48666 (upstreams: 12389 9002),

	This has worked quite well until yesterday, when I've got yet
	another message, this time from 95.46.99.0/24 (AS201094), very
	similar to those I was getting from the MAROSNET networks.

	I've mailed abuse at gmhost dot com dot ua, but have seen no
	reply as of yet.  The hosts were thus added to my 'dropemall'
	set; while the network (/24) made it straight to 'rejectnet'.

2016W45	dbjc@009msk.ru [95.46.99.232]
	jsvj@give-gift.ru [95.46.99.233]

	FTR, there were a couple more messages with similar Message-ID:
	values (/^[0-9A-Z]{32}@/) that came from other networks; namely:

2016W44	aaasj800i1d3@sr.incl.ne.jp [219.121.225.37]
2016W42	lihong@mail.tjnu.edu.cn [202.113.96.4]

	And just in case someone gets curious, here's a partial
	list of IPv4 addresses that were recently denied access to
	TCP port 25 at my MX, in reverse chronological order.

## IPv4 	days	rDNS
94.142.140.44	0	vector2000.ru.
193.124.180.212	0	alpaper.ru.
194.67.198.162	0	raskat-servis.ru.
194.67.198.174	0	mmaweb.ru.
194.67.198.180	0	news40.ru.
194.67.213.188	0	kama-pv.ru.
194.67.213.192	0	lesaltai.ru.
185.58.205.61	1	wapmag.ru.
194.67.198.169	1	100euro.ru.
194.67.213.187	1	teko-pskov.ru.
194.67.213.190	1	fenecair.ru.
194.67.199.166	2	gazon72.ru.
194.67.213.189	2	ra-mart.ru.
185.5.250.180	3	warfilm.ru.
194.67.199.162	3	mmtours.ru.
185.87.48.120	7	sks26.ru.
185.87.48.203	7	mp3mw.ru.
185.87.51.60	7	flat-ice.ru.
193.124.183.150	7	free.marosnet.net.
194.67.213.186	7	tono-int.ru.
185.5.250.20	8	market-ur.ru.
193.124.181.229	8	free.marosnet.net.
194.67.198.197	8	da-lite.ru.
194.67.210.197	8	btforum.ru.
194.67.210.202	8	threeality.ru.
194.67.210.205	8	brook-bond.ru.
194.67.211.112	8	f-plast.ru.
194.67.212.211	8	dialint.ru.
194.67.212.188	9	gummail.ru.
194.67.213.191	9	ecc-inok.ru.

[...]

-- 
FSF associate member #7257  np. Dream Raga -- Jami Sieber  3013 B6A0 230E 334A
Ivan
11/10/2016 5:10:23 PM