Re: [mailop] Spam received from ips with forged reverse names

2023-01-06 Thread Mary via mailop

My deepest condolences :)



On Fri, 6 Jan 2023 18:29:05 +0100 Jaroslaw Rafa via mailop wrote:

> On 6.01.2023 at 19:16:16 Mary via mailop writes:
> > 
> > Eventually I got tired of them and blocked all their AS networks from all
> > my clients. Spam and other malicious traffic dropped by 20% and not a
> > single complaint about legitimate traffic being blocked.  
> 
> Probably because I don't know anyone who you manage mail for and had no
> reason to mail them. Because my server is hosted by OVH exactly.
> -- 
> Regards,
> Jaroslaw Rafa
> r...@rafa.eu.org
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Spam received from ips with forged reverse names

2023-01-06 Thread Jaroslaw Rafa via mailop
On 6.01.2023 at 19:16:16 Mary via mailop writes:
> 
> Eventually I got tired of them and blocked all their AS networks from all
> my clients. Spam and other malicious traffic dropped by 20% and not a
> single complaint about legitimate traffic being blocked.

Probably because I don't know anyone who you manage mail for and had no
reason to mail them. Because my server is hosted by OVH exactly.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Spam received from ips with forged reverse names

2023-01-06 Thread Mary via mailop

I don't think they care to do that, probably because they make a lot of money
from said miscreants.

One such bright example is OVH. I've had the unpleasant experience of dealing
with their imaginary "abuse" department.

Eventually I got tired of them and blocked all their AS networks from all my 
clients. Spam and other malicious traffic dropped by 20% and not a single 
complaint about legitimate traffic being blocked.



On Fri, 6 Jan 2023 08:53:31 -0800 Michael Peddemors via mailop wrote:

> For the record, this has been going on for some time...
> You know it is a bullet proof hoster when...
> 
> You see those companies on RBLs really quickly.  Surprised that many
> well-known hosters don't simply do a PTR walk on their own IP space,
> which reveals the miscreants quite quickly.  It's #NOTHATHARD ;)
> 
> If all hosting companies did two simple things, they would catch most of 
> the bad actors, before their IP space got blacklisted.


Re: [mailop] Spam received from ips with forged reverse names

2023-01-06 Thread Michael Peddemors via mailop

For the record, this has been going on for some time...
You know it is a bullet proof hoster when...

You see those companies on RBLs really quickly.  Surprised that many
well-known hosters don't simply do a PTR walk on their own IP space,
which reveals the miscreants quite quickly.  It's #NOTHATHARD ;)


If all hosting companies did two simple things, they would catch most of 
the bad actors, before their IP space got blacklisted.


On 2023-01-05 13:46, Serizy via mailop wrote:

> Hello.
>
> I would like to report here a spam source that is sending messages to
> some of our users. Interestingly, this source is using forged reverse
> names for their IPs, and they are using many different IPs in what seems
> to be a snowshoe pattern.
>
> The domains used for their reverse names, PTR records, are “stolen” from
> other public companies, even Microsoft or Google!
>
> Has anyone seen this pattern? Are they trying to steal reputation from
> these domains? Almost all messages received end up in the spam folder, but
> what worries me is that the PTR resolves to the fake hostname, but the
> host name doesn’t resolve to the IP, logically… and the messages go to
> the user mailbox in Outlook.com.
>
> All messages come from the same source; they all show the same footer, with
> a different company/database name, but the same physical address… they belong
> to the same sender company, of course, which appears to be Rodlandsky.
>
> Is there any way to report this? It shouldn’t even be legal, I think.
>
> I’ll post here most samples I got from the users’ mailboxes, for your
> review. As you can see, there are lots of IPs pointing to forged host
> names with domains that they don’t own:

Re: [mailop] Spam received from ips with forged reverse names

2023-01-05 Thread Alexander Huynh via mailop
On Jan 5, 2023, at 14:54, Serizy via mailop wrote:

> but what worries me is that the PTR resolves to the fake hostname, but the
> host name doesn’t resolve to the IP, logically… and the messages go to the user
> mailbox in Outlook.com

This should not be an issue if the MTA performs both forward (A//CNAME) and
reverse (PTR) DNS validation.

> Is there any way to report this?

Others may correct me, but I believe the channels for reporting abusive PTR
records lie with the body who owns those IPs. A WHOIS on the offending IPs
should provide an abuse contact.

> Shouldn’t be even legal I think.

Legal or not, that may not prevent people from doing so, as evidenced here, nor
may it incentivize people to rectify these abuses.
--
Alex
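The forward-confirmed reverse DNS check Alex describes, plus the PTR walk Michael suggests hosters run over their own space, as an added example (not code from the list or from any poster). The sample PTR/A records in 192.0.2.0/24, the names under it and the operator domain `hoster.example` are constructed so it runs offline; the `live_*` resolvers are the socket-backed equivalents for real use.

```python
import ipaddress
import socket

# Constructed sample records in the documentation prefix 192.0.2.0/24 so the
# check runs offline; pass the socket-backed resolvers below for live use.
SAMPLE_PTR = {
    "192.0.2.10": "mx.hoster.example",     # honest: forward record agrees
    "192.0.2.11": "mta.bigbrand.example",  # forged: borrowed brand, no A record
    "192.0.2.12": "relay.other.example",   # forward record points elsewhere
    "192.0.2.13": "old.hoster.example",    # stale, but under the operator's own domain
}
SAMPLE_A = {
    "mx.hoster.example": {"192.0.2.10"},
    "relay.other.example": {"198.51.100.7"},
}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)
def sample_fwd(host):
    return SAMPLE_A.get(host, set())

def live_ptr(ip):
    """PTR lookup via the system resolver; None when the IP has no reverse name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_fwd(host):
    """All A/AAAA addresses the PTR name resolves to; empty set if it does not."""
    try:
        return {r[4][0] for r in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def fcrdns_check(ip, ptr=live_ptr, fwd=live_fwd):
    """FCrDNS: the PTR name must resolve back to ip. Returns (status, ptr_name)."""
    name = ptr(ip)
    if name is None:
        return ("no-ptr", None)
    return ("pass" if ip in fwd(name) else "fail", name)

def ptr_walk(prefix, owned_domains, ptr=live_ptr, fwd=live_fwd):
    """List hosts in prefix whose PTR fails FCrDNS and is outside the operator's domains."""
    flagged = []
    for addr in ipaddress.ip_network(prefix).hosts():
        status, name = fcrdns_check(str(addr), ptr, fwd)
        owned = name and any(name == d or name.endswith("." + d) for d in owned_domains)
        if status == "fail" and not owned:
            flagged.append((str(addr), name))
    return flagged
```

A receiving MTA would treat a "fail" result as a strong negative signal; a hoster running `ptr_walk` over its own prefixes gets the list of customer-set reverse names that borrow someone else's domain.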