Hello everyone,

We (AS12816, LRZ Leibniz Computing Centre Munich, a regional network for scientific and educational entities in the Munich area) have been hit by regular spam runs originating from 80.253.80.0/24 for several months now. This network belongs to

inetnum:        80.253.80.0 - 80.253.80.255
netname:        JEFTEX-NET
descr:          Dedicated Servers New
country:        CH
admin-c:        JIL9-RIPE
tech-c:         NEXL1-RIPE
status:         ASSIGNED PA
mnt-by:         CH-GREEN-MNT
mnt-lower:      CH-GREEN-MNT
mnt-routes:     CH-GREEN-MNT
source:         RIPE # Filtered

role:           Jeftex International Ltd
address:        Petronas Twin Towers
address:        Kuala Lumpur 50088
address:        Malaysia
abuse-mailbox:  [EMAIL PROTECTED]
admin-c:        OS3984-RIPE
tech-c:         OS3984-RIPE
nic-hdl:        JIL9-RIPE
source:         RIPE # Filtered
mnt-by:         NEXLINK-MNT

route:          80.253.80.0/20
descr:          green.ch ag, Brugg, Switzerland
origin:         AS21494
mnt-by:         CH-GREEN-MNT
source:         RIPE # Filtered

The spam runs always look the same: they last for a few hours, with tens of thousands of connects from various addresses in this /24. All mails have the sender set to "<someimportantgermanword><random>@<largegermanmaildomain>". Examples:

postfix/smtpd[21095]: NOQUEUE: reject: RCPT from unknown[80.253.80.19]: 554 5.7.1 <unknown[80.253.80.19]>: Client host rejected: Access denied; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<freenet.de>
postfix/smtpd[21579]: NOQUEUE: reject: RCPT from unknown[80.253.80.23]: 554 5.7.1 <unknown[80.253.80.23]>: Client host rejected: Access denied; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<t-online.de>

and so on. Most recipients are valid. I don't have any message content as this /24 is blocked for good, but it is annoying nevertheless. I've tried to contact [EMAIL PROTECTED] and [EMAIL PROTECTED] without success. I've called them (they referred me to their expensive 0900 hotline and asked me to send a fax) and sent a fax. No response to any of this.

Unfortunately they are not listed on major RBLs yet because most of them seem not to accept submissions but rather rely on their own spamtraps. I've done a survey among the DENOG users and found that while some of the users have no hits at all, other destinations are heavily targeted. Users outside of the German-speaking area don't seem to be affected at all. I'm trying to find a way to submit them to Spamhaus (which we have a paid feed for), but this might take some time.

Is AS21494 known to be irresponsive to abuse complaints? Does anyone know some way to get in contact with them? I'm seriously considering blackholing the whole ASN, but I'm not sure whether this is just a spammer heaven or something important.

Any input is appreciated.

Thanks,
Bernhard

--
Bernhard Schmidt                               Netzplanung / IPv6
Leibniz-Rechenzentrum Muenchen    Leibniz Computing Centre Munich
Boltzmannstr. 1                     D-85748 Garching bei Muenchen
Tel: +49 89 35831-7885         Raum I.2.071        [EMAIL PROTECTED]
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
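
Added example (not part of the original message): a Python script that groups Postfix reject lines of the kind quoted above by source /24 and flags prefixes where several hosts without reverse DNS announce several different HELO names. The function names, thresholds, placeholder mail addresses and the third sample line are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches Postfix smtpd RCPT rejects in the format quoted in the message.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<rdns>[^\[\s]+)\[(?P<ip>[0-9.]+)\]: .*? helo=<(?P<helo>[^>]*)>"
)

def summarize_rejects(lines, prefix_len=24):
    """Aggregate rejected RCPT attempts per source prefix."""
    stats = defaultdict(lambda: {"rejects": 0, "no_rdns": 0, "ips": set(), "helos": set()})
    for line in lines:
        m = REJECT_RE.search(line)
        if m is None:
            continue  # not a reject line in the expected format
        try:
            net = ipaddress.ip_network(f"{m['ip']}/{prefix_len}", strict=False)
        except ValueError:
            continue  # malformed address in the log line
        entry = stats[str(net)]
        entry["rejects"] += 1
        entry["ips"].add(m["ip"])
        entry["helos"].add(m["helo"].lower())
        if m["rdns"] == "unknown":  # Postfix could not resolve/verify the client name
            entry["no_rdns"] += 1
    return dict(stats)

def suspicious_prefixes(stats, min_ips=2, min_helos=2):
    """Prefixes where only rDNS-less hosts connect and HELO names vary.
    Thresholds are illustrative and sized for the sample; raise them for real logs."""
    return sorted(
        net for net, s in stats.items()
        if s["no_rdns"] == s["rejects"]
        and len(s["ips"]) >= min_ips and len(s["helos"]) >= min_helos
    )

# Constructed sample input modelled on the quoted log lines.
_LINE = ("postfix/smtpd[{pid}]: NOQUEUE: reject: RCPT from {rdns}[{ip}]: 554 5.7.1 "
         "<{rdns}[{ip}]>: Client host rejected: Access denied; "
         "from=<a@sender.invalid> to=<b@rcpt.invalid> proto=SMTP helo=<{helo}>")
SAMPLE_LOG = [
    _LINE.format(pid=21095, rdns="unknown", ip="80.253.80.19", helo="freenet.de"),
    _LINE.format(pid=21579, rdns="unknown", ip="80.253.80.23", helo="t-online.de"),
    _LINE.format(pid=21580, rdns="unknown", ip="80.253.80.19", helo="freenet.de"),
    _LINE.format(pid=21600, rdns="mail.example.org", ip="198.51.100.7", helo="mail.example.org"),
]

if __name__ == "__main__":
    print(suspicious_prefixes(summarize_rejects(SAMPLE_LOG)))
```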
