Re: [mailop] SendGrid Abuse unresponsive

2020-05-20 Thread Raymond Dijkxhoorn via mailop

Hello Steve,

I'm seeing a very significant drop off of sendgrid-originated spam. Couple 
of minor phish/419 in the past 24 hours.


Anybody else?



I don't see any drop in volumes here.   I just spent 10 minutes looking at 
anything hitting traps today from Sendgrid ASN and soon found plenty of 
concern:


Usually I am in line with your findings, but ...


From: "rakuten" 
Reply-To: ratu...@ratuken.jp
Subject: Subject

From: l...@avibra.fr
Mime-Version: 1.0
Subject: Merci pour votre message
Bonjour D=D0=B0ting site for se=D1=85 with girls in th=D0=B5 USA


It's still certainly not empty. We do agree there. But the volumes are 
definitely going down significantly.


I see a drop of 42% roughly on the traps, and I hope they will continue 
to work on them.


That last spam you subscribed to, I am sure ;)

Good night! Raymond
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Abusix Potentially Compromised Account Report

2020-05-20 Thread Jesse Thompson via mailop
On 5/19/20 5:51 AM, Thomas Walter via mailop wrote:
> On 19.05.20 12:01, Jaroslaw Rafa via mailop wrote:
>> A shared account by itself is a security loophole.
> Why is that? You can perfectly share an account with IMAP4 Access
> Control Lists.
> 
> The issue is not the shared account, the issue is a shared password.
> 

Correct.  Most of our shared mailboxes are indeed accessed via mailbox 
permissions, but some people still choose to set a password on the shared 
account for reasons; sometimes valid, but sometimes misguided.

I guess I was making the logical leap that if the password was in a breach data 
set, then a password associated with that address exists in the wild.  Maybe 
one of the people with access to that account used the address to sign up for a 
3rd party service, and they presumably shared that password with others and 
made it easy to remember.  A typical user may have signed up for multiple 3rd 
party services using the same password.

Hopefully they used a password manager and generated strong unique passwords 
and shared to their colleagues via the password manager's sharing capabilities. 
 No way to really know unless to ask.  Hence why I see value in getting reports 
like what Abusix is providing.

Jesse




Re: [mailop] mailop Digest, Vol 151, Issue 41

2020-05-20 Thread Chris via mailop

That was one of the ones I reported to Len.

Given the problems I heard sendgrid was having (I'll leave it up to Len 
to say anything detailed about it), I *do* expect to see small numbers 
of light weight things continuing to happen for a little while some 
residuals pop up, get identified, and zapped.  My first round of zappage 
was very high volume truly nasty stuff.  This stuff barely registers 
comparatively.




Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)

2020-05-20 Thread Alessio Cecchi via mailop

On 16/05/20 21:02, Alessio Cecchi via mailop wrote:


Hi,

we are an Email Hosting Provider based in Italy.

One of our customers has transferred her domain from one registrar to 
another. After this transfer the domain is unable to receive emails 
from wetransfer.com and facebookmail.com, but works fine from all 
other senders.


I suspect that during the transfer there was some issue with name 
server of the domain because on the day of the transfer no email was 
received by the domain, but after one week any DNS issue/cache should 
be fixed.



Hello guys,

WeTransfer support replied to me:

===

Hi Alessio,

Thanks for contacting us!

Our transfer email could not be delivered to the recipient because their 
email address was on the bounce list of our email delivery service. That 
explains why they didn't receive the confirmation emails.


I have now removed the recipient's email address from our bounce list 
and they should technically be able to receive our emails again.


===

So the problem started, probably, during the change of DNS provider, 
when the domain was without MX records or had wrong ones.


Probably it is the same for Facebook as well.

Thanks to all for helping me :-)

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice




Re: [mailop] mailop Digest, Vol 151, Issue 41

2020-05-20 Thread Michael Peddemors via mailop

Glad to hear something is being done on it, but...

(Quickly checks the spam folder.. )

Still coming in.. Netflix Phish for instance.. Seems like they are now 
just using the same method, but with slightly more obfuscated From 
friendly names..


Always nice when the spammers add email addresses belonging to a company 
involved in spam protection ;)


Return-Path: 
Delivered-To: sa...@linuxmagic.com
Received: (qmail 42345 invoked from network); 19 May 2020 21:38:26 -
Received: from wrqvffcz.outbound-mail.sendgrid.net (HELO 
wrqvffcz.outbound-mail.sendgrid.net) (149.72.255.206)

by be.cityemail.com with (AES256-GCM-SHA384 encrypted) SMTP
(122e7fd2-9a19-11ea-9d07-b37be4431ee5); Tue, 19 May 2020 14:38:26 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
h=content-type:from:mime-version:reply-to:to:subject:list-unsubscribe;
s=smtpapi; bh=v4zCQ3e2LEzO09v9KYrxQ+hDECIEspkidVw61CfRAnc=; b=ZE
3e/kRdCnB2n78B0ELnlLRlf02uoioD6dvyULWg5d71nxNlxpJr01sTCSw/6TIRQj
/h/mdKKR7QIvmJaa0j9ydWNaScS9it6EUz/VuwAx8wVvLR7mO5QSrg8G8UernGWO
bvpgauvq3uR5M7hyvTq11wYS3H+GfjbLHcPFbHVfw=
Received: by filter0857p1iad2.sendgrid.net with SMTP id 
filter0857p1iad2-14214-5EC451D0-6

2020-05-19 21:38:24.281488619 + UTC m=+338595.871356810
Received: from MTYyNTUwMjA (unknown)
by ismtpd0051p1iad1.sendgrid.net (SG) with HTTP id 
5AhElBMwQAeStnVlrMsBXA
Tue, 19 May 2020 21:38:24.175 + (UTC)
Content-Type: multipart/alternative; 
boundary=13aa6f58effcabc0298a9a708c5d7ac0dbf86df5ee8650b564ddc57776a7

Date: Tue, 19 May 2020 21:38:25 + (UTC)
From: "NETFLlX" 
Mime-Version: 1.0
Reply-To: addm...@menuonline.vn
To: sa...@linuxmagic.com
Message-ID: <5ahelbmwqaestnvlrms...@ismtpd0051p1iad1.sendgrid.net>
Subject: Please Verify Your Account
List-Unsubscribe: 

X-MagicMail-OS: Linux 3.11 and newer
X-MagicMail-UUID: 122e7fd2-9a19-11ea-9d07-b37be4431ee5
X-MagicMail-SourceIP: 149.72.255.206
X-MagicMail-RegexMatch: 0
X-MagicMail-EnvelopeFrom: 


X-MagicMail-Original-Destination: sa...@linuxmagic.com
X-Archive: Yes
X-MagicMail-Quarantine: Yes
X-Archive: Yes


On 2020-05-20 8:00 a.m., Len Shneyder via mailop wrote:

Hi Chris,

Thanks for letting me know! That's reassuring that the work we started 
last week is having a positive impact. If you're seeing continued abuse 
and can share telemetry to help us narrow down our efforts I'd greatly 
appreciate it. Just so everyone is aware this is an all hands on deck 
effort with long term work planned as a result. Michael, thanks for 
pinging me on both LinkedIN and here, if there's something you can share 
feel free to send it my way.



Thank you,
-L

Message: 3
Date: Tue, 19 May 2020 15:48:58 -0400
From: Chris mailto:clewis%2bmai...@mustelids.ca>>
To: mailop@mailop.org 
Subject: Re: [mailop] SendGrid Abuse unresponsive
Message-ID: mailto:d9cbeec9-447a-d4f5-53fa-083c2295a...@mustelids.ca>>
Content-Type: text/plain; charset=utf-8; format=flowed

I'm seeing a very significant drop off of sendgrid-originated spam.
Couple of minor phish/419 in the past 24 hours.

Anybody else?

--

Message: 4
Date: Tue, 19 May 2020 13:03:48 -0700
From: Michael Peddemors mailto:mich...@linuxmagic.com>>
To: mailop@mailop.org 
Subject: Re: [mailo
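
A detection sketch for the two obfuscation patterns visible in the samples quoted in these threads (the "NETFLlX" friendly name with a Reply-To at another domain, and the quoted-printable body line mixing Cyrillic letters into Latin words). This is an added example, not code from any poster; the brand list, the look-alike fold and the addresses in `SAMPLE` are assumptions constructed for illustration.

```python
import quopri
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumed watch list: brand -> its legitimate sending domain.
BRANDS = {"netflix": "netflix.com"}
# Small hand-made fold of ASCII look-alikes (l, 1 -> i; 0 -> o); real filters
# would use the full Unicode confusables data.
FOLD = str.maketrans("l10", "iio")

def skeleton(text):
    """Lowercase, drop non-alphanumerics, fold look-alike characters."""
    return "".join(c for c in text.lower() if c.isalnum()).translate(FOLD)

def scripts(word):
    """Scripts used by the letters of a word, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in word if c.isalpha()}

def mixed_script_words(text):
    """Words whose letters come from more than one script."""
    return [w for w in text.split() if len(scripts(w)) > 1]

def decode_qp(line):
    """Decode a quoted-printable UTF-8 line as it appears in a raw body."""
    return quopri.decodestring(line.encode("ascii")).decode("utf-8")

def check_headers(raw):
    """Return findings for brand look-alike display names and Reply-To mismatch."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = reply_to.rpartition("@")[2].lower()
    findings = []
    for brand, domain in BRANDS.items():
        own = from_dom == domain or from_dom.endswith("." + domain)
        if skeleton(name) == skeleton(brand) and not own:
            kind = "exact" if name.lower() == brand else "lookalike"
            findings.append(f"{kind}-brand-name:{brand}")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")
    return findings

# Constructed header sample; only the display name and subject come from the page.
SAMPLE = ('From: "NETFLlX" <bounce@sender.example>\n'
          "Reply-To: help@other.example\n"
          "Subject: Please Verify Your Account\n\nbody\n")
# Body line quoted in the thread, still quoted-printable encoded.
QP_LINE = "Bonjour D=D0=B0ting site for se=D1=85 with girls in th=D0=B5 USA"
```
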

[mailop] SparkApp Contact

2020-05-20 Thread Brotman, Alex via mailop
Any contacts at Spark (https://sparkmailapp.com)?

(not SparkPost/MessageSystems)

Thanks

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast




Re: [mailop] mailop Digest, Vol 151, Issue 41

2020-05-20 Thread Len Shneyder via mailop
Hi Chris,

Thanks for letting me know! That's reassuring that the work we started last
week is having a positive impact. If you're seeing continued abuse and can
share telemetry to help us narrow down our efforts I'd greatly appreciate
it. Just so everyone is aware this is an all hands on deck effort with long
term work planned as a result. Michael, thanks for pinging me on both
LinkedIN and here, if there's something you can share feel free to send it
my way.


Thank you,
-L

Message: 3
> Date: Tue, 19 May 2020 15:48:58 -0400
> From: Chris 
> To: mailop@mailop.org
> Subject: Re: [mailop] SendGrid Abuse unresponsive
> Message-ID: 
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> I'm seeing a very significant drop off of sendgrid-originated spam.
> Couple of minor phish/419 in the past 24 hours.
>
> Anybody else?
>
> --
>
> Message: 4
> Date: Tue, 19 May 2020 13:03:48 -0700
> From: Michael Peddemors 
> To: mailop@mailop.org
> Subject: Re: [mailop] SendGrid Abuse unresponsive
> Message-ID: <5c668439-424f-b6b5-e160-eb49f2497...@linuxmagic.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Still seeing the phishing attempts.. Only reason there is less, is some
> of the older IP(s) still in blacklists ;)
>
> Just kidding, but volume high enough to show that they don't have the
> issue handled as of yet..
>
> On 2020-05-19 12:48 p.m., Chris via mailop wrote:
> > I'm seeing a very significant drop off of sendgrid-originated spam.
> > Couple of minor phish/419 in the past 24 hours.
> >
> > Anybody else?
> >


Re: [mailop] AntiSpamCloud not verifying AmazonSES DKIM Signature

2020-05-20 Thread Ashley Elphick via mailop

Hi,

I should be able to point you to the right people that can help . I'll 
reach out off list.


Cheers

Ashley

On 5/20/20 1:43 PM, Hagop Khatchoian via mailop wrote:

Hi,

I've been working with several domains that use AmazonSES and been 
analyzing DMARC Aggregate and Failure reports accordingly.


Majority of Reporters (Google, Comcast, Verizon) are verifying DKIM 
Signature, but been receiving Failure/Forensic reports from 
AntiSpamCloud (Thankfully we got some providers who still send Failure 
reports) indicating this:
/X-SPF-Result: mx178.antispamcloud.com: domain of 
eu-west-1.amazonses.com designates 54.240.7.21 as permitted sender/

/X-DKIM-Status: none / / eu-west-1.amazonses.com / / //
/X-DKIM-Status: fail / signature_incorrect / domain.com / domain.com / 
/ quffadg26ibodxkvgsxvf2jd7ykxirwf/
/X-DKIM-Status: fail / signature_incorrect / amazonses.com / 
amazonses.com / / shh3fegwg5fppqsuzphvschd53n6ihuv/


So basically, what I can conclude myself is:
AmazonSES signs the outgoing emails from their servers with 2 DKIM 
Signatures (One from AmazonSES, the other from the registered domain 
who created custom DKIM Record.
Interestingly, AntiSpamCloud is labeling those both signatures as 
"incorrect" and failing the authentication.


Have anyone else included this exact issue? What did you do to solve it?

Bonus: Not sure if this cause any issues, but AmazonSES provides DKIM 
Public Signature with just "p=[key]" ; there's nothing in regards to 
"v=DKIM1, or any other tags" --


Please let me know if you can help me debug this.
Cheers,

Hagop Khatchoyan
Email Deliverability and Security Engineer
Mob(Whatsapp/Telegram/Viber): +374 98 028628



[mailop] AntiSpamCloud not verifying AmazonSES DKIM Signature

2020-05-20 Thread Hagop Khatchoian via mailop
Hi,

I've been working with several domains that use AmazonSES and been analyzing DMARC Aggregate and Failure reports accordingly.

Majority of Reporters (Google, Comcast, Verizon) are verifying DKIM Signature, but been receiving Failure/Forensic reports from AntiSpamCloud (Thankfully we got some providers who still send Failure reports) indicating this:

X-SPF-Result: mx178.antispamcloud.com: domain of eu-west-1.amazonses.com designates 54.240.7.21 as permitted sender
X-DKIM-Status: none / / eu-west-1.amazonses.com / / /
X-DKIM-Status: fail / signature_incorrect / domain.com / domain.com / / quffadg26ibodxkvgsxvf2jd7ykxirwf
X-DKIM-Status: fail / signature_incorrect / amazonses.com / amazonses.com / / shh3fegwg5fppqsuzphvschd53n6ihuv

So basically, what I can conclude myself is:
AmazonSES signs the outgoing emails from their servers with 2 DKIM Signatures (One from AmazonSES, the other from the registered domain who created custom DKIM Record.
Interestingly, AntiSpamCloud is labeling those both signatures as "incorrect" and failing the authentication.

Have anyone else included this exact issue? What did you do to solve it?

Bonus: Not sure if this cause any issues, but AmazonSES provides DKIM Public Signature with just "p=[key]" ; there's nothing in regards to "v=DKIM1, or any other tags" --

Please let me know if you can help me debug this.
Cheers,

Hagop Khatchoyan
Email Deliverability and Security Engineer
Mob(Whatsapp/Telegram/Viber): +374 98 028628
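
On the "Bonus" point in the post above, an added example (not from the poster, Amazon SES or AntiSpamCloud) that parses a DKIM key TXT record with the RFC 6376 defaults: `v=` is optional and defaults to `DKIM1`, `k=` defaults to `rsa`, and only `p=` is required. The function names and the placeholder key are constructed for illustration.

```python
import base64
import binascii

def parse_dkim_key_record(txt):
    """Parse a DKIM key TXT record into tags, applying RFC 6376 defaults."""
    tags, order = {}, []
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        tags[name] = value.strip()
        order.append(name)
    if "v" in tags and (order[0] != "v" or tags["v"] != "DKIM1"):
        raise ValueError("v= must be the first tag and equal DKIM1")
    if "p" not in tags:
        raise ValueError("p= is required")
    tags["p"] = "".join(tags["p"].split())   # folding whitespace is allowed in p=
    tags.setdefault("v", "DKIM1")            # v= is optional, default DKIM1
    tags.setdefault("k", "rsa")              # k= is optional, default rsa
    return tags

def key_status(txt):
    """Classify a key record as ok, revoked or invalid."""
    try:
        tags = parse_dkim_key_record(txt)
    except ValueError as exc:
        return f"invalid: {exc}"
    if tags["p"] == "":
        return "revoked"                     # empty p= means the key was revoked
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "invalid: p= is not base64"
    return f"ok: v={tags['v']} k={tags['k']} key_bytes={len(der)}"

# Constructed placeholder, not a real public key.
FAKE_KEY = base64.b64encode(b"constructed-not-a-real-key").decode()

if __name__ == "__main__":
    for record in ("p=" + FAKE_KEY, "k=rsa; v=DKIM1; p=" + FAKE_KEY, "v=DKIM1; p="):
        print(f"{record[:24]!r:28} -> {key_status(record)}")
```

A record consisting only of `p=` parses as valid here, so a missing `v=` tag alone does not make a key record invalid under the RFC.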


[mailop] Yahoo MX record question

2020-05-20 Thread Michael E. Weisel via mailop
Good morning, I hope everyone is staying safe and healthy.  I started seeing 
some out of the norm responses from 2 or 3 Yahoo MX records which are sharing 
the same IP addresses.  Could someone from the Yahoo Postmaster team please 
contact me off list so I can share my findings?



Thanks,

Michael

Michael E. Weisel
CTO / Deliverability Lead
Gold Lasso
(301) 990-9857 Corporate
(240) 813-0174 Direct Dial
