On Wed 12/Feb/2020 09:51:22 +0100 Ronald F. Guilmette wrote:
The RIPE WHOIS data base says that the abuse contact for AS16276 is abuse@ovh.net.
It would appear that the folks at OVH haven't yet quite figured how this whole email thing works.
Give them time. Another decade or two and they should have it down pat.

+1, X-VR-SPAMCAUSE looks particularly appealing...

Best
Ale

-------- Forwarded Message --------
Subject: failure notice
Date: 12 Feb 2020 06:18:04 +0200
From: MAILER-DAEMON@mx1.ovh.net
To: abuse@tana.it

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ovh.net-abuse@ovh.net>:
user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581481084.9867.mail660.ha.ovh.net,S=4191
system error

--- Below this line is a copy of the message.

Return-Path: <abuse@tana.it>
Received: from localhost (HELO queue) (127.0.0.1)
  by localhost with SMTP; 12 Feb 2020 06:18:04 +0200
Received: from unknown (HELO output25.mail.ovh.net) (10.108.117.188)
  by mail660.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 06:18:04 +0200
Received: from vr26.mail.ovh.net (unknown [10.101.8.26])
  by out25.mail.ovh.net (Postfix) with ESMTP id 48HRFm0K5Sz7P6Fd8
  for <abuse@ovh.net>; Wed, 12 Feb 2020 04:18:04 +0000 (UTC)
Received: from in14.mail.ovh.net (unknown [10.101.4.14])
  by vr26.mail.ovh.net (Postfix) with ESMTP id 48HRFf6fgNzrQV85
  for <abuse@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=62.94.243.226;
  helo=wmail.tana.it; envelope-from=abuse@tana.it; receiver=abuse@ovh.net
Authentication-Results: in14.mail.ovh.net;
  dkim=pass (1152-bit key; unprotected) header.d=tana.it header.i=@tana.it header.b="DSzDkiE5";
  dkim-atps=neutral
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226])
  by in14.mail.ovh.net (Postfix) with ESMTPS id 48HRFf5rYcz1qqm5
  for <abuse@ovh.net>; Wed, 12 Feb 2020 04:17:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) (uid 1000)
  by wmail.tana.it with local
  id 00000000005DC0BE.000000005E437C70.00006938; Wed, 12 Feb 2020 05:17:51 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta;
  t=1581481072; bh=hqA0axQ0F0EZuKcuD4BJM7lec22phleodccLJFRo7js=;
  l=1187; h=From:To:Date;
  b=DSzDkiE5M2E2RHdufCjt/pvL8szxXfCQCiPcYrJMYxbHDSM6/qNrHDy0JZwW3HfQG
  jvGk5T7PlE7c6dBvfNjmQl2Z0yTpvjOVufBM6xGVi3WEzkPUb2Wpr0b6oW/Ptan3/d
  d81pOjTCPaAxOXfx0G1t5PpotLEo0P48qxyNPtkGYVZoMp7kdUev7jtac9Jcq
Authentication-Results: tana.it; auth=pass (details omitted)
X-mmdbcountrylookup: FR
From: "tana.it" <abuse@tana.it>
To: abuse@ovh.net
Date: Wed, 12 Feb 2020 05:17:51 +0100
Subject: Mail server abuse by 188.165.221.36 on 11 February 2020
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: DR, OOF, AutoReply
Message-ID: <courier.000000005E437C6F.00006938@wmail.tana.it>
X-Ovh-Remote: 62.94.243.226 (wmail.tana.it)
X-Ovh-Tracer-Id: 8968355709213900626
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 50
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrieeggdeifecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecuogfvvgigthfqnhhlhidqqdetfeejfedqtdegucdlhedtmdenucfjughrpefhvfffufggtgfgsehtjedttddttdejnecuhfhrohhmpedfthgrnhgrrdhithdfuceorggsuhhsvgesthgrnhgrrdhitheqnecuffhomhgrihhnpehtrghnrgdrihhtpdhrihhpvgdrnhgvthenucfkphepiedvrdelgedrvdegfedrvddvieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehinhdugedrmhgrihhlrdhovhhhrdhnvghtpdhinhgvthepiedvrdelgedrvdegfedrvddviedpmhgrihhlfhhrohhmpegrsghushgvsehtrghnrgdrihhtpdhrtghpthhtoheprggsuhhsvgesohhvhhdrnhgvth
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

Dear Abuse Team

The following abusive behavior from IP address under your constituency 188.165.221.36 has been detected:

2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, SMTP auth dictionary attack

188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018

original data from the mail log:
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026]
2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743]
2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520]
2020-02-11 11:39:25 CET courieresmtpd: error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: AUTH LOGIN 42D117A2.9F10013D