Hey everyone,

I have a conflict with a provider from Russia "Timeweb" AS9123. It seems to be hosting a customer who sends spam and uses one of my domains as sender.

I got the information via DMARC, RFC 7489 with several mails. This provider has an abuse email address. After I contacted them, they analyzed my domain, complained about the header of the automatic DMARC e-mail from mail.ru, because there an internal host distributes it and uses an internal IP address 10/8 according to RFC 1918 and so on.

Apparently one does not want to do anything and requests one of these e-mails classified as spam sent to @mail.ru.

But this is not provided for in the DMARC protocol, which the provider does not 'believe’.

This means I continue to receive emails from Russia telling me that my domain is being used by their host to send spam. And the provider writes me many e-mails telling me that I have to provide correct facts and that nothing else will be done.

Because DMARC emails are not facts and cannot be used as evidence.

Do you have any idea how to deal with this?

I have received 11 DMARC emails from mail.ru regarding this host. I have attached last one here with header:

Return-Path: <dmarc_support@corp.mail.ru>
Delivered-To: mnin@mnin.de
Received: from mail.mnin.de ([xxxx])
by mail.mnin.de with LMTP
id yedWJNMKx14sDAAAuS6XVA
(envelope-from <dmarc_support@corp.mail.ru>)
for <mnin@mnin.de>; Fri, 22 May 2020 01:12:19 +0200
Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
for <mnin@mnin.de>; Fri, 22 May 2020 01:12:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=corp.mail.ru; s=mail;
h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
Received: from [10.161.4.115] (port=48176 helo=60)
by relay7.m.smailru.net with esmtp (envelope-from <dmarc_support@corp.mail.ru>)
id 1jbuMI-0007Kr-2n
for mnin@mnin.de; Fri, 22 May 2020 02:12:14 +0300
Content-Type: multipart/mixed; boundary="===============1678280035031557895=="
MIME-Version: 1.0
Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
 Report-ID: 25590927945792699841590019200
From: dmarc_support@corp.mail.ru
To: mnin@mnin.de
Message-ID: <dmarc-1590102734@corp.mail.ru>
Date: Fri, 22 May 2020 02:12:14 +0300
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
s=dkim; t=1590102738;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
ARC-Authentication-Results: i=1;
mail.mnin.de;
dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
spf=pass (mail.mnin.de: domain of dmarc_support@corp.mail.ru designates 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support@corp.mail.ru
X-Last-TLS-Session-Version: TLSv1.2
Authentication-Results: mail.mnin.de;
dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
dmarc=pass (policy=reject) header.from=corp.mail.ru;
spf=pass (mail.mnin.de: domain of dmarc_support@corp.mail.ru designates 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_support@corp.mail.ru

--===============1678280035031557895==
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=

--===============1678280035031557895==
Content-Type: application/gzip
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="mail.ru!mnin.de!1590019200!1590105600.xml.gz"

H4sICM4Kx14C/21haWwucnUhbW5pbi5kZSExNTkwMDE5MjAwITE1OTAxMDU2MDAueG1sAIVTQXKk
MAy85xW5zSkYqDADW4qzH9jLfsDlscXgCtgu22Szv48MYUJqKpULlpqW6JYFPL9N4/0rhmicfTpU
RXm4R6ucNvbydJhT/9Aenvkd9Ij6LNULh4DehSQmTFLLJDm4cBFWTsj/SDMWf2dgVwRwIozrSQYl
4uxz5W/lgi8yXgTirgzAtxSkUM4mqZIwtnd8SMn/YmzA8Upn+XzICBXeVmzajOZ103RlV5+6x+bU
1ceuax8rQsqqq8sS2CcRyASKIO2F5J7xYizfE1cE0OoFrsrmmOGcA9uXspu5eDca9V/4+TyaOGD+
lCP9lk/W2EIj1a85SP1iJh6ArQHI6PslzSd4bp0ltucQt5gC8CrxKovJAT1vPheQRp1P949K3RwU
CuN51bZFXTfF6VRUx5Z6Xd+AcrOlpsDWYLOAr3KcyWu2YKJ30STalg8pewQW/T1dEuGLlexgzRcv
7LYjW+QZjTaZ3tAichhQagyiD276HNYeBPaFL+c0iIBxHlP80LDNmqrTkBcGw7Ju28gjjqiSC1wT
g8RtKaxtuJcx5jtdkr2ZHxsr55FPWSa1XZJveq4D+aqdbXfGrj/cO84BW+uiAwAA
--===============1678280035031557895==--

Decompressed xml is:

<?xml version='1.0' encoding='utf-8'?>
<feedback><report_metadata><org_name>Mail.Ru</org_name><email>dmarc_support@corp.mail.ru</email><extra_contact_info>http://help.mail.ru/mail-help</extra_contact_info><report_id>25590927945792699841590019200</report_id><date_range><begin>1590019200</begin><end>1590105600</end></date_range></report_metadata><policy_published><domain>mnin.de</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct></policy_published><record><row><source_ip>188.225.77.168</source_ip><count>1</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row><identifiers><header_from>mnin.de</header_from></identifiers><auth_results><dkim><domain>ninthhelper.ru</domain><selector>dnin</selector><result>pass</result></dkim><spf><domain>ninthhelper.ru</domain><scope>mfrom</scope><result>pass</result></spf></auth_results></record></feedback>