New type of SPAM aggression

2019-02-06 Thread Rupert Gallagher
This is to inform about a new type of SPAM aggression.

We received from Russia, for months, and redirected them automatically to an 
administrative address for manual inspection. All emails were spam with links. 
From the standpoint of the attacker(s), all emails were delivered, but none 
turned into exploits.

Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We 
followed the address to de-list, but gremlin.ru does not exist.

So, if you are successful against Russian spam, you will be ... blacklisted by 
an unknown gremlin.

Re: New type of SPAM aggression

2019-02-06 Thread Rupert Gallagher
The spammers at gremlin.ru have just created a homepage, with no information on 
how to delist an IP.

Their fake dnsbl is listed as genuine in at least two antispam engines.

On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher wrote:

> This is to inform about a new type of SPAM aggression.
>
> We received from Russia, for months, and redirected them automatically to an 
> administrative address for manual inspection. All emails were spam with 
> links. From the standpoint of the attacker(s), all emails were delivered, but 
> none turned into exploits.
>
> Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We 
> followed the address to de-list, but gremlin.ru does not exist.
>
> So, if you are successful against Russian spam, you will be ... blacklisted 
> by an unknown gremlin.

Re: New type of SPAM aggression

2019-02-06 Thread Tom Hendrikx

Hi,

Anyone can start a DNSBL and list IP space of people they don't like, as 
you surely know. As long as no one uses such a DNSBL to block traffic, 
no harm is done.

The interesting part is which "engines" (I guess that you mean antispam 
software or antispam saas providers) think that such a DNSBL should be 
actually used. Can you disclose which parties you found?

Kind regards,

Tom

On 06-02-19 14:40, Rupert Gallagher wrote:
> The spammers at gremlin.ru have just created a homepage, with no
> information on how to delist an IP.
>
> Their fake dnsbl is listed as genuine in at least two antispam engines.
>
> On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher wrote:
>> This is to inform about a new type of SPAM aggression.
>>
>> We received from Russia, for months, and redirected them automatically
>> to an administrative address for manual inspection. All emails were
>> spam with links. From the standpoint of the attacker(s), all emails
>> were delivered, but none turned into exploits.
>>
>> Today, we learned that "gremlin.ru" included our IPs in their DNSBL.
>> We followed the address to de-list, but gremlin.ru does not exist.
>>
>> So, if you are successful against Russian spam, you will be ...
>> blacklisted by an unknown gremlin.

Re: New type of SPAM aggression

2019-02-06 Thread RW
On Wed, 06 Feb 2019 11:55:07 +
Rupert Gallagher wrote:

> This is to inform about a new type of SPAM aggression.
> 
> We received from Russia, for months, and redirected them
> automatically to an administrative address for manual inspection. All
> emails were spam with links. From the standpoint of the attacker(s),
> all emails were delivered, but none turned into exploits.
> 
> Today, we learned that "gremlin.ru" included our IPs in their DNSBL.
> We followed the address to de-list, but gremlin.ru does not exist.
> 
> So, if you are successful against Russian spam, you will be ...
> blacklisted by an unknown gremlin.

You reported some spam and now you are listed in a blocklist, therefore
that list is run by the same spammer. There's no evidence of anything
here aside from a paranoid delusion. 


Re: New type of SPAM aggression

2019-02-06 Thread Paul Stead
Not the first time I’ve heard of gremlin.ru – found this from a mirror of their 
FAQ:

---8<---
A: Surely, you have received a bounce message similar to this:
550 Rejected: 192.168.62.14 is listed at work.drbl.example.net
This is well enough to investigate, who (and ever why) had listed your host. 
First of all, who:
% host -t any 14.62.168.192.work.drbl.example.net
14.62.168.192.work.drbl.example.net has address 127.0.0.2
14.62.168.192.work.drbl.example.net descriptive text "vote.drbl.example@ns.example.net"
Why:
% host -t any 14.62.168.192.vote.drbl.example.net
14.62.168.192.vote.drbl.example.net has address 127.0.0.2
14.62.168.192.vote.drbl.example.net descriptive text "Open SOCKS proxy"
Fix the SOCKS issue - e.g., by setting up NAT - and do one more NS query:
% host -t soa vote.drbl.example.net
vote.drbl.example.net SOA ns.example.net postmaster.example.net (
        1067889002 ;serial (version)
        10800      ;refresh period
        1800       ;retry refresh this often
        604800     ;expiration period
        86400      ;minimum TTL
        )
Now, write to "postmaster AT example DOT net" and ask them to re-test your 
server.

Paul


From: Rupert Gallagher 
Reply-To: Rupert Gallagher 
Date: Wednesday, 6 February 2019 at 11:55
To: SA 
Subject: New type of SPAM aggression

This is to inform about a new type of SPAM aggression.

We received from Russia, for months, and redirected them automatically to an 
administrative address for manual inspection. All emails were spam with links. 
From the standpoint of the attacker(s), all emails were delivered, but none 
turned into exploits.

Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We 
followed the address to de-list, but gremlin.ru does not exist.

So, if you are successful against Russian spam, you will be ... blacklisted by 
an unknown gremlin.


Paul Stead
Senior Engineer
Zen Internet
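
The FAQ procedure quoted in the message above, worked offline as an added example (not part of the original thread and not the DNSBL operator's code): it builds the reversed-octet query name, reads the listing answer and reason from saved `host` output, and turns the SOA RNAME into the contact address. The function names and the sample text are constructed here from the FAQ's example.net values.

```sh
#!/bin/sh
# Added example: offline walk-through of the lookups in the FAQ excerpt.

# Query name for a DNSBL: IPv4 octets reversed, followed by the list's zone.
dnsbl_qname() {
    ip=$1 zone=$2
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Read saved `host` output on stdin; print "<A answer>|<TXT reason>".
# A listed address gets an A record in 127.0.0.0/8; no such record, exit 1.
dnsbl_verdict() {
    awk '
        / has address 127\./ { code = $NF }
        / descriptive text / { sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); txt = $0 }
        END { if (code == "") exit 1; print code "|" txt }
    '
}

# SOA RNAME is a mailbox in DNS form: the first dot stands for "@" (RFC 1035).
soa_contact() {
    rname=${1%.}
    printf '%s@%s\n' "${rname%%.*}" "${rname#*.}"
}

# Constructed sample: the FAQ's "why" answer with its wrapped line rejoined.
SAMPLE='14.62.168.192.vote.drbl.example.net has address 127.0.0.2
14.62.168.192.vote.drbl.example.net descriptive text "Open SOCKS proxy"'

walkthrough() {
    q=$(dnsbl_qname 192.168.62.14 vote.drbl.example.net) || return 1
    v=$(printf '%s\n' "$SAMPLE" | dnsbl_verdict) || return 1
    printf '%s -> %s, contact %s\n' "$q" "$v" "$(soa_contact postmaster.example.net)"
}
walkthrough
```

Against a live list, pipe the real `host -t any` output into `dnsbl_verdict`; an exit status of 1 means the zone returned no 127.0.0.0/8 answer for that address.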


Re: New type of SPAM aggression

2019-02-06 Thread Rupert Gallagher
Search engines on DNSBLs:

multiRBL.valli.org
www.rbls.org

On Wed, Feb 6, 2019 at 15:19, Tom Hendrikx wrote:

> Hi,
>
> Anyone can start a DNSBL and list IP space of people they don't like, as
> you surely know. As long as no one uses such a DNSBL to block traffic,
> no harm is done.
>
> The interesting part is which "engines" (I guess that you mean antispam
> software or antispam saas providers) think that such a DNSBL should be
> actually used. Can you disclose which parties you found?
>
> Kind regards,
>
> Tom
>
> On 06-02-19 14:40, Rupert Gallagher wrote:
>> The spammers at gremlin.ru have just created a homepage, with no
>> information on how to delist an IP.
>>
>> Their fake dnsbl is listed as genuine in at least two antispam engines.
>>
>>
>> On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher wrote:
>>> This is to inform about a new type of SPAM aggression.
>>>
>>> We received from Russia, for months, and redirected them automatically
>>> to an administrative address for manual inspection. All emails were
>>> spam with links. From the standpoint of the attacker(s), all emails
>>> were delivered, but none turned into exploits.
>>>
>>> Today, we learned that "gremlin.ru" included our IPs in their DNSBL.
>>> We followed the address to de-list, but gremlin.ru does not exist.
>>>
>>> So, if you are successful against Russian spam, you will be ...
>>> blacklisted by an unknown gremlin.
>>>
>>
>>

Re: New type of SPAM aggression

2019-02-06 Thread Rupert Gallagher
On Wed, Feb 6, 2019 at 15:42, RW wrote:

> On Wed, 06 Feb 2019 11:55:07 +
> Rupert Gallagher wrote:
>
>> This is to inform about a new type of SPAM aggression.
>>
>> We received from Russia, for months, and redirected them
>> automatically to an administrative address for manual inspection. All
>> emails were spam with links. From the standpoint of the attacker(s),
>> all emails were delivered, but none turned into exploits.
>>
>> Today, we learned that "gremlin.ru" included our IPs in their DNSBL.
>> We followed the address to de-list, but gremlin.ru does not exist.
>>
>> So, if you are successful against Russian spam, you will be ...
>> blacklisted by an unknown gremlin.
>
> You reported some spam and now you are listed in a blocklist, therefore
> that list is run by the same spammer. There's no evidence of anything
> here aside from a paranoid delusion.

No, you idiot! The spammer votes against you on the dnsbl as revenge. The 
fact that the dnsbl itself is suspicious and allows downvotes from arrogant 
spammers just adds up. We do not send spam at all, we never did, and we have 
never ever sent anything to Russia.