Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Simon Forster

> On 30 Jun 2016, at 16:52, Vick Khera  wrote:
> 
> For some customers, enabling reCAPTCHA was the solution because of the volume 
> of bogus signups. For everyone else we opportunistically require reCAPTCHA if 
> the submitting IP is on either CBL or minFraud's proxy list. This latter 
> mechanism matches just shy of 75% of the fake signups exhibiting this pattern 
> historically. Some IP's we observe become "bad" after the fact, so I suspect 
> the actual block rate to be a bit lower.

Spamhaus has the AuthBL whose purpose is to mitigate SMTP Auth abuse. It would 
be interesting to see if it’s of any use combatting this latest maliciousness. 
If anyone would like to test, contact me off list  and 
we’ll get you free access for six months to give it a go.

Simon Forster

  Spamhaus Technology Ltd
  London, UK
  https://www.spamhaustech.com/
  skype: srforster
  m: +44 79 0528 8198
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread timrutherford
Just FYI I’m seeing the same 3 prefixes returning 4xx responses

BL2
BN1
BY2


From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Kirk MacDonald
Sent: Thursday, June 30, 2016 11:53 AM
To: 'Michael Wise' ; mailop@mailop.org
Subject: Re: [mailop] Failures to .mail.protection.outlook.com

If you mean the servers that actually return 4xx responses I do see these:

BL2
BN1
BY2

Kirk MacDonald
System Administrator
Internet
Eastlink




 

From: Michael Wise [mailto:michael.w...@microsoft.com]
Sent: Thursday, June 30, 2016 12:37 PM
To: Kirk MacDonald ; mailop@mailop.org
Subject: RE: [mailop] Failures to .mail.protection.outlook.com

Investigating, but seeing this traffic.
Is there any clustering by datacenter?
That would be the first 3 characters of the hostname

Aloha,
Michael.
-- 
Sent from my Windows Phone


From: Kirk MacDonald
Sent: 6/30/2016 8:11 AM
To: mailop@mailop.org
Subject: [mailop] Failures to .mail.protection.outlook.com

Wondering if others are seeing mail queue up within the last hour to domains
hosted at protection.outlook.com… or if it’s just me? The most frequent
behaviour is an immediate hangup during ehlo.

Also seeing a small number of successful deliveries and 4xx responses:

4.3.2 The maximum number of concurrent server connections has exceeded a
per-source limit, closing transmission channel (BL2FFO11FD020.protection.gbl)

That suggests that there are some systems behind the MX that are answering
and are probably getting stressed.

Our IPs in SNDS are “green”, but I am not always clear about where
Outlook/Live/Hotmail stops and protection.outlook.com begins.


Kirk MacDonald
System Administrator
Internet
Eastlink

 

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Michael Wise via mailop
Item #1 should be backed up as much as humanly possible with SPF, DKIM and 
DMARC validation.
If the request fails validation, don't send the confirmation email.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Rich Kulawiec
Sent: Thursday, June 30, 2016 9:23 AM
To: mailop@mailop.org
Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)

On Thu, Jun 30, 2016 at 02:19:20AM +, Michael Wise via mailop wrote:
> This ... is an attack for which I have become rather familiar.

As have I.  Various countermeasures deployed singly and in combination have 
sufficed to cut it down to a dull roar, but the distributed nature of the 
attack renders it difficult (if not impossible) to stop entirely.

Here's a list.  Some of these will (obviously) not work for everyone; some of 
them may not work for anyone.

1. Don't allow list signups via the web.  Given that -request has been a 
standard for decades, every person attempting to sign up for every mailing list 
should know it.  If not, they should learn.  If they're not capable of 
learning, too bad.

2. Block traffic from problematic regions/countries or allow traffic from 
desired regions/countries.  For mailing lists whose interest is confined to a 
geographic area, this works pretty well.  For those which aren't, nope.

3. Throttle outbound subscription confirmations.  Correlate with originating 
domains/usernames/IP addresses/etc.  At small scale this doesn't work too well, 
but at medium and large scales the accumulated patterns of abuse tend to leap 
off the screen.

4. Perform daily log analysis.  Spikes in subscription rates
*may* reveal abuse-in-progress -- probably not, but it's worth the perfunctory 
exercise just in case.  Of course this is after-the-fact and the damage may 
already be done.

5. There are a lot of worthless (new) TLDs.  "Use a real domain"
is quickly becoming a valid response to requests from them.

---rsk

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Rich Kulawiec
On Thu, Jun 30, 2016 at 02:19:20AM +, Michael Wise via mailop wrote:
> This ... is an attack for which I have become rather familiar.

As have I.  Various countermeasures deployed singly and in combination
have sufficed to cut it down to a dull roar, but the distributed nature
of the attack renders it difficult (if not impossible) to stop entirely.

Here's a list.  Some of these will (obviously) not work for everyone;
some of them may not work for anyone.

1. Don't allow list signups via the web.  Given that -request has
been a standard for decades, every person attempting to sign up for
every mailing list should know it.  If not, they should learn.  If
they're not capable of learning, too bad.

2. Block traffic from problematic regions/countries or allow traffic
from desired regions/countries.  For mailing lists whose interest
is confined to a geographic area, this works pretty well.  For
those which aren't, nope.

3. Throttle outbound subscription confirmations.  Correlate with
originating domains/usernames/IP addresses/etc.  At small scale
this doesn't work too well, but at medium and large scales the
accumulated patterns of abuse tend to leap off the screen.

4. Perform daily log analysis.  Spikes in subscription rates
*may* reveal abuse-in-progress -- probably not, but it's worth
the perfunctory exercise just in case.  Of course this is
after-the-fact and the damage may already be done.

5. There are a lot of worthless (new) TLDs.  "Use a real domain"
is quickly becoming a valid response to requests from them.

---rsk

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
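The batch correlation in items 3 and 4 above, together with Michael Wise's per-IP heuristic quoted elsewhere in the thread (an IP requesting more than one list every N seconds), as an added example that is not code from any post or list manager. The log format, addresses and timestamps are constructed for the example; the sliding-window thresholds are assumptions to be tuned per site.

```python
"""Batch correlation of web signup requests for a mailing-list host.

Added example, not code from the mailop thread or from any list manager. It
runs Rich Kulawiec's items 3 and 4 (correlate outbound confirmations by
originating IP/address, look for spikes in a day's log) and Michael Wise's
heuristic from elsewhere in the thread (an IP that requests more than one
list every N seconds) over a constructed log. The log format, addresses and
timestamps are invented for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO time> <source IP> <list> <subscriber> <first-name field>".
# The 13-hex-digit first names mirror the bot-like value quoted in the thread.
SAMPLE_LOG = """\
2016-06-30T14:00:01 203.0.113.5 debian-user alice@example.org Alice
2016-06-30T14:00:02 198.51.100.7 list-a victim@example.net 5773fb91d07ad
2016-06-30T14:00:03 198.51.100.7 list-b victim@example.net 5773fb91d07ae
2016-06-30T14:00:04 198.51.100.7 list-c victim@example.net 5773fb91d07af
2016-06-30T14:00:09 192.0.2.44 list-d victim@example.net 5773fb91d07b0
2016-06-30T14:05:00 203.0.113.5 debian-announce alice@example.org Alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<list>\S+) (?P<email>\S+) (?P<first>.*)$")
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{13}$")


def parse(log_text):
    """Parse the log into time-sorted event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                       "list": m["list"], "email": m["email"].lower(),
                       "first": m["first"]})
    events.sort(key=lambda e: e["ts"])
    return events


def _keys_over_limit(events, key, window_seconds, max_lists):
    """Values of `key` (ip or email) that touched more than max_lists distinct
    lists inside a sliding window of window_seconds. Events must be sorted."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)   # key value -> [(ts, list)] still inside the window
    flagged = set()
    for e in events:
        hist = recent[e[key]]
        hist.append((e["ts"], e["list"]))
        while hist and e["ts"] - hist[0][0] > window:
            hist.pop(0)          # expire entries older than the window
        if len({lst for _, lst in hist}) > max_lists:
            flagged.add(e[key])
    return flagged


def ips_hitting_many_lists(events, window_seconds=60, max_lists=1):
    """Michael Wise's rule: one source IP asking for more than one list per window."""
    return _keys_over_limit(events, "ip", window_seconds, max_lists)


def recipients_flooded(events, window_seconds=600, max_lists=2):
    """The reflection view: one subscriber address pushed into many lists,
    whatever the source IPs, so distributed submitters are still caught."""
    return _keys_over_limit(events, "email", window_seconds, max_lists)


def bot_like_names(events):
    """First-name fields that are bare 13-digit hex tokens rather than names."""
    return {e["first"] for e in events if HEX_TOKEN_RE.match(e["first"])}


def confirmations_to_hold(events):
    """(list, subscriber) pairs whose confirmation mail should be held for review.
    A hit on any one signal is enough; the legitimate signups are untouched."""
    bad_ips = ips_hitting_many_lists(events)
    bad_recipients = recipients_flooded(events)
    bad_names = bot_like_names(events)
    return {(e["list"], e["email"]) for e in events
            if e["ip"] in bad_ips or e["email"] in bad_recipients
            or e["first"] in bad_names}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("IPs over limit:", sorted(ips_hitting_many_lists(evts)))
    print("flooded recipients:", sorted(recipients_flooded(evts)))
    for lst, who in sorted(confirmations_to_hold(evts)):
        print(f"hold confirmation for {who} on {lst}")
```

The recipient-side check is the one that still fires when the submitting IPs are spread across many proxies, which is the case the thread describes.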


Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Vick Khera
On Thu, Jun 30, 2016 at 12:04 PM, Michael Wise via mailop  wrote:

> They're BURYING the target in thousands of confirmation requests.
>

In some cases we're seeing the recipient address repeatedly submitted, and
it is known to not exist, ie we get a DNE bounce.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Michael Wise via mailop
They aren't.
They're BURYING the target in thousands of confirmation requests.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: Mark Jeftovic [mailto:mar...@easydns.com] 
Sent: Thursday, June 30, 2016 9:00 AM
To: Michael Wise ; mailop@mailop.org
Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)

Wait - if this is an attack against the recipient, how are they
*confirming* the opt-in in an opt-in and confirm situation?

- mark


On 2016-06-30 10:40 AM, Michael Wise wrote:
> Yeah.
> 
> I can imagine a way to block it if one leverages DKIM and DMARC to 
> send a subscribe message FROM the user with a cookie in the Subject, 
> based on a mailto: link on a webform, and if the signatures 
> validate... Consider that sufficient?
> 
> But otherwise, unsure how to block it on the receiving end without 
> some new code. We may have to write it, though.
> 
> Aloha,
> Michael.
> --
> Sent from my Windows Phone
> 
> From: Mark Jeftovic 
> Sent: 6/30/2016 6:45 AM
> To: Michael Wise ; mailop@mailop.org 
> Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)
> 
> Oh I see. It's the opt-in and confirm version of a reflection attack.
> 
> Interesting, and yes, pretty nasty.
> 
> - mark
> 
> On 2016-06-30 4:55 AM, Michael Wise wrote:
>> No.
>> 
>> From what we see, it *SEEMS* to be that they are attacking others by 
>> flooding the target with confirmation requests from many thousands of 
>> lists all at once, one or more of which might be yours.
>> 
>> In other words, you are not the nail, you're the hammer.
>> 
>> It's a horrible attack, because it's a legitimate thing to do, 
>> sending a confirm message. How are you to know that the recipient has 
>> received a thousand others just like it in the past minute from all around 
>> the globe?
>> 
>> This is just a theory, but we've dealt with the cleanup of a number 
>> of cases like this where our customers were on the receiving end.
>> 
>> Aloha,
>> Michael.
>> --
>> Sent from my Windows Phone
>> 
>> From: Mark Jeftovic 
>> Sent: 6/29/2016 8:17 PM
>> To: mailop@mailop.org 
>> Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)
>> 
>> What do you mean when you say "hey are attacking people for hire." ?
>> 
>> Do you mean they are hired to attack our list?
>> 
>> - mark
>> 
>> 
>> On 2016-06-29 10:19 PM, Michael Wise via mailop wrote:
>>> 
>>> This ... is an attack for which I have become rather familiar.
>>> I'm guessing that all the subscription request web connects are coming from 
>>> Eastern Europe
>>> 
>>> They are attacking people for hire.
>>> They flood the target accounts with thousands of subscription confirmations.
>>> 
>>> Dig a bit deeper and let me know if my suspicions are correct.
>>> You may want to throttle/blacklist connections from any IP that submits 
>>> requests for more than 1 mailing-list every ... N seconds?
>>> 
>>> Just a hunch, but I'd be surprised if I was in error on this.
>>> 
>>> Aloha,
>>> Michael.
>>> 
>> 

Re: [mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread Michael Wise via mailop
Thanks!
Looks like it's limited to one datacenter then. So far.

Again, thanks!

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of David
Sent: Thursday, June 30, 2016 8:44 AM
To: mailop@mailop.org
Subject: Re: [mailop] Failures to .mail.protection.outlook.com

On 2016-06-30 9:36 AM, Michael Wise via mailop wrote:
> Investigating, but seeing this traffic.
> Is there any clustering by datacenter?
> That would be the first 3 characters of the hostname
>

207.46.163/24 seems to be the worst destinations from our perspective so far.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread Tony Bunce
We are seeing the same thing: queueing to *.protection.outlook.com domains, 
most of the errors from that same network.

We are seeing a few different error messages:
Connected to 207.46.163.170 but connection died
421 4.3.2 The maximum number of concurrent server connections has exceeded a 
per-source limit, closing transmission channel (BN1AFFO11FD044.protection.gbl)
451 4.4.3 Temporary server error. Please try again later ATTR2

I see the first error at 09:29:31 EDT.  There was a successful delivery at 
09:26:03 EDT.

-Tony

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of David
Sent: Thursday, June 30, 2016 11:44 AM
To: mailop@mailop.org
Subject: Re: [mailop] Failures to .mail.protection.outlook.com

On 2016-06-30 9:36 AM, Michael Wise via mailop wrote:
> Investigating, but seeing this traffic.
> Is there any clustering by datacenter?
> That would be the first 3 characters of the hostname
>

207.46.163/24 seems to be the worst destinations from our perspective so 
far.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread Michael Wise via mailop
Much Thanks!

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting 
Tool ?

From: Kirk MacDonald [mailto:kirk.macdon...@corp.eastlink.ca]
Sent: Thursday, June 30, 2016 8:53 AM
To: Michael Wise ; mailop@mailop.org
Subject: RE: [mailop] Failures to .mail.protection.outlook.com

If you mean the servers that actually return 4xx responses I do see these:

BL2
BN1
BY2


Kirk MacDonald
System Administrator
Internet
Eastlink



From: Michael Wise [mailto:michael.w...@microsoft.com]
Sent: Thursday, June 30, 2016 12:37 PM
To: Kirk MacDonald ; mailop@mailop.org
Subject: RE: [mailop] Failures to .mail.protection.outlook.com

Investigating, but seeing this traffic.
Is there any clustering by datacenter?
That would be the first 3 characters of the hostname

Aloha,
Michael.
--
Sent from my Windows Phone

From: Kirk MacDonald
Sent: 6/30/2016 8:11 AM
To: mailop@mailop.org
Subject: [mailop] Failures to .mail.protection.outlook.com

Wondering if others are seeing mail queue up within the last hour to domains 
hosted at protection.outlook.com… or if it’s just me? The most frequent 
behaviour is an immediate hangup during ehlo.

Also seeing a small number of successful deliveries and 4xx responses:

4.3.2 The maximum number of concurrent server connections has exceeded a 
per-source limit, closing transmission channel (BL2FFO11FD020.protection.gbl)

That suggests that there are some systems behind the MX that are answering 
and are probably getting stressed.

Our IPs in SNDS are “green”, but I am not always clear about where 
Outlook/Live/Hotmail stops and protection.outlook.com begins.


Kirk MacDonald
System Administrator
Internet
Eastlink

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Mark Jeftovic
Wait - if this is an attack against the recipient, how are they
*confirming* the opt-in in an opt-in and confirm situation?

- mark


On 2016-06-30 10:40 AM, Michael Wise wrote:
> Yeah.
> 
> I can imagine a way to block it if one leverages DKIM and DMARC to send
> a subscribe message FROM the user with a cookie in the Subject, based on
> a mailto: link on a webform, and if the signatures validate... Consider
> that sufficient?
> 
> But otherwise, unsure how to block it on the receiving end without some
> new code. We may have to write it, though.
> 
> Aloha,
> Michael.
> -- 
> Sent from my Windows Phone
> 
> From: Mark Jeftovic 
> Sent: 6/30/2016 6:45 AM
> To: Michael Wise ; mailop@mailop.org
> Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)
> 
> Oh I see. It's the opt-in and confirm version of a reflection attack.
> 
> Interesting, and yes, pretty nasty.
> 
> - mark
> 
> On 2016-06-30 4:55 AM, Michael Wise wrote:
>> No.
>> 
>> From what we see, it *SEEMS* to be that they are attacking others by
>> flooding the target with confirmation requests from many thousands of
>> lists all at once, one or more of which might be yours.
>> 
>> In other words, you are not the nail, you're the hammer.
>> 
>> It's a horrible attack, because it's a legitimate thing to do, sending a
>> confirm message. How are you to know that the recipient has received a
>> thousand others just like it in the past minute from all around the globe?
>> 
>> This is just a theory, but we've dealt with the cleanup of a number of
>> cases like this where our customers were on the receiving end.
>> 
>> Aloha,
>> Michael.
>> -- 
>> Sent from my Windows Phone
>> 
>> From: Mark Jeftovic 
>> Sent: 6/29/2016 8:17 PM
>> To: mailop@mailop.org 
>> Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)
>> 
>> What do you mean when you say "hey are attacking people for hire." ?
>> 
>> Do you mean they are hired to attack our list?
>> 
>> - mark
>> 
>> 
>> On 2016-06-29 10:19 PM, Michael Wise via mailop wrote:
>>> 
>>> This ... is an attack for which I have become rather familiar.
>>> I'm guessing that all the subscription request web connects are coming from 
>>> Eastern Europe
>>> 
>>> They are attacking people for hire.
>>> They flood the target accounts with thousands of subscription confirmations.
>>> 
>>> Dig a bit deeper and let me know if my suspicions are correct.
>>> You may want to throttle/blacklist connections from any IP that submits 
>>> requests for more than 1 mailing-list every ... N seconds?
>>> 
>>> Just a hunch, but I'd be surprised if I was in error on this.
>>> 
>>> Aloha,
>>> Michael.
>>> 
>> 

-- 
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read my blog: http://markable.com
+1-416-535-8672 ext 225

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread Kirk MacDonald
If you mean the servers that actually return 4xx responses I do see these:

BL2
BN1
BY2


Kirk MacDonald
System Administrator
Internet
Eastlink


From: Michael Wise [mailto:michael.w...@microsoft.com]
Sent: Thursday, June 30, 2016 12:37 PM
To: Kirk MacDonald ; mailop@mailop.org
Subject: RE: [mailop] Failures to .mail.protection.outlook.com

Investigating, but seeing this traffic.
Is there any clustering by datacenter?
That would be the first 3 characters of the hostname

Aloha,
Michael.
--
Sent from my Windows Phone

From: Kirk MacDonald
Sent: 6/30/2016 8:11 AM
To: mailop@mailop.org
Subject: [mailop] Failures to .mail.protection.outlook.com

Wondering if others are seeing mail queue up within the last hour to domains 
hosted at protection.outlook.com… or if it’s just me? The most frequent 
behaviour is an immediate hangup during ehlo.

Also seeing a small number of successful deliveries and 4xx responses:

4.3.2 The maximum number of concurrent server connections has exceeded a 
per-source limit, closing transmission channel (BL2FFO11FD020.protection.gbl)

That suggests that there are some systems behind the MX that are answering 
and are probably getting stressed.

Our IPs in SNDS are “green”, but I am not always clear about where 
Outlook/Live/Hotmail stops and protection.outlook.com begins.


Kirk MacDonald
System Administrator
Internet
Eastlink

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Vick Khera
On Wed, Jun 29, 2016 at 9:46 PM, Mark Jeftovic  wrote:

> I look at the complaint data, it's all weird looking signups, this time
> all from:
>
> aol.com
> netscape.net
> verizon.net
>
> and the "First Name Field" in all of them are like this:
>
> 5773fb91d07ad
>
> Again, looks automated or bot-like, or maybe it's some list management
> software?
>
> This is what I'm confused about, namely WHAT'S THE POINT?
>

I've seen these coming for a while now for several of our customers' signup
forms. Recently there was a big uptick on the volume and we had to
implement various robot defenses to block these. If you collect any other
data, they will all have an incrementing hex number like that in them as
well.

For some customers, enabling reCAPTCHA was the solution because of the
volume of bogus signups. For everyone else we opportunistically require
reCAPTCHA if the submitting IP is on either CBL or minFraud's proxy list.
This latter mechanism matches just shy of 75% of the fake signups
exhibiting this pattern historically. Some IP's we observe become "bad"
after the fact, so I suspect the actual block rate to be a bit lower.

Now the most curious part is that a fair number of these signups actually
confirm by following the confirmation link. I know some percentage of those
are automated scanning by our friends at Barracuda and other such services.

I asked this question to quite a few people at M3AAWG a couple of weeks
ago, and the most plausible answer I got was from Elizabeth at yahoo: the
scammers are trying to make their inboxes look "real" so they can game the
"this is not spam" feature.  She says it is fairly easy for them to ignore
the TINS if the entire mailbox from where it came is just spam because they
know it is someone trying to game delivery for their own spam. However, if
there are other non-spam messages in there it is harder for them to
determine automatically (i.e., without a human looking at the mail, which they
are not allowed to do) if the inbox is "real".

Michael's theory that it is a harassment technique for the recipient is
also strong. I've had it happen to me recently at a small scale (someone
signed me up for *every* Debian mailing list). The guess that they're
coming from Western Europe is in my case incorrect. Spot checking the IPs,
they are from *everywhere* including large cable providers in the US.
Clearly these are bots and/or open proxies.
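The gating Vick describes above (require reCAPTCHA when the submitting IP is on a blocklist, and notice the incrementing hex token in the form fields), as an added example; this is my code, not Vick's nor Mailchimp's. Two assumptions are mine: that the 13-hex-digit "First Name" values follow PHP's uniqid() layout (eight hex digits of Unix seconds followed by five of microseconds, which makes the sample 5773fb91d07ad decode to 29 June 2016, the day of the complaints), and that the CBL is queried through its DNS zone cbl.abuseat.org. The minFraud proxy check is an HTTP API and is not shown; the resolver is injectable so the DNSBL check runs offline.

```python
import ipaddress
import re
import socket
import time

# Thirteen lowercase hex characters: the shape of the "First Name" values in the thread.
HEX13 = re.compile(r"^[0-9a-f]{13}$")

# DNS-queryable blocklists to consult (assumption: CBL via its abuseat.org zone).
DNSBL_ZONES = ("cbl.abuseat.org",)


def looks_like_uniqid(value, now=None, window_days=30):
    """True if ``value`` is 13 hex characters whose leading 8 decode to a Unix
    time within the last ``window_days`` (plus one day of clock skew).
    Assumption: the tokens follow PHP uniqid(): seconds since the epoch in
    hex, then five hex digits of microseconds."""
    if not HEX13.match(value):
        return False
    seconds = int(value[:8], 16)
    now = time.time() if now is None else now
    return now - window_days * 86400 <= seconds <= now + 86400


def dnsbl_listed(ip, zone, resolve=socket.gethostbyname):
    """Query a DNSBL: reverse the IPv4 octets, append the zone, and treat any
    answer as a listing.  NXDOMAIN surfaces as socket.gaierror (an OSError)."""
    if ipaddress.ip_address(ip).version != 4:
        return False  # IPv6 listings use a nibble format; out of scope here
    reversed_octets = ".".join(reversed(ip.split(".")))
    try:
        resolve("%s.%s" % (reversed_octets, zone))
        return True
    except OSError:
        return False


def static_resolver(listed_names):
    """Offline stand-in for socket.gethostbyname that answers only for the
    given names (constructed, for self-checks and unit tests)."""
    def resolve(name):
        if name in listed_names:
            return "127.0.0.2"
        raise OSError("NXDOMAIN (simulated)")
    return resolve


def captcha_reasons(fields, client_ip, resolve=socket.gethostbyname, now=None):
    """Return the reasons this signup should be made to solve reCAPTCHA;
    an empty list means let it through.  ``fields`` is the submitted form."""
    reasons = []
    for name, value in fields.items():
        if looks_like_uniqid(value.strip().lower(), now):
            reasons.append("field %r carries a uniqid-style token" % name)
    for zone in DNSBL_ZONES:
        if dnsbl_listed(client_ip, zone, resolve):
            reasons.append("%s is listed in %s" % (client_ip, zone))
    return reasons


if __name__ == "__main__":
    # Constructed sample: the thread's token, a pretend-listed source address,
    # and a resolver that never touches the network.
    fake_dns = static_resolver({"4.3.2.1.cbl.abuseat.org"})
    print(captcha_reasons({"FNAME": "5773fb91d07ad", "EMAIL": "x@example.net"},
                          "1.2.3.4", fake_dns))
```

The timestamp window is what turns a bare "13 hex characters" match into a useful signal: a real first name never decodes to a date within the last month, and the bots' tokens always do as long as they keep incrementing from the clock. Feed a non-empty reason list to the CAPTCHA step rather than a hard reject, since the thread's own numbers show the blocklists catch only about three quarters of these sources.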


Re: [mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread David

On 2016-06-30 9:36 AM, Michael Wise via mailop wrote:

> Investigating, but seeing this traffic.
> Is there any clustering by datacenter?
> That would be the first 3 characters of the hostname

207.46.163/24 seems to be the worst destination from our perspective so
far.





Re: [mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread Michael Wise via mailop
Investigating, but seeing this traffic.
Is there any clustering by datacenter?
That would be the first 3 characters of the hostname

Aloha,
Michael.
--
Sent from my Windows Phone

From: Kirk MacDonald
Sent: 6/30/2016 8:11 AM
To: mailop@mailop.org
Subject: [mailop] Failures to .mail.protection.outlook.com

Wondering if others are seeing mail queue up within the last hour to domains 
hosted at protection.outlook.com… or if it’s just me? The most frequent 
behaviour is an immediate hangup during ehlo.

Also seeing a small number of successful deliveries and 4xx responses:

4.3.2 The maximum number of concurrent server connections has exceeded a 
per-source limit, closing transmission channel (BL2FFO11FD020.protection.gbl)

That suggests that there are some systems behind the MX that are answering 
and are probably getting stressed.

Our IPs in SNDS are “green”, but I am not always clear about where 
Outlook/Live/Hotmail stops and protection.outlook.com begins.


Kirk MacDonald
System Administrator
Internet
Eastlink




Re: [mailop] Email issues with Microsoft?

2016-06-30 Thread frnkblk
We saw this start to ramp up around 8:20 am (U.S. Central) and about an hour
later messages were predominantly getting delayed, yet even now a few do get
delivered from time to time.

Someone on the outages listserv posted about this, too.
(https://puck.nether.net/pipermail/outages/2016-June/009214.html)

Frank

-Original Message-
From: Frank Bulk (frnk...@iname.com) [mailto:frnk...@iname.com] 
Sent: Thursday, June 30, 2016 10:01 AM
To: 'mailop@mailop.org' (mailop@mailop.org) 
Subject: Email issues with Microsoft?

We're seeing multiple Microsoft-hosted domains having difficulty getting our
email.

@hsitire.com  Open (207.46.163.170) Error
4sec (399 TCP Read failed (Connection reset by peer after 4 seconds) 4 sec)
@animalhealthinternational.com Open (207.46.163.170) Error
4sec (399 TCP Read failed (Connection reset by peer after 4 seconds) 4 sec)
@midwestwheel.com ubad=13799805, Site
(midwestwheel.com/207.46.163.170) said: 451 4.3.2 Temporary server error.
Please try again later ATTR2
@pamhc.org Open (207.46.163.170) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)
@hsitire.com  Open (207.46.163.170) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)
@kingsleybank.com Open (207.46.163.170) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)
@moc-fv.k12.ia.us Open (207.46.163.138) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)
@dordt.edu Open (207.46.163.138) Error
1sec (421 4.3.2 The maximum number of concurrent server connections has
exceeded a per-source limit, closing transmission channel
(BN1AFFO11FD020.protection.gbl))
@nimanranch.com Open
(207.46.163.138) Error 1sec (421 4.3.2 The maximum number of concurrent
server connections has exceeded a limit, closing transmission channel
(BN1AFFO11FD040.protection.gbl))
@hsitire.com  Open (207.46.163.138) Error
4sec (399 TCP Read failed (Connection reset by peer after 4 seconds) 4 sec)
@dordt.edu Open (207.46.163.138) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)

Frank


138.163.46.207.in-addr.arpa domain name pointer
mail-bn14138.inbound.protection.outlook.com.

IP: 207.46.163.138
Origin-AS: 8075
Prefix: 207.46.128.0/17
AS-Path: 31019 8075
AS-Org-Name: Microsoft Corporation
Org-Name: Microsoft Corporation
Net-Name: MICROSOFT-GLOBAL-NET
Cache-Date: 1467291365
Latitude: 47.682900
Longitude: -122.120900
City: Redmond
Region: Washington
Country: United States
Country-Code: US




Re: [mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread Chad M Stewart

It is not just you.  I admin a domain hosted there but the MX record points at 
Mimecast. Mimecast alerted me at 9:05 that > 100 msgs were in queue, which has 
grown more than 10x since.

I suspect O365's first tier of servers cored and are trying to come back 
up.  Those that do manage to take a connection are getting hammered and the 
per-source IP rate limits are so low they are not allowing for conditions like 
this.  :(


-Chad




[mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread Kirk MacDonald
Wondering if others are seeing mail queue up within the last hour to domains 
hosted at protection.outlook.com… or if it’s just me? The most frequent 
behaviour is an immediate hangup during ehlo.

Also seeing a small number of successful deliveries and 4xx responses:

4.3.2 The maximum number of concurrent server connections has exceeded a 
per-source limit, closing transmission channel (BL2FFO11FD020.protection.gbl)

That suggests that there are some systems behind the MX that are answering 
and are probably getting stressed.

Our IPs in SNDS are “green”, but I am not always clear about where 
Outlook/Live/Hotmail stops and protection.outlook.com begins.


Kirk MacDonald
System Administrator
Internet
Eastlink




[mailop] Email issues with Microsoft?

2016-06-30 Thread frnkblk
We're seeing multiple Microsoft-hosted domains having difficulty getting our
email.

@hsitire.com  Open (207.46.163.170) Error
4sec (399 TCP Read failed (Connection reset by peer after 4 seconds) 4 sec)
@animalhealthinternational.com Open (207.46.163.170) Error
4sec (399 TCP Read failed (Connection reset by peer after 4 seconds) 4 sec)
@midwestwheel.com ubad=13799805, Site
(midwestwheel.com/207.46.163.170) said: 451 4.3.2 Temporary server error.
Please try again later ATTR2
@pamhc.org Open (207.46.163.170) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)
@hsitire.com  Open (207.46.163.170) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)
@kingsleybank.com Open (207.46.163.170) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)
@moc-fv.k12.ia.us Open (207.46.163.138) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)
@dordt.edu Open (207.46.163.138) Error
1sec (421 4.3.2 The maximum number of concurrent server connections has
exceeded a per-source limit, closing transmission channel
(BN1AFFO11FD020.protection.gbl))
@nimanranch.com Open
(207.46.163.138) Error 1sec (421 4.3.2 The maximum number of concurrent
server connections has exceeded a limit, closing transmission channel
(BN1AFFO11FD040.protection.gbl))
@hsitire.com  Open (207.46.163.138) Error
4sec (399 TCP Read failed (Connection reset by peer after 4 seconds) 4 sec)
@dordt.edu Open (207.46.163.138) Error
3sec (399 TCP Read failed (Connection reset by peer after 3 seconds) 3 sec)

Frank


138.163.46.207.in-addr.arpa domain name pointer
mail-bn14138.inbound.protection.outlook.com.

IP: 207.46.163.138
Origin-AS: 8075
Prefix: 207.46.128.0/17
AS-Path: 31019 8075
AS-Org-Name: Microsoft Corporation
Org-Name: Microsoft Corporation
Net-Name: MICROSOFT-GLOBAL-NET
Cache-Date: 1467291365
Latitude: 47.682900
Longitude: -122.120900
City: Redmond
Region: Washington
Country: United States
Country-Code: US


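A way to answer Michael Wise's "is there any clustering by datacenter?" question from queue output like Frank's above, as an added example (my code, not anything from the thread's participants or from Microsoft). It splits each queue line into destination IP, failure class (TCP reset during EHLO, 421 per-source concurrency limit, 451 temporary error) and the three-character datacenter prefix of the answering protection.gbl host. The sample lines are constructed to match the shape of the quoted output; the line layout and field names are assumptions about that format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the queue output quoted in the thread,
# one entry per line (the real output wraps each entry across lines).
SAMPLE_QUEUE = """\
@hsitire.com Open (207.46.163.170) Error 4sec (399 TCP Read failed (Connection reset by peer after 4 seconds) 4 sec)
@midwestwheel.com ubad=13799805, Site (midwestwheel.com/207.46.163.170) said: 451 4.3.2 Temporary server error. Please try again later ATTR2
@dordt.edu Open (207.46.163.138) Error 1sec (421 4.3.2 The maximum number of concurrent server connections has exceeded a per-source limit, closing transmission channel (BN1AFFO11FD020.protection.gbl))
@nimanranch.com Open (207.46.163.138) Error 1sec (421 4.3.2 The maximum number of concurrent server connections has exceeded a limit, closing transmission channel (BN1AFFO11FD040.protection.gbl))
@example.org Open (207.46.163.138) Error 2sec (421 4.3.2 The maximum number of concurrent server connections has exceeded a per-source limit, closing transmission channel (BL2FFO11FD020.protection.gbl))
"""

# "(207.46.163.170)" or "(midwestwheel.com/207.46.163.170)"
IP_RE = re.compile(r"\((?:[^/()\s]+/)?(\d{1,3}(?:\.\d{1,3}){3})\)")
# The front-door host that actually answered, e.g. "(BN1AFFO11FD020.protection.gbl)"
HOST_RE = re.compile(r"\(([A-Z0-9]+\.protection\.gbl)\)")


def classify(line):
    """Break one queue line into ip, reason, host and datacenter.  The
    datacenter is the first three characters of the protection.gbl hostname,
    the grouping asked for in the thread; it is None when the remote side
    hung up before identifying itself."""
    ip_m = IP_RE.search(line)
    host_m = HOST_RE.search(line)
    if "TCP Read failed" in line or "Connection reset" in line:
        reason = "tcp-reset"          # hung up at/around EHLO, nothing answered
    elif "maximum number of concurrent server connections" in line:
        reason = "concurrency-limit"  # 421 4.3.2: a host answered and pushed back
    elif "Temporary server error" in line:
        reason = "temp-error"         # 451/4.4.3 ... ATTR2
    else:
        reason = "other"
    host = host_m.group(1) if host_m else None
    return {
        "ip": ip_m.group(1) if ip_m else None,
        "reason": reason,
        "host": host,
        "datacenter": host[:3] if host else None,
    }


def summarize(text):
    """Count failure reasons per destination IP and answering hosts per
    datacenter prefix, so a skew toward one /24 or one prefix stands out."""
    by_ip = defaultdict(Counter)
    by_dc = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("@"):
            continue  # headers or wrapped continuation lines
        rec = classify(line)
        by_ip[rec["ip"]][rec["reason"]] += 1
        if rec["datacenter"]:
            by_dc[rec["datacenter"]] += 1
    return {
        "by_ip": {ip: dict(c) for ip, c in by_ip.items()},
        "by_datacenter": dict(by_dc),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_QUEUE))
```

The two buckets tell different stories, which is the point of separating them: resets carry no hostname, so the only clustering available for them is the destination IP, while the 421s name the host and therefore the datacenter. In the thread both views point the same way (207.46.163.0/24, BL2/BN1/BY2 prefixes), which is what distinguishes a provider-side incident from a reputation problem on the sending side.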


Re: [mailop] Failures to .mail.protection.outlook.com

2016-06-30 Thread Kirk MacDonald
Another reasonably common 4xx:

4.4.3 Temporary server error. Please try again later ATTR2


Kirk MacDonald
System Administrator
Internet
Eastlink


From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Kirk MacDonald
Sent: Thursday, June 30, 2016 11:51 AM
To: mailop@mailop.org
Subject: [mailop] Failures to .mail.protection.outlook.com

Wondering if others are seeing mail queue up within the last hour to domains 
hosted at protection.outlook.com… or if it’s just me? The most frequent 
behaviour is an immediate hangup during ehlo.

Also seeing a small number of successful deliveries and 4xx responses:

4.3.2 The maximum number of concurrent server connections has exceeded a 
per-source limit, closing transmission channel (BL2FFO11FD020.protection.gbl)

That suggests that there are some systems behind the MX that are answering 
and are probably getting stressed.

Our IPs in SNDS are “green”, but I am not always clear about where 
Outlook/Live/Hotmail stops and protection.outlook.com begins.


Kirk MacDonald
System Administrator
Internet
Eastlink



Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Michael Wise via mailop
Yeah.

I can imagine a way to block it if one leverages DKIM and DMARC to send a 
subscribe message FROM the user with a cookie in the Subject, based on a 
mailto: link on a webform, and if the signatures validate... Consider that 
sufficient?

But otherwise, unsure how to block it on the receiving end without some new 
code. We may have to write it, though.

Aloha,
Michael.
--
Sent from my Windows Phone

From: Mark Jeftovic
Sent: 6/30/2016 6:45 AM
To: Michael Wise; 
mailop@mailop.org
Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)

Oh I see. It's the opt-in and confirm version of a reflection attack.

Interesting, and yes, pretty nasty.

- mark

On 2016-06-30 4:55 AM, Michael Wise wrote:
> No.
>
> From what we see, it *SEEMS* to be that they are attacking others by
> flooding the target with confirmation requests from many thousands of
> lists all at once, one or more of which might be yours.
>
> In other words, you are not the nail, you're the hammer.
>
> It's a horrible attack, because it's a legitimate thing to do, sending a
> confirm message. How are you to know that the recipient has received a
> thousand others just like it in the past minute from all around the globe?
>
> This is just a theory, but we've dealt with the cleanup of a number of
> cases like this where our customers were on the receiving end.
>
> Aloha,
> Michael.
> --
> Sent from my Windows Phone
> 
> From: Mark Jeftovic 
> Sent: 6/29/2016 8:17 PM
> To: mailop@mailop.org 
> Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)
>
> What do you mean when you say "they are attacking people for hire." ?
>
> Do you mean they are hired to attack our list?
>
> - mark
>
>
> On 2016-06-29 10:19 PM, Michael Wise via mailop wrote:
>>
>> This ... is an attack with which I have become rather familiar.
>> I'm guessing that all the subscription request web connects are coming from 
>> Eastern Europe
>>
>> They are attacking people for hire.
>> They flood the target accounts with thousands of subscription confirmations.
>>
>> Dig a bit deeper and let me know if my suspicions are correct.
>> You may want to throttle/blacklist connections from any IP that submits 
>> requests for more than 1 mailing-list every ... N seconds?
>>
>> Just a hunch, but I'd be surprised if I was in error on this.
>>
>> Aloha,
>> Michael.
>>
>
> --
> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
> Company Website:
> https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2feasydns.com&data=01%7c01%7cmichael.wise%40microsoft.com%7c709b171504f64281c89f08d3a0951809%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=bJC1Dsg4DvB%2fDTXt2IvKpfWSElSFhNLyB0KiNnf6cGw%3d
> Read my blog:
> https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fmarkable.com&data=01%7c01%7cmichael.wise%40microsoft.com%7c709b171504f64281c89f08d3a0951809%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=NkC0u9HvJsxeCb8m%2fGUehq9dkj2wPOuLKZLHdjnrVAw%3d
> +1-416-535-8672 ext 225
>

--
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: 
https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2feasydns.com&data=01%7c01%7cMichael.Wise%40microsoft.com%7c414129a1122d4b05119d08d3a0ecd95f%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=LiO8ewoiJsGODFwkjoBGu0V1ya6PZKy9MVUkcpUP5zE%3d
Read my blog: 
https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fmarkable.com&data=01%7c01%7cMichael.Wise%40microsoft.com%7c414129a1122d4b05119d08d3a0ecd95f%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=p%2b8kyjXpgVrhuVTQi18bvqkdSmt7B8LbCnWDD9k2%2baY%3d
+1-416-535-8672 ext 225


Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Mark Jeftovic
Oh I see. It's the opt-in and confirm version of a reflection attack.

Interesting, and yes, pretty nasty.

- mark

On 2016-06-30 4:55 AM, Michael Wise wrote:
> No.
> 
> From what we see, it *SEEMS* to be that they are attacking others by
> flooding the target with confirmation requests from many thousands of
> lists all at once, one or more of which might be yours.
> 
> In other words, you are not the nail, you're the hammer.
> 
> It's a horrible attack, because it's a legitimate thing to do, sending a
> confirm message. How are you to know that the recipient has received a
> thousand others just like it in the past minute from all around the globe?
> 
> This is just a theory, but we've dealt with the cleanup of a number of
> cases like this where our customers were on the receiving end.
> 
> Aloha,
> Michael.
> -- 
> Sent from my Windows Phone
> 
> From: Mark Jeftovic 
> Sent: 6/29/2016 8:17 PM
> To: mailop@mailop.org 
> Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)
> 
> What do you mean when you say "they are attacking people for hire." ?
> 
> Do you mean they are hired to attack our list?
> 
> - mark
> 
> 
> On 2016-06-29 10:19 PM, Michael Wise via mailop wrote:
>> 
>> This ... is an attack with which I have become rather familiar.
>> I'm guessing that all the subscription request web connects are coming from 
>> Eastern Europe
>> 
>> They are attacking people for hire.
>> They flood the target accounts with thousands of subscription confirmations.
>> 
>> Dig a bit deeper and let me know if my suspicions are correct.
>> You may want to throttle/blacklist connections from any IP that submits 
>> requests for more than 1 mailing-list every ... N seconds?
>> 
>> Just a hunch, but I'd be surprised if I was in error on this.
>> 
>> Aloha,
>> Michael.
>> 
> 
> -- 
> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
> Company Website:
> https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2feasydns.com&data=01%7c01%7cmichael.wise%40microsoft.com%7c709b171504f64281c89f08d3a0951809%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=bJC1Dsg4DvB%2fDTXt2IvKpfWSElSFhNLyB0KiNnf6cGw%3d
> Read my blog:
> https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fmarkable.com&data=01%7c01%7cmichael.wise%40microsoft.com%7c709b171504f64281c89f08d3a0951809%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=NkC0u9HvJsxeCb8m%2fGUehq9dkj2wPOuLKZLHdjnrVAw%3d
> +1-416-535-8672 ext 225
> 

-- 
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read my blog: http://markable.com
+1-416-535-8672 ext 225



Re: [mailop] Abuse Contacts hosted @ gmail and Google's Spam filter

2016-06-30 Thread Benoit Panizzon
On Tue, 28 Jun 2016 15:57:39 -0700, Hal Murray wrote:

> 
> > There is currently no way to deliver spam to abuse@<domain>
> 
> Google isn't the only problem.  There are lots of outfits that do
> content filtering on their abuse mailbox.
> 
> It seems reasonable to reject mail from IP Addresses on black lists,
> but rejecting spam reports because they look like spam seems silly.
> What did you expect them to look like?
> 
> Is that mentioned in any BCP?  Do any spam-filtering examples process
> abuse@ correctly?

Sure, using MIMEDefang, we have this code snippet that affects all our
hosted email domains:

  # ACCEPT any Emails to Postmaster or Abuse Address
  if ((lc($user) eq "abuse") or (lc($user) eq "postmaster")
      or (lc($user) eq "spam") or (lc($user) eq "ham")) {
      md_syslog('warning', "Mail to special recipient $user hardcoded whitelisting");
      $vars->{imp_sa} = "ACCEPT";
      $vars->{imp_va} = "ACCEPT";
  }

SA = Spam Action
VA = Virus Action

Overriding the recipient's settings and spam filter threshold. As
'spam' and 'ham' are also used to report spam or false positives, we
also whitelist those recipients.

I'm pretty sure each ISP could implement such rules on their spam
filters.

You could also easily match the MIME-Type message/feedback-report and
give some 'ham' score to that rule in SpamAssassin and probably any
other spam filter.

-Benoît Panizzon-
-- 
I m p r o W a r e   A G   -   Head of Commerce Customers
__

Zurlindenstrasse 29     Tel  +41 61 826 93 00
CH-4133 Pratteln        Fax  +41 61 826 93 01
Schweiz                 Web  http://www.imp.ch
__

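Both of Benoît's points, the hard-coded pass for abuse@/postmaster@/spam@/ham@ and the softer "give ARF reports a ham score", in one place, as an added example in Python rather than MIMEDefang's Perl; this is my code, not ImproWare's filter and not a MIMEDefang API. It reads the message with the standard library's email parser, prefers the envelope recipients when the caller has them (what MIMEDefang exposes as $user), and recognises a feedback report either by the multipart/report report-type parameter or by a message/feedback-report part (RFC 5965). The ARF sample and the three-way verdict names are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Role mailboxes that must arrive unfiltered, as in the MIMEDefang rule above.
SPECIAL_RECIPIENTS = frozenset({"abuse", "postmaster", "spam", "ham"})


def localpart(address):
    """'Abuse@Example.net' -> 'abuse'."""
    return address.rsplit("@", 1)[0].lower() if "@" in address else address.lower()


def header_localparts(msg):
    """Lower-cased local parts of every To/Cc address in the headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [localpart(addr) for _, addr in pairs if addr]


def is_feedback_report(msg):
    """True for an ARF report (RFC 5965): multipart/report with
    report-type=feedback-report, or any message/feedback-report part."""
    if msg.get_content_type() == "multipart/report" and \
            str(msg.get_param("report-type", "")).lower() == "feedback-report":
        return True
    return any(p.get_content_type() == "message/feedback-report" for p in msg.walk())


def filter_action(raw, envelope_rcpts=None):
    """Decide what the spam/virus filter does with one message (names assumed):
      ACCEPT    - a special recipient; deliver regardless of score
      HAM_BONUS - an ARF report; apply a negative (ham) score to the rule
      FILTER    - ordinary filtering
    Envelope recipients take precedence over header addresses when given,
    because header To/Cc can be forged or absent (Bcc)."""
    msg = message_from_string(raw)
    rcpts = [localpart(r) for r in envelope_rcpts] if envelope_rcpts else header_localparts(msg)
    if any(r in SPECIAL_RECIPIENTS for r in rcpts):
        return "ACCEPT"
    if is_feedback_report(msg):
        return "HAM_BONUS"
    return "FILTER"


# Constructed sample: a minimal ARF report sent to an ordinary mailbox.
ARF_SAMPLE = """\
From: feedback@isp.example
To: someone@example.net
Subject: FW: spam report
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an abuse report.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: SomeGenerator/1.0
Version: 1
--b1
Content-Type: message/rfc822

From: spammer@example.org
To: someone@example.net
Subject: buy now

click here
--b1--
"""

if __name__ == "__main__":
    print(filter_action(ARF_SAMPLE))                                          # HAM_BONUS
    print(filter_action("From: a@b.example\nTo: abuse@example.net\n\nhi\n"))  # ACCEPT
```

Keeping the ARF case as a score adjustment rather than an unconditional accept matters: the embedded message/rfc822 part is, by construction, the spam being reported, so a content filter that scans the whole report will score it badly, and a negative rule weight for the report-type is the narrowest correction.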


Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Michael Wise via mailop
No.

>From what we see, it *SEEMS* to be that they are attacking others by flooding 
>the target with confirmation requests from many thousands of lists all at 
>once, one or more of which might be yours.

In other words, you are not the nail, you're the hammer.

It's a horrible attack, because it's a legitimate thing to do, sending a 
confirm message. How are you to know that the recipient has received a thousand 
others just like it in the past minute from all around the globe?

This is just a theory, but we've dealt with the cleanup of a number of cases 
like this where our customers were on the receiving end.

Aloha,
Michael.
--
Sent from my Windows Phone

From: Mark Jeftovic
Sent: 6/29/2016 8:17 PM
To: mailop@mailop.org
Subject: Re: [mailop] automated looking mailchimp opt-ins (confused by)

What do you mean when you say "they are attacking people for hire." ?

Do you mean they are hired to attack our list?

- mark


On 2016-06-29 10:19 PM, Michael Wise via mailop wrote:
>
> This ... is an attack with which I have become rather familiar.
> I'm guessing that all the subscription request web connects are coming from 
> Eastern Europe
>
> They are attacking people for hire.
> They flood the target accounts with thousands of subscription confirmations.
>
> Dig a bit deeper and let me know if my suspicions are correct.
> You may want to throttle/blacklist connections from any IP that submits 
> requests for more than 1 mailing-list every ... N seconds?
>
> Just a hunch, but I'd be surprised if I was in error on this.
>
> Aloha,
> Michael.
>

--
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: 
https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2feasydns.com&data=01%7c01%7cmichael.wise%40microsoft.com%7c709b171504f64281c89f08d3a0951809%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=bJC1Dsg4DvB%2fDTXt2IvKpfWSElSFhNLyB0KiNnf6cGw%3d
Read my blog: 
https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fmarkable.com&data=01%7c01%7cmichael.wise%40microsoft.com%7c709b171504f64281c89f08d3a0951809%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=NkC0u9HvJsxeCb8m%2fGUehq9dkj2wPOuLKZLHdjnrVAw%3d
+1-416-535-8672 ext 225

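The suggestion quoted in the message above, to throttle or blacklist any IP that submits subscription requests for more than one mailing list every N seconds, as an added example; this is my code, not Mailchimp's, easyDNS's or any list manager's. It is a sliding-window limiter keyed by source address that counts distinct lists rather than raw requests, so a person re-submitting the same form is not punished while one address spraying many lists is. The class and parameter names are assumptions.

```python
import time
from collections import defaultdict, deque


class SubscribeThrottle:
    """Per-source-IP sliding window over subscription requests.

    An address that has already requested ``max_lists`` distinct lists
    within the last ``window`` seconds is refused for any further list
    until the old requests age out.  Refusals are not recorded, so a
    blocked source is not kept blocked by its own retries; in deployment
    a refusal would route the request to a CAPTCHA rather than drop it.
    """

    def __init__(self, max_lists=1, window=60.0):
        self.max_lists = max_lists
        self.window = window
        self._events = defaultdict(deque)  # ip -> deque of (timestamp, list_id)

    def _expire(self, ip, now):
        q = self._events[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def distinct_lists(self, ip, now=None):
        """Lists this source asked to join inside the current window."""
        now = time.time() if now is None else now
        self._expire(ip, now)
        return {list_id for _, list_id in self._events[ip]}

    def allow(self, ip, list_id, now=None):
        """True if the request may proceed; records it when allowed."""
        now = time.time() if now is None else now
        recent = self.distinct_lists(ip, now)
        if list_id not in recent and len(recent) >= self.max_lists:
            return False
        self._events[ip].append((now, list_id))
        return True


if __name__ == "__main__":
    # Constructed walk-through: one source hits three lists inside a minute.
    t = SubscribeThrottle(max_lists=1, window=60)
    for sec, list_id in [(0, "newsletter"), (5, "newsletter"), (9, "alerts"), (70, "alerts")]:
        print(sec, list_id, t.allow("192.0.2.7", list_id, now=1000 + sec))
```

Keying by exact address is what the quoted suggestion asks for; in practice a /24 (or /64 for IPv6) key catches the same bot hopping between neighbouring addresses, at the cost of occasionally grouping unrelated customers behind one NAT. This limiter only addresses the single-source case the thread calls out; a bot spread across open proxies, which Vick observes, still needs the blocklist-plus-CAPTCHA gating from earlier in the thread.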