=== http://groups.google.com/groups?selm=200405251024.i4PAOrXK017691%40post.it.helsinki.fi ===
From: abuse@biocenter.helsinki.fi
Newsgroups: news.admin.net-abuse.sightings
Subject: [email] [SBL9486] [SPEWS S2715] Re: [email] [spam]  Лучшие м
Followup-To: news.admin.net-abuse.email
Date: Tue, 25 May 2004 10:25:00 +0000 (UTC)
Organization: VeriMod (<URL:http://www.killfile.org/~tskirvin/verimod/>)
Lines: 151
Approved: nanas-sub@cybernothing.org
Message-ID: <200405251024.i4PAOrXK017691@post.it.helsinki.fi>
X-Trace: victor.killfile.org 1085480700 11347 216.43.25.138 (25 May 2004 10:25:00 GMT)
X-Complaints-To: usenet@killfile.org
Processed-By: Bob the NANAS ModBot <nanas-req@cybernothing.org>
X-Auth: PGPMoose V1.1 PGP news.admin.net-abuse.sightings
	iD8DBQFAsx78v1i8LqUfqQURAn6nAJ9KZAUK1HZSnp3pePGBGKUcNwv/fgCfVD24
	ozgYyxccXlTZZDLvlsHWioM=
	=Tg7M
X-Group-Homepage: http://www.killfile.org/~tskirvin/nana/
X-Mail-Path: post.it.helsinki.fi!kruuna.helsinki.fi!abuse@biocenter.helsinki.fi
X-Modbot: Bob the NANAS ModBot <nanas-req@cybernothing.org>
X-Original-Cc: trouble@noc.geant.net, adm@ripn.net, noc@relarn.ru, noc@rbnet.ru,
        irt@telia.net, nanas@killfile.org, project-admin@spamhaus.org,
        abuse@biocenter.helsinki.fi
X-Original-To: abuse@relcom.net, alex@RELCOM.EU.NET, olegs@relcom.net
X-Submissions-To: nanas-sub@cybernothing.org


(This is related to Dmitriy Avramenko, abuse@relcom.net, responding to
 <URL:http://groups.google.com/groups?selm=200405241228.i4OCSBcS020586%40post.it.helsinki.fi>)

cc: Oleg Semenyuk, Aleksei Roudnev, RELCOM
cc: IRT at Telia, Relcom's upstream
cc: GEANT, RBNet's upstream
cc: RBNet NOC
cc: Spamhaus

Dear Mr. Dmitriy Avramenko, abuse@relcom.net,

First of all, thank you for the quick personal response.  It is
always a pleasure to deal with human beings instead of machines.

However:

: Received: from alpha.ru ([144.206.32.10])
: 	by send.it.helsinki.fi (8.12.11/8.12.11) with ESMTP id i4P9VUbk021037
: 	for <abuse@biocenter.helsinki.fi>; Tue, 25 May 2004 12:31:30 +0300 (EEST)

Hm.  As in the past October.

: Received: from alpha.ru (expo.dtk.kiae.su [144.206.32.10])
: 	by no-spam.it.helsinki.fi (8.12.10/8.12.10) with ESMTP id h9OCZ1eY011318
: 	for <abuse@biocenter.helsinki.fi>; Fri, 24 Oct 2003 15:35:01 +0300 (EEST)

Your responses came to our system from expo.dtk.kiae.su [144.206.32.10],
not from systems owned by Relcom.  Why is that?  Perhaps because of both
of your corporate mail servers are blocklisted.  What are you doing at
the Russian Research Centre, Kurchatov Institute of Atomic Energy anyway?

$ host -t mx relcom.net
relcom.net              MX      80 relay.spb.su
relcom.net              MX      60 duplex.relcom.ru

$ host duplex.relcom.ru
duplex.relcom.ru        A       193.125.152.61

$ host relay.spb.su
relay.spb.su            A       193.124.83.73

Both of those IP addresses (indeed entire /24's) are blocklisted on
either Spamhaus, SPEWS, or both, and are therefore unable to send any
e-mail to the University of Helsinki (and many others).

I have a feeling that

route:        144.206.0.0/16
descr:        KIAE-MOSCOW
descr:        Main network of Kurchatov Institute
descr:        Russian Research Centre "Kurchatov Institute"
descr:        ( Kurchatov Institute of Atomic Energy )
descr:        1 Kurchatov square
descr:        123182 Moscow
descr:        Russia
origin:       AS3316

will soon be blocklisted as well, along with its upstreams

route:        194.226.0.0/18
descr:        RELARN-MSK
descr:        Research & Education Network
origin:       AS3316

route:        195.209.0.0/19
descr:        RBNet
descr:        Russian Backbone Network
origin:       AS5568

who connect to GEANT, the European backbone.

> [The spammers at 194.135.19.10] [have] got a warning. We've refrained
> from shooting them as yet. Tell us if they continue to annoy you.

As in the past October, when I complained to you about the spam-advertised
site 3suisses.ru (you said you "warned" them, remember?) who are still
active in your network, on 194.135.19.99, I must say I am not entirely
happy with your policy of "warning" spammers.

To put it another way, if I had a pair of scissors and access to the fibers
that connect RELCOM to the rest of the Internet, I wouldn't feel any pain
fixing your spam problem quite effectively, albeit slightly brutally.

markets.ru do continue to annoy us, merely by existing on the Internet.  It
is a professional spam operation for which RELCOM have ignored complaints
for at least 17 months.  You know this perfectly well and are trying to
shine on system administrators all around the world.  We don't like being
treated like idiots, which is what you are trying to do.

Spamming is never an accident these days.  It certainly isn't so for this
spammer.  There are public spam reports for this exact same spam, coming
from the exact same IP address, from as long ago as December 2002.  Anri
Erinin's spam complaint was sent to multiple addresses at RELCOM and you
should already have terminated them back then, in December 2002.

<URL:http://groups.google.com/groups?selm=3DF11535.8071DE5A%40rambler.ru>

Here's another spam complaint caused by the same spammer, in September 2003.
This spam went to Denmark.

<URL:http://groups.google.com/groups?selm=20030903162156.5B54AD68030%40mailrelay.fgnet.dk>

Mr. Avramenko, can you please tell me just how many times you intend to
"warn" this spammer before terminating them?  On the other hand, don't
bother, I don't need to hear more lies.

I think it is the case that your spamming customers are paying RELCOM so well
that you think you cannot afford to lose them at all.  You are also thinking
that you can keep replying to complaints with letters indicating you've sent
"warnings" to the spammer and that the problem goes away with that even
though the spamming and hosting of spam-advertised sites continues.

SPEWS and Spamhaus seem to think otherwise.

http://spews.org/html/S1164.html
http://spews.org/html/S1505.html
http://spews.org/html/S2715.html
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL9486

Mr. Avramenko, you and your colleagues should take a moment to think very
hard about whether you can afford to lose the entire connectivity of RELCOM
to the Internet instead.  The blocklisting for 194.135.19.0/24 has already
been expanded to cover your other networks, including the ones where your
corporate mail servers are, and when you still aren't doing anything about
the problem even when your own corporate mail servers cannot deliver mail
to quite a few destinations who use SPEWS or Spamhaus, the blocklisting
will start hitting Telia, the Kurchatov Institute and RBNet too.  Since
you have already shown that you don't mind anybody being blocklisted, the
only proper response for them will be to cut your cables completely.

Would the Incident Response Team at Telia, the RBNet NOC, and the GEANT
NOC please explain to Mr. Avramenko in painstaking detail why it is
absolutely mandatory for RELCOM to lose all spammers immediately.

I would appreciate it if Telia, RBNET and GEANT also sent copies of
those letters to the newsgroup news.admin.net-abuse.blocklisting, but
if you don't feel comfortable doing it, then don't.

-- 
Abuse desk, Institute of Biotechnology, University of Helsinki
P.O. Box 56, FIN-00014  UNIVERSITY OF HELSINKI, FINLAND
Tel. +358-9-1911 (central exchange), http://www.biocenter.helsinki.fi/bi/

-- 
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators.  All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.

For a copy of the guidelines to this group, see:
<URL:http://www.killfile.org/~tskirvin/nana/>