Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
All OVH and DigitalOcean abuse reports must be submitted via the abuse reporting forms on the website, or they won't be actioned:

https://www.ovh.com/world/abuse/
https://www.digitalocean.com/company/contact/abuse/

- Original Message -
Subject: Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
From: "Alessandro Vesely"
Date: 2/12/20 11:16 pm
To: "anti-abuse-wg@ripe.net"

On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
> The RIPE WHOIS data base says that the abuse contact for AS16276 is
> ab...@ovh.net.
>
> It would appear that the folks at OVH haven't yet quite figured how
> this whole email thing works.
>
> Give them time. Another decade or two and they should have it down pat.

+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale

Forwarded Message
Subject: failure notice
Date: 12 Feb 2020 06:18:04 +0200
From: mailer-dae...@mx1.ovh.net
To: ab...@tana.it

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

: user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581481084.9867.mail660.ha.ovh.net,S=4191
system error

--- Below this line is a copy of the message.

Return-Path:
Received: from localhost (HELO queue) (127.0.0.1) by localhost with SMTP; 12 Feb 2020 06:18:04 +0200
Received: from unknown (HELO output25.mail.ovh.net) (10.108.117.188) by mail660.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 06:18:04 +0200
Received: from vr26.mail.ovh.net (unknown [10.101.8.26]) by out25.mail.ovh.net (Postfix) with ESMTP id 48HRFm0K5Sz7P6Fd8 for ; Wed, 12 Feb 2020 04:18:04 + (UTC)
Received: from in14.mail.ovh.net (unknown [10.101.4.14]) by vr26.mail.ovh.net (Postfix) with ESMTP id 48HRFf6fgNzrQV85 for ; Wed, 12 Feb 2020 04:17:58 + (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=62.94.243.226; helo=wmail.tana.it; envelope-from=ab...@tana.it; receiver=ab...@ovh.net
Authentication-Results: in14.mail.ovh.net; dkim=pass (1152-bit key; unprotected) header.d=tana.it header.i=@tana.it header.b="DSzDkiE5"; dkim-atps=neutral
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by in14.mail.ovh.net (Postfix) with ESMTPS id 48HRFf5rYcz1qqm5 for ; Wed, 12 Feb 2020 04:17:58 + (UTC)
Received: from localhost (localhost [127.0.0.1]) (uid 1000) by wmail.tana.it with local id 005DC0BE.5E437C70.6938; Wed, 12 Feb 2020 05:17:51 +0100
Authentication-Results: tana.it; auth=pass (details omitted)
X-mmdbcountrylookup: FR
From: "tana.it"
To: ab...@ovh.net
Date: Wed, 12 Feb 2020 05:17:51 +0100
Subject: Mail server abuse by 188.165.221.36 on 11 February 2020
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: DR, OOF, AutoReply
Message-ID:
X-Ovh-Remote: 62.94.243.226 (wmail.tana.it)
X-Ovh-Tracer-Id: 8968355709213900626
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 50
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

Dear Abuse Team

The following abusive behavior from IP address under your constituency
188.165.221.36 has been detected:

2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack

188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018

original data from the mail log:
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd:

Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
Hi,

On Wed 12/Feb/2020 18:43:54 +0100 Alex de Joode wrote:
>
> The abuse notification below, is absolutely terrible: it only highlights the
> OVH IP that was used, however it completely fails to identify the IP/hostname
> that was "attacked", no action (other than forward the notice to the user of
> the IP) can be taken.

Yes, the user of the IP is the one who should take care. I don't think an actual (paying) user would waste resources on such desperate dictionary attacks. So, the host must be 0wned, and needs cleanup.

> Please in the future include all relevant data in your abuse notice. (src+dst ip
> are relevant!)

Src+port are already there. The destination IP is indirectly mentioned in a sort of (stripped off[*]) legend which explains which host, what firewall, and similar details.

Best
Ale
--
[*] I'd publish it if I were sure it's bullet proof. Until it's fully vetted, some obscurity sounds more secure ;-)

> On Wed, 12-02-2020 13h 16min, Alessandro Vesely wrote:
>
> Dear Abuse Team
>
> The following abusive behavior from IP address under your constituency
> 188.165.221.36 has been detected:
>
> 2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack
>
> 188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018
>
> original data from the mail log:
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
> 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
> 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
> 2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D

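An added example, not part of the thread or of any poster's tooling: a parser for courieresmtpd lines in the format quoted above that groups connections and 535 failures per source and builds a notice carrying source ports, UTC timestamps and the destination. The log lines are constructed, and the function names, `dst_ip`/`dst_port` and the `min_failures` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the courieresmtpd format quoted in the thread.
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[203.0.113.7],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[203.0.113.7],port=[62026]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[203.0.113.7],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=203.0.113.7,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN
2020-02-11 11:40:02 CET courieresmtpd: started,ip=[198.51.100.9],port=[40100]
2020-02-11 11:40:03 CET courieresmtpd: error,relay=203.0.113.7,port=62026,msg="535 Authentication failed.",cmd: AUTH LOGIN
"""

TZ_HOURS = {"UTC": 0, "CET": 1, "CEST": 2}  # hours east of UTC

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<tz>[A-Z]+) courieresmtpd: '
    r'(?:started,ip=\[(?P<sip>[^\]]+)\],port=\[(?P<sport>\d+)\]'
    r'|error,relay=(?P<eip>[^,]+),port=(?P<eport>\d+),msg="(?P<msg>[^"]*)")'
)


def to_utc(ts, tz):
    """Convert a local log timestamp to an aware UTC datetime."""
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=TZ_HOURS[tz]))
    return local.replace(tzinfo=zone).astimezone(timezone.utc)


def summarize(log_text):
    """Group connections and 535 authentication failures by source IP."""
    by_src = defaultdict(
        lambda: {"ports": [], "failures": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["tz"] not in TZ_HOURS:
            continue  # unknown line shape or timezone: skip, do not guess
        when = to_utc(m["ts"], m["tz"])
        rec = by_src[m["sip"] or m["eip"]]
        rec["first"] = min(rec["first"] or when, when)
        rec["last"] = max(rec["last"] or when, when)
        if m["sip"]:
            rec["ports"].append(int(m["sport"]))
        elif m["msg"].startswith("535"):
            rec["failures"] += 1
    return dict(by_src)


def abuse_reports(log_text, dst_ip, dst_port, min_failures=2):
    """Return {source_ip: report_text} for sources at or above the threshold.

    dst_ip/dst_port come from the reporter's own configuration (assumption):
    the log lines themselves do not carry the destination.
    """
    reports = {}
    for src, rec in summarize(log_text).items():
        if rec["failures"] < min_failures:
            continue
        reports[src] = "\n".join([
            f"Source: {src}",
            f"Source ports: {', '.join(map(str, rec['ports']))}",
            f"Destination: {dst_ip}:{dst_port}/tcp",
            f"First seen (UTC): {rec['first'].isoformat()}",
            f"Last seen (UTC): {rec['last'].isoformat()}",
            f"Connections: {len(rec['ports'])}",
            f"Failed SMTP AUTH (535): {rec['failures']}",
        ])
    return reports


if __name__ == "__main__":
    # 192.0.2.25 is a documentation address standing in for the mail server.
    for text in abuse_reports(SAMPLE_LOG, "192.0.2.25", 25).values():
        print(text, end="\n\n")
```

Converting to UTC and stating the destination explicitly lets the receiving abuse desk match the notice against its own flow records without knowing the reporter's timezone.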
Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
In my experience, OVH is one of the larger worldwide hosts of spammers, DDoS, intrusion attempts (SIP, SSH, IMAP, SMTP, etc., etc.), etc., together with cloudstar.is.

Any criminal action you can think of … sure, IPs from OVH or Cloudstar are involved! I’m sure there are many others, but in my own case, this is the major %.

I’m fighting with them every other day, they never do *anything* despite having provided logs, demonstrations of GDPR abuse, etc., etc.

For some reason, it looks to me that most of the so-called “email marketing” companies (or databases), which to me are all criminal companies (because it is clear that they keep breaking GDPR and many other rules every other day), using OVH (and sometimes other DCs), are from France. Maybe their DPA is not doing anything or maybe nobody is complaining “enough” to them.

Regards,
Jordi
@jordipalet

On 12/2/20 18:51, "anti-abuse-wg on behalf of Javier Martín" wrote:

Hi all.

This is one of the abuse emails that cries out to heaven. There is an idiot who does not stop attacking us and does not answer the abuse email. Does someone know what to do in these cases? RIPE said that there is nothing to do because there is not a "return from their server" to our email. This provider is full of spam, we banned all their IPs.

https://en.asytech.cn/check-ip/89.248.160.193
https://ipinfo.io/AS202425

It is very striking how a Seychelles provider with a new AS number can spam without limits.

Kind regards.
Javier

On 12/02/2020 18:44:24, Alex de Joode wrote:

Alessandro,

The abuse notification below, is absolutely terrible: it only highlights the OVH IP that was used, however it completely fails to identify the IP/hostname that was "attacked", no action (other than forward the notice to the user of the IP) can be taken.

Please in the future include all relevant data in your abuse notice. (src+dst ip are relevant!)

Thx.
--
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode

On Wed, 12-02-2020 13h 16min, Alessandro Vesely wrote:

Dear Abuse Team

The following abusive behavior from IP address under your constituency
188.165.221.36 has been detected:

2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack

188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018

original data from the mail log:
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D

Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
IPVolume/Incrediserv, are the new incantation of 'Ecatel'.

'Good luck' (try to peer with them and throttle the bw/ to 28k8 modem speed, lessens the impact somewhat).
--
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode

On Wed, 12-02-2020 18h 50min, Javier Martín wrote:
> Hi all.
>
> This is one of the abuse emails that cries out to heaven. There is an idiot who does not stop attacking us and does not answer the abuse email. Does someone know what to do in these cases? RIPE said that there is nothing to do because there is not a "return from their server" to our email. This provider is full of spam, we banned all their IPs.
>
> https://en.asytech.cn/check-ip/89.248.160.193
> https://ipinfo.io/AS202425
>
> It is very striking how a Seychelles provider with a new AS number can spam without limits.
>
> Kind regards.
> Javier
>
> On 12/02/2020 18:44:24, Alex de Joode wrote:
>
> Alessandro,
>
> The abuse notification below, is absolutely terrible: it only highlights the OVH IP that was used, however it completely fails to identify the IP/hostname that was "attacked", no action (other than forward the notice to the user of the IP) can be taken.
>
> Please in the future include all relevant data in your abuse notice. (src+dst ip are relevant!)
>
> Thx.
> --
> IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode
>
> On Wed, 12-02-2020 13h 16min, Alessandro Vesely wrote:
>
> Dear Abuse Team
>
> The following abusive behavior from IP address under your constituency
> 188.165.221.36 has been detected:
>
> 2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack
>
> 188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018
>
> original data from the mail log:
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
> 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
> 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
> 2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D

Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
Hi all.

This is one of the abuse emails that cries out to heaven. There is an idiot who does not stop attacking us and does not answer the abuse email. Does someone know what to do in these cases? RIPE said that there is nothing to do because there is not a "return from their server" to our email. This provider is full of spam, we banned all their IPs.

https://en.asytech.cn/check-ip/89.248.160.193
https://ipinfo.io/AS202425

It is very striking how a Seychelles provider with a new AS number can spam without limits.

Kind regards.
Javier

On 12/02/2020 18:44:24, Alex de Joode wrote:

Alessandro,

The abuse notification below, is absolutely terrible: it only highlights the OVH IP that was used, however it completely fails to identify the IP/hostname that was "attacked", no action (other than forward the notice to the user of the IP) can be taken.

Please in the future include all relevant data in your abuse notice. (src+dst ip are relevant!)

Thx.
--
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode

On Wed, 12-02-2020 13h 16min, Alessandro Vesely wrote:

Dear Abuse Team

The following abusive behavior from IP address under your constituency
188.165.221.36 has been detected:

2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack

188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018

original data from the mail log:
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D

Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
Alessandro,

The abuse notification below, is absolutely terrible: it only highlights the OVH IP that was used, however it completely fails to identify the IP/hostname that was "attacked", no action (other than forward the notice to the user of the IP) can be taken.

Please in the future include all relevant data in your abuse notice. (src+dst ip are relevant!)

Thx.
--
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode

On Wed, 12-02-2020 13h 16min, Alessandro Vesely wrote:
>
> Dear Abuse Team
>
> The following abusive behavior from IP address under your constituency
> 188.165.221.36 has been detected:
>
> 2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack
>
> 188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018
>
> original data from the mail log:
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
> 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
> 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
> 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
> 2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D

Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
> The RIPE WHOIS data base says that the abuse contact for AS16276 is
> ab...@ovh.net.
>
> It would appear that the folks at OVH haven't yet quite figured how
> this whole email thing works.
>
> Give them time. Another decade or two and they should have it down pat.

+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale

Forwarded Message
Subject: failure notice
Date: 12 Feb 2020 06:18:04 +0200
From: mailer-dae...@mx1.ovh.net
To: ab...@tana.it

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

: user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581481084.9867.mail660.ha.ovh.net,S=4191
system error

--- Below this line is a copy of the message.

Return-Path:
Received: from localhost (HELO queue) (127.0.0.1) by localhost with SMTP; 12 Feb 2020 06:18:04 +0200
Received: from unknown (HELO output25.mail.ovh.net) (10.108.117.188) by mail660.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 06:18:04 +0200
Received: from vr26.mail.ovh.net (unknown [10.101.8.26]) by out25.mail.ovh.net (Postfix) with ESMTP id 48HRFm0K5Sz7P6Fd8 for ; Wed, 12 Feb 2020 04:18:04 + (UTC)
Received: from in14.mail.ovh.net (unknown [10.101.4.14]) by vr26.mail.ovh.net (Postfix) with ESMTP id 48HRFf6fgNzrQV85 for ; Wed, 12 Feb 2020 04:17:58 + (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=62.94.243.226; helo=wmail.tana.it; envelope-from=ab...@tana.it; receiver=ab...@ovh.net
Authentication-Results: in14.mail.ovh.net; dkim=pass (1152-bit key; unprotected) header.d=tana.it header.i=@tana.it header.b="DSzDkiE5"; dkim-atps=neutral
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by in14.mail.ovh.net (Postfix) with ESMTPS id 48HRFf5rYcz1qqm5 for ; Wed, 12 Feb 2020 04:17:58 + (UTC)
Received: from localhost (localhost [127.0.0.1]) (uid 1000) by wmail.tana.it with local id 005DC0BE.5E437C70.6938; Wed, 12 Feb 2020 05:17:51 +0100
Authentication-Results: tana.it; auth=pass (details omitted)
X-mmdbcountrylookup: FR
From: "tana.it"
To: ab...@ovh.net
Date: Wed, 12 Feb 2020 05:17:51 +0100
Subject: Mail server abuse by 188.165.221.36 on 11 February 2020
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: DR, OOF, AutoReply
Message-ID:
X-Ovh-Remote: 62.94.243.226 (wmail.tana.it)
X-Ovh-Tracer-Id: 8968355709213900626
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 50
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

Dear Abuse Team

The following abusive behavior from IP address under your constituency
188.165.221.36 has been detected:

2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack

188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018

original data from the mail log:
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D

[anti-abuse-wg] Reporting abuse to OVH -- don't bother
The RIPE WHOIS data base says that the abuse contact for AS16276 is ab...@ovh.net.

It would appear that the folks at OVH haven't yet quite figured how this whole email thing works.

Give them time. Another decade or two and they should have it down pat.

--- Forwarded Message

Date: 12 Feb 2020 10:26:23 +0200
From: mailer-dae...@mx1.ovh.net
To: r...@tristatelogic.com
Subject: failure notice

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

: user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581495983.28582.mail141.ha.ovh.net,S=10651
system error

- --- Below this line is a copy of the message.

Return-Path:
Received: from localhost (HELO queue) (127.0.0.1) by localhost with SMTP; 12 Feb 2020 10:26:23 +0200
Received: from unknown (HELO output55.mail.ovh.net) (10.108.98.118) by mail141.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 10:26:23 +0200
Received: from vr15.mail.ovh.net (unknown [10.101.8.15]) by out55.mail.ovh.net (Postfix) with ESMTP id 48HXmH0nz4z7SwqFq for ; Wed, 12 Feb 2020 08:26:23 + (UTC)
Received: from in32.mail.ovh.net (unknown [10.101.4.32]) by vr15.mail.ovh.net (Postfix) with ESMTP id 48HXm96hlfz1DGZD for ; Wed, 12 Feb 2020 08:26:17 + (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=69.62.255.118; helo=outgoing.tristatelogic.com; envelope-from=r...@tristatelogic.com; receiver=abuse@ovh.net
Authentication-Results: in32.mail.ovh.net; dkim=none; dkim-atps=neutral
Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by in32.mail.ovh.net (Postfix) with ESMTP id 48HXm91ZjszZ0l2m for ; Wed, 12 Feb 2020 08:26:16 + (UTC)
Received: by segfault.tristatelogic.com (Postfix, from userid 1237) id 5A1884E69A; Wed, 12 Feb 2020 00:26:10 -0800 (PST)
From: "Ronald F. Guilmette"
To: ab...@ovh.net
Cc: spamrepo...@tristatelogic.com
Subject: Spam from your network (AS16276): [54.39.173.134]
Date: 12 Feb 2020 00:26:10 -0800
X-Rfg-Spam-Report: (AS16276): [54.39.173.134]
Message-Id: <20200212082610.5a1884e...@segfault.tristatelogic.com>
X-Ovh-Remote: 69.62.255.118 (segfault.tristatelogic.com)
X-Ovh-Tracer-Id: 13162051389114427986
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

I have received the email spam message which is appended below from your network, AS16276. I did not request this spam, and I have had no prior contact with the sender. Indeed, I do not even know the sender, and I do not know how the sender even acquired my email address.

Please terminate this spamming from your network immediately.

Thank you for your assistance in this matter.

=

Return-Path:
X-Original-To: rfg-dyna...@tristatelogic.com
Delivered-To: rfg-dyna...@tristatelogic.com
Received: from craig.digitalebookwriting.com (ip134.ip-54-39-173.net [54.39.173.134]) by segfault.tristatelogic.com (Postfix) with ESMTP id 391A44E68A for ; Thu, 30 Jan 2020 09:25:09 -0800 (PST)