Hello everyone,
we (AS12816, LRZ Leibniz Computing Centre Munich, a regional network for scientific and educational entities in the Munich area) are being hit by regular spamruns originating from 80.253.80.0/24 for several months now. This network belongs to

inetnum:        80.253.80.0 - 80.253.80.255
netname:        JEFTEX-NET
descr:          Dedicated Servers New
country:        CH
admin-c:        JIL9-RIPE
tech-c:         NEXL1-RIPE
status:         ASSIGNED PA
mnt-by:         CH-GREEN-MNT
mnt-lower:      CH-GREEN-MNT
mnt-routes:     CH-GREEN-MNT
source:         RIPE # Filtered

role:           Jeftex International Ltd
address:        Petronas Twin Towers
address:        Kuala Lumpur 50088
address:        Malaysia
abuse-mailbox:  abuse@jeftexint.com
admin-c:        OS3984-RIPE
tech-c:         OS3984-RIPE
nic-hdl:        JIL9-RIPE
source:         RIPE # Filtered
mnt-by:         NEXLINK-MNT

route:          80.253.80.0/20
descr:          green.ch ag, Brugg, Switzerland
origin:         AS21494
mnt-by:         CH-GREEN-MNT
source:         RIPE # Filtered

The spamruns always look the same: they last for a few hours, with tens of thousands of connects from various addresses in this /24. All mails have the sender set to "<someimportantgermanword><random>@<largegermanmaildomain>". Examples:

postfix/smtpd[21095]: NOQUEUE: reject: RCPT from unknown[80.253.80.19]: 554 5.7.1 <unknown[80.253.80.19]>: Client host rejected: Access denied; from=anwaltsiuvo@freenet.de to=xxx@stud.uni-muenchen.de proto=SMTP helo=<freenet.de>
postfix/smtpd[21579]: NOQUEUE: reject: RCPT from unknown[80.253.80.23]: 554 5.7.1 <unknown[80.253.80.23]>: Client host rejected: Access denied; from=bankrjadu@t-online.de to=xxx@ph.tum.de proto=SMTP helo=<t-online.de>

and so on. Most recipients are valid. I don't have any message content as this /24 is blocked for good, but it is annoying nevertheless. I've tried to contact abuse@jeftexint.com and abuse@green.ch without success, I've called them (they referred me to their expensive 0900 hotline and asked me to send a fax) and sent a fax. No response to any of this.
Unfortunately they are not listed on major RBLs yet because most of them seem not to accept submissions but rather rely on their own spamtraps. I've done a survey among the DENOG users and found that while some of the users have no hits at all, other destinations are heavily targeted. Users outside of the German-speaking area don't seem to be affected at all. I'm trying to find a way to submit them to Spamhaus (which we have a paid feed for), but this might take some time.
Is AS21494 known to be irresponsive to abuse complaints? Does anyone know some way to get in contact with them? I'm seriously considering blackholing the whole ASN, but I'm not sure whether this is just a spammerheaven or something important.
Any input is appreciated.
Thanks, Bernhard
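
Added example, not part of the original post: a small Python sketch that groups Postfix reject lines like the ones quoted above by client /24 and counts the traits described (many hits, several addresses, no reverse DNS, HELO equal to the sender's mail domain). The function names, thresholds and the sample lines beyond the two quoted ones are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Postfix smtpd reject line; from= may or may not carry angle brackets.
REJECT = re.compile(
    r"reject: RCPT from (\S+?)\[([0-9.]+)\]:.*? from=<?([^>\s]*)>? .*?helo=<([^>]*)>")

def summarize(lines, prefixlen=24):
    """Group rejects by client network and count the traits of the run."""
    nets = defaultdict(lambda: {"hits": 0, "ips": set(), "forged": 0})
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue
        rdns, ip, sender, helo = m.groups()
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        nets[net]["hits"] += 1
        nets[net]["ips"].add(ip)
        # Trait from the post: client logged as "unknown" (no usable reverse
        # DNS) while HELO claims the same mail domain as the envelope sender.
        if rdns == "unknown" and helo.lower() == sender.rpartition("@")[2].lower():
            nets[net]["forged"] += 1
    return dict(nets)

def suspicious(nets, min_hits=3, min_ips=2, forged_ratio=0.9):
    """Networks where several hosts send almost only HELO-forging mail.
    Thresholds are assumptions; real runs are tens of thousands of hits."""
    return sorted(
        net for net, s in nets.items()
        if s["hits"] >= min_hits and len(s["ips"]) >= min_ips
        and s["forged"] / s["hits"] >= forged_ratio)

# Constructed sample: rows 1-2 follow the quoted log lines, rows 3-4 are invented.
TEMPLATE = ("postfix/smtpd[1]: NOQUEUE: reject: RCPT from {h}[{ip}]: 554 5.7.1 "
            "<{h}[{ip}]>: Client host rejected: Access denied; from={f} "
            "to=xxx@stud.uni-muenchen.de proto=SMTP helo=<{e}>")
SAMPLE = [TEMPLATE.format(h=h, ip=ip, f=f, e=e) for h, ip, f, e in [
    ("unknown", "80.253.80.19", "anwaltsiuvo@freenet.de", "freenet.de"),
    ("unknown", "80.253.80.23", "bankrjadu@t-online.de", "t-online.de"),
    ("unknown", "80.253.80.23", "<constructed@t-online.de>", "t-online.de"),
    ("mail.example.org", "192.0.2.10", "<user@example.org>", "mail.example.org"),
]]

if __name__ == "__main__":
    for net in suspicious(summarize(SAMPLE)):
        print(net)
```
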
Hi Bernhard
> Is AS21494 known to be irresponsive to abuse complaints? Does anyone know some way to get in contact with them?
I had the same issue some time ago.
> I'm seriously considering blackholing the whole ASN,
I didn't go that far but the nets 80.253.80.0/24 80.253.81.0/24
and the hosts matching /zux(\d+-)(\d+-)\d+.adsl.green.ch$/
are blocked by all our mailservers...
> Any input is appreciated.
> Thanks, Bernhard
Regards André
Bernhard Schmidt wrote:
> Hello everyone,
> we (AS12816, LRZ Leibniz Computing Centre Munich, a regional network for scientific and educational entities in the Munich area) are being hit by regular spamruns originating from 80.253.80.0/24 for several months now. This network belongs to
We have seen the same throughout November, but nothing since 30 Nov.
> Unfortunately they are not listed on major RBLs yet because most of them seem not to accept submissions but rather rely on their own spamtraps. I've done a survey among the DENOG users and found that while some of the users have no hits at all, other destinations are heavily targeted. Users outside of the German-speaking area don't seem to be affected at all. I'm trying to find a way to submit them to Spamhaus (which we have a paid feed for), but this might take some time.
We use greylisting, which took care of all of it.
/Per Jessen, Herrliberg