Re: More then 2800 spams from the list...
Now I have made a script to analyse where the traffic is coming from:
A single network in Spain!
On 2018-03-19 tomas@tuxteam.de hacked into the keyboard:
> What do you mean by "the spammer is on the list"? The spam messages
> don't go via list. I would get them (my own mail server and no spam
> filter beyond the standard Exim header checking, which would never
> drop/reject a mail coming from the list).
>
>> <mail.tamay-dogan.net> is subject of a DOS attack.
>
> Yes, I rather think they are targeting you. The Debian mailing
> list headers seem to me (well placed) spoof.
>
>> It seems, the Attacker know probably several 10.000 wrong configured
>> mailservers and now use it, to pull down my server...
>
> Yes, that's how it looks to me. Perhaps they're real bounces,
> perhaps they're fake. But I'm pretty sure by now that the
> Debian-list related headers are plain fake, to nudge people
> into "responding to list" and thus spreading the spam even
> more.
I am attacked by this network:
----[ c 'whois -B 188.164.196.32' ]-------------------------------------
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Information related to '188.164.192.0 - 188.164.199.255'
% Abuse contact for '188.164.192.0 - 188.164.199.255' is 'abuse@infortelecom.es'
inetnum: 188.164.192.0 - 188.164.199.255
netname: ES-INFORTELECOM-20120912
country: ES
org: ORG-ISS3-RIPE
admin-c: JDDG1-RIPE
tech-c: JDDG1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: AS50926-MNT
created: 2012-09-12T11:52:24Z
last-modified: 2017-11-30T11:26:09Z
source: RIPE
organisation: ORG-ISS3-RIPE
org-name: Infortelecom Hosting S.L.
org-type: LIR
address: Ronda Narciso Monturiol, num.17 Puerta 1 1 Parque Tecnologico
address: 46980
address: Paterna - VALENCIA
address: SPAIN
phone: +34910820073
phone: +34963788771
e-mail: jdomenech@infortelecom.es
admin-c: JDDG1-RIPE
admin-c: VGP13-RIPE
abuse-c: ABIT11-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: AS50926-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: AS50926-MNT
created: 2004-10-07T15:33:06Z
last-modified: 2017-10-30T14:49:58Z
source: RIPE
person: Jose Daniel Domenech Gasco
address: C/ Ciudad de Sevilla, 76 - Pol. Ind. Fuente del Jarro
address: 46980 Paterna
address: Valencia, SPAIN
e-mail: jdomenech@infortelecom.es
phone: +34963788771
fax-no: +34960451442
nic-hdl: JDDG1-RIPE
mnt-by: AS50926-MNT
created: 2002-10-08T14:20:22Z
last-modified: 2013-04-03T16:12:35Z
source: RIPE
% Information related to '188.164.196.0/24AS50926'
route: 188.164.196.0/24
origin: AS50926
descr: AXARnet-Network
mnt-by: AXARNET-MNT
mnt-by: AS50926-MNT
created: 2017-05-16T10:01:19Z
last-modified: 2017-05-16T10:01:19Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.91.1 (BLAARKOP)
-----------------------------------------------------------------------
They have several 1000 mailservers which send me this crap...
...and if I read on their website "VPS & CLOUD" my alarm bells are
ringing. I blocked their WHOLE network!
> FWIW, I've sent a test message to (some randomly chosen user name)
> at one of the servers in list and am awaiting a bounce message.
>
> Let's see...
>
> @Michelle: could you please send me a *complete* bounce message,
> headers and all, as it arrives at your place? I still can't figure
> out what kind of headers you sent to this list.
yes in some seconds.
> Thanks
> - -- tomás
Thanks in advance
--
Michelle Konzack Miila ITSystems @ TDnet
GNU/Linux Developer 00372-54541400