Here is my log of spotted and reported network abuse incidents. It started as private notes, meant to keep track of which incidents get fixed and to block the hosts if they keep spamming. I decided to make it public, since there is no private information in it (though I'm omitting bits I may discover that aren't public, such as server administrator email addresses), and it may be of interest to people trying to decide whether reporting is worthwhile.
Below are the incidents: spam messages, both email and XMPP, that got through the usual filters.
Date | Host | Type | Report | Notes |
---|---|---|---|---|
2021-02-09 | 103.66.105.237 | email | noc@cmjainimpex.in | |
2021-03-31 | 205.201.133.233 | email | abuse@mailchimp.com | |
2021-06-24 | 2a00:1450:4864:20::641 | email | Gmail abuse reporting form | Reporting apparently didn't work: nothing happened on "submit". |
2021-06-25 | 91.223.3.194 | email | admin@skynode.pl | |
2021-09-12 | 188.243.192.232 | XMPP | No xmpp@ address; contacted abuse@sknt.ru, no response and the spam kept coming; submitted a JabberSPAM blacklist PR. | Subscription probing from v0dka@jabber.infos.ru. |
2021-09-12 | 138.201.50.174 | XMPP | stian@barmen.nu, replied that he'll investigate. | Probing from ether@jabber.no. |
2021-09-12 | 54.36.115.48 | XMPP | info@xmpp.gg, no reply; abuse@ovh.net on 2021-09-20, no reply and no effect either; submitted a blacklist PR. | Probing from ink@jabber.gg. |
2022-04-25 | 146.19.173.107 | email | abuse@ipconnect.services | |
2022-04-28 | 5.181.80.128 | email | noc@4vendeta.com | |
2022-05-29 | 200.93.248.119 | email | rolfex@powerfast.net | |
2022-05-30 | 193.218.204.206 | email | abuse@heficed.com | The client replied that it was solved a long time ago. |
2022-05-31 | 2607:f8b0:4864:20::e41 | email | Gmail abuse reporting form | |
2022-06-30 | 211.100.47.38 | email | Chinese ISP, probably not worth reporting. | Blacklisted in postscreen_access.cidr. |
2022-08-15 | 159.183.196.221 | email | abuse@sendgrid.com | |
2022-08-25 | 138.201.25.9 | XMPP | No administrator contact information and no mail server there; reported to abuse@hetzner.com on 2022-08-30. Was asked to fill in a form on 2022-09-07, fought the captcha and filled it in, received an auto-reply/confirmation on 2022-09-26 (while subscription requests kept coming). | Subscription requests and OMEMO-encrypted messages, similar ones from multiple services and JIDs, with the occasional plaintext being just silly. This one is from klassic@isgeek.info. |
2022-08-25 | 185.146.232.56 | XMPP | vesselwave@protonmail.com; they deleted the user and started looking more closely for spammers. | From klassic@satisprivacy.org. |
2022-08-25 | 95.168.217.72 | XMPP | support@jabbim.zendesk.com, auto-reply and no effect; wrote to abuse@superhosting.cz on 2022-09-05. | From multiks@jabbim.sk. |
2022-09-06 | 170.187.181.190 | XMPP | The xmpp@ address doesn't exist; wrote to abuse@linode.com, was asked for logs and provided them on 2022-09-07. | From multiks@rows.im. |
2022-09-10 | 86.250.242.174 | XMPP | Didn't notice at first, and it ceased soon. | Presence subscription requests from multiks@im.azurs.fr. |
2022-10-01 | 89.147.108.127 | XMPP | info@outerrealm.net on 2022-10-06; within 30 minutes received a reply saying that it will be looked into, and apparently it was solved. | From ehf@msg.outerrealm.net: subscription requests at first, then an odd message saying "Request Subscription" (followed by opportunistic OTR's whitespace, similarly to some of the past spammy/probing messages) on 2022-10-06. |
2022-10-18 | 78.72.102.36 | XMPP | Haven't reported, but then it disappeared; possibly somebody else did. | From swe@qwik.space, a subscription request. |
2022-10-18 | 78.72.102.36 | XMPP | Same as above: haven't reported, but then it disappeared. | From basik@qwik.space, a subscription request. |
2022-11-01 | 2607:5500:3000:1176::2 | email | support@hostwinds.com | |
2022-11-01 | 138.201.50.174 | XMPP | stian@barmen.nu | From floki@jabber.no: "Hi there, free for chat?". Then a subscription request from the same JID arrived on 2023-01-03. |
2022-11-16 | 138.201.25.9 | XMPP | Still no administrator contact in sight. Fought the Hetzner captcha again, submitted the abuse reporting form on 2022-12-13, asking them to contact the server administrator. Received an acknowledgement on 2023-01-11, and a reply from the XMPP server administrator on 2023-01-13 saying that it doesn't look like spam; described the issue in more detail, got another reply saying that it sounds like "complete nonsense" and suggesting the use of iptables. Asked on operators@muc.xmpp.org to make sure that my approach is sensible, and replied to abuse@hetzner.com, asking about their policy on XMPP spam; no reply as of 2023-05-05. | Unexpected presence subscription request and no message (likely probing) from basik@isgeek.info. |
2022-12-13 | 138.201.50.174 | XMPP | stian@barmen.nu, then again on 2023-03-08 (after an additional message from the same XMPP address). | From prtship@jabber.no/_, a presence subscription request, and a "Hi, Free for chat?" message 3 months later. |
2023-01-18 | 167.179.180.180 | XMPP | abuse@octothorn.com (on 2023-01-19). Received a reply on 2023-02-15, saying that the user is being kicked off, and that the account had more than 1000 contacts in the roster, most of them pending subscription approval. | From aus@jabber.octothorn.com/_, a presence subscription request. The last one arrived on 2023-01-31. |
2023-05-05 | 106.75.10.112 | email | ipas@cnnic.cn | From ucmail25.sendcloud.io. |
2023-05-30 | 69.12.91.126 | email | abuse@quadranet.com | |
2023-06-16 | 117.50.66.12 | email | ipas@cnnic.cn | From ucmail17.sendcloud.io; added a "sendcloud.io REJECT spammers" entry to the file referenced by Postfix's check_client_access. dnswl.org returned 127.0.15.0 for it; reported it to them as spam. |
2023-06-22 | 192.119.65.137 | email | abuse@hostwinds.com | Their mail server (Gmail) rejects messages with the spam message attached; reported without the attachment. |
2023-07-21 | 220.133.13.91 | email | hostmaster@twnic.net.tw | According to the Received mail headers, it originated from 185.225.74.219. |
2023-09-15 | 46.17.43.50 | email | noc@baxet.ru | With valid SPF for tiaohu.net: apparently a Chinese organization's domain name, but a Russian hoster's IP address. Quickly received a reply saying "Blocked" from support@justhost.asia. |
2023-09-15 | 2607:f8b0:4864:20::935 | email | Gmail abuse reporting form | |
2023-09-22 | 2607:f8b0:4864:20::72c | email | Gmail abuse reporting form | Same address as the previous one (polachek@squadhelp.co), a follow-up. |
2023-09-23 | 2607:f8b0:4864:20::72a | email | Gmail abuse reporting form | Same address as the previous two; the spammer claimed it is the last message. |
2023-09-25 | 2607:f8b0:4864:20::f29 | email | Gmail abuse reporting form | A new subdomain, polachekg@go.squadhelp.co, but a continuation of the previous 3, and Gmail does nothing; blacklisted the domain in Postfix (check_sender_access). |
2023-10-19 | 209.85.128.177 | email | Gmail abuse reporting form | From masonlambert190@gmail.com. |
2023-11-01 | 209.85.128.172 | email | Gmail abuse reporting form | From katherinesophia523@gmail.com. |
2023-12-05 | 31.192.235.11 | email | abuse@profitserver.ru | Phishing, envelope-from abuse@q03.1cooldns.com, with valid DKIM and SPF. |
2023-12-11 | 31.192.237.60 | email | abuse@profitserver.ru | Phishing again, envelope-from abuse@origin.1cooldns.com. |
2023-12-11 | 209.85.219.180 | email | Gmail abuse reporting form | From haileyjtanner@gmail.com, asking to add a link to some furniture-selling website (which supposedly has a blog post on astronomy) from my "links" page. |
2023-12-18 | 209.85.128.170 | email | Gmail abuse reporting form | From haileyjtanner@gmail.com again; Gmail does not seem to do much about outgoing spam. |
2023-12-19 | 31.192.239.9 | email | abuse@profitserver.ru | Phishing yet again, envelope-from no-replies@batixtaneve.com this time. Blacklisted 31.192.232.0/21. |
2023-12-26 | 209.85.128.169 | email | Gmail abuse reporting form | From haileyjtanner@gmail.com yet again; Gmail still does nothing. Blacklisted the address in Postfix (check_sender_access). |
2024-02-29 | 204.152.197.177 | email | abuse@quadranet.com | Spam about electric bicycles. |
2024-03-12 | 185.218.100.84 | email | abuse@ipxo.com | |
2024-03-18 | 194.53.136.174 | email | abuse@virtono.com | Spam about electric bicycles, same as on 2024-03-12. |
2024-03-20 | 104.223.121.26 | email | abuse@quadranet.com | Same as the last two, and as on 2024-02-29: e-bikes. |
2024-04-25, 2024-04-26 | 216.9.224.143 | email | abuse@dchost.com | Scam, 3 messages. And one more message from the misconfigured mail server, notifying about a failed delivery (the "from" address matched the "to" address). |
2024-05-09 | 173.249.144.124 | email | abuse@liquidweb.com | Posing as a DocuSign notification. |
2024-06-12 | 193.188.192.139 | email | abuse@pipenet.hu | |
2024-07-31 | 47.90.198.34 | email | abuse@alibaba-inc.com | |
2024-08-08 | 103.224.90.82 | email | abuse@nexcess.net | Phishing. |
2024-09-23 | 208.234.3.27 | email | abuse@verizon.net, abuse@ait.com | A scam, as described in "Beware of Chinese Domain Scams" or "Chinese domain registration emails". Verizon pointed to AIT.com; I wrote there, and the "support ticket" was closed quickly without a comment. |
2024-09-24 | 2a00:1450:4864:20::42b | email | Gmail abuse reporting form | From saracody9@gmail.com, a request to link some irrelevant website from mine. |
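The Postfix blacklisting steps recorded in the table (the postscreen_access.cidr entry, the check_client_access and check_sender_access maps, and the 31.192.232.0/21 block that covers the three profitserver hits) can be derived mechanically from the logged hosts. The Python below is an added example, not code from these notes; it only assumes the cidr: and hash: table formats that Postfix documents, and the function and constant names are mine. It finds the smallest prefix covering a set of hits, refuses to widen it past a chosen limit (so a few hits from a large provider never become a block of legitimate senders, the concern raised in the paragraph below), checks a client address against the resulting list, and emits the map lines.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample input: the three phishing hosts logged on 2023-12-05,
# 2023-12-11 and 2023-12-19 above, before 31.192.232.0/21 was blacklisted.
PROFITSERVER_HITS = ["31.192.235.11", "31.192.237.60", "31.192.239.9"]


def covering_network(addresses: Iterable[str], widest: Optional[int] = None) -> str:
    """Return the smallest single CIDR prefix that contains every address.

    Starts from the first address as a /32 (or /128) and widens the prefix one
    bit at a time until the network contains all of them.  ``widest`` caps how
    short the prefix may get: a block wider than /widest is refused, so a few
    hits from a large provider never turn into a block of legitimate senders.
    """
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        raise ValueError("no addresses given")
    if len({a.version for a in addrs}) != 1:
        raise ValueError("cannot summarise mixed IPv4 and IPv6 addresses")
    net = ipaddress.ip_network(str(addrs[0]))
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit
    if widest is not None and net.prefixlen < widest:
        raise ValueError(f"{net} is wider than /{widest}; refusing to blacklist it")
    return str(net)


def postscreen_cidr_lines(networks: Iterable[str], action: str = "reject") -> List[str]:
    """Lines for a Postfix cidr: table such as postscreen_access.cidr
    (listed in main.cf under postscreen_access_list as cidr:/path/to/file)."""
    return [f"{ipaddress.ip_network(n)} {action}" for n in networks]


def access_map_lines(keys: Iterable[str], action: str = "REJECT", text: str = "") -> List[str]:
    """Lines for a hash: table used by check_client_access or check_sender_access.

    Keys are client hostnames or domains (check_client_access) or sender
    domains and full addresses (check_sender_access).  With Postfix's default
    parent_domain_matches_subdomains, a bare domain key such as squadhelp.co
    also matches go.squadhelp.co, which is why blacklisting the domain covered
    the spammer's new subdomain.
    """
    return [f"{k} {action} {text}".strip() for k in keys]


def is_listed(ip: str, networks: Iterable[str]) -> bool:
    """Would a client connecting from ``ip`` match one of the cidr: entries?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    block = covering_network(PROFITSERVER_HITS, widest=21)
    print("# postscreen_access.cidr")
    print("\n".join(postscreen_cidr_lines([block])))
    print("# client_access (check_client_access)")
    print("\n".join(access_map_lines(["sendcloud.io"], text="spammers")))
    print("# sender_access (check_sender_access)")
    print("\n".join(access_map_lines(["squadhelp.co", "haileyjtanner@gmail.com"])))
```

Postfix reads cidr: tables directly, while hash: tables must be rebuilt with postmap after editing. The widest guard is the important part: summarising the Gmail hits in the table would yield a Google outbound prefix, and the notes below explain why blocking that is a bad trade.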
A lot of network abuse (spam, vulnerability scans, brute-force attacks) comes from China, plenty from Russia as well. As a side note, Chinese researchers similarly spam the world with fabricated research papers (though apparently they try to combat it, up to a death penalty for researchers who commit fraud if it harms people). Apparently wider agreements, policies, and cultures help to fight network abuse about as well as technological methods do. I think it is okay to rate-limit regional IP address blocks (as described in the private server setup notes), but not to block them completely: there may be non-abusive users once in a while, and it would be unfair to them. And then there are large mail providers, particularly Gmail, not caring much about outgoing spam, while blocking them is a bad option, given the number of legitimate users: the ham-to-spam ratio is less than 1, but more than 0.