Network abuse
Here is my log of spotted and reported network abuse incidents.
It started as private notes aiming to keep track of those being
fixed, and to block the hosts if they keep spamming. I decided
to make it public, since there is no private information in it
(though I'm omitting the bits I may discover that aren't public,
such as server administrator email addresses), and it may be of
interest for people trying to decide whether reporting is
worthwhile.
Spam messages
Below are incidents with spam messages that got through the
usual filters: dates, hosts, the abuse contact and other report
information, other notes.
XMPP
- 2021-09-12, 188.243.192.232, abuse@sknt.ru: no response and
spam kept coming, submitted a JabberSPAM blacklist PR.
- 2021-09-12, 138.201.50.174, stian@barmen.nu: replied that he
will investigate. Probing from ether@jabber.no.
- 2021-09-12, 54.36.115.48, info@xmpp.gg and abuse@ovh.net: no
reply from either and the spam kept coming, submitted a
blacklist PR. Probing from ink@jabber.gg.
- 2022-08-25, 138.201.25.9, abuse@hetzner.com followed
by Hetzner abuse reporting form. Subscription requests and
OMEMO-encrypted messages, similar ones from multiple services
and JIDs, with occasional plaintext being just silly. This one
is from klassic@isgeek.info. Those kept coming for at least a
month.
- 2022-08-25, 185.146.232.56, vesselwave@protonmail.com: they
deleted the user and started looking more closely for
spammers. From klassic@satisprivacy.org.
- 2022-08-25, 95.168.217.72, support@jabbim.zendesk.com and
abuse@superhosting.cz (since the first one had no
effect). From multiks@jabbim.sk.
- 2022-09-06, 170.187.181.190, abuse@linode.com. From
multiks@rows.im.
- 2022-09-10, 86.250.242.174. Did not notice at first, and
then it ceased. Probing (presence subscription requests) from
multiks@im.azurs.fr.
- 2022-10-01, 89.147.108.127, info@outerrealm.net on
2022-10-06, within 30 minutes received a reply saying that it
will be looked into, and apparently it was solved. From
ehf@msg.outerrealm.net: subscription requests at first, an odd
message saying "Request Subscription" (followed by
opportunistic OTR's whitespaces, similarly to some of the past
spammy/probing messages) on 2022-10-06.
- 2022-10-18, 78.72.102.36. Have not reported, but then it
disappeared; possibly somebody else did. From swe@qwik.space,
a subscription request.
- 2022-10-18, 78.72.102.36. Same as above: haven't reported,
but then it disappeared. From basik@qwik.space, a subscription
request.
- 2022-11-01, 138.201.50.174, stian@barmen.nu. From
floki@jabber.no: "Hi there, free for chat?". Then a
subscription request from the same JID arrived on
2023-01-03.
- 2022-11-16, 138.201.25.9, the Hetzner reporting form (since
I have not found administrator contact information). Received an
acknowledgement on 2023-01-11, a reply from the XMPP server
administrator on 2023-01-13 saying that it doesn't look like
spam; described the issue in more detail, another reply saying
that it sounds like "complete nonsense" and suggesting to use
iptables. Asked on operators@muc.xmpp.org to ensure that my
approach is sensible, and replied to abuse@hetzner.com, asking
about their policy on XMPP spam; no reply, as of
2023-05-05. Unexpected presence subscription request and no
message (likely probing) from basik@isgeek.info.
- 2022-12-13, 138.201.50.174, stian@barmen.nu. Then again on
2023-03-08 (after an additional message from the same XMPP
address). From prtship@jabber.no/_, a presence subscription
request, and a "Hi, Free for chat?" message 3 months
later.
- 2023-01-18, 167.179.180.180, abuse@octothorn.com (on
2023-01-19). Received a reply on 2023-02-15, mentioning that
the user is being kicked off, and the account had more than
1000 contacts in the roster, most of which were pending a
subscription approval. From aus@jabber.octothorn.com/_, a
presence subscription request. The last one arrived on
2023-01-31.
Email
- 2021-02-09, 103.66.105.237, noc@cmjainimpex.in.
- 2021-03-31, 205.201.133.233, abuse@mailchimp.com.
- 2021-06-24, 2a00:1450:4864:20::641, Gmail abuse reporting
form. Apparently reporting didn't work, nothing happened
on "submit".
- 2021-06-25, 91.223.3.194, admin@skynode.pl.
- 2022-04-25, 146.19.173.107, abuse@ipconnect.services.
- 2022-04-28, 5.181.80.128, noc@4vendeta.com.
- 2022-05-29, 200.93.248.119, rolfex@powerfast.net.
- 2022-05-30, 193.218.204.206, abuse@heficed.com. The client
replied that it was solved a long time ago.
- 2022-05-31, 2607:f8b0:4864:20::e41, Gmail abuse reporting
form.
- 2022-06-30, 211.100.47.38. A Chinese ISP, probably not worth
reporting. Blacklisted in postscreen_access.cidr.
- 2022-08-15, 159.183.196.221, abuse@sendgrid.com.
- 2022-11-01, 2607:5500:3000:1176::2,
support@hostwinds.com.
- 2023-05-05, 106.75.10.112, ipas@cnnic.cn. From
ucmail25.sendcloud.io.
- 2023-05-30, 69.12.91.126, abuse@quadranet.com.
- 2023-06-16, 117.50.66.12, ipas@cnnic.cn. From
ucmail17.sendcloud.io, added "sendcloud.io REJECT spammers" into
the file referenced by postfix's check_client_access. dnswl.org
returned 127.0.15.0 for it, reported it to them as spam.
- 2023-06-22, 192.119.65.137, abuse@hostwinds.com. Their mail
server (Gmail) rejects messages with the spam message
attached, reported without an attachment.
- 2023-07-21, 220.133.13.91,
hostmaster@twnic.net.tw. According to the received mail
headers, it originated from 185.225.74.219.
- 2023-09-15, 46.17.43.50, noc@baxet.ru. With valid SPF for
tiaohu.net: apparently a Chinese organization's domain name,
but a Russian hoster's IP address. Quickly received a reply
saying "Blocked" from support@justhost.asia.
- 2023-09-15, 2607:f8b0:4864:20::935, Gmail abuse reporting form.
- 2023-09-22, 2607:f8b0:4864:20::72c, Gmail abuse reporting
form. Same address as the previous one
(polachek@squadhelp.co), a follow-up.
- 2023-09-23, 2607:f8b0:4864:20::72a, Gmail abuse reporting
form. Same address as the previous two, the spammer claimed it
is the last message.
- 2023-09-25, 2607:f8b0:4864:20::f29, Gmail abuse reporting
form. A new subdomain, polachekg@go.squadhelp.co, but
continuation of the previous 3, and Gmail does nothing;
blacklisted the domain in postfix (check_sender_access).
- 2023-10-19, 209.85.128.177, Gmail abuse reporting form. From
masonlambert190@gmail.com.
- 2023-11-01, 209.85.128.172, Gmail abuse reporting form. From
katherinesophia523@gmail.com.
- 2023-12-05, 31.192.235.11, abuse@profitserver.ru. Phishing,
envelope-from abuse@q03.1cooldns.com, with valid DKIM and
SPF.
- 2023-12-11, 31.192.237.60, abuse@profitserver.ru. Phishing
again, envelope-from abuse@origin.1cooldns.com.
- 2023-12-11, 209.85.219.180, Gmail abuse reporting form. From
haileyjtanner@gmail.com, asking to add a link to some
furniture selling website (which supposedly has a blog post on
astronomy) from my "links" page.
- 2023-12-18, 209.85.128.170, Gmail abuse reporting form. From
haileyjtanner@gmail.com again, Gmail does not seem to do much
about outgoing spam.
- 2023-12-19, 31.192.239.9, abuse@profitserver.ru. Phishing
yet again, envelope-from=no-replies@batixtaneve.com this
time. Blacklisted 31.192.232.0/21.
- 2023-12-26, 209.85.128.169, Gmail abuse reporting form. From
haileyjtanner@gmail.com yet again, Gmail still does
nothing. Blacklisted the address in postfix
(check_sender_access).
- 2024-02-29, 204.152.197.177, abuse@quadranet.com. Spam about
electric bicycles.
- 2024-03-12, 185.218.100.84, abuse@ipxo.com.
- 2024-03-18, 194.53.136.174, abuse@virtono.com. Spam about
electric bicycles, same as on 2024-03-12.
- 2024-03-20, 104.223.121.26, abuse@quadranet.com. Same as the
last two, and as on 2024-02-29: e-bikes.
- 2024-04-25, 2024-04-26, 216.9.224.143,
abuse@dchost.com. Scam, 3 messages. And one more message from
the misconfigured mail server, notifying about a failed
delivery (the "from" address matched the "to" address).
- 2024-05-09, 173.249.144.124, abuse@liquidweb.com. Posing as
a Docusign notification.
- 2024-06-12, 193.188.192.139, abuse@pipenet.hu.
- 2024-07-31, 47.90.198.34, abuse@alibaba-inc.com.
- 2024-08-08, 103.224.90.82, abuse@nexcess.net. Phishing.
- 2024-09-23, 208.234.3.27, abuse@verizon.net,
abuse@ait.com. A scam, as described in "Beware of Chinese
Domain Scams" or "Chinese domain registration emails". Verizon
pointed to AIT.com, I wrote there, the "support ticket" was
closed quickly without a comment.
- 2024-09-24, 2a00:1450:4864:20::42b, Gmail abuse reporting
form. From saracody9@gmail.com, a request to link some
irrelevant website from mine.
- 2024-10-27, 219.134.170.101,
anti-spam@chinatelecom.cn. Router advertisements.
- 2024-11-18, 46.23.108.219, abuse@bullethost.net. Electric
bicycle advertisement.
- 2024-11-19, 192.154.230.159,
abuse@host4yourself.com. Electric bicycle advertisement.
- 2024-11-22, 181.214.99.201, abuse@ipxo.com. E-bikes.
- 2024-11-30, 188.127.247.224, abuse@smartape.net
(though SmartApe is reported to be a Russian hosting for
cybercriminals itself). Probing.
- 2024-12-01, 120.241.40.88, abuse@chinamobile.com. Spam about
shipping from China.
- 2024-12-04, 91.193.18.13,
abuse@hostzealot.com. E-bikes.
- 2024-12-06, 181.214.99.132,
report@abuseradar.com. E-bikes.
- 2024-12-10, 84.32.41.141,
report@abuseradar.com. E-bikes.
- 2024-12-13, 162.250.189.12, complaints@servarica.com. The
ticket was automatically created and automatically closed
without response in 36 hours; blacklisted its subnet in
postscreen_access.cidr.
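The Postfix pieces mentioned in the entries above (postscreen_access.cidr, check_client_access, check_sender_access), put together as an added illustration rather than the actual configuration behind this log; the file paths are assumed, and where an entry does not say which table it was blacklisted in, the postscreen CIDR list is assumed.

```conf
# /etc/postfix/main.cf (fragment; the paths are assumed)
# postscreen consults the CIDR list before the connection reaches smtpd,
# so addresses rejected here never cost an smtpd process.
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr

# Client hostname/address checks, run once the session reaches smtpd.
smtpd_client_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/client_access

# Envelope sender checks (MAIL FROM), independent of the client address.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access

# /etc/postfix/postscreen_access.cidr (cidr: tables need no postmap run)
# Actions are permit, reject or dunno; entries are the addresses named
# in the log entries above.
211.100.47.38/32     reject
31.192.232.0/21      reject

# /etc/postfix/client_access (run "postmap /etc/postfix/client_access"
# after editing). Keys are matched against the client's hostname, its
# parent domains, its address or a network prefix. With the default
# parent_domain_matches_subdomains setting, "sendcloud.io" also matches
# ucmail17.sendcloud.io and ucmail25.sendcloud.io.
sendcloud.io         REJECT spammers

# /etc/postfix/sender_access (run "postmap /etc/postfix/sender_access"
# after editing). Keys are full addresses, domains (with subdomains, so
# squadhelp.co also covers go.squadhelp.co) or "user@" local parts.
haileyjtanner@gmail.com   REJECT
squadhelp.co              REJECT
```

The sender table is what makes the Gmail cases blockable without rejecting all of Gmail's outbound addresses, which, as the observations below note, would be a bad trade given the number of legitimate users.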
General observations
A lot of network abuse (spam, vulnerability scans, brute-force
attacks) comes from China, plenty from Russia as well. As a side
note, Chinese researchers similarly spam the world with
fabricated research papers (though apparently they try to combat
it, up to a death penalty for researchers who commit fraud if it
harms people). Apparently wider agreements, policies, and
cultures help to fight network abuse about as well as
technological methods do. I think it is okay to rate-limit
regional IP address blocks (as described in the private server
setup notes), but not to block them completely: there may be
non-abusive users once in a while, and it would be unfair to
them. And then there are large mail providers, particularly
Gmail, not caring much about outgoing spam, while blocking them
is a bad option, given the number of legitimate users: the
ham-to-spam ratio is less than 1, but more than 0.