[anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me

Hey Javier,

the thing is, I don't receive spam, I receive emails about their address range sending spam and using my domain as the sender.

I think through SPF, DKIM and DNSSEC I have gotten everything out of today's specifications.

This provider just doesn't want to accept DMARC reports. This is for me just denying facts.

Cheers,

Martin

> On 25. May 2020, at 16:17, Javier Martín <javier.martin at centrored.net> wrote:
> 
> Dear Martin.
> Welcome to our daily world, we are sending all spamming ips to the blackhole in our router.
> Kind regards.
> Javier
>> Sobre 25/05/2020 16:15:10, Martin Wilhelmi <mnin at mnin.de> escribió:
>> 
>> Hey everyone,
>> 
>> I have a conflict with a provider from Russia "Timeweb" AS9123. It seems to be hosting a customer who sends spam and uses one of my domains as sender.
>> 
>> I got the information via DMARC, RFC 7489 with several mails. This provider has an abuse email address. After I contacted them, they analyzed my domain, complained about the header of the automatic DMARC e-mail from mail.ru <http://mail.ru/>, because there an internal host distributes it and uses an internal IP address 10/8 according to RFC 1918 and so on.
>> 
>> Apparently one does not want to do anything and requests one of these e-mails classified as spam sent to @mail.ru.
>> 
>> But this is not provided for in the DMARC protocol, which the provider does not 'believe’.
>> 
>> This means I continue to receive emails from Russia telling me that my domain is being used by their host to send spam. And the provider writes me many e-mails telling me that I have to provide correct facts and that nothing else will be done.
>> 
>> Because DMARC emails are not facts and cannot be used as evidence.
>> 
>> Do you have any idea how to deal with this?
>> 
>> I have received 11 DMARC emails from mail.ru <http://mail.ru/> regarding this host. I have attached last one here with header:
>> 
>> Return-Path: <dmarc_support at corp.mail.ru <mailto:dmarc_support at corp.mail.ru>>
>> Delivered-To: mnin at mnin.de <mailto:mnin at mnin.de>
>> Received: from mail.mnin.de ([xxxx])
>> 	by mail.mnin.de with LMTP
>> 	id yedWJNMKx14sDAAAuS6XVA
>> 	(envelope-from <dmarc_support at corp.mail.ru>)
>> 	for <mnin at mnin.de>; Fri, 22 May 2020 01:12:19 +0200
>> Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
>> 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>> 	(No client certificate requested)
>> 	by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
>> 	for <mnin at mnin.de>; Fri, 22 May 2020 01:12:18 +0200 (CEST)
>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=corp.mail.ru; s=mail;
>> 	h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
>> 	b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
>> Received: from [10.161.4.115] (port=48176 helo=60)
>> 	by relay7.m.smailru.net with esmtp (envelope-from <dmarc_support at corp.mail.ru>)
>> 	id 1jbuMI-0007Kr-2n
>> 	for mnin at mnin.de; Fri, 22 May 2020 02:12:14 +0300
>> Content-Type: multipart/mixed; boundary="===============1678280035031557895=="
>> MIME-Version: 1.0
>> Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
>>  Report-ID: 25590927945792699841590019200
>> From: dmarc_support at corp.mail.ru
>> To: mnin at mnin.de
>> Message-ID: <dmarc-1590102734 at corp.mail.ru>
>> Date: Fri, 22 May 2020 02:12:14 +0300
>> Auto-Submitted: auto-generated
>> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
>> 	s=dkim; t=1590102738;
>> 	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
>> 	 to:to:cc:mime-version:mime-version:content-type:content-type:
>> 	 dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
>> 	b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
>> 	VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
>> 	pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
>> 	0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
>> 	dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
>> ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
>> 	b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
>> 	Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
>> 	l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
>> 	VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
>> 	eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
>> ARC-Authentication-Results: i=1;
>> 	mail.mnin.de;
>> 	dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
>> 	spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru
>> X-Last-TLS-Session-Version: TLSv1.2
>> Authentication-Results: mail.mnin.de;
>> 	dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
>> 	dmarc=pass (policy=reject) header.from=corp.mail.ru;
>> 	spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru
>> 
>> --===============1678280035031557895==
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset="utf-8"
>> Content-Transfer-Encoding: base64
>> 
>> VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=
>> 
>> --===============1678280035031557895==
>> Content-Type: application/gzip
>> MIME-Version: 1.0
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment;
>>  filename="mail.ru!mnin.de!1590019200!1590105600.xml.gz"
>> 
>> H4sICM4Kx14C/21haWwucnUhbW5pbi5kZSExNTkwMDE5MjAwITE1OTAxMDU2MDAueG1sAIVTQXKk
>> MAy85xW5zSkYqDADW4qzH9jLfsDlscXgCtgu22Szv48MYUJqKpULlpqW6JYFPL9N4/0rhmicfTpU
>> RXm4R6ucNvbydJhT/9Aenvkd9Ij6LNULh4DehSQmTFLLJDm4cBFWTsj/SDMWf2dgVwRwIozrSQYl
>> 4uxz5W/lgi8yXgTirgzAtxSkUM4mqZIwtnd8SMn/YmzA8Upn+XzICBXeVmzajOZ103RlV5+6x+bU
>> 1ceuax8rQsqqq8sS2CcRyASKIO2F5J7xYizfE1cE0OoFrsrmmOGcA9uXspu5eDca9V/4+TyaOGD+
>> lCP9lk/W2EIj1a85SP1iJh6ArQHI6PslzSd4bp0ltucQt5gC8CrxKovJAT1vPheQRp1P949K3RwU
>> CuN51bZFXTfF6VRUx5Z6Xd+AcrOlpsDWYLOAr3KcyWu2YKJ30STalg8pewQW/T1dEuGLlexgzRcv
>> 7LYjW+QZjTaZ3tAichhQagyiD276HNYeBPaFL+c0iIBxHlP80LDNmqrTkBcGw7Ju28gjjqiSC1wT
>> g8RtKaxtuJcx5jtdkr2ZHxsr55FPWSa1XZJveq4D+aqdbXfGrj/cO84BW+uiAwAA
>> --===============1678280035031557895==--
>> 
>> Decompressed xml is:
>> 
>> <?xml version='1.0' encoding='utf-8'?>
>> <feedback><report_metadata><org_name>Mail.Ru</org_name><email>dmarc_support at corp.mail.ru <mailto:dmarc_support at corp.mail.ru></email><extra_contact_info>http://help.mail.ru/mail-help</extra_contact_info><report_id>25590927945792699841590019200</report_id><date_range><begin>1590019200</begin><end>1590105600</end></date_range></report_metadata><policy_published><domain>mnin.de</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct></policy_published><record><row><source_ip>188.225.77.168</source_ip><count>1</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row><identifiers><header_from>mnin.de</header_from></identifiers><auth_results><dkim><domain>ninthhelper.ru</domain><selector>dnin</selector><result>pass</result></dkim><spf><domain>ninthhelper.ru</domain><scope>mfrom</scope><result>pass</result></spf></auth_results></record></feedback>
>> 
>> 
>> Cheers,
>> 
>> Martin
>> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20200525/0886be7c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20200525/0886be7c/attachment.sig>