Re: [mailop] Unsubscription requests from O365

2018-08-08 Thread Michael Wise via mailop

I wouldn’t go beyond 40.107.223.255 at this point, as the next block at least 
looks like outbound traffic.
If there’s no rDNS and it’s in the block, you’re probably okay… unless your DNS 
server fell over.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool?

From: mailop On Behalf Of Al Iverson via mailop
Sent: Wednesday, August 8, 2018 5:28 PM
To: mailop@mailop.org
Subject: Re: [mailop] Unsubscription requests from O365

Is it still correct to say that SONAR scans seem to be coming from 40.107.194.0 
- 40.107.248.99? If we wanted to make sure not to count those as legit tickles 
from end users...

Cheers,
Al


Re: [mailop] Unsubscription requests from O365

2018-08-08 Thread Al Iverson via mailop
Is it still correct to say that SONAR scans seem to be coming from 40.107.194.0
- 40.107.248.99? If we wanted to make sure not to count those as legit
tickles from end users...

Cheers,
Al



-- 
al iverson // 312-725-0130 // miami
http://www.aliverson.com
http://www.spamresource.com
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
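
Added example, not part of any list member's post: one way an unsubscribe endpoint could handle the situation discussed in this thread, so that a GET with extra query parameters never unsubscribes anyone and hits from the reported scanner range are logged but not counted as user actions. The function names, the `confirm` parameter and the sample requests are assumptions; the range is the one reported in the thread, capped at 40.107.223.255 as advised there.

```python
import ipaddress
from urllib.parse import parse_qs

# Scanner range as reported in this thread (40.107.194.0 upward), capped at
# 40.107.223.255 per the advice given there. An assumption to re-check over time.
SCANNER_NETS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("40.107.194.0"),
    ipaddress.IPv4Address("40.107.223.255"),
))


def is_scanner(client_ip: str) -> bool:
    """True if the source address falls inside the reported scanner range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in SCANNER_NETS)


def classify(method: str, query: str, body: str, client_ip: str) -> str:
    """Decide what an unsubscribe endpoint should do with one request.

    Returns 'scanner_hit', 'unsubscribe', 'show_confirm_page' or 'reject'.
    """
    if not parse_qs(query).get("u"):
        return "reject"                      # no subscriber token at all
    if is_scanner(client_ip):
        return "scanner_hit"                 # log it, never count it as a user action
    if method == "POST":
        # RFC 8058: the one-click POST body carries List-Unsubscribe=One-Click.
        if parse_qs(body).get("List-Unsubscribe") == ["One-Click"]:
            return "unsubscribe"
        return "reject"
    if method == "GET":
        # A GET never changes state, whatever extra query parameters it carries.
        return "show_confirm_page"
    return "reject"


# Constructed sample requests; the token and the 'confirm' parameter are made up.
SAMPLES = [
    ("GET",  "u=TOKEN&confirm=1", "", "40.107.200.17"),
    ("GET",  "u=TOKEN&confirm=1", "", "203.0.113.9"),
    ("POST", "u=TOKEN", "List-Unsubscribe=One-Click", "203.0.113.9"),
    ("POST", "u=TOKEN", "", "203.0.113.9"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(*sample))
```
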


Re: [mailop] Unsubscription requests from O365

2018-08-08 Thread Michael Wise via mailop


No worries!

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool?



-Original Message-
From: Andrew Beverley 
Sent: Wednesday, August 8, 2018 4:15 PM
To: Michael Wise 
Cc: mailop@mailop.org
Subject: Re: [mailop] Unsubscription requests from O365



Sorry... I think it might actually be a problem this end. There are some 
additional parameters that can be added to the URL which means it doesn't 
require a POST request. I'm not sure how, but the scanner appears to be adding 
these. I can't see the parameters in a list email anywhere, so I'm not sure 
where it's getting them from, but that's our problem not yours. Sorry for the 
noise.



Andy









Re: [mailop] Unsubscription requests from O365

2018-08-08 Thread Michael Wise via mailop


"Hmm...[tm]"



Making inquiries.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool?





Re: [mailop] Unsubscription requests from O365

2018-08-08 Thread Andrew Beverley
Thanks for the quick reply Michael,

> Does the URL include the user identifier as part of the domain or path?

No, it's in the query string, e.g.

https://www.simplelists.com/confirm.php?u=QzwKTj9iXcEWOT1I5MQObv4l7aPma9tN

> This is our SONAR system testing if the URL is malicious.

But surely it shouldn't be doing POST requests to test the URL? It's
only the last 24 hours or so that this has suddenly become a problem -
it was okay before that.

> Or, you could just block the IP ranges that you see this behavior
> coming from, as I recall they’re all in a /24 or thereabouts.

Thanks, that's a good option - I guess genuine requests will be from a
different IP range. It looks like a bit more than a /24 but not much
more (about 40.107.194.0 - 40.107.248.99 or so).

Thanks,

Andy



Re: [mailop] Unsubscription requests from O365

2018-08-08 Thread Michael Wise via mailop


Does the URL include the user identifier as part of the domain or path?

If so ... that's your issue.

Move it to after a “?” or some such.



This is our SONAR system testing if the URL is malicious.

And you're probably having issues with others as well.

Or, you could just block the IP ranges that you see this behavior coming from, 
as I recall they’re all in a /24 or thereabouts.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool?





[mailop] Unsubscription requests from O365

2018-08-08 Thread Andrew Beverley
We are seeing a large increase in the number of list unsubscriptions
from O365-hosted email addresses, using the List-Unsubscribe header.

Has anyone else noticed this and/or is anyone aware of any problems? Or
has a new "easy" unsubscribe feature been added? Apparently many of the
unsubscriptions are unintended by the list member in question.

The unsubscriptions seem to happen almost as soon as a list email is
distributed, so they look automated rather than the accidental action
of members.

The list-unsubscribe URL in question requires a POST request to action
it (there is also an associated RFC8058 List-Unsubscribe-Post header).

Thanks,

Andy



Re: [mailop] anyone from psu.edu ?

2018-08-08 Thread Scott Undercofler

Isn't mail-abuse now owned by Trendmicro?

On August 8, 2018 at 10:29 AM Carl Byington wrote:

> The psu.edu mail servers are returning an error message:
>
> reason: 551 5.7.1 $IP blacklisted due to listing on www.mail-abuse.org
>
> which is interesting, since that name has a cname, but no A record.
> Anyone know what list they are actually checking against?


Re: [mailop] anyone from psu.edu ?

2018-08-08 Thread Carl Byington


> which is interesting, since that name has a cname, but no A record.
> Anyone know what list they are actually checking against?

I should have mentioned that the address 69.167.152.152 is not listed on
the public lookup at https://www.ers.trendmicro.com/reputations




[mailop] anyone from psu.edu ?

2018-08-08 Thread Carl Byington

The psu.edu mail servers are returning an error message:

reason: 551 5.7.1 $IP blacklisted due to listing on www.mail-abuse.org

which is interesting, since that name has a cname, but no A record.
Anyone know what list they are actually checking against?




[mailop] Any FarmersTel people on here?

2018-08-08 Thread Josh Nason
Anyone from Minnesota-based FarmersTel on here or does anyone know people from 
there? 

Thanks in advance.

- Josh from Oracle Dyn