Re: [mailop] Cisco PIX Mailguard Oddity

2016-05-06 Thread Bill Cole

On 6 May 2016, at 9:05, Todd Herr wrote:

> On Thu, May 5, 2016 at 10:10 PM, Dave Warren wrote:
>
> > Given that RFC 821 is from August of 1982, I would wholeheartedly
> > recommend unplugging them until they catch up to at least 1984, or if
> > that's not possible, at least disable the SMTP-breaking "feature". Even
> > Microsoft published a how-to article on the topic:
> > https://support.microsoft.com/en-us/kb/320027
>
> Yes, while I appreciate the sentiment, the PIXen are not mine to
> unplug.


Unfortunately, there's no general solution to the problem from the "not 
my PIX" side of this problem. If you use Postfix, there's a *PARTIAL* 
fix in the smtp_pix_workarounds feature, but ultimately the only way to 
make mail work reliably through a PIX or ASA firewall is to turn off its 
misguided and fundamentally broken manipulation of SMTP.


And on the bright side: if this is an actual PIX, it stands a strong 
chance of being so compromised in the near future that unplugging is the 
only rational fix. Cisco stopped putting out fixes for them some years 
ago, but well-documented vulnerabilities did not cease to be found and 
fully disclosed.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Cisco PIX Mailguard Oddity

2016-05-06 Thread Franck Martin via mailop
If your network people think they can do a better job than your mail
people, then give them the management of your mail servers, otherwise, tell
them to disable cisco fixup (or whatever it is called nowadays).

On Fri, May 6, 2016 at 8:15 AM, Steve Atkins  wrote:

>
> > On May 6, 2016, at 6:04 AM, Todd Herr  wrote:
> >
> >
> > On Thu, May 5, 2016 at 9:00 PM, Steve Atkins  wrote:
> > I've seen them do that when they get out of sequence. Are you doing the
> transaction above by hand (and with a real HELO and so on), or is it from
> MTA logs?
> >
> > By hand, real HELO and MAIL FROM, followed by RSET or QUIT, but AIUI,
> RSET or QUIT can be issued at any time, yes?
>
> Yes they can, but I've seen PIXes inexplicably get into a state where they
> reject everything.
>
> Also, they can't handle (with at least some firmware revisions) SMTP
> commands broken across TCP packet boundaries. If you're interacting with
> them using a character-at-a-time tool rather than a line-at-a-time tool
> then that would cause all commands not to be recognized, unless you type
> fast enough to beat Nagle.
>
> Telnet (at least on unixy platforms) defaults to line-at-a-time, I think.
>
> Cheers,
>   Steve
>
>


Re: [mailop] DNS Errors for Microsoft Hostnames

2016-05-06 Thread Franck Martin via mailop
On Fri, May 6, 2016 at 3:22 AM, Tony Finch  wrote:

> Franck Martin via mailop  wrote:
>
> > This page, provides a way to test EDNS:
> > https://www.dns-oarc.net/oarc/services/replysizetest
>
> That's testing the EDNS large packet feature. A DNS server can support
> EDNS without supporting large packets.
>
which is not the default with bind...


Re: [mailop] What in the name of all that is evil is this new spam technique?

2016-05-06 Thread Aaron C. de Bruyn
Weird.  I've been involved with mail servers for 15 years, and it's the
first time I've run into that.

Out of all the spam I've seen, this strikes me as the absolute sleaziest
possible way to go about it...

/me makes preparations to nuke bounceio from orbit...

Thanks,

-A

On Fri, May 6, 2016 at 1:56 PM, Gil Bahat  wrote:

> It's called bounceio 'domain monetization' and it's not new at all. They
> will send bounces specifically back to the sender address and not the
> return path address. Like any spam operation, it's UCE. Unlike any other
> spam operation, not enough people mark them as spam, so their email still
> gets accepted. I asked our ESP to avoid sending email to any domain with a
> BIO server in the MX.
>
> Gil
> On May 6, 2016 11:43 PM, "Aaron C. de Bruyn"  wrote:
>
> A user sent a message to the django-users list asking for help.  I replied
> and about 5 minutes later I got a 'bounce' message that is basically a
> bounce message laden with spam.
>
> http://imgur.com/Ohn6sPE
>
> Is this a new method of delivering spam?  Get 'someone' like
> j...@piccloud.com to sign up for the mailing list, then delete the
> account and have piccloud.com send spam thinly-disguised as bounce
> messages?
>
> -A
>


Re: [mailop] Cisco PIX Mailguard Oddity

2016-05-06 Thread Steve Atkins

> On May 6, 2016, at 6:04 AM, Todd Herr  wrote:
> 
> 
> On Thu, May 5, 2016 at 9:00 PM, Steve Atkins  wrote:
> I've seen them do that when they get out of sequence. Are you doing the 
> transaction above by hand (and with a real HELO and so on), or is it from MTA 
> logs?
> 
> By hand, real HELO and MAIL FROM, followed by RSET or QUIT, but AIUI, RSET 
> or QUIT can be issued at any time, yes?

Yes they can, but I've seen PIXes inexplicably get into a state where they 
reject everything.

Also, they can't handle (with at least some firmware revisions) SMTP commands 
broken across TCP packet boundaries. If you're interacting with them using a 
character-at-a-time tool rather than a line-at-a-time tool then that would 
cause all commands not to be recognized, unless you type fast enough to beat 
Nagle.

Telnet (at least on unixy platforms) defaults to line-at-a-time, I think.

Cheers,
  Steve




[mailop] SBA.gov Contact

2016-05-06 Thread Brotman, Alexander
We're seeing an issue with delivering to sba.gov.  The DNS servers we reference 
from these MTAs are showing SERVFAIL for a PTR lookup on 165.110.5.75.  

http://dnsviz.net/d/75.5.110.165.in-addr.arpa/dnssec/

seems to imply they're having a DNSSEC issue (unless I'm misinterpreting the 
output).  Thanks

--
Alex Brotman
Engineer, Anti-Abuse
Comcast
x5364





Re: [mailop] Cisco PIX Mailguard Oddity

2016-05-06 Thread Todd Herr
On Thu, May 5, 2016 at 9:00 PM, Steve Atkins  wrote:

> I've seen them do that when they get out of sequence. Are you doing the
> transaction above by hand (and with a real HELO and so on), or is it from
> MTA logs?


By hand, real HELO and MAIL FROM, followed by RSET or QUIT, but AIUI, RSET
or QUIT can be issued at any time, yes?


-- 
Todd
703.220.4153


Re: [mailop] Cisco PIX Mailguard Oddity

2016-05-06 Thread Tony Finch
Dave Warren  wrote:
>
> They're broken by design and not fit for purpose. Among their many flaws, they
> don't even make it to RFC821 3.1, the MAIL command, which is described as the
> following:
>
> MAIL <SP> FROM:<reverse-path> <CRLF>
>
> Instead, when they receive a "M" in a packet alone, they interpret it as an
> invalid command and don't bother to parse the rest of the command. However, if
> you deliver the whole command in one TCP packet, they will accept it; This is
> patently stupid.
>
> Although TCP won't generally break up such a short string into multiple
> packets there's actually nothing wrong with doing so and there's no
> requirement in RFC 821 to send each command in a single packet.

I have actually seen this happen in the real world, though it affected
the RCPT command instead of MAIL.

The server offered PIPELINING and the PIX allowed it through, but if the
pipelined RCPT commands happened to span a packet boundary the PIX
destroyed the command, and thereby wrecked the transaction.

http://fanf.livejournal.com/102206.html

If you have a PIX or ASA, turn off all its protocol fuxup options.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Sole, Lundy, Fastnet, Irish Sea: North or northeast 4 or 5, occasionally 6
later. Rough becoming moderate in Sole, otherwise slight or moderate. Fair
then thundery showers. Good, occasionally poor.

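An added illustration of the packet-boundary failure Steve and Tony describe above; this is not code from the thread or from Cisco. It puts a per-segment command check of the kind the posts attribute to the PIX beside the CRLF-buffered reassembly an RFC-compliant SMTP receiver performs; the verb list and the sample TCP segments are constructed for the example.

```python
# Added example, not from the mailop thread: why judging SMTP commands per
# TCP segment breaks valid sessions, and why line buffering does not.
from typing import List, Tuple

# Constructed verb list; a real receiver checks against its full command set.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT", "NOOP"}


def verb_of(line: str) -> str:
    """Return the SMTP verb of one command line, upper-cased."""
    return line.split(" ", 1)[0].split(":", 1)[0].upper()


def inspect_per_segment(segments: List[bytes]) -> List[Tuple[str, str]]:
    """Judge each TCP segment on its own, as the posts describe the PIX doing.
    A command split over two segments is judged on its fragments, so "M" and
    "AIL FROM:<...>" are both rejected although the byte stream is valid."""
    verdicts = []
    for seg in segments:
        for frag in seg.decode("ascii").split("\r\n"):
            if frag:
                ok = verb_of(frag) in ALLOWED_VERBS
                verdicts.append((frag, "accept" if ok else "reject"))
    return verdicts


def inspect_buffered(segments: List[bytes]) -> List[Tuple[str, str]]:
    """Reassemble the stream and judge only complete CRLF-terminated lines.
    Segment boundaries are invisible here, which is what RFC 821/5321 assume;
    a line-at-a-time client (telnet) usually sends a whole line in one segment,
    which is why typing by hand tends to "work" through the PIX."""
    verdicts = []
    buf = b""
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            text = line.decode("ascii")
            ok = verb_of(text) in ALLOWED_VERBS
            verdicts.append((text, "accept" if ok else "reject"))
    return verdicts


# Constructed sample streams: MAIL with its first byte alone in a segment
# (Dave's case) and pipelined RCPTs spanning a boundary (Tony's case).
SPLIT_MAIL = [b"M", b"AIL FROM:<alice@example.org>\r\n"]
SPLIT_RCPT = [b"RCPT TO:<bob@example.net>\r\nRCPT T", b"O:<carol@example.net>\r\n"]

if __name__ == "__main__":
    for name, stream in (("MAIL", SPLIT_MAIL), ("RCPT", SPLIT_RCPT)):
        print(name, "per-segment:", inspect_per_segment(stream))
        print(name, "buffered:   ", inspect_buffered(stream))
```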


Re: [mailop] DNS Errors for Microsoft Hostnames

2016-05-06 Thread Tony Finch
Franck Martin via mailop  wrote:

> This page, provides a way to test EDNS:
> https://www.dns-oarc.net/oarc/services/replysizetest

That's testing the EDNS large packet feature. A DNS server can support
EDNS without supporting large packets.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Trafalgar: Cyclonic becoming west or northwest, 4 or 5. Moderate, occasionally
rough in north. Thundery showers. Moderate or good.



Re: [mailop] Removing a JMRP complaint feed from a previous

2016-05-06 Thread Syed Alam
Hi Michael,

We have tried to contact msn-s...@microsoft.com a few times now but didn't
hear back.

All the FBL complaints are going to the previous IP owner's feed address, which
has no access (or should not have access) to the IP range.

Any other suggestions?

Thanks,
Syed

On Mon, Apr 25, 2016 at 1:27 PM, Syed Alam  wrote:

> Thanks Michael. We have received a response now
>
> and advised to contact msn-s...@microsoft.com regarding JMRP
> queries/issues.
>
>
>
> Message: 1
>> Date: Tue, 19 Apr 2016 22:02:39 +
>> From: Michael Wise 
>> To: "mailop@mailop.org" 
>> Subject: Re: [mailop] Removing a JMRP complaint feed from a previous
>> IP owner
>> Message-ID:
>> <
>> by2pr03mb411ef93e3c21d7a60107ea080...@by2pr03mb411.namprd03.prod.outlook.com
>> >
>>
>> Content-Type: text/plain; charset="utf-8"
>>
>>
>> Yup. “Open A Ticket…” here:
>>
>> http://go.microsoft.com/fwlink/?LinkID=614866
>> (Yes, you should probably bookmark that for all
>> HotMail/JMRP/SNDS issues)
>>
>> T1 (the robot) won’t be able to deal with it, so when it replies, reply
>> to that email and let T2 know what the core issue is.
>>
>> Aloha,
>> Michael.
>> --
>> Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been
>> Processed." | Got the Junk Mail Reporting Tool<
>> http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?
>>
>> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Wise
>> Sent: Tuesday, April 19, 2016 2:41 PM
>> To: mailop@mailop.org
>> Subject: Re: [mailop] Removing a JMRP complaint feed from a previous IP
>> owner
>>
>> Just a heads-up that I am trying to get some clarification on this.
>> Will let y’all know when I have something to share.
>>
>> ☺
>>
>> Aloha,
>> Michael.
>> --
> >> Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been
> >> Processed." | Got the Junk Mail Reporting Tool<
> >> http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?
>>
>> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Syed Alam
>> Sent: Tuesday, April 19, 2016 8:37 AM
> >> To: Mr. Frechette
>> Cc: mailop@mailop.org
>> Subject: Re: [mailop] Removing a JMRP complaint feed from a previous IP
>> owner
>>
> >> Thanks for your input @Frechette. In your case, you were the owner of
> >> both (old and new) feeds.
>>
>> In our case, we are the new owner of IPs. We are unable to reach previous
>> IP owner. Technically the previous IP owner rights should have revoked
>> after the new verified IP owner.
>>
> >> On Tue, Apr 19, 2016 at 4:58 PM, Mr. Frechette wrote:
>> You're not alone! We had 2 IPs that we needed to change the FBL email
>> address. I would remove the IPs from the SNDS and JMRP on the original feed
>> and attempt to add them under a new feed. Every time I would do that, it
>> would appear to work and then on page refresh, revert back to the original
>> settings.
>>
>> What helped with us is to remove the IPs from the old feed (revoke
>> access) and wait a day. Then, add them under the new feed.
>>
>> We did have to send multiple emails to request support and by providing
>> screenshots and even video of our actions helped to get someone to
>> investigate the issue. Not sure if it was a combination of support help and
>> waiting overnight, but that's how we got the new feed setup.
>>
>> Justin Frechette
>> iContact
>>
> >> On Tue, Apr 19, 2016 at 10:30 AM, Syed Alam <s...@postmastery.net> wrote:
>> Does anyone have experience with removing a JMRP complaint feed from a
>> previous IP owner? Even though the old owner does not have access to the
>> IPs, he is receiving all complaints.
>>
> >> We see the old feed in SNDS, but are not allowed to manage it. We tried
> >> to contact Outlook.com support (many times), but weren't able to get past
> >> the "bot" with standard replies. Any help is appreciated.
>>
>> ​Thanks,​
>>
>> --
>> Syed Alam
>>
>> Postmastery
>> Amsterdam, NL
>> Skype: alam50
>> T: +31 20 261 0438
>>
>>
>>
>>
>>
>> --
>> Syed