[anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me

Hi Martin

Have you tried t contact RU-CERT: https://www.cert.ru/en/about.shtml

They often are quite helpful.

Best
Serge


On 25.05.20 16:09, Martin Wilhelmi wrote:
> Hey everyone,
> 
> I have a conflict with a provider from Russia "Timeweb" AS9123. It seems
> to be hosting a customer who sends spam and uses one of my domains as
> sender.
> 
> I got the information via DMARC, RFC 7489 with several mails. This
> provider has an abuse email address. After I contacted them, they
> analyzed my domain, complained about the header of the automatic DMARC
> e-mail from mail.ru <http://mail.ru>, because there an internal host
> distributes it and uses an internal IP address 10/8 according to RFC
> 1918 and so on.
> 
> Apparently one does not want to do anything and requests one of these
> e-mails classified as spam sent to @mail.ru.
> 
> But this is not provided for in the DMARC protocol, which the provider
> does not 'believe’.
> 
> This means I continue to receive emails from Russia telling me that my
> domain is being used by their host to send spam. And the provider writes
> me many e-mails telling me that I have to provide correct facts and that
> nothing else will be done.
> 
> Because DMARC emails are not facts and cannot be used as evidence.
> 
> Do you have any idea how to deal with this?
> 
> I have received 11 DMARC emails from mail.ru <http://mail.ru> regarding
> this host. I have attached last one here with header:
> 
> Return-Path: <dmarc_support at corp.mail.ru
> <mailto:dmarc_support at corp.mail.ru>>
> Delivered-To: mnin at mnin.de <mailto:mnin at mnin.de>
> Received: from mail.mnin.de ([xxxx])
> by mail.mnin.de with LMTP
> id yedWJNMKx14sDAAAuS6XVA
> (envelope-from <dmarc_support at corp.mail.ru>)
> for <mnin at mnin.de>; Fri, 22 May 2020 01:12:19 +0200
> Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
> for <mnin at mnin.de>; Fri, 22 May 2020 01:12:18 +0200 (CEST)
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=corp.mail.ru; s=mail;
> h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type;
> bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
> b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
> Received: from [10.161.4.115] (port=48176 helo=60)
> by relay7.m.smailru.net with esmtp (envelope-from
> <dmarc_support at corp.mail.ru>)
> id 1jbuMI-0007Kr-2n
> for mnin at mnin.de; Fri, 22 May 2020 02:12:14 +0300
> Content-Type: multipart/mixed;
> boundary="===============1678280035031557895=="
> MIME-Version: 1.0
> Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
>  Report-ID: 25590927945792699841590019200
> From: dmarc_support at corp.mail.ru
> To: mnin at mnin.de
> Message-ID: <dmarc-1590102734 at corp.mail.ru>
> Date: Fri, 22 May 2020 02:12:14 +0300
> Auto-Submitted: auto-generated
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
> s=dkim; t=1590102738;
> h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
>  to:to:cc:mime-version:mime-version:content-type:content-type:
>  dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
> b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
> VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
> pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
> 0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
> dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
> ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
> b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
> Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
> l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
> VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
> eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
> ARC-Authentication-Results: i=1;
> mail.mnin.de;
> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
> spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates
> 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru
> X-Last-TLS-Session-Version: TLSv1.2
> Authentication-Results: mail.mnin.de;
> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
> dmarc=pass (policy=reject) header.from=corp.mail.ru;
> spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates
> 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru
> 
> --===============1678280035031557895==
> MIME-Version: 1.0
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: base64
> 
> VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=
> 
> --===============1678280035031557895==
> Content-Type: application/gzip
> MIME-Version: 1.0
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
>  filename="mail.ru!mnin.de!1590019200!1590105600.xml.gz"
> 
> H4sICM4Kx14C/21haWwucnUhbW5pbi5kZSExNTkwMDE5MjAwITE1OTAxMDU2MDAueG1sAIVTQXKk
> MAy85xW5zSkYqDADW4qzH9jLfsDlscXgCtgu22Szv48MYUJqKpULlpqW6JYFPL9N4/0rhmicfTpU
> RXm4R6ucNvbydJhT/9Aenvkd9Ij6LNULh4DehSQmTFLLJDm4cBFWTsj/SDMWf2dgVwRwIozrSQYl
> 4uxz5W/lgi8yXgTirgzAtxSkUM4mqZIwtnd8SMn/YmzA8Upn+XzICBXeVmzajOZ103RlV5+6x+bU
> 1ceuax8rQsqqq8sS2CcRyASKIO2F5J7xYizfE1cE0OoFrsrmmOGcA9uXspu5eDca9V/4+TyaOGD+
> lCP9lk/W2EIj1a85SP1iJh6ArQHI6PslzSd4bp0ltucQt5gC8CrxKovJAT1vPheQRp1P949K3RwU
> CuN51bZFXTfF6VRUx5Z6Xd+AcrOlpsDWYLOAr3KcyWu2YKJ30STalg8pewQW/T1dEuGLlexgzRcv
> 7LYjW+QZjTaZ3tAichhQagyiD276HNYeBPaFL+c0iIBxHlP80LDNmqrTkBcGw7Ju28gjjqiSC1wT
> g8RtKaxtuJcx5jtdkr2ZHxsr55FPWSa1XZJveq4D+aqdbXfGrj/cO84BW+uiAwAA
> --===============1678280035031557895==--
> 
> Decompressed xml is:
> 
> <?xml version='1.0' encoding='utf-8'?>
> <feedback><report_metadata><org_name>Mail.Ru</org_name><email>dmarc_support at corp.mail.ru
> <mailto:dmarc_support at corp.mail.ru></email><extra_contact_info>http://help.mail.ru/mail-help</extra_contact_info><report_id>25590927945792699841590019200</report_id><date_range><begin>1590019200</begin><end>1590105600</end></date_range></report_metadata><policy_published><domain>mnin.de</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct></policy_published><record><row><source_ip>188.225.77.168</source_ip><count>1</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row><identifiers><header_from>mnin.de</header_from></identifiers><auth_results><dkim><domain>ninthhelper.ru</domain><selector>dnin</selector><result>pass</result></dkim><spf><domain>ninthhelper.ru</domain><scope>mfrom</scope><result>pass</result></spf></auth_results></record></feedback>
> 
> 
> Cheers,
> 
> Martin
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20200525/429f1173/attachment.sig>