Hello everyone,
We (AS12816, LRZ Leibniz Computing Centre Munich, a regional network for scientific and educational entities in the Munich area) have been hit by regular spamruns originating from 80.253.80.0/24 for several months now. This network belongs to

inetnum:        80.253.80.0 - 80.253.80.255
netname:        JEFTEX-NET
descr:          Dedicated Servers New
country:        CH
admin-c:        JIL9-RIPE
tech-c:         NEXL1-RIPE
status:         ASSIGNED PA
mnt-by:         CH-GREEN-MNT
mnt-lower:      CH-GREEN-MNT
mnt-routes:     CH-GREEN-MNT
source:         RIPE # Filtered

role:           Jeftex International Ltd
address:        Petronas Twin Towers
address:        Kuala Lumpur 50088
address:        Malaysia
abuse-mailbox:  abuse@jeftexint.com
admin-c:        OS3984-RIPE
tech-c:         OS3984-RIPE
nic-hdl:        JIL9-RIPE
source:         RIPE # Filtered
mnt-by:         NEXLINK-MNT

route:          80.253.80.0/20
descr:          green.ch ag, Brugg, Switzerland
origin:         AS21494
mnt-by:         CH-GREEN-MNT
source:         RIPE # Filtered

The spamruns always look the same: they last for a few hours, with tens of thousands of connects from various addresses in this /24. All mails have the sender set to "<someimportantgermanword><random>@<largegermanmaildomain>". Examples:

postfix/smtpd[21095]: NOQUEUE: reject: RCPT from unknown[80.253.80.19]: 554 5.7.1 <unknown[80.253.80.19]>: Client host rejected: Access denied; from=anwaltsiuvo@freenet.de to=xxx@stud.uni-muenchen.de proto=SMTP helo=<freenet.de>
postfix/smtpd[21579]: NOQUEUE: reject: RCPT from unknown[80.253.80.23]: 554 5.7.1 <unknown[80.253.80.23]>: Client host rejected: Access denied; from=bankrjadu@t-online.de to=xxx@ph.tum.de proto=SMTP helo=<t-online.de>

and so on. Most recipients are valid. I don't have any message content as this /24 is blocked for good, but it is annoying nevertheless. I've tried to contact abuse@jeftexint.com and abuse@green.ch without success. I've called them (they referred me to their expensive 0900 hotline and asked me to send a fax) and sent a fax. No response to any of this.
Unfortunately they are not listed on major RBLs yet, because most of them seem not to accept submissions but rather rely on their own spamtraps. I've done a survey among the DENOG users and found that while some of the users have no hits at all, other destinations are heavily targeted. Users outside of the German-speaking area don't seem to be affected at all. I'm trying to find a way to submit them to Spamhaus (which we have a paid feed for), but this might take some time.
Is AS21494 known to be irresponsive to abuse complaints? Does anyone know some way to get in contact with them? I'm seriously considering blackholing the whole ASN, but I'm not sure whether this is just a spammerheaven or something important.
Any input is appreciated.
Thanks, Bernhard
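
An added example (not part of the original message): a Python script that groups Postfix `NOQUEUE: reject` lines like the two quoted above by source /24 and counts those matching the described pattern, a client without reverse DNS (`unknown`) whose HELO equals the sender's mail domain. The first two sample lines are the ones from the post; the remaining lines, the function name `summarize` and the `min_rejects` threshold are constructed for illustration, and only IPv4 clients are handled.

```python
import ipaddress
import re
from collections import defaultdict

# First two lines are quoted from the post; the rest are constructed samples
# that use documentation address ranges.
SAMPLE_LOG = """\
postfix/smtpd[21095]: NOQUEUE: reject: RCPT from unknown[80.253.80.19]: 554 5.7.1 <unknown[80.253.80.19]>: Client host rejected: Access denied; from=anwaltsiuvo@freenet.de to=xxx@stud.uni-muenchen.de proto=SMTP helo=<freenet.de>
postfix/smtpd[21579]: NOQUEUE: reject: RCPT from unknown[80.253.80.23]: 554 5.7.1 <unknown[80.253.80.23]>: Client host rejected: Access denied; from=bankrjadu@t-online.de to=xxx@ph.tum.de proto=SMTP helo=<t-online.de>
postfix/smtpd[30001]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<news@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
postfix/smtpd[30002]: NOQUEUE: reject: RCPT from mail2.example.net[198.51.100.8]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<news@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail2.example.net>
postfix/smtpd[30003]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <unknown[192.0.2.10]>: Client host rejected: Access denied; from=<a@example.com> to=<b@example.org> proto=SMTP helo=<example.com>
"""

# Addresses are accepted with or without angle brackets (the post shows both).
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9.]+)\]:"
    r".*? from=<?(?P<sender>[^\s>]*)>? to=<?(?P<rcpt>[^\s>]*)>?"
    r".*? helo=<?(?P<helo>[^\s>]*)>?"
)

def summarize(log_text, min_rejects=3):
    """Group rejects by source /24 and return nets with >= min_rejects."""
    stats = defaultdict(lambda: {"rejects": 0, "ips": set(), "forged": 0})
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue
        net = str(ipaddress.ip_network(m["ip"] + "/24", strict=False))
        s = stats[net]
        s["rejects"] += 1
        s["ips"].add(m["ip"])
        # Pattern from the post: no reverse DNS ("unknown") while the HELO
        # name equals the domain of the envelope sender.
        domain = m["sender"].rpartition("@")[2].lower()
        if m["host"] == "unknown" and domain and domain == m["helo"].lower():
            s["forged"] += 1
    return {
        net: {"rejects": s["rejects"], "distinct_ips": len(s["ips"]),
              "forged_helo": s["forged"]}
        for net, s in stats.items() if s["rejects"] >= min_rejects
    }

if __name__ == "__main__":
    for net, info in summarize(SAMPLE_LOG, min_rejects=2).items():
        print(net, info)
```

Run against a real mail log, a /24 with many rejects, many distinct client IPs and a high `forged_helo` share matches the spamrun shape described in the message, while a /24 with rejects but no forged HELO is more likely ordinary misdelivery.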