Network abuse

Here is my log of spotted and reported network abuse incidents. It started as private notes aiming to keep track of those being fixed, and to block the hosts if they keep spamming. I decided to make it public, since there is no private information in it (though I'm omitting the bits I may discover that aren't public, such as server administrator email addresses), and it may be of interest for people trying to decide whether reporting is worthwhile.

Spam messages

Below are incidents with spam messages that got through the usual filters, both email and XMPP.

| Date | Host | Type | Report | Notes |
|---|---|---|---|---|
| 2021-02-09 | 103.66.105.237 | email | noc@cmjainimpex.in | |
| 2021-03-31 | 205.201.133.233 | email | abuse@mailchimp.com | |
| 2021-06-24 | 2a00:1450:4864:20::641 | email | Gmail abuse reporting form | Apparently reporting didn't work, nothing happened on "submit". |
| 2021-06-25 | 91.223.3.194 | email | admin@skynode.pl | |
| 2021-09-12 | 188.243.192.232 | XMPP | No xmpp@ address, contacted abuse@sknt.ru, no response and spam kept coming, submitted a JabberSPAM blacklist PR. | Subscription probing from v0dka@jabber.infos.ru. |
| 2021-09-12 | 138.201.50.174 | XMPP | stian@barmen.nu, replied that he'll investigate. | Probing from ether@jabber.no. |
| 2021-09-12 | 54.36.115.48 | XMPP | info@xmpp.gg, no reply; abuse@ovh.net on 2021-09-20, no reply and no effect either; submitted a blacklist PR. | Probing from ink@jabber.gg. |
| 2022-04-25 | 146.19.173.107 | email | abuse@ipconnect.services | |
| 2022-04-28 | 5.181.80.128 | email | noc@4vendeta.com | |
| 2022-05-29 | 200.93.248.119 | email | rolfex@powerfast.net | |
| 2022-05-30 | 193.218.204.206 | email | abuse@heficed.com | The client replied that it was solved a long time ago. |
| 2022-05-31 | 2607:f8b0:4864:20::e41 | email | Gmail abuse reporting form | |
| 2022-06-30 | 211.100.47.38 | email | Chinese ISP, probably not worth reporting. | Blacklisted in postscreen_access.cidr. |
| 2022-08-15 | 159.183.196.221 | email | abuse@sendgrid.com | |
| 2022-08-25 | 138.201.25.9 | XMPP | No administrator contact information and no mail server there, reported to abuse@hetzner.com on 2022-08-30. Been asked to fill a form on 2022-09-07, fought the captcha and filled it, received an auto-reply/confirmation on 2022-09-26 (while subscription requests kept coming). | Subscription requests and OMEMO-encrypted messages, similar ones from multiple services and JIDs, with occasional plaintext being just silly. This one is from klassic@isgeek.info. |
| 2022-08-25 | 185.146.232.56 | XMPP | vesselwave@protonmail.com, they've deleted the user and started looking more closely for spammers. | From klassic@satisprivacy.org. |
| 2022-08-25 | 95.168.217.72 | XMPP | support@jabbim.zendesk.com, auto-reply and no effect, wrote to abuse@superhosting.cz on 2022-09-05. | From multiks@jabbim.sk. |
| 2022-09-06 | 170.187.181.190 | XMPP | xmpp@ address doesn't exist, wrote to abuse@linode.com, been asked for logs and provided those on 2022-09-07. | From multiks@rows.im. |
| 2022-09-10 | 86.250.242.174 | XMPP | Didn't notice at first, and it ceased soon. | Presence subscription requests from multiks@im.azurs.fr. |
| 2022-10-01 | 89.147.108.127 | XMPP | info@outerrealm.net on 2022-10-06, within 30 minutes received a reply saying that it will be looked into, and apparently it was solved. | From ehf@msg.outerrealm.net: subscription requests at first, an odd message saying "Request Subscription" (followed by opportunistic OTR's whitespaces, similarly to some of the past spammy/probing messages) on 2022-10-06. |
| 2022-10-18 | 78.72.102.36 | XMPP | Haven't reported, but then it disappeared; possibly somebody else did. | From swe@qwik.space, a subscription request. |
| 2022-10-18 | 78.72.102.36 | XMPP | Same as above: haven't reported, but then it disappeared. | From basik@qwik.space, a subscription request. |
| 2022-11-01 | 2607:5500:3000:1176::2 | email | support@hostwinds.com | |
| 2022-11-01 | 138.201.50.174 | XMPP | stian@barmen.nu | From floki@jabber.no: "Hi there, free for chat?". Then a subscription request from the same JID arrived on 2023-01-03. |
| 2022-11-16 | 138.201.25.9 | XMPP | No administrator contact in sight still. Fought the Hetzner captcha again, submitted the abuse reporting form on 2022-12-13, asking to contact the server administrator. Received an acknowledgement on 2023-01-11, a reply from the XMPP server administrator on 2023-01-13 saying that it doesn't look like spam; described the issue in more detail, another reply saying that it sounds like "complete nonsense" and suggesting to use iptables. Asked on operators@muc.xmpp.org to ensure that my approach is sensible, and replied to abuse@hetzner.com, asking about their policy on XMPP spam; no reply, as of 2023-05-05. | Unexpected presence subscription request and no message (likely probing) from basik@isgeek.info. |
| 2022-12-13 | 138.201.50.174 | XMPP | stian@barmen.nu, then again on 2023-03-08 (after an additional message from the same XMPP address). | From prtship@jabber.no/_, a presence subscription request, and a "Hi, Free for chat?" message 3 months later. |
| 2023-01-18 | 167.179.180.180 | XMPP | abuse@octothorn.com (on 2023-01-19). Received a reply on 2023-02-15, mentioning that the user is being kicked off, and the account had more than 1000 contacts in the roster, most of which were pending a subscription approval. | From aus@jabber.octothorn.com/_, a presence subscription request. The last one arrived on 2023-01-31. |
| 2023-05-05 | 106.75.10.112 | email | ipas@cnnic.cn | From ucmail25.sendcloud.io. |
| 2023-05-30 | 69.12.91.126 | email | abuse@quadranet.com | |
| 2023-06-16 | 117.50.66.12 | email | ipas@cnnic.cn | From ucmail17.sendcloud.io, added sendcloud.io REJECT spammers into the file referenced by postfix's check_client_access. dnswl.org returned 127.0.15.0 for it, reported it to them as spam. |
| 2023-06-22 | 192.119.65.137 | email | abuse@hostwinds.com | Their mail server (Gmail) rejects messages with the spam message attached, reported without an attachment. |
| 2023-07-21 | 220.133.13.91 | email | hostmaster@twnic.net.tw | According to the received mail headers, it originated from 185.225.74.219. |
| 2023-09-15 | 46.17.43.50 | email | noc@baxet.ru | With valid SPF for tiaohu.net: apparently a Chinese organization's domain name, but a Russian hoster's IP address. Quickly received a reply saying "Blocked" from support@justhost.asia. |
| 2023-09-15 | 2607:f8b0:4864:20::935 | email | Gmail abuse reporting form | |
| 2023-09-22 | 2607:f8b0:4864:20::72c | email | Gmail abuse reporting form | Same address as the previous one (polachek@squadhelp.co), a follow-up. |
| 2023-09-23 | 2607:f8b0:4864:20::72a | email | Gmail abuse reporting form | Same address as the previous two, the spammer claimed it is the last message. |
| 2023-09-25 | 2607:f8b0:4864:20::f29 | email | Gmail abuse reporting form | A new subdomain, polachekg@go.squadhelp.co, but continuation of the previous 3, and Gmail does nothing; blacklisted the domain in postfix (check_sender_access). |
| 2023-10-19 | 209.85.128.177 | email | Gmail abuse reporting form | From masonlambert190@gmail.com. |
| 2023-11-01 | 209.85.128.172 | email | Gmail abuse reporting form | From katherinesophia523@gmail.com. |
| 2023-12-05 | 31.192.235.11 | email | abuse@profitserver.ru | Phishing, envelope-from abuse@q03.1cooldns.com, with valid DKIM and SPF. |
| 2023-12-11 | 31.192.237.60 | email | abuse@profitserver.ru | Phishing again, envelope-from abuse@origin.1cooldns.com. |
| 2023-12-11 | 209.85.219.180 | email | Gmail abuse reporting form | From haileyjtanner@gmail.com, asking to add a link to some furniture selling website (which supposedly has a blog post on astronomy) from my "links" page. |
| 2023-12-18 | 209.85.128.170 | email | Gmail abuse reporting form | From haileyjtanner@gmail.com again, Gmail does not seem to do much about outgoing spam. |
| 2023-12-19 | 31.192.239.9 | email | abuse@profitserver.ru | Phishing yet again, envelope-from=no-replies@batixtaneve.com this time. Blacklisted 31.192.232.0/21. |
| 2023-12-26 | 209.85.128.169 | email | Gmail abuse reporting form | From haileyjtanner@gmail.com yet again, Gmail still does nothing. Blacklisted the address in postfix (check_sender_access). |
| 2024-02-29 | 204.152.197.177 | email | abuse@quadranet.com | Spam about electric bicycles. |
| 2024-03-12 | 185.218.100.84 | email | abuse@ipxo.com | |
| 2024-03-18 | 194.53.136.174 | email | abuse@virtono.com | Spam about electric bicycles, same as on 2024-03-12. |
| 2024-03-20 | 104.223.121.26 | email | abuse@quadranet.com | Same as the last two, and as on 2024-02-29: e-bikes. |
| 2024-04-25, 2024-04-26 | 216.9.224.143 | email | abuse@dchost.com | Scam, 3 messages. And one more message from the misconfigured mail server, notifying about a failed delivery (the "from" address matched the "to" address). |
| 2024-05-09 | 173.249.144.124 | email | abuse@liquidweb.com | Posing as a Docusign notification. |
| 2024-06-12 | 193.188.192.139 | email | abuse@pipenet.hu | |
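The two steps that recur in the log above, tracing the originating address from the Received headers (as in the 2023-07-21 entry) and checking it against a postscreen_access.cidr-style blacklist (the /21 blocked after 2023-12-19), as an added Python example; this is not the author's code. The message, the relay address and the host names are constructed; hops listed below the first untrusted one are deliberately ignored, since the untrusted host wrote those headers and could have forged them.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample (not from the page): our own MX relayed the mail, and the
# spamming host appended a forged Received header of its own.
SAMPLE = """Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP; Tue, 19 Dec 2023 10:00:00 +0000
Received: from spamhost.example (unknown [31.192.239.9])
\tby mx.example.org with ESMTP; Tue, 19 Dec 2023 09:59:58 +0000
Received: from forged.example ([10.0.0.1])
\tby spamhost.example; Tue, 19 Dec 2023 09:59:50 +0000
Subject: constructed test message
"""
# Our own relays (constructed); hops below the first untrusted one are ignored.
TRUSTED = {ipaddress.ip_address("192.0.2.10")}
# "network action" lines, the format of postfix's postscreen_access.cidr; the
# /21 is the block the log above records as blacklisted.
CIDR_TABLE = "31.192.232.0/21 reject\n"
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def originating_ip(raw):
    """Walk Received headers newest-first; return the first non-trusted address."""
    for hdr in message_from_string(raw).get_all("Received", []):
        m = IP_RE.search(hdr)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            ip = None  # malformed bracketed token: skip this hop
        if ip is not None and ip not in TRUSTED:
            return ip
    return None

def parse_cidr_table(text):
    """Parse 'network action' lines, skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            net, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(net, strict=False), action.strip()))
    return rules

def classify(raw, table_text):
    """Return (originating IP as str, matching table action or None)."""
    ip = originating_ip(raw)
    if ip is None:
        return None, None
    action = next((a for net, a in parse_cidr_table(table_text)
                   if ip.version == net.version and ip in net), None)
    return str(ip), action
```

Running classify(SAMPLE, CIDR_TABLE) yields ("31.192.239.9", "reject"): the forged 10.0.0.1 hop is never consulted, and the address falls inside the blacklisted /21.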

General observations

A lot of network abuse (spam, vulnerability scans, brute-force attacks) comes from China, plenty from Russia as well. As a side note, Chinese researchers similarly spam the world with fabricated research papers (though apparently they try to combat it, up to a death penalty for researchers who commit fraud if it harms people). Apparently wider agreements, policies, and cultures help to fight network abuse about as well as technological methods do. I think it is okay to rate-limit regional IP address blocks (as described in the private server setup notes), but not to block them completely: there may be non-abusive users once in a while, and it would be unfair to them. And then there are large mail providers, particularly Gmail, not caring much about outgoing spam, while blocking them is a bad option, given the number of legitimate users: the ham-to-spam ratio is less than 1, but more than 0.