This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me
Serge Droz
serge.droz at first.org
Mon May 25 16:19:08 CEST 2020
Hi Martin

Have you tried to contact RU-CERT:
https://www.cert.ru/en/about.shtml

They often are quite helpful.

Best
Serge

On 25.05.20 16:09, Martin Wilhelmi wrote:
> Hey everyone,
>
> I have a conflict with a provider from Russia "Timeweb" AS9123. It seems
> to be hosting a customer who sends spam and uses one of my domains as
> sender.
>
> I got the information via DMARC, RFC 7489 with several mails. This
> provider has an abuse email address. After I contacted them, they
> analyzed my domain, complained about the header of the automatic DMARC
> e-mail from mail.ru <http://mail.ru>, because there an internal host
> distributes it and uses an internal IP address 10/8 according to RFC
> 1918 and so on.
>
> Apparently one does not want to do anything and requests one of these
> e-mails classified as spam sent to @mail.ru.
>
> But this is not provided for in the DMARC protocol, which the provider
> does not 'believe'.
>
> This means I continue to receive emails from Russia telling me that my
> domain is being used by their host to send spam. And the provider writes
> me many e-mails telling me that I have to provide correct facts and that
> nothing else will be done.
>
> Because DMARC emails are not facts and cannot be used as evidence.
>
> Do you have any idea how to deal with this?
>
> I have received 11 DMARC emails from mail.ru <http://mail.ru> regarding
> this host. I have attached the last one here with header:
>
> Return-Path: <dmarc_support at corp.mail.ru <mailto:dmarc_support at corp.mail.ru>>
> Delivered-To: mnin at mnin.de <mailto:mnin at mnin.de>
> Received: from mail.mnin.de ([xxxx])
>     by mail.mnin.de with LMTP
>     id yedWJNMKx14sDAAAuS6XVA
>     (envelope-from <dmarc_support at corp.mail.ru>)
>     for <mnin at mnin.de>; Fri, 22 May 2020 01:12:19 +0200
> Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
>     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>     (No client certificate requested)
>     by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
>     for <mnin at mnin.de>; Fri, 22 May 2020 01:12:18 +0200 (CEST)
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>     d=corp.mail.ru; s=mail;
>     h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type;
>     bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
>     b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
> Received: from [10.161.4.115] (port=48176 helo=60)
>     by relay7.m.smailru.net with esmtp (envelope-from <dmarc_support at corp.mail.ru>)
>     id 1jbuMI-0007Kr-2n
>     for mnin at mnin.de; Fri, 22 May 2020 02:12:14 +0300
> Content-Type: multipart/mixed;
>     boundary="===============1678280035031557895=="
> MIME-Version: 1.0
> Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
>     Report-ID: 25590927945792699841590019200
> From: dmarc_support at corp.mail.ru
> To: mnin at mnin.de
> Message-ID: <dmarc-1590102734 at corp.mail.ru>
> Date: Fri, 22 May 2020 02:12:14 +0300
> Auto-Submitted: auto-generated
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
>     s=dkim; t=1590102738;
>     h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
>     to:to:cc:mime-version:mime-version:content-type:content-type:
>     dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
>     b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
>     VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
>     pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
>     0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
>     dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
> ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
>     b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
>     Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
>     l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
>     VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
>     eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
> ARC-Authentication-Results: i=1;
>     mail.mnin.de;
>     dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
>     spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates
>     94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru
> X-Last-TLS-Session-Version: TLSv1.2
> Authentication-Results: mail.mnin.de;
>     dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
>     dmarc=pass (policy=reject) header.from=corp.mail.ru;
>     spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates
>     94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru
>
> --===============1678280035031557895==
> MIME-Version: 1.0
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: base64
>
> VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=
>
> --===============1678280035031557895==
> Content-Type: application/gzip
> MIME-Version: 1.0
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
>     filename="mail.ru!mnin.de!1590019200!1590105600.xml.gz"
>
> --===============1678280035031557895==--
>
> Decompressed xml is:
>
> <?xml version='1.0' encoding='utf-8'?>
> <feedback>
>   <report_metadata>
>     <org_name>Mail.Ru</org_name>
>     <email>dmarc_support at corp.mail.ru <mailto:dmarc_support at corp.mail.ru></email>
>     <extra_contact_info>http://help.mail.ru/mail-help</extra_contact_info>
>     <report_id>25590927945792699841590019200</report_id>
>     <date_range>
>       <begin>1590019200</begin>
>       <end>1590105600</end>
>     </date_range>
>   </report_metadata>
>   <policy_published>
>     <domain>mnin.de</domain>
>     <adkim>r</adkim>
>     <aspf>r</aspf>
>     <p>none</p>
>     <sp>none</sp>
>     <pct>100</pct>
>   </policy_published>
>   <record>
>     <row>
>       <source_ip>188.225.77.168</source_ip>
>       <count>1</count>
>       <policy_evaluated>
>         <disposition>none</disposition>
>         <dkim>fail</dkim>
>         <spf>fail</spf>
>       </policy_evaluated>
>     </row>
>     <identifiers>
>       <header_from>mnin.de</header_from>
>     </identifiers>
>     <auth_results>
>       <dkim>
>         <domain>ninthhelper.ru</domain>
>         <selector>dnin</selector>
>         <result>pass</result>
>       </dkim>
>       <spf>
>         <domain>ninthhelper.ru</domain>
>         <scope>mfrom</scope>
>         <result>pass</result>
>       </spf>
>     </auth_results>
>   </record>
> </feedback>
>
>
> Cheers,
>
> Martin
>

--
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20200525/429f1173/attachment.sig>
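
The aggregate report quoted in the message can be read programmatically. The following added example (not part of the original e-mail or of any tool named in it) lists the records in which the identities that passed SPF or DKIM do not align with the header_from domain, which is the fact an abuse desk needs. It uses only the Python standard library; `org_domain` is a hypothetical helper that approximates the organizational domain with the last two labels instead of consulting the Public Suffix List.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Report body as quoted in the message; the mail client's "<mailto:...>" residue,
# the XML declaration and fields not used below are left out.
REPORT_XML = (
    "<feedback><report_metadata><report_id>25590927945792699841590019200</report_id>"
    "<date_range><begin>1590019200</begin><end>1590105600</end></date_range>"
    "</report_metadata><policy_published><domain>mnin.de</domain><adkim>r</adkim>"
    "<aspf>r</aspf><p>none</p></policy_published><record><row>"
    "<source_ip>188.225.77.168</source_ip><count>1</count><policy_evaluated>"
    "<disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>"
    "</policy_evaluated></row><identifiers><header_from>mnin.de</header_from>"
    "</identifiers><auth_results><dkim><domain>ninthhelper.ru</domain>"
    "<selector>dnin</selector><result>pass</result></dkim><spf>"
    "<domain>ninthhelper.ru</domain><scope>mfrom</scope><result>pass</result>"
    "</spf></auth_results></record></feedback>"
)

def org_domain(name):
    # Assumption: last two labels. A production check uses the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    # RFC 7489 alignment: "s" needs an exact match, "r" the same organizational domain.
    norm = (lambda d: d.lower()) if mode == "s" else org_domain
    return norm(auth_domain) == norm(header_from)

def unaligned_sources(xml_text):
    """One dict per record where no passing DKIM/SPF identity aligns with header_from."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    modes = {"dkim": pol.findtext("adkim", "r"), "spf": pol.findtext("aspf", "r")}
    rng = root.find("report_metadata/date_range")
    window = [datetime.fromtimestamp(int(rng.findtext(t)), timezone.utc).isoformat()
              for t in ("begin", "end")]
    findings = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        passing = [(m, a.findtext("domain")) for m in ("dkim", "spf")
                   for a in rec.findall(f"auth_results/{m}")
                   if a.findtext("result") == "pass"]
        if any(aligned(d, header_from, modes[m]) for m, d in passing):
            continue  # the sender authenticated as the header_from domain
        findings.append({"source_ip": rec.findtext("row/source_ip"),
                         "count": int(rec.findtext("row/count")),
                         "header_from": header_from, "window_utc": window,
                         "authenticated_as": sorted({d for _, d in passing})})
    return findings
```

For the quoted report this yields a single finding: the source address authenticated as ninthhelper.ru while using mnin.de in the From header, within the one-day reporting window.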