Re: [mailop] Benin, 197.234.221.180, AS37424, "For Jeny SAS Internet customers" Mylove@1
On 28.11.2019 at 09:15:59 Benoit Panizzon via mailop wrote:
> Over the last months, I have observed many email mailbox abuses from the
> "Jeny SAS" IP Range in Benin which used passwords probably obtained by
> phishing attacks.
>
> The interesting thing here is: If we block SMTP for the affected
> mailbox, this usually solves the issue.
>
> Our customer then still can log in, change its mailbox password and
> thus unlock his mailbox.
>
> Not so from this IP Range. The Attacker knows how to change the
> password and changes it to "Mylove@1". So the only way is to force
> change the customer's password so he has to request a new one via
> customer support.

Do I understand correctly? They are sending emails from that Benin IP range with your customers' sender addresses? Do they send them via your SMTP server or directly from their IPs? As you write about blocking mailboxes and changing passwords, I guess they are using your SMTP server.

If they know your customers' passwords, what is strange in the fact that they are able to change these passwords? (Unless you are using some sort of 2FA, of course.)

I think if someone's account has been compromised, the correct thing to do is to block access to that account (as you do now), for example by changing the password (there could be other options, depending on your configuration - you could temporarily block the login possibility for the user without changing his/her password). Not only block some functionality like SMTP.

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] ItaliaOnLine (@libero.it, +) now interpreting DMARC p=none as p=quarantine
On Tue, 26 Nov 2019 at 14:30, Benjamin BILLON via mailop wrote:
> ItaliaOnline is rolling out new rules, including the necessity of having a
> DMARC record (and also a valid DKIM signature), among other things.
> I believe this kind of delivery placement (on p=none) is a side effect of
> what they're trying to do.

UPDATE: it sounds like since yesterday everything came back to normal and emails are no longer marked as spam for a failed DMARC check with p=none.

Now the DMARC header correctly says:

"X-IOL-DMARC: fail_monitor con il dominio msn.com"

So, I guess you were right and it was an unwanted side effect.

Thank you,
Stefano
[mailop] Benin, 197.234.221.180, AS37424, "For Jeny SAS Internet customers" Mylove@1
Hi Gang

Over the last months, I have observed many email mailbox abuses from the "Jeny SAS" IP Range in Benin which used passwords probably obtained by phishing attacks.

The interesting thing here is: If we block SMTP for the affected mailbox, this usually solves the issue.

Our customer then still can log in, change its mailbox password and thus unlock his mailbox.

Not so from this IP Range. The Attacker knows how to change the password and changes it to "Mylove@1". So the only way is to force change the customer's password so he has to request a new one via customer support.

Any others with the same observation?

Kind regards
-Benoît Panizzon-

-- 
ImproWare AG - Head of Commercial Customers
__
Zurlindenstrasse 29       Tel +41 61 826 93 00
CH-4133 Pratteln          Fax +41 61 826 93 01
Schweiz                   Web http://www.imp.ch
__
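The two points made in this thread (Benoît's observation that the attacker changes the mailbox password to a fixed value after a phished login, and Jaroslaw's advice to lock the whole account rather than only SMTP) can be turned into a small triage routine. The following is an added example, not code posted by either author or used by ImproWare: it parses constructed log lines in an assumed `key=value` format, treats 197.234.221.0/24 as the watched range (the thread names only one address, 197.234.221.180, and AS37424; the /24 is an assumption), and decides per account whether to lock login and whether a forced reset via support is needed because the attacker already rotated the password. It also rejects the observed attacker password at change time; that check is cheap but weak on its own, since the attacker can simply pick another string.

```python
"""Triage of mailbox-compromise indicators from constructed auth logs.

Added example, not code from the mailop thread. Assumes a simple
'<timestamp> <event> key=value ...' log format. The watched range
197.234.221.0/24 is an assumption; the thread cites one address in it.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime

WATCHED_NETS = [ipaddress.ip_network("197.234.221.0/24")]  # assumption
# Fixed password the attacker is observed to set; refuse it at change time.
KNOWN_ATTACKER_PASSWORDS = {"Mylove@1"}

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2019-11-27T08:12:01Z imap-login user=alice ip=197.234.221.180 result=ok
2019-11-27T08:13:40Z passwd-change user=alice ip=197.234.221.180 result=ok
2019-11-27T08:15:02Z smtp-auth user=alice ip=197.234.221.180 result=ok
2019-11-27T09:01:11Z smtp-auth user=bob ip=197.234.221.77 result=ok
2019-11-27T09:30:00Z imap-login user=carol ip=192.0.2.10 result=ok
2019-11-27T09:31:00Z passwd-change user=carol ip=192.0.2.10 result=ok
2019-11-27T09:40:00Z imap-login user=dave ip=197.234.221.5 result=fail
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict; timestamp parsed, fields kept as str."""
    ts, event, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    rec.update(kv.split("=", 1) for kv in kvs)
    return rec


def from_watched_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_NETS)


def triage(log_text: str) -> dict[str, set[str]]:
    """Return the response actions per user.

    'lock_login'  -- disable authentication entirely, not only SMTP: the
                     attacker holds the password, so any remaining login
                     path (IMAP, webmail, password change) is still open.
    'force_reset' -- additionally invalidate the password and route the
                     customer to support, because the attacker changed it
                     and the customer can no longer log in to change it back.
    """
    actions: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only successful events from the watched range are indicators.
        if rec.get("result") != "ok" or not from_watched_range(rec["ip"]):
            continue
        user = rec["user"]
        actions[user].add("lock_login")
        if rec["event"] == "passwd-change":
            actions[user].add("force_reset")
    return dict(actions)


def password_change_allowed(new_password: str) -> bool:
    """Refuse the fixed value seen set on takeover (a weak, cheap control)."""
    return new_password not in KNOWN_ATTACKER_PASSWORDS


if __name__ == "__main__":
    for user, acts in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(sorted(acts))}")
```

On the sample log, alice gets both actions (the password change came from the watched range), bob gets only the account lock (SMTP use from the range, no password change seen), and carol and dave are untouched: carol's change came from an unrelated address and dave's login from the range failed.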