Network abuse

Here is my log of spotted and reported network abuse incidents. It started as private notes aiming to keep track of those being fixed, and to block the hosts if they keep spamming. I decided to make it public, since there is no private information in it (though I'm omitting the bits I may discover that aren't public, such as server administrator email addresses), and it may be of interest for people trying to decide whether reporting is worthwhile.

Spam messages

Below are incidents with spam messages that got through the usual filters, both email and XMPP.

Date Host Type Report Notes
2021-02-09 email
2021-03-31 email
2021-06-24 2a00:1450:4864:20::641 email Gmail abuse reporting form Apparently reporting didn't work, nothing happened on "submit".
2021-06-25 email
2021-09-12 XMPP no xmpp@ address, contacted, no response and spam kept coming, submitted a JabberSPAM blacklist PR Subscription probing from
2021-09-12 XMPP, replied that he'll investigate Probing from
2021-09-12 XMPP, no reply; on 2021-09-20, no reply and no effect either; submitted a blacklist PR. Probing from
2022-04-25 email
2022-04-28 email
2022-05-29 email
2022-05-30 email The client replied that it was solved a long time ago.
2022-05-31 2607:f8b0:4864:20::e41 email Gmail abuse reporting form
2022-06-30 email Chinese ISP, probably not worth reporting Blacklisted in postscreen_access.cidr.
2022-08-15 email
2022-08-25 XMPP No administrator contact information and no mail server there, reported to on 2022-08-30. Been asked to fill a form on 2022-09-07, fought the captcha and filled it, received an auto-reply/confirmation on 2022-09-26 (while subscription requests kept coming). subscription requests and OMEMO-encrypted messages, similar ones from multiple services and JIDs, with occasional plaintext being just silly. This one is from
2022-08-25 XMPP, they've deleted the user and started looking more closely for spammers. From
2022-08-25 XMPP, auto-reply and no effect, wrote to on 2022-09-05 From
2022-09-06 XMPP xmpp@ address doesn't exist, wrote to, been asked for logs and provided those on 2022-09-07 From
2022-09-10 XMPP Didn't notice at first, and it ceased soon. Presence subscription requests from
2022-10-01 XMPP on 2022-10-06, within 30 minutes received a reply saying that it will be looked into, and apparently it was solved. From subscription requests at first, an odd message saying "Request Subscription" (followed by opportunistic OTR's whitespaces, similarly to some of the past spammy/probing messages) on 2022-10-06.
2022-10-18 XMPP Haven't reported, but then it disappeared; possibly somebody else did. From, a subscription request.
2022-10-18 XMPP Same as above: haven't reported, but then it disappeared. From, a subscription request.
2022-11-01 2607:5500:3000:1176::2 email
2022-11-01 XMPP From "Hi there, free for chat?". Then a subscription request from the same JID arrived on 2023-01-03.
2022-11-16 XMPP No administrator contact in sight still. Fought the Hetzner captcha again, submitted the abuse reporting form on 2022-12-13, asking to contact the server administrator. Received an acknowledgement on 2023-01-11, a reply from the XMPP server aministrator on 2023-01-13 saying that it doesn't look like spam; described the issue in more detail, another reply saying that it sounds like "complete nonsense" and suggesting to use iptables. Asked on to ensure that my approach is sensible, and replied to, asking about their policy on XMPP spam; no reply, as of 2023-05-05. Unexpected presence subscription request and no message (likely probing) from
2022-12-13 XMPP, then again on 2023-03-08 (after an additional message from the same XMPP address). From, a presence subscription request, and a "Hi, Free for chat?" message 3 months later.
2023-01-18 XMPP (on 2023-01-19). Received a reply on 2023-02-15, mentioning that the user is being kicked off, and the account had more than 1000 contacts in the roster, most of which were pending a subscription approval. From, a presence subscription request. The last one arrived on 2023-01-31.
2023-05-05 email from
2023-05-30 email
2023-06-16 email from, added REJECT spammers into the file referenced by postfix's check_client_access. returned for it, reported it to them as spam.
2023-06-22 email Their mail server (Gmail) rejects messages with the spam message attached, reported without an attachment.
2023-07-21 email According to the received mail headers, it originated from
2023-09-15 email With valid SPF for apparently a Chinese organization's domain name, but a Russian hoster's IP address. Quickly received a reply saying "Blocked" from
2023-09-15 2607:f8b0:4864:20::935 email Gmail abuse reporting form
2023-09-22 2607:f8b0:4864:20::72c email Gmail abuse reporting form Same address as the previous one (, a follow-up.
2023-09-23 2607:f8b0:4864:20::72a email Gmail abuse reporting form Same address as the previous two, the spammer claimed it is the last message.
2023-09-25 2607:f8b0:4864:20::f29 email Gmail abuse reporting form A new subdomain,, but continuation of the previous 3, and Gmail does nothing; blacklisted the domain in postfix (check_sender_access).
2023-10-19 email Gmail abuse reporting form From
2023-11-01 email Gmail abuse reporting form From
2023-12-05 email Phishing, envelope-from, with valid DKIM and SPF.
2023-12-11 email Phishing again, envelope-from
2023-12-11 email Gmail abuse reporting form From, asking to add a link to some furniture selling website (which supposedly has a blog post on astronomy) from my "links" page.
2023-12-18 email Gmail abuse reporting form From again, Gmail does not seem to do much about outgoing spam.
2023-12-19 email Phishing yet again, this time. Blacklisted
2023-12-26 email Gmail abuse reporting form From yet again, Gmail still does nothing. Blacklisted the address in postfix (check_sender_access).
2024-02-29 email Spam about electric bicycles
2024-03-12 email
2024-03-18 email Spam about electric bicycles, same as on 2024-03-12.
2024-03-20 email Same as the last two, and as on 2024-02-29: e-bikes.
2024-04-25, 2024-04-26 email Scam, 3 messages. And one more message from the misconfigured mail server, notifying about a failed delivery (the "from" address matched the "to" address).
2024-05-09 email Posing as a Docusign notification.
2024-06-12 email

General observations

A lot of network abuse (spam, vulnerability scans, brute-force attacks) comes from China, plenty from Russia as well. As a side note, Chinese researchers similarly spam the world with fabricated research papers (though apparently they try to combat it, up to a death penalty for researchers who commit fraud if it harms people). Apparently wider agreements, policies, and cultures help to fight network abuse about as well as technological methods do. I think it is okay to rate-limit regional IP address blocks (as described in the private server setup notes), but not to block them completely: there may be non-abusive users once in a while, and it would be unfair to them. And then there are large mail providers, particularly Gmail, not caring much about outgoing spam, while blocking them is a bad option, given the number of legitimate users: the ham-to-spam ratio is less than 1, but more than 0.