On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
> The RIPE WHOIS data base says that the abuse contact for AS16276 is
> ab...@ovh.net.
> 
> It would appear that the folks at OVH haven't yet quite figured how
> this whole email thing works.
> 
> Give them time.  Another decade or two and they should have it down pat.


+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale



-------- Forwarded Message --------
Subject: failure notice
Date: 12 Feb 2020 06:18:04 +0200
From: mailer-dae...@mx1.ovh.net
To: ab...@tana.it

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ovh.net-ab...@ovh.net>:
user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581481084.9867.mail660.ha.ovh.net,S=4191
system error

--- Below this line is a copy of the message.

Return-Path: <ab...@tana.it>
Received: from localhost (HELO queue) (127.0.0.1)
        by localhost with SMTP; 12 Feb 2020 06:18:04 +0200
Received: from unknown (HELO output25.mail.ovh.net) (10.108.117.188)
  by mail660.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 06:18:04 +0200
Received: from vr26.mail.ovh.net (unknown [10.101.8.26])
        by out25.mail.ovh.net (Postfix) with ESMTP id 48HRFm0K5Sz7P6Fd8
        for <ab...@ovh.net>; Wed, 12 Feb 2020 04:18:04 +0000 (UTC)
Received: from in14.mail.ovh.net (unknown [10.101.4.14])
        by vr26.mail.ovh.net (Postfix) with ESMTP id 48HRFf6fgNzrQV85
        for <ab...@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=62.94.243.226;
        helo=wmail.tana.it; envelope-from=ab...@tana.it; receiver=ab...@ovh.net
Authentication-Results: in14.mail.ovh.net;
        dkim=pass (1152-bit key; unprotected) header.d=tana.it header.i=@tana.it header.b="DSzDkiE5";
        dkim-atps=neutral
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226])
        by in14.mail.ovh.net (Postfix) with ESMTPS id 48HRFf5rYcz1qqm5
        for <ab...@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
  (uid 1000)
  by wmail.tana.it with local
  id 00000000005DC0BE.000000005E437C70.00006938; Wed, 12 Feb 2020 05:17:51 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta;
        t=1581481072; bh=hqA0axQ0F0EZuKcuD4BJM7lec22phleodccLJFRo7js=;
        l=1187; h=From:To:Date;
        b=DSzDkiE5M2E2RHdufCjt/pvL8szxXfCQCiPcYrJMYxbHDSM6/qNrHDy0JZwW3HfQG
         jvGk5T7PlE7c6dBvfNjmQl2Z0yTpvjOVufBM6xGVi3WEzkPUb2Wpr0b6oW/Ptan3/d
         d81pOjTCPaAxOXfx0G1t5PpotLEo0P48qxyNPtkGYVZoMp7kdUev7jtac9Jcq
Authentication-Results: tana.it; auth=pass (details omitted)
X-mmdbcountrylookup: FR
From: "tana.it" <ab...@tana.it>
To: ab...@ovh.net
Date: Wed, 12 Feb 2020 05:17:51 +0100
Subject: Mail server abuse by 188.165.221.36 on 11 February 2020
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: DR, OOF, AutoReply
Message-ID: <courier.000000005e437c6f.00006...@wmail.tana.it>
X-Ovh-Remote: 62.94.243.226 (wmail.tana.it)
X-Ovh-Tracer-Id: 8968355709213900626
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 50
X-VR-SPAMCAUSE: 
gggruggvucftvghtrhhoucdtuddrgedugedrieeggdeifecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecuogfvvgigthfqnhhlhidqqdetfeejfedqtdegucdlhedtmdenucfjughrpefhvfffufggtgfgsehtjedttddttdejnecuhfhrohhmpedfthgrnhgrrdhithdfuceorggsuhhsvgesthgrnhgrrdhitheqnecuffhomhgrihhnpehtrghnrgdrihhtpdhrihhpvgdrnhgvthenucfkphepiedvrdelgedrvdegfedrvddvieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehinhdugedrmhgrihhlrdhovhhhrdhnvghtpdhinhgvthepiedvrdelgedrvdegfedrvddviedpmhgrihhlfhhrohhmpegrsghushgvsehtrghnrgdrihhtpdhrtghpthhtoheprggsuhhsvgesohhvhhdrnhgvth
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

Dear Abuse Team

The following abusive behavior from IP address under your constituency
188.165.221.36 has been detected:

    2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack

188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018

original data from the mail log:
    2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
    2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
    2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
    2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
    2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
    2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D

