news.admin.net-abuse.email: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS: AS15828/IR]

Subject (Author)
* Break in attempt 5.34.205.54 (Post To Usenet)
`* Re: Break in attempt 5.34.205.54 (Bob Milutinovic)
 +* Re: Break in attempt 5.34.205.54 (Post To Usenet)
 |`* Re: Break in attempt 5.34.205.54 (David Ritz)
 | +- Re: Break in attempt 5.34.205.54 (jrg)
 | `- Re: Break in attempt 5.34.205.54 (Post To Usenet)
 `* Re: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS: AS15828/IR] (Andrzej Adam Filip)
  `* Re: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS: AS15828/IR] (Post To Usenet)
   `- Re: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS: AS15828/IR] (Andrzej Adam Filip)

Break in attempt 5.34.205.54

https://www.novabbs.com/computers/article-flat.php?id=257&group=news.admin.net-abuse.email#257

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: posttous...@gmail.com (Post To Usenet)
Newsgroups: news.admin.net-abuse.email
Subject: Break in attempt 5.34.205.54
Date: Sat, 19 Mar 2022 15:09:54 -0600
Organization: A noiseless patient Spider
Lines: 260
Message-ID: <t15gr5$5f5$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 19 Mar 2022 21:09:57 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="046e965270265e192c842c9107049fd5";
logging-data="5605"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+734LLaPfEvhYUzOWxZCDPTWMKkrWaS2k="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
Cancel-Lock: sha1:KX3uSrmrMifygplQC+HFv5J2bUg=
Content-Language: en-US
 by: Post To Usenet - Sat, 19 Mar 2022 21:09 UTC

OK, so all of this happened on March 8, 2022, when I got a person
trying to break into my mail server from IP 5.34.205.54 (AS15828).

Mar 8 19:01:20 server1 postfix/smtps/smtpd[151411]: warning:
unknown[5.34.205.54]: SASL LOGIN authentication failed: Invalid
authentication mechanism
Mar 8 19:01:20 server1 postfix/smtps/smtpd[151411]: disconnect from
unknown[5.34.205.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 8 19:04:41 server1 postfix/anvil[151414]: statistics: max
connection rate 1/60s for (smtps:5.34.205.54) at Mar 8 19:01:19
Mar 8 19:04:41 server1 postfix/anvil[151414]: statistics: max
connection count 1 for (smtps:5.34.205.54) at Mar 8 19:01:19
Mar 8 19:04:41 server1 postfix/anvil[151414]: statistics: max cache
size 1 at Mar 8 19:01:19
Mar 8 19:22:15 server1 postfix/smtps/smtpd[151551]: connect from
unknown[5.34.205.54]
Mar 8 19:22:16 server1 postfix/smtps/smtpd[151551]: warning:
unknown[5.34.205.54]: SASL LOGIN authentication failed: Invalid
authentication mechanism
Mar 8 19:22:16 server1 postfix/smtps/smtpd[151551]: disconnect from
unknown[5.34.205.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 8 19:25:36 server1 postfix/anvil[151554]: statistics: max
connection rate 1/60s for (smtps:5.34.205.54) at Mar 8 19:22:15
Mar 8 19:25:36 server1 postfix/anvil[151554]: statistics: max
connection count 1 for (smtps:5.34.205.54) at Mar 8 19:22:15
Mar 8 19:25:36 server1 postfix/anvil[151554]: statistics: max cache
size 1 at Mar 8 19:22:15
Mar 8 19:43:05 server1 postfix/smtps/smtpd[151689]: connect from
unknown[5.34.205.54]
Mar 8 19:43:06 server1 postfix/smtps/smtpd[151689]: warning:
unknown[5.34.205.54]: SASL LOGIN authentication failed: Invalid
authentication mechanism
Mar 8 19:43:07 server1 postfix/smtps/smtpd[151689]: disconnect from
unknown[5.34.205.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 8 19:46:27 server1 postfix/anvil[151692]: statistics: max
connection rate 1/60s for (smtps:5.34.205.54) at Mar 8 19:43:06
Mar 8 19:46:27 server1 postfix/anvil[151692]: statistics: max
connection count 1 for (smtps:5.34.205.54) at Mar 8 19:43:06

So I believe that the person responsible for this break-in attempt, the
one that I was contacting, is the one responsible for the spam.

The person is using a free yandex.com email address as their contact
email address, and there doesn't appear to be any kind of legit website
for this ISP. The person is using the email address
spaceshipnetworks@yandex.com; the whole thing looks fishy to me.

I did contact the person on the RIPE record first and got nowhere
with them before contacting the one providing connectivity to them.

https://apps.db.ripe.net/db-web-ui/query?searchtext=5.34.205.54

https://www.cidr-report.org/cgi-bin/as-report?as=AS15828

15828 WCD-AS, IR

Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS133398 TELE-AS Tele Asia Limited, HK

whois: 401308

IANA has recorded AS15828 as originally allocated by
/usr/bin/whois -h jwhois.apnic.netr "AS15828"
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.

% Information related to 'AS15826 - AS15833'

as-block: AS15826 - AS15833
descr: RIPE NCC ASN block
remarks: These AS Numbers are assigned to network
operators in the RIPE NCC service region.
mnt-by: RIPE-NCC-HM-MNT
created: 2018-11-22T15:27:25Z
last-modified: 2018-11-22T15:27:25Z
source: RIPE

% Information related to 'AS15828'

% Abuse contact for 'AS15828' is
'spaceshipnetworks@yandex.com'

aut-num: AS15828
as-name: WCD-AS
export: to AS59721 announce as15828
export: to AS43754 announce as15828
export: to AS48011 announce as15828
export: to AS47350 announce as15828
export: to AS133398 announce as15828
import: From AS43754 accept any
import: From AS48011 accept any
import: From AS47350 accept any
import: From AS59721 accept any
import: From AS133398 accept any
org: ORG-BDNC3-RIPE
admin-c: MK17520-RIPE
tech-c: MK17520-RIPE
abuse-c: ACRO45411-RIPE
status: ASSIGNED
mnt-by: RIPE-NCC-END-MNT
mnt-by: wcd
created: 2015-08-31T13:46:05Z
last-modified: 2021-12-22T17:59:44Z
source: RIPE
sponsoring-org: ORG-RNB1-RIPE

organisation: ORG-BDNC3-RIPE
org-name: Blue Diamond Network Co., Ltd.
org-type: OTHER
address: AlmaseAbi Building - Mosalla blv -
RobatKarim - Tehran - Iran
abuse-c: AR33223-RIPE
mnt-ref: MNT-ALMAS
mnt-by: MNT-ALMAS
created: 2015-08-17T07:55:22Z
last-modified: 2015-08-17T08:19:44Z
source: RIPE # Filtered

person: DWCI NET
address: 1110 Palms Airport Drive 89119 Las Vegas, NV
phone: +971525729284
nic-hdl: MK17520-RIPE
mnt-by: wcd
created: 2015-01-27T10:15:09Z
last-modified: 2022-03-12T22:46:25Z
source: RIPE

So I decided to contact the ISP that appears to be providing
connectivity to them, which is Tele Asia Limited, HK.

Lovely, another provider in Hong Kong. But this one is a special kind
of stupid; he has been insulting and rude towards me ever since the
start, when I asked him to block all traffic to the /24 5.34.205.0/24.

I have been dealing with Clive Rand (clive.rand@tele-asia.net), and he
has been rude and ignorant, cursing at me and insulting me constantly.

So then I started to do a bit more digging to find out who exactly
tele-asia.net is.

I came across this

https://www.spamhaus.org/sbl/listings/tele-asia.net

Found 6 SBL listings for IPs under the responsibility of tele-asia.net

SBL545218
185.36.81.177/32 tele-asia.net
17-Mar-2022 10:49 GMT
Spamvertised website

SBL543599
45.125.67.0/24 tele-asia.net
23-Feb-2022 23:29 GMT
Suspected Snowshoe Spam IP Range

SBL543598
45.125.67.77/32 tele-asia.net
23-Feb-2022 23:28 GMT
spam source

SBL543473
45.125.67.75/32 tele-asia.net
22-Feb-2022 17:39 GMT
spam source

SBL543230
45.125.67.74/32 tele-asia.net
18-Feb-2022 22:22 GMT
spam source

SBL543112
45.125.67.73/32 tele-asia.net
17-Feb-2022 15:32 GMT
spam source

Oh, looks like they are quite spam-friendly too.
It makes sense now why they are willing to provide
connectivity to someone who is trying to break into mail
servers.

Then I did a bit more digging on abuseipdb.com

https://www.abuseipdb.com/check/5.34.205.54

There have been 656 reports of abuse coming from this IP from 44
different sources at the time of writing this post, and the last report
was just 48 minutes ago at the time of writing this post. So the abuse
is very active.

So it isn't just me seeing abuse coming from this IP.

Is anyone else seeing these break-in attempts? It appears to be a spammer
trying to break into mail servers to gain access to the mail
server to send out spam emails.

I would also be very careful contacting tele-asia.net, as they appear to
either be paid a large sum of money to turn a blind eye to this abuse
or be working in conjunction with this abuser.

http://www.tele-asia.net/eng/index.php

They also don't even have a working abuse mailbox at tele-asia.net.
If you email abuse@tele-asia.net, it bounces back saying the
mailbox is full.

They must be getting a lot of abuse complaints or something.

You can report abuse here as well and open a ticket, but it appears
tickets fall on deaf ears with these guys when it comes to abuse
at tele-asia.net:

https://www.tele-asia.net/billing/submitticket.php?step=2&deptid=5

This is the bounce-back that I get. If you email
abusedept@tele-asia.net, it works.

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

abuse@tele-asia.net
LMTP error after RCPT TO:<abuse@tele-asia.net>:
552 5.2.2 <abuse@tele-asia.net> Quota exceeded (mailbox for user is
full)


[article truncated]
Re: Break in attempt 5.34.205.54

https://www.novabbs.com/computers/article-flat.php?id=258&group=news.admin.net-abuse.email#258

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!cognicom.eternal-september.org!.POSTED!not-for-mail
From: cogni...@gmail.com (Bob Milutinovic)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Break in attempt 5.34.205.54
Date: Tue, 22 Mar 2022 00:21:53 +1100
Organization: Cognicom
Lines: 19
Message-ID: <t19u5l$ucn$1@cognicom.eternal-september.org>
References: <t15gr5$5f5$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="utf-8";
reply-type=response
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 21 Mar 2022 13:21:57 -0000 (UTC)
Injection-Info: cognicom.eternal-september.org; posting-host="c9867d141498615674210d837394b184";
logging-data="31127"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18EIxMVJOhJhWh+x/5x4eLXEY17Ac018GU="
Cancel-Lock: sha1:UZZ53N3XBfsmLfjkaP1Hkh55DYs=
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-Priority: 3
X-MSMail-Priority: Normal
 by: Bob Milutinovic - Mon, 21 Mar 2022 13:21 UTC

"Post To Usenet" <posttousenet@gmail.com> wrote in message
news:t15gr5$5f5$1@dont-email.me...

<a lot of crap>

<snip>
> Has anyone else seen anything coming from 5.34.205.54?
</snip>

Nope, nothing here. Ukraine is null-routed at the network border (as are all
of the former USSR states, the Middle East, most of Asia and a large chunk
of Africa).

Have you heard about rate limiting? Fail2Ban?

--
Bob Milutinovic
Cognicom
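The smtpd lines in the first post and Bob's rate-limiting / Fail2Ban suggestion both come down to the same question: how many SASL failures per client IP inside what window. The script below is an added example, written for this page and not code from any participant in the thread. It parses the Postfix `warning: ... SASL LOGIN authentication failed` and `disconnect from ... auth=ok/total` lines, then applies a fail2ban-style sliding-window rule. The sample log is constructed from the lines quoted in the first post plus one well-behaved client at 192.0.2.10 (a documentation address); the year 2022 is assumed because syslog timestamps carry none.

```python
"""Score Postfix smtpd SASL failures per client IP and apply a
fail2ban-style sliding-window ban rule (maxretry failures within findtime)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the smtpd lines quoted in the first post, plus one
# well-behaved client (192.0.2.10, a documentation address) as a negative case.
SAMPLE_LOG = """\
Mar 8 19:01:20 server1 postfix/smtps/smtpd[151411]: warning: unknown[5.34.205.54]: SASL LOGIN authentication failed: Invalid authentication mechanism
Mar 8 19:01:20 server1 postfix/smtps/smtpd[151411]: disconnect from unknown[5.34.205.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 8 19:22:15 server1 postfix/smtps/smtpd[151551]: connect from unknown[5.34.205.54]
Mar 8 19:22:16 server1 postfix/smtps/smtpd[151551]: warning: unknown[5.34.205.54]: SASL LOGIN authentication failed: Invalid authentication mechanism
Mar 8 19:22:16 server1 postfix/smtps/smtpd[151551]: disconnect from unknown[5.34.205.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 8 19:43:05 server1 postfix/smtps/smtpd[151689]: connect from unknown[5.34.205.54]
Mar 8 19:43:06 server1 postfix/smtps/smtpd[151689]: warning: unknown[5.34.205.54]: SASL LOGIN authentication failed: Invalid authentication mechanism
Mar 8 19:43:07 server1 postfix/smtps/smtpd[151689]: disconnect from unknown[5.34.205.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 8 19:50:00 server1 postfix/smtps/smtpd[151700]: connect from mail.example.net[192.0.2.10]
Mar 8 19:50:01 server1 postfix/smtps/smtpd[151700]: disconnect from mail.example.net[192.0.2.10] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

LOG_YEAR = 2022  # assumed: syslog lines carry no year; the post is from March 2022

_PREFIX = (r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
           r"postfix/(?:(?P<svc>\w+)/)?smtpd\[\d+\]: ")
SASL_FAIL = re.compile(_PREFIX + r"warning: (?P<host>\S+)\[(?P<ip>[\d.]+)\]: "
                      r"SASL (?P<mech>\S+) authentication failed: (?P<reason>.*)$")
DISCONNECT = re.compile(_PREFIX + r"disconnect from (?P<host>\S+)\[(?P<ip>[\d.]+)\] "
                       r"(?P<counters>.*)$")


def parse_ts(stamp):
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def auth_failures(log_text):
    """(timestamp, ip, mechanism, service) for every SASL failure line."""
    found = []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            found.append((parse_ts(m["ts"]), m["ip"], m["mech"], m["svc"] or "smtpd"))
    return found


def auth_counters(log_text):
    """Per-IP (successful, attempted) AUTH totals from the disconnect counters.
    Postfix logs 'auth=N' when every attempt succeeded and 'auth=ok/total' otherwise."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = DISCONNECT.match(line)
        if not m:
            continue
        for item in m["counters"].split():
            key, _, val = item.partition("=")
            if key == "auth":
                ok, _, total = val.partition("/")
                totals[m["ip"]][0] += int(ok)
                totals[m["ip"]][1] += int(total or ok)
    return {ip: tuple(v) for ip, v in totals.items()}


def ban_decisions(failures, maxretry=5, findtime_min=10):
    """fail2ban-style rule: ban once `maxretry` failures land inside any
    `findtime_min`-minute window. Returns {ip: timestamp of the failure that tripped it}.
    Defaults mirror fail2ban's stock jail.conf (maxretry = 5, findtime = 10m)."""
    windows, banned = defaultdict(deque), {}
    for ts, ip, _mech, _svc in sorted(failures):
        if ip in banned:
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime_min * 60:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    fails = auth_failures(SAMPLE_LOG)
    print(f"{len(fails)} SASL failures from {sorted({f[1] for f in fails})}")
    print("auth counters:", auth_counters(SAMPLE_LOG))
    print("stock fail2ban (5 in 10 min):", ban_decisions(fails))            # nothing banned
    print("slow-attacker rule (3 in 60 min):", ban_decisions(fails, 3, 60))  # bans at 19:43:06
```

The point the run makes: the three failures in the post are about twenty minutes apart, so fail2ban's stock `maxretry = 5` in a `findtime` of ten minutes never trips, which is consistent with the poster running Fail2Ban and still seeing the attempts. A low-and-slow probe needs either a longer window (3 in 60 minutes here) or a rule keyed on the `auth=0/N` disconnect counters, which record every failed AUTH regardless of pacing.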

Re: Break in attempt 5.34.205.54

https://www.novabbs.com/computers/article-flat.php?id=259&group=news.admin.net-abuse.email#259

Path: i2pn2.org!i2pn.org!aioe.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: posttous...@gmail.com (Post To Usenet)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Break in attempt 5.34.205.54
Date: Mon, 21 Mar 2022 11:07:19 -0600
Organization: A noiseless patient Spider
Lines: 60
Message-ID: <t1abc8$3da$1@dont-email.me>
References: <t15gr5$5f5$1@dont-email.me>
<t19u5l$ucn$1@cognicom.eternal-september.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 21 Mar 2022 17:07:20 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="f01725255efd87c0088be9d4214f59fa";
logging-data="3498"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19cBm1iuhk68Mu6AK7zwSabdEyXglfsPeE="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
Cancel-Lock: sha1:Gv2+UBGRqd+0LIUGQRcFhnBr1D8=
In-Reply-To: <t19u5l$ucn$1@cognicom.eternal-september.org>
Content-Language: en-US
 by: Post To Usenet - Mon, 21 Mar 2022 17:07 UTC

On 2022-03-21 7:21 a.m., Bob Milutinovic wrote:
> "Post To Usenet" <posttousenet@gmail.com> wrote in message
> news:t15gr5$5f5$1@dont-email.me...
>
> <a lot of crap>
>
> <snip>
>> Has anyone else seen anything coming from 5.34.205.54?
> </snip>
>
> Nope, nothing here. Ukraine is null-routed at the network border (as are
> all of the former USSR states, the Middle East, most of Asia and a large
> chunk of Africa).
>
> Have you heard about rate limiting? Fail2Ban?
>

Yes, I have heard of Fail2ban, and yes, I run it already.

It also isn't Ukraine; the person responsible for this, Clive Rand,
I believe is the one using this other IP block to do this.

I got a similar message from the free email account as the
one sent to me by Clive Rand.

They are in Hong Kong, not Ukraine (tele-asia.net).

Also, if anyone else is interested in blocking tele-asia.net,
here are at least some of their IP blocks.

Tele-asia.net

45.123.88.0/22
45.123.188.0/24
45.123.189.0/24
45.123.190.0/24
45.123.191.0/24
45.125.65.0/24
45.125.66.0/24
45.125.67.0/24
79.141.168.0/23
91.224.92.0/24
103.16.228.0/22
103.253.40.0/23
103.253.42.0/24
103.253.43.0/24
114.112.255.0/24
122.14.132.0/24
185.36.81.0/24
185.174.41.0/24
191.101.180.0/24
193.31.41.0/24
223.252.173.0/24

# Spaceship Networks
5.34.205.0/24

Re: Break in attempt 5.34.205.54

https://www.novabbs.com/computers/article-flat.php?id=260&group=news.admin.net-abuse.email#260

Path: i2pn2.org!i2pn.org!aioe.org!news.servidellagleba.it!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: dri...@mindspring.com (David Ritz)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Break in attempt 5.34.205.54
Date: Mon, 21 Mar 2022 13:10:14 -0500
Organization: SpamBusters!
Lines: 88
Message-ID: <qo195psp-1p73-7q30-28r7-9487o8no77n@zvaqfcevat.pbz>
References: <t15gr5$5f5$1@dont-email.me> <t19u5l$ucn$1@cognicom.eternal-september.org> <t1abc8$3da$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Trace: individual.net fngJz7Rims25Nm2eRA9mngZpASKcXR7AdyL1VDlBUDyInhG7uo
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:Nc+GqcLeFcrSfDA8gJkk4KCN4f8=
In-Reply-To: <t1abc8$3da$1@dont-email.me>
OpenPGP: id=9CD055375C05466038D2194852BC29991A12DEEB
X-Comment-1: Spam is bad. <http://trillian.mit.edu/~jc/humor/WhatIsSpam.html>
X-Comment-2: LART a spammer for Dobbs.
X-Comment-3: Invalid assumptions tend to produce invalid conclusions.
X-Comment-4: This message is intended to be read with a monospaced font.
X-Meow: yes
 by: David Ritz - Mon, 21 Mar 2022 18:10 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, 21 March 2022 11:07 -0600,
in article <t1abc8$3da$1@dont-email.me>,
Jamie Baillie <posttousenet@gmail.com> wrote:

> On 2022-03-21 7:21 a.m., Bob Milutinovic wrote:

>> Jamie <posttousenet@gmail.com> wrote in message
>> news:t15gr5$5f5$1@dont-email.me...

>> <a lot of crap>

>> <snip>
>> > Has anyone else seen anything coming from 5.34.205.54?
>> </snip>

>> Nope, nothing here. Ukraine is null-routed at the network border
>> (as are all of the former USSR states, the Middle East, most of
>> Asia and a large chunk of Africa).

>> Have you heard about rate limiting? Fail2Ban?

> Yes have heard of Fail2ban and yes I run it already.
>
> It also isn't Ukraine the person responsible for this Clive Rand I
> believe is the one using this other IP block to do this.

> I got a similar message from the free email account as the one sent
> to me by Clive Rand.

> They are in Hong Kong, not Ukraine (tele-asia.net).

> # Spaceship Networks
> 5.34.205.0/24

$ db-ip.sh 5.34.205.54
{ "ipAddress": "5.34.205.54",
"continentCode": "EU",
"continentName": "Europe",
"countryCode": "UA",
"countryName": "Ukraine",
"stateProv": "Kyiv City",
"city": "Kyiv"
}

[omit the backslash escape on Linux]
$ whois -h whois.ripe.net -- -BL\ 5.34.205.54 | grep @
e-mail: bitbucket@ripe.net
e-mail: bitbucket@ripe.net
% Abuse contact for '5.34.192.0 - 5.34.207.255' is 'abuse@rasane.com'
notify: haghshenas@gmail.com
notify: majid.mashayekhi@gmail.com
e-mail: haghshenas@gmail.com
notify: ripe@rsane.com
e-mail: mashayekhi@rasane.com
e-mail: majid.mashayekhi@gmail.com
% Abuse contact for '5.34.204.0 - 5.34.207.255' is 'abuse@rasane.com'
e-mail: spaceshipnetworks@yandex.com
% Abuse contact for '5.34.205.0 - 5.34.205.255' is 'spaceshipnetworks@yandex.com'
e-mail: spaceshipnetworks@yandex.com
e-mail: spaceshipnetworks@yandex.com

Rather than tilting against windmills in Hong Kong, perhaps contacting
SpaceshipNetworks' hosting provider might prove more useful.

% Abuse contact for '5.34.204.0 - 5.34.207.255' is 'abuse@rasane.com'

One would hope that Jamie has learned to keep his "reports" neutral,
brief and to the point, rather than including a quagmire of copy and
paste text, such as the butt-load of crap which Bob graciously trimmed.

So far as Jamie being treated rudely in a belligerent manner, it sounds
as though Jamie's been Jamied.

- --
David Ritz <dritz@mindspring.com>
Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSc0FU3XAVGYDjSGUhSvCmZGhLe6wUCYji/hgAKCRBSvCmZGhLe
6zsBAKDs3zqOnrS2eChAW0vQk5W4YdjJ4QCgu8QwkxXQPyMRnSIfo3usLB4sTRo=
=FV8Q
-----END PGP SIGNATURE-----

Re: Break in attempt 5.34.205.54

https://www.novabbs.com/computers/article-flat.php?id=261&group=news.admin.net-abuse.email#261

Path: i2pn2.org!i2pn.org!aioe.org!5i8Ep7ErYoJUgtWmlIInIw.user.46.165.242.75.POSTED!not-for-mail
From: jeff.g.g...@att.net (jrg)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Break in attempt 5.34.205.54
Date: Mon, 21 Mar 2022 12:56:35 -0700
Organization: Aioe.org NNTP Server
Message-ID: <t1al9k$9mj$1@gioia.aioe.org>
References: <t15gr5$5f5$1@dont-email.me>
<t19u5l$ucn$1@cognicom.eternal-september.org> <t1abc8$3da$1@dont-email.me>
<qo195psp-1p73-7q30-28r7-9487o8no77n@zvaqfcevat.pbz>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="9939"; posting-host="5i8Ep7ErYoJUgtWmlIInIw.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.5.0
X-Notice: Filtered by postfilter v. 0.9.2
Content-Language: en-US
 by: jrg - Mon, 21 Mar 2022 19:56 UTC

On 3/21/22 11:10, David Ritz wrote:
> On Monday, 21 March 2022 11:07 -0600,
> in article <t1abc8$3da$1@dont-email.me>,
> Jamie Baillie <posttousenet@gmail.com> wrote:
>
>> On 2022-03-21 7:21 a.m., Bob Milutinovic wrote:
>
>>> Jamie <posttousenet@gmail.com> wrote in message
>>> news:t15gr5$5f5$1@dont-email.me...
>
>>> <a lot of crap>
>
>>> <snip>
>>>> Has anyone else seen anything coming from 5.34.205.54?
>>> </snip>
>
>>> Nope, nothing here. Ukraine is null-routed at the network border
>>> (as are all of the former USSR states, the Middle East, most of
>>> Asia and a large chunk of Africa).
>
>>> Have you heard about rate limiting? Fail2Ban?
>
>> Yes have heard of Fail2ban and yes I run it already.
>
>> It also isn't Ukraine the person responsible for this Clive Rand I
>> believe is the one using this other IP block to do this.
>
>> I got a similar message from the free email account as the one sent
>> to me by Clive Rand.
>
>> They are in Hong Kong, not Ukraine (tele-asia.net).
>
>> # Spaceship Networks
>> 5.34.205.0/24
>
> $ db-ip.sh 5.34.205.54
> {
> "ipAddress": "5.34.205.54",
> "continentCode": "EU",
> "continentName": "Europe",
> "countryCode": "UA",
> "countryName": "Ukraine",
> "stateProv": "Kyiv City",
> "city": "Kyiv"
> }
>
>
> [omit the backslash escape on Linux]
> $ whois -h whois.ripe.net -- -BL\ 5.34.205.54 | grep @
> e-mail: bitbucket@ripe.net
> e-mail: bitbucket@ripe.net
> % Abuse contact for '5.34.192.0 - 5.34.207.255' is 'abuse@rasane.com'
> notify: haghshenas@gmail.com
> notify: majid.mashayekhi@gmail.com
> e-mail: haghshenas@gmail.com
> notify: ripe@rsane.com
> e-mail: mashayekhi@rasane.com
> e-mail: majid.mashayekhi@gmail.com
> % Abuse contact for '5.34.204.0 - 5.34.207.255' is 'abuse@rasane.com'
> e-mail: spaceshipnetworks@yandex.com
> % Abuse contact for '5.34.205.0 - 5.34.205.255' is 'spaceshipnetworks@yandex.com'
> e-mail: spaceshipnetworks@yandex.com
> e-mail: spaceshipnetworks@yandex.com
>
> Rather than tilting against windmills in Hong Kong, perhaps contacting
> SpaceshipNetworks' hosting provider might prove more useful.
>
> % Abuse contact for '5.34.204.0 - 5.34.207.255' is 'abuse@rasane.com'
>
> One would hope that Jamie has learned to keep his "reports" neutral,
> brief and to the point, rather than including a quagmire of copy and
> paste text, such as the butt-load of crap which Bob graciously trimmed.
>
> So far as Jamie being treated rudely in a belligerent manner, it sounds
> as though Jamie's been Jamied.
>

+1

Re: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS: AS15828/IR]

https://www.novabbs.com/computers/article-flat.php?id=262&group=news.admin.net-abuse.email#262

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: anf...@onet.eu (Andrzej Adam Filip)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS: AS15828/IR]
Date: Mon, 21 Mar 2022 20:03:52 +0000 (UTC)
Organization: It is for me to know and for you to find out.
Lines: 38
Message-ID: <anfi+kxbfozd3pf-m3l1@wp.eu>
References: <t15gr5$5f5$1@dont-email.me>
<t19u5l$ucn$1@cognicom.eternal-september.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: reader02.eternal-september.org; posting-host="cd85a604a1ab9478ef657a95ab82900d";
logging-data="6884"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX189AJFrWd6MTmwhg7sXYdWJ"
Cancel-Lock: sha1:6AGsn2elQaVIqDTCEmE7kKq7aBI=
sha1:8YBK+RpSlOYlU640tWTkxP54mUA=
 by: Andrzej Adam Filip - Mon, 21 Mar 2022 20:03 UTC

"Bob Milutinovic" <cognicom@gmail.com> wrote:
> "Post To Usenet" <posttousenet@gmail.com> wrote in message
> news:t15gr5$5f5$1@dont-email.me...
>
> <a lot of crap>
>
> <snip>
>> Has anyone else seen anything coming from 5.34.205.54?
> </snip>
>
> Nope, nothing here. Ukraine is null-routed at the network border (as
> are all of the former USSR states, the Middle East, most of Asia and a
> large chunk of Africa).
>
> Have you heard about rate limiting? Fail2Ban?

$ whois 5.34.205.54
inetnum: 5.34.205.0 - 5.34.205.255
org: ORG-SL1132-RIPE
netname: SpaceshipNetworks
country: UA
[…]

organisation: ORG-SL1132-RIPE
org-name: Spaceshipnetworks LTD
org-type: OTHER
address: Khreshhatik St., 14D, Kyiv (Kiev), UA
[…]

$ whois -h riswhois.ripe.net 5.34.205.54

route: 5.34.205.0/24
origin: AS15828
descr: WCD-AS Blue Diamond Network Co., Ltd., IR

--
A. Filip

Re: Break in attempt 5.34.205.54

https://www.novabbs.com/computers/article-flat.php?id=263&group=news.admin.net-abuse.email#263

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: posttous...@gmail.com (Post To Usenet)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Break in attempt 5.34.205.54
Date: Mon, 21 Mar 2022 22:47:46 -0600
Organization: A noiseless patient Spider
Lines: 128
Message-ID: <t1bkdk$6l8$1@dont-email.me>
References: <t15gr5$5f5$1@dont-email.me>
<t19u5l$ucn$1@cognicom.eternal-september.org> <t1abc8$3da$1@dont-email.me>
<qo195psp-1p73-7q30-28r7-9487o8no77n@zvaqfcevat.pbz>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 22 Mar 2022 04:47:48 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="6156006b7185d90774156954a8ab5509";
logging-data="6824"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/52DYAemV6Do1e8AgIkEZTxEUiB64Jqdw="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
Cancel-Lock: sha1:+9q4KdSgpHVPySNsML81OiI2BKI=
In-Reply-To: <qo195psp-1p73-7q30-28r7-9487o8no77n@zvaqfcevat.pbz>
Content-Language: en-US
X-Priority: 1 (Highest)
 by: Post To Usenet - Tue, 22 Mar 2022 04:47 UTC

On 2022-03-21 12:10 p.m., David Ritz wrote:
> On Monday, 21 March 2022 11:07 -0600,
> in article <t1abc8$3da$1@dont-email.me>,
> Jamie Baillie <posttousenet@gmail.com> wrote:
>
>> On 2022-03-21 7:21 a.m., Bob Milutinovic wrote:
>
>>> Jamie <posttousenet@gmail.com> wrote in message
>>> news:t15gr5$5f5$1@dont-email.me...
>
>>> <a lot of crap>
>
>>> <snip>
>>>> Has anyone else seen anything coming from 5.34.205.54?
>>> </snip>
>
>>> Nope, nothing here. Ukraine is null-routed at the network border
>>> (as are all of the former USSR states, the Middle East, most of
>>> Asia and a large chunk of Africa).
>
>>> Have you heard about rate limiting? Fail2Ban?
>
>> Yes have heard of Fail2ban and yes I run it already.
>
>> It also isn't Ukraine the person responsible for this Clive Rand I
>> believe is the one using this other IP block to do this.
>
>> I got a similar message from the free email account as the one sent
>> to me by Clive Rand.
>
>> They are in Hong Kong, not Ukraine (tele-asia.net).
>
>> # Spaceship Networks
>> 5.34.205.0/24
>
> $ db-ip.sh 5.34.205.54
> {
> "ipAddress": "5.34.205.54",
> "continentCode": "EU",
> "continentName": "Europe",
> "countryCode": "UA",
> "countryName": "Ukraine",
> "stateProv": "Kyiv City",
> "city": "Kyiv"
> }
>
>
> [omit the backslash escape on Linux]
> $ whois -h whois.ripe.net -- -BL\ 5.34.205.54 | grep @
> e-mail: bitbucket@ripe.net
> e-mail: bitbucket@ripe.net
> % Abuse contact for '5.34.192.0 - 5.34.207.255' is 'abuse@rasane.com'
> notify: haghshenas@gmail.com
> notify: majid.mashayekhi@gmail.com
> e-mail: haghshenas@gmail.com
> notify: ripe@rsane.com
> e-mail: mashayekhi@rasane.com
> e-mail: majid.mashayekhi@gmail.com
> % Abuse contact for '5.34.204.0 - 5.34.207.255' is 'abuse@rasane.com'
> e-mail: spaceshipnetworks@yandex.com
> % Abuse contact for '5.34.205.0 - 5.34.205.255' is 'spaceshipnetworks@yandex.com'
> e-mail: spaceshipnetworks@yandex.com
> e-mail: spaceshipnetworks@yandex.com
>
> Rather than tilting against windmills in Hong Kong, perhaps contacting
> SpaceshipNetworks' hosting provider might prove more useful.
>
> % Abuse contact for '5.34.204.0 - 5.34.207.255' is 'abuse@rasane.com'
>
> One would hope that Jamie has learned to keep his "reports" neutral,
> brief and to the point, rather than including a quagmire of copy and
> paste text, such as the butt-load of crap which Bob graciously trimmed.
>
> So far as Jamie being treated rudely in a belligerent manner, it sounds
> as though Jamie's been Jamied.
>

Yes, Mr. Ritz, I know the information listed on the whois record, but I
don't believe that information is accurate. I believe the information
to be inaccurate, and that it is actually Clive Rand from tele-asia.net who is
using this IP block that I was reporting before to do these criminal
activities. Also, there is the fact that tele-asia.net has several spamhaus.org
records, and the fact that the port being tried is the secure port
for my mail server, and that is the only port being tried.

I believe that the same person who owns tele-asia.net is using this
IP block 5.34.205.0/24 and IP 5.34.205.54 to try and break into networks,
and is providing false information on this whois record, and is silently
providing connectivity / peering to this IP block through tele-asia.net.

That way tele-asia.net won't take any of the heat for this, as it isn't
listed under them, and uses a free email address on yandex.com and false
whois information on the rest of the record.

It wouldn't be the first time a spammer fakes a whois record.

Also, when I emailed abuse@rsane.com I got this response from them,
that they are not responsible for this block, and they pointed me back to
emailing spaceshipnetworks@yandex.com, who is the actual abuser
themselves, hiding behind false information.

It wouldn't be the first time a spammer has faked the whois information
and provided false information.

I got a very similar email from Clive Rand calling me "Karen", then
shortly after that one from the free yandex account calling me the same
thing. I have reason to believe he is in control of that free yandex
account as well as running tele-asia.net, and uses this IP block for any
illegal activity (5.34.205.0) so that it doesn't come back on
his company tele-asia.net.

I also emailed info@rasane.com, which they have listed on their website,
and it bounces back saying the mailbox is full.

Delivery has failed to these recipients or groups:

"info@rasane.com
Your message couldn't be delivered. When Office 365 tried to send the
message, the external email server returned the error below. This is
probably due to a problem or policy setting on the recipient's email system.

Diagnostic information for administrators:

Generating server: DM5PR0401MB3543.namprd04.prod.outlook.com

info@rasane.com
Remote Server returned '550 5.0.350 Remote server returned an error ->
550 Mailbox is full / Blocks limit exceeded / Inode limit exceeded'"

Re: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS: AS15828/IR]

https://www.novabbs.com/computers/article-flat.php?id=264&group=news.admin.net-abuse.email#264

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: posttous...@gmail.com (Post To Usenet)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS:
AS15828/IR]
Date: Mon, 21 Mar 2022 22:49:22 -0600
Organization: A noiseless patient Spider
Lines: 43
Message-ID: <t1bkgi$6l8$2@dont-email.me>
References: <t15gr5$5f5$1@dont-email.me>
<t19u5l$ucn$1@cognicom.eternal-september.org> <anfi+kxbfozd3pf-m3l1@wp.eu>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 22 Mar 2022 04:49:23 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="6156006b7185d90774156954a8ab5509";
logging-data="6824"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+9N6nBSNEbOKOAuwAgf8GK3BawcFqeoDw="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
Cancel-Lock: sha1:EWc7hWOJPxnoefFUW9DPagjuGFM=
In-Reply-To: <anfi+kxbfozd3pf-m3l1@wp.eu>
Content-Language: en-US
 by: Post To Usenet - Tue, 22 Mar 2022 04:49 UTC

On 2022-03-21 2:03 p.m., Andrzej Adam Filip wrote:
> "Bob Milutinovic" <cognicom@gmail.com> wrote:
>> "Post To Usenet" <posttousenet@gmail.com> wrote in message
>> news:t15gr5$5f5$1@dont-email.me...
>>
>> <a lot of crap>
>>
>> <snip>
>>> Has anyone else seen anything coming from 5.34.205.54?
>> </snip>
>>
>> Nope, nothing here. Ukraine is null-routed at the network border (as
>> are all of the former USSR states, the Middle East, most of Asia and a
>> large chunk of Africa).
>>
>> Have you heard about rate limiting? Fail2Ban?
>
> $ whois 5.34.205.54
> inetnum: 5.34.205.0 - 5.34.205.255
> org: ORG-SL1132-RIPE
> netname: SpaceshipNetworks
> country: UA
> […]
>
> organisation: ORG-SL1132-RIPE
> org-name: Spaceshipnetworks LTD
> org-type: OTHER
> address: Khreshhatik St., 14D, Kyiv (Kiev), UA
> […]
>
> $ whois -h riswhois.ripe.net 5.34.205.54
>
> route: 5.34.205.0/24
> origin: AS15828
> descr: WCD-AS Blue Diamond Network Co., Ltd., IR
>
>

See my post above to David Ritz. I know what the record says,
but I don't believe that information to be accurate or correct;
please see my other post.

Thank you,

Re: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS: AS15828/IR]

https://www.novabbs.com/computers/article-flat.php?id=265&group=news.admin.net-abuse.email#265

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: anf...@onet.eu (Andrzej Adam Filip)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Break in attempt 5.34.205.54 [Whois(RIPE): UA, RISWHOIS: AS15828/IR]
Date: Tue, 22 Mar 2022 05:01:23 +0000 (UTC)
Organization: It is for me to know and for you to find out.
Lines: 47
Message-ID: <anfi+35xadvhvif-m3m2@wp.eu>
References: <t15gr5$5f5$1@dont-email.me>
<t19u5l$ucn$1@cognicom.eternal-september.org>
<anfi+kxbfozd3pf-m3l1@wp.eu> <t1bkgi$6l8$2@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: reader02.eternal-september.org; posting-host="edc5eda7a83707dc71d1e98183ac95b2";
logging-data="9146"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/kO4i3jKu+z8Dll6bpmTEW"
Cancel-Lock: sha1:YERYYXUFv6dpyS8DvnwlZ/AJzDo=
sha1:got5zi2GYuw0x8v41++zHx5QkNQ=
 by: Andrzej Adam Filip - Tue, 22 Mar 2022 05:01 UTC

Post To Usenet <posttousenet@gmail.com> wrote:
> On 2022-03-21 2:03 p.m., Andrzej Adam Filip wrote:
>> "Bob Milutinovic" <cognicom@gmail.com> wrote:
>>> "Post To Usenet" <posttousenet@gmail.com> wrote in message
>>> news:t15gr5$5f5$1@dont-email.me...
>>>
>>> <a lot of crap>
>>>
>>> <snip>
>>>> Has anyone else seen anything coming from 5.34.205.54?
>>> </snip>
>>>
>>> Nope, nothing here. Ukraine is null-routed at the network border (as
>>> are all of the former USSR states, the Middle East, most of Asia and a
>>> large chunk of Africa).
>>>
>>> Have you heard about rate limiting? Fail2Ban?
>> $ whois 5.34.205.54
>> inetnum: 5.34.205.0 - 5.34.205.255
>> org: ORG-SL1132-RIPE
>> netname: SpaceshipNetworks
>> country: UA
>> […]
>> organisation: ORG-SL1132-RIPE
>> org-name: Spaceshipnetworks LTD
>> org-type: OTHER
>> address: Khreshhatik St., 14D, Kyiv (Kiev), UA
>> […]
>> $ whois -h riswhois.ripe.net 5.34.205.54
>> route: 5.34.205.0/24
>> origin: AS15828
>> descr: WCD-AS Blue Diamond Network Co., Ltd., IR
>>
>
> See my post above to David Ritz. I know what the record says
> but I don't believe that information to be accurate or correct
> please see my other post.

RISWHOIS reports current routing *as reported by internet (BGP) routers*.
WHOIS "may" sometimes be outdated or inaccurate. In short: such a
discrepancy between WHOIS and RISWHOIS is at the very least "interesting".

AFAIR there has been an outbreak of spam sources on the SpamCop top-200 from IP
addresses formally assigned to CZ but routed via a Russian AS.

--
A. Filip
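Two things in this thread are really the same exercise in reading RPSL output: David Ritz's `whois -h whois.ripe.net -- -BL 5.34.205.54 | grep @` (`-L` returns every less-specific object above the address, `-B` turns off the filter that hides e-mail attributes), which walks up the inetnum hierarchy to find the parent allocation's abuse contact, and Andrzej Filip's observation that the inetnum is registered as UA while RIS shows the /24 originated by AS15828, an Iranian AS. The script below is an added example for this page, not code from any participant, that does both. The sample whois text is assembled from the output quoted in the thread; the two parent ranges appear there only as `% Abuse contact for ...` lines, so their objects are reduced to the `inetnum:` attribute, and the organisation address is split across a continuation line purely to exercise that part of the parser. The trailing `, IR` in the RIS `descr:` is read as the origin AS's country, as Filip's subject line does.

```python
"""Parse RIPE-style whois (RPSL) output, walk the inetnum hierarchy for an IP
to find every abuse contact above it, and compare the registered country with
the BGP origin AS reported by RIS."""
import ipaddress
import re

# Constructed sample assembled from the whois output quoted in the thread. The two
# parent ranges appear there only as '% Abuse contact for ...' lines, so their
# objects are reduced to the inetnum: attribute; nothing else is invented.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.

% Abuse contact for '5.34.192.0 - 5.34.207.255' is 'abuse@rasane.com'

inetnum:        5.34.192.0 - 5.34.207.255
source:         RIPE

% Abuse contact for '5.34.204.0 - 5.34.207.255' is 'abuse@rasane.com'

inetnum:        5.34.204.0 - 5.34.207.255
source:         RIPE

% Abuse contact for '5.34.205.0 - 5.34.205.255' is 'spaceshipnetworks@yandex.com'

inetnum:        5.34.205.0 - 5.34.205.255
org:            ORG-SL1132-RIPE
netname:        SpaceshipNetworks
country:        UA
source:         RIPE

organisation:   ORG-SL1132-RIPE
org-name:       Spaceshipnetworks LTD
org-type:       OTHER
address:        Khreshhatik St., 14D,
                Kyiv (Kiev), UA
source:         RIPE
"""

# riswhois.ripe.net answer quoted in the thread; the trailing ', IR' is read as
# the country of the origin AS (assumption, following the thread's own reading).
SAMPLE_RIS = """\
route:          5.34.205.0/24
origin:         AS15828
descr:          WCD-AS Blue Diamond Network Co., Ltd., IR
"""

ABUSE_RE = re.compile(r"^% Abuse contact for '(?P<range>[^']+)' is '(?P<email>[^']+)'")


def parse_rpsl(text):
    """Return (objects, abuse_contacts). objects: one dict per blank-line-separated
    block, attribute -> list of values (RPSL attributes may repeat); lines starting
    with whitespace or '+' continue the previous value. abuse_contacts: range -> email
    taken from the server's '% Abuse contact for' comment lines."""
    objects, abuse, current, last_key = [], {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("%"):
            m = ABUSE_RE.match(line)
            if m:
                abuse[m["range"]] = m["email"]
            continue
        if not line:
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key:
            current[last_key][-1] += " " + line.lstrip(" \t+")
            continue
        key, sep, value = line.partition(":")
        if sep:
            key = key.strip()
            current.setdefault(key, []).append(value.strip())
            last_key = key
    if current:
        objects.append(current)
    return objects, abuse


def _bounds(rng):
    lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
    return int(lo), int(hi)


def covering_ranges(ip, ranges):
    """Ranges ('a.b.c.d - e.f.g.h') containing ip, largest (least specific) first."""
    n = int(ipaddress.ip_address(ip))
    hits = [r for r in ranges if _bounds(r)[0] <= n <= _bounds(r)[1]]
    return sorted(hits, key=lambda r: _bounds(r)[0] - _bounds(r)[1])


def abuse_escalation_chain(ip, whois_text):
    """[(range, abuse email)] from the top-level allocation down to the most
    specific assignment; the parents are who to escalate to when the most
    specific contact is the suspected abuser."""
    _, abuse = parse_rpsl(whois_text)
    return [(r, abuse[r]) for r in covering_ranges(ip, abuse)]


def compare_registration_routing(ip, whois_text, ris_text):
    """Registered (whois) country of the most specific inetnum vs. the country
    of the BGP origin AS (RIS route object)."""
    objects, _ = parse_rpsl(whois_text)
    by_range = {o["inetnum"][0]: o for o in objects if "inetnum" in o}
    chain = covering_ranges(ip, by_range)
    inet = by_range[chain[-1]] if chain else {}
    orgs = {o["organisation"][0]: o for o in objects if "organisation" in o}
    org = orgs.get(inet.get("org", [None])[0], {})

    addr = ipaddress.ip_address(ip)
    routes = [r for r in parse_rpsl(ris_text)[0] if "route" in r]
    route = next((r for r in routes if addr in ipaddress.ip_network(r["route"][0])), {})
    m = re.search(r",\s*([A-Z]{2})$", route.get("descr", [""])[0])
    reg_cc = inet.get("country", [None])[0]
    origin_cc = m.group(1) if m else None
    return {
        "inetnum": inet.get("inetnum", [None])[0],
        "netname": inet.get("netname", [None])[0],
        "org_name": org.get("org-name", [None])[0],
        "registered_country": reg_cc,
        "route": route.get("route", [None])[0],
        "origin_asn": route.get("origin", [None])[0],
        "origin_country": origin_cc,
        "country_mismatch": bool(reg_cc and origin_cc and reg_cc != origin_cc),
    }


if __name__ == "__main__":
    for rng, contact in abuse_escalation_chain("5.34.205.54", SAMPLE_WHOIS):
        print(f"{rng:32} {contact}")
    for k, v in compare_registration_routing("5.34.205.54", SAMPLE_WHOIS, SAMPLE_RIS).items():
        print(f"{k:20} {v}")
```

The escalation chain is why Ritz points at abuse@rasane.com: it is the contact on both allocations above the /24 whose own abuse contact is the suspect's free-mail address. The `country_mismatch` flag is the "interesting" discrepancy Filip means; a registration country that disagrees with the origin AS's country is a reason to look harder at both records, not proof that either one is false.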
