Reporting abuse to OVH -- don't bother
The RIPE WHOIS data base says that the abuse contact for AS16276 is abuse@ovh.net.

It would appear that the folks at OVH haven't yet quite figured how this whole email thing works.

Give them time. Another decade or two and they should have it down pat.

------- Forwarded Message

Date: 12 Feb 2020 10:26:23 +0200
From: MAILER-DAEMON@mx1.ovh.net
To: rfg@tristatelogic.com
Subject: failure notice

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ovh.net-abuse@ovh.net>:
user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581495983.28582.mail141.ha.ovh.net,S=10651
system error

--- Below this line is a copy of the message.

Return-Path: <rfg@tristatelogic.com>
Received: from localhost (HELO queue) (127.0.0.1)
  by localhost with SMTP; 12 Feb 2020 10:26:23 +0200
Received: from unknown (HELO output55.mail.ovh.net) (10.108.98.118)
  by mail141.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 10:26:23 +0200
Received: from vr15.mail.ovh.net (unknown [10.101.8.15])
  by out55.mail.ovh.net (Postfix) with ESMTP id 48HXmH0nz4z7SwqFq
  for <abuse@ovh.net>; Wed, 12 Feb 2020 08:26:23 +0000 (UTC)
Received: from in32.mail.ovh.net (unknown [10.101.4.32])
  by vr15.mail.ovh.net (Postfix) with ESMTP id 48HXm96hlfz1DGZD
  for <abuse@ovh.net>; Wed, 12 Feb 2020 08:26:17 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=69.62.255.118; helo=outgoing.tristatelogic.com; envelope-from=rfg@tristatelogic.com; receiver=abuse@ovh.net
Authentication-Results: in32.mail.ovh.net; dkim=none; dkim-atps=neutral
Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118])
  by in32.mail.ovh.net (Postfix) with ESMTP id 48HXm91ZjszZ0l2m
  for <abuse@ovh.net>; Wed, 12 Feb 2020 08:26:16 +0000 (UTC)
Received: by segfault.tristatelogic.com (Postfix, from userid 1237)
  id 5A1884E69A; Wed, 12 Feb 2020 00:26:10 -0800 (PST)
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: abuse@ovh.net
Cc: spamreports@tristatelogic.com
Subject: Spam from your network (AS16276): [54.39.173.134]
Date: 12 Feb 2020 00:26:10 -0800
X-Rfg-Spam-Report: (AS16276): [54.39.173.134]
Message-Id: <20200212082610.5A1884E69A@segfault.tristatelogic.com>
X-Ovh-Remote: 69.62.255.118 (segfault.tristatelogic.com)
X-Ovh-Tracer-Id: 13162051389114427986
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: [...]
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

I have received the email spam message which is appended below from your network, AS16276.

I did not request this spam, and I have had no prior contact with the sender. Indeed, I do not even know the sender, and I do not know how the sender even acquired my email address.

Please terminate this spamming from your network immediately.

Thank you for your assistance in this matter.

=========================================================================
Return-Path: <no-reply@craig.digitalebookwriting.com>
X-Original-To: rfg-dynadot@tristatelogic.com
Delivered-To: rfg-dynadot@tristatelogic.com
Received: from craig.digitalebookwriting.com (ip134.ip-54-39-173.net [54.39.173.134])
  by segfault.tristatelogic.com (Postfix) with ESMTP id 391A44E68A
  for <rfg-dynadot@tristatelogic.com>; Thu, 30 Jan 2020 09:25:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
  d=craig.digitalebookwriting.com; s=default;
  h=Message-ID:Date:Content-Type:Subject:To:Reply-To:From:MIME-Version:Sender:Cc:
  Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
  Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
  References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
  List-Owner:List-Archive;
  bh=G73Y84vFDgG+jBeFAVpzuuyKr+8smk3J4l/NIzyP9C4=; b=[...]
Received: from 181.187.230.35.bc.googleusercontent.com ([35.230.187.181]:56055)
  by vps235889.vps.ovh.ca with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
  (Exim 4.92) (envelope-from <no-reply@craig.digitalebookwriting.com>)
  id 1ixDYy-0001qe-36 for rfg-dynadot@tristatelogic.com; Thu, 30 Jan 2020 18:25:08 +0100
MIME-Version: 1.0
From: "Mark Cooper" <no-reply@craig.digitalebookwriting.com>
Reply-To: Sales@videoanimationnetwork.com
To: rfg-dynadot@tristatelogic.com
Subject: Looking for a different kind of animation, long duration, short deadline or 3D teaser?
Content-Type: multipart/alternative; boundary="----=_NextPart_001_3CF9_5F600D02.73CC25D2"
X-Mailer: Smart_Send_4_3_3
Date: Thu, 30 Jan 2020 17:25:07 +0000
Message-ID: <3704410922576318115204@sb02>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps235889.vps.ovh.ca
X-AntiAbuse: Original Domain - tristatelogic.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - craig.digitalebookwriting.com
X-Get-Message-Sender-Via: vps235889.vps.ovh.ca: authenticated_id: no-reply@craig.digitalebookwriting.com
X-Authenticated-Sender: vps235889.vps.ovh.ca: no-reply@craig.digitalebookwriting.com
X-Source:
X-Source-Args:
X-Source-Dir:

------=_NextPart_001_3CF9_5F600D02.73CC25D2
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

Hello Subscribers,

2D animations are a great and simple way to convey a message to your prospe=
cts or add a little bit of extra effort in your branding strategy. 2D anima=
tions come in handy from marketing, business prospecting, training videos f=
or employees or summarizing your business history. We use expert animators =
to deliver the best results each time.

Here's how we always achieve to exceed our clients' expectations:

- Creative Brief
- Scriptwriting
- Storyboarding
- Voiceover and Animation

Deliberately Design Custom Explainer Video Packages For All Ranges:

a). Basic Videos (Text & image Compilation)
b). Premium Videos (Whiteboard & Motion Graphic Animation)
c). Delux Videos (Ultimate 2D Animation)

Reverse Upto 70% Discount, Click Here to Lock this Deal Now!

Industries We've Served, (The diverse nature of our clients have extended o=
ur expertise in various fields like):

Real Estate | Finance | Health Care | Marketing | Sports

We take pride in our systematic methodology that ensures that each project =
is given its due importance and is professionally executed from initiation =
to delivery.

Let's Get Started/Speak With Us, Click-Here
=20
Best Regards,
Mark C. | Animation Consultant
Video Animationnet Work

To receive no further emails, please click here or reply to this email with=
 "HELP" in the Subject line.

------=_NextPart_001_3CF9_5F600D02.73CC25D2--

------- End of Forwarded Message
On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
> The RIPE WHOIS data base says that the abuse contact for AS16276 is abuse@ovh.net.
>
> It would appear that the folks at OVH haven't yet quite figured how this whole email thing works.
>
> Give them time. Another decade or two and they should have it down pat.
+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale

-------- Forwarded Message --------
Subject: failure notice
Date: 12 Feb 2020 06:18:04 +0200
From: MAILER-DAEMON@mx1.ovh.net
To: abuse@tana.it

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ovh.net-abuse@ovh.net>:
user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581481084.9867.mail660.ha.ovh.net,S=4191
system error

--- Below this line is a copy of the message.

Return-Path: <abuse@tana.it>
Received: from localhost (HELO queue) (127.0.0.1)
  by localhost with SMTP; 12 Feb 2020 06:18:04 +0200
Received: from unknown (HELO output25.mail.ovh.net) (10.108.117.188)
  by mail660.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 06:18:04 +0200
Received: from vr26.mail.ovh.net (unknown [10.101.8.26])
  by out25.mail.ovh.net (Postfix) with ESMTP id 48HRFm0K5Sz7P6Fd8
  for <abuse@ovh.net>; Wed, 12 Feb 2020 04:18:04 +0000 (UTC)
Received: from in14.mail.ovh.net (unknown [10.101.4.14])
  by vr26.mail.ovh.net (Postfix) with ESMTP id 48HRFf6fgNzrQV85
  for <abuse@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=62.94.243.226; helo=wmail.tana.it; envelope-from=abuse@tana.it; receiver=abuse@ovh.net
Authentication-Results: in14.mail.ovh.net;
  dkim=pass (1152-bit key; unprotected) header.d=tana.it header.i=@tana.it header.b="DSzDkiE5";
  dkim-atps=neutral
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226])
  by in14.mail.ovh.net (Postfix) with ESMTPS id 48HRFf5rYcz1qqm5
  for <abuse@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) (uid 1000)
  by wmail.tana.it with local
  id 00000000005DC0BE.000000005E437C70.00006938; Wed, 12 Feb 2020 05:17:51 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta;
  t=1581481072; bh=hqA0axQ0F0EZuKcuD4BJM7lec22phleodccLJFRo7js=;
  l=1187; h=From:To:Date;
  b=DSzDkiE5M2E2RHdufCjt/pvL8szxXfCQCiPcYrJMYxbHDSM6/qNrHDy0JZwW3HfQG
  jvGk5T7PlE7c6dBvfNjmQl2Z0yTpvjOVufBM6xGVi3WEzkPUb2Wpr0b6oW/Ptan3/d
  d81pOjTCPaAxOXfx0G1t5PpotLEo0P48qxyNPtkGYVZoMp7kdUev7jtac9Jcq
Authentication-Results: tana.it; auth=pass (details omitted)
X-mmdbcountrylookup: FR
From: "tana.it" <abuse@tana.it>
To: abuse@ovh.net
Date: Wed, 12 Feb 2020 05:17:51 +0100
Subject: Mail server abuse by 188.165.221.36 on 11 February 2020
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: DR, OOF, AutoReply
Message-ID: <courier.000000005E437C6F.00006938@wmail.tana.it>
X-Ovh-Remote: 62.94.243.226 (wmail.tana.it)
X-Ovh-Tracer-Id: 8968355709213900626
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 50
X-VR-SPAMCAUSE: [...]
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

Dear Abuse Team

The following abusive behavior from IP address under your constituency 188.165.221.36 has been detected:

2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack

188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018

original data from the mail log:
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D
Alessandro,

The abuse notification below, is absolutely terrible: it only highlights the OVH IP that was used, however it completely fails to identify the IP/hostname that was "attacked", no action (other than forward the notice to the user of the IP) can be taken.

Please in the future include all relevant data in your abuse notice. (src+dst ip are relevant!)

Thx.

--
IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode

On Wed, 12-02-2020 13h 16min, Alessandro Vesely <vesely@tana.it> wrote:
> Dear Abuse Team
>
> The following abusive behavior from IP address under your constituency 188.165.221.36 has been detected:
>
> 2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack
>
> 188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018
>
> original data from the mail log:
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
> 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
> 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
> 2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D
Hi all.

This is one of the abuse emails that cries out to heaven.

There is an idiot who does not stop attacking us and does not answer the abuse email. Does someone know what to do in these cases? RIPE said that there is nothing to do because there is not a "return from their server" to our email.

This provider is full of spam, we banned all their IPs.

https://en.asytech.cn/check-ip/89.248.160.193
https://ipinfo.io/AS202425

It is very striking how a Seychelles provider with a new AS number can spam without limits.

Kind regards.
Javier
IPVolume/Incrediserv, are the new incantation of 'Ecatel'. 'Good luck' (try to peer with them and throttle the bw/ to 28k8 modem speed, lessens the impact somewhat).

--
IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode
In my experience, OVH is one of the larger worldwide hosts of spammers, DDoS, intrusion attempts (SIP, SSH, IMAP, SMTP, etc., etc.), etc., together with cloudstar.is.

Any criminal action you can think of … sure, IPs from OVH or Cloudstar are involved! I’m sure there are many others, but in my own case, this is the major %.

I’m fighting with them every other day, they never do *anything* despite having provided logs, demonstrations of GDPR abuse, etc., etc.

For some reason, it looks to me that most of the so called “email marketing” companies (or databases), which to me are all criminal companies (because it is clear that they keep breaking GDPR and many other rules every other day), using OVH (and sometimes other DCs), are from France. Maybe their DPA is not doing anything or maybe nobody is complaining “enough” to them.

Regards,
Jordi
@jordipalet
Hi,

On Wed 12/Feb/2020 18:43:54 +0100 Alex de Joode wrote:
> The abuse notification below, is absolutely terrible: it only highlights the OVH IP that was used, however it completely fails to identify the IP/hostname that was "attacked", no action (other than forward the notice to the user of the IP) can be taken.

Yes, the user of the IP is the one who should take care. I don't think an actual (paying) user would waste resources on such desperate dictionary attacks. So, the host must be 0wned, and needs cleanup.

> Please in the future include all relevant data in your abuse notice. (src+dst ip are relevant!)

Src+port are already there. The destination IP is indirectly mentioned in a sort of (stripped off[*]) legend which explains which host, what firewall, and similar details.

Best
Ale
--
[*] I'd publish it if I were sure it's bullet proof. Until it's fully vetted, some obscurity sounds more secure ;-)
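The point argued in the two messages above (a notice needs source and destination, with unambiguous times), shown as an added example that is not part of any message in this thread: Python that parses the quoted courieresmtpd lines, converts the local timestamps to UTC, unwraps IPv4-mapped IPv6 addresses and renders a notice carrying both ends. The destination host, IP and port (`mx.example.org`, `192.0.2.25`, 25), the fixed-offset zone table and all function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The six courieresmtpd lines quoted in the abuse report in this thread.
SAMPLE_LOG = """\
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D
"""
# Assumption: the reporter's own server; RFC 2606 / RFC 5737 placeholders.
DESTINATION = {"host": "mx.example.org", "ip": "192.0.2.25", "port": 25}
# Assumption: fixed UTC offsets (hours) for the log's zone abbreviations.
TZ_OFFSETS = {"UTC": 0, "CET": 1, "CEST": 2}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]+) "
    r"courieresmtpd: (?P<kind>started|error),(?P<rest>.*)$"
)
STARTED_RE = re.compile(r"ip=\[(?P<ip>[^\]]+)\],port=\[(?P<port>\d+)\]")
ERROR_RE = re.compile(r'relay=(?P<ip>[^,]+),port=(?P<port>\d+),msg="(?P<msg>[^"]*)"')


def normalise_ip(text):
    """Return the canonical address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def parse_events(log_text):
    """Parse started/error lines into events with UTC timestamps; skip the rest."""
    events = []
    for line in map(str.strip, log_text.splitlines()):
        m = LINE_RE.match(line)
        if not m or m["tz"] not in TZ_OFFSETS:
            continue
        pattern = STARTED_RE if m["kind"] == "started" else ERROR_RE
        detail = pattern.search(m["rest"])
        if not detail:
            continue
        try:
            ip = normalise_ip(detail["ip"])
        except ValueError:
            continue  # not an IP address: skip rather than report garbage
        zone = timezone(timedelta(hours=TZ_OFFSETS[m["tz"]]))
        local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
        events.append({"utc": local.astimezone(timezone.utc), "kind": m["kind"],
                       "ip": ip, "port": int(detail["port"]), "raw": line,
                       "msg": detail.groupdict().get("msg", "")})
    return events


def summarise(events):
    """Group events by source IP: connections, failed AUTH, ports, times, evidence."""
    stats = defaultdict(lambda: {"connections": 0, "auth_failures": 0,
                                 "ports": set(), "seen": [], "evidence": []})
    for ev in events:
        s = stats[ev["ip"]]
        if ev["kind"] == "started":
            s["connections"] += 1
        elif ev["msg"].startswith("535"):
            s["auth_failures"] += 1
        s["ports"].add(ev["port"])
        s["seen"].append(ev["utc"])
        s["evidence"].append(ev["raw"])
    return dict(stats)


def build_report(src_ip, s, dest=DESTINATION):
    """Render a plain-text notice that names both the source and the destination."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        f"Source IP:        {src_ip}",
        f"Source ports:     {', '.join(map(str, sorted(s['ports'])))}",
        f"Destination:      {dest['host']} [{dest['ip']}] port {dest['port']}/tcp",
        f"First seen (UTC): {min(s['seen']).strftime(fmt)}",
        f"Last seen (UTC):  {max(s['seen']).strftime(fmt)}",
        f"Connections: {s['connections']}, failed AUTH (535): {s['auth_failures']}",
        "Original log lines (server local time):",
    ]
    return "\n".join(lines + ["  " + raw for raw in s["evidence"]])


def reports_for(log_text, min_failures=1):
    """Return {source_ip: notice} for sources with enough failed AUTH attempts."""
    stats = summarise(parse_events(log_text))
    return {ip: build_report(ip, s) for ip, s in stats.items()
            if s["auth_failures"] >= min_failures}


if __name__ == "__main__":
    print("\n\n".join(reports_for(SAMPLE_LOG).values()))
```
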
All OVH and DigitalOcean abuse reports must be submitted via the abuse reporting forms on the website, or they won't be actioned: https://www.ovh.com/world/abuse/ https://www.digitalocean.com/company/contact/abuse/ --------- Original Message --------- Subject: Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother From: "Alessandro Vesely" <vesely@tana.it> Date: 2/12/20 11:16 pm To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
The RIPE WHOIS data base says that the abose contact for AS16276 is abuse@ovh.net.
It would appear thet the folks at OVH haven't yet quite figured how this whole email thing works.
Give them time. Another decade or two and they should have it down pat.
+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale

-------- Forwarded Message --------
Subject: failure notice
Date: 12 Feb 2020 06:18:04 +0200
From: MAILER-DAEMON@mx1.ovh.net
To: abuse@tana.it

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ovh.net-abuse@ovh.net>:
user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581481084.9867.mail660.ha.ovh.net,S=4191
system error

--- Below this line is a copy of the message.

Return-Path: <abuse@tana.it>
Received: from localhost (HELO queue) (127.0.0.1) by localhost with SMTP; 12 Feb 2020 06:18:04 +0200
Received: from unknown (HELO output25.mail.ovh.net) (10.108.117.188) by mail660.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 06:18:04 +0200
Received: from vr26.mail.ovh.net (unknown [10.101.8.26]) by out25.mail.ovh.net (Postfix) with ESMTP id 48HRFm0K5Sz7P6Fd8 for <abuse@ovh.net>; Wed, 12 Feb 2020 04:18:04 +0000 (UTC)
Received: from in14.mail.ovh.net (unknown [10.101.4.14]) by vr26.mail.ovh.net (Postfix) with ESMTP id 48HRFf6fgNzrQV85 for <abuse@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=62.94.243.226; helo=wmail.tana.it; envelope-from=abuse@tana.it; receiver=abuse@ovh.net
Authentication-Results: in14.mail.ovh.net; dkim=pass (1152-bit key; unprotected) header.d=tana.it header.i=@tana.it header.b="DSzDkiE5"; dkim-atps=neutral
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by in14.mail.ovh.net (Postfix) with ESMTPS id 48HRFf5rYcz1qqm5 for <abuse@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) (uid 1000) by wmail.tana.it with local id 00000000005DC0BE.000000005E437C70.00006938; Wed, 12 Feb 2020 05:17:51 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1581481072; bh=hqA0axQ0F0EZuKcuD4BJM7lec22phleodccLJFRo7js=; l=1187; h=From:To:Date; b=DSzDkiE5M2E2RHdufCjt/pvL8szxXfCQCiPcYrJMYxbHDSM6/qNrHDy0JZwW3HfQG jvGk5T7PlE7c6dBvfNjmQl2Z0yTpvjOVufBM6xGVi3WEzkPUb2Wpr0b6oW/Ptan3/d d81pOjTCPaAxOXfx0G1t5PpotLEo0P48qxyNPtkGYVZoMp7kdUev7jtac9Jcq
Authentication-Results: tana.it; auth=pass (details omitted)
X-mmdbcountrylookup: FR
From: "tana.it" <abuse@tana.it>
To: abuse@ovh.net
Date: Wed, 12 Feb 2020 05:17:51 +0100
Subject: Mail server abuse by 188.165.221.36 on 11 February 2020
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: DR, OOF, AutoReply
Message-ID: <courier.000000005E437C6F.00006938@wmail.tana.it>
X-Ovh-Remote: 62.94.243.226 (wmail.tana.it)
X-Ovh-Tracer-Id: 8968355709213900626
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 50
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrieeggdeifecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecuogfvvgigthfqnhhlhidqqdetfeejfedqtdegucdlhedtmdenucfjughrpefhvfffufggtgfgsehtjedttddttdejnecuhfhrohhmpedfthgrnhgrrdhithdfuceorggsuhhsvgesthgrnhgrrdhitheqnecuffhomhgrihhnpehtrghnrgdrihhtpdhrihhpvgdrnhgvthenucfkphepiedvrdelgedrvdegfedrvddvieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehinhdugedrmhgrihhlrdhovhhhrdhnvghtpdhinhgvthepiedvrdelgedrvdegfedrvddviedpmhgrihhlfhhrohhmpegrsghushgvsehtrghnrgdrihhtpdhrtghpthhtoheprggsuhhsvgesohhvhhdrnhgvth
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

Dear Abuse Team

The following abusive behavior from IP address under your constituency
188.165.221.36 has been detected:

2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack

188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018

original data from the mail log:
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D
This is one of the reasons that in a responsible world, where responsible RIR etc exist, the following would occur:

+ A ticket is generated via email or form submission when a complaint is made to an abuse desk,
+ this ticket requires a user to confirm the email address provided by clicking on a link in the email (if the user doesn't confirm the email address, the complaint is deleted)
+ if the complaint ticket is not actioned, or not actioned properly, the user can escalate it to the RIR,
+ if the RIR finds the complaint to be valid, then the resource holder pays to the RIR the costs incurred by the RIR to investigate the matter,

At the moment, the resource holder can:

+ ignore it due to funding issues,
+ ignore it due to laziness,
+ ignore it due to criminal influence,
+ ignore it due to language barrier,
+ be forced to ignore it due to DDoS style email flooding,
+ be forced to ignore it due to the size of the resource holdings (because of the sheer volume of complaints made to them due to the size of their network),
+ be forced to ignore it due to a glitch which they are unaware of,

etc etc etc

--------- Original Message ---------
Subject: Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
From: "Fi Shing" <phishing@storey.xxx>
Date: 2/13/20 3:26 pm
To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>

All OVH and DigitalOcean abuse reports must be submitted via the abuse reporting forms on the website, or they won't be actioned:
https://www.ovh.com/world/abuse/
https://www.digitalocean.com/company/contact/abuse/

--------- Original Message ---------
Subject: Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
From: "Alessandro Vesely" <vesely@tana.it>
Date: 2/12/20 11:16 pm
To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>

On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
The RIPE WHOIS data base says that the abuse contact for AS16276 is abuse@ovh.net.
It would appear that the folks at OVH haven't yet quite figured how this whole email thing works.
Give them time. Another decade or two and they should have it down pat.
+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale
Tried that also, and doesn't work for OVH, for Digital Ocean sometimes.

Regards,
Jordi
@jordipalet

On 13/2/20 5:27, "anti-abuse-wg on behalf of Fi Shing" <anti-abuse-wg-bounces@ripe.net on behalf of phishing@storey.xxx> wrote:

All OVH and DigitalOcean abuse reports must be submitted via the abuse reporting forms on the website, or they won't be actioned:
https://www.ovh.com/world/abuse/
https://www.digitalocean.com/company/contact/abuse/

--------- Original Message ---------
Subject: Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
From: "Alessandro Vesely" <vesely@tana.it>
Date: 2/12/20 11:16 pm
To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>

On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
The RIPE WHOIS data base says that the abuse contact for AS16276 is abuse@ovh.net.
It would appear that the folks at OVH haven't yet quite figured how this whole email thing works.
Give them time. Another decade or two and they should have it down pat.
+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale
On Thu 13/Feb/2020 05:26:10 +0100 Fi Shing wrote:
All OVH and DigitalOcean abuse reports must be submitted via the abuse reporting forms on the website, or they won't be actioned: https://www.ovh.com/world/abuse/ https://www.digitalocean.com/company/contact/abuse/
I'm unable to post to each abuse team specific web form. I collect abusive behavior from the firewall log during an end-of-day cron, and notify that to the addresses I find using RDAP, in the hope that it can be useful to the users paying for presumably infected hosts.

I skip reporting to countries like CN RU VN EG LA BY KE IR AZ BN and the like, where Internet is not free, afraid to cause more harm than good.

In addition, I have a skip list where I add bouncing addresses like abuse@ovh.net. Sometimes I report invalid WHOIS data to the relevant RIR, before adding an address to that list.

I feel like sharing this spirit because of a recent discussion about validation of abuse-mailboxes, and the obligation to publish one.
At the moment, the resource holder can:
+ ignore it due to funding issues,
+ ignore it due to laziness,
+ ignore it due to criminal influence,
+ ignore it due to language barrier,
+ be forced to ignore it due to DDoS style email flooding,
+ be forced to ignore it due to the size of the resource holdings (because of the sheer volume of complaints made to them due to the size of their network),
+ be forced to ignore it due to a glitch which they are unaware of,
Of course they can. Once I received an auto-reply saying the abuse "team" was on holidays at the time. That's ok, live and let leave. If everyone does just the best they can (not more), it'd probably be enough.

Best
Ale
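The end-of-day workflow described in the message above, sketched as an added example (not Alessandro's script or any project's code): count failed SMTP AUTH attempts per source IP, read the original recipient out of a qmail bounce, and skip listed countries and bouncing mailboxes. The RDAP lookup is replaced by a constructed table, and the function names, the country codes in that table and the 203.0.113.7 / 198.51.100.9 entries are assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

SKIP_COUNTRIES = {"CN", "RU", "VN", "EG", "LA", "BY", "KE", "IR", "AZ", "BN"}  # named in the post

# Log lines in the courieresmtpd format quoted in this thread; the 203.0.113.7 and
# 198.51.100.9 lines and every country code in RDAP are constructed for illustration.
LOG = '''\
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D
2020-02-11 12:00:01 CET courieresmtpd: error,relay=203.0.113.7,port=40000,msg="535 Authentication failed.",cmd: AUTH LOGIN
2020-02-11 12:00:09 CET courieresmtpd: error,relay=198.51.100.9,port=40001,msg="535 Authentication failed.",cmd: AUTH LOGIN
2020-02-11 12:00:31 CET courieresmtpd: error,relay=198.51.100.9,port=40002,msg="535 Authentication failed.",cmd: AUTH LOGIN
'''
RDAP = {"188.165.221.36": ("FR", "abuse@ovh.net"),      # stand-in for a live RDAP query
        "203.0.113.7": ("CN", "abuse@example.net"),
        "198.51.100.9": ("DE", "abuse@example.org")}

# Abridged from the qmail-send failure notice quoted in this thread.
BOUNCE = '''\
Hi. This is the qmail-send program at mx1.ovh.net.
This is a permanent error; I've given up. Sorry it didn't work out.

<ovh.net-abuse@ovh.net>:
user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
system error

--- Below this line is a copy of the message.

To: abuse@ovh.net
Subject: Mail server abuse by 188.165.221.36 on 11 February 2020
'''
AUTH_FAIL = re.compile(r'courieresmtpd: error,relay=([0-9A-Fa-f.:]+),port=\d+,msg="535 ')

def bounced_recipients(notice):
    """Mailboxes to add to the skip list: the To/Cc of the returned copy, because
    the failure paragraph names the rewritten <ovh.net-abuse@ovh.net> instead."""
    head, sep, copy = notice.partition("--- Below this line is a copy of the message.")
    if not sep or "permanent error" not in head:
        return set()
    msg = message_from_string(copy.lstrip())
    return {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}

def plan_reports(log, rdap, skip_list):
    """Return ({mailbox: {ip: failures}}, {ip: reason skipped}) for one day's log."""
    hits = Counter(m.group(1) for m in AUTH_FAIL.finditer(log))
    send, skipped = {}, {}
    for ip, count in hits.items():
        country, mailbox = rdap.get(ip, (None, None))
        if mailbox is None:
            skipped[ip] = "no abuse contact"
        elif country in SKIP_COUNTRIES:
            skipped[ip] = "country " + country
        elif mailbox.lower() in skip_list:
            skipped[ip] = "bouncing mailbox " + mailbox
        else:
            send.setdefault(mailbox, {})[ip] = count
    return send, skipped
```

Calling `plan_reports(LOG, RDAP, bounced_recipients(BOUNCE))` leaves only the constructed abuse@example.org mailbox to notify; with an empty skip list, abuse@ovh.net would be notified again and bounce again.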
participants (6)

- Alessandro Vesely
- Alex de Joode
- Fi Shing
- Javier Martín
- JORDI PALET MARTINEZ
- Ronald F. Guilmette