• SPF? DKIM? spammers can do them too

    From Ivan Shmakov@21:1/5 to All on Tue Oct 4 16:12:21 2016
    XPost: alt.spam, alt.spam.sightings

    To put it short, for about a month, I see a new kind of spam
    coming to (strangely) just one of my (many) mailboxes. This one
    has DKIM-Signature: (and DomainKey-Signature:) headers in place,
    comes from domains with SPF and MX DNS records properly set up,
    and, overall, apart from its "unsolicited nature," looks just
    like legitimate email. (IPs and MAIL FROM: data shown below.)

    There're some characteristics common to all these messages,
    however, hinting at possible "common origin" (be it person,
    organization, or specific software used.) For instance:

    * all the Message-ID: headers follow the same [0-9A-F]{32}@HOST
    pattern;

    * the domains are all under the "ru" ccTLD, and all registered
    via NETHOUSE-RU; also, most were created February or March
    this year, but some (r-vl.ru, sarvtb.ru, sm-1.ru,
    taxi-five.ru) are just a few days old, created on 2016-10-01;

    * all the IPs the messages come from belong to MAROSNET.

    I've sent a letter last week reporting the issue to abuse at
    marosnet dot ru (per the Whois data), but yet to see any
    response.

    Meanwhile, I've configured the firewall to drop any traffic from
    the addresses in question (but also log incoming TCP "SYN"
    connection attempt packets.)

    For those interested, the IPs and MAIL FROM: data is as follows
    (per ISO week.)

    $ gawk '! /\sid=[0-9A-Z]{32}@/ { next; }
    1 {
    "date +%GW%V --date=" $1 "T" $2 | getline key;
    save[key] = save[key] "\t" $5 " " $7 "\n";
    }
    END {
    PROCINFO["sorted_in"] = "@ind_str_desc";
    for (key in save) { print key "\t" save[key]; }
    }' /var/log/exim...
    2016W40 nzbhuf@sarvtb.ru [185.58.205.96]
    hlkkn@proteus-spb.ru [194.67.208.8]
    rerxboy@kaminfo.ru [193.124.176.209]
    jaqxujp@r-vl.ru [185.58.206.163]
    njlcyy@sab-moskau.ru [193.124.190.134]
    feud@taxi-five.ru [185.58.206.232]

    2016W39 bcswvsv@network-asp.ru [194.67.208.143]
    yyl@sinex-real.ru [194.67.208.219]
    sstyqp@network-asp.ru [194.67.208.143]
    yqe@karaaltyn.ru [194.67.210.159]
    qbinq@cameraforme.ru [185.87.48.186]
    maq@lagorta.ru [193.124.191.224]
    szzliot@sinex-real.ru [194.67.208.219]
    iuqdjn@intra-m.ru [94.142.141.60]
    jkety@eureka-service.ru [193.124.186.253]
    vvpxww@karaaltyn.ru [194.67.210.159]
    gylay@sirius-87.ru [194.67.208.224]
    lhhg@eureka-service.ru [193.124.186.253]
    rgi@sinex-real.ru [194.67.208.219]
    qhtlw@karaaltyn.ru [194.67.210.159]
    uavvf@cameraforme.ru [185.87.48.186]
    bue@network-asp.ru [194.67.208.143]
    jmpdlx@lambdafsu.ru [193.124.189.172]
    tgan@biomedex.ru [193.124.189.192]
    zxxemip@kaminfo.ru [193.124.176.209]
    mnvi@lambdafsu.ru [193.124.189.172]
    lcsktjt@sab-moskau.ru [193.124.190.134]
    swsxv@securityprint.ru [185.5.248.60]
    vbqd@sm-1.ru [185.58.206.76]
    kxrjc@ghtersale.ru [194.67.208.7]

    2016W38 pvtll@mtvigroup.ru [194.67.208.216]
    cpdve@php-art.ru [194.67.209.151]
    lhona@sirius-87.ru [194.67.208.224]
    hqphzjp@lagorta.ru [193.124.191.224]
    mewmb@cristallgrad.ru [185.87.48.131]
    dxb@php-art.ru [194.67.209.151]
    zadh@lagorta.ru [193.124.191.224]

    2016W37 bct@butovo-net.ru [194.67.210.18]
    tjlwhlp@carveryachts.ru [85.93.145.29]
    orgf@butovo-net.ru [194.67.210.18]
    luaj@olympus-team.ru [194.67.209.7]
    fagvf@polexpack.ru [194.67.208.220]
    cxjqyrw@polexpack.ru [194.67.208.220]
    uyhtz@siae.ru [194.67.209.56]
    mlfpawb@delst.ru [194.67.208.249]
    jgt@php-art.ru [194.67.209.151]
    fakeb@instaltek.ru [194.67.208.232]

    2016W36 vziykt@tyumfair.ru [194.67.208.60]
    rvn@fordlimo.ru [194.67.208.50]
    kqeoin@r-c-g.ru [194.67.208.101]
    vkf@e-dvd.ru [194.67.210.222]
    mwodhs@lk-prom.ru [194.67.211.17]
    otpqos@avtobogatir.ru [194.67.210.2]

    --
    FSF associate member #7257 58F8 0F47 53F5 2EB2 F6A5 8916 3013 B6A0 230E 334A

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
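An added example, not part of Ivan's post, of the same aggregation written in Python: it keeps only Exim-style "<=" log lines whose Message-ID matches the [0-9A-Z]{32}@ pattern and groups envelope sender and source IP by ISO week, exactly what the gawk one-liner does with `date +%GW%V`. The log lines are constructed, not real log data, and the field layout (date, time, queue id, "<=", sender, H=host, [ip]) is an assumption chosen so that fields 5 and 7 are the sender and IP, as awk's $5 and $7 are in the original; an Exim line with a HELO name in parentheses after H= would shift the IP one field to the right.

```python
# Added example (not from the thread): aggregate Exim-style "<=" log lines whose
# Message-ID matches [0-9A-Z]{32}@host, grouped by ISO week, like the gawk script.
import re
from collections import defaultdict
from datetime import date

# Constructed sample lines in an assumed Exim main-log layout (not real log data).
# Fields: date time queue-id <= sender H=host [ip] P=... S=... id=...
SAMPLE_LOG = """\
2016-10-03 08:12:41 1brA1x-0001aB-Cd <= nzbhuf@sarvtb.ru H=mail.example.invalid [185.58.205.96] P=esmtp S=2310 id=0123456789ABCDEF0123456789ABCDEF@mail.example.invalid
2016-10-03 09:30:02 1brB2y-0002cD-Ef <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtp S=1800 id=a1b2c3@example.org
2016-09-27 14:05:19 1bqZ9z-0003eF-Gh <= bcswvsv@network-asp.ru H=mail.example.invalid [194.67.208.143] P=esmtp S=2400 id=FEDCBA9876543210FEDCBA9876543210@mail.example.invalid
2016-09-28 16:45:00 1bqZ9z-0004gH-Ij <= yyl@sinex-real.ru H=mail.example.invalid [194.67.208.219] P=esmtp S=2411 id=00112233445566778899AABBCCDDEEFF@mail.example.invalid
"""

# Same selector as the gawk script: whitespace, "id=", 32 upper-case hex digits, "@".
HEX32_ID = re.compile(r"\sid=[0-9A-Z]{32}@")


def iso_week_key(day: str) -> str:
    """Return the ISO year/week key that `date +%GW%V` produces, e.g. 2016W40."""
    year, week, _weekday = date.fromisoformat(day).isocalendar()
    return f"{year}W{week:02d}"


def aggregate_by_week(log_text: str) -> dict:
    """Map ISO week -> [(sender, ip), ...] for lines carrying the 32-hex Message-ID."""
    weeks = defaultdict(list)
    for line in log_text.splitlines():
        if not HEX32_ID.search(line):
            continue  # gawk: `! /.../ { next; }`
        fields = line.split()
        # fields[0] = date, fields[4] = envelope sender, fields[6] = "[ip]"
        # (awk $1, $5, $7 under the assumed layout).
        weeks[iso_week_key(fields[0])].append((fields[4], fields[6]))
    return dict(weeks)


def report(log_text: str) -> str:
    """Render newest week first, one sender/IP pair per line, as in the post."""
    weeks = aggregate_by_week(log_text)
    out = []
    for key in sorted(weeks, reverse=True):  # gawk: PROCINFO["sorted_in"] = "@ind_str_desc"
        out.append(key)
        out.extend(f"\t{sender} {ip}" for sender, ip in weeks[key])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The second sample line (a short, non-hex Message-ID) is dropped by the selector, which is the whole point of the filter: the 32-hex-digit pattern is the fingerprint, not the DKIM or SPF status.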
  • From David Ritz@21:1/5 to Ivan Shmakov on Wed Oct 5 19:29:15 2016
    XPost: news.admin.net-abuse.email

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    [ news.admin.net-abuse.email added to cross-post ]
    [ alt.spam stripped as group only sees spam, spam, spam and more spam ]
    [ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie) ]
    [ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz> ]
    [ posted and mailed ]

    On Tuesday, 04 October 2016 16:12 -0000,
    in article <87vax8xfdm.fsf@violet.siamics.net>,
    Ivan Shmakov <ivan@siamics.net> wrote:

    To put it short, for about a month, I see a new kind of spam
    coming to (strangely) just one of my (many) mailboxes. This one
    has DKIM-Signature: (and DomainKey-Signature:) headers in place,
    comes from domains with SPF and MX DNS records properly set up,
    and, overall, apart from its "unsolicited nature," looks just
    like legitimate email. (IPs and MAIL FROM: data shown below.)

    Neither SPF nor DKIM say anything about whether mail is unsolicited
    and bulk. These are forgery abatement measures. The only things
    which might be determined from SPF and DKIM is whether or not mail
    originated via a sender allowed host; nothing more, nothing less.

    There're some characteristics common to all these messages,
    however, hinting at possible "common origin" (be it person,
    organization, or specific software used.) For instance:

    * all the Message-ID: headers follow the same [0-9A-F]{32}@HOST
    pattern;

    * the domains are all under the "ru" ccTLD, and all registered
    via NETHOUSE-RU; also, most were created February or March
    this year, but some (r-vl.ru, sarvtb.ru, sm-1.ru,
    taxi-five.ru) are just a few days old, created on 2016-10-01;

    * all the IPs the messages come from belong to MAROSNET.

    I've sent a letter last week reporting the issue to abuse at
    marosnet dot ru (per the Whois data), but yet to see any
    response.

    Meanwhile, I've configured the firewall to drop any traffic from
    the addresses in question (but also log incoming TCP "SYN"
    connection attempt packets.)

    For those interested, the IPs and MAIL FROM: data is as follows
    (per ISO week.)

    $ gawk '! /\sid=[0-9A-Z]{32}@/ { next; }
    1 {
    "date +%GW%V --date=" $1 "T" $2 | getline key;
    save[key] = save[key] "\t" $5 " " $7 "\n";
    }
    END {
    PROCINFO["sorted_in"] = "@ind_str_desc";
    for (key in save) { print key "\t" save[key]; }
    }' /var/log/exim...

    2016W40 nzbhuf@sarvtb.ru [185.58.205.96]
    hlkkn@proteus-spb.ru [194.67.208.8]
    rerxboy@kaminfo.ru [193.124.176.209]
    jaqxujp@r-vl.ru [185.58.206.163]
    njlcyy@sab-moskau.ru [193.124.190.134]
    feud@taxi-five.ru [185.58.206.232]

    2016W39 bcswvsv@network-asp.ru [194.67.208.143]
    yyl@sinex-real.ru [194.67.208.219]
    sstyqp@network-asp.ru [194.67.208.143]
    yqe@karaaltyn.ru [194.67.210.159]
    qbinq@cameraforme.ru [185.87.48.186]
    maq@lagorta.ru [193.124.191.224]
    szzliot@sinex-real.ru [194.67.208.219]
    iuqdjn@intra-m.ru [94.142.141.60]
    jkety@eureka-service.ru [193.124.186.253]
    vvpxww@karaaltyn.ru [194.67.210.159]
    gylay@sirius-87.ru [194.67.208.224]
    lhhg@eureka-service.ru [193.124.186.253]
    rgi@sinex-real.ru [194.67.208.219]
    qhtlw@karaaltyn.ru [194.67.210.159]
    uavvf@cameraforme.ru [185.87.48.186]
    bue@network-asp.ru [194.67.208.143]
    jmpdlx@lambdafsu.ru [193.124.189.172]
    tgan@biomedex.ru [193.124.189.192]
    zxxemip@kaminfo.ru [193.124.176.209]
    mnvi@lambdafsu.ru [193.124.189.172]
    lcsktjt@sab-moskau.ru [193.124.190.134]
    swsxv@securityprint.ru [185.5.248.60]
    vbqd@sm-1.ru [185.58.206.76]
    kxrjc@ghtersale.ru [194.67.208.7]

    2016W38 pvtll@mtvigroup.ru [194.67.208.216]
    cpdve@php-art.ru [194.67.209.151]
    lhona@sirius-87.ru [194.67.208.224]
    hqphzjp@lagorta.ru [193.124.191.224]
    mewmb@cristallgrad.ru [185.87.48.131]
    dxb@php-art.ru [194.67.209.151]
    zadh@lagorta.ru [193.124.191.224]

    2016W37 bct@butovo-net.ru [194.67.210.18]
    tjlwhlp@carveryachts.ru [85.93.145.29]
    orgf@butovo-net.ru [194.67.210.18]
    luaj@olympus-team.ru [194.67.209.7]
    fagvf@polexpack.ru [194.67.208.220]
    cxjqyrw@polexpack.ru [194.67.208.220]
    uyhtz@siae.ru [194.67.209.56]
    mlfpawb@delst.ru [194.67.208.249]
    jgt@php-art.ru [194.67.209.151]
    fakeb@instaltek.ru [194.67.208.232]

    2016W36 vziykt@tyumfair.ru [194.67.208.60]
    rvn@fordlimo.ru [194.67.208.50]
    kqeoin@r-c-g.ru [194.67.208.101]
    vkf@e-dvd.ru [194.67.210.222]
    mwodhs@lk-prom.ru [194.67.211.17]
    otpqos@avtobogatir.ru [194.67.210.2]

Of those hosts I checked, which still resolve, most are listed by the
psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
smattering of SBLCSS (snowshoe) and Spamcop listings. All indicate
the IP addresses you list are spam sources, where SPF and DKIM say
that the sending domain is authorized to send via these spammer
controlled, dirty IP addresses.

    - --
    David Ritz <dritz@mindspring.com>
    Be kind to animals; kiss a shark.

    -----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlf1mtwACgkQUrwpmRoS3uuG1gCghmkOMFAsvgbZkboHB/787EVN
zI0AoMjLXCG7JjBq/+TS0WOTr8Zy2v2p
    =8wK6
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ivan Shmakov@21:1/5 to All on Fri Oct 7 16:55:09 2016
    XPost: news.admin.net-abuse.email

    David Ritz <dritz@mindspring.com> writes:
    Ivan Shmakov <ivan@siamics.net> wrote:

    [Be warned of a few off-topic bits below.]

    [ news.admin.net-abuse.email added to cross-post ]
    [ alt.spam stripped as group only sees spam, spam, spam and more spam ]

    While I understand the evil of sending spam to a high S/N ratio
    group, the above seems to suggest there's something wrong with
    doing it the other way around. Which is especially strange
    given that (a) n.a.n.email's own S/N doesn't seem all that high,
    and (b) alt.spam occasionally sees a legitimate message, too
    (say, news:o2avsbphgb19dna8fv03b9r79i3dh6qace@4ax.com.)

    (... And also (c) apparently, Aioe blocks crossposts to n.a.n.e;
    presumably due to ongoing abuse?)

    [ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie) ]
    [ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz> ]

    FTP is pretty much obsolete. For one thing, requiring two
    TCP connections per "session" means trouble passing them through
    Tor, NAT, SOCKS, etc. And having three separate transfer modes
    (at the least) doesn't help interoperability, either.

    That said, the same resource is available via HTTP, too:

    http://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz

    [ posted and mailed ]

    Why?

    To put it short, for about a month, I see a new kind of spam coming
    to (strangely) just one of my (many) mailboxes. This one has
    DKIM-Signature: (and DomainKey-Signature:) headers in place, comes
    from domains with SPF and MX DNS records properly set up, and,
    overall, apart from its "unsolicited nature," looks just like
    legitimate email. (IPs and MAIL FROM: data shown below.)

    Neither SPF nor DKIM say anything about whether mail is unsolicited
    and bulk. These are forgery abatement measures. The only things
which might be determined from SPF and DKIM is whether or not mail
originated via a sender allowed host; nothing more, nothing less.

    Yes. Still, both somehow get advertised as "counter-spam"
    measures.

    Not that they fail to work that way: my logs have some
    occurrences of the SPF check yielding a "negative" result, thus
    allowing to reject the incoming message outright. Looks like a
    must for the DNS domains not meant to be used for email at all.

    That said, being able to confirm that the message indeed comes
    from a genuine spam-only domain doesn't seem all that helpful.

    [...]

Of those hosts I checked, which still resolve, most are listed by the
psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
smattering of SBLCSS (snowshoe) and Spamcop listings. All indicate
the IP addresses you list are spam sources,

    ACK, thanks for the pointers.

    where SPF and DKIM say that the sending domain is authorized to send
    via these spammer controlled, dirty IP addresses.

    ... For those interested, here's an update for this week.

    2016W40 nzbhuf@sarvtb.ru [185.58.205.96]
    hlkkn@proteus-spb.ru [194.67.208.8]
    rerxboy@kaminfo.ru [193.124.176.209]
    jaqxujp@r-vl.ru [185.58.206.163]
    njlcyy@sab-moskau.ru [193.124.190.134]
    feud@taxi-five.ru [185.58.206.232]
    pslvslw@uralgsm.ru [185.117.155.168]
    yukl@nordmor.ru [193.124.181.229]
    rgmcmxo@whdent.ru [193.124.184.229]
    itely@whdent.ru [193.124.184.229]
    vdnu@02info.ru [185.87.49.127]
    mnweeg@agcher.ru [193.124.183.150]
    wdoet@fanabe.ru [193.124.181.9]

    FWIW, I hope that whatever software they use to distribute spam
    is /not/ parallelized. That way, the failure of my MTA to
    produce any TCP response whatsoever (thanks to the plain -j DROP
    in the iptables' INPUT chain) would result in at least some 30 s
    delay (that is: their TCP connection timeout) before the next
    address in the list is tried.

    --
    FSF associate member #7257 58F8 0F47 53F5 2EB2 F6A5 8916 3013 B6A0 230E 334A

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From David Ritz@21:1/5 to Ivan Shmakov on Fri Oct 7 20:53:10 2016
    XPost: news.admin.net-abuse.email

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Tuesday, 04 October 2016 16:12 -0000,
    in article <87vax8xfdm.fsf@violet.siamics.net>,
    Ivan Shmakov <ivan@siamics.net> wrote:

    [...]
    2016W40 nzbhuf@sarvtb.ru [185.58.205.96]
    [...]
    2016W39 bcswvsv@network-asp.ru [194.67.208.143]
    [...]
    2016W38 pvtll@mtvigroup.ru [194.67.208.216]
    [...]
    2016W37 bct@butovo-net.ru [194.67.210.18]
    [...]
    2016W36 vziykt@tyumfair.ru [194.67.208.60]
    [...]

    Ivan,

    I stripped out the domain names and sorted by unique IP addresses. By
looking at the source IPs, one begins to see clearer patterns.

    85.93.145.29
    route: 85.93.144.0/20
    descr: SPACENET-RU-144-20
    origin: AS34300

    94.142.141.60
    route: 94.142.136.0/21
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    185.5.248.60
    route: 185.5.248.0/22
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    185.58.205.96
    route: 185.58.204.0/22
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    185.58.206.76
    185.58.206.163
    185.58.206.232
    route: 185.58.204.0/22
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    185.87.48.131
    185.87.48.186
    route: 185.87.48.0/22
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    193.124.176.209
    route: 193.124.176.0/20
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    193.124.186.253
    193.124.189.172
    193.124.189.192
    193.124.190.134
    193.124.191.224
    route: 193.124.176.0/20
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    194.67.208.7
    194.67.208.8
    194.67.208.50
    194.67.208.60
    194.67.208.101
    194.67.208.143
    194.67.208.216
    194.67.208.219
    194.67.208.220
    194.67.208.224
    194.67.208.232
    194.67.208.249
    194.67.209.7
    194.67.209.56
    194.67.209.151
    194.67.210.2
    194.67.210.18
    194.67.210.159
    194.67.210.222
    194.67.211.17
    route: 194.67.208.0/20
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    My observations suggest that MAROSNET Telecommunication Company
    Network is running some large scale snowshoe spam hosting services.

    - --
    David Ritz <dritz@mindspring.com>
    Be kind to animals; kiss a shark.

    -----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlf4UYcACgkQUrwpmRoS3uvSWwCg+Zwx1BYS3m3vGi25kZnFurTu
+nUAoLbZ/2tq/O5tjLk6Ak23Gf63dkBc
    =fBVp
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
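An added example, not from David's post, that does the grouping he did by hand: each source IP from the weekly lists is attributed to the most specific announced route and its origin AS, using the route/AS pairs quoted from whois above. Longest-prefix matching matters because announced prefixes overlap (a /24 inside a /21, for instance), and a naive first-match would credit the wrong announcement. The data is the thread's own; the code and its function names are this example's.

```python
# Added example (not from the thread): attribute source IPs to the most specific
# announced route and origin AS, then count per AS. Routes and IPs are those
# quoted in the thread.
import ipaddress
from collections import defaultdict

# (route, origin AS, description) as quoted from the whois data in the post.
ROUTES = [
    ("85.93.144.0/20", 34300, "SPACENET-RU-144-20"),
    ("94.142.136.0/21", 48666, "MAROSNET Telecommunication Company Network"),
    ("185.5.248.0/22", 48666, "MAROSNET Telecommunication Company Network"),
    ("185.58.204.0/22", 48666, "MAROSNET Telecommunication Company Network"),
    ("185.87.48.0/22", 48666, "MAROSNET Telecommunication Company Network"),
    ("193.124.176.0/20", 48666, "MAROSNET Telecommunication Company Network"),
    ("194.67.208.0/20", 48666, "MAROSNET Telecommunication Company Network"),
]

# Unique source IPs from the weekly lists in the thread.
SOURCE_IPS = [
    "85.93.145.29", "94.142.141.60", "185.5.248.60", "185.58.205.96",
    "185.58.206.76", "185.58.206.163", "185.58.206.232", "185.87.48.131",
    "185.87.48.186", "193.124.176.209", "193.124.186.253", "193.124.189.172",
    "193.124.189.192", "193.124.190.134", "193.124.191.224", "194.67.208.7",
    "194.67.208.8", "194.67.208.50", "194.67.208.60", "194.67.208.101",
    "194.67.208.143", "194.67.208.216", "194.67.208.219", "194.67.208.220",
    "194.67.208.224", "194.67.208.232", "194.67.208.249", "194.67.209.7",
    "194.67.209.56", "194.67.209.151", "194.67.210.2", "194.67.210.18",
    "194.67.210.159", "194.67.210.222", "194.67.211.17",
]


def build_table(routes):
    """Parse route strings once; longest prefixes first so the most specific match wins."""
    table = [(ipaddress.ip_network(r), asn, descr) for r, asn, descr in routes]
    return sorted(table, key=lambda t: t[0].prefixlen, reverse=True)


def lookup(ip, table):
    """Return (route, asn, descr) of the most specific covering route, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn, descr in table:
        if addr in net:
            return str(net), asn, descr
    return None


def group_by_route(ips, routes):
    """Map (route, asn) -> IPs sorted numerically; unrouted IPs go under ("unrouted", None)."""
    table = build_table(routes)
    groups = defaultdict(list)
    for ip in ips:
        hit = lookup(ip, table)
        key = ("unrouted", None) if hit is None else (hit[0], hit[1])
        groups[key].append(ip)
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in groups.items()}


def count_by_asn(ips, routes):
    """Number of listed source IPs per origin AS (None = no covering route)."""
    counts = defaultdict(int)
    for (_route, asn), members in group_by_route(ips, routes).items():
        counts[asn] += len(members)
    return dict(counts)


if __name__ == "__main__":
    for (route, asn), members in group_by_route(SOURCE_IPS, ROUTES).items():
        print(f"{route:18} AS{asn}: {len(members)} IPs")
    print(count_by_asn(SOURCE_IPS, ROUTES))
```

With the thread's data this yields one IP under AS34300 and thirty-four under AS48666, which is the "clearer pattern" David points at: blocking per domain chases an unlimited supply of names, whereas the route table shows a small number of announcements to which every source belongs.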
  • From David Ritz@21:1/5 to Ivan Shmakov on Fri Oct 7 20:29:13 2016
    XPost: news.admin.net-abuse.email

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Friday, 07 October 2016 16:55 -0000,
    in article <87twco6qvm.fsf@violet.siamics.net>,
    Ivan Shmakov <ivan@siamics.net> wrote:

    David Ritz <dritz@mindspring.com> writes:

    Ivan Shmakov <ivan@siamics.net> wrote:

    [Be warned of a few off-topic bits below.]

    [ news.admin.net-abuse.email added to cross-post ]
    [ alt.spam stripped as group only sees spam, spam, spam and more spam ]

    While I understand the evil of sending spam to a high S/N ratio
    group, the above seems to suggest there's something wrong with
    doing it the other way around. Which is especially strange given
    that (a) n.a.n.email's own S/N doesn't seem all that high, and (b)
    alt.spam occasionally sees a legitimate message, too (say,
    news:o2avsbphgb19dna8fv03b9r79i3dh6qace@4ax.com.)

    See <news:alpine.OSX.2.20.1609071541261.17513@mako.ath.cx> (<http://al.howardknight.net/msgid.cgi?ID=147588564000>).

    Per my recollection, that makes two (2) legitimate posts to alt.spam,
    within the past four to five years.

    (... And also (c) apparently, Aioe blocks crossposts to n.a.n.e;
    presumably due to ongoing abuse?)

    Paolo has his hands full, in running an open NNTP server, while
    attempting to minimize actual net-abuse. Disallowing cross-posts to
    certain groups is one option to which he may turn.

    [ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie) ]
    [ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz> ]

    FTP is pretty much obsolete. For one thing, requiring two
    TCP connections per "session" means trouble passing them through
    Tor, NAT, SOCKS, etc. And having three separate transfer modes
    (at the least) doesn't help interoperability, either.

    That said, the same resource is available via HTTP, too:

    http://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz

    Thanks, I've updated lynx_bookmarks.html accordingly.

    [ posted and mailed ]

    Why?

    You're the one posting to (d) a bogus newsgroup
    (alt.spam.sightings[*]), which has seen a total of eighty two (82)
    posts, since it was created with a bogus cmsg message, from an
    habitual network abuser, nearly eight (8) years ago; (e) alt.spam, a
    newsgroup in which posters use Usenet as a write only medium, in which
one is lucky to find anything even close to topical more than once a
    decade; and (f) comp.mail.misc, which is a group with so little
    traffic, I wanted to make sure you at least saw my response. Within
    the past year or so, most posts to comp.mail.misc are Italian mission
    spam.

    To put it short, for about a month, I see a new kind of spam
    coming to (strangely) just one of my (many) mailboxes. This one
    has DKIM-Signature: (and DomainKey-Signature:) headers in place,
    comes from domains with SPF and MX DNS records properly set up,
    and, overall, apart from its "unsolicited nature," looks just like
    legitimate email. (IPs and MAIL FROM: data shown below.)

    Neither SPF nor DKIM say anything about whether mail is unsolicited
    and bulk. These are forgery abatement measures. The only things
    which might be determined from SPF and DKIM is whether or not mail
    originated via a sender allowed host; nothing more, nothing less.

    Yes. Still, both somehow get advertised as "counter-spam"
    measures.

    To the best of my knowledge, both SPF and DKIM counter spam which uses
    forged sender information. It has no effect on anything else.

    See <https://wordtothewise.com/?s=SPF>
    <https://wordtothewise.com/?s=DKIM>
    <https://wordtothewise.com/?s=DMARC>

    Not that they fail to work that way: my logs have some occurrences
    of the SPF check yielding a "negative" result, thus allowing to
    reject the incoming message outright. Looks like a must for the
    DNS domains not meant to be used for email at all.

    That said, being able to confirm that the message indeed comes
    from a genuine spam-only domain doesn't seem all that helpful.

That said, being able to confirm that the message comes from IP
    addresses which are sending spam, using an unlimited number of domain
    names, may be highly useful. That is where DNSbls come into play.

    [...]

Of those hosts I checked, which still resolve, most are listed by the
    psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
    smattering of SBLCSS (snowshoe) and Spamcop listings. All indicate
    the IP addresses you list are spam sources,

    ACK, thanks for the pointers.

    where SPF and DKIM say that the sending domain is authorized to send
    via these spammer controlled, dirty IP addresses.

    ... For those interested, here's an update for this week.

    2016W40 nzbhuf@sarvtb.ru [185.58.205.96]
    185.58.205.96 sarvtb.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
Listed in PSBL, see http://psbl.org/listing?ip=185.58.205.96
185.58.205.96 sarvtb.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 185.58.205.96 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=185.58.205.96

    hlkkn@proteus-spb.ru [194.67.208.8]
    194.67.208.8 proteus-spb.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
Listed in PSBL, see http://psbl.org/listing?ip=194.67.208.8
194.67.208.8 proteus-spb.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 194.67.208.8 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=194.67.208.8

    rerxboy@kaminfo.ru [193.124.176.209]
    193.124.176.209 kaminfo.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
Listed in PSBL, see http://psbl.org/listing?ip=193.124.176.209
193.124.176.209 kaminfo.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?193.124.176.209
193.124.176.209 kaminfo.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 193.124.176.209 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=193.124.176.209

    jaqxujp@r-vl.ru [185.58.206.163]
    185.58.206.163 r-vl.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
Listed in PSBL, see http://psbl.org/listing?ip=185.58.206.163
185.58.206.163 r-vl.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 185.58.206.163 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=185.58.206.163

    njlcyy@sab-moskau.ru [193.124.190.134]
    193.124.190.134 sab-moskau.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
Listed in PSBL, see http://psbl.org/listing?ip=193.124.190.134
193.124.190.134 sab-moskau.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?193.124.190.134
193.124.190.134 sab-moskau.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 193.124.190.134 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=193.124.190.134

    feud@taxi-five.ru [185.58.206.232]
    185.58.206.232 taxi-five.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
185.58.206.232 taxi-five.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 185.58.206.232 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=185.58.206.232

    pslvslw@uralgsm.ru [185.117.155.168]
185.117.155.168 uralgsm.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 185.117.155.168 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=185.117.155.168

    yukl@nordmor.ru [193.124.181.229]
    193.124.181.229 nordmor.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
    193.124.181.229 nordmor.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
Listed in PSBL, see http://psbl.org/listing?ip=193.124.181.229
193.124.181.229 nordmor.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?193.124.181.229
193.124.181.229 nordmor.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 193.124.181.229 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=193.124.181.229

    rgmcmxo@whdent.ru [193.124.184.229]
    193.124.184.229 whdent.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
    193.124.184.229 whdent.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
Listed in PSBL, see http://psbl.org/listing?ip=193.124.184.229
193.124.184.229 whdent.ru : ix.dnsbl.manitu.net : BLOCKED (127.0.0.2)
    Your e-mail service was detected by mail.ixlab.de (NiX Spam) as
    spamming at Fri, 07 Oct 2016 23:39:23 +0200. Your admin
    should visit
http://www.dnsbl.manitu.net/lookup.php?value=193.124.184.229
193.124.184.229 whdent.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?193.124.184.229
193.124.184.229 whdent.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 193.124.184.229 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=193.124.184.229

    itely@whdent.ru [193.124.184.229]
    193.124.184.229 whdent.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
    193.124.184.229 whdent.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
Listed in PSBL, see http://psbl.org/listing?ip=193.124.184.229
193.124.184.229 whdent.ru : ix.dnsbl.manitu.net : BLOCKED (127.0.0.2)
    Your e-mail service was detected by mail.ixlab.de (NiX Spam) as
    spamming at Fri, 07 Oct 2016 23:39:23 +0200. Your admin
    should visit
http://www.dnsbl.manitu.net/lookup.php?value=193.124.184.229
193.124.184.229 whdent.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?193.124.184.229
193.124.184.229 whdent.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 193.124.184.229 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=193.124.184.229

    vdnu@02info.ru [185.87.49.127]
    185.87.49.127 02info.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
    185.87.49.127 02info.ru : bl.spamcop.net : BLOCKED (127.0.0.2)
    Blocked - see http://www.spamcop.net/bl.shtml?185.87.49.127
    185.87.49.127 02info.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
    Listed in PSBL, see http://psbl.org/listing?ip=185.87.49.127
    185.87.49.127 02info.ru : ix.dnsbl.manitu.net : BLOCKED (127.0.0.2)
    Your e-mail service was detected by test.port25.me (NiX Spam) as
    spamming at Fri, 07 Oct 2016 20:25:53 +0200. Your admin
    should visit
http://www.dnsbl.manitu.net/lookup.php?value=185.87.49.127
185.87.49.127 02info.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?185.87.49.127
    185.87.49.127 02info.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 185.87.49.127 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=185.87.49.127

    mnweeg@agcher.ru [193.124.183.150]
    193.124.183.150 agcher.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
    193.124.183.150 agcher.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
Listed in PSBL, see http://psbl.org/listing?ip=193.124.183.150
193.124.183.150 agcher.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?193.124.183.150
    193.124.183.150 agcher.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 193.124.183.150 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=193.124.183.150

    wdoet@fanabe.ru [193.124.181.9]
    193.124.181.9 fanabe.ru : zen.spamhaus.org : BLOCKED (127.0.0.3)
    https://www.spamhaus.org/sbl/query/SBLCSS
    193.124.181.9 fanabe.ru : bl.spamcop.net : BLOCKED (127.0.0.2)
    Blocked - see http://www.spamcop.net/bl.shtml?193.124.181.9
    193.124.181.9 fanabe.ru : psbl.surriel.com : BLOCKED (127.0.0.2)
    Listed in PSBL, see http://psbl.org/listing?ip=193.124.181.9
    193.124.181.9 fanabe.ru : dnsbl.sorbs.net : BLOCKED (127.0.0.6)
    Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?193.124.181.9
    193.124.181.9 fanabe.ru : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
    IP 193.124.181.9 is UCEPROTECT-Level 1 listed. See
    http://www.uceprotect.net/rblcheck.php?ipr=193.124.181.9

    FWIW, I hope that whatever software they use to distribute spam
    is /not/ parallelized. That way, the failure of my MTA to
    produce any TCP response whatsoever (thanks to the plain -j DROP
    in the iptables' INPUT chain) would result in at least some 30 s
    delay (that is: their TCP connection timeout) before the next
    address in the list is tried.

    HTH.

[*] alt.spam.sightings is not on the active lists of four out of the
six NNTP services to which I subscribe, suggesting that it appears only
on servers running largely on autopilot.

    - --
    David Ritz <dritz@mindspring.com>
    Be kind to animals; kiss a shark.

    -----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlf4S+oACgkQUrwpmRoS3uu9MwCgtw6pEYgdgQLRnsQ2TtRhIawJ
a6MAmwbFVCqdzzCNrFIeok/W2MWyOBqa
    =nzKg
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
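An added example, not code from either poster, that makes the distinction drawn in this thread concrete: David's point that SPF and DKIM only tell you whether the connecting host is one the sending domain authorized, and his DNSBL output above showing that the same hosts are listed as spam sources. The SPF evaluator is a deliberately minimal subset (ip4: mechanisms and a trailing -all/~all/?all only; a real check follows RFC 7208 and handles include:, a, mx, redirect=, and the DNS lookup limit). The DNS answers are an offline stub constructed for the example, modelled on the return codes in the output above (127.0.0.2 for PSBL and UCEPROTECT, 127.0.0.3 for zen.spamhaus.org = SBL CSS); the SPF record attributed to sarvtb.ru is constructed, not the domain's real record, and nothing here touches the network.

```python
# Added example (not from the thread): SPF pass versus DNSBL listing, as a
# receiving MTA might combine them. All DNS data below is a constructed stub.
import ipaddress

# --- constructed stub DNS --------------------------------------------------
# TXT records: what the sending domain claims about itself (SPF).
STUB_TXT = {
    "sarvtb.ru": "v=spf1 ip4:185.58.204.0/22 -all",  # constructed: authorizes its hosting range
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "nomail.example": "v=spf1 -all",                  # domain never meant to send mail
}
# A records for DNSBL query names (reversed octets + zone); value = listing code.
STUB_A = {
    "96.205.58.185.psbl.surriel.com": "127.0.0.2",
    "96.205.58.185.dnsbl-1.uceprotect.net": "127.0.0.2",
    "232.206.58.185.zen.spamhaus.org": "127.0.0.3",
}

DEFAULT_ZONES = ("zen.spamhaus.org", "psbl.surriel.com", "dnsbl-1.uceprotect.net")
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 185.58.205.96 -> 96.205.58.185.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_check(ip: str, zone: str, resolve_a=STUB_A.get):
    """Return the listing code (e.g. '127.0.0.2') or None when not listed."""
    answer = resolve_a(dnsbl_query_name(ip, zone))
    # Only answers inside 127.0.0.0/8 are listings; anything else means a
    # broken, wildcarded or hijacked zone and must not count as a hit.
    if answer and ipaddress.IPv4Address(answer) in LOOPBACK:
        return answer
    return None


def spf_check(domain: str, ip: str, resolve_txt=STUB_TXT.get) -> str:
    """Minimal SPF: 'pass' on a matching ip4: term, else the result of the all term."""
    record = resolve_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def policy(mail_from_domain: str, ip: str, zones=DEFAULT_ZONES):
    """Decide on a sender: SPF fail rejects outright; SPF pass still consults the DNSBLs."""
    spf = spf_check(mail_from_domain, ip)
    if spf == "fail":
        return "reject", f"SPF fail for {mail_from_domain}"
    listings = {}
    for zone in zones:
        code = dnsbl_check(ip, zone)
        if code:
            listings[zone] = code
    if listings:
        return "reject", f"SPF {spf}, listed in " + ", ".join(listings)
    return "accept", f"SPF {spf}, not listed"


if __name__ == "__main__":
    print(policy("sarvtb.ru", "185.58.205.96"))      # SPF passes, DNSBLs reject
    print(policy("nomail.example", "192.0.2.1"))     # "-all" domain: SPF fail, rejected outright
    print(policy("example.org", "192.0.2.10"))       # SPF pass, clean: accepted
```

The first call is the situation in the thread: the domain's own record vouches for the host, so SPF passes, and the decision has to come from reputation data about the IP instead. The second is the case Ivan describes as a must for domains not meant to send mail: a "v=spf1 -all" record lets the receiver reject forged use of the name before any content is seen.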
  • From David Ritz@21:1/5 to David Ritz on Fri Oct 7 21:09:25 2016
    XPost: news.admin.net-abuse.email

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Friday, 07 October 2016 20:53 -0500,
    in article <alpine.OSX.2.20.1610072041240.6800@mako.ath.cx>,
    David Ritz <dritz@mindspring.com> wrote:

    Ivan,

I stripped out the domain names and sorted by unique IP addresses. By
looking at the source IPs, one begins to see clearer patterns.

    85.93.145.29
    route: 85.93.144.0/20
    descr: SPACENET-RU-144-20
    origin: AS34300

    94.142.141.60
    route: 94.142.136.0/21
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666
    [...]
    route: 194.67.208.0/20
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    My observations suggest that MAROSNET Telecommunication Company
    Network is running some large scale snowshoe spam hosting services.

    $ route-leecher.pl 48666
    # Randomly selected router route-server.exodus.net
    # router route-server.exodus.net not responding, retrying with router route-server.gblx.net
    # Using router route-server.gblx.net
    # Logging into router route-server.gblx.net
    # using command: sh ip bg reg ^.*_48666_.*$
    # Routes transiting through or originating from AS 48666 :

    31.148.99.0/24 from AS: 48666 (upstreams: 12389 9002),
    91.202.232.0/22 from AS: 48666 (upstreams: 12389 9002),
    93.170.123.0/24 from AS: 48666 (upstreams: 12389 9002),
    94.142.136.0/24 from AS: 48666 (upstreams: 12389 9002),
    94.142.136.0/21 from AS: 48666 (upstreams: 12389 9002),
    94.142.137.0/24 from AS: 48666 (upstreams: 12389 9002),
    94.142.143.0/24 from AS: 48666 (upstreams: 12389 9002),
    95.46.114.0/24 from AS: 48666 (upstreams: 12389 9002),
    154.16.205.0/24 from AS: 48666 (upstreams: 9002 20485),
    185.5.248.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.58.204.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.87.48.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.117.152.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.125.216.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.125.228.0/22 from AS: 48666 (upstreams: 12389 9002),
    193.106.96.0/22 from AS: 48666 (upstreams: 12389 9002),
    193.124.176.0/20 from AS: 48666 (upstreams: 12389 9002),
    194.67.192.0/23 from AS: 48666 (upstreams: 12389 9002),
    194.67.194.0/24 from AS: 48666 (upstreams: 12389 9002),
    194.67.196.0/22 from AS: 48666 (upstreams: 12389 9002),
    194.67.200.0/21 from AS: 48666 (upstreams: 12389 9002),
    194.67.208.0/20 from AS: 48666 (upstreams: 12389 9002),


    ----------end of routes for AS 48666 -----------

    $ whois -h whois.radb.net AS48666
    aut-num: AS48666
    as-name: AS-MAROSNET
    descr: Moscow, Russia
    org: ORG-MTCL1-RIPE
    remarks:
    remarks: ------------------------------------
    remarks: MAROSNET Routing Policy
    remarks: ------------------------------------
    remarks:
    remarks: TTK
    import: from AS20485 action pref=100; accept ANY
    export: to AS20485 announce AS-MAROSNET
    mp-import: afi ipv6.unicast from AS20485 action pref=100; accept ANY
    mp-export: afi ipv6.unicast to AS20485 announce AS-MAROSNET
    remarks:
    remarks: RETN
    import: from AS9002 action pref=100; accept ANY
    export: to AS9002 announce AS-MAROSNET
    mp-import: afi ipv6.unicast from AS9002 action pref=100; accept ANY
    mp-export: afi ipv6.unicast to AS9002 announce AS-MAROSNET
    remarks:
    remarks: MSK-IX
    import: from AS8631 action pref=100; accept ANY
    export: to AS8631 announce AS-MAROSNET
    mp-import: afi ipv6.unicast from AS8631 action pref=100; accept ANY
    mp-export: afi ipv6.unicast to AS8631 announce AS-MAROSNET
    remarks:
    remarks: DATA-IX
    import: from AS50952 action pref=100; accept ANY
    export: to AS50952 announce AS-MAROSNET
    mp-import: afi ipv6.unicast from AS50952 action pref=100; accept ANY
    mp-export: afi ipv6.unicast to AS50952 announce AS-MAROSNET
    remarks:
    remarks: CLOUD-IX
    import: from AS29076 action pref=100; accept ANY
    export: to AS29076 announce AS-MAROSNET
    mp-import: afi ipv6.unicast from AS29076 action pref=100; accept ANY
    mp-export: afi ipv6.unicast to AS29076 announce AS-MAROSNET
    remarks:
    remarks: W-IX
    import: from AS50384 action pref=100; accept ANY
    export: to AS50384 announce AS-MAROSNET
    mp-import: afi ipv6.unicast from AS50384 action pref=100; accept ANY
    mp-export: afi ipv6.unicast to AS50384 announce AS-MAROSNET
    remarks:
    remarks: ROSTELECOM
    import: from AS12389 action pref=100; accept ANY
    export: to AS50384 announce AS-MAROSNET
    mp-import: afi ipv6.unicast from AS12389 action pref=100; accept ANY
    mp-export: afi ipv6.unicast to AS12389 announce AS-MAROSNET

    - --
    David Ritz <dritz@mindspring.com>
    Be kind to animals; kiss a shark.

    -----BEGIN PGP SIGNATURE-----

    iEYEARECAAYFAlf4VVUACgkQUrwpmRoS3us9QQCfSTa/nHSpV92NW1ytiY1mMnyh LmcAniHbQq6ZcGGXOchUJWDaNWfGTaLR
    =lsQy
    -----END PGP SIGNATURE-----

  • From Ivan Shmakov@21:1/5 to All on Fri Oct 14 17:50:28 2016
    XPost: news.admin.net-abuse.email

    David Ritz <dritz@mindspring.com> writes:

    [...]

    I stripped out the domain names and sorted by unique IP addresses.
    By looking at the source IPs, one begins to see clearer patterns.

    [...]

    route: 194.67.208.0/20
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    Yes. That was the reason I've tried to contact their abuse@
    department earlier.

    My observations suggest that MAROSNET Telecommunication Company
    Network is running some large scale snowshoe spam hosting services.

    Given the sheer number of IPs, and also that my prior email
    resulted in no response, that doesn't sound all that unlikely.

    Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20
    about last Saturday, and now added 185.125.216.0/22,
    185.87.48.0/22, 193.124.176.0/20 and 194.67.196.0/22, too, to my
    ipset(8) configuration.

    As for the blacklists, I should note that I actually refer to
    several in my MTA configuration, although they're used strictly
    to decide whether to use graylisting or not. And indeed, some
    of this spam I receive matches the DNSbls I employ, but then
    ends up passing the "graylist" test successfully. (Thus
    suggesting the use of a "full-weight" MTA at the remote; which,
    hopefully, means some cycles are wasted trying to connect to
    my firewalled MX.)

    On the other hand, some of the messages come from the addresses
    /not/ yet blacklisted at the time of delivery. Perhaps the
    chances could be improved by querying more blacklists for the
    sender IP, though.

    Once again, there's the data for the past two weeks.

    2016W41 hdyuhpi@artel-site.ru [193.124.180.126]
    qiluc@pampersklub.ru [185.125.216.105]
    xjqhkx@mpeg-imx.ru [193.124.182.45]
    xjld@jclan.ru [185.125.216.249]
    jrefn@cybernsk.ru [194.67.196.156]
    qnwdsl@kbidea.ru [194.67.196.163]
    wapeptz@cybernsk.ru [194.67.196.156]
    qqgbk@avtotera.ru [185.125.217.100]
    jlotfa@vakpk.ru [193.124.190.246]
    meiah@goward.ru [185.125.216.210]
    lphcpx@ostankinomedia.ru [193.124.189.173]
    uepowel@rti-travel.ru [185.87.51.68]
    imyasa@mig-spb.ru [185.87.51.23]
    ebeor@ostankinomedia.ru [193.124.189.173]

    2016W40 nzbhuf@sarvtb.ru [185.58.205.96]
    hlkkn@proteus-spb.ru [194.67.208.8]
    rerxboy@kaminfo.ru [193.124.176.209]
    jaqxujp@r-vl.ru [185.58.206.163]
    njlcyy@sab-moskau.ru [193.124.190.134]
    feud@taxi-five.ru [185.58.206.232]
    pslvslw@uralgsm.ru [185.117.155.168]
    yukl@nordmor.ru [193.124.181.229]
    rgmcmxo@whdent.ru [193.124.184.229]
    itely@whdent.ru [193.124.184.229]
    vdnu@02info.ru [185.87.49.127]
    mnweeg@agcher.ru [193.124.183.150]
    wdoet@fanabe.ru [193.124.181.9]
    pvv@vapnyar.ru [194.67.197.50]

    --
    FSF associate member #7257 58F8 0F47 53F5 2EB2 F6A5 8916 3013 B6A0 230E 334A

  • From David Ritz@21:1/5 to Ivan Shmakov on Fri Oct 14 15:21:58 2016
    XPost: news.admin.net-abuse.email

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Friday, 14 October 2016 17:50 -0000,
    in article <87twce6crf.fsf@violet.siamics.net>,
    Ivan Shmakov <ivan@siamics.net> wrote:

    David Ritz <dritz@mindspring.com> writes:

    [...]

    I stripped out the domain names and sorted by unique IP addresses.
    By looking at the source IPs, one begins to see clearer patterns.

    [...]

    route: 194.67.208.0/20
    descr: MAROSNET Telecommunication Company Network
    origin: AS48666

    Yes. That was the reason I've tried to contact their abuse@
    department earlier.

    My observations suggest that MAROSNET Telecommunication Company
    Network is running some large scale snowshoe spam hosting services.

    Given the sheer number of IPs, and also that my prior email
    resulted in no response, that doesn't sound all that unlikely.

    There was a reason I included all of the upstream routes announcing
    AS48666: AS9002, AS12389 and AS20485. Directing your complaints
    upstream, for recalcitrant spam-hosts, is a fairly common and
    sometimes useful technique.

    $ whois -h whois.ripe.net -- -B\ AS9002 | grep -i abuse
    % Abuse contact for 'AS9002' is 'abuse@retn.net'
    remarks: SPAM and security issues abuse at retn.net
    abuse-c: RCD1-RIPE
    remarks: trouble: SPAM and Network security issues: abuse@retn.net
    abuse-mailbox: abuse@retn.net

    $ whois -h whois.ripe.net -- -B\ AS12389 | grep -i abuse
    % Abuse contact for 'AS12389' is 'abuse@rt.ru'
    abuse-c: RTNC-RIPE
    abuse-mailbox: ripe@rt.ru
    abuse-mailbox: abuse@rt.ru

    $ whois -h whois.ripe.net -- -B\ AS20485 | grep -i abuse
    % Abuse contact for 'AS20485' is 'abuse@ttk.ru'
    abuse-c: KTTK-RIPE
    remarks: Spam & Abuse: abuse@ttk.ru
    remarks: Please use abuse@ttk.ru e-mail address
    remarks: for spam and abuse complaints.
    abuse-mailbox: abuse@ttk.ru

    Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20
    about last Saturday, and now added 185.125.216.0/22,
    185.87.48.0/22, 193.124.176.0/20 and 194.67.196.0/22, too, to my
    ipset(8) configuration.

    As for the blacklists, I should note that I actually refer to
    several in my MTA configuration, although they're used strictly to
    decide whether to use graylisting or not. And indeed, some of
    this spam I receive matches the DNSbls I employ, but then ends up
    passing the "graylist" test successfully. (Thus suggesting the
    use of a "full-weight" MTA at the remote; which, hopefully,
    means some cycles are wasted trying to connect to my firewalled
    MX.)

    I don't know whether you're using UCEProtect among your DNSbls.
    History suggests their level one (1) listings accurately list spam
    sources, with a particular emphasis on spam hitting European
    locations. dnsbl-1.uceprotect.net may be a useful addition for your
    purposes. dnsbl-2.uceprotect.net makes a statement about the
    immediate net-neighborhood. dnsbl-3.uceprotect.net makes yet broader
    statements.

    On the other hand, some of the messages come from the addresses
    /not/ yet blacklisted at the time of delivery. Perhaps the
    chances could be improved by querying more blacklists for the
    sender IP, though.

    Once again, there's the data for the past two weeks.

    Thanks, Ivan.

    2016W41 hdyuhpi@artel-site.ru [193.124.180.126]
    qiluc@pampersklub.ru [185.125.216.105]
    xjqhkx@mpeg-imx.ru [193.124.182.45]
    xjld@jclan.ru [185.125.216.249]
    jrefn@cybernsk.ru [194.67.196.156]
    qnwdsl@kbidea.ru [194.67.196.163]
    wapeptz@cybernsk.ru [194.67.196.156]
    qqgbk@avtotera.ru [185.125.217.100]
    jlotfa@vakpk.ru [193.124.190.246]
    meiah@goward.ru [185.125.216.210]
    lphcpx@ostankinomedia.ru [193.124.189.173]
    uepowel@rti-travel.ru [185.87.51.68]
    imyasa@mig-spb.ru [185.87.51.23]
    ebeor@ostankinomedia.ru [193.124.189.173]

    2016W40 nzbhuf@sarvtb.ru [185.58.205.96]
    hlkkn@proteus-spb.ru [194.67.208.8]
    rerxboy@kaminfo.ru [193.124.176.209]
    jaqxujp@r-vl.ru [185.58.206.163]
    njlcyy@sab-moskau.ru [193.124.190.134]
    feud@taxi-five.ru [185.58.206.232]
    pslvslw@uralgsm.ru [185.117.155.168]
    yukl@nordmor.ru [193.124.181.229]
    rgmcmxo@whdent.ru [193.124.184.229]
    itely@whdent.ru [193.124.184.229]
    vdnu@02info.ru [185.87.49.127]
    mnweeg@agcher.ru [193.124.183.150]
    wdoet@fanabe.ru [193.124.181.9]
    pvv@vapnyar.ru [194.67.197.50]

    # Routes transiting through or originating from AS 48666 :

    31.148.99.0/24 from AS: 48666 (upstreams: 12389 9002),
    91.202.232.0/22 from AS: 48666 (upstreams: 12389 9002),
    93.170.123.0/24 from AS: 48666 (upstreams: 12389 9002),
    94.142.136.0/24 from AS: 48666 (upstreams: 12389 9002),
    94.142.136.0/21 from AS: 48666 (upstreams: 12389 9002),
    94.142.137.0/24 from AS: 48666 (upstreams: 12389 9002),
    94.142.143.0/24 from AS: 48666 (upstreams: 12389 9002),
    95.46.114.0/24 from AS: 48666 (upstreams: 12389 9002),
    154.16.205.0/24 from AS: 48666 (upstreams: 9002 20485),
    185.5.248.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.58.204.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.87.48.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.117.152.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.125.216.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.125.228.0/22 from AS: 48666 (upstreams: 12389 9002),
    193.106.96.0/22 from AS: 48666 (upstreams: 12389 9002),
    193.124.176.0/20 from AS: 48666 (upstreams: 12389 9002),
    194.67.192.0/23 from AS: 48666 (upstreams: 12389 9002),
    194.67.194.0/24 from AS: 48666 (upstreams: 12389 9002),
    194.67.196.0/22 from AS: 48666 (upstreams: 12389 9002),
    194.67.200.0/21 from AS: 48666 (upstreams: 12389 9002),
    194.67.208.0/20 from AS: 48666 (upstreams: 12389 9002),


    ----------end of routes for AS 48666 -----------

    - --
    David Ritz <dritz@mindspring.com>
    Be kind to animals; kiss a shark.

    -----BEGIN PGP SIGNATURE-----

    iEYEARECAAYFAlgBPmcACgkQUrwpmRoS3uv5dgCfceUOzBatKwE2j1mt1xKz1ADZ rHMAn1p8qN+obaNnKFoq8GqtiwBGEHFq
    =3d/b
    -----END PGP SIGNATURE-----

  • From Ivan Shmakov@21:1/5 to All on Wed Oct 19 15:35:54 2016
    XPost: news.admin.net-abuse.email

    David Ritz <dritz@mindspring.com> writes:
    On Friday, 14 October 2016 17:50 -0000, Ivan Shmakov wrote:
    David Ritz <dritz@mindspring.com> writes:

    [...]

    My observations suggest that MAROSNET Telecommunication Company
    Network is running some large scale snowshoe spam hosting services.

    Given the sheer number of IPs, and also that my prior email resulted
    in no response, that doesn't sound all that unlikely.

    There was a reason I included all of the upstream routes announcing
    AS48666: AS9002, AS12389 and AS20485. Directing your complaints
    upstream, for recalcitrant spam-hosts, is a fairly common and
    sometimes useful technique.

    ACK, thanks.

    (Hope that showing all the IPs there that ended up being in some
    well-known DNSbls will help.)

    [...]

    Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20 about
    last Saturday, and now added 185.125.216.0/22, 185.87.48.0/22,
    193.124.176.0/20 and 194.67.196.0/22, too, to my ipset(8)
    configuration.

    I've decided that -j DROP for whole networks may be a tad too
    severe a measure, and introduced a separate -j REJECT blacklist
    for that purpose instead, like:

    ## Sets are created outside iptables; timeouts are in seconds
    ## (0x100000 s is about 12 days for hosts, 0x400000 s about 48 days
    ## for networks), so stale entries expire on their own.
    ## ipset create dropemall hash:ip timeout $((0x100000))
    ## ipset create rejectnet hash:net timeout $((0x400000))
    ## iptables-restore(8) fragment; the two user chains have to exist
    ## before INPUT can jump to them.
    :DROPEMALL - [0:0]
    :REJECTNET - [0:0]
    -A INPUT -m set --match-set dropemall src -j DROPEMALL
    -A INPUT -m set --match-set rejectnet src -j REJECTNET
    ## Log at most 13 hits a minute, then drop silently (no reply at all).
    -A DROPEMALL -m limit --limit 13/min -j LOG
    -A DROPEMALL -j DROP
    ## Same rate-limited log, but answer with an ICMP error so the remote
    ## MTA fails fast instead of waiting for a SYN timeout.
    -A REJECTNET -m limit --limit 13/min -j LOG
    -A REJECTNET -j REJECT --reject-with icmp-admin-prohibited
    ## And similarly for ip6tables(8), with icmp6-adm-prohibited

    As for the blacklists, I should note that I actually refer to
    several in my MTA configuration, although they're used strictly to
    decide whether to use graylisting or not. And indeed, some of this
    spam I receive matches the DNSbls I employ, but then ends up passing
    the "graylist" test successfully. (Thus suggesting the use of a
    "full-weight" MTA at the remote; which, hopefully, means some
    cycles are wasted trying to connect to my firewalled MX.)

    I don't know whether you're using UCEProtect among your DNSbls.
    History suggests their level one (1) listings accurately list spam
    sources, with a particular emphasis on spam hitting European
    locations. dnsbl-1.uceprotect.net may be a useful addition for your
    purposes. dnsbl-2.uceprotect.net makes a statement about the
    immediate net-neighborhood. dnsbl-3.uceprotect.net makes yet broader
    statements.

    ACK, thanks; will try them later.

    [...]

    # Routes transiting through or originating from AS 48666 :

    31.148.99.0/24 from AS: 48666 (upstreams: 12389 9002),
    91.202.232.0/22 from AS: 48666 (upstreams: 12389 9002),
    93.170.123.0/24 from AS: 48666 (upstreams: 12389 9002),
    94.142.136.0/24 from AS: 48666 (upstreams: 12389 9002),
    94.142.136.0/21 from AS: 48666 (upstreams: 12389 9002),
    94.142.137.0/24 from AS: 48666 (upstreams: 12389 9002),
    94.142.143.0/24 from AS: 48666 (upstreams: 12389 9002),
    95.46.114.0/24 from AS: 48666 (upstreams: 12389 9002),
    154.16.205.0/24 from AS: 48666 (upstreams: 9002 20485),

    All the unwanted mail I saw before came from the 13 networks
    below, which I've thus added to my 'rejectnet' set:

    185.5.248.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.58.204.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.87.48.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.117.152.0/22 from AS: 48666 (upstreams: 12389 9002),
    185.125.216.0/22 from AS: 48666 (upstreams: 12389 9002),

    185.125.228.0/22 from AS: 48666 (upstreams: 12389 9002),

    ... except for this one above, which seems to be home to two of
    MAROSNET's own three MXes:

    mail.marosnet.ru. IN A 94.142.136.5
    mx1.marosnet.ru. IN A 185.125.229.7
    mx2.marosnet.ru. IN A 185.125.229.19

    193.106.96.0/22 from AS: 48666 (upstreams: 12389 9002),
    193.124.176.0/20 from AS: 48666 (upstreams: 12389 9002),
    194.67.192.0/23 from AS: 48666 (upstreams: 12389 9002),
    194.67.194.0/24 from AS: 48666 (upstreams: 12389 9002),
    194.67.196.0/22 from AS: 48666 (upstreams: 12389 9002),
    194.67.200.0/21 from AS: 48666 (upstreams: 12389 9002),
    194.67.208.0/20 from AS: 48666 (upstreams: 12389 9002),

    ... So far, only a single message got through the filter
    (one from 94.142.140.44, boedze@vector2000.ru), and the
    following IPs (which I've happily added to the 'dropemall'
    ipset(8) list where missing) have shown up in kern.log:

    185.117.153.120 basf-rus.ru.
    185.117.154.30 kogorta-k.ru.
    185.125.216.210 goward.ru.
    185.87.51.68 rti-travel.ru.
    193.124.176.209 kaminfo.ru.
    193.124.180.126 artel-site.ru.
    193.124.180.206 gtp-ufa.ru.
    193.124.181.229 nordmor.ru.
    193.124.182.45 mpeg-imx.ru.
    193.124.183.150 agcher.ru.
    193.124.184.229 whdent.ru.
    193.124.186.205 google.com. 2016-10-16 22:33:39 UTC
    193.124.189.173 ostankinomedia.ru.
    193.124.190.246 vakpk.ru.
    193.124.190.38 sale-4u.ru.
    194.67.210.202 threeality.ru.

    Now, 193.124.186.205 looks suspicious, as it shows up only once,
    and I could hardly believe that such a PTR record would be used
    by someone who has purchased that many "valid" domains for
    pretty much spam-only purposes.

    Finally, the "unwanted correspondence" list for the last week
    got five more entries, ending up as follows.

    2016W41 hdyuhpi@artel-site.ru [193.124.180.126]
    qiluc@pampersklub.ru [185.125.216.105]
    xjqhkx@mpeg-imx.ru [193.124.182.45]
    xjld@jclan.ru [185.125.216.249]
    jrefn@cybernsk.ru [194.67.196.156]
    qnwdsl@kbidea.ru [194.67.196.163]
    wapeptz@cybernsk.ru [194.67.196.156]
    qqgbk@avtotera.ru [185.125.217.100]
    jlotfa@vakpk.ru [193.124.190.246]
    meiah@goward.ru [185.125.216.210]
    lphcpx@ostankinomedia.ru [193.124.189.173]
    uepowel@rti-travel.ru [185.87.51.68]
    imyasa@mig-spb.ru [185.87.51.23]
    ebeor@ostankinomedia.ru [193.124.189.173]
    sbd@ooo-angara.ru [193.124.190.212]
    xjdokr@vakpk.ru [193.124.190.246]
    ivyrg@goward.ru [185.125.216.210]
    spdsrz@sale-4u.ru [193.124.190.38]
    orf@tu134.ru [185.117.152.30]

    --
    FSF associate member #7257 58F8 0F47 53F5 2EB2 F6A5 8916 3013 B6A0 230E 334A

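    The two bookkeeping steps discussed in the thread, as an added example that is not code posted by either participant: sorting sender IPs onto the AS48666 prefixes from the route-leecher.pl output, excluding any prefix that holds one of the MAROSNET MXes Ivan listed (so it goes to a per-host DROP set rather than a network-wide REJECT set), and building the reversed-octet query name for the UCEProtect zones David suggested. The prefix list, MX addresses and sender lines are copied from the posts above; the "127.0.0.0/8 answer means listed" reading in the last helper is the usual DNSBL convention and is stated here as an assumption. Nothing is resolved or executed: the helpers return command strings and query names for inspection.

```python
"""Sort spam sender IPs into network-wide REJECT and per-host DROP ipsets.

Added example, not code posted in this thread.  The AS48666 prefixes are the
route-leecher.pl output above, the MX addresses are the three Ivan listed,
and the sender lines are the 2016W40 table plus the one message that got
through.  Nothing is resolved or run: dnsbl_query_name() only builds the
query name and ipset_commands() only returns the command strings.
"""
import ipaddress
import re
from collections import defaultdict

AS48666_PREFIXES = [ipaddress.ip_network(p) for p in (
    "31.148.99.0/24", "91.202.232.0/22", "93.170.123.0/24", "94.142.136.0/24",
    "94.142.136.0/21", "94.142.137.0/24", "94.142.143.0/24", "95.46.114.0/24",
    "154.16.205.0/24", "185.5.248.0/22", "185.58.204.0/22", "185.87.48.0/22",
    "185.117.152.0/22", "185.125.216.0/22", "185.125.228.0/22", "193.106.96.0/22",
    "193.124.176.0/20", "194.67.192.0/23", "194.67.194.0/24", "194.67.196.0/22",
    "194.67.200.0/21", "194.67.208.0/20")]

# Provider MX hosts; a prefix holding one must not be REJECTed wholesale, or
# bounces and any reply from abuse@ would be cut off as well.
MAROSNET_MX = [ipaddress.ip_address(a)
               for a in ("94.142.136.5", "185.125.229.7", "185.125.229.19")]

# Sender report lines in the format of Ivan's gawk script (copied from the thread).
SAMPLE_SENDERS = """\
nzbhuf@sarvtb.ru [185.58.205.96]
hlkkn@proteus-spb.ru [194.67.208.8]
rerxboy@kaminfo.ru [193.124.176.209]
jaqxujp@r-vl.ru [185.58.206.163]
njlcyy@sab-moskau.ru [193.124.190.134]
feud@taxi-five.ru [185.58.206.232]
pslvslw@uralgsm.ru [185.117.155.168]
yukl@nordmor.ru [193.124.181.229]
rgmcmxo@whdent.ru [193.124.184.229]
itely@whdent.ru [193.124.184.229]
vdnu@02info.ru [185.87.49.127]
mnweeg@agcher.ru [193.124.183.150]
wdoet@fanabe.ru [193.124.181.9]
pvv@vapnyar.ru [194.67.197.50]
boedze@vector2000.ru [94.142.140.44]
"""
SENDER_RE = re.compile(r"^\s*(\S+@\S+)\s+\[([0-9.]+)\]\s*$")


def parse_senders(text):
    """Return (envelope sender, IPv4Address) pairs; non-matching lines are skipped."""
    return [(m.group(1), ipaddress.ip_address(m.group(2)))
            for m in map(SENDER_RE.match, text.splitlines()) if m]


def longest_match(ip, prefixes):
    """Most specific prefix containing ip, or None (94.142.140.44 -> the /21; no /24 covers it)."""
    ip = ipaddress.ip_address(ip)
    hits = [p for p in prefixes if ip in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None


def plan_blocks(senders, prefixes, mx_hosts):
    """Split senders into networks safe to REJECT and hosts to DROP one by one.

    A network is rejected only if no provider MX sits inside it; the check runs
    over every prefix, so an MX in 94.142.136.0/24 also protects the covering
    /21.  Senders in an MX-bearing prefix, or outside the list, are dropped per host.
    """
    mx_nets = {p for p in prefixes if any(mx in p for mx in mx_hosts)}
    reject_nets, drop_hosts = defaultdict(set), set()
    for _sender, ip in senders:
        net = longest_match(ip, prefixes)
        if net is None or any(ip in p for p in mx_nets):
            drop_hosts.add(ip)
        else:
            reject_nets[net].add(ip)
    return {"reject_nets": {str(n): sorted(map(str, ips)) for n, ips in reject_nets.items()},
            "drop_hosts": sorted(map(str, drop_hosts)),
            "mx_prefixes": sorted(map(str, mx_nets))}


def ipset_commands(plan, reject_set="rejectnet", drop_set="dropemall"):
    """ipset(8) add commands for the plan, using the two set names from the thread."""
    return ([f"ipset add {reject_set} {n}" for n in sorted(plan["reject_nets"])]
            + [f"ipset add {drop_set} {h}" for h in plan["drop_hosts"]])


def dnsbl_query_name(ip, zone="dnsbl-1.uceprotect.net"):
    """Reversed-octet DNSBL name to look up (assumed: an A answer in 127.0.0.0/8 means listed)."""
    return ".".join(reversed(str(ipaddress.ip_address(ip)).split("."))) + "." + zone


if __name__ == "__main__":
    plan = plan_blocks(parse_senders(SAMPLE_SENDERS), AS48666_PREFIXES, MAROSNET_MX)
    for net, hosts in sorted(plan["reject_nets"].items()):
        print(f"{net:18} {len(hosts)} sending host(s)")
    print("per-host drops (MX-bearing or unlisted nets):", plan["drop_hosts"])
    print("\n".join(ipset_commands(plan)))
    print(dnsbl_query_name("193.124.176.209"))
```

    On the sample, the six networks that actually sent mail go to 'rejectnet', while 94.142.140.44 is dropped on its own because 94.142.136.0/21 also contains mail.marosnet.ru; feeding the same parser with a fresh exim log would pick up newly seen hosts the same way.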