Nice find. Here's the IP list I pulled for them as well:
https://clbin.com/Fr1IH
Probably not worth blocking by IP but some blacklistings might alert
hosts to abusive behavior more than "yet another ignored abuse
complaint."
On 2022-08-31 08:56, Michael Peddemors via mailop wrote:
Not just OVH, on LeaseWeb as well..
Script at least is sane, even though it simply does a RCPT TO, then
QUIT. Suggest it is another email validator, or list washer.. without
transparency.
Aug 31 04:38:13 be msd[603032]: Linux Magic SMTPD started: connection
from 212.7.193.14 (192.168.0.118:25) Linux 2.2.x-3.x
Aug 31 04:38:13 be msd[603032]: Created UUID
65a11bb8-2921-11ed-a12c-272390e3399e for message
Aug 31 04:38:13 be msd[603032]: CONN: 212.7.193.14 -> 25 GeoIP = [NL]
PTR = lw-mail-14.bouncer.cloud OS = Linux 2.2.x-3.x
Aug 31 04:38:13 be msd[603032]: EHLO command received, args:
lw-mail-14.bouncer.cloud
Aug 31 04:38:13 be msd[603032]: MAIL command received, args:
FROM:<hello@lw-mail-14.bouncer.cloud>
Aug 31 04:38:13 be msd[603032]: MAIL FROM address:
[hello@lw-mail-14.bouncer.cloud]
Aug 31 04:38:13 be msd[603032]: Doing server-wide checks
Aug 31 04:38:13 be msd[603032]:
rfc_mail_from(hello@lw-mail-14.bouncer.cloud)
Aug 31 04:38:13 be msd[603032]: Done server-wide checks
Aug 31 04:38:13 be msd[603032]: RCPT command received (212.7.193.14),
args: TO:<SNIPPED>
Aug 31 04:38:13 be msd[603032]: from domain country
code[lw-mail-14.bouncer.cloud] = "**"
Aug 31 04:38:13 be msd[603032]: helo domain country
code[lw-mail-14.bouncer.cloud] = "**"
Aug 31 04:38:13 be msd[603032]: Doing server-wide checks
Aug 31 04:38:13 be msd[603032]: Looking up domain
lw-mail-14.bouncer.cloud (this may take a while)
Aug 31 04:38:14 be msd[603032]: Done server-wide checks
Aug 31 04:38:14 be msd[603032]: RCPT address [SNIPPED] is local
Aug 31 04:38:14 be msd[603032]: User spam rules loaded successfully
Aug 31 04:38:14 be msd[603032]: Doing domain-wide checks
Aug 31 04:38:14 be msd[603032]: Done domain-wide checks
Aug 31 04:38:14 be msd[603032]: User spam checking enabled
Aug 31 04:38:14 be msd[603032]: SPAM HIT: block_lists: 41
Aug 31 04:38:14 be msd[603032]: Adding flag for quarantine.
Aug 31 04:38:14 be msd[603032]: QUIT command received, args:
Aug 31 04:38:14 be msd[603032]: Session ending: Client issued QUIT
Aug 31 04:38:14 be msd[603032]: Exiting (bytes in: 118 out: 177)
On 2022-08-31 04:49, Andreas S. Kerber via mailop wrote:
Noticing lot's of noise from OVH adress ranges with "bouncer.cloud"
PTR and HELO. Often they are trying only one recipient and seem to
move on then.
Can anyone shed some light on what these people are trying to
accomplish? Could there be any kind of legitimacy, or are just plain
bad guys? Seems like a lot of effort to push spam this way and that's
what's holding me back from blocking them..
SPF pass: ip=135.125.128.56, fqdn=de1-mail-173.bouncer.cloud,
helo=de1-mail-173.bouncer.cloud,
from=<hello@de1-mail-173.bouncer.cloud>
SPF pass: ip=91.121.50.199, fqdn=sbg5-mail-160.bouncer.cloud,
helo=sbg5-mail-160.bouncer.cloud,
from=<hello@sbg5-mail-160.bouncer.cloud>
SPF pass: ip=51.89.19.107, fqdn=de1-mail-35.bouncer.cloud,
helo=de1-mail-35.bouncer.cloud, from=<hello@de1-mail-35.bouncer.cloud>
SPF pass: ip=51.68.178.58, fqdn=de1-mail-5.bouncer.cloud,
helo=de1-mail-5.bouncer.cloud, from=<hello@de1-mail-5.bouncer.cloud>
SPF pass: ip=46.105.33.125, fqdn=sbg5-mail-141.bouncer.cloud,
helo=sbg5-mail-141.bouncer.cloud,
from=<hello@sbg5-mail-141.bouncer.cloud>
SPF pass: ip=37.59.67.40, fqdn=sbg5-mail-37.bouncer.cloud,
helo=sbg5-mail-37.bouncer.cloud,
from=<hello@sbg5-mail-37.bouncer.cloud>
SPF pass: ip=178.32.167.75, fqdn=sbg5-mail-150.bouncer.cloud,
helo=sbg5-mail-150.bouncer.cloud,
from=<hello@sbg5-mail-150.bouncer.cloud>
SPF pass: ip=54.36.212.178, fqdn=sbg5-mail-147.bouncer.cloud,
helo=sbg5-mail-147.bouncer.cloud,
from=<hello@sbg5-mail-147.bouncer.cloud>
SPF pass: ip=135.125.224.91, fqdn=de1-mail-233.bouncer.cloud,
helo=de1-mail-233.bouncer.cloud,
from=<hello@de1-mail-233.bouncer.cloud>
SPF pass: ip=135.125.145.35, fqdn=de1-mail-185.bouncer.cloud,
helo=de1-mail-185.bouncer.cloud,
from=<hello@de1-mail-185.bouncer.cloud>
SPF pass: ip=188.165.49.25, fqdn=sbg5-mail-27.bouncer.cloud,
helo=sbg5-mail-27.bouncer.cloud,
from=<hello@sbg5-mail-27.bouncer.cloud>
SPF pass: ip=51.38.116.69, fqdn=de1-mail-1.bouncer.cloud,
helo=de1-mail-1.bouncer.cloud, from=<hello@de1-mail-1.bouncer.cloud>
SPF pass: ip=178.33.42.186, fqdn=sbg5-mail-25.bouncer.cloud,
helo=sbg5-mail-25.bouncer.cloud,
from=<hello@sbg5-mail-25.bouncer.cloud>
SPF pass: ip=51.89.47.230, fqdn=de1-mail-108.bouncer.cloud,
helo=de1-mail-108.bouncer.cloud,
from=<hello@de1-mail-108.bouncer.cloud>
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and
intended
solely for the use of the individual or entity to which they are
addressed.
Please note that any views or opinions presented in this email are
solely
those of the author and are not intended to represent those of the
company.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop