Not the first time I’ve heard of gremlin.ru – found this from a mirror of their
FAQ:
---8<---
A: Surely, you have received a bounce message similar to this:
550 Rejected: 192.168.62.14 is listed at work.drbl.example.net
This is well enough to investigate, who (and ever why) had listed your host.
First of all, who:
% host -t any 14.62.168.192.work.drbl.example.net
14.62.168.192.work.drbl.example.net has address 127.0.0.2
14.62.168.192.work.drbl.example.net descriptive text
"vote.drbl.example....@ns.example.net"
Why:
% host -t any 14.62.168.192.vote.drbl.example.net
14.62.168.192.vote.drbl.example.net has address 127.0.0.2
14.62.168.192.vote.drbl.example.net descriptive text
"Open SOCKS proxy"
Fix the SOCKS issue - e.g., by setting up NAT - and do one more NS query:
% host -t soa vote.drbl.example.net
vote.drbl.example.net SOA ns.example.net postmaster.example.net(
1067889002 ;serial (version)
10800 ;refresh period
1800 ;retry refresh this often
604800 ;expiration period
86400 ;minimum TTL
)
Now, write to "postmaster AT example DOT net" and ask them to re-test your
server.
Paul
From: Rupert Gallagher <r...@protonmail.com>
Reply-To: Rupert Gallagher <r...@protonmail.com>
Date: Wednesday, 6 February 2019 at 11:55
To: SA <users@spamassassin.apache.org>
Subject: New type of SPAM aggression
This is to inform about a new type of SPAM aggression.
We received from Russia, for months, and redirected them automatically to an
administrative address for manual inspection. All emails were spam with links.
From the standpoint of the attacker(s), all emails were delivered, but none
turned into exploits.
Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We
followed the address to de-list, but gremlin.ru does not exist.
So, if you are successful against Russian spam, you will be ... blacklisted by
an unknown gremlin.
Paul Stead
Senior Engineer
Zen Internet
