This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me
Martin Wilhelmi
mnin at mnin.de
Mon May 25 16:25:00 CEST 2020
Hey Javier,

the thing is, I don't receive spam, I receive emails about their address range sending spam and using my domain as the sender.

I think through SPF, DKIM and DNSSEC I have gotten everything out of today's specifications. This provider just doesn't want to accept DMARC reports. This is for me just denying facts.

Cheers,
Martin

> On 25. May 2020, at 16:17, Javier Martín <javier.martin at centrored.net> wrote:
>
> Dear Martin.
> Welcome to our daily world, we are sending all spamming IPs to the blackhole in our router.
> Kind regards.
> Javier
>> On 25/05/2020 16:15:10, Martin Wilhelmi <mnin at mnin.de> wrote:
>>
>> Hey everyone,
>>
>> I have a conflict with a provider from Russia "Timeweb" AS9123. It seems to be hosting a customer who sends spam and uses one of my domains as sender.
>>
>> I got the information via DMARC, RFC 7489 with several mails. This provider has an abuse email address. After I contacted them, they analyzed my domain, complained about the header of the automatic DMARC e-mail from mail.ru, because there an internal host distributes it and uses an internal IP address 10/8 according to RFC 1918 and so on.
>>
>> Apparently one does not want to do anything and requests one of these e-mails classified as spam sent to @mail.ru.
>>
>> But this is not provided for in the DMARC protocol, which the provider does not 'believe'.
>>
>> This means I continue to receive emails from Russia telling me that my domain is being used by their host to send spam. And the provider writes me many e-mails telling me that I have to provide correct facts and that nothing else will be done.
>>
>> Because DMARC emails are not facts and cannot be used as evidence.
>>
>> Do you have any idea how to deal with this?
>>
>> I have received 11 DMARC emails from mail.ru regarding this host.
>> I have attached the last one here with header:
>>
>> Return-Path: <dmarc_support at corp.mail.ru>
>> Delivered-To: mnin at mnin.de
>> Received: from mail.mnin.de ([xxxx])
>>     by mail.mnin.de with LMTP
>>     id yedWJNMKx14sDAAAuS6XVA
>>     (envelope-from <dmarc_support at corp.mail.ru>)
>>     for <mnin at mnin.de>; Fri, 22 May 2020 01:12:19 +0200
>> Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
>>     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>>     (No client certificate requested)
>>     by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
>>     for <mnin at mnin.de>; Fri, 22 May 2020 01:12:18 +0200 (CEST)
>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=corp.mail.ru; s=mail;
>>     h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
>>     b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
>> Received: from [10.161.4.115] (port=48176 helo=60)
>>     by relay7.m.smailru.net with esmtp (envelope-from <dmarc_support at corp.mail.ru>)
>>     id 1jbuMI-0007Kr-2n
>>     for mnin at mnin.de; Fri, 22 May 2020 02:12:14 +0300
>> Content-Type: multipart/mixed; boundary="===============1678280035031557895=="
>> MIME-Version: 1.0
>> Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
>>     Report-ID: 25590927945792699841590019200
>> From: dmarc_support at corp.mail.ru
>> To: mnin at mnin.de
>> Message-ID: <dmarc-1590102734 at corp.mail.ru>
>> Date: Fri, 22 May 2020 02:12:14 +0300
>> Auto-Submitted: auto-generated
>> ARC-Authentication-Results: i=1;
>>     mail.mnin.de;
>>     dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
>>     spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru
>> X-Last-TLS-Session-Version: TLSv1.2
>> Authentication-Results: mail.mnin.de;
>>     dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
>>     dmarc=pass (policy=reject) header.from=corp.mail.ru;
>>     spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru
>>
>> --===============1678280035031557895==
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset="utf-8"
>> Content-Transfer-Encoding: base64
>>
>> VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=
>>
>> --===============1678280035031557895==
>> Content-Type: application/gzip
>> MIME-Version: 1.0
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment;
>>     filename="mail.ru!mnin.de!1590019200!1590105600.xml.gz"
>>
>> --===============1678280035031557895==--
>>
>> Decompressed xml is:
>>
>> <?xml version='1.0' encoding='utf-8'?>
>> <feedback>
>>   <report_metadata>
>>     <org_name>Mail.Ru</org_name>
>>     <email>dmarc_support at corp.mail.ru</email>
>>     <extra_contact_info>http://help.mail.ru/mail-help</extra_contact_info>
>>     <report_id>25590927945792699841590019200</report_id>
>>     <date_range>
>>       <begin>1590019200</begin>
>>       <end>1590105600</end>
>>     </date_range>
>>   </report_metadata>
>>   <policy_published>
>>     <domain>mnin.de</domain>
>>     <adkim>r</adkim>
>>     <aspf>r</aspf>
>>     <p>none</p>
>>     <sp>none</sp>
>>     <pct>100</pct>
>>   </policy_published>
>>   <record>
>>     <row>
>>       <source_ip>188.225.77.168</source_ip>
>>       <count>1</count>
>>       <policy_evaluated>
>>         <disposition>none</disposition>
>>         <dkim>fail</dkim>
>>         <spf>fail</spf>
>>       </policy_evaluated>
>>     </row>
>>     <identifiers>
>>       <header_from>mnin.de</header_from>
>>     </identifiers>
>>     <auth_results>
>>       <dkim>
>>         <domain>ninthhelper.ru</domain>
>>         <selector>dnin</selector>
>>         <result>pass</result>
>>       </dkim>
>>       <spf>
>>         <domain>ninthhelper.ru</domain>
>>         <scope>mfrom</scope>
>>         <result>pass</result>
>>       </spf>
>>     </auth_results>
>>   </record>
>> </feedback>
>>
>> Cheers,
>>
>> Martin
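
Reading the aggregate report quoted in this message, as an added example that is not part of the original post or of any participant's code: it applies RFC 7489 identifier alignment to each record and lists the sources whose passing DKIM/SPF identities do not match the header From domain. The function names and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Record from the report quoted above, trimmed to the fields used here.
REPORT = """<feedback>
<policy_published><domain>mnin.de</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
<record>
  <row><source_ip>188.225.77.168</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>mnin.de</header_from></identifiers>
  <auth_results>
    <dkim><domain>ninthhelper.ru</domain><result>pass</result></dkim>
    <spf><domain>ninthhelper.ru</domain><result>pass</result></spf>
  </auth_results>
</record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels. Production code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    # RFC 7489 section 3.1: "s" = exact match, "r" = same organizational domain.
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def unaligned_sources(xml_text):
    """Records where no passing DKIM/SPF identity aligns with header_from."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted reports
    pol = root.find("policy_published")
    modes = {"dkim": pol.findtext("adkim", "r"), "spf": pol.findtext("aspf", "r")}
    findings = []
    for rec in root.iter("record"):
        hfrom = rec.findtext("identifiers/header_from", "")
        passed = [(mech, auth.findtext("domain", "")) for mech in ("dkim", "spf")
                  for auth in rec.findall(f"auth_results/{mech}")
                  if auth.findtext("result") == "pass"]
        if not any(aligned(dom, hfrom, modes[mech]) for mech, dom in passed):
            findings.append({
                "source_ip": rec.findtext("row/source_ip"),
                "count": int(rec.findtext("row/count", "0")),
                "header_from": hfrom, "policy": pol.findtext("p"),
                "authenticated_as": sorted({dom for _, dom in passed}),
            })
    return findings

if __name__ == "__main__":
    for finding in unaligned_sources(REPORT):
        print(finding)
```

The `policy_evaluated` values of `fail` are the DMARC-aligned results, while `auth_results` holds the raw checks; the single record here passes both raw checks for ninthhelper.ru and still fails DMARC for mnin.de because neither identity aligns.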