Discussion:
SPF? DKIM? spammers can do them too
Ivan Shmakov
2016-10-04 16:12:21 UTC
To put it short, for about a month, I see a new kind of spam
coming to (strangely) just one of my (many) mailboxes. This one
has DKIM-Signature: (and DomainKey-Signature:) headers in place,
comes from domains with SPF and MX DNS records properly set up,
and, overall, apart from its "unsolicited nature," looks just
like legitimate email. (IPs and MAIL FROM: data shown below.)

There're some characteristics common to all these messages,
however, hinting at possible "common origin" (be it person,
organization, or specific software used.) For instance:

* all the Message-ID: headers follow the same [0-9A-F]{32}@HOST
pattern;

* the domains are all under the "ru" ccTLD, and all registered
via NETHOUSE-RU; also, most were created February or March
this year, but some (r-vl.ru, sarvtb.ru, sm-1.ru,
taxi-five.ru) are just a few days old, created on 2016-10-01;

* all the IPs the messages come from belong to MAROSNET.

I sent a letter last week reporting the issue to abuse at
marosnet dot ru (per the Whois data), but have yet to see any
response.

Meanwhile, I've configured the firewall to drop any traffic from
the addresses in question (but also log incoming TCP "SYN"
connection attempt packets.)

For those interested, the IPs and MAIL FROM: data is as follows
(per ISO week.)

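$ gawk '# Keep only log lines whose Message-ID matches the common pattern.
    ! /\sid=[0-9A-Z]{32}@/ { next; }
    1 {
        # Turn the log timestamp ($1 date, $2 time) into an ISO week key.
        cmd = "date +%GW%V --date=" $1 "T" $2;
        cmd | getline key;
        close(cmd);  # release the pipe, else one stays open per timestamp
        # $5 and $7: the MAIL FROM address and the bracketed sender IP.
        save[key] = save[key] "\t" $5 " " $7 "\n";
    }
    END {
        # Newest week first.
        PROCINFO["sorted_in"] = "@ind_str_desc";
        for (key in save) { print key "\t" save[key]; }
    }' /var/log/exim...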
--
FSF associate member #7257 58F8 0F47 53F5 2EB2 F6A5 8916 3013 B6A0 230E 334A
David Ritz
2016-10-06 00:29:15 UTC
[ news.admin.net-abuse.email added to cross-post ]
[ alt.spam stripped as group only sees spam, spam, spam and more spam ]
[ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie) ]
[ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz> ]
[ posted and mailed ]

On Tuesday, 04 October 2016 16:12 -0000,
Post by Ivan Shmakov
To put it short, for about a month, I see a new kind of spam
coming to (strangely) just one of my (many) mailboxes. This one
has DKIM-Signature: (and DomainKey-Signature:) headers in place,
comes from domains with SPF and MX DNS records properly set up,
and, overall, apart from its "unsolicited nature," looks just
like legitimate email. (IPs and MAIL FROM: data shown below.)
Neither SPF nor DKIM say anything about whether mail is unsolicited
and bulk. These are forgery abatement measures. The only things
which might be determined from SPF and DKIM is whether or not mail
originated via a sender allowed host; nothing more, nothing less.
Post by Ivan Shmakov
There're some characteristics common to all these messages,
however, hinting at possible "common origin" (be it person,
pattern;
* the domains are all under the "ru" ccTLD, and all registered
via NETHOUSE-RU; also, most were created February or March
this year, but some (r-vl.ru, sarvtb.ru, sm-1.ru,
taxi-five.ru) are just a few days old, created on 2016-10-01;
* all the IPs the messages come from belong to MAROSNET.
I've sent a letter last week reporting the issue to abuse at
marosnet dot ru (per the Whois data), but yet to see any
response.
Meanwhile, I've configured the firewall to drop any traffic from
the addresses in question (but also log incoming TCP "SYN"
connection attempt packets.)
For those interested, the IPs and MAIL FROM: data is as follows
(per ISO week.)
1 {
"date +%GW%V --date=" $1 "T" $2 | getline key;
save[key] = save[key] "\t" $5 " " $7 "\n";
}
END {
for (key in save) { print key "\t" save[key]; }
}' /var/log/exim...
Of those hosts I checked, which still resolve, most are listed by the
psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
smattering of SBLCSS (snowshoe) and Spamcop listings. All indicate
the IP addresses you list are spam sources, where SPF and DKIM say
that the sending domain is authorized to send via these spammer
controlled, dirty IP addresses.

--
David Ritz <***@mindspring.com>
Be kind to animals; kiss a shark.
Ivan Shmakov
2016-10-07 16:55:09 UTC
[Be warned of a few off-topic bits below.]
[ news.admin.net-abuse.email added to cross-post ]
[ alt.spam stripped as group only sees spam, spam, spam and more spam ]
While I understand the evil of sending spam to a high S/N ratio
group, the above seems to suggest there's something wrong with
doing it the other way around. Which is especially strange
given that (a) n.a.n.email's own S/N doesn't seem all that high,
and (b) alt.spam occasionally sees a legitimate message, too
(say, news:***@4ax.com.)

(... And also (c) apparently, Aioe blocks crossposts to n.a.n.e;
presumably due to ongoing abuse?)
[ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie) ]
[ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz> ]
FTP is pretty much obsolete. For one thing, requiring two
TCP connections per "session" means trouble passing them through
Tor, NAT, SOCKS, etc. And having three separate transfer modes
(at the least) doesn't help interoperability, either.

That said, the same resource is available via HTTP, too:

http://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz
[ posted and mailed ]
Why?
To put it short, for about a month, I see a new kind of spam coming
to (strangely) just one of my (many) mailboxes. This one has
DKIM-Signature: (and DomainKey-Signature:) headers in place, comes
from domains with SPF and MX DNS records properly set up, and,
overall, apart from its "unsolicited nature," looks just like
legitimate email. (IPs and MAIL FROM: data shown below.)
Neither SPF nor DKIM say anything about whether mail is unsolicited
and bulk. These are forgery abatement measures. The only things
which might be determined from SPF and DKIM is whether or not mail
originated via a sender allowed host; nothing more, nothing less.
Yes. Still, both somehow get advertised as "counter-spam"
measures.

Not that they fail to work that way: my logs have some
occurrences of the SPF check yielding a "negative" result, thus
allowing to reject the incoming message outright. Looks like a
must for the DNS domains not meant to be used for email at all.

That said, being able to confirm that the message indeed comes
from a genuine spam-only domain doesn't seem all that helpful.

[...]
Of those hosts I checked, which still resolve, most are listed by the
psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
smattering of SBLCSS (snowshoe) and Spamcop listings. All indicate
the IP addresses you list are spam sources,
ACK, thanks for the pointers.
where SPF and DKIM say that the sending domain is authorized to send
via these spammer controlled, dirty IP addresses.
... For those interested, here's an update for this week.


FWIW, I hope that whatever software they use to distribute spam
is /not/ parallelized. That way, the failure of my MTA to
produce any TCP response whatsoever (thanks to the plain -j DROP
in the iptables' INPUT chain) would result in at least some 30 s
delay (that is: their TCP connection timeout) before the next
address in the list is tried.
--
FSF associate member #7257 58F8 0F47 53F5 2EB2 F6A5 8916 3013 B6A0 230E 334A
David Ritz
2016-10-08 01:29:13 UTC
On Friday, 07 October 2016 16:55 -0000,
Post by Ivan Shmakov
[Be warned of a few off-topic bits below.]
[ news.admin.net-abuse.email added to cross-post ]
[ alt.spam stripped as group only sees spam, spam, spam and more spam ]
While I understand the evil of sending spam to a high S/N ratio
group, the above seems to suggest there's something wrong with
doing it the other way around. Which is especially strange given
that (a) n.a.n.email's own S/N doesn't seem all that high, and (b)
See <news:***@mako.ath.cx>
(<http://al.howardknight.net/msgid.cgi?ID=147588564000>).

Per my recollection, that makes two (2) legitimate posts to alt.spam,
within the past four to five years.
Post by Ivan Shmakov
(... And also (c) apparently, Aioe blocks crossposts to n.a.n.e;
presumably due to ongoing abuse?)
Paolo has his hands full, in running an open NNTP server, while
attempting to minimize actual net-abuse. Disallowing cross-posts to
certain groups is one option to which he may turn.
Post by Ivan Shmakov
[ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie) ]
[ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz> ]
FTP is pretty much obsolete. For one thing, requiring two
TCP connections per "session" means trouble passing them through
Tor, NAT, SOCKS, etc. And having three separate transfer modes
(at the least) doesn't help interoperability, either.
http://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz
Thanks, I've updated lynx_bookmarks.html accordingly.
Post by Ivan Shmakov
[ posted and mailed ]
Why?
You're the one posting to (d) a bogus newsgroup
(alt.spam.sightings[*]), which has seen a total of eighty two (82)
posts, since it was created with a bogus cmsg message, from an
habitual network abuser, nearly eight (8) years ago; (e) alt.spam, a
newsgroup in which posters use Usenet as a write only medium, in which
one is lucky to find anything even close to topical more than once a
decade; and (f) comp.mail.misc, which is a group with so little
traffic, I wanted to make sure you at least saw my response. Within
the past year or so, most posts to comp.mail.misc are Italian mission
spam.
Post by Ivan Shmakov
Post by Ivan Shmakov
To put it short, for about a month, I see a new kind of spam
coming to (strangely) just one of my (many) mailboxes. This one
has DKIM-Signature: (and DomainKey-Signature:) headers in place,
comes from domains with SPF and MX DNS records properly set up,
and, overall, apart from its "unsolicited nature," looks just like
legitimate email. (IPs and MAIL FROM: data shown below.)
Neither SPF nor DKIM say anything about whether mail is unsolicited
and bulk. These are forgery abatement measures. The only things
which might be determined from SPF and DKIM is whether or not mail
originated via a sender allowed host; nothing more, nothing less.
Yes. Still, both somehow get advertised as "counter-spam"
measures.
To the best of my knowledge, both SPF and DKIM counter spam which uses
forged sender information. It has no effect on anything else.

See <https://wordtothewise.com/?s=SPF>
<https://wordtothewise.com/?s=DKIM>
<https://wordtothewise.com/?s=DMARC>
Post by Ivan Shmakov
Not that they fail to work that way: my logs have some occurrences
of the SPF check yielding a "negative" result, thus allowing to
reject the incoming message outright. Looks like a must for the
DNS domains not meant to be used for email at all.
That said, being able to confirm that the message indeed comes
from a genuine spam-only domain doesn't seem all that helpful.
That said, being able to confirm that the message comes from IP
addresses which are sending spam, using an unlimited number of domain
names, may be highly useful. That is where DNSbls come into play.
Post by Ivan Shmakov
[...]
Of those hosts I checked, which still resolve, most are listed by the
psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
smattering of SBLCSS (snowshoe) and Spamcop listings. All indicate
the IP addresses you list are spam sources,
ACK, thanks for the pointers.
where SPF and DKIM say that the sending domain is authorized to send
via these spammer controlled, dirty IP addresses.
... For those interested, here's an update for this week.
Post by Ivan Shmakov
FWIW, I hope that whatever software they use to distribute spam
is /not/ parallelized. That way, the failure of my MTA to
produce any TCP response whatsoever (thanks to the plain -j DROP
in the iptables' INPUT chain) would result in at least some 30 s
delay (that is: their TCP connection timeout) before the next
address in the list is tried.
HTH.

[*] alt.spam.sightings is not on the active lists of four out of the
six NNTP services to which I subscribe, suggesting that it appears only
on servers running largely on autopilot.

--
David Ritz <***@mindspring.com>
Be kind to animals; kiss a shark.
David Ritz
2016-10-08 01:53:10 UTC
On Tuesday, 04 October 2016 16:12 -0000,
in article <***@violet.siamics.net>,
Ivan Shmakov <***@siamics.net> wrote:

[...]
[...]
[...]
[...]
[...]
[...]

Ivan,

I stripped out the domain names and sorted by unique IP addresses. By
looking at the source IPs, one begins to see clearer patterns.

85.93.145.29
route: 85.93.144.0/20
descr: SPACENET-RU-144-20
origin: AS34300

94.142.141.60
route: 94.142.136.0/21
descr: MAROSNET Telecommunication Company Network
origin: AS48666

185.5.248.60
route: 185.5.248.0/22
descr: MAROSNET Telecommunication Company Network
origin: AS48666

185.58.205.96
route: 185.58.204.0/22
descr: MAROSNET Telecommunication Company Network
origin: AS48666

185.58.206.76
185.58.206.163
185.58.206.232
route: 185.58.204.0/22
descr: MAROSNET Telecommunication Company Network
origin: AS48666

185.87.48.131
185.87.48.186
route: 185.87.48.0/22
descr: MAROSNET Telecommunication Company Network
origin: AS48666

193.124.176.209
route: 193.124.176.0/20
descr: MAROSNET Telecommunication Company Network
origin: AS48666

193.124.186.253
193.124.189.172
193.124.189.192
193.124.190.134
193.124.191.224
route: 193.124.176.0/20
descr: MAROSNET Telecommunication Company Network
origin: AS48666

194.67.208.7
194.67.208.8
194.67.208.50
194.67.208.60
194.67.208.101
194.67.208.143
194.67.208.216
194.67.208.219
194.67.208.220
194.67.208.224
194.67.208.232
194.67.208.249
194.67.209.7
194.67.209.56
194.67.209.151
194.67.210.2
194.67.210.18
194.67.210.159
194.67.210.222
194.67.211.17
route: 194.67.208.0/20
descr: MAROSNET Telecommunication Company Network
origin: AS48666

My observations suggest that MAROSNET Telecommunication Company
Network is running some large scale snowshoe spam hosting services.

--
David Ritz <***@mindspring.com>
Be kind to animals; kiss a shark.
David Ritz
2016-10-08 02:09:25 UTC
On Friday, 07 October 2016 20:53 -0500,
Post by David Ritz
Ivan,
I stripped out the domain names and sorted by unique IP addresses. By
looking at the source IPs, one begins to see clearer patterns.
85.93.145.29
route: 85.93.144.0/20
descr: SPACENET-RU-144-20
origin: AS34300
94.142.141.60
route: 94.142.136.0/21
descr: MAROSNET Telecommunication Company Network
origin: AS48666
[...]
Post by David Ritz
route: 194.67.208.0/20
descr: MAROSNET Telecommunication Company Network
origin: AS48666
My observations suggest that MAROSNET Telecommunication Company
Network is running some large scale snowshoe spam hosting services.
$ route-leecher.pl 48666
# Randomly selected router route-server.exodus.net
# router route-server.exodus.net not responding, retrying with router route-server.gblx.net
# Using router route-server.gblx.net
# Logging into router route-server.gblx.net
# using command: sh ip bg reg ^.*_48666_.*$
# Routes transiting through or originating from AS 48666 :

31.148.99.0/24 from AS: 48666 (upstreams: 12389 9002),
91.202.232.0/22 from AS: 48666 (upstreams: 12389 9002),
93.170.123.0/24 from AS: 48666 (upstreams: 12389 9002),
94.142.136.0/24 from AS: 48666 (upstreams: 12389 9002),
94.142.136.0/21 from AS: 48666 (upstreams: 12389 9002),
94.142.137.0/24 from AS: 48666 (upstreams: 12389 9002),
94.142.143.0/24 from AS: 48666 (upstreams: 12389 9002),
95.46.114.0/24 from AS: 48666 (upstreams: 12389 9002),
154.16.205.0/24 from AS: 48666 (upstreams: 9002 20485),
185.5.248.0/22 from AS: 48666 (upstreams: 12389 9002),
185.58.204.0/22 from AS: 48666 (upstreams: 12389 9002),
185.87.48.0/22 from AS: 48666 (upstreams: 12389 9002),
185.117.152.0/22 from AS: 48666 (upstreams: 12389 9002),
185.125.216.0/22 from AS: 48666 (upstreams: 12389 9002),
185.125.228.0/22 from AS: 48666 (upstreams: 12389 9002),
193.106.96.0/22 from AS: 48666 (upstreams: 12389 9002),
193.124.176.0/20 from AS: 48666 (upstreams: 12389 9002),
194.67.192.0/23 from AS: 48666 (upstreams: 12389 9002),
194.67.194.0/24 from AS: 48666 (upstreams: 12389 9002),
194.67.196.0/22 from AS: 48666 (upstreams: 12389 9002),
194.67.200.0/21 from AS: 48666 (upstreams: 12389 9002),
194.67.208.0/20 from AS: 48666 (upstreams: 12389 9002),


----------end of routes for AS 48666 -----------

$ whois -h whois.radb.net AS48666
aut-num: AS48666
as-name: AS-MAROSNET
descr: Moscow, Russia
org: ORG-MTCL1-RIPE
remarks:
remarks: ------------------------------------
remarks: MAROSNET Routing Policy
remarks: ------------------------------------
remarks:
remarks: TTK
import: from AS20485 action pref=100; accept ANY
export: to AS20485 announce AS-MAROSNET
mp-import: afi ipv6.unicast from AS20485 action pref=100; accept
ANY
mp-export: afi ipv6.unicast to AS20485 announce AS-MAROSNET
remarks:
remarks: RETN
import: from AS9002 action pref=100; accept ANY
export: to AS9002 announce AS-MAROSNET
mp-import: afi ipv6.unicast from AS9002 action pref=100; accept
ANY
mp-export: afi ipv6.unicast to AS9002 announce AS-MAROSNET
remarks:
remarks: MSK-IX
import: from AS8631 action pref=100; accept ANY
export: to AS8631 announce AS-MAROSNET
mp-import: afi ipv6.unicast from AS8631 action pref=100; accept
ANY
mp-export: afi ipv6.unicast to AS8631 announce AS-MAROSNET
remarks:
remarks: DATA-IX
import: from AS50952 action pref=100; accept ANY
export: to AS50952 announce AS-MAROSNET
mp-import: afi ipv6.unicast from AS50952 action pref=100; accept
ANY
mp-export: afi ipv6.unicast to AS50952 announce AS-MAROSNET
remarks:
remarks: CLOUD-IX
import: from AS29076 action pref=100; accept ANY
export: to AS29076 announce AS-MAROSNET
mp-import: afi ipv6.unicast from AS29076 action pref=100; accept
ANY
mp-export: afi ipv6.unicast to AS29076 announce AS-MAROSNET
remarks:
remarks: W-IX
import: from AS50384 action pref=100; accept ANY
export: to AS50384 announce AS-MAROSNET
mp-import: afi ipv6.unicast from AS50384 action pref=100; accept
ANY
mp-export: afi ipv6.unicast to AS50384 announce AS-MAROSNET
remarks:
remarks: ROSTELECOM
import: from AS12389 action pref=100; accept ANY
export: to AS50384 announce AS-MAROSNET
mp-import: afi ipv6.unicast from AS12389 action pref=100; accept
ANY
mp-export: afi ipv6.unicast to AS12389 announce AS-MAROSNET

--
David Ritz <***@mindspring.com>
Be kind to animals; kiss a shark.
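Added example (not code from either poster): the by-hand grouping in the two posts above, sender IPs sorted under the prefixes AS48666 announces, done with a longest-prefix match so that many low-volume senders in one block stand out. The prefixes and addresses are copied from the thread; the set name `spam-nets`, the `min_hosts` threshold and the `ipset restore` output format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Prefixes originated by AS48666, copied from the route listing above.
ANNOUNCED = [
    "94.142.136.0/24", "94.142.136.0/21", "185.5.248.0/22", "185.58.204.0/22",
    "185.87.48.0/22", "185.117.152.0/22", "185.125.216.0/22",
    "193.124.176.0/20", "194.67.196.0/22", "194.67.208.0/20",
]

# A few sender IPs from the thread. One is repeated on purpose, and
# 85.93.145.29 sits in a different network (SPACENET, AS34300).
SENDERS = [
    "185.58.205.96", "185.58.206.76", "185.58.206.163", "185.58.206.232",
    "193.124.176.209", "193.124.190.134",
    "194.67.208.8", "[194.67.208.143]", "194.67.208.143",
    "94.142.141.60", "85.93.145.29",
]


def longest_match(addr, table):
    """Most specific announced network containing addr, or None."""
    hits = [net for net in table if net.version == addr.version and addr in net]
    return max(hits, key=lambda net: net.prefixlen, default=None)


def group_by_prefix(sender_ips, announced):
    """Map each announced prefix to the set of distinct senders inside it."""
    table = [ipaddress.ip_network(p) for p in announced]
    hosts, unrouted = defaultdict(set), set()
    for raw in sender_ips:
        # Mail logs often print the peer as [a.b.c.d]; accept both forms.
        addr = ipaddress.ip_address(raw.strip("[]"))
        net = longest_match(addr, table)
        if net is None:
            unrouted.add(addr)      # not in this AS: needs its own lookup
        else:
            hosts[net].add(addr)
    return dict(hosts), unrouted


def block_candidates(hosts, min_hosts=2):
    """Prefixes with at least min_hosts distinct senders, overlaps merged.

    Snowshoe senders keep per-IP volume low, so the signal is the number
    of distinct addresses per prefix, not messages per address.
    """
    picked = [net for net, addrs in hosts.items() if len(addrs) >= min_hosts]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        merged += ipaddress.collapse_addresses(
            net for net in picked if net.version == version)
    return merged


def ipset_restore(networks, setname="spam-nets"):
    """Render IPv4 prefixes as input for `ipset restore` (assumed firewall)."""
    lines = [f"create {setname} hash:net family inet"]
    lines += [f"add {setname} {net}" for net in networks if net.version == 4]
    return "\n".join(lines)


if __name__ == "__main__":
    hosts, unrouted = group_by_prefix(SENDERS, ANNOUNCED)
    for net in sorted(hosts):
        print(f"{net}\t{len(hosts[net])} distinct sender(s)")
    print("outside the announced table:", sorted(map(str, unrouted)))
    print(ipset_restore(block_candidates(hosts)))
```

Prefixes with a single observed sender stay out of the block list at the default threshold, which keeps one stray hit from blocking a whole /21.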
Ivan Shmakov
2016-10-14 17:50:28 UTC
[...]
Post by David Ritz
I stripped out the domain names and sorted by unique IP addresses.
By looking at the source IPs, one begins to see clearer patterns.
[...]
Post by David Ritz
route: 194.67.208.0/20
descr: MAROSNET Telecommunication Company Network
origin: AS48666
Yes. That was the reason I've tried to contact their abuse@
department earlier.
Post by David Ritz
My observations suggest that MAROSNET Telecommunication Company
Network is running some large scale snowshoe spam hosting services.
Given the sheer number of IPs, and also that my prior email
resulted in no response, that doesn't sound all that unlikely.

Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20
about last Saturday, and now added 185.125.216.0/22,
185.87.48.0/22, 193.124.176.0/20 and 194.67.196.0/22, too, to my
ipset(8) configuration.

As for the blacklists, I should note that I actually refer to
several in my MTA configuration, although they're used strictly
to decide whether to use graylisting or not. And indeed, some
of this spam I receive matches the DNSbls I employ, but then
ends up passing the "graylist" test successfully. (Thus
suggesting the use of a "full-weight" MTA at the remote; which,
hopefully, means some cycles are wasted trying to connect to
my firewalled MX.)

On the other hand, some of the messages come from the addresses
/not/ yet blacklisted at the time of delivery. Perhaps the
chances could be improved by querying more blacklists for the
sender IP, though.

Once again, there's the data for the past two weeks.

--
FSF associate member #7257 58F8 0F47 53F5 2EB2 F6A5 8916 3013 B6A0 230E 334A
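Added example (not code from the post above): how a DNSBL lookup for a sender IP works and how its answers can feed the graylist-or-accept decision described in the post. The stub answers and `bl.example` are constructed, the function names are hypothetical, and the handling of 127.255.255.x as an error signal reflects what some lists (Spamhaus among them) return for refused or malformed queries.

```python
import ipaddress
import socket

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")     # normal DNSBL answers
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")  # "query refused" style codes


def dnsbl_qname(ip, zone):
    """Build the DNS name to query: reversed octets (or nibbles) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def system_resolver(qname):
    """A records for qname; [] on NXDOMAIN or any lookup failure (fails open)."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


def classify(answers):
    """Turn raw A records into clean / listed / error / bogus."""
    codes = [ipaddress.ip_address(a) for a in answers]
    if not codes:
        return "clean"
    if any(code in ERROR_RANGE for code in codes):
        return "error"   # the list refused the query; says nothing about the IP
    if all(code in LISTING_RANGE for code in codes):
        return "listed"
    return "bogus"       # public address returned: wildcarded or hijacked zone


def check(ip, zones, resolve=system_resolver):
    """Query every zone for ip and return {zone: verdict}."""
    return {zone: classify(resolve(dnsbl_qname(ip, zone))) for zone in zones}


def policy(results):
    """Policy from the post: a listing selects graylisting, not rejection."""
    return "graylist" if "listed" in results.values() else "accept"


# Constructed answers for documentation-range addresses; not real listings.
SAMPLE_ANSWERS = {
    "25.2.0.192.dnsbl-1.uceprotect.net": ["127.0.0.2"],
    "25.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
    "25.2.0.192.bl.example": ["203.0.113.80"],
    "26.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}
ZONES = ["dnsbl-1.uceprotect.net", "zen.spamhaus.org",
         "psbl.surriel.com", "bl.example"]


def sample_resolver(qname):
    """Offline stand-in for system_resolver, backed by SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(qname, [])


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26"):
        results = check(ip, ZONES, resolve=sample_resolver)
        print(ip, results, "->", policy(results))
```

Adding more zones raises coverage for addresses not yet listed anywhere, but only verdicts of `listed` should count; an `error` or `bogus` answer from one zone would otherwise graylist every sender.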
David Ritz
2016-10-14 20:21:58 UTC
On Friday, 14 October 2016 17:50 -0000,
Post by Ivan Shmakov
[...]
Post by David Ritz
I stripped out the domain names and sorted by unique IP addresses.
By looking at the source IPs, one begins to see clearer patterns.
[...]
Post by David Ritz
route: 194.67.208.0/20
descr: MAROSNET Telecommunication Company Network
origin: AS48666
department earlier.
Post by David Ritz
My observations suggest that MAROSNET Telecommunication Company
Network is running some large scale snowshoe spam hosting services.
Given the sheer number of IPs, and also that my prior email
resulted in no response, that doesn't sound all that unlikely.
There was a reason I included all of the upstream routes announcing
AS48666: AS9002, AS12389 and AS20485. Directing your complaints
upstream, for recalcitrant spam-hosts, is a fairly common and
sometimes useful technique.

$ whois -h whois.ripe.net -- -B\ AS9002 | grep -i abuse
% Abuse contact for 'AS9002' is '***@retn.net'
remarks: SPAM and security issues abuse at retn.net
abuse-c: RCD1-RIPE
remarks: trouble: SPAM and Network security issues: ***@retn.net
abuse-mailbox: ***@retn.net

$ whois -h whois.ripe.net -- -B\ AS12389 | grep -i abuse
% Abuse contact for 'AS12389' is '***@rt.ru'
abuse-c: RTNC-RIPE
abuse-mailbox: ***@rt.ru
abuse-mailbox: ***@rt.ru

$ whois -h whois.ripe.net -- -B\ AS20485 | grep -i abuse
% Abuse contact for 'AS20485' is '***@ttk.ru'
abuse-c: KTTK-RIPE
remarks: Spam & Abuse: ***@ttk.ru
remarks: Please use ***@ttk.ru e-mail address
remarks: for spam and abuse complaints.
Post by Ivan Shmakov
Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20
about last Saturday, and now added 185.125.216.0/22,
185.87.48.0/22, 193.124.176.0/20 and 194.67.196.0/22, too, to my
ipset(8) configuration.
As for the blacklists, I should note that I actually refer to
several in my MTA configuration, although they're used strictly to
decide whether to use graylisting or not. And indeed, some of
this spam I receive matches the DNSbls I employ, but then ends up
passing the "graylist" test successfully. (Thus suggesting the
use of a "full-weight" MTA at the remote; which, hopefully,
means some cycles are wasted trying to connect to my firewalled
MX.)
I don't know whether you're using UCEProtect among your DNSbls.
History suggests their level one (1) listings accurately list spam
sources, with a particular emphasis on spam hitting European
locations. dnsbl-1.uceprotect.net may be a useful addition for your
purposes. dnsbl-2.uceprotect.net makes a statement about the immediate
net-neighborhood. dnsbl-3.uceprotect.net makes yet broader
statements.
Post by Ivan Shmakov
On the other hand, some of the messages come from the addresses
/not/ yet blacklisted at the time of delivery. Perhaps the
chances could be improved by querying more blacklists for the
sender IP, though.
Once again, there's the data for the past two weeks.
Thanks, Ivan.
# Routes transiting through or originating from AS 48666 :


--
David Ritz <***@mindspring.com>
Be kind to animals; kiss a shark.
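
An added example, not part of the original posts: checking one sender IP against the three UCEProtect zones named above. The function names are hypothetical, `dig` is assumed to be installed, and counting only answers in 127.0.0.0/8 as listings follows the usual DNSBL convention (RFC 5782).

```shell
# Added example: check one sender IP against the UCEProtect zones named in
# the post. Zone names come from the post; function names are illustrative.
ZONES="dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net dnsbl-3.uceprotect.net"

# 192.0.2.7 + zone -> 7.2.0.192.zone (octets reversed, zone appended).
dnsbl_qname() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1 "$2"; IFS=$oldifs
    [ $# -eq 5 ] && [ -n "$5" ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    echo "$4.$3.$2.$1.$5"
}

# Interpret the resolver output for a DNSBL query (one answer per line).
# Empty output means not listed. Only an A record in 127.0.0.0/8 counts as
# a listing; anything else (rewritten NXDOMAIN, timeout text) is ignored.
dnsbl_verdict() {
    [ -n "$1" ] || { echo clean; return; }
    if printf '%s\n' "$1" | grep -Eq '^127\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo listed
    else
        echo ignored
    fi
}

# Live lookup (needs network access and dig); prints "zone verdict" per zone.
dnsbl_check() {
    command -v dig >/dev/null || return 2
    for z in $ZONES; do
        q=$(dnsbl_qname "$1" "$z") || return 1
        echo "$z $(dnsbl_verdict "$(dig +short A "$q")")"
    done
}
```

Call `dnsbl_check` with a sender address taken from the MTA log; a "listed" result from the level-2 or level-3 zone speaks about the surrounding network rather than the single host, as the post notes.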
Ivan Shmakov
2016-10-19 15:35:54 UTC
[...]
Post by David Ritz
Post by David Ritz
My observations suggest that MAROSNET Telecommunication Company
Network is running some large scale snowshoe spam hosting services.
Given the sheer number of IPs, and also that my prior email resulted
in no response, that doesn't sound all that unlikely.
There was a reason I included all of the upstream routes announcing
AS48666: AS9002, AS12389 and AS20485. Directing your complaints
upstream, for recalcitrant spam-hosts, is a fairly common and
sometimes useful technique.
ACK, thanks.

(Hope that showing all the IPs there that ended up being in some
well-known DNSbls will help.)

[...]
Post by David Ritz
Thus, I've ended up blocking 185.58.204.0/22, 193.124.176.0/20 about
last Saturday, and now added 185.125.216.0/22, 185.87.48.0/22,
193.124.176.0/20 and 194.67.196.0/22, too, to my ipset(8)
configuration.
I've decided that -j DROP for whole networks may be a tad too
severe a measure, and introduced a separate -j REJECT blacklist
for that purpose instead, like:

## ipset create dropemall hash:ip timeout $((0x100000))
## ipset create rejectnet hash:net timeout $((0x400000))
-A INPUT -m set --match-set dropemall src -j DROPEMALL
-A INPUT -m set --match-set rejectnet src -j REJECTNET
-A DROPEMALL -m limit --limit 13/min -j LOG
-A DROPEMALL -j DROP
-A REJECTNET -m limit --limit 13/min -j LOG
-A REJECTNET -j REJECT --reject-with icmp-admin-prohibited
## And similarly for ip6tables(8), with icmp6-adm-prohibited
Post by David Ritz
As for the blacklists, I should note that I actually refer to
several in my MTA configuration, although they're used strictly to
decide whether to use graylisting or not. And indeed, some of this
spam I receive matches the DNSbls I employ, but then ends up passing
the "graylist" test successfully. (Thus suggesting the use of a
"full-weight" MTA at the remote; which, hopefully, means some
cycles are wasted trying to connect to my firewalled MX.)
I don't know whether you're using UCEProtect among your DNSbls.
History suggests their level one (1) listings accurately list spam
sources, with a particular emphasis on spam hitting European
locations. dnsbl-1.uceprotect.net may be a useful addition for your
purposes. dnsbl-2.uceprotect.net makes a statement about the
immediate net-neighborhood. dnsbl-3.uceprotect.net makes yet broader
statements.
ACK, thanks; will try them later.

[...]
Post by David Ritz
31.148.99.0/24 from AS: 48666 (upstreams: 12389 9002),
91.202.232.0/22 from AS: 48666 (upstreams: 12389 9002),
93.170.123.0/24 from AS: 48666 (upstreams: 12389 9002),
94.142.136.0/24 from AS: 48666 (upstreams: 12389 9002),
94.142.136.0/21 from AS: 48666 (upstreams: 12389 9002),
94.142.137.0/24 from AS: 48666 (upstreams: 12389 9002),
94.142.143.0/24 from AS: 48666 (upstreams: 12389 9002),
95.46.114.0/24 from AS: 48666 (upstreams: 12389 9002),
154.16.205.0/24 from AS: 48666 (upstreams: 9002 20485),
All the unwanted mail I saw before came from the 13 networks
Post by David Ritz
185.5.248.0/22 from AS: 48666 (upstreams: 12389 9002),
185.58.204.0/22 from AS: 48666 (upstreams: 12389 9002),
185.87.48.0/22 from AS: 48666 (upstreams: 12389 9002),
185.117.152.0/22 from AS: 48666 (upstreams: 12389 9002),
185.125.216.0/22 from AS: 48666 (upstreams: 12389 9002),
185.125.228.0/22 from AS: 48666 (upstreams: 12389 9002),
... except for this one above, which seems to be home to two of
MAROSNET's own three MXes:

mail.marosnet.ru. IN A 94.142.136.5
mx1.marosnet.ru. IN A 185.125.229.7
mx2.marosnet.ru. IN A 185.125.229.19
Post by David Ritz
193.106.96.0/22 from AS: 48666 (upstreams: 12389 9002),
193.124.176.0/20 from AS: 48666 (upstreams: 12389 9002),
194.67.192.0/23 from AS: 48666 (upstreams: 12389 9002),
194.67.194.0/24 from AS: 48666 (upstreams: 12389 9002),
194.67.196.0/22 from AS: 48666 (upstreams: 12389 9002),
194.67.200.0/21 from AS: 48666 (upstreams: 12389 9002),
194.67.208.0/20 from AS: 48666 (upstreams: 12389 9002),
... So far, only a single message got through the filter
(one from 94.142.140.44, ***@vector2000.ru), and the
following IPs (which I've happily added to the 'dropemall'
ipset(8) list where missing) have shown up in kern.log:

185.117.153.120 basf-rus.ru.
185.117.154.30 kogorta-k.ru.
185.125.216.210 goward.ru.
185.87.51.68 rti-travel.ru.
193.124.176.209 kaminfo.ru.
193.124.180.126 artel-site.ru.
193.124.180.206 gtp-ufa.ru.
193.124.181.229 nordmor.ru.
193.124.182.45 mpeg-imx.ru.
193.124.183.150 agcher.ru.
193.124.184.229 whdent.ru.
193.124.186.205 google.com. 2016-10-16 22:33:39 UTC
193.124.189.173 ostankinomedia.ru.
193.124.190.246 vakpk.ru.
193.124.190.38 sale-4u.ru.
194.67.210.202 threeality.ru.

Now, 193.124.186.205 looks suspicious, as it shows up only once,
and I could hardly believe that such a PTR record would be used
by someone who has purchased that many "valid" domains for
pretty much spam-only purposes.

Finally, the "unwanted correspondence" list for the last week
got another five entries, ending up as follows.

--
FSF associate member #7257 58F8 0F47 53F5 2EB2 F6A5 8916 3013 B6A0 230E 334A
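
An added example, not part of the original post: generating `ipset restore` input for the 'dropemall' and 'rejectnet' sets described above, with each sender IP added as a host and its covering prefix added once. The function names and the sample addresses (RFC 5737 documentation ranges) are constructed for illustration.

```shell
# Added example: turn sender IPs into `ipset restore` input for the two sets
# named in the post (dropemall = hash:ip, rejectnet = hash:net).

# Dotted quad -> 32-bit integer. Rejects malformed input and leading zeros,
# which shell arithmetic would otherwise read as octal.
ip2int() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when address $1 lies inside CIDR prefix $2.
in_cidr() {
    a=$(ip2int "$1") && n=$(ip2int "${2%/*}") || return 1
    len=${2#*/}
    case $len in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - len)) - 1) ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# stdin: sender IPs, one per line; $1: file of prefixes to match against.
# Each valid host is added to dropemall, its covering prefix once to rejectnet.
gen_restore() {
    seen=' '
    while read -r ip; do
        ip2int "$ip" >/dev/null || { echo "skipped: $ip" >&2; continue; }
        echo "add dropemall $ip"
        while read -r net; do
            in_cidr "$ip" "$net" || continue
            case $seen in *" $net "*) ;; *)
                seen="$seen$net "; echo "add rejectnet $net" ;; esac
            break
        done < "$1"
    done
}

# Constructed sample (RFC 5737 documentation ranges, not from the thread).
demo() {
    nets=$(mktemp) && printf '%s\n' 192.0.2.0/24 198.51.100.0/25 > "$nets"
    printf '%s\n' 192.0.2.7 192.0.2.99 198.51.100.200 010.1.1.1 |
        gen_restore "$nets" 2>/dev/null
    rm -f "$nets"
}
```

With real input, the output can be piped to `ipset -exist restore`; entries added without an explicit timeout take the default set when the sets were created.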
Ivan Shmakov
2016-11-10 17:10:23 UTC
[...]
All the unwanted mail I saw before came from the 13 networks below,
This has worked quite well until yesterday, when I got yet
another message, this time from 95.46.99.0/24 (AS201094), very
similar to those I was getting from the MAROSNET networks.

I've mailed abuse at gmhost dot com dot ua, but have seen no reply as
of yet. The hosts were thus added to my 'dropemall' set; while
the network (/24) made it straight to 'rejectnet'.

2016W45 ***@009msk.ru [95.46.99.232]
***@give-gift.ru [95.46.99.233]

FTR, there were a couple more messages with similar Message-ID:
values (/^[0-9A-Z]{32}@/) that came from other networks; namely:

2016W44 ***@sr.incl.ne.jp [219.121.225.37]
2016W42 ***@mail.tjnu.edu.cn [202.113.96.4]

And just in case someone gets curious, here's a partial
list of IPv4 addresses that were recently denied access to
TCP port 25 at my MX, in reverse chronological order.


[...]
--
FSF associate member #7257 np. Dream Raga -- Jami Sieber 3013 B6A0 230E 334A