Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
Yeah, pretty much. :)

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 4:25 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 4:11 PM, Michael Wise wrote:
> That may or may not be a good metric, since if I just signed up for a legit 
> mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
> robot, I might be backlogged a few tens of seconds.

So, "Click here to subscribe", "Click here if you're a robot" 
white-on-white tiny font. Only count if 1 > 2.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 4:11 PM, Michael Wise wrote:

> That may or may not be a good metric, since if I just signed up for a legit 
> mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
> robot, I might be backlogged a few tens of seconds.


So, "Click here to subscribe", "Click here if you're a robot" 
white-on-white tiny font. Only count if 1 > 2.



--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop

[ lightbulb / ]

I've been thinking about this for a while, and just had a flash of brilliance 
(or madness, hard to tell at times...)

You know what might be a good solution?
Just occurred to me.

The mailing list software displays a clickable link that will send an email 
address with a cookie in the Subject to a special address hosted by the mailing 
list server.

But the trick is, the email *MUST* pass a sufficiently strict DMARC check.

So if the mailing list receives a piece of email *FROM* the sending domain, and 
it's DKIM signed, and it validates, and DMARC passes...
That would be a remarkably strong authentication that the recipient really did 
want the traffic.
It could even be stored for reference later.

And if it was not actually from the recipient, but someone on the same service, 
the true recipient has a piece of evidence of either a compromise, or malicious 
act by another user that would be grounds to TOS them.

Thoughts?

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: Michael Wise 
Sent: Wednesday, May 25, 2016 4:11 PM
To: 'Jay Hennigan' ; mailop@mailop.org
Subject: RE: [mailop] signup form abuse

That may or may not be a good metric, since if I just signed up for a legit 
mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
robot, I might be backlogged a few tens of seconds.

So the Venn Diagram circles just might overlap more than you would wish.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 4:03 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 8:36 AM, Vick Khera wrote:

> I did a spot check of a recent attack. The email address was 
> jabradb...@kanawhascales.com 
> and it got signed up to 12 lists during May 17 and 18. Amazingly, 
> whoever is on the other end of that address clicked to confirm every 
> one of those confirmation messages. All confirmation clicks appear to 
> come from a netblock owned by Barracuda Networks... Hmm...

Maybe Barracuda spam filtering is doing something like opening remote content 
to inspect it before forwarding it to the inbox.

What was the latency between when the confirmations were sent and when they 
were "clicked"?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

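The mail-back confirmation proposed in the message above (a cookie in the Subject, accepted only when the mail passes DKIM and DMARC for the subscriber's own domain), sketched as an added example that is not code from the thread or from any list software. The names `make_token`, `verify_confirmation`, the list id, the `mx.lists.example` authserv-id and the sample messages are assumptions; the sketch also assumes the list's own MTA writes the topmost `Authentication-Results` header and strips forged copies carrying its authserv-id.

```python
import hashlib
import hmac
import re
from email import message_from_bytes, policy
from email.utils import getaddresses

# Same shape as the "confirm <32 hex>" Subject discussed in the thread.
TOKEN_RE = re.compile(r"\bconfirm ([0-9a-f]{32})\b")


def make_token(secret: bytes, list_id: str, address: str) -> str:
    """Cookie placed in the mail-back link; bound to one list and one address."""
    data = f"{list_id}\n{address.lower()}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:32]


def parse_authres(value: str):
    """Parse an Authentication-Results value into (authserv_id, results).

    results maps method -> list of (result, {property: value}).
    Simplified parser: strips (comments), does not handle quoted strings.
    """
    value = re.sub(r"\([^)]*\)", " ", value)
    head, *rest = [part.strip() for part in value.split(";")]
    authserv_id = head.split()[0].lower() if head else ""
    results = {}
    for part in rest:
        words = part.split()
        if not words or "=" not in words[0]:
            continue
        method, result = words[0].split("=", 1)
        props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        results.setdefault(method.lower(), []).append((result.lower(), props))
    return authserv_id, results


def _passed(results, method: str, prop: str, domain: str) -> bool:
    """True if `method` passed with `prop` exactly equal to the From domain."""
    return any(res == "pass" and props.get(prop, "").lower() == domain
               for res, props in results.get(method, []))


def verify_confirmation(raw: bytes, secret: bytes, list_id: str,
                        trusted_authserv_id: str):
    """Return (True, address) or (False, reason) for an inbound mail-back."""
    msg = message_from_bytes(raw, policy=policy.default)
    senders = getaddresses([str(h) for h in msg.get_all("From", [])])
    if len(senders) != 1 or "@" not in senders[0][1]:
        return False, "need exactly one From address"
    address = senders[0][1].lower()
    domain = address.rsplit("@", 1)[1]

    # Only the topmost header, and only if our own MTA wrote it.
    authres = msg.get_all("Authentication-Results", [])
    if not authres:
        return False, "no Authentication-Results header"
    authserv_id, results = parse_authres(str(authres[0]))
    if authserv_id != trusted_authserv_id.lower():
        return False, "Authentication-Results not from our MTA"

    # "Sufficiently strict": DMARC pass plus a DKIM pass whose d= is the
    # From domain itself (strict alignment); an SPF-only pass is not enough.
    if not (_passed(results, "dmarc", "header.from", domain)
            and _passed(results, "dkim", "header.d", domain)):
        return False, "DKIM/DMARC did not pass for the From domain"

    match = TOKEN_RE.search(str(msg.get("Subject", "")))
    if not match:
        return False, "no confirmation token in Subject"
    expected = make_token(secret, list_id, address)
    if not hmac.compare_digest(match.group(1), expected):
        return False, "token does not belong to this sender"
    return True, address


def sample_message(authres: str, subject: str) -> bytes:
    """Constructed sample mail, as the list's MTA would hand it over."""
    return (f"Authentication-Results: {authres}\r\n"
            "From: Alice <alice@example.org>\r\n"
            "To: confirm@lists.example\r\n"
            f"Subject: {subject}\r\n\r\n").encode()
```

Keeping the accepted message, as the proposal suggests, gives the list operator the signed mail itself as the stored record of consent.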


Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
That may or may not be a good metric, since if I just signed up for a legit 
mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
robot, I might be backlogged a few tens of seconds.

So the Venn Diagram circles just might overlap more than you would wish.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 4:03 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 8:36 AM, Vick Khera wrote:

> I did a spot check of a recent attack. The email address was 
> jabradb...@kanawhascales.com 
> and it got signed up to 12 lists during May 17 and 18. Amazingly, 
> whoever is on the other end of that address clicked to confirm every 
> one of those confirmation messages. All confirmation clicks appear to 
> come from a netblock owned by Barracuda Networks... Hmm...

Maybe Barracuda spam filtering is doing something like opening remote content 
to inspect it before forwarding it to the inbox.

What was the latency between when the confirmations were sent and when they 
were "clicked"?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Laura Atkins

> On May 25, 2016, at 4:03 PM, Jay Hennigan  wrote:
> 
> On 5/25/16 8:36 AM, Vick Khera wrote:
> 
>> I did a spot check of a recent attack. The email address
>> was jabradb...@kanawhascales.com 
>> and it got signed up to 12 lists during May 17 and 18. Amazingly,
>> whoever is on the other end of that address clicked to confirm every one
>> of those confirmation messages. All confirmation clicks appear to come
>> from a netblock owned by Barracuda Networks... Hmm...
> 
> Maybe Barracuda spam filtering is doing something like opening remote content 
> to inspect it before forwarding it to the inbox.
> 
> What was the latency between when the confirmations were sent and when they 
> were "clicked"?

Barracuda is well known for following every link in an email, including 
confirmation links

laura

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  








Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop

Oh heck yeah.
And if nothing else, it's Rule Fodder.

Subject =~ /confirm [\da-f]{32}/
Body =~ /\bxx.yy.zz.\d+\b/
... you know the drill.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 3:49 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 7:59 AM, Vick Khera wrote:
>
> On Wed, May 25, 2016 at 10:45 AM, Matthew Black
> <matthew.bl...@csulb.edu> wrote:
>
> > Are your customers using confirmed opt-in mailing lists? If not,
> > they should not be running mailing lists.
>
>
> Yes, the only effect is to send a confirmation message, which is quite 
> generic and at most contains the customer's logo and name of the list, 
> to the victim.

Consider adding the origin IP and timestamp/timezone to the confirmation 
message. It can be useful to savvy folks and to your abuse department if people 
complain about fraudulent confirmation messages themselves, and might act as a 
mild deterrent if the bad guys know you're doing it.

--
--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 8:36 AM, Vick Khera wrote:


> I did a spot check of a recent attack. The email address
> was jabradb...@kanawhascales.com
> and it got signed up to 12 lists during May 17 and 18. Amazingly,
> whoever is on the other end of that address clicked to confirm every one
> of those confirmation messages. All confirmation clicks appear to come
> from a netblock owned by Barracuda Networks... Hmm...


Maybe Barracuda spam filtering is doing something like opening remote 
content to inspect it before forwarding it to the inbox.


What was the latency between when the confirmations were sent and when 
they were "clicked"?


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 7:45 AM, Matthew Black wrote:

> Are your customers using confirmed opt-in mailing lists? If not, they
> should not be running mailing lists.


The monetary compensation of ESPs is directly proportional to the volume 
of promotional messages that they send. Let that sink in.


--
--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 7:59 AM, Vick Khera wrote:


> On Wed, May 25, 2016 at 10:45 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
>
> > Are your customers using confirmed opt-in mailing lists? If not,
> > they should not be running mailing lists.
>
>
> Yes, the only effect is to send a confirmation message, which is quite
> generic and at most contains the customer's logo and name of the list,
> to the victim.


Consider adding the origin IP and timestamp/timezone to the confirmation 
message. It can be useful to savvy folks and to your abuse department if 
people complain about fraudulent confirmation messages themselves, and 
might act as a mild deterrent if the bad guys know you're doing it.


--
--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Michelle Sullivan

Michael Wise wrote:

> The classical response to that is a "Hidden" URL that, if "clicked" by the scanning 
> software, gives "Insight" into the fact that the recipient is doing that, yes?
>
> Aloha,
> Michael.

That is the best solution - I'd hate for people to stop single click 
unsubscribes because they think single click subscribes are dangerous 
therefore the unsub are...   (I will never put my email address into a 
webpage to 'unsubscribe' it...  if it doesn't already know who I am 
well I'm not about to tell it.


--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
I've heard John Levine propose the "hidden link to catch scanning
robots" solution but I've never heard of an email system implementing
it. Similarly, senders have often suggested that spamtrap systems
shouldn't follow links. (Security systems, sure, but don't do that
with spamtrap addresses.) And today I heard it suggested that it would
be wiser to have COI have a second click (probably an HTTP POST-based
button) on the landing web page, to prevent security systems from
erroneously completing COI confirm steps. All good stuff, but it
doesn't sound as though any of it has been widely broadcasted as a
best practice or requirement.

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 4:55 PM, Michael Wise via mailop
 wrote:
> The classical response to that is a "Hidden" URL that, if "clicked" by the 
> scanning software, gives "Insight" into the fact that the recipient is doing 
> that, yes?
>
> Aloha,
> Michael.
> --
> Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
> Processed." | Got the Junk Mail Reporting Tool ?
>
> -Original Message-
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Erwin Harte
> Sent: Wednesday, May 25, 2016 2:48 PM
> To: Michelle Sullivan ; Vick Khera 
> Cc: mailop@mailop.org
> Subject: Re: [mailop] signup form abuse
>
> On 5/25/16 4:40 PM, Michelle Sullivan wrote:
>> Vick Khera wrote:
>>> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote:
>>>
>>>>  I did a spot check of a recent attack. The email address was
>>>>  jabradb...@kanawhascales.com
>>>>   and it got signed up to 12
>>>>  lists during May 17 and 18. Amazingly, whoever is on the other
>>>>  end of that address clicked to confirm every one of those
>>>>  confirmation messages. All confirmation clicks appear to come
>>>>  from a netblock owned by Barracuda Networks... Hmm...
>>>  Which netblock was that?
>>>
>>>
>>> 64.235.144.0/20
>>>
>>> Specifically: 64.235.154.109,
>>> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105,
>>> 64.235.154.109
>>>
>>>
>> Single click through?  (as in everything in the URL?) - if so probably
>> automated mail scanning.
>>
> That's what I expect as well. Those addresses are all from ESS
> (https://www.barracuda.com/products/emailsecurityservice) which does
> 'intent' checking.
>
> --Erwin
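The two measures discussed in the message above, a hidden decoy link that reveals link-following scanners and a confirmation page that only completes on a second, POST-based click, sketched together as an added example that is not code from the thread or from any list software. It also puts the signup's origin IP and timestamp into the confirmation mail, as suggested earlier in the thread. The class, paths, host name and IP addresses are hypothetical, and refusing a POST from an address that fetched the decoy is a design choice of this sketch.

```python
import secrets
import time
from dataclasses import dataclass, field

BASE = "https://lists.example"  # hypothetical list host


@dataclass
class Pending:
    address: str
    signup_ip: str
    signup_ts: float
    confirm_token: str
    decoy_token: str
    confirmed: bool = False
    # (client_ip, seconds after signup) for every fetch of the hidden link
    decoy_hits: list = field(default_factory=list)


class ConfirmService:
    def __init__(self):
        self._confirm = {}
        self._decoy = {}

    def signup(self, address, client_ip, now=None):
        """Record a pending signup; nothing is subscribed yet."""
        ts = time.time() if now is None else now
        p = Pending(address, client_ip, ts,
                    secrets.token_hex(16), secrets.token_hex(16))
        self._confirm[p.confirm_token] = p
        self._decoy[p.decoy_token] = p
        return p

    def confirmation_html(self, p):
        """Body of the confirmation mail, with origin IP and timestamp."""
        stamp = time.strftime("%Y-%m-%d %H:%M:%S +0000",
                              time.gmtime(p.signup_ts))
        return (
            f'<p><a href="{BASE}/confirm/{p.confirm_token}">'
            "Click here to subscribe</a></p>\n"
            # No human is expected to see or follow this link.
            f'<a href="{BASE}/d/{p.decoy_token}" '
            'style="color:#fff;font-size:1px">.</a>\n'
            f"<p>Requested from {p.signup_ip} at {stamp}.</p>\n"
        )

    def handle(self, method, path, client_ip, now=None):
        """Return (status, body) for a request to the list's web server."""
        now = time.time() if now is None else now
        kind, _, token = path.strip("/").partition("/")

        if kind == "d" and token in self._decoy:
            p = self._decoy[token]
            p.decoy_hits.append((client_ip, now - p.signup_ts))
            return 200, "ok"

        if kind == "confirm" and token in self._confirm:
            p = self._confirm[token]
            if method == "GET":
                # A GET never changes state: it only shows the button.
                return 200, ('<form method="post">'
                             "<button>Yes, subscribe me</button></form>")
            if method == "POST":
                if any(ip == client_ip for ip, _ in p.decoy_hits):
                    return 403, "Automated request refused."
                p.confirmed = True
                return 200, "Subscription confirmed."
            return 405, "Method not allowed"

        return 404, "Not found"
```

The latency stored with each decoy hit is the figure asked about earlier in the thread: how long after the confirmation was sent the link was "clicked".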


Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread frnkblk
Finally had a chance to look at my logs … looking at error count over time (all 
U.S. Central) I see the following:

 

Server 1:

  1 25 12:3
  1 25 12:4
  4 25 13:1
 22 25 13:2
 22 25 13:3
 24 25 13:4
 31 25 13:5
 18 25 14:0
  8 25 14:1
 16 25 14:2
  5 25 14:3
 19 25 14:4
 15 25 14:5
 18 25 15:0
  7 25 15:1
  6 25 15:2
  4 25 15:3
 11 25 15:4
  2 25 15:5
  8 25 16:0
  9 25 16:1
  6 25 16:2
  7 25 16:3
  9 25 16:4
  6 25 16:5
  4 25 17:0

Server 2:

  2 25 12:4
  1 25 13:0
 14 25 13:1
 10 25 13:2
 24 25 13:3
 20 25 13:4
 11 25 13:5
 11 25 14:0
 19 25 14:1
 11 25 14:2
  9 25 14:3
 12 25 14:4
 14 25 14:5
  7 25 15:0
  8 25 15:1
 16 25 15:2
  8 25 15:3
 17 25 15:4
 17 25 15:5
  7 25 16:0
 12 25 16:1
 12 25 16:2
 27 25 16:3
 13 25 16:4
 18 25 16:5
  4 25 17:0

 

So it’s off its peak, but not resolved.

 

Frank

 

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jaren Angerbauer
Sent: Wednesday, May 25, 2016 3:50 PM
To: Michael Wise 
Cc: mailop 
Subject: Re: [mailop] Connection failures to Hotmail domains

 

Thanks Mike.  If you can, any update you receive (and can disclose) would be 
greatly appreciated.




--Jaren

 

 

 

On Wed, May 25, 2016 at 2:29 PM, Michael Wise via mailop <mailop@mailop.org> wrote:


Oh yeah, we're aware.
Hearing some reports that the issue may have been mitigated, but until I hear 
anything from Inside the House, can't really comment except to say ... PRI:0, 
being worked on as I type. But not by me, as I have no insight into the inner 
workings.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Al Iverson
Sent: Wednesday, May 25, 2016 1:19 PM
To: mailop <mailop@mailop.org>
Subject: Re: [mailop] Connection failures to Hotmail domains

You're not alone. It's quite widespread. Multiple folks have talked to 
Microsoft people about the issue, they are aware.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 3:08 PM, Keenan Tims <kt...@stargate.ca> wrote:
> I'm seeing 90+% of our connection attempts to the MXes for
> 'hotmail.com' and other Hotmail domains (mx[1-4].hotmail.com) are
> either timing out (30s) or getting connection refused since ~11:00am
> PDT. Anyone else seeing this? I've tested from a few off-net points
> and am seeing the same. Mail is starting to pile up in our queues in
> quantity. Given the scale of what this appears to be I assume the team
> is already hard at work on it, but the lack of mention here concerns
> me, so sorry for the noise if this is too obvious for the list ;-).
>
> Our primary outbound relays are within 64.253.128.0/19
>
> Here are a couple representative logs:
>
> 2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.55.37.104]:25: Connection timed out
> 2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[134.170.2.199]:25: Connection timed out
> 2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.54.188.110]:25: Connection timed out
> 2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B:
> to=<indra_...@hotmail.com>, relay=none, delay=120,
> delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to
> mx1.hotmail.com[65.54.188.110]:25: Connection timed out)
>
> 2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to
> mx3.hotmail.com[65.55.37.72]:25: Connection timed out
> 2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to
> mx4.hotmail.c

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
The classical response to that is a "Hidden" URL that, if "clicked" by the 
scanning software, gives "Insight" into the fact that the recipient is doing 
that, yes?

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Erwin Harte
Sent: Wednesday, May 25, 2016 2:48 PM
To: Michelle Sullivan ; Vick Khera 
Cc: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 4:40 PM, Michelle Sullivan wrote:
> Vick Khera wrote:
>> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote:
>>
>>>  I did a spot check of a recent attack. The email address was
>>>  jabradb...@kanawhascales.com
>>>   and it got signed up to 12
>>>  lists during May 17 and 18. Amazingly, whoever is on the other
>>>  end of that address clicked to confirm every one of those
>>>  confirmation messages. All confirmation clicks appear to come
>>>  from a netblock owned by Barracuda Networks... Hmm...
>>  Which netblock was that?
>>
>>
>> 64.235.144.0/20
>>
>> Specifically: 64.235.154.109,
>> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 
>> 64.235.154.109
>>
>>
> Single click through?  (as in everything in the URL?) - if so probably 
> automated mail scanning.
>
That's what I expect as well. Those addresses are all from ESS
(https://www.barracuda.com/products/emailsecurityservice) which does
'intent' checking.

--Erwin



Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte

On 5/25/16 4:40 PM, Michelle Sullivan wrote:

> Vick Khera wrote:
>
>> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte <eha...@barracuda.com> wrote:
>>
>>>  I did a spot check of a recent attack. The email address was
>>>  jabradb...@kanawhascales.com
>>>   and it got signed up to 12
>>>  lists during May 17 and 18. Amazingly, whoever is on the other
>>>  end of that address clicked to confirm every one of those
>>>  confirmation messages. All confirmation clicks appear to come
>>>  from a netblock owned by Barracuda Networks... Hmm...
>>  Which netblock was that?
>>
>>
>> 64.235.144.0/20
>>
>> Specifically: 64.235.154.109,
>> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109
>>
>>
> Single click through?  (as in everything in the URL?) - if so probably
> automated mail scanning.

That's what I expect as well. Those addresses are all from ESS 
(https://www.barracuda.com/products/emailsecurityservice) which does 
'intent' checking.


--Erwin

===


Considering Office 365?  Barracuda security and storage solutions can help. 
Learn more about Barracuda solutions for Office 365 at 
http://barracuda.com/office365.

DISCLAIMER:
This e-mail and any attachments to it contain confidential and proprietary 
material of Barracuda, its affiliates or agents, and is solely for the use of 
the intended recipient. Any review, use, disclosure, distribution or copying of 
this transmittal is prohibited except by or on behalf of the intended 
recipient. If you have received this transmittal in error, please notify the 
sender and destroy this e-mail and any attachments and all copies, whether 
electronic or printed.




Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
When you say, “Confirmation Clicks”, do you mean on a link provided via email, 
or a confirmation button of a web form?

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting 
Tool ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera
Sent: Wednesday, May 25, 2016 2:14 PM
To: Erwin Harte 
Cc: mailop@mailop.org
Subject: Re: [mailop] signup form abuse


On Wed, May 25, 2016 at 3:02 PM, Erwin Harte <eha...@barracuda.com> wrote:

> I did a spot check of a recent attack. The email address was
> jabradb...@kanawhascales.com and it got
> signed up to 12 lists during May 17 and 18. Amazingly, whoever is on the other
> end of that address clicked to confirm every one of those confirmation
> messages. All confirmation clicks appear to come from a netblock owned by
> Barracuda Networks... Hmm...
>
> Which netblock was that?

64.235.144.0/20

Specifically: 64.235.154.109, 64.235.153.2, 64.235.150.252, 64.235.153.10, 
64.235.154.105, 64.235.154.109


Re: [mailop] signup form abuse

2016-05-25 Thread Michelle Sullivan

Vick Khera wrote:


> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote:
>
>> I did a spot check of a recent attack. The email address was
>> jabradb...@kanawhascales.com
>>  and it got signed up to 12
>> lists during May 17 and 18. Amazingly, whoever is on the other
>> end of that address clicked to confirm every one of those
>> confirmation messages. All confirmation clicks appear to come
>> from a netblock owned by Barracuda Networks... Hmm...
>
> Which netblock was that?
>
>
> 64.235.144.0/20
>
> Specifically: 64.235.154.109,
> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109

Single click through?  (as in everything in the URL?) - if so probably 
automated mail scanning.


--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 3:02 PM, Erwin Harte  wrote:

> I did a spot check of a recent attack. The email address was
> jabradb...@kanawhascales.com and it got signed up to 12 lists during May
> 17 and 18. Amazingly, whoever is on the other end of that address clicked
> to confirm every one of those confirmation messages. All confirmation
> clicks appear to come from a netblock owned by Barracuda Networks... Hmm...
>
> Which netblock was that?
>

64.235.144.0/20

Specifically: 64.235.154.109,
64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109


Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Jaren Angerbauer
Thanks Mike.  If you can, any update you receive (and can disclose) would
be greatly appreciated.

--Jaren



On Wed, May 25, 2016 at 2:29 PM, Michael Wise via mailop 
wrote:

>
> Oh yeah, we're aware.
> Hearing some reports that the issue may have been mitigated, but until I
> hear anything from Inside the House, can't really comment except to say ...
> PRI:0, being worked on as I type. But not by me, as I have no insight into
> the inner workings.
>
> Aloha,
> Michael.
> --
> Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been
> Processed." | Got the Junk Mail Reporting Tool ?
>
> -Original Message-
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Al Iverson
> Sent: Wednesday, May 25, 2016 1:19 PM
> To: mailop 
> Subject: Re: [mailop] Connection failures to Hotmail domains
>
> You're not alone. It's quite widespread. Multiple folks have talked to
> Microsoft people about the issue, they are aware.
>
> Regards,
> Al
>
> --
> Al Iverson
>
> www.aliverson.com
> (312)725-0130
>
>
> On Wed, May 25, 2016 at 3:08 PM, Keenan Tims  wrote:
> > I'm seeing 90+% of our connection attempts to the MXes for
> > 'hotmail.com' and other Hotmail domains (mx[1-4].hotmail.com) are
> > either timing out (30s) or getting connection refused since ~11:00am
> > PDT. Anyone else seeing this? I've tested from a few off-net points
> > and am seeing the same. Mail is starting to pile up in our queues in
> > quantity. Given the scale of what this appears to be I assume the team
> > is already hard at work on it, but the lack of mention here concerns
> > me, so sorry for the noise if this is too obvious for the list ;-).
> >
> > Our primary outbound relays are within 64.253.128.0/19
> >
> > Here are a couple representative logs:
> >
> > 2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to
> > mx1.hotmail.com[65.55.37.104]:25: Connection timed out
> > 2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to
> > mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> > 2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to
> > mx2.hotmail.com[65.55.33.119]:25: Connection refused
> > 2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to
> > mx1.hotmail.com[134.170.2.199]:25: Connection timed out
> > 2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to
> > mx1.hotmail.com[65.54.188.110]:25: Connection timed out
> > 2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B:
> > to=, relay=none, delay=120,
> > delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to
> mx1.hotmail.com[65.54.188.110]:25:
> > Connection timed out)
> >
> > 2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to
> > mx3.hotmail.com[65.55.37.72]:25: Connection timed out
> > 2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to
> > mx4.hotmail.com[65.54.188.126]:25: Connection refused
> > 2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to
> > mx2.hotmail.com[207.46.8.167]:25: Connection timed out
> > 2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to
> > mx4.hotmail.com[207.46.8.199]:25: Connection timed out
> > 2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to
> > mx2.hotmail.com[65.55.33.119]:25: Connection refused
> > 2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00:
> > to=, relay=none, delay=91,
> > delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to
> > mx2.hotmail.com[65.55.33.119]:25: Connection refused)
> >
> > 2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to
> > mx4.hotmail.com[65.55.37.88]:25: Connection timed out
> > 2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to
> > mx4.hotmail.com[65.55.37.120]:25: Connection refused
> > 2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to
> > mx1.hotmail.com[65.54.188.72]:25: Connection timed out
> > 2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to
> > mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> > 2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to
> > mx3.hotmail.com[207.46.8.199]:25: Connection timed out
> > 2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D:
> > to=, relay=none, delay=3265,
> > delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to
> mx3.hotmail.com[207.46.8.199]:25:
> > Connection timed out)
> >
> > Keenan
> >
> > Stargate Connections AS19171
> >
> >

Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Michael Wise via mailop
As soon as I have something external-facing-worthy, I will let y’all know.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

From: Jaren Angerbauer [mailto:jarenangerba...@gmail.com]
Sent: Wednesday, May 25, 2016 1:50 PM
To: Michael Wise 
Cc: mailop 
Subject: Re: [mailop] Connection failures to Hotmail domains

Thanks Mike.  If you can, any update you receive (and can disclose) would be 
greatly appreciated.

--Jaren



On Wed, May 25, 2016 at 2:29 PM, Michael Wise via mailop <mailop@mailop.org> wrote:

Oh yeah, we're aware.
Hearing some reports that the issue may have been mitigated, but until I hear 
anything from Inside the House, can't really comment except to say ... PRI:0, 
being worked on as I type. But not by me, as I have no insight into the inner 
workings.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Al Iverson
Sent: Wednesday, May 25, 2016 1:19 PM
To: mailop <mailop@mailop.org>
Subject: Re: [mailop] Connection failures to Hotmail domains

You're not alone. It's quite widespread. Multiple folks have talked to 
Microsoft people about the issue, they are aware.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 3:08 PM, Keenan Tims <kt...@stargate.ca> wrote:
> I'm seeing 90+% of our connection attempts to the MXes for
> 'hotmail.com' and other Hotmail domains (mx[1-4].hotmail.com) are
> either timing out (30s) or getting connection refused since ~11:00am
> PDT. Anyone else seeing this? I've tested from a few off-net points
> and am seeing the same. Mail is starting to pile up in our queues in
> quantity. Given the scale of what this appears to be I assume the team
> is already hard at work on it, but the lack of mention here concerns
> me, so sorry for the noise if this is too obvious for the list ;-).
>
> Our primary outbound relays are within 64.253.128.0/19
>
> Here are a couple representative logs:
>
> 2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.55.37.104]:25: Connection timed out
> 2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[134.170.2.199]:25: Connection timed out
> 2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com

Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread frnkblk
We saw the same thing too, just too busy dealing with the fallout of a 
lightning strike.

Frank

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Keenan Tims
Sent: Wednesday, May 25, 2016 3:09 PM
To: mailop@mailop.org
Subject: [mailop] Connection failures to Hotmail domains

I'm seeing 90+% of our connection attempts to the MXes for 'hotmail.com' 
and other Hotmail domains (mx[1-4].hotmail.com) are either timing out 
(30s) or getting connection refused since ~11:00am PDT. Anyone else 
seeing this? I've tested from a few off-net points and am seeing the 
same. Mail is starting to pile up in our queues in quantity. Given the 
scale of what this appears to be I assume the team is already hard at 
work on it, but the lack of mention here concerns me, so sorry for the 
noise if this is too obvious for the list ;-).

Our primary outbound relays are within 64.253.128.0/19

Here are a couple representative logs:

2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[65.55.37.104]:25: Connection timed out
2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to 
mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[134.170.2.199]:25: Connection timed out
2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[65.54.188.110]:25: Connection timed out
2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B: 
to=, relay=none, delay=120, delays=0.17/0/120/0, 
dsn=4.4.1, status=deferred (connect to 
mx1.hotmail.com[65.54.188.110]:25: Connection timed out)

2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to 
mx3.hotmail.com[65.55.37.72]:25: Connection timed out
2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to 
mx4.hotmail.com[65.54.188.126]:25: Connection refused
2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to 
mx2.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to 
mx4.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to 
mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00: 
to=, relay=none, delay=91, 
delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to 
mx2.hotmail.com[65.55.33.119]:25: Connection refused)

2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to 
mx4.hotmail.com[65.55.37.88]:25: Connection timed out
2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to 
mx4.hotmail.com[65.55.37.120]:25: Connection refused
2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to 
mx1.hotmail.com[65.54.188.72]:25: Connection timed out
2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to 
mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to 
mx3.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D: 
to=, relay=none, delay=3265, 
delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to 
mx3.hotmail.com[207.46.8.199]:25: Connection timed out)

Keenan

Stargate Connections AS19171




Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Michael Wise via mailop

Oh yeah, we're aware.
Hearing some reports that the issue may have been mitigated, but until I hear 
anything from Inside the House, can't really comment except to say ... PRI:0, 
being worked on as I type. But not by me, as I have no insight into the inner 
workings.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Al Iverson
Sent: Wednesday, May 25, 2016 1:19 PM
To: mailop 
Subject: Re: [mailop] Connection failures to Hotmail domains

You're not alone. It's quite widespread. Multiple folks have talked to 
Microsoft people about the issue, they are aware.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 3:08 PM, Keenan Tims  wrote:
> I'm seeing 90+% of our connection attempts to the MXes for 
> 'hotmail.com' and other Hotmail domains (mx[1-4].hotmail.com) are 
> either timing out (30s) or getting connection refused since ~11:00am 
> PDT. Anyone else seeing this? I've tested from a few off-net points 
> and am seeing the same. Mail is starting to pile up in our queues in 
> quantity. Given the scale of what this appears to be I assume the team 
> is already hard at work on it, but the lack of mention here concerns 
> me, so sorry for the noise if this is too obvious for the list ;-).
>
> Our primary outbound relays are within 64.253.128.0/19
>
> Here are a couple representative logs:
>
> 2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.55.37.104]:25: Connection timed out
> 2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[134.170.2.199]:25: Connection timed out
> 2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.54.188.110]:25: Connection timed out
> 2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B:
> to=, relay=none, delay=120, 
> delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to 
> mx1.hotmail.com[65.54.188.110]:25:
> Connection timed out)
>
> 2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to
> mx3.hotmail.com[65.55.37.72]:25: Connection timed out
> 2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to
> mx4.hotmail.com[65.54.188.126]:25: Connection refused
> 2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to
> mx2.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to
> mx4.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00:
> to=, relay=none, delay=91, 
> delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused)
>
> 2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to
> mx4.hotmail.com[65.55.37.88]:25: Connection timed out
> 2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to
> mx4.hotmail.com[65.55.37.120]:25: Connection refused
> 2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to
> mx1.hotmail.com[65.54.188.72]:25: Connection timed out
> 2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to
> mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to
> mx3.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D:
> to=, relay=none, delay=3265, 
> delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to 
> mx3.hotmail.com[207.46.8.199]:25:
> Connection timed out)
>
> Keenan
>
> Stargate Connections AS19171
>
>

Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Steve Ratzlaff

On 5/25/2016 3:08 PM, Keenan Tims wrote:
I'm seeing 90+% of our connection attempts to the MXes for 
'hotmail.com' and other Hotmail domains (mx[1-4].hotmail.com) are 
either timing out (30s) or getting connection refused since ~11:00am 
PDT. Anyone else seeing this? I've tested from a few off-net points 
and am seeing the same. Mail is starting to pile up in our queues in 
quantity. Given the scale of what this appears to be I assume the team 
is already hard at work on it, but the lack of mention here concerns 
me, so sorry for the noise if this is too obvious for the list ;-).


Our primary outbound relays are within 64.253.128.0/19

Here are a couple representative logs:

2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[65.55.37.104]:25: Connection timed out
2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to 
mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[134.170.2.199]:25: Connection timed out
2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[65.54.188.110]:25: Connection timed out
2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B: 
to=, relay=none, delay=120, 
delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to 
mx1.hotmail.com[65.54.188.110]:25: Connection timed out)


2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to 
mx3.hotmail.com[65.55.37.72]:25: Connection timed out
2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to 
mx4.hotmail.com[65.54.188.126]:25: Connection refused
2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to 
mx2.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to 
mx4.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to 
mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00: 
to=, relay=none, delay=91, 
delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to 
mx2.hotmail.com[65.55.33.119]:25: Connection refused)


2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to 
mx4.hotmail.com[65.55.37.88]:25: Connection timed out
2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to 
mx4.hotmail.com[65.55.37.120]:25: Connection refused
2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to 
mx1.hotmail.com[65.54.188.72]:25: Connection timed out
2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to 
mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to 
mx3.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D: 
to=, relay=none, delay=3265, 
delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to 
mx3.hotmail.com[207.46.8.199]:25: Connection timed out)


Keenan

Stargate Connections AS19171




We started seeing the same thing at ~ 1:40 p.m. Central time.  All 
connections to their MXs are timing out.


Steve




Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Jeremy Harris
On 25/05/16 21:08, Keenan Tims wrote:
> I'm seeing 90+% of our connection attempts to the MXes for 'hotmail.com'
> and other Hotmail domains (mx[1-4].hotmail.com) are either timing out
> (30s) or getting connection refused since ~11:00am PDT. Anyone else
> seeing this?

Yup.
-- 
Jeremy





Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Al Iverson
You're not alone. It's quite widespread. Multiple folks have talked to
Microsoft people about the issue, they are aware.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 3:08 PM, Keenan Tims  wrote:
> I'm seeing 90+% of our connection attempts to the MXes for 'hotmail.com' and
> other Hotmail domains (mx[1-4].hotmail.com) are either timing out (30s) or
> getting connection refused since ~11:00am PDT. Anyone else seeing this? I've
> tested from a few off-net points and am seeing the same. Mail is starting to
> pile up in our queues in quantity. Given the scale of what this appears to
> be I assume the team is already hard at work on it, but the lack of mention
> here concerns me, so sorry for the noise if this is too obvious for the list
> ;-).
>
> Our primary outbound relays are within 64.253.128.0/19
>
> Here are a couple representative logs:
>
> 2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.55.37.104]:25: Connection timed out
> 2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[134.170.2.199]:25: Connection timed out
> 2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.54.188.110]:25: Connection timed out
> 2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B:
> to=, relay=none, delay=120, delays=0.17/0/120/0,
> dsn=4.4.1, status=deferred (connect to mx1.hotmail.com[65.54.188.110]:25:
> Connection timed out)
>
> 2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to
> mx3.hotmail.com[65.55.37.72]:25: Connection timed out
> 2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to
> mx4.hotmail.com[65.54.188.126]:25: Connection refused
> 2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to
> mx2.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to
> mx4.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00:
> to=, relay=none, delay=91,
> delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused)
>
> 2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to
> mx4.hotmail.com[65.55.37.88]:25: Connection timed out
> 2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to
> mx4.hotmail.com[65.55.37.120]:25: Connection refused
> 2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to
> mx1.hotmail.com[65.54.188.72]:25: Connection timed out
> 2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to
> mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to
> mx3.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D:
> to=, relay=none, delay=3265, delays=3145/0/120/0,
> dsn=4.4.1, status=deferred (connect to mx3.hotmail.com[207.46.8.199]:25:
> Connection timed out)
>
> Keenan
>
> Stargate Connections AS19171
>
>



[mailop] Connection failures to Hotmail domains

2016-05-25 Thread Keenan Tims
I'm seeing 90+% of our connection attempts to the MXes for 'hotmail.com' 
and other Hotmail domains (mx[1-4].hotmail.com) are either timing out 
(30s) or getting connection refused since ~11:00am PDT. Anyone else 
seeing this? I've tested from a few off-net points and am seeing the 
same. Mail is starting to pile up in our queues in quantity. Given the 
scale of what this appears to be I assume the team is already hard at 
work on it, but the lack of mention here concerns me, so sorry for the 
noise if this is too obvious for the list ;-).


Our primary outbound relays are within 64.253.128.0/19

Here are a couple representative logs:

2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[65.55.37.104]:25: Connection timed out
2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to 
mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[134.170.2.199]:25: Connection timed out
2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to 
mx1.hotmail.com[65.54.188.110]:25: Connection timed out
2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B: 
to=, relay=none, delay=120, delays=0.17/0/120/0, 
dsn=4.4.1, status=deferred (connect to 
mx1.hotmail.com[65.54.188.110]:25: Connection timed out)


2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to 
mx3.hotmail.com[65.55.37.72]:25: Connection timed out
2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to 
mx4.hotmail.com[65.54.188.126]:25: Connection refused
2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to 
mx2.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to 
mx4.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to 
mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00: 
to=, relay=none, delay=91, 
delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to 
mx2.hotmail.com[65.55.33.119]:25: Connection refused)


2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to 
mx4.hotmail.com[65.55.37.88]:25: Connection timed out
2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to 
mx4.hotmail.com[65.55.37.120]:25: Connection refused
2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to 
mx1.hotmail.com[65.54.188.72]:25: Connection timed out
2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to 
mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to 
mx3.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D: 
to=, relay=none, delay=3265, 
delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to 
mx3.hotmail.com[207.46.8.199]:25: Connection timed out)


Keenan

Stargate Connections AS19171


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
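
A way to turn log excerpts like the ones in the report above into per-MX failure counts, as an added example that is not part of the original post. It uses the first two delivery attempts from the message; the recipient address is a constructed placeholder because the archive blanks it, and the function and field names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Log lines from the message above, re-joined onto single lines. The archive
# blanks the recipient ("to=,"), so <user@example.invalid> is a constructed
# placeholder in the two status=deferred lines.
SAMPLE_LOG = """\
2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out
2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[134.170.2.199]:25: Connection timed out
2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out
2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B: to=<user@example.invalid>, relay=none, delay=120, delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out)
2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to mx3.hotmail.com[65.55.37.72]:25: Connection timed out
2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[65.54.188.126]:25: Connection refused
2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00: to=<user@example.invalid>, relay=none, delay=91, delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused)
"""

# "connect to host[ip]:port: reason" lines logged by the Postfix smtp client.
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtp\[(?P<pid>\d+)\]: connect to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<reason>.+)$"
)
# Per-recipient delivery status line that ends one delivery attempt.
DEFER_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): "
    r"to=<[^>]*>, relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<text>.*)\)$"
)


def summarize(log_text):
    """Tally connect failures and attach them to the deferral that follows."""
    by_reason = Counter()
    by_host = defaultdict(Counter)
    by_ip = defaultdict(Counter)
    pending = defaultdict(list)  # smtp client pid -> failures since its last result
    deferred = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CONNECT_RE.match(line)
        if m:
            by_reason[m["reason"]] += 1
            by_host[m["host"]][m["reason"]] += 1
            by_ip[m["ip"]][m["reason"]] += 1
            pending[m["pid"]].append(m["reason"])
            continue
        m = DEFER_RE.match(line)
        if m and m["status"] == "deferred":
            attempts = pending.pop(m["pid"], [])
            # delays=a/b/c/d: the third field is connection setup time.
            connect_secs = float(m["delays"].split("/")[2])
            deferred.append({
                "qid": m["qid"],
                "dsn": m["dsn"],
                "delay": float(m["delay"]),
                "connect_secs": connect_secs,
                "attempts": len(attempts),
                "timeouts": attempts.count("Connection timed out"),
            })
    return {
        "by_reason": by_reason,
        "by_host": dict(by_host),
        "by_ip": dict(by_ip),
        "deferred": deferred,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for host, reasons in sorted(result["by_host"].items()):
        print(host, dict(reasons))
    for d in result["deferred"]:
        print(d["qid"], "attempts:", d["attempts"], "timeouts:", d["timeouts"],
              "connect seconds:", d["connect_secs"])
```

In both deferrals the connection setup time equals the number of timed-out attempts multiplied by the 30s timeout mentioned in the report, which separates time lost to unreachable MXes from time the message spent waiting in the queue.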


Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte

On 5/25/16 10:36 AM, Vick Khera wrote:
> On Tue, May 24, 2016 at 2:18 PM, Michael Wise
> <michael.w...@microsoft.com> wrote:
>
> > Are these IP addresses on CBL?
>
> I did a spot check of a recent attack. The email address was
> jabradb...@kanawhascales.com and it got signed up to 12 lists during
> May 17 and 18. Amazingly, whoever is on the other end of that address
> clicked to confirm every one of those confirmation messages. All
> confirmation clicks appear to come from a netblock owned by Barracuda
> Networks... Hmm...

Which netblock was that?

--Erwin

===


Considering Office 365?  Barracuda security and storage solutions can help. 
Learn more about Barracuda solutions for Office 365 at 
http://barracuda.com/office365.



Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Tue, May 24, 2016 at 2:18 PM, Michael Wise 
wrote:

> Are these IP addresses on CBL?
>

I did a spot check of a recent attack. The email address was
jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17
and 18. Amazingly, whoever is on the other end of that address clicked to
confirm every one of those confirmation messages. All confirmation clicks
appear to come from a netblock owned by Barracuda Networks... Hmm...

Each signup request came from a different IP address. 5 were on CBL (as of
right now) and 7 were not. In case anyone is interested, I also checked
them against MinFraud from Maxmind. Of the 7 CBL did not detect, it said 5
of them were high risk of being fraudulent source. Between the two, only 2
would get through.

If anyone is interested, these are the IPs used for the signup form
submission:

 107.184.168.161 - CBL, MF
 67.208.149.17 - CBL, MF "low"
 116.212.155.5 -
 73.4.8.181 - MF
 76.74.237.61 - CBL, MF
 96.245.176.53 - MF
 50.196.42.201 - MF
 32.213.237.56 -
 50.192.254.21 - MF
 76.74.237.61 - CBL, MF
 74.196.162.37 - MF
 76.74.237.61 - CBL, MF

I am definitely going to start checking CBL and MinFraud for these forms.
Thanks for the tip.

> Are these addresses in a larger pool, like a Nigerian coffee shop?
>

Doesn't seem like it. I spot checked a couple and they look like ISPs in
the states.


> At some point, you should have a CAPTCHA, and also possibly a list of
> ranges of known bad actors.
>
>
>

We do have CAPTCHA available. I think it is time to start pushing it on the
customers a little harder...
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
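
The checks discussed in this thread (source-IP reputation at signup, bursts of signups for one address, and confirmation clicks arriving from a mail-scanner netblock) combined into one review pass, as an added example that is not code from any poster or ESP. The netblock, the signup and click IPs and the CBL/MinFraud marks are taken from the messages; the addresses, list names, timestamps, the control subscriber, the 48-hour window and the threshold are constructed assumptions, and the reputation table stands in for live lookups.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Netblock the thread identifies as the source of the confirmation clicks.
SCANNER_NETBLOCKS = [ipaddress.ip_network("64.235.144.0/20")]

# Signup source IPs in the order listed in the message above.
SIGNUP_IPS = [
    "107.184.168.161", "67.208.149.17", "116.212.155.5", "73.4.8.181",
    "76.74.237.61", "96.245.176.53", "50.196.42.201", "32.213.237.56",
    "50.192.254.21", "76.74.237.61", "74.196.162.37", "76.74.237.61",
]
# Reputation hits transcribed from the same list (stand-in for live queries).
REPUTATION = {
    "107.184.168.161": {"CBL", "MF"},
    "67.208.149.17": {"CBL"},        # the message marks MinFraud as "low" here
    "116.212.155.5": set(),
    "73.4.8.181": {"MF"},
    "76.74.237.61": {"CBL", "MF"},
    "96.245.176.53": {"MF"},
    "50.196.42.201": {"MF"},
    "32.213.237.56": set(),
    "50.192.254.21": {"MF"},
    "74.196.162.37": {"MF"},
}
# Confirmation click IPs quoted in the thread.
CLICK_IPS = ["64.235.154.109", "64.235.153.2", "64.235.150.252",
             "64.235.153.10", "64.235.154.105", "64.235.154.109"]


def build_sample():
    """Constructed events: 12 signups over May 17-18 plus one ordinary signup."""
    signups, confirms = [], []
    start = datetime(2016, 5, 17, 9, 0)
    for i, ip in enumerate(SIGNUP_IPS):
        t = start + timedelta(hours=3 * i)
        click_ip = CLICK_IPS[i % len(CLICK_IPS)]
        signups.append(("victim@example.com", f"list-{i:02d}", ip, t))
        confirms.append(("victim@example.com", f"list-{i:02d}", click_ip,
                         t + timedelta(seconds=40)))
    t = datetime(2016, 5, 18, 12, 0)   # control subscriber, documentation IP
    signups.append(("reader@example.org", "list-03", "198.51.100.23", t))
    confirms.append(("reader@example.org", "list-03", "198.51.100.23",
                     t + timedelta(minutes=4)))
    return signups, confirms


def in_scanner_netblock(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_NETBLOCKS)


def max_signups_in_window(times, window):
    """Largest number of signups that fall inside any window of that length."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def review(signups, confirms, reputation,
           window=timedelta(hours=48), burst_threshold=3):
    by_addr = defaultdict(lambda: {"signups": [], "clicks": []})
    for email, list_id, ip, t in signups:
        by_addr[email]["signups"].append((list_id, ip, t))
    for email, list_id, ip, t in confirms:
        by_addr[email]["clicks"].append((list_id, ip, t))
    report = {}
    for email, ev in by_addr.items():
        burst = max_signups_in_window([t for _, _, t in ev["signups"]], window)
        scanner = sum(in_scanner_netblock(ip) for _, ip, _ in ev["clicks"])
        all_scanner = bool(ev["clicks"]) and scanner == len(ev["clicks"])
        report[email] = {
            "signups": len(ev["signups"]),
            "distinct_signup_ips": len({ip for _, ip, _ in ev["signups"]}),
            "burst": burst,
            # Signups whose source IP has no reputation hit at all.
            "pass_reputation": sum(1 for _, ip, _ in ev["signups"]
                                   if not reputation.get(ip)),
            # Clicks from a scanner range are not evidence of a human opt-in.
            "scanner_confirmations": scanner,
            "suspect": bool(burst >= burst_threshold or all_scanner),
        }
    return report


if __name__ == "__main__":
    for email, row in review(*build_sample(), REPUTATION).items():
        print(email, row)
```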


Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 11:02 AM, Al Iverson 
wrote:

> Which ESPs operate that way? (Hint: none. Most ESPs offer COI, few or
> none require it.)
>

All our direct signup forms are only COI. We do permit customers to import
existing lists, which may or may not have been COI previously, though we
suggest strongly they should be. There's no way to stay in business if you
require every list import to be run through a confirmation at the time of
import.


Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Tue, May 24, 2016 at 3:07 PM, Jay Hennigan 
wrote:

> The appearance of the confirmation email makes a big difference. If it
> looks like an advertisement with lots of graphics, hidden tracking bugs,
> etc. it's likely to be viewed as abuse and used by bad guys to harass
> innocents.
>
> I'm very pleasantly (and rarely) surprised with list confirmations that
> look like this:
>
> * A single small logo for branding or no graphics at all
> * No advertising
> * A statement like "On [date] at [time] [timezone] you or someone claiming
> to be you requested to subscribe to [list] from IP address [IP]. To confirm
> your request, click [link]. If you didn't make this request, do nothing and
> you will not hear from us again. To report abuse, [do whatever]."
>
> Of course that's assuming that the ESP bothers to confirm subscriptions at
> all.

This is more or less what our confirmations contain. We also include the
customer's address.
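A confirmation message in the plain format described in the quoted text above, as an added example that is not part of the original post and not the ESP's own code. The HMAC-signed link token, the 7-day expiry, and every name, address and URL are assumptions.

```python
import hashlib
import hmac
import time
from email.message import EmailMessage
from urllib.parse import urlencode

SECRET = b"constructed-demo-key"  # assumption: a per-deployment secret key
MAX_AGE = 7 * 24 * 3600           # assumption: links expire after 7 days


def make_token(address, list_id, issued, secret=SECRET):
    """Sign address, list and issue time so a link only confirms that request."""
    data = f"{address.lower()}|{list_id}|{issued}".encode()
    return f"{issued}.{hmac.new(secret, data, hashlib.sha256).hexdigest()}"


def verify_token(token, address, list_id, now, secret=SECRET):
    """Accept only an unexpired token that matches this address and list."""
    try:
        issued = int(token.split(".", 1)[0])
    except ValueError:
        return False
    if not 0 <= now - issued <= MAX_AGE:
        return False
    expected = make_token(address, list_id, issued, secret)
    return hmac.compare_digest(token.encode(), expected.encode())


def build_confirmation(address, list_id, list_name, signup_ip, issued,
                       confirm_url, abuse_contact):
    """Plain-text confirmation: no graphics, no advertising, no tracking."""
    query = urlencode({"list": list_id, "addr": address,
                       "token": make_token(address, list_id, issued)})
    when = time.strftime("%Y-%m-%d at %H:%M:%S", time.gmtime(issued))
    msg = EmailMessage()
    msg["To"] = address
    msg["Subject"] = f"Confirm your subscription to {list_name}"
    msg.set_content(
        f"On {when} UTC you or someone claiming to be you requested to\n"
        f"subscribe to {list_name} from IP address {signup_ip}.\n\n"
        f"To confirm your request, open this link:\n{confirm_url}?{query}\n\n"
        "If you didn't make this request, do nothing and you will not hear\n"
        "from us again.\n\n"
        f"To report abuse, contact {abuse_contact}.\n"
    )
    return msg
```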


Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
Matthew,

Which ESPs operate that way? (Hint: none. Most ESPs offer COI, few or
none require it.)

So since that's not happening...

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 9:45 AM, Matthew Black wrote:
> Are your customers using confirmed opt-in mailing lists? If not, they should
> not be running mailing lists.


Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 10:45 AM, Matthew Black wrote:

> Are your customers using confirmed opt-in mailing lists? If not, they
> should not be running mailing lists.

Yes, the only effect is to send a confirmation message, which is quite
generic and at most contains the customer's logo and name of the list, to
the victim.


Re: [mailop] signup form abuse

2016-05-25 Thread Matthew Black
Are your customers using confirmed opt-in mailing lists? If not, they should 
not be running mailing lists.

matthew


From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera
Sent: Tuesday, May 24, 2016 10:18 AM
To: mailop@mailop.org
Subject: [mailop] signup form abuse

As an ESP, we host mailing list signup forms for many customers. Of late, it 
appears they have been getting pounded on with fraudulent signups for real 
addresses. Sometimes the people confirm by clicking the confirmation link in 
the message and we are left scratching our heads as to why they would do that. 
Mostly they get ignored and sometimes they come back as spam complaints.

One opinion I got regarding this was that people were using bots to sign up to 
newsletter lists other bot-driven email addresses at gmail, yahoo, etc., to 
make those mailboxes look more real before they became "weaponized" for use in 
sending junk. That does not seem to be entirely what is happening here...

Today we got a set of complaints for what appears to be a personal email 
address at a reasonably sized ISP. The complaint clearly identified the 
messages as a signup confirmation message and chastised us for not having the 
form protected by a CAPTCHA. Of course, they blocked some of our IPs for good 
measure :( They characterized it as a DDoS.

What are the folks on this fine list doing about this kind of abuse? We do have
the ability to turn on CAPTCHA for our customers, but often they have nicely
integrated the signup forms into their own web sites and making it work for 
those is pretty complicated. If I enabled CAPTCHA naively, the subscribers 
would have to click the submit form twice and then click the confirm on the 
email. The UX for that sucks, but such is the cost of allowing jerks on the 
internet...

Rate limiting doesn't seem to be useful since the forms are being submitted at 
low rates and from a wide number of IP addresses.

I look forward to hearing what others here are doing.