Subject: Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
From: "Fi Shing" <phishing@storey.xxx>
Date: 2/13/20 3:26 pm
To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>
All OVH and DigitalOcean abuse reports must be submitted via the abuse reporting forms on the website, or they won't be actioned:
https://www.ovh.com/world/abuse/
https://www.digitalocean.com/company/contact/abuse/
--------- Original Message ---------
Subject: Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
From: "Alessandro Vesely" <vesely@tana.it>
Date: 2/12/20 11:16 pm
To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>
On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
> The RIPE WHOIS data base says that the abuse contact for AS16276 is
> abuse@ovh.net.
>
> It would appear that the folks at OVH haven't yet quite figured how
> this whole email thing works.
>
> Give them time. Another decade or two and they should have it down pat.
+1, X-VR-SPAMCAUSE looks particularly appealing...
Best
Ale
-------- Forwarded Message --------
Subject: failure notice
Date: 12 Feb 2020 06:18:04 +0200
From: MAILER-DAEMON@mx1.ovh.net
To: abuse@tana.it
Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<ovh.net-abuse@ovh.net>:
user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581481084.9867.mail660.ha.ovh.net,S=4191
system error
--- Below this line is a copy of the message.
Return-Path: <abuse@tana.it>
Received: from localhost (HELO queue) (127.0.0.1)
by localhost with SMTP; 12 Feb 2020 06:18:04 +0200
Received: from unknown (HELO output25.mail.ovh.net) (10.108.117.188)
by mail660.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 06:18:04 +0200
Received: from vr26.mail.ovh.net (unknown [10.101.8.26])
by out25.mail.ovh.net (Postfix) with ESMTP id 48HRFm0K5Sz7P6Fd8
for <abuse@ovh.net>; Wed, 12 Feb 2020 04:18:04 +0000 (UTC)
Received: from in14.mail.ovh.net (unknown [10.101.4.14])
by vr26.mail.ovh.net (Postfix) with ESMTP id 48HRFf6fgNzrQV85
for <abuse@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=62.94.243.226; helo=wmail.tana.it; envelope-from=abuse@tana.it; receiver=abuse@ovh.net
Authentication-Results: in14.mail.ovh.net;
dkim=pass (1152-bit key; unprotected) header.d=tana.it header.i=@tana.it header.b="DSzDkiE5";
dkim-atps=neutral
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226])
by in14.mail.ovh.net (Postfix) with ESMTPS id 48HRFf5rYcz1qqm5
for <abuse@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
(uid 1000)
by wmail.tana.it with local
id 00000000005DC0BE.000000005E437C70.00006938; Wed, 12 Feb 2020 05:17:51 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta;
t=1581481072; bh=hqA0axQ0F0EZuKcuD4BJM7lec22phleodccLJFRo7js=;
l=1187; h=From:To:Date;
b=DSzDkiE5M2E2RHdufCjt/pvL8szxXfCQCiPcYrJMYxbHDSM6/qNrHDy0JZwW3HfQG
jvGk5T7PlE7c6dBvfNjmQl2Z0yTpvjOVufBM6xGVi3WEzkPUb2Wpr0b6oW/Ptan3/d
d81pOjTCPaAxOXfx0G1t5PpotLEo0P48qxyNPtkGYVZoMp7kdUev7jtac9Jcq
Authentication-Results: tana.it; auth=pass (details omitted)
X-mmdbcountrylookup: FR
From: "tana.it" <abuse@tana.it>
To: abuse@ovh.net
Date: Wed, 12 Feb 2020 05:17:51 +0100
Subject: Mail server abuse by 188.165.221.36 on 11 February 2020
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: DR, OOF, AutoReply
Message-ID: <courier.000000005E437C6F.00006938@wmail.tana.it>
X-Ovh-Remote: 62.94.243.226 (wmail.tana.it)
X-Ovh-Tracer-Id: 8968355709213900626
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 50
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrieeggdeifecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecuogfvvgigthfqnhhlhidqqdetfeejfedqtdegucdlhedtmdenucfjughrpefhvfffufggtgfgsehtjedttddttdejnecuhfhrohhmpedfthgrnhgrrdhithdfuceorggsuhhsvgesthgrnhgrrdhitheqnecuffhomhgrihhnpehtrghnrgdrihhtpdhrihhpvgdrnhgvthenucfkphepiedvrdelgedrvdegfedrvddvieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehinhdugedrmhgrihhlrdhovhhhrdhnvghtpdhinhgvthepiedvrdelgedrvdegfedrvddviedpmhgrihhlfhhrohhmpegrsghushgvsehtrghnrgdrihhtpdhrtghpthhtoheprggsuhhsvgesohhvhhdrnhgvth
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK
Dear Abuse Team
The following abusive behavior from IP address under your constituency
188.165.221.36 has been detected:
2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack
188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018
original data from the mail log:
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D
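
[Added example, not part of the thread or of any tooling used by its participants.] The mail-log excerpt in the bounced report can be summarised per source IP with a short parser like the one below. The 60-second window and the 5-connection threshold are assumptions chosen for illustration; the report's own "decay"/"prob" scoring is not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the abuse report quoted above (courieresmtpd format).
SAMPLE_LOG = """\
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D
"""

# "started" lines use ip=[...],port=[...]; "error" lines use relay=...,port=...
LINE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ courieresmtpd: '
    r'(?P<kind>started|error),(?:ip=\[|relay=)(?P<ip>[0-9A-Fa-f.:]+)\]?,'
    r'port=\[?\d+\]?(?:,msg="(?P<msg>[^"]*)")?')

def parse(log):
    """Yield (timestamp, kind, ip, msg) for every recognised log line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
            yield ts, m['kind'], m['ip'], m['msg'] or ''

def summarize(log, window=timedelta(seconds=60), min_conns=5):
    """Per-IP summary; flag a connection burst combined with a 535 failure."""
    conns, fails = defaultdict(list), defaultdict(int)
    for ts, kind, ip, msg in parse(log):
        if kind == 'started':
            conns[ip].append(ts)
        elif msg.startswith('535'):   # SMTP AUTH rejected
            fails[ip] += 1
    report = {}
    for ip in set(conns) | set(fails):
        times = sorted(conns[ip])
        # Largest number of connections opened inside any one window.
        burst = max((sum(1 for t in times[i:] if t - times[i] <= window)
                     for i in range(len(times))), default=0)
        report[ip] = {'connections': len(times), 'burst': burst,
                      'auth_failures': fails[ip],
                      'flagged': burst >= min_conns and fails[ip] > 0}
    return report

if __name__ == '__main__':
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
```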