

Groups > comp.mail.misc > #868

spam from MAROSNET (AS48666) networks

From Ivan Shmakov <ivan@siamics.net>
Newsgroups comp.mail.misc, news.admin.net-abuse.email
Subject spam from MAROSNET (AS48666) networks
Date 2016-10-19 15:35 +0000
Organization A noiseless patient Spider
Message-ID <87r37c4ahx.fsf_-_@violet.siamics.net> (permalink)
References <87vax8xfdm.fsf@violet.siamics.net> <alpine.OSX.2.20.1610072041240.6800@mako.ath.cx> <87twce6crf.fsf@violet.siamics.net> <alpine.OSX.2.20.1610141455570.69265@mako.ath.cx>



>>>>> David Ritz <dritz@mindspring.com> writes:
>>>>> On Friday, 14 October 2016 17:50 -0000, Ivan Shmakov wrote:
>>>>> David Ritz <dritz@mindspring.com> writes:

[...]

 >>> My observations suggest that MAROSNET Telecommunication Company
 >>> Network is running some large scale snowshoe spam hosting services.

 >> Given the sheer number of IPs, and also that my prior email resulted
 >> in no response, that doesn't sound all that unlikely.

 > There was a reason I included all of the upstream routes announcing
 > AS48666: AS9002, AS12389 and AS20485.  Directing your complaints
 > upstream, for recalcitrant spam-hosts, is a fairly common and
 > sometimes useful technique.

	ACK, thanks.

	(Hope that showing all the IPs there that ended up being in some
	well-known DNSbls will help.)

[...]

 >> Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20 about
 >> last Saturday, and now added 185.125.216.0/22, 185.87.48.0/22,
 >> 193.124.176.0/20 and 194.67.196.0/22, too, to my ipset(8)
 >> configuration.

	I've decided that -j DROP for whole networks may be a tad too
	severe a measure, and introduced a separate -j REJECT blacklist
	for that purpose instead, like:

## ipset(8) sets: per-host drops with a ~12-day entry timeout (0x100000 s),
## per-network rejects with a ~48-day timeout (0x400000 s); timeouts are in seconds
## ipset create dropemall hash:ip  timeout $((0x100000))
## ipset create rejectnet hash:net timeout $((0x400000))
## iptables-save(8) syntax below; the DROPEMALL and REJECTNET chains must exist
## (":DROPEMALL - [0:0]" / ":REJECTNET - [0:0]" in the filter table, or iptables -N)
-A INPUT -m set --match-set dropemall src -j DROPEMALL
-A INPUT -m set --match-set rejectnet src -j REJECTNET
-A DROPEMALL -m limit --limit 13/min -j LOG
-A DROPEMALL -j DROP
-A REJECTNET -m limit --limit 13/min -j LOG
-A REJECTNET -j REJECT --reject-with icmp-admin-prohibited
## And similarly for ip6tables(8), with icmp6-adm-prohibited

 >> As for the blacklists, I should note that I actually refer to
 >> several in my MTA configuration, although they're used strictly to
 >> decide whether to use graylisting or not.  And indeed, some of this
 >> spam I receive matches the DNSbls I employ, but then ends up passing
 >> the "graylist" test successfully.  (Thus suggesting the use of a
 >> "full-weight" MTA at the remote; which, hopefully, means some
 >> cycles are wasted trying to connect to my firewalled MX.)

 > I don't know whether you're using UCEProtect among your DNSbls.
 > History suggests their level one (1) listings accurately list spam
 > sources, with a particular emphasis on spam hitting European
 > locations.  dnsbl-1.uceprotect.net may be a useful addition for your
 > purposes. dnsbl-2.uceprotect.net makes a statement about the
 > immediate net-neighborhood.  dnsbl-3.uceprotect.net makes yet broader
 > statements.

	ACK, thanks; will try them later.

[...]

 > # Routes transiting through or originating from AS 48666 :
 
 > 31.148.99.0/24      from AS: 48666 (upstreams: 12389 9002), 
 > 91.202.232.0/22     from AS: 48666 (upstreams: 12389 9002), 
 > 93.170.123.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 94.142.136.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 94.142.136.0/21     from AS: 48666 (upstreams: 12389 9002), 
 > 94.142.137.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 94.142.143.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 95.46.114.0/24      from AS: 48666 (upstreams: 12389 9002), 
 > 154.16.205.0/24     from AS: 48666 (upstreams: 9002 20485), 

	All the unwanted mail I saw before came from the 13 networks
	below, which I've thus added to my 'rejectnet' set:

 > 185.5.248.0/22      from AS: 48666 (upstreams: 12389 9002), 
 > 185.58.204.0/22     from AS: 48666 (upstreams: 12389 9002), 
 > 185.87.48.0/22      from AS: 48666 (upstreams: 12389 9002), 
 > 185.117.152.0/22    from AS: 48666 (upstreams: 12389 9002), 
 > 185.125.216.0/22    from AS: 48666 (upstreams: 12389 9002), 

 > 185.125.228.0/22    from AS: 48666 (upstreams: 12389 9002), 

	... except for this one above, which seems to be home to two of
	MAROSNET's own three MXes:

mail.marosnet.ru.	IN	A	94.142.136.5
mx1.marosnet.ru.	IN	A	185.125.229.7
mx2.marosnet.ru.	IN	A	185.125.229.19

 > 193.106.96.0/22     from AS: 48666 (upstreams: 12389 9002), 
 > 193.124.176.0/20    from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.192.0/23     from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.194.0/24     from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.196.0/22     from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.200.0/21     from AS: 48666 (upstreams: 12389 9002), 
 > 194.67.208.0/20     from AS: 48666 (upstreams: 12389 9002), 

	... So far, only a single message got through the filter
	(one from 94.142.140.44, boedze@vector2000.ru), and the
	following IPs (which I've happily added to the 'dropemall'
	ipset(8) list where missing) have shown up in kern.log:

    185.117.153.120	basf-rus.ru.
    185.117.154.30	kogorta-k.ru.
    185.125.216.210	goward.ru.
    185.87.51.68	rti-travel.ru.
    193.124.176.209	kaminfo.ru.
    193.124.180.126	artel-site.ru.
    193.124.180.206	gtp-ufa.ru.
    193.124.181.229	nordmor.ru.
    193.124.182.45	mpeg-imx.ru.
    193.124.183.150	agcher.ru.
    193.124.184.229	whdent.ru.
    193.124.186.205	google.com.		2016-10-16 22:33:39 UTC
    193.124.189.173	ostankinomedia.ru.
    193.124.190.246	vakpk.ru.
    193.124.190.38	sale-4u.ru.
    194.67.210.202	threeality.ru.

	Now, 193.124.186.205 looks suspicious, as it shows up only once,
	and I could hardly believe that such a PTR record would be used
	by someone who has purchased that many of "valid" domains for
	pretty much spam-only purposes.

	Finally, the "unwanted correspondence" list for the last week
	got five more entries, ending up as follows.

2016W41	hdyuhpi@artel-site.ru [193.124.180.126]
	qiluc@pampersklub.ru [185.125.216.105]
	xjqhkx@mpeg-imx.ru [193.124.182.45]
	xjld@jclan.ru [185.125.216.249]
	jrefn@cybernsk.ru [194.67.196.156]
	qnwdsl@kbidea.ru [194.67.196.163]
	wapeptz@cybernsk.ru [194.67.196.156]
	qqgbk@avtotera.ru [185.125.217.100]
	jlotfa@vakpk.ru [193.124.190.246]
	meiah@goward.ru [185.125.216.210]
	lphcpx@ostankinomedia.ru [193.124.189.173]
	uepowel@rti-travel.ru [185.87.51.68]
	imyasa@mig-spb.ru [185.87.51.23]
	ebeor@ostankinomedia.ru [193.124.189.173]
	sbd@ooo-angara.ru [193.124.190.212]
	xjdokr@vakpk.ru [193.124.190.246]
	ivyrg@goward.ru [185.125.216.210]
	spdsrz@sale-4u.ru [193.124.190.38]
	orf@tu134.ru [185.117.152.30]

-- 
FSF associate member #7257  58F8 0F47 53F5 2EB2 F6A5  8916 3013 B6A0 230E 334A
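The post above works from three lists: the prefixes announced by AS48666, the
sender IPs seen in the mail log, and the provider's own MX addresses that a
network-wide REJECT must not cut off.  The following is an added example (not
part of the original post, nor any tool the poster uses) that ties those three
together offline: it extracts the IPs from "unwanted correspondence" style
lines, maps each to the most specific announced prefix, excludes any prefix
that contains one of the MXes (those IPs go to the per-host 'dropemall' set
instead), and renders the matching ipset(8) add commands.  It also builds the
reversed-octet query name for a DNSBL zone such as dnsbl-1.uceprotect.net
without performing the lookup.  The prefix and MX lists are copied from the
post; the sample log lines are constructed here, and the 192.0.2.10 address is
a documentation (TEST-NET-1) address used only to show the "outside any
announced prefix" case.

```python
"""Aggregate spam-source IPs by announced prefix and emit ipset(8) commands.

Added example, not from the original post.  The prefix and MX lists below are
taken from the post; SAMPLE is constructed input in the post's own format.
"""
import ipaddress
import re
from collections import Counter

# Prefixes announced by AS48666 per the quoted route table (the 13 networks the
# poster added to 'rejectnet', plus the two that hold MAROSNET's own MXes).
ANNOUNCED = [ipaddress.ip_network(p) for p in (
    "94.142.136.0/21", "185.5.248.0/22", "185.58.204.0/22", "185.87.48.0/22",
    "185.117.152.0/22", "185.125.216.0/22", "185.125.228.0/22",
    "193.106.96.0/22", "193.124.176.0/20", "194.67.192.0/23",
    "194.67.194.0/24", "194.67.196.0/22", "194.67.200.0/21", "194.67.208.0/20",
)]

# Hosts that must stay reachable (the provider's MXes, so abuse reports can
# still be answered).  A prefix containing one of these is never rejected.
PROTECTED = [ipaddress.ip_address(a) for a in
             ("94.142.136.5", "185.125.229.7", "185.125.229.19")]

# Constructed sample in the post's "unwanted correspondence" format.
SAMPLE = """\
2016W41\thdyuhpi@artel-site.ru [193.124.180.126]
\tjrefn@cybernsk.ru [194.67.196.156]
\twapeptz@cybernsk.ru [194.67.196.156]
\tqqgbk@avtotera.ru [185.125.217.100]
\tboedze@vector2000.ru [94.142.140.44]
\tnobody@example.net [192.0.2.10]
"""

ENTRY_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_entries(text):
    """Extract the bracketed sender IPs from lines like 'user@host [192.0.2.1]'."""
    return [ipaddress.ip_address(m.group(1)) for m in ENTRY_RE.finditer(text)]


def longest_match(ip, prefixes):
    """Most specific prefix in 'prefixes' that contains ip, or None."""
    hits = [p for p in prefixes if ip in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None


def plan(text, announced=ANNOUNCED, protected=PROTECTED, threshold=1):
    """Decide what to block.

    Returns (reject_nets, drop_ips, skipped): announced prefixes with at least
    'threshold' hits to add to the hash:net set; IPs whose prefix also holds a
    protected host, to be dropped per-host instead; and IPs outside every
    announced prefix, which the caller must attribute some other way.
    """
    counts = Counter()
    drop_ips = set()
    skipped = []
    for ip in parse_entries(text):
        net = longest_match(ip, announced)
        if net is None:
            skipped.append(ip)
        elif any(h in net for h in protected):
            drop_ips.add(ip)
        else:
            counts[net] += 1
    reject = sorted((n for n, c in counts.items() if c >= threshold),
                    key=lambda n: (n.network_address, n.prefixlen))
    return reject, sorted(drop_ips), skipped


def ipset_commands(reject, drop_ips, reject_set="rejectnet", drop_set="dropemall"):
    """Render 'ipset add' lines for the two sets defined in the post.

    '-exist' makes re-adding a present entry a no-op (and refreshes its timeout).
    """
    lines = [f"ipset add {reject_set} {n} -exist" for n in reject]
    lines += [f"ipset add {drop_set} {ip} -exist" for ip in drop_ips]
    return lines


def dnsbl_name(ip, zone):
    """Query name for an IPv4 address under a DNSBL zone (octets reversed).

    Only builds the name; resolving it is left to the MTA or a resolver call.
    """
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    reject, drop, skipped = plan(SAMPLE)
    for line in ipset_commands(reject, drop):
        print(line)
    for ip in skipped:
        print(f"# {ip}: not in any announced prefix; check {dnsbl_name(ip, 'dnsbl-1.uceprotect.net')}")
```

With the sample input, 94.142.140.44 lands in 94.142.136.0/21 together with
mail.marosnet.ru and so is emitted as a per-host drop rather than a /21
reject; raising 'threshold' to 2 keeps only the prefix that produced two
separate senders (194.67.196.0/22).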



Thread

SPF? DKIM? spammers can do them too Ivan Shmakov <ivan@siamics.net> - 2016-10-04 16:12 +0000
  Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-05 19:29 -0500
    Re: SPF? DKIM? spammers can do them too Ivan Shmakov <ivan@siamics.net> - 2016-10-07 16:55 +0000
      Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-07 20:29 -0500
  Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-07 20:53 -0500
    Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-07 21:09 -0500
    Re: SPF? DKIM? spammers can do them too Ivan Shmakov <ivan@siamics.net> - 2016-10-14 17:50 +0000
      Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-14 15:21 -0500
        spam from MAROSNET (AS48666) networks Ivan Shmakov <ivan@siamics.net> - 2016-10-19 15:35 +0000
          spam from MAROSNET (AS48666) and GMHOST-NET (AS201094) networks Ivan Shmakov <ivan@siamics.net> - 2016-11-10 17:10 +0000
