[anti-abuse-wg] And of course the Australian lady hits the spam button...

2020-02-13 Thread Alessandro Vesely
Every time I send a message to this list, I receive Dina's complaint from 
Yahoo! feedback loop.

I tried to reach Yahoo's FBL in order to convince them that the proper action 
to take when a mailing list message is reported as spam is to unsubscribe the 
user from the reported mailing list.  I didn't succeed.

I wrote to anti-abuse-wg-ow...@ripe.net, maybe they could unsubscribe Dina 
Williams.  They replied that "the RIPE NCC is not responsible for any form of 
spamming, hacking or phishing."

I think I'm not the only poster subscribed to Yahoo's FBL.  Do you get reports 
like the following too?


Best
Ale

 Forwarded Message 
Subject: FW:Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
Date: Wed, 12 Feb 2020 17:10:08 +0100
From: Yahoo! Mail AntiSpam Feedback 
To: ab...@tana.it

This is an email abuse report for an email message from tana.it on Wed, 12 Feb 
2020 12:16:59 +


 Feedback-Report 
Feedback-Type: abuse
User-Agent: Yahoo!-Mail-Feedback/2.0
Version: 0.1
Original-Mail-From: 
Original-Rcpt-To: dinaswilli...@yahoo.com
Received-Date: Wed, 12 Feb 2020 12:16:59 +
Reported-Domain: tana.it
Authentication-Results: authentication result string is not available


 Reported Message 
Subject: Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
Date: Wed, 12 Feb 2020 13:16:36 +0100
From: Alessandro Vesely 
To: anti-abuse-wg@ripe.net

On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
> The RIPE WHOIS data base says that the abuse contact for AS16276 is
> ab...@ovh.net.
> 
> It would appear that the folks at OVH haven't yet quite figured how
> this whole email thing works.
> 
> Give them time.  Another decade or two and they should have it down pat.


+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale

[... Forwarded Message elided ...]




Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother

2020-02-13 Thread Alessandro Vesely
On Thu 13/Feb/2020 05:26:10 +0100 Fi Shing wrote:
> All OVH and DigitalOcean abuse reports must be submitted via the abuse
> reporting forms on the website, or they won't be actioned:
>  
> https://www.ovh.com/world/abuse/
>  
> https://www.digitalocean.com/company/contact/abuse/


I'm unable to post to each abuse team specific web form.  I collect abusive
behavior from the firewall log during an end-of-day cron, and notify that to
the addresses I find using RDAP, in the hope that it can be useful to the users
paying for presumably infected hosts.

I skip reporting to countries like CN RU VN EG LA BY KE IR AZ BN and the like,
where Internet is not free, afraid to cause more harm than good.  In addition,
I have a skip list where I add bouncing addresses like ab...@ovh.net.
Sometimes I report invalid WHOIS data to the relevant RIR, before adding an
address to that list.

I feel like sharing this spirit because of a recent discussion about validation
of abuse-mailboxes, and the obligation to publish one.


> At the moment, the resource holder can:
> 
> ignore it due to funding issues,
> ignore it due to laziness,
> ignore it due to criminal influence,
> ignore it due to language barrier,
> be forced to ignore it due to DDoS style email flooding,
> be forced to ignore it due to the size of the resource holdings (because 
> of the sheer volume of complaints made to them due to the size of their 
> network),
> be forced to ignore it due to a glitch which they are unaware of,


Of course they can.  Once I received an auto-reply saying the abuse "team" was
on holidays at the time.  That's ok, live and let leave.  If everyone does just
the best they can (not more), it'd probably be enough.


Best
Ale
-- 
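
An added example, not part of the original message and not the poster's own tooling: one way to implement the RDAP abuse-contact lookup and the two skip rules described above. The RDAP response, the `example` addresses and the function names are constructed for illustration; the country list is the one given in the message.

```python
import json

# Constructed RDAP "ip network" response (RFC 9083 layout); every value is sample data.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "ip network",
  "country": "FR",
  "entities": [
    {"objectClassName": "entity", "handle": "EX-ORG", "roles": ["registrant"],
     "entities": [
       {"objectClassName": "entity", "handle": "EX-ABUSE", "roles": ["abuse"],
        "vcardArray": ["vcard", [
          ["version", {}, "text", "4.0"],
          ["fn", {}, "text", "Abuse Desk"],
          ["email", {}, "text", "abuse@example.net"]]]}]}]
}
""")

# Country codes as listed in the message; the bouncing address is a placeholder.
SKIP_COUNTRIES = set("CN RU VN EG LA BY KE IR AZ BN".split())
SKIP_ADDRESSES = {"abuse@bouncing.example"}


def abuse_emails(obj):
    """Collect e-mail values of entities holding the "abuse" role, at any depth."""
    found = []
    for entity in obj.get("entities", []):
        if "abuse" in entity.get("roles", []):
            props = entity.get("vcardArray", ["vcard", []])[1]
            found += [p[3] for p in props if p[0] == "email" and isinstance(p[3], str)]
        found += abuse_emails(entity)  # abuse contacts are often nested under an org
    return found


def report_targets(rdap, skip_countries=SKIP_COUNTRIES, skip_addresses=SKIP_ADDRESSES):
    """Return the addresses to notify after applying the country and bounce skip rules."""
    if rdap.get("country", "").upper() in skip_countries:
        return []
    targets = []
    for addr in (a.strip().lower() for a in abuse_emails(rdap)):
        if addr not in skip_addresses and addr not in targets:
            targets.append(addr)
    return targets


if __name__ == "__main__":
    print(report_targets(SAMPLE_RDAP))
```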

Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother

2020-02-13 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Tried that also, and doesn't work for OVH, for Digital Ocean sometimes.

Regards,

Jordi

@jordipalet

On 13/2/20 5:27, "anti-abuse-wg on behalf of Fi Shing" wrote:

 

All OVH and DigitalOcean abuse reports must be submitted via the abuse 
reporting forms on the website, or they won't be actioned:

 

https://www.ovh.com/world/abuse/

 

https://www.digitalocean.com/company/contact/abuse/

 

 

- Original Message - 

Subject: Re: [anti-abuse-wg] Reporting abuse to OVH -- don't bother
From: "Alessandro Vesely" 
Date: 2/12/20 11:16 pm
To: "anti-abuse-wg@ripe.net" 

On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
> The RIPE WHOIS data base says that the abuse contact for AS16276 is
> ab...@ovh.net.
> 
> It would appear that the folks at OVH haven't yet quite figured how
> this whole email thing works.
> 
> Give them time. Another decade or two and they should have it down pat.


+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale



 Forwarded Message 
Subject: failure notice
Date: 12 Feb 2020 06:18:04 +0200
From: mailer-dae...@mx1.ovh.net
To: ab...@tana.it

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
user does not exist, but will deliver to 
/homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 
file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581481084.9867.mail660.ha.ovh.net,S=4191
system error

--- Below this line is a copy of the message.

Return-Path: 
Received: from localhost (HELO queue) (127.0.0.1)
by localhost with SMTP; 12 Feb 2020 06:18:04 +0200
Received: from unknown (HELO output25.mail.ovh.net) (10.108.117.188)
by mail660.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 
06:18:04 +0200
Received: from vr26.mail.ovh.net (unknown [10.101.8.26])
by out25.mail.ovh.net (Postfix) with ESMTP id 48HRFm0K5Sz7P6Fd8
for ; Wed, 12 Feb 2020 04:18:04 + (UTC)
Received: from in14.mail.ovh.net (unknown [10.101.4.14])
by vr26.mail.ovh.net (Postfix) with ESMTP id 48HRFf6fgNzrQV85
for ; Wed, 12 Feb 2020 04:17:58 + (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=62.94.243.226; 
helo=wmail.tana.it; envelope-from=ab...@tana.it; receiver=ab...@ovh.net 
Authentication-Results: in14.mail.ovh.net;
dkim=pass (1152-bit key; unprotected) header.d=tana.it header.i=@tana.it 
header.b="DSzDkiE5";
dkim-atps=neutral
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226])
by in14.mail.ovh.net (Postfix) with ESMTPS id 48HRFf5rYcz1qqm5
for ; Wed, 12 Feb 2020 04:17:58 + (UTC)
Received: from localhost (localhost [127.0.0.1])
(uid 1000)
by wmail.tana.it with local
id 005DC0BE.5E437C70.6938; Wed, 12 Feb 2020 05:17:51 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta;
t=1581481072; bh=hqA0axQ0F0EZuKcuD4BJM7lec22phleodccLJFRo7js=;
l=1187; h=From:To:Date;
b=DSzDkiE5M2E2RHdufCjt/pvL8szxXfCQCiPcYrJMYxbHDSM6/qNrHDy0JZwW3HfQG
jvGk5T7PlE7c6dBvfNjmQl2Z0yTpvjOVufBM6xGVi3WEzkPUb2Wpr0b6oW/Ptan3/d
d81pOjTCPaAxOXfx0G1t5PpotLEo0P48qxyNPtkGYVZoMp7kdUev7jtac9Jcq
Authentication-Results: tana.it; auth=pass (details omitted)
X-mmdbcountrylookup: FR
From: "tana.it" 
To: ab...@ovh.net
Date: Wed, 12 Feb 2020 05:17:51 +0100
Subject: Mail server abuse by 188.165.221.36 on 11 February 2020
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: DR, OOF, AutoReply
Message-ID: 
X-Ovh-Remote: 62.94.243.226 (wmail.tana.it)
X-Ovh-Tracer-Id: 8968355709213900626
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 50
X-VR-SPAMCAUSE: 
gggruggvucftvghtrhhoucdtuddrgedugedrieeggdeifecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecuogfvvgigthfqnhhlhidqqdetfeejfedqtdegucdlhedtmdenucfjughrpefhvfffufggtgfgsehtjedttddttdejnecuhfhrohhmpedfthgrnhgrrdhithdfuceorggsuhhsvgesthgrnhgrrdhitheqnecuffhomhgrihhnpehtrghnrgdrihhtpdhrihhpvgdrnhgvthenucfkphepiedvrdelgedrvdegfedrvddvieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehinhdugedrmhgrihhlrdhovhhhrdhnvghtpdhinhgvthepiedvrdelgedrvdegfedrvddviedpmhgrihhlfhhrohhmpegrsghushgvsehtrghnrgdrihhtpdhrtghpthhtoheprggsuhhsvgesohhvhhdrnhgvth
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

Dear Abuse Team

The following abusive behavior from IP address under your constituency
188.165.221.36 has been detected:

2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP 
auth dictionary attack

188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018

original data from the mail log:
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165