=== http://groups.google.com/groups?selm=200405251024.i4PAOrXK017691%40post.it.helsinki.fi ===
From: abuse@biocenter.helsinki.fi
Newsgroups: news.admin.net-abuse.sightings
Subject: [email] [SBL9486] [SPEWS S2715] Re: [email] [spam] Лучшие м
Followup-To: news.admin.net-abuse.email
Date: Tue, 25 May 2004 10:25:00 +0000 (UTC)
Organization: VeriMod ()
Lines: 151
Approved: nanas-sub@cybernothing.org
Message-ID: <200405251024.i4PAOrXK017691@post.it.helsinki.fi>
X-Trace: victor.killfile.org 1085480700 11347 216.43.25.138 (25 May 2004 10:25:00 GMT)
X-Complaints-To: usenet@killfile.org
Processed-By: Bob the NANAS ModBot
X-Auth: PGPMoose V1.1 PGP news.admin.net-abuse.sightings
        iD8DBQFAsx78v1i8LqUfqQURAn6nAJ9KZAUK1HZSnp3pePGBGKUcNwv/fgCfVD24
        ozgYyxccXlTZZDLvlsHWioM=
        =Tg7M
X-Group-Homepage: http://www.killfile.org/~tskirvin/nana/
X-Mail-Path: post.it.helsinki.fi!kruuna.helsinki.fi!abuse@biocenter.helsinki.fi
X-Modbot: Bob the NANAS ModBot
X-Original-Cc: trouble@noc.geant.net, adm@ripn.net, noc@relarn.ru, noc@rbnet.ru, irt@telia.net, nanas@killfile.org, project-admin@spamhaus.org, abuse@biocenter.helsinki.fi
X-Original-To: abuse@relcom.net, alex@RELCOM.EU.NET, olegs@relcom.net
X-Submissions-To: nanas-sub@cybernothing.org

(This is related to Dmitriy Avramenko, abuse@relcom.net, responding to )

cc: Oleg Semenyuk, Aleksei Roudnev, RELCOM
cc: IRT at Telia, Relcom's upstream
cc: GEANT, RBNet's upstream
cc: RBNet NOC
cc: Spamhaus

Dear Mr. Dmitriy Avramenko, abuse@relcom.net,

First of all, thank you for the quick personal response. It is always a pleasure to deal with human beings instead of machines. However:

: Received: from alpha.ru ([144.206.32.10])
:     by send.it.helsinki.fi (8.12.11/8.12.11) with ESMTP id i4P9VUbk021037
:     for ; Tue, 25 May 2004 12:31:30 +0300 (EEST)

Hm. As in the past October.

: Received: from alpha.ru (expo.dtk.kiae.su [144.206.32.10])
:     by no-spam.it.helsinki.fi (8.12.10/8.12.10) with ESMTP id h9OCZ1eY011318
:     for ; Fri, 24 Oct 2003 15:35:01 +0300 (EEST)

Your responses came to our system from expo.dtk.kiae.su [144.206.32.10], not from systems owned by Relcom. Why is that? Perhaps because both of your corporate mail servers are blocklisted. What are you doing at the Russian Research Centre, Kurchatov Institute of Atomic Energy anyway?

$ host -t mx relcom.net
relcom.net MX 80 relay.spb.su
relcom.net MX 60 duplex.relcom.ru
$ host duplex.relcom.ru
duplex.relcom.ru A 193.125.152.61
$ host relay.spb.su
relay.spb.su A 193.124.83.73

Both of those IP addresses (indeed entire /24's) are blocklisted on either Spamhaus, SPEWS, or both, and are therefore unable to send any e-mail to the University of Helsinki (and many others).

I have a feeling that

route:   144.206.0.0/16
descr:   KIAE-MOSCOW
descr:   Main network of Kurchatov Institute
descr:   Russian Research Centre "Kurchatov Institute"
descr:   ( Kurchatov Institute of Atomic Energy )
descr:   1 Kurchatov square
descr:   123182 Moscow
descr:   Russia
origin:  AS3316

will soon be blocklisted as well, along with its upstreams

route:   194.226.0.0/18
descr:   RELARN-MSK
descr:   Research & Education Network
origin:  AS3316

route:   195.209.0.0/19
descr:   RBNet
descr:   Russian Backbone Network
origin:  AS5568

who connect to GEANT, the European backbone.

> [The spammers at 194.135.19.10] [have] got a warning. We've refrained
> from shooting them as yet. Tell us if they continue to annoy you.

As in the past October, when I complained to you about the spam-advertised site 3suisses.ru (you said you "warned" them, remember?) who are still active in your network, on 194.135.19.99, I must say I am not entirely happy with your policy of "warning" spammers.

To put it another way, if I had a pair of scissors and access to the fibers that connect RELCOM to the rest of the Internet, I wouldn't feel any pain fixing your spam problem quite effectively, albeit slightly brutally.

markets.ru do continue to annoy us, merely by existing on the Internet. It is a professional spam operation for which RELCOM have ignored complaints for at least 17 months. You know this perfectly well and are trying to shine on system administrators all around the world. We don't like being treated like idiots, which is what you are trying to do.

Spamming is never an accident these days. It certainly isn't so for this spammer. There are public spam reports for this exact same spam, coming from the exact same IP address, from as long ago as December 2002.

Anri Erinin's spam complaint was sent to multiple addresses at RELCOM and you should already have terminated them back then, in December 2002.

Here's another spam complaint caused by the same spammer, in September 2003.

This spam went to Denmark.

Mr. Avramenko, can you please tell me just how many times you intend to "warn" this spammer before terminating them? On the other hand, don't bother, I don't need to hear more lies.

I think it is the case that your spamming customers are paying RELCOM so well that you think you cannot afford to lose them at all. You are also thinking that you can keep replying to complaints with letters indicating you've sent "warnings" to the spammer and that the problem goes away with that even though the spamming and hosting of spam-advertised sites continues.

SPEWS and Spamhaus seem to think otherwise.

http://spews.org/html/S1164.html
http://spews.org/html/S1505.html
http://spews.org/html/S2715.html
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL9486

Mr. Avramenko, you and your colleagues should take a moment to think very hard about whether you can afford to lose the entire connectivity of RELCOM to the Internet instead.

The blocklisting for 194.135.19.0/24 has already been expanded to cover your other networks, including the ones where your corporate mail servers are, and when you still aren't doing anything about the problem even when your own corporate mail servers cannot deliver mail to quite a few destinations who use SPEWS or Spamhaus, the blocklisting will start hitting Telia, the Kurchatov Institute and RBNet too. Since you have already shown that you don't mind anybody being blocklisted, the only proper response for them will be to cut your cables completely.

Would the Incident Response Team at Telia, the RBNet NOC, and the GEANT NOC please explain to Mr. Avramenko in painstaking detail why it is absolutely mandatory for RELCOM to lose all spammers immediately.

I would appreciate it if Telia, RBNET and GEANT also sent copies of those letters to the newsgroup news.admin.net-abuse.blocklisting, but if you don't feel comfortable doing it, then don't.

--
Abuse desk, Institute of Biotechnology, University of Helsinki
P.O. Box 56, FIN-00014 UNIVERSITY OF HELSINKI, FINLAND
Tel. +358-9-1911 (central exchange), http://www.biocenter.helsinki.fi/bi/

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified unless stated otherwise by the moderators. All opinions expressed above are considered the opinions of the original poster, not the moderators or their respective employers. For a copy of the guidelines to this group, see: