[anti-abuse-wg] bgprep.info

2020-05-25 Thread mohsen atiq
Dear Sir,
Recently I developed a robot that collects reported IP lists from more than
160 resources and then tries to categorize and normalize these lists. Some
of these resources are highly reputed, and some of them are personal lists.
I summarize the result in the https://bgprep.info/report web app. This tiny
app provides basic search and reporting functionality and a free, unlimited
REST API for research purposes. Besides this, I maintain my database of
IP-Location and BGP AS-location.
Currently, the information is updated regularly every week, but I will try
to decrease the update interval. I am very eager to hear your feedback
about this app.
Please consider that this information and related data are entirely free and
will remain free in the future.

Best regards.

Mohsen


Re: [anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me

2020-05-25 Thread Martin Wilhelmi
Hey Javier,

the thing is, I don't receive spam, I receive emails about their address range 
sending spam and using my domain as the sender.

I think through SPF, DKIM and DNSSEC I have gotten everything out of today's 
specifications.

This provider just doesn't want to accept DMARC reports. This is for me just 
denying facts.

Cheers,

Martin

> On 25. May 2020, at 16:17, Javier Martín  wrote:
> 
> Dear Martin.
> Welcome to our daily world, we are sending all spamming ips to the blackhole 
> in our router.
> Kind regards.
> Javier
>> On 25/05/2020 16:15:10, Martin Wilhelmi wrote:
>> 
>> Hey everyone,
>> 
>> I have a conflict with a provider from Russia "Timeweb" AS9123. It seems to 
>> be hosting a customer who sends spam and uses one of my domains as sender.
>> 
>> I got the information via DMARC, RFC 7489 with several mails. This provider 
>> has an abuse email address. After I contacted them, they analyzed my domain, 
>> complained about the header of the automatic DMARC e-mail from mail.ru,
>> because there an internal host distributes it and uses an
>> internal IP address 10/8 according to RFC 1918 and so on.
>> 
>> Apparently one does not want to do anything and requests one of these 
>> e-mails classified as spam sent to @mail.ru.
>> 
>> But this is not provided for in the DMARC protocol, which the provider does 
>> not 'believe'.
>> 
>> This means I continue to receive emails from Russia telling me that my 
>> domain is being used by their host to send spam. And the provider writes me 
>> many e-mails telling me that I have to provide correct facts and that 
>> nothing else will be done.
>> 
>> Because DMARC emails are not facts and cannot be used as evidence.
>> 
>> Do you have any idea how to deal with this?
>> 
>> I have received 11 DMARC emails from mail.ru regarding
>> this host. I have attached last one here with header:
>> 
>> Return-Path: mailto:dmarc_supp...@corp.mail.ru>>
>> Delivered-To: m...@mnin.de 
>> Received: from mail.mnin.de ([])
>>  by mail.mnin.de with LMTP
>>  id yedWJNMKx14sDAAAuS6XVA
>>  (envelope-from )
>>  for ; Fri, 22 May 2020 01:12:19 +0200
>> Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
>>  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>>  (No client certificate requested)
>>  by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
>>  for ; Fri, 22 May 2020 01:12:18 +0200 (CEST)
>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
>> d=corp.mail.ru; s=mail;
>>  h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type; 
>> bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
>>  
>> b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
>> Received: from [10.161.4.115] (port=48176 helo=60)
>>  by relay7.m.smailru.net with esmtp (envelope-from 
>> )
>>  id 1jbuMI-0007Kr-2n
>>  for m...@mnin.de; Fri, 22 May 2020 02:12:14 +0300
>> Content-Type: multipart/mixed; 
>> boundary="===1678280035031557895=="
>> MIME-Version: 1.0
>> Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
>>  Report-ID: 25590927945792699841590019200
>> From: dmarc_supp...@corp.mail.ru
>> To: m...@mnin.de
>> Message-ID: 
>> Date: Fri, 22 May 2020 02:12:14 +0300
>> Auto-Submitted: auto-generated
>> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
>>  s=dkim; t=1590102738;
>>  h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
>>   to:to:cc:mime-version:mime-version:content-type:content-type:
>>   dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
>>  b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
>>  VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
>>  pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
>>  0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
>>  dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
>> ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
>>  b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
>>  Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
>>  l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
>>  VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
>>  eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
>> ARC-Authentication-Results: i=1;
>>  mail.mnin.de;
>>  dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
>>  spf=pass (mail.mnin.de: domain of dmarc_supp...@corp.mail.ru designates 
>> 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru
>> X-Last-TLS-Session-Version: TLSv1.2
>> 

Re: [anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me

2020-05-25 Thread Sergey Myasoedov via anti-abuse-wg
Hi Martin,

Why did you set "p=none" in your DMARC policy? Why not reject or
quarantine?


--
Sergey

Monday, May 25, 2020, 4:09:14 PM, you wrote:

> Hey everyone,

> I have a conflict with a provider from Russia "Timeweb" AS9123.
> It seems to be hosting a customer who sends spam and uses one of my domains 
> as sender.

> I got the information via DMARC, RFC 7489 with several mails.
> This provider has an abuse email address. After I contacted them,
> they analyzed my domain, complained about the header of the
> automatic DMARC e-mail from mail.ru, because there an internal
> host distributes it and uses an internal IP address 10/8 according to RFC 
> 1918 and so on.

> Apparently one does not want to do anything and requests one of
> these e-mails classified as spam sent to @mail.ru.

> But this is not provided for in the DMARC protocol, which the provider does 
> not 'believe'.

> This means I continue to receive emails from Russia telling me
> that my domain is being used by their host to send spam. And the
> provider writes me many e-mails telling me that I have to provide
> correct facts and that nothing else will be done.

> Because DMARC emails are not facts and cannot be used as evidence.

> Do you have any idea how to deal with this?

> I have received 11 DMARC emails from mail.ru regarding this host.
> I have attached last one here with header:

> Return-Path: 
> Delivered-To: m...@mnin.de
> Received: from mail.mnin.de ([])
> by mail.mnin.de with LMTP
> id yedWJNMKx14sDAAAuS6XVA
> (envelope-from )
> for ; Fri, 22 May 2020 01:12:19 +0200
> Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
> for ; Fri, 22 May 2020 01:12:18 +0200 (CEST)
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
> d=corp.mail.ru; s=mail;
>
> h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type;
> bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
>
> b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
> Received: from [10.161.4.115] (port=48176 helo=60)
> by relay7.m.smailru.net with esmtp (envelope-from 
> )
> id 1jbuMI-0007Kr-2n
> for m...@mnin.de; Fri, 22 May 2020 02:12:14 +0300
> Content-Type: multipart/mixed;
> boundary="===1678280035031557895=="
> MIME-Version: 1.0
> Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
>  Report-ID: 25590927945792699841590019200
> From: dmarc_supp...@corp.mail.ru
> To: m...@mnin.de
> Message-ID: 
> Date: Fri, 22 May 2020 02:12:14 +0300
> Auto-Submitted: auto-generated
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
> s=dkim; t=1590102738;
>
> h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
>  to:to:cc:mime-version:mime-version:content-type:content-type:
>  dkim-signature;
> bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
>
> b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
>
> VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
>
> pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
>
> 0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
>
> dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
> ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
>
> b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
>
> Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
>
> l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
>
> VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
>
> eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
> ARC-Authentication-Results: i=1;
> mail.mnin.de;
> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
> spf=pass (mail.mnin.de: domain of
> dmarc_supp...@corp.mail.ru designates 94.100.178.51 as permitted
> sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru
> X-Last-TLS-Session-Version: TLSv1.2
> Authentication-Results: mail.mnin.de;
> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
> dmarc=pass (policy=reject) header.from=corp.mail.ru;
> spf=pass (mail.mnin.de: domain of
> dmarc_supp...@corp.mail.ru designates 94.100.178.51 as permitted
> sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru

> --===1678280035031557895==
> MIME-Version: 1.0
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: base64

> VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=

> --===1678280035031557895==
> Content-Type: application/gzip
> MIME-Version: 1.0
> 

Re: [anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me

2020-05-25 Thread Serge Droz via anti-abuse-wg
Hi Martin

Have you tried to contact RU-CERT: https://www.cert.ru/en/about.shtml

They often are quite helpful.

Best
Serge


On 25.05.20 16:09, Martin Wilhelmi wrote:
> Hey everyone,
> 
> I have a conflict with a provider from Russia "Timeweb" AS9123. It seems
> to be hosting a customer who sends spam and uses one of my domains as
> sender.
> 
> I got the information via DMARC, RFC 7489 with several mails. This
> provider has an abuse email address. After I contacted them, they
> analyzed my domain, complained about the header of the automatic DMARC
> e-mail from mail.ru, because there an internal host
> distributes it and uses an internal IP address 10/8 according to RFC
> 1918 and so on.
> 
> Apparently one does not want to do anything and requests one of these
> e-mails classified as spam sent to @mail.ru.
> 
> But this is not provided for in the DMARC protocol, which the provider
> does not 'believe'.
> 
> This means I continue to receive emails from Russia telling me that my
> domain is being used by their host to send spam. And the provider writes
> me many e-mails telling me that I have to provide correct facts and that
> nothing else will be done.
> 
> Because DMARC emails are not facts and cannot be used as evidence.
> 
> Do you have any idea how to deal with this?
> 
> I have received 11 DMARC emails from mail.ru regarding
> this host. I have attached last one here with header:
> 
> Return-Path:  >
> Delivered-To: m...@mnin.de 
> Received: from mail.mnin.de ([])
> by mail.mnin.de with LMTP
> id yedWJNMKx14sDAAAuS6XVA
> (envelope-from )
> for ; Fri, 22 May 2020 01:12:19 +0200
> Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
> for ; Fri, 22 May 2020 01:12:18 +0200 (CEST)
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=corp.mail.ru; s=mail;
> h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type;
> bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
> b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
> Received: from [10.161.4.115] (port=48176 helo=60)
> by relay7.m.smailru.net with esmtp (envelope-from
> )
> id 1jbuMI-0007Kr-2n
> for m...@mnin.de; Fri, 22 May 2020 02:12:14 +0300
> Content-Type: multipart/mixed;
> boundary="===1678280035031557895=="
> MIME-Version: 1.0
> Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
>  Report-ID: 25590927945792699841590019200
> From: dmarc_supp...@corp.mail.ru
> To: m...@mnin.de
> Message-ID: 
> Date: Fri, 22 May 2020 02:12:14 +0300
> Auto-Submitted: auto-generated
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
> s=dkim; t=1590102738;
> h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
>  to:to:cc:mime-version:mime-version:content-type:content-type:
>  dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
> b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
> VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
> pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
> 0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
> dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
> ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
> b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
> Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
> l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
> VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
> eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
> ARC-Authentication-Results: i=1;
> mail.mnin.de;
> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
> spf=pass (mail.mnin.de: domain of dmarc_supp...@corp.mail.ru designates
> 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru
> X-Last-TLS-Session-Version: TLSv1.2
> Authentication-Results: mail.mnin.de;
> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
> dmarc=pass (policy=reject) header.from=corp.mail.ru;
> spf=pass (mail.mnin.de: domain of dmarc_supp...@corp.mail.ru designates
> 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru
> 
> --===1678280035031557895==
> MIME-Version: 1.0
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: base64
> 
> VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=
> 
> --===1678280035031557895==
> Content-Type: application/gzip
> MIME-Version: 1.0
> Content-Transfer-Encoding: base64
> Content-Disposition: 

Re: [anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me

2020-05-25 Thread Javier Martín
Dear Martin.
Welcome to our daily world, we are sending all spamming ips to the blackhole in 
our router.
Kind regards.
Javier
On 25/05/2020 16:15:10, Martin Wilhelmi wrote:
Hey everyone,

I have a conflict with a provider from Russia "Timeweb" AS9123. It seems to be 
hosting a customer who sends spam and uses one of my domains as sender.

I got the information via DMARC, RFC 7489 with several mails. This provider has 
an abuse email address. After I contacted them, they analyzed my domain, 
complained about the header of the automatic DMARC e-mail from mail.ru,
because there an internal host distributes it and uses an
internal IP address 10/8 according to RFC 1918 and so on.

Apparently one does not want to do anything and requests one of these e-mails 
classified as spam sent to @mail.ru.

But this is not provided for in the DMARC protocol, which the provider does not 
'believe'.

This means I continue to receive emails from Russia telling me that my domain 
is being used by their host to send spam. And the provider writes me many 
e-mails telling me that I have to provide correct facts and that nothing else 
will be done.

Because DMARC emails are not facts and cannot be used as evidence.

Do you have any idea how to deal with this?

I have received 11 DMARC emails from mail.ru regarding this
host. I have attached last one here with header:


Return-Path: mailto:dmarc_supp...@corp.mail.ru]>
Delivered-To: m...@mnin.de [mailto:m...@mnin.de]
Received: from mail.mnin.de ([])
by mail.mnin.de with LMTP
id yedWJNMKx14sDAAAuS6XVA
(envelope-from )
for ; Fri, 22 May 2020 01:12:19 +0200
Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
for ; Fri, 22 May 2020 01:12:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
d=corp.mail.ru; s=mail;
h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type; 
bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
Received: from [10.161.4.115] (port=48176 helo=60)
by relay7.m.smailru.net with esmtp (envelope-from )
id 1jbuMI-0007Kr-2n
for m...@mnin.de; Fri, 22 May 2020 02:12:14 +0300
Content-Type: multipart/mixed; boundary="===1678280035031557895=="
MIME-Version: 1.0
Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
 Report-ID: 25590927945792699841590019200
From: dmarc_supp...@corp.mail.ru
To: m...@mnin.de
Message-ID: 
Date: Fri, 22 May 2020 02:12:14 +0300
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
s=dkim; t=1590102738;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
ARC-Authentication-Results: i=1;
mail.mnin.de;
dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
spf=pass (mail.mnin.de: domain of dmarc_supp...@corp.mail.ru designates 
94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru
X-Last-TLS-Session-Version: TLSv1.2
Authentication-Results: mail.mnin.de;
dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
dmarc=pass (policy=reject) header.from=corp.mail.ru;
spf=pass (mail.mnin.de: domain of dmarc_supp...@corp.mail.ru designates 
94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru

--===1678280035031557895==
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=

--===1678280035031557895==
Content-Type: application/gzip
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="mail.ru!mnin.de!1590019200!1590105600.xml.gz"

H4sICM4Kx14C/21haWwucnUhbW5pbi5kZSExNTkwMDE5MjAwITE1OTAxMDU2MDAueG1sAIVTQXKk

[anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me

2020-05-25 Thread Martin Wilhelmi
Hey everyone,

I have a conflict with a provider from Russia "Timeweb" AS9123. It seems to be 
hosting a customer who sends spam and uses one of my domains as sender.

I got the information via DMARC, RFC 7489 with several mails. This provider has 
an abuse email address. After I contacted them, they analyzed my domain, 
complained about the header of the automatic DMARC e-mail from mail.ru, because 
there an internal host distributes it and uses an internal IP address 10/8 
according to RFC 1918 and so on.

Apparently one does not want to do anything and requests one of these e-mails 
classified as spam sent to @mail.ru.

But this is not provided for in the DMARC protocol, which the provider does not 
'believe'.

This means I continue to receive emails from Russia telling me that my domain 
is being used by their host to send spam. And the provider writes me many 
e-mails telling me that I have to provide correct facts and that nothing else 
will be done.

Because DMARC emails are not facts and cannot be used as evidence.

Do you have any idea how to deal with this?

I have received 11 DMARC emails from mail.ru regarding this host. I have 
attached last one here with header:

Return-Path: 
Delivered-To: m...@mnin.de
Received: from mail.mnin.de ([])
by mail.mnin.de with LMTP
id yedWJNMKx14sDAAAuS6XVA
(envelope-from )
for ; Fri, 22 May 2020 01:12:19 +0200
Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
for ; Fri, 22 May 2020 01:12:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
d=corp.mail.ru; s=mail;
h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type; 
bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;

b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
Received: from [10.161.4.115] (port=48176 helo=60)
by relay7.m.smailru.net with esmtp (envelope-from 
)
id 1jbuMI-0007Kr-2n
for m...@mnin.de; Fri, 22 May 2020 02:12:14 +0300
Content-Type: multipart/mixed; boundary="===1678280035031557895=="
MIME-Version: 1.0
Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
 Report-ID: 25590927945792699841590019200
From: dmarc_supp...@corp.mail.ru
To: m...@mnin.de
Message-ID: 
Date: Fri, 22 May 2020 02:12:14 +0300
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
s=dkim; t=1590102738;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
ARC-Authentication-Results: i=1;
mail.mnin.de;
dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
spf=pass (mail.mnin.de: domain of dmarc_supp...@corp.mail.ru designates 
94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru
X-Last-TLS-Session-Version: TLSv1.2
Authentication-Results: mail.mnin.de;
dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
dmarc=pass (policy=reject) header.from=corp.mail.ru;
spf=pass (mail.mnin.de: domain of dmarc_supp...@corp.mail.ru designates 
94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru

--===1678280035031557895==
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=

--===1678280035031557895==
Content-Type: application/gzip
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="mail.ru!mnin.de!1590019200!1590105600.xml.gz"

H4sICM4Kx14C/21haWwucnUhbW5pbi5kZSExNTkwMDE5MjAwITE1OTAxMDU2MDAueG1sAIVTQXKk
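
Added example, not part of the original thread: the attachment named above is a gzipped RFC 7489 aggregate report, and this sketch shows how such a report can be reduced to the per-source-IP counts that would go into an abuse complaint. The sample report, its domain example.org, the reporter name and all IP addresses are constructed; the size cap and the absence of an XML namespace are assumptions.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_XML_BYTES = 5 * 1024 * 1024  # assumed size cap; reports are third-party input


def gunzip_limited(gz_bytes):
    """Decompress with a size cap and refuse DTD/entity declarations."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        data = fh.read(MAX_XML_BYTES + 1)
    if len(data) > MAX_XML_BYTES:
        raise ValueError("decompressed report exceeds size cap")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration in report")
    return data


def parse_aggregate_report(gz_bytes):
    """Return (metadata, rows) from a gzipped aggregate report (no XML namespace)."""
    root = ET.fromstring(gunzip_limited(gz_bytes))
    meta = {
        "reporter": root.findtext("report_metadata/org_name"),
        "report_id": root.findtext("report_metadata/report_id"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
    }
    rows = []
    for rec in root.iter("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count") or 0),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return meta, rows


def unauthenticated_sources(rows):
    """Total messages per source IP that failed both DKIM and SPF for DMARC."""
    totals = defaultdict(int)
    for r in rows:
        if r["dkim"] != "pass" and r["spf"] != "pass":
            totals[r["source_ip"]] += r["count"]
    return dict(totals)


def _record(ip, count, dkim, spf):
    # Helper that builds one constructed <record> element for the sample.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row><identifiers>"
            "<header_from>example.org</header_from></identifiers></record>")


def sample_report():
    """Constructed report: one legitimate sender, one forwarder, one spoofing host."""
    records = [("192.0.2.25", 3, "pass", "pass"), ("203.0.113.7", 40, "fail", "fail"),
               ("203.0.113.7", 2, "fail", "fail"), ("198.51.100.9", 1, "fail", "pass")]
    xml = ("<feedback><report_metadata><org_name>reporter.example</org_name>"
           "<report_id>constructed-0001</report_id></report_metadata>"
           "<policy_published><domain>example.org</domain><p>none</p>"
           "</policy_published>" + "".join(_record(*r) for r in records) + "</feedback>")
    return gzip.compress(xml.encode())


if __name__ == "__main__":
    meta, rows = parse_aggregate_report(sample_report())
    print(meta)
    for ip, n in unauthenticated_sources(rows).items():
        print(f"{ip}: {n} messages failed both DKIM and SPF")
```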