Re: [mailop] SMTP noise from *.bouncer.cloud

Wed, 31 Aug 2022 14:12:33 -0700 

For those of us out of the loop....what is this?



On 8/31/22 3:22 PM, Michael Peddemors via mailop wrote:
For the record, I should note in this thread, that in this case it is an actual company behind this (was reached out offlist by a principle) and many on the list are aware of this person. 

https://www.linkedin.com/company/usebouncer/
Who/what/where their clients are, and for what purpose of course, is not likely something we will find out unless they like to share more, but we can continue discussing this in terms of all the operators out there, and what constitutes the good vs the ugly.
But I do of course understand the temptation to simply block them, if you dont' know what they are doing.
But of course recommended that they be more transparent, both in the use of IP space clearly indicating they are the operator (rwhois or SWIP) and the domain used should have an associated URL where contact information can be found.  Those recommendations would apply to all the AWS ones, and other companies equally. 

    -- Michael --



On 2022-08-31 10:15, Jarland Donnell via mailop wrote:
Nice find. Here's the IP list I pulled for them as well: https://clbin.com/Fr1IH
Probably not worth blocking by IP but some blacklistings might alert hosts to abusive behavior more than "yet another ignored abuse complaint." 

On 2022-08-31 08:56, Michael Peddemors via mailop wrote:

Not just OVH, on LeaseWeb as well..

Script at least is sane, even though it simply does a RCPT TO, then
QUIT.  Suggest it is another email validator, or list washer.. without
transparency.

Aug 31 04:38:13 be msd[603032]: Linux Magic SMTPD started: connection
from 212.7.193.14 (192.168.0.118:25) Linux 2.2.x-3.x
Aug 31 04:38:13 be msd[603032]: Created UUID
65a11bb8-2921-11ed-a12c-272390e3399e for message
Aug 31 04:38:13 be msd[603032]: CONN: 212.7.193.14 -> 25 GeoIP = [NL]
PTR = lw-mail-14.bouncer.cloud OS = Linux 2.2.x-3.x
Aug 31 04:38:13 be msd[603032]: EHLO command received, args:
lw-mail-14.bouncer.cloud
Aug 31 04:38:13 be msd[603032]: MAIL command received, args:
FROM:<hello@lw-mail-14.bouncer.cloud>
Aug 31 04:38:13 be msd[603032]: MAIL FROM address:
[hello@lw-mail-14.bouncer.cloud]
Aug 31 04:38:13 be msd[603032]: Doing server-wide checks
Aug 31 04:38:13 be msd[603032]: rfc_mail_from(hello@lw-mail-14.bouncer.cloud) 
Aug 31 04:38:13 be msd[603032]: Done server-wide checks
Aug 31 04:38:13 be msd[603032]: RCPT command received (212.7.193.14),
args: TO:<SNIPPED>
Aug 31 04:38:13 be msd[603032]: from domain country
code[lw-mail-14.bouncer.cloud] = "**"
Aug 31 04:38:13 be msd[603032]: helo domain country
code[lw-mail-14.bouncer.cloud] = "**"
Aug 31 04:38:13 be msd[603032]: Doing server-wide checks
Aug 31 04:38:13 be msd[603032]: Looking up domain
lw-mail-14.bouncer.cloud (this may take a while)
Aug 31 04:38:14 be msd[603032]: Done server-wide checks
Aug 31 04:38:14 be msd[603032]: RCPT address [SNIPPED] is local
Aug 31 04:38:14 be msd[603032]: User spam rules loaded successfully
Aug 31 04:38:14 be msd[603032]: Doing domain-wide checks
Aug 31 04:38:14 be msd[603032]: Done domain-wide checks
Aug 31 04:38:14 be msd[603032]: User spam checking enabled
Aug 31 04:38:14 be msd[603032]: SPAM HIT: block_lists: 41
Aug 31 04:38:14 be msd[603032]: Adding flag for quarantine.
Aug 31 04:38:14 be msd[603032]: QUIT command received, args:
Aug 31 04:38:14 be msd[603032]: Session ending: Client issued QUIT
Aug 31 04:38:14 be msd[603032]: Exiting (bytes in: 118 out: 177)



On 2022-08-31 04:49, Andreas S. Kerber via mailop wrote:
Noticing lot's of noise from OVH adress ranges with "bouncer.cloud" PTR and HELO. Often they are trying only one recipient and seem to move on then. Can anyone shed some light on what these people are trying to accomplish? Could there be any kind of legitimacy, or are just plain bad guys? Seems like a lot of effort to push spam this way and that's what's holding me back from blocking them..
SPF pass: ip=135.125.128.56, fqdn=de1-mail-173.bouncer.cloud, helo=de1-mail-173.bouncer.cloud, from=<hello@de1-mail-173.bouncer.cloud> SPF pass: ip=91.121.50.199, fqdn=sbg5-mail-160.bouncer.cloud, helo=sbg5-mail-160.bouncer.cloud, from=<hello@sbg5-mail-160.bouncer.cloud> SPF pass: ip=51.89.19.107, fqdn=de1-mail-35.bouncer.cloud, helo=de1-mail-35.bouncer.cloud, from=<hello@de1-mail-35.bouncer.cloud> SPF pass: ip=51.68.178.58, fqdn=de1-mail-5.bouncer.cloud, helo=de1-mail-5.bouncer.cloud, from=<hello@de1-mail-5.bouncer.cloud> SPF pass: ip=46.105.33.125, fqdn=sbg5-mail-141.bouncer.cloud, helo=sbg5-mail-141.bouncer.cloud, from=<hello@sbg5-mail-141.bouncer.cloud> SPF pass: ip=37.59.67.40, fqdn=sbg5-mail-37.bouncer.cloud, helo=sbg5-mail-37.bouncer.cloud, from=<hello@sbg5-mail-37.bouncer.cloud> SPF pass: ip=178.32.167.75, fqdn=sbg5-mail-150.bouncer.cloud, helo=sbg5-mail-150.bouncer.cloud, from=<hello@sbg5-mail-150.bouncer.cloud> SPF pass: ip=54.36.212.178, fqdn=sbg5-mail-147.bouncer.cloud, helo=sbg5-mail-147.bouncer.cloud, from=<hello@sbg5-mail-147.bouncer.cloud> SPF pass: ip=135.125.224.91, fqdn=de1-mail-233.bouncer.cloud, helo=de1-mail-233.bouncer.cloud, from=<hello@de1-mail-233.bouncer.cloud> SPF pass: ip=135.125.145.35, fqdn=de1-mail-185.bouncer.cloud, helo=de1-mail-185.bouncer.cloud, from=<hello@de1-mail-185.bouncer.cloud> SPF pass: ip=188.165.49.25, fqdn=sbg5-mail-27.bouncer.cloud, helo=sbg5-mail-27.bouncer.cloud, from=<hello@sbg5-mail-27.bouncer.cloud> SPF pass: ip=51.38.116.69, fqdn=de1-mail-1.bouncer.cloud, helo=de1-mail-1.bouncer.cloud, from=<hello@de1-mail-1.bouncer.cloud> SPF pass: ip=178.33.42.186, fqdn=sbg5-mail-25.bouncer.cloud, helo=sbg5-mail-25.bouncer.cloud, from=<hello@sbg5-mail-25.bouncer.cloud> SPF pass: ip=51.89.47.230, fqdn=de1-mail-108.bouncer.cloud, helo=de1-mail-108.bouncer.cloud, from=<hello@de1-mail-108.bouncer.cloud> 

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop




--
"Catch the Magic of Linux..."
------------------------------------------------------------------------ 
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------ 
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company. 
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop





_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Reply via email to