Re: [mailop] [EXTERNAL] Anybody seeing a huge spike of (S3140) errors from Hotmail/Outlook started on Sep 7th

[Michael Wise via mailop]

You’re going to have to file a ticket, and they’re really the only folks who 
can assist.
But that s typically an indication that there’s something going weird on your 
network.

And trying to obfuscate it with IP.AD.DR.ES doesn’t help in figuring out what’s 
going on.
Just saying,.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail ?

From: mailop  On Behalf Of Rauf Guliyev via mailop
Sent: Wednesday, September 9, 2020 2:59 PM
To: mailop@mailop.org
Subject: [EXTERNAL] [mailop] Anybody seeing a huge spike of (S3140) errors from 
Hotmail/Outlook started on Sep 7th

Hello there,

We are seeing a huge spike in "550 5.7.1 Unfortunately, messages from 
[IP.AD.DR.ES]
 weren't sent. Please contact your Internet service provider since part of 
their network is on our block list (S3140)" errors while sending to 
Hotmail/Outlook. It started on Sep 7th and is affecting only one datacenter,  
the rest is sending the same emails just fine.  The SNDS shows the affected IPs 
as green. Filed a ticket (SR1508383241) but curious to see if it's widespread.

Thanks in advance,
Rauf

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Anybody seeing a huge spike of (S3140) errors from Hotmail/Outlook started on Sep 7th

[Rauf Guliyev via mailop]

Hello there,

We are seeing a huge spike in "550 5.7.1 Unfortunately, messages from [
IP.AD.DR.ES] weren't sent. Please contact your Internet service provider
since part of their network is on our block list (S3140)" errors while
sending to Hotmail/Outlook. It started on Sep 7th and is affecting only one
datacenter,  the rest is sending the same emails just fine.  The SNDS shows
the affected IPs as green. Filed a ticket (SR1508383241) but curious to see
if it's widespread.

Thanks in advance,
Rauf
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Jay Hennigan via mailop]

On 9/9/20 11:01, Michael Wise via mailop wrote:

... people still DO that? Sorry.


Yes. Many of us here have embraced but haven't extended and aren't 
attempting to extinguish. ;-)


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Gardener, Ray A via mailop]

no one szsmmbm



Ray Gardener



 Original message 
From: Jaroslaw Rafa via mailop 
Date: 09/09/2020 7:19 pm (GMT+00:00)
To: mailop@mailop.org
Subject: Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where 
do I go to request removal?

CAUTION: This message was sent from outside the University, purportedly from 
mailop-boun...@mailop.org .

Please check the sender is legitimate before responding. Please treat any links 
or attachments with care -  do not follow or open them unless you are sure they 
are genuine.




Dnia  9.09.2020 o godz. 18:01:27 Michael Wise via mailop pisze:
>
>
> ... people still DO that? Sorry.

Yes, they do.
And especially on this list you should expect that.
--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Luis E. Muñoz via mailop]

On 9 Sep 2020, at 11:29, Atro Tossavainen via mailop wrote:

> (Some time ago I might have added "and isn't even based on x86" to the
> bit about running windows apps. Maybe I'll go back to that and run Mutt
> on ARM instead. Wonder how much it would cost to host an army of Pi at
> a commercial datacenter. My SPARC Solaris 10 box is still doing fine :-D)

AWS rents cheap ARM-based servers now.

Best regards

-lem

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Atro Tossavainen via mailop]

> ... people still DO that? Sorry.

Yes, people do still do that, unless you count yours truly as "not
people" =:->=

It's hard to have HTML/JavaScript rendering related security problems
when you don't. It's nice to run the mail client on a server that you
can ssh to from anything, and it's really difficult for the Windows
malware to do anything in a system that does not, cannot, and will not
execute email attachments - and could not even do so because it doesn't
even run Windows.

It's also very difficult to get a shell window, mutt and vi stuck in
some kind of an obscure loop that is perfectly trivial to do in a gooey
application or the browser.

(Some time ago I might have added "and isn't even based on x86" to the
bit about running windows apps. Maybe I'll go back to that and run Mutt
on ARM instead. Wonder how much it would cost to host an army of Pi at
a commercial datacenter. My SPARC Solaris 10 box is still doing fine :-D)



> 
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation| Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail ?
> 
> 
> 
> -Original Message-
> From: mailop  On Behalf Of Dan Malm via mailop
> Sent: Wednesday, September 9, 2020 2:25 AM
> To: mailop@mailop.org
> Subject: Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and 
> where do I go to request removal?
> 
> 
> 
> On 2020-09-09 10:53, Laura Atkins via mailop wrote:
> 
> > “This” was a link to Open a ticket for Hotmail...
> 
> >
> 
> 
> 
> Referring to "links" using background color works quite poorly when your
> 
> recipients read their mail in text/plain... :)
> 
> 
> 
> --
> 
> BR/Mvh. Dan Malm, Systems Engineer, One.com

> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Graeme Fowler via mailop]

On 9 Sep 2020, at 19:11, Jaroslaw Rafa via mailop  wrote:
> Yes, they do.
> And especially on this list you should expect that.

And especially on this list you should expect that people will compose and read 
emails in all sorts of different ways, which you may have to adjust for in both 
senses.

Fixed that for you.

Graeme


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Jaroslaw Rafa via mailop]

Dnia  9.09.2020 o godz. 18:01:27 Michael Wise via mailop pisze:
> 
> 
> ... people still DO that? Sorry.

Yes, they do.
And especially on this list you should expect that.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Michael Wise via mailop]

... people still DO that? Sorry.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail ?



-Original Message-
From: mailop  On Behalf Of Dan Malm via mailop
Sent: Wednesday, September 9, 2020 2:25 AM
To: mailop@mailop.org
Subject: Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where 
do I go to request removal?



On 2020-09-09 10:53, Laura Atkins via mailop wrote:

> “This” was a link to Open a ticket for Hotmail...

>



Referring to "links" using background color works quite poorly when your

recipients read their mail in text/plain... :)



--

BR/Mvh. Dan Malm, Systems Engineer, One.com
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [External] antispamcloud.com (SpamExperts) forensics reports format

[Kevin A. McGrail via mailop]

On 9/9/2020 1:12 PM, Sébastien Riccio via mailop wrote:
> We are parsing dmarc reports using parsedmarc and the forensics
> reports coming from antispamcloud.com seems not to follow the
> recommended reporting format (AFRF) and therefore are considered invalid.
>
> Maybe is there anyone from SpamExperts in this list that could
> enlighten me about how we could request to receive the reports in a
> common format?
>

I've forwarded the email to Dreas with SpamExperts to see if he can
weigh in!

Regards,

KAM

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] antispamcloud.com (SpamExperts) forensics reports format

[Sébastien Riccio via mailop]

Hello,

We are parsing dmarc reports using parsedmarc and the forensics reports coming 
from antispamcloud.com seems not to follow the recommended reporting format 
(AFRF) and therefore are considered invalid.

Maybe is there anyone from SpamExperts in this list that could enlighten me 
about how we could request to receive the reports in a common format?

If I understand correctly that should be the case by default:

https://tools.ietf.org/html/rfc7489#section-7.3
When a Domain Owner requests failure reports for the purpose of
forensic analysis, and the Mail Receiver is willing to provide such
reports, the Mail Receiver generates and sends a message using the
format described in [AFRF]; this document updates that reporting
format, as described in Section 7.3.1.

https://tools.ietf.org/html/rfc7489#section-6.3
rf:  Format to be used for message-specific failure reports (colon-
  separated plain-text list of values; OPTIONAL; default is "afrf").
  The value of this tag is a list of one or more report formats as
  requested by the Domain Owner to be used when a message fails both
  [SPF] and [DKIM] tests to report details of the individual
  failure.  The values MUST be present in the registry of reporting
  formats defined in Section 11; a Mail Receiver observing a
  different value SHOULD ignore it or MAY ignore the entire DMARC
  record.  For this version, only "afrf" (the auth-failure report
  type defined in [AFRF]) is presently supported.  See Section 7.3
  for details.  For interoperability, the Authentication Failure
  Reporting Format (AFRF) MUST be supported.


Instead we receive it with this format:

A message claiming to be from you has failed the published DMARC
policy for your domain.

  Sender Domain: xyz.ch
  Sender IP Address: x.x.x.x
  Received Date: Fri, 04 Sep 2020 16:37:40 +0200
  SPF Alignment: no
  DKIM Alignment: no
  DMARC Results: None, Accept

-- This is a copy of the headers that were received before the error
   was detected.


[then all headers of the offending message here that I removed for this post]


Thanks a lot for your infos and help.

Kind regards,

Sébastien RICCIO
SYSTEM ADMINISTRATOR
P  +41 840 888 888
F  +41 840 888 000
M sric...@swisscenter.com





___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] What's Microsoft's S3150 block list and where do I go to request removal?

[Adam Moffett via mailop]

Microsoft's mail blocking is very aggressive.

I've dealt with this a few times.  Each time we found a compromised 
email account on our system.  So if you haven't already done so, I'd 
analyze logs looking for an unusually busy sender.


The catch is that after you fix whatever the problem is you'll still be 
blocked for several days afterwards.  I do wish they'd provide samples 
of whatever messages set off the blocking.  In a perfect world I'd also 
want a way to send them an "all clear" that the problem is resolved.



-- Original Message --
From: "Andy Smith via mailop" 
To: mailop@mailop.org
Sent: 9/8/2020 6:15:16 PM
Subject: [mailop] What's Microsoft's S3150 block list and where do I go 
to request removal?



Hi,

We have a customer who's been receiving Icinga (basically Nagios)
alerts every few hours for the last few days to their hotmail
address. The customer could/should have either addressed the
situation or halted the alerts, but they didn't and that's their
choice.

In the third day of this we've started getting this NDR:

  [removed]@hotmail.com
host hotmail-com.olc.protection.outlook.com [104.47.55.161]
SMTP error from remote mail server after pipelined MAIL 
FROM: SIZE=2107:
550 5.7.1 Unfortunately, messages from [85.119.80.238] weren't sent. Please 
contact your Internet service
provider since part of their network is on our block list (S3150). You can also 
refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors. 
[BN8NAM12FT030.eop-nam12.prod.protection.outlook.com]

So, what's "S3150"? — it isn't mentioned at all on
http://mail.live.com/mail/troubleshooting.aspx#errors — and where
should I be going to request delist?

I realise I need to sort out SPF for that envelope sender.

All of the mails will have been almost identical so I can see why
something might have been triggered, however they were requested by
the recipient.

Cheers,
Andy

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Andy Smith via mailop]

On Wed, Sep 09, 2020 at 12:10:43AM +, Andy Smith via mailop wrote:
> What's the "this" you mention? My comment that I should fix up SPF?

Response to Hotmail ticket:

Not qualified for mitigation
85.119.80.238
Our investigation has determined that the above IP(s) do not qualify
for mitigation.

The response does not explain why it does not qualify.

Oh well.

On the off-chance that there's anyone here who can look into that (I
have no expectation that there is), the ticket ID is
SRX1508320450ID. I did also follow up to request a review based on
the fact that it's transactional email that the recipient asked for.

Cheers,
Andy

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Dan Malm via mailop]

On 2020-09-09 10:53, Laura Atkins via mailop wrote:
> “This” was a link to Open a ticket for Hotmail...
> 

Referring to "links" using background color works quite poorly when your
recipients read their mail in text/plain... :)

-- 
BR/Mvh. Dan Malm, Systems Engineer, One.com


pEpkey.asc
Description: application/pgp-keys
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] What's Microsoft's S3150 block list and where do I go to request removal?

[Laura Atkins via mailop]

> On 9 Sep 2020, at 01:10, Andy Smith via mailop  wrote:
> 
> Hi Michael,
> 
> Given that the recipient can't be bothered to either fix the problem
> that's causing the alerts, nor hit the button that silences the
> alerts, I'm guessing they won't take any action on their side. I'm
> fine with them not receiving these emails in that case, but I don't
> want wider block listing to occur.

If that IP is dedicated to this email and only this email to this recipient, 
then he’s the only one who is harmed. If that IP is shared, then you need to 
consider whether or not you should stop mailing this person who clearly can’t 
be bothered to receive the mail. 

> What's the "this" you mention? My comment that I should fix up SPF?

“This” was a link to Open a ticket for Hotmail 
 ? in his signature file. That 
link points to http://go.microsoft.com/fwlink/?LinkID=614866 
 

laura 

> 
> Also if you have any other advice beyond that for actions I can
> take.
> 
> Thanks!
> Andy
> 
> On Tue, Sep 08, 2020 at 11:01:36PM +, Michael Wise via mailop wrote:
>> You’ve pretty much already got the idea.
>> 
>> The recipient should safe-sender the sending address of the probes, and that 
>> should solve the issue.
>> 
>> Failing that … this.
>> 
>> Aloha,
>> Michael.
>> --
>> Michael J Wise
>> Microsoft Corporation| Spam Analysis
>> "Your Spam Specimen Has Been Processed."
>> Open a ticket for Hotmail ?
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: https://wordtothewise.com/blog 







___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop