[anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me
- Previous message (by thread): [anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me
- Next message (by thread): [anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Martin Wilhelmi
mnin at mnin.de
Mon May 25 16:25:00 CEST 2020
Hey Javier, the thing is, I don't receive spam, I receive emails about their address range sending spam and using my domain as the sender. I think through SPF, DKIM and DNSSEC I have gotten everything out of today's specifications. This provider just doesn't want to accept DMARC reports. This is for me just denying facts. Cheers, Martin > On 25. May 2020, at 16:17, Javier Martín <javier.martin at centrored.net> wrote: > > Dear Martin. > Welcome to our daily world, we are sending all spamming ips to the blackhole in our router. > Kind regards. > Javier >> Sobre 25/05/2020 16:15:10, Martin Wilhelmi <mnin at mnin.de> escribió: >> >> Hey everyone, >> >> I have a conflict with a provider from Russia "Timeweb" AS9123. It seems to be hosting a customer who sends spam and uses one of my domains as sender. >> >> I got the information via DMARC, RFC 7489 with several mails. This provider has an abuse email address. After I contacted them, they analyzed my domain, complained about the header of the automatic DMARC e-mail from mail.ru <http://mail.ru/>, because there an internal host distributes it and uses an internal IP address 10/8 according to RFC 1918 and so on. >> >> Apparently one does not want to do anything and requests one of these e-mails classified as spam sent to @mail.ru. >> >> But this is not provided for in the DMARC protocol, which the provider does not 'believe’. >> >> This means I continue to receive emails from Russia telling me that my domain is being used by their host to send spam. And the provider writes me many e-mails telling me that I have to provide correct facts and that nothing else will be done. >> >> Because DMARC emails are not facts and cannot be used as evidence. >> >> Do you have any idea how to deal with this? >> >> I have received 11 DMARC emails from mail.ru <http://mail.ru/> regarding this host. I have attached last one here with header: >> >> Return-Path: <dmarc_support at corp.mail.ru <mailto:dmarc_support at corp.mail.ru>> >> Delivered-To: mnin at mnin.de <mailto:mnin at mnin.de> >> Received: from mail.mnin.de ([xxxx]) >> by mail.mnin.de with LMTP >> id yedWJNMKx14sDAAAuS6XVA >> (envelope-from <dmarc_support at corp.mail.ru>) >> for <mnin at mnin.de>; Fri, 22 May 2020 01:12:19 +0200 >> Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51]) >> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) >> (No client certificate requested) >> by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C >> for <mnin at mnin.de>; Fri, 22 May 2020 01:12:18 +0200 (CEST) >> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=corp.mail.ru; s=mail; >> h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=; >> b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=; >> Received: from [10.161.4.115] (port=48176 helo=60) >> by relay7.m.smailru.net with esmtp (envelope-from <dmarc_support at corp.mail.ru>) >> id 1jbuMI-0007Kr-2n >> for mnin at mnin.de; Fri, 22 May 2020 02:12:14 +0300 >> Content-Type: multipart/mixed; boundary="===============1678280035031557895==" >> MIME-Version: 1.0 >> Subject: Report Domain: mnin.de; Submitter: Mail.Ru; >> Report-ID: 25590927945792699841590019200 >> From: dmarc_support at corp.mail.ru >> To: mnin at mnin.de >> Message-ID: <dmarc-1590102734 at corp.mail.ru> >> Date: Fri, 22 May 2020 02:12:14 +0300 >> Auto-Submitted: auto-generated >> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de; >> s=dkim; t=1590102738; >> h=from:from:reply-to:subject:subject:date:date:message-id:message-id: >> to:to:cc:mime-version:mime-version:content-type:content-type: >> dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=; >> b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc >> VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4 >> pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+ >> 0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa >> dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw== >> ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none; >> b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI >> Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg >> l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ >> VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1 >> eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw== >> ARC-Authentication-Results: i=1; >> mail.mnin.de; >> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn; >> spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru >> X-Last-TLS-Session-Version: TLSv1.2 >> Authentication-Results: mail.mnin.de; >> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn; >> dmarc=pass (policy=reject) header.from=corp.mail.ru; >> spf=pass (mail.mnin.de: domain of dmarc_support at corp.mail.ru designates 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support at corp.mail.ru >> >> --===============1678280035031557895== >> MIME-Version: 1.0 >> Content-Type: text/plain; charset="utf-8" >> Content-Transfer-Encoding: base64 >> >> VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4= >> >> --===============1678280035031557895== >> Content-Type: application/gzip >> MIME-Version: 1.0 >> Content-Transfer-Encoding: base64 >> Content-Disposition: attachment; >> filename="mail.ru!mnin.de!1590019200!1590105600.xml.gz" >> >> H4sICM4Kx14C/21haWwucnUhbW5pbi5kZSExNTkwMDE5MjAwITE1OTAxMDU2MDAueG1sAIVTQXKk >> MAy85xW5zSkYqDADW4qzH9jLfsDlscXgCtgu22Szv48MYUJqKpULlpqW6JYFPL9N4/0rhmicfTpU >> RXm4R6ucNvbydJhT/9Aenvkd9Ij6LNULh4DehSQmTFLLJDm4cBFWTsj/SDMWf2dgVwRwIozrSQYl >> 4uxz5W/lgi8yXgTirgzAtxSkUM4mqZIwtnd8SMn/YmzA8Upn+XzICBXeVmzajOZ103RlV5+6x+bU >> 1ceuax8rQsqqq8sS2CcRyASKIO2F5J7xYizfE1cE0OoFrsrmmOGcA9uXspu5eDca9V/4+TyaOGD+ >> lCP9lk/W2EIj1a85SP1iJh6ArQHI6PslzSd4bp0ltucQt5gC8CrxKovJAT1vPheQRp1P949K3RwU >> CuN51bZFXTfF6VRUx5Z6Xd+AcrOlpsDWYLOAr3KcyWu2YKJ30STalg8pewQW/T1dEuGLlexgzRcv >> 7LYjW+QZjTaZ3tAichhQagyiD276HNYeBPaFL+c0iIBxHlP80LDNmqrTkBcGw7Ju28gjjqiSC1wT >> g8RtKaxtuJcx5jtdkr2ZHxsr55FPWSa1XZJveq4D+aqdbXfGrj/cO84BW+uiAwAA >> --===============1678280035031557895==-- >> >> Decompressed xml is: >> >> <?xml version='1.0' encoding='utf-8'?> >> <feedback><report_metadata><org_name>Mail.Ru</org_name><email>dmarc_support at corp.mail.ru <mailto:dmarc_support at corp.mail.ru></email><extra_contact_info>http://help.mail.ru/mail-help</extra_contact_info><report_id>25590927945792699841590019200</report_id><date_range><begin>1590019200</begin><end>1590105600</end></date_range></report_metadata><policy_published><domain>mnin.de</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct></policy_published><record><row><source_ip>188.225.77.168</source_ip><count>1</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row><identifiers><header_from>mnin.de</header_from></identifiers><auth_results><dkim><domain>ninthhelper.ru</domain><selector>dnin</selector><result>pass</result></dkim><spf><domain>ninthhelper.ru</domain><scope>mfrom</scope><result>pass</result></spf></auth_results></record></feedback> >> >> >> Cheers, >> >> Martin >> -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.ripe.net/ripe/mail/archives/anti-abuse-wg/attachments/20200525/0886be7c/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: Message signed with OpenPGP URL: <https://lists.ripe.net/ripe/mail/archives/anti-abuse-wg/attachments/20200525/0886be7c/attachment.sig>
- Previous message (by thread): [anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me
- Next message (by thread): [anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]