dmarc retard for September is latinnewsmail.us

It is a bit early since it is still September, but this is clearly an exceptional case which deserves this special award.

The domain latinnewsmail . us apparently sent something to the zoo (it could have been spam), and its mail handler did not like the standard opendmarc report attachment, rejecting it as:

eforward3.registrar-servers.com[162.255.118.61] said: 550 We do not accept
.zip attachments here. (in reply to end of DATA command)

So if you're thinking of using registrar-servers.com, clearly you're a retard; as to the domain, well, they also deserve to be associated with retards, since they set up the address aggregate@latinnewsmail.us to be forwarded to that handler. The good news is that latinnewsmail . us won't be getting any more dmarc email from the zoo despite requesting it.

I pass this on just to show that the clueless seem to have found dmarc, and what could possibly go wrong.

I like spotting idiots with dmarc

atps and adsp records (featuring asl too) and dmarc reporting

Sisyphus is still a role model


Yes, I am doing dmarc today once again, exciting stuff this, and I have finally figured out opendmarc-reports, for which at the zoo atps is apparently needed.

These records are fun, and once you do one domain the others also need doing too, e.g.:

  • example.com
  • example.net
  • etc.

_adsp._domainkey.example.com IN TXT "dkim=all; atps=y; asl=example.net;"
YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps.example.com IN TXT "v=atps01; d=example.net;"

The YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ label is the sha1 hash of example.net. opendkim-atpszone can make this with:

opendkim-atpszone -h sha1 -u example.com -A example.net -vvv

For the rest of the dns lines above you're on your own, as all the tool produces is:

YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps TXT 86400 "v=ATPS1; d=example.net"

Eagle-eyed readers will note that v=ATPS1; and v=atps01; differ, and that no adsp record is made.

The zoo has found that atps01 works and is unwilling to test the capital variant.
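As an added example (not from the post and not OpenDKIM's code), here is a Python script that builds the two zone lines above for any author/signer pair and checks an ATPS TXT value; it assumes the label is the base32 of the SHA-1 of the lowercase signer domain with padding removed (the 32-character form opendkim-atpszone -h sha1 prints), and it accepts both version spellings mentioned above so either can be tested on its own.

```python
import base64
import hashlib

# Added example, not from the post or from OpenDKIM. Assumption: the ATPS
# label is base32(sha1(lowercase signer domain)) with '=' padding stripped,
# which gives the 32-character label seen in the zone lines above.
B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def atps_label(signer_domain):
    """Hash label that goes in front of ._atps.<author domain>."""
    name = signer_domain.strip().rstrip(".").lower().encode("ascii")
    digest = hashlib.sha1(name).digest()  # 20 bytes = 160 bits = 32 base32 chars
    return base64.b32encode(digest).decode("ascii").rstrip("=")


def atps_records(author_domain, signer_domain, version="atps01"):
    """Zone lines in the layout used in the post: the ADSP record on the
    author domain and the ATPS record authorising the signer domain."""
    adsp = '_adsp._domainkey.%s IN TXT "dkim=all; atps=y; asl=%s;"' % (
        author_domain, signer_domain)
    atps = '%s._atps.%s IN TXT "v=%s; d=%s;"' % (
        atps_label(signer_domain), author_domain, version, signer_domain)
    return adsp, atps


def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value into a dict. Tag names are lowercased;
    values are kept as written so version spelling differences stay visible."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def atps_authorises(txt, signer_domain, accepted_versions=("atps01", "ATPS1")):
    """True if the ATPS TXT value names signer_domain with a version tag the
    verifier accepts. Both spellings from the post are accepted by default;
    narrow the tuple to test one variant, as opendmarc-reports seems to."""
    tags = parse_tags(txt)
    wanted = signer_domain.rstrip(".").lower()
    return (tags.get("v") in accepted_versions
            and tags.get("d", "").rstrip(".").lower() == wanted)


if __name__ == "__main__":
    for line in atps_records("example.com", "example.net"):
        print(line)
```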

The only reason I have this is for opendmarc-reports, which for some reason, if I do not have these records, gets me a dmarc rejection like:

postfix/smtp[*]: *:
status=bounced (host aspmx.l.google.com[74.125.71.26] 
said: 550-5.7.1 Unauthenticated email from example is not accepted 
due to 550-5.7.1 domain's DMARC policy. 
Please contact the administrator of 550-5.7.1 example domain if this 
was a legitimate mail.

That's it; that is what brought me to this vague corner of dns and email.

The dmarc report i received back the next day was interesting.

<source_ip>munged .com</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.net</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>example.net</domain>
<result>pass</result>
<selector>mail2</selector>
</dkim>
<dkim>
<domain>example.net</domain>
<result>pass</result>
<selector>mailxx</selector>
</dkim>
<spf>
<domain>example.net</domain>
<result>pass</result>
</spf>
</auth_results>

So perhaps this is more evidence that atps is needed, even though it is considered a dead duck compared to, say, spf.

Maybe the zoo's way of doing things is weird to opendmarc-reports, which is good at keeping secrets on our live mail server; it is happy with adsp, and human email gets sent properly with aligned spf, dkim and dmarc, so I will say no more.

So that fixes opendmarc reporting. Yay.

opendmarc reporting and extended thoughts

I decided to install some very crappy software to get dmarc reporting (my blog) working and adapted a script from a blog to suit; it works: you import, report and expire the db.

This is a week-long-plus blog post, so I may contradict myself the longer I document stuff.

However, with stuff inbound to the database I got no email reports out, which I can assume is due either to an error on my part, to a policy of not bothering them without strict compliance, or to the software being broken.

A brainwave I had while exploring this was that, as a low-traffic host (the zoo is not gmail), the email we do get is strictly controlled by rules, whereas gmail, I guess, might be lax on, say, spam, where we are not.

So most of the email dealt with needs no dmarc action.

I will run the import, report and expire once a day and see if dmarc reporting via opendmarc is worthwhile.

Later on, with reports being sent, I observed some issues…

Dmarc can be abused by marketing people, and it depends on who runs the report address they specified; take pure360.com:

(host x.GOOGLE.com[74.125.x.x] said:
450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 – gsmtp (in reply to RCPT TO command))
dmarcreporting@pure360.com


It is amusing to note that they also use gmail.

So dmarc might be mismanaged by some who ought to know better. Does this mean pure360.com dmarc should be ignored? What do you think?

Another retard with dmarc produced the humorous issue below. Please note this was collected by dmarc and sent by dmarc; it is not a typo by a human.

opendmarc-reports: sent report for email3.telegraph.co.uk 
to craig.millar@telegraph.co.uk (2.0.0 Ok: queued as 5F1F4BD6315)

<craig.millar@telegraph.co.uk>: host <host>.google.com[74.125.x.x] said:
550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient’s email address for typos

Plenty of other idiots exist.

(host eu-smtp-inbound-1.mimecast.com[91.220.42.241] said: 451 IP temporarily blacklisted – https://community.mimecast.com/docs/DOC-1369#451 (in reply to RCPT TO command))
dmarc@communicatorcorp.com

Not sure they want dmarc, although they request it.

(host eu-smtp-inbound-2.mimecast.com[91.220.42.241] said: 451 IP temporarily blacklisted – https://community.mimecast.com/docs/DOC-1369#451 (in reply to RCPT TO command))
rua@rac.co.uk

These appear to go out hours and hours later; that is, getting the dmarc report back (rac do send spam) pisses off hosts when it reports back. Oh to be a mind reader.

Yet another brainwave I had was that there is no way to block 'phishing' emails via opendmarc unless there is a strict policy set up, short of searching headers for dmarc results, but that's down to the mta or the spam filter, not opendmarc. There is an example below.

Routing loops could be a problem: I send mail, they send mail, we mail back, etc. I'll have to see on that one. I guess you could turn off reporting, which kind of makes dmarc reporting an odd idea to start with.

In the real world I found out:

One bug I noticed: if you do not import messages into sql and then close down opendmarc (say for a kernel upgrade), opendmarc deletes the text file. Not an end-of-the-world issue, but an occasional one.

Another bug I noticed in the 1.3.0 release (1.3.2 is in debian experimental) is that opendmarc-reports will still send email out even if you had a typo in the address or email set in the script (the zoo has four domains).

I noticed because our dkim signing did not kick in when it should have (my typo).

The sql data is stored, although it is not designed for humans to read; the xml reports, which it makes and which we also get from others since the zoo has dmarc, are more human-readable.

Microsoft (microshit) are pretty crap at dmarc; their reports leave a lot to be desired due to \n issues.

They also send back failures; this is pure microshit in action. I perceive this as a bit spammy. It took a little time to sanitize here:

Subject x has left you a private message
From No signature information staff@hotmail.com
To technical_dmarc@zoo
Date Thu 07:46 PM
This is an email abuse report for an email message received from IP 201.217.243.222 on Thu, 19 Jan 2017 11:xx:40 -0800.
The message below did not meet the sending domain’s authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.
Subject x has left you a private message
From Signature is not valid ! verified by VMessage
Sender notification+bingxia006@zoo
To REDACTED
Date Thu 04:44 PM
You have 1 new message
Crook


Typical crap from microsoft; it was spamcop-proof too.

Criminals also have odd dmarc setups; a good example is quantumaccountingservices . net, which is scammy* and at the time of writing returned:

Host not found, try again

So I guess you're going to get a lot of domains to ignore.

A problem I have is with multiple-domain reporting (say mail.zoo, mail.zoo1, etc.). In the debian 1.3.0 version the first report run, for mail.zoo, has all the fun; the other opendmarc-reports runs execute but have nothing to report on. That might be a level of complexity most people with one domain and one host never get to see or care about, and it might be down to the shit sql server it uses.

My adsp and atps lines in dns needed some tweaking, since reporting uses port 25 and I use the other port for outbound mail, which for over a week I failed to comprehend; so this might be a postfix / amavis or some other issue I cannot resolve currently.

The zoo will not be sending reports until we figure out adsp (my blog), even though the sql import and expire work.

opendmarc-spam looks interesting, although it is a thought experiment needing a look at the source code to guess how it works.

That's about it for opendmarc reporting. Tomorrow I will be delving into the science of mind reading**; after all, it appears to be a required skill with dmarc.

* The hint is in the name. ** I joke.

Dead letter abuse boxes (or an end to dmarc probers)

One day they just stopped, and since most of them are in China* it's been boring on the dmarc (my blog) front ever since.

However, since reporting abuse to china does not work except for 'special' people, it can be said that many Chinese isps colluded. Any american reading this should comprehend that china is not russia.

Of other countries, Vietnam has one attempt and the US a couple, so either they're spoofing somebody without dmarc, which is something I would have done months ago, or the thing that controlled it is down rather than looking an idiot once a day like China did.

I still have the data and can firewall it in seconds; the dmarc records still exist and are permanent, and so I will now only report on the latest attempts and correlate them with previous behaviour.

Latterly I have also caught amazon (yes, the big retailer) trying 24 attempts in one day via ec2 (my blog), so maybe this year will be the year that the US wins the gold medal in dmarc probes over china, with quantity from single hosts.

I am sure you are all looking forward to these posts. Exciting stuff.

* Both HK and mainland.

Exploring opendmarc in debian jessie

It uses horrible mysql (my blog) for a database, so I just looked at the milter.

Spf needs an Authentication-Results (AR) header, so you need to read a man page, although that seems to be a bit buggy in debian stable; amavis (my blog) does AR.

It lives on 127.0.0.1:8893, and it appears all those IT bloggers do not run opendmarc, so there are not many blogs with bad information, unlike for dkim; although to call some bloggers technical is perhaps stretching things, and many are just rehashing content that is not theirs for the advert views.

In debian the conf file is simple and examples can be found; however, while the software works, not all options work.

The jessie defaults seem to want one host, one email server, so if like the zoo you have five mta's hanging off one piece of hardware you're going to need to do some work.

In an hour I got a working opendkim instance and plumbed it in; checking the plumbing, I was able to get messages in and out as before, so I left it like that to see what happens in a week's time.

Examples include auth and forensic reports. Here is one error line:

postfix/smtpd[17677]: warning: connect to Milter service inet:127.0.0.1:8893: Connection refused

I also notice that with Header_Type = AR you get no spf line appended in the email; that's probably an unrelated problem with postfix-policyd-spf (my blog) that hinders opendmarc.

One site suggested you use the backports repo, a suggestion I did not take up, and some changes to postfix with extra headers (not AR).

I also created a history file and enabled it, and that stubbornly recorded nothing even with a restart.

I will take another look at opendmarc in the future, but it strikes me as not worth the bother inbound, and the mysql is off-putting. I could be wrong, but that was what a week's worth of activity recorded.

Email was signed with dkim and was sent and received, so our email server was working during the time with the new milter.

This might be a compile-it-yourself thing in Debian for all I know at this stage, or maybe I do not need it.

Chinese botnets in the mist

This is not a film about Rwanda and apes but a specific Chinese isp who pretends to be the zoo.

In this (my blog) I first noticed them, then caught up with them again here, and one more time I decided to update you all on Huashu media&Network Limited.

After all, this is fun, and most of this report is now generated by a computer, so these blog entries take very little time to create.


Another 61 since I last saw them. Impressive! Huashu media&Network Limited, keep up the good work.

A most impressive botnet

In this (my blog) I explored botnets.

Most of the existing data remains the same in trend, except for this isp in China, who is either blissfully ignorant or quite happy to allow it, and which I keep logging.

Whatever the reason, I remain ready to keep logging them from Huashu media&Network Limited, when this (not here) tells me there are 3,216 spam hosts, so only 3089 entries to go.

Hello 华数传媒网络有限公司 (Huashu Media & Network Co., Ltd.)


An increase of 36 reports. Some people collect pokemon; I collect chinese botnet ip's. Fun.

dmarc stats – or hi to 754th Electronic Systems Group of the us air force.

scumbag spammer Robert Soloway


Dmarc (my blog) is something really, really boring; in fact most microsoft admins have never heard of it, along with spf, but that is the sad state of microsoft, who I love to poke fun at given an opportunity (my blog) to do so.

Anyhow, I was getting bored of collecting some other information and so decided to document dmarc attempts.

I can do this as non-microsoft people have things that send this info remotely, so this is not something I was looking for but an event that a mail provider saw.

A month in, I have 37 offenders and 86% of them originated from China.

Here is two months; note the suspicious quantities of certain subnets.

sort -n dkim.bl | uniq -c


Of interest is the false ip I copied and pasted from the dmarc reports, so the error is not mine; that is what some isp sent. Most of these are Chinese, but the 754th Electronic Systems Group in the US airforce deserve an honourable mention, although they're a bit shit at what they do, as there's a reddit topic on them, and when us apes notice them you have a problem.

I wonder what they were trying to do?

The text should be parseable into a spreadsheet using " " (a space) as the delimiter.
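As an added example (not from the post), here is a Python parser for the aggregate-report XML excerpted in the atps post above; it tallies, per source IP, the messages that failed DMARC, which is what the dkim.bl list above collects, and sets aside addresses that cannot be a sending host, such as the one the post calls a "dmarc report error". The report it runs on is constructed, not a real one.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed aggregate report (not a real one) in the RFC 7489 layout of the
# excerpt in the atps post: an aligned pass, a spoof attempt from a
# documentation address, and a record whose source_ip is a multicast address.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>constructed-reporter</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.net</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.net</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.net</domain><result>pass</result><selector>mail2</selector></dkim>
      <spf><domain>example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.net</header_from></identifiers>
    <auth_results><spf><domain>other.example</domain><result>none</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>228.143.204.76</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.net</header_from></identifiers>
    <auth_results><spf><domain>example.net</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_records(xml_text):
    """Return one dict per <record>: source IP, message count, header_from
    and the aligned dkim/spf verdicts from <policy_evaluated> (the verdicts
    the receiver applied the policy to, not the raw auth_results)."""
    records = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        pol = rec.find("row/policy_evaluated")
        if row is None or pol is None:
            continue  # malformed record: skip it rather than crash on a bad report
        records.append({
            "ip": row.findtext("source_ip", "").strip(),
            "count": int(row.findtext("count", "0")),
            "header_from": rec.findtext("identifiers/header_from", ""),
            "disposition": pol.findtext("disposition", "none"),
            "dkim": pol.findtext("dkim", "fail"),
            "spf": pol.findtext("spf", "fail"),
        })
    return records


def dmarc_pass(record):
    """DMARC passes if either aligned identifier passed (RFC 7489 section 3.1)."""
    return record["dkim"] == "pass" or record["spf"] == "pass"


def usable_source(ip_text):
    """False for strings that cannot be a sending host: unparsable (like the
    'munged .com' in the excerpt), multicast, reserved, loopback or unspecified.
    Those are reporter errors, not hosts to blocklist."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (addr.is_multicast or addr.is_reserved
                or addr.is_loopback or addr.is_unspecified)


def failing_sources(xml_text):
    """Tally failed-DMARC message counts per source IP, the way the post's
    'sort | uniq -c' over dkim.bl does, and list the unusable addresses."""
    counts, errors = {}, []
    for rec in parse_records(xml_text):
        if dmarc_pass(rec):
            continue
        if not usable_source(rec["ip"]):
            errors.append(rec["ip"])
            continue
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + rec["count"]
    return counts, errors


if __name__ == "__main__":
    counts, errors = failing_sources(SAMPLE_REPORT)
    for ip, n in sorted(counts.items()):
        print("%7d %s" % (n, ip))
    for ip in errors:
        print("        %s dmarc report error" % ip)
```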

Dmarc actually works

It's been a while since I mentioned dmarc (my blog), but recently the dmarc reports went silent, telling me that somebody in china pretended to be the monkey house, not us, with the thing being rejected, and they informed us too via the report.

So dmarc really does work and makes it harder for spammers.

Totally recommended.

Email virus scanning needing some help

The zoo's virus thing [not that microsoft windows crap you run] was not working well or did not have the definitions; as we do not get that many, and they get reported and blocked until the next server reboot, whenever that is, life is limited here for botnet members.

Anyhow, with the rise of attachments which did not originate where they said they did, I decided to go look at improving virus detection rather than doing spf, which some retard at yahoo (my blog) and elsewhere has yet to figure out.

Yes, we have spf, but being correct on inbound spf means a lot of yahoo email won't get through, and you have to tolerate idiots sending email or the zoo staff complain about it.

It's a fact of life that many retards inhabit email servers; an example where I nearly choked on my coffee one morning was on the dmarc email list, when some corporate citizen had yet to even do spf and also wanted dmarc (my blog). I assume that as it was not a paid service from somebody else, it failed the "I should have done that about ten years ago" motivation.

So I go looking for fresher virus databases and find them, so one Saturday I decide to install them; apart from some missing settings on update and ownership of the files, I am pretty close, and after installing rsync the Sunday log looks good.

The reason I worked on the Saturday is so I could troubleshoot and be ready for Monday for testing by you special internet users, you know them as well. Monday came round and Vietnam verified it was working:

amavis[x]: (26467-09) Blocked INFECTED (Malware.24819.MacroHeurGen.Hp.UNOFFICIAL) {DiscardedInbound,Quarantined}, [14.170.60.120]:50964 [14.170.60.120] <sales@transglobalexpress.co.uk> -> <info@zoo>, quarantine: O/virus-Oupswa7kUlmo, Queue-ID: ECA6EBD6899, Message-ID: <7D1C0677256B441FAF71558ABA98D26D@409733db1>, mail_id: Oupswa7kUlmo, Hits: -, size: 98052, 328 ms

So I broke out the celebratory bananas; after all that, Monday was declared a success. Retards at yahoo get their mail delivered and I don't have to deal with nasty stuff at the zoo.

I still hate microsoft for designing this crap that even i have to deflect.

Crook


Eventually the server, which is not a microsoft product, will delete the virus attachment when set to, so it will never be opened by a lifeform. It would be nice not to have a scanner on the server, but it appears that is how things are; however, I do get to call all microsoft employees retards for writing special code (my blog) that makes windows software unusable.