
Re: SPF? DKIM? spammers can do them too

From David Ritz <dritz@mindspring.com>
Newsgroups comp.mail.misc, news.admin.net-abuse.email
Subject Re: SPF? DKIM? spammers can do them too
Date 2016-10-14 15:21 -0500
Organization SpamBusters!
Message-ID <alpine.OSX.2.20.1610141455570.69265@mako.ath.cx> (permalink)
References <87vax8xfdm.fsf@violet.siamics.net> <alpine.OSX.2.20.1610072041240.6800@mako.ath.cx> <87twce6crf.fsf@violet.siamics.net>



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, 14 October 2016 17:50 -0000, 
 in article <87twce6crf.fsf@violet.siamics.net>, 
 Ivan Shmakov <ivan@siamics.net> wrote:

> David Ritz <dritz@mindspring.com> writes:

> [...]

>> I stripped out the domain names and sorted by unique IP addresses. 
>> By looking at the source IPs, one begins to see clearer patterns.

> [...]

>> route:          194.67.208.0/20
>> descr:          MAROSNET Telecommunication Company Network
>> origin:         AS48666

>   Yes.  That was the reason I've tried to contact their abuse@ 
>   department earlier.

>> My observations suggest that MAROSNET Telecommunication Company 
>> Network is running some large scale snowshoe spam hosting services.

>   Given the sheer number of IPs, and also that my prior email 
>   resulted in no response, that doesn't sound all that unlikely.

There was a reason I included all of the upstream routes announcing 
AS48666: AS9002, AS12389 and AS20485.  Directing your complaints 
upstream, for recalcitrant spam-hosts, is a fairly common and 
sometimes useful technique.

$ whois -h whois.ripe.net -- -B\ AS9002 | grep -i abuse
% Abuse contact for 'AS9002' is 'abuse@retn.net'
remarks:        SPAM and security issues          abuse at retn.net
abuse-c:        RCD1-RIPE
remarks:        trouble:      SPAM and Network security issues:    abuse@retn.net
abuse-mailbox:  abuse@retn.net

$ whois -h whois.ripe.net -- -B\ AS12389 | grep -i abuse
% Abuse contact for 'AS12389' is 'abuse@rt.ru'
abuse-c:        RTNC-RIPE
abuse-mailbox:  ripe@rt.ru
abuse-mailbox:  abuse@rt.ru

$ whois -h whois.ripe.net -- -B\ AS20485 | grep -i abuse
% Abuse contact for 'AS20485' is 'abuse@ttk.ru'
abuse-c:        KTTK-RIPE
remarks:        Spam & Abuse: abuse@ttk.ru
remarks:        Please use abuse@ttk.ru e-mail address
remarks:        for spam and abuse complaints.
abuse-mailbox:  abuse@ttk.ru

>   Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20 
>   about last Saturday, and now added 185.125.216.0/22, 
>   185.87.48.0/22, 193.124.176.0/20 and 194.67.196.0/22, too, to my 
>   ipset(8) configuration.

>   As for the blacklists, I should note that I actually refer to 
>   several in my MTA configuration, although they're used strictly to 
>   decide whether to use graylisting or not.  And indeed, some of 
>   this spam I receive matches the DNSbls I employ, but then ends up 
>   passing the "graylist" test successfully.  (Thus suggesting the 
>   use of a "full-weight" MTA at the remote; which, hopefully, 
>   means some cycles are wasted trying to connect to my firewalled 
>   MX.)

I don't know whether you're using UCEProtect among your DNSbls.  
History suggests their level one (1) listings accurately list spam 
sources, with a particular emphasis on spam hitting European 
locations.  dnsbl-1.uceprotect.net may be a useful addition for your 
purposes. dnsbl-2.uceprotect.net makes a statement about the immediate 
net-neighborhood.  dnsbl-3.uceprotect.net makes yet broader 
statements.

>   On the other hand, some of the messages come from the addresses 
>   /not/ yet blacklisted at the time of delivery.  Perhaps the 
>   chances could be improved by querying more blacklists for the 
>   sender IP, though.

>   Once again, there's the data for the past two weeks.

Thanks, Ivan.

> 2016W41   hdyuhpi@artel-site.ru [193.124.180.126]
>   qiluc@pampersklub.ru [185.125.216.105]
>   xjqhkx@mpeg-imx.ru [193.124.182.45]
>   xjld@jclan.ru [185.125.216.249]
>   jrefn@cybernsk.ru [194.67.196.156]
>   qnwdsl@kbidea.ru [194.67.196.163]
>   wapeptz@cybernsk.ru [194.67.196.156]
>   qqgbk@avtotera.ru [185.125.217.100]
>   jlotfa@vakpk.ru [193.124.190.246]
>   meiah@goward.ru [185.125.216.210]
>   lphcpx@ostankinomedia.ru [193.124.189.173]
>   uepowel@rti-travel.ru [185.87.51.68]
>   imyasa@mig-spb.ru [185.87.51.23]
>   ebeor@ostankinomedia.ru [193.124.189.173]

> 2016W40   nzbhuf@sarvtb.ru [185.58.205.96]
>   hlkkn@proteus-spb.ru [194.67.208.8]
>   rerxboy@kaminfo.ru [193.124.176.209]
>   jaqxujp@r-vl.ru [185.58.206.163]
>   njlcyy@sab-moskau.ru [193.124.190.134]
>   feud@taxi-five.ru [185.58.206.232]
>   pslvslw@uralgsm.ru [185.117.155.168]
>   yukl@nordmor.ru [193.124.181.229]
>   rgmcmxo@whdent.ru [193.124.184.229]
>   itely@whdent.ru [193.124.184.229]
>   vdnu@02info.ru [185.87.49.127]
>   mnweeg@agcher.ru [193.124.183.150]
>   wdoet@fanabe.ru [193.124.181.9]
>   pvv@vapnyar.ru [194.67.197.50]

 # Routes transiting through or originating from AS 48666 :
 
 31.148.99.0/24      from AS: 48666 (upstreams: 12389 9002), 
 91.202.232.0/22     from AS: 48666 (upstreams: 12389 9002), 
 93.170.123.0/24     from AS: 48666 (upstreams: 12389 9002), 
 94.142.136.0/24     from AS: 48666 (upstreams: 12389 9002), 
 94.142.136.0/21     from AS: 48666 (upstreams: 12389 9002), 
 94.142.137.0/24     from AS: 48666 (upstreams: 12389 9002), 
 94.142.143.0/24     from AS: 48666 (upstreams: 12389 9002), 
 95.46.114.0/24      from AS: 48666 (upstreams: 12389 9002), 
 154.16.205.0/24     from AS: 48666 (upstreams: 9002 20485), 
 185.5.248.0/22      from AS: 48666 (upstreams: 12389 9002), 
 185.58.204.0/22     from AS: 48666 (upstreams: 12389 9002), 
 185.87.48.0/22      from AS: 48666 (upstreams: 12389 9002), 
 185.117.152.0/22    from AS: 48666 (upstreams: 12389 9002), 
 185.125.216.0/22    from AS: 48666 (upstreams: 12389 9002), 
 185.125.228.0/22    from AS: 48666 (upstreams: 12389 9002), 
 193.106.96.0/22     from AS: 48666 (upstreams: 12389 9002), 
 193.124.176.0/20    from AS: 48666 (upstreams: 12389 9002), 
 194.67.192.0/23     from AS: 48666 (upstreams: 12389 9002), 
 194.67.194.0/24     from AS: 48666 (upstreams: 12389 9002), 
 194.67.196.0/22     from AS: 48666 (upstreams: 12389 9002), 
 194.67.200.0/21     from AS: 48666 (upstreams: 12389 9002), 
 194.67.208.0/20     from AS: 48666 (upstreams: 12389 9002), 
 
 
 ----------end of routes for AS 48666 -----------

- -- 
David Ritz <dritz@mindspring.com>
 Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlgBPmcACgkQUrwpmRoS3uv5dgCfceUOzBatKwE2j1mt1xKz1ADZ
rHMAn1p8qN+obaNnKFoq8GqtiwBGEHFq
=3d/b
-----END PGP SIGNATURE-----
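The triage David describes (strip the throwaway domains, reduce to unique source IPs, map each IP onto the prefixes AS48666 announces, and then look the survivors up in a DNSBL such as dnsbl-1.uceprotect.net) is mechanical enough to script. The following is an added example written for this archive page; it is not code from David Ritz or Ivan Shmakov. It reuses a handful of the per-week sender lines and eight of the AS48666 prefixes quoted in the post, adds one constructed TEST-NET-2 sender (198.51.100.7) to show what an unrouted address looks like, and builds the reversed-octet DNSBL query name without performing the DNS lookup, so it runs offline.

```python
"""Group spam source IPs by announced prefix and build DNSBL query names.

Added example for the comp.mail.misc thread on snowshoe spam from AS48666.
The sender lines and prefixes below are copied from the post; the
198.51.100.7 line is constructed (RFC 5737 TEST-NET-2) to exercise the
"no matching route" path.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Subset of the routes the post lists for AS48666.  94.142.136.0/21 and its
# more-specific 94.142.136.0/24 both appear, so the lookup must prefer the
# longest matching prefix rather than the first hit.
AS48666_ROUTES = [ipaddress.ip_network(p) for p in (
    "94.142.136.0/21", "94.142.136.0/24",
    "185.58.204.0/22", "185.87.48.0/22", "185.117.152.0/22",
    "185.125.216.0/22", "193.124.176.0/20", "194.67.196.0/22",
    "194.67.208.0/20",
)]

# Constructed input in the same "week  localpart@domain [ip]" layout Ivan
# posted; continuation lines inherit the week of the line above them.
SAMPLE_LOG = """\
2016W41   hdyuhpi@artel-site.ru [193.124.180.126]
  qiluc@pampersklub.ru [185.125.216.105]
  jrefn@cybernsk.ru [194.67.196.156]
  wapeptz@cybernsk.ru [194.67.196.156]
  uepowel@rti-travel.ru [185.87.51.68]
2016W40   nzbhuf@sarvtb.ru [185.58.205.96]
  hlkkn@proteus-spb.ru [194.67.208.8]
  pslvslw@uralgsm.ru [185.117.155.168]
  nobody@example.invalid [198.51.100.7]
"""

LINE_RE = re.compile(
    r"^\s*(?:(\d{4}W\d{2})\s+)?(\S+)@(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s*$"
)


def parse_spam_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse the week/sender/IP lines; unparseable lines are skipped."""
    records = []
    week = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group(1):
            week = m.group(1)          # new week header; later lines inherit it
        records.append({"week": week, "domain": m.group(3), "ip": m.group(4)})
    return records


def longest_match(ip: str, routes) -> Optional[str]:
    """Return the most specific announced prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in routes:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def ips_by_route(records, routes) -> Dict[Optional[str], Set[str]]:
    """Collapse to unique IPs per prefix; key None holds unrouted sources."""
    grouped: Dict[Optional[str], Set[str]] = {}
    for rec in records:
        grouped.setdefault(longest_match(rec["ip"], routes), set()).add(rec["ip"])
    return grouped


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL form: octets reversed, then the list zone appended."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    grouped = ips_by_route(parse_spam_log(SAMPLE_LOG), AS48666_ROUTES)
    for prefix, ips in sorted(grouped.items(), key=lambda kv: str(kv[0])):
        print("%-20s %d unique IP(s)" % (prefix or "(no AS48666 route)", len(ips)))
        for ip in sorted(ips):
            print("    %s  ->  %s" % (ip, dnsbl_query_name(ip, "dnsbl-1.uceprotect.net")))
```

Feeding the real two-week list in gives the same per-prefix view David built by hand, and the generated query names are what an MTA or a `dig`/`host` loop would resolve against the chosen zone; the one constructed address lands under "(no AS48666 route)", which is the bucket to watch for sources that have moved to a new hosting provider.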



Thread

SPF? DKIM? spammers can do them too Ivan Shmakov <ivan@siamics.net> - 2016-10-04 16:12 +0000
  Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-05 19:29 -0500
    Re: SPF? DKIM? spammers can do them too Ivan Shmakov <ivan@siamics.net> - 2016-10-07 16:55 +0000
      Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-07 20:29 -0500
  Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-07 20:53 -0500
    Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-07 21:09 -0500
    Re: SPF? DKIM? spammers can do them too Ivan Shmakov <ivan@siamics.net> - 2016-10-14 17:50 +0000
      Re: SPF? DKIM? spammers can do them too David Ritz <dritz@mindspring.com> - 2016-10-14 15:21 -0500
        spam from MAROSNET (AS48666) networks Ivan Shmakov <ivan@siamics.net> - 2016-10-19 15:35 +0000
          spam from MAROSNET (AS48666) and GMHOST-NET (AS201094) networks Ivan Shmakov <ivan@siamics.net> - 2016-11-10 17:10 +0000
