Not the first time I’ve heard of gremlin.ru – found this from a mirror of their FAQ:
---8<--- A: Surely, you have received a bounce message similar to this: 550 Rejected: 192.168.62.14 is listed at work.drbl.example.net This is well enough to investigate, who (and ever why) had listed your host. First of all, who: % host -t any 14.62.168.192.work.drbl.example.net 14.62.168.192.work.drbl.example.net has address 127.0.0.2 14.62.168.192.work.drbl.example.net descriptive text "vote.drbl.example....@ns.example.net" Why: % host -t any 14.62.168.192.vote.drbl.example.net 14.62.168.192.vote.drbl.example.net has address 127.0.0.2 14.62.168.192.vote.drbl.example.net descriptive text "Open SOCKS proxy" Fix the SOCKS issue - e.g., by setting up NAT - and do one more NS query: % host -t soa vote.drbl.example.net vote.drbl.example.net SOA ns.example.net postmaster.example.net( 1067889002 ;serial (version) 10800 ;refresh period 1800 ;retry refresh this often 604800 ;expiration period 86400 ;minimum TTL ) Now, write to "postmaster AT example DOT net" and ask them to re-test your server. Paul From: Rupert Gallagher <r...@protonmail.com> Reply-To: Rupert Gallagher <r...@protonmail.com> Date: Wednesday, 6 February 2019 at 11:55 To: SA <users@spamassassin.apache.org> Subject: New type of SPAM aggression This is to inform about a new type of SPAM aggression. We received from Russia, for months, and redirected them automatically to an administrative address for manual inspection. All emails were spam with links. From the standpoint of the attacker(s), all emails were delivered, but none turned into exploits. Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We followed the address to de-list, but gremlin.ru does not exist. So, if you are successful against Russian spam, you will be ... blacklisted by an unknown gremlin. Paul Stead Senior Engineer Zen Internet