
Re: SPF? DKIM? spammers can do them too

From Ivan Shmakov <ivan@siamics.net>
Newsgroups comp.mail.misc, news.admin.net-abuse.email
Subject Re: SPF? DKIM? spammers can do them too
Date 2016-10-14 17:50 +0000
Organization A noiseless patient Spider
Message-ID <87twce6crf.fsf@violet.siamics.net>
References <87vax8xfdm.fsf@violet.siamics.net> <alpine.OSX.2.20.1610072041240.6800@mako.ath.cx>

Cross-posted to 2 groups.


>>>>> David Ritz <dritz@mindspring.com> writes:

[...]

 > I stripped out the domain names and sorted by unique IP addresses.
 > By looking at the source IPs, one begins to see clearer patterns.

[...]

 > route:          194.67.208.0/20
 > descr:          MAROSNET Telecommunication Company Network
 > origin:         AS48666

	Yes.  That was the reason I've tried to contact their abuse@
	department earlier.

 > My observations suggest that MAROSNET Telecommunication Company
 > Network is running some large scale snowshoe spam hosting services.

	Given the sheer number of IPs, and also that my prior email
	resulted in no response, that doesn't sound all that unlikely.

	Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20
	about last Saturday, and now added 185.125.216.0/22,
	185.87.48.0/22, 193.124.176.0/20 and 194.67.196.0/22, too, to my
	ipset(8) configuration.

	As for the blacklists, I should note that I actually refer to
	several in my MTA configuration, although they're used strictly
	to decide whether to use graylisting or not.  And indeed, some
	of this spam I receive matches the DNSbls I employ, but then
	ends up passing the "graylist" test successfully.  (Thus
	suggesting the use of a "full-weight" MTA at the remote; which,
	hopefully, means some cycles are wasted trying to connect to
	my firewalled MX.)

	On the other hand, some of the messages come from the addresses
	/not/ yet blacklisted at the time of delivery.  Perhaps the
	chances could be improved by querying more blacklists for the
	sender IP, though.

	Once again, there's the data for the past two weeks.

-- 
FSF associate member #7257  58F8 0F47 53F5 2EB2 F6A5  8916 3013 B6A0 230E 334A
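
Added example (not part of the original post or written by either poster): a Python sketch of the review described in the thread, reducing "sender [IP]" lines to unique source IPs, checking them against the blocked prefixes, and grouping whatever is left by /24. The sample lines, the `BLOCKED` list and all function names are constructed for illustration and use RFC 5737 documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the post's "sender [IP]" layout; the addresses are
# RFC 5737 documentation ranges, not real senders.
SAMPLE = """\
aaa@example.net [192.0.2.17]
bbb@example.org [192.0.2.17]
ccc@example.com [192.0.2.200]
ddd@example.net [198.51.100.9]
eee@example.org [198.51.100.200]
fff@example.com [203.0.113.5]
"""
# Hypothetical blocklist standing in for the prefixes loaded into an ipset.
BLOCKED = ["192.0.2.0/24", "198.51.100.0/25"]

BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]\s*$")

def unique_ips(text):
    """Drop the sender addresses and return the distinct source IPs, sorted."""
    ips = set()
    for line in text.splitlines():
        m = BRACKETED_IP.search(line)
        if m:
            try:
                ips.add(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # malformed address: skip the line, keep going
    return sorted(ips, key=lambda a: (a.version, int(a)))

def coverage(ips, blocked):
    """Count distinct IPs per blocked prefix; list the ones no prefix covers."""
    nets = [ipaddress.ip_network(n) for n in blocked]
    hits, uncovered = Counter(), []
    for ip in ips:
        net = next((n for n in nets if n.version == ip.version and ip in n), None)
        if net is None:
            uncovered.append(ip)
        else:
            hits[str(net)] += 1
    return dict(hits), uncovered

def by_slash24(ips):
    """Group IPv4 addresses by /24 so a spread across one block stands out."""
    nets = (ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips if ip.version == 4)
    return dict(Counter(str(n) for n in nets))

if __name__ == "__main__":
    hits, uncovered = coverage(unique_ips(SAMPLE), BLOCKED)
    print(hits, [str(ip) for ip in uncovered], by_slash24(uncovered))
```
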
