Re: [mailop] Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Matt Harris via mailop
On Tue, Aug 11, 2020 at 2:21 PM Michael Orlitzky via mailop <
mailop@mailop.org> wrote:

> In the past few months there have been several threads on mailop and
> similar lists (sdlu, spamassassin-users, nanog, ...) complaining about
> how SendGrid doesn't seem to do anything at all to stop the ongoing
> blatant phishing campaigns from their servers.
>

I've received some spam from sendgrid, including another "we caught you
looking at pr0n, send us btc" just today from sendgrid at my personal email
address, and dutifully forwarded them with headers along to abuse@. What
I've never received is any sort of follow-up on those reports indicating
that they were received, much less that any action would be taken. Some of these
messages are spam in ways that are exceptionally obvious - things like
having the From: header set to the same address as the recipient, for
example, or matching patterns that even a junior sysadmin's spamassassin
deployment would be able to catch.

We'd been using sendgrid in production for some stuff, but we're looking at
changing that now because it seems like their lack of concern regarding
abuse on their platform will lead to more and more deliverability issues as
time goes on. It just seems like sendgrid doesn't care about abuse on their
platform.

As far as determining the difference between a compromised account that
isn't a spammer and a spammer who simply signed up for an account, this
should be relatively simple by looking at their history. Even without doing
so, the action should clearly be the same: shut down the account
immediately. There's no reason to let a legitimate user's compromised
account continue being used illicitly, and the legitimate user can be
contacted to address the issue after which time the account can be
re-enabled.

Matt Harris|Infrastructure Lead Engineer
816-256-5446|Direct
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Michael Orlitzky via mailop
On 2020-08-11 16:53:46, Benoit Panizzon via mailop wrote:
> 
> Now a sendgrid customer complains to us that his emails are being
> rejected because of this listing.
> 
> But that makes me wonder: Doesn't sendgrid deal with such issues like
> asking for delisting after blocking the sender itself and re-uses
> recently (last phish received on 14. July) 'abused' ip addresses for
> other customers?
> 

In the past few months there have been several threads on mailop and
similar lists (sdlu, spamassassin-users, nanog, ...) complaining about
how SendGrid doesn't seem to do anything at all to stop the ongoing
blatant phishing campaigns from their servers.



Re: [mailop] [OFFLIST] Re: Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Michael Peddemors via mailop

On 2020-08-11 9:39 a.m., Michael Peddemors via mailop wrote:
> Hi Len,

DOH! Sorry about that Len.. and list..

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



Re: [mailop] Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Adam D. Barratt via mailop
On Tue, 2020-08-11 at 09:22 -0700, Len Shneyder via mailop wrote:
> Thanks for pointing this out and I'm sorry you're still seeing what
> sounds like a high volume of phish. I've asked our fraud ops team to
> investigate this. In the future if you could send suspicious emails
> to ab...@sendgrid.com we will get this handled.

fwiw I forwarded an obvious phish to that address last Friday (claiming
to be from ebay and using a sender address @ebay-ws.com, which isn't
even registered) and received no response other than a second
practically identical mail today.

Adam




[mailop] [OFFLIST] Re: Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Michael Peddemors via mailop

Hi Len,

We have been extremely busy over here, so I haven't had a chance to
circle back around, but for the record, volumes are still excessive, and
our team is detecting malicious, easily identifiable spam on a regular
basis.


Received: from o2.hv1nn.shared.sendgrid.net (HELO
o2.hv1nn.shared.sendgrid.net) (167.89.100.17)
From: "Mail Server"

X-SG-EID: 

Do you want to circle around to talking about how we can create 
automated reports of these for your company?


On 2020-08-11 9:22 a.m., Len Shneyder via mailop wrote:

Re: [mailop] [EXTERNAL] Re: Comcast contact?

2020-08-11 Thread Brotman, Alex via mailop
Responding to Brett offlist as well.   Thanks

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast



[mailop] ReliableSite Contact

2020-08-11 Thread Ashley Rodriguez via mailop
Hey y'all.

I was curious if anyone on here has a contact for or has recently had luck
with reliablesite.net. We found some active phishing sites and it's been
over 5 days on the takedown request. I've updated the ticket a few times
and no luck yet. Just curious to see if anyone else is facing the same
issue.

Thanks in advance!
-- 
Ashley Rodriguez
Deliverability Engineer
Mailgun


Re: [mailop] Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Len Shneyder via mailop
Hello Benoit and Hokan,

Thanks for pointing this out and I'm sorry you're still seeing what sounds
like a high volume of phish. I've asked our fraud ops team to investigate
this. In the future if you could send suspicious emails to
ab...@sendgrid.com we will get this handled. Feel free to CC me when you do
this to make sure these are handled quickly.

We've instituted some self-limiting features on our front door that
should've decreased the overall volume of abuse. This is a stop gap measure
as we roll out some other countermeasures in the next few weeks. Could you
let me know if you have seen a perceptible drop in volume and velocity
between June and July when this was rolled out?

Again, I want to assure you that there is a massive effort happening here
to address the problems you are seeing. I'm happy to meet off list and
discuss this further and help you understand what we're working on if that
would be helpful. Again, thank you for your patience and please don't
hesitate to contact me when you see any of these issues arise.

Best,
-L

Len Shneyder
VP Industry Relations
EMAIL l...@twilio.com
TWITTER @LenShneyder


Re: [mailop] Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Hans-Martin Mosner via mailop
On 11.08.20 at 16:53, Benoit Panizzon via mailop wrote:
As far as I understood, the IP addresses are not allocated to customers
(except in some cases where the customer domain is being used for hostnames
of big customers) but are part of a shared mail distribution network.

This means that blocking sendgrid IPs does on one hand affect other
customers, and on the other hand it does not reliably block the spammer.

Much more effective is to block based on the string of digits in the
envelope sender address (bounces+1234567-...) which apparently identifies
the sender.

Whether the sender has been hacked or is a genuine spammer is sometimes not
easy to see, because sendgrid does some header obfuscation of their own, so
some marks normally associated with spammers may also be seen in mails from
non-spammers or compromised accounts.

Cheers,
Hans-Martin



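An added illustration of the point Hans-Martin makes above (this is example code, not anything posted to the list or shipped by SendGrid): a small policy check that keys on the digit run in a `bounces+<digits>-...` envelope sender instead of on the connecting IP, run over constructed sample transactions so the collateral damage of IP blocking on a shared pool is visible. Only the `bounces+<digits>-` prefix comes from the thread; the rest of the local part and the bounce domain are assumed.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Shape of the VERP-style envelope sender quoted on the list:
#   bounces+<digits>-<encoded recipient>@<bounce domain>
# Only the "bounces+<digits>-" prefix is taken from the thread; the remainder
# of the local part is matched loosely because its exact format is assumed.
VERP_RE = re.compile(
    r"^bounces\+(?P<sender_id>\d+)-[^@]*@(?P<domain>[^@\s]+)$", re.IGNORECASE
)


def sender_id_from_envelope(mail_from: str) -> Optional[str]:
    """Return the digit run that (per the thread) identifies the sending
    account in a MAIL FROM address, or None for non-VERP senders."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    match = VERP_RE.match(addr)
    return match.group("sender_id") if match else None


def decide(mail_from: str, client_ip: str,
           blocked_ids: Set[str], blocked_ips: Set[str]) -> Tuple[str, str]:
    """Return (action, reason) for one SMTP transaction.

    The sender-id check runs first because it is the precise signal; the IP
    check is kept only so the two strategies can be compared side by side."""
    sid = sender_id_from_envelope(mail_from)
    if sid is not None and sid in blocked_ids:
        return "REJECT", "sender id %s is blocked" % sid
    if client_ip in blocked_ips:
        return "REJECT", "client ip %s is blocked" % client_ip
    return "OK", "no match"


# Constructed sample transactions: (client IP, MAIL FROM, label).
# 192.0.2.0/24 is documentation space; sg.example is a placeholder domain.
SAMPLE_TRANSACTIONS: List[Tuple[str, str, str]] = [
    ("192.0.2.10", "<bounces+1234567-ab12-user=example.org@sg.example>",
     "spammer"),
    ("192.0.2.10", "<bounces+7654321-cd34-user=example.org@sg.example>",
     "legit customer on same ip"),
    ("192.0.2.11", "<bounces+1234567-ef56-user=example.org@sg.example>",
     "spammer via another ip"),
    ("192.0.2.12", "<newsletter@corp.example>", "unrelated sender"),
]


def compare_strategies(transactions: List[Tuple[str, str, str]],
                       spammer_id: str, spammer_ip: str) -> Dict[str, Dict[str, str]]:
    """Evaluate every sample transaction under an IP-only blocklist and under
    a sender-id-only blocklist; the result is keyed by the sample label."""
    results: Dict[str, Dict[str, str]] = {}
    for ip, mail_from, label in transactions:
        by_ip = decide(mail_from, ip, set(), {spammer_ip})[0]
        by_id = decide(mail_from, ip, {spammer_id}, set())[0]
        results[label] = {"by_ip": by_ip, "by_id": by_id}
    return results


if __name__ == "__main__":
    for label, outcome in compare_strategies(
            SAMPLE_TRANSACTIONS, "1234567", "192.0.2.10").items():
        print("%-28s ip-block=%-6s id-block=%s"
              % (label, outcome["by_ip"], outcome["by_id"]))
```

In the sample, the IP rule rejects the innocent customer sharing the spammer's outbound IP and misses the spammer once they rotate to another pool address, while the sender-id rule catches both spammer transactions and nothing else.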


Re: [mailop] Comcast contact?

2020-08-11 Thread Brett Schenker via mailop
I should add, so that folks don't just think "grey listing," that some
emails are being delivered twice so something is up either at our mailer or
on Comcast, so trying to narrow it down and need some help.

On Tue, Aug 11, 2020 at 10:27 AM Brett Schenker 
wrote:


-- 
Brett Schenker
Man of Many Things, Including
5B Consulting - http://www.5bconsulting.com
Graphic Policy - http://www.graphicpolicy.com

Twitter - http://twitter.com/bhschenker
LinkedIn - http://www.linkedin.com/in/brettschenker


Re: [mailop] Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Hokan via mailop
I've instituted short-term blocks of Sendgrid mail several times this year
and started another today because it looks like as much as a third of the
mail they've sent us in the past week has been evil -- mostly phishing.

This is a problem for me because some of the mail Sendgrid sends is
wanted by my users.  I'm thinking about just accepting it all and filing
it into user spam folders.

I see that the IP you mention, Benoit, is currently listed on the SBL and
Spamcop.


-- 
Hokan MEnet, a wholly owned subsidiary of Enet
System Administrator Department of Aerospace Engineering and Mechanics
ho...@me.umn.edu  Department of Mechanical Engineering
612.208.3105 (cell)   Department of Industrial and Systems Engineering



[mailop] Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Benoit Panizzon via mailop
Hi List

o1678912x138.outbound-mail.sendgrid.net [167.89.12.138] and IP under
control of sendgrid was repeatedly involved in phishing and other spam
since June.

It ended up being blacklisted @ SWINOG.

Now a sendgrid customer complains to us that his emails are being
rejected because of this listing.

But that makes me wonder: Doesn't sendgrid deal with such issues like
asking for delisting after blocking the sender itself and re-uses
recently (last phish received on 14. July) 'abused' ip addresses for
other customers?

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G  -  Head of Commercial Customers
__

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
__



[mailop] Comcast contact?

2020-08-11 Thread Brett Schenker via mailop
I was hoping there's someone on here that might be with Comcast I can chat
with. We're seeing some issues with them where the email sends but then
isn't delivered for multiple days later and get the 250ok response. It
could be grey listing, it could be something else but hoping to see if
there was someone that might help diagnose where the issue is. Thanks!

Brett

-- 
Brett Schenker
Man of Many Things, Including
5B Consulting - http://www.5bconsulting.com
Graphic Policy - http://www.graphicpolicy.com

Twitter - http://twitter.com/bhschenker
LinkedIn - http://www.linkedin.com/in/brettschenker


Re: [mailop] spearphishing

2020-08-11 Thread Marc Ballarin via mailop

Hi,

please report issues like this to the abuse contact given in WHOIS, i.e. 
ab...@1and1.com. Please always include complete headers or the complete 
mail as an attachment and clearly mention that this is phishing.


You could also report this to Oracle's cloud abuse contact for the URL.

perfora.net is part of our large, shared mail system for US customers. 
This mail was sent through a compromised mailbox that has now been locked.


Regards,
Marc

On 10.08.2020 at 20:11, Eric Henson via mailop wrote:
> Slightly sanitized headers: https://pastebin.com/w2JJj8TJ
>
> Email pretends to be a Microsoft voicemail, with an attachment that uses
> javascript to open a URLEncoded page.
>
> Image of page for the more cautious: https://imgur.com/WOpva4Q
>
> broken hyperlink for the more adventurous:
> ttps://objectstorage.us-sanjose-1.oraclecloud.com/n/axcdfbfimho2/b/bucket-dreamland20200806-0427/o/index.html#u...@example.com
>
> You can edit the email address at the end to be whatever you like.
>
> Microsoft has started putting the emails in the “Junk” folder, but
> Barracuda just lets them right on through. I’m opening a case with
> Barracuda as to why they can’t catch this, but I’m open to suggestions
> on other activities I can do.
>
> I’ve seen about a dozen of these, targeting 3 finance-related employees.
> All are routed through perfora.net, which apparently has an open relay?
> Anyone know anything about that domain? I’m putting in a rule to block
> anything that has perfora.net in the header.
>
> *Eric Henson*
> Windows Server Team Manager
> PFSweb, Inc.
> *m:* 972.948.3424
> www.pfsweb.com



--
Marc Ballarin
Senior Anti-Abuse Software Engineer
Hosting Security

1&1 IONOS Service GmbH | Brauerstraße 50 | 76135 Karlsruhe | Germany
Headquarters Montabaur, Montabaur District Court, HRB 20141
Managing Directors: Michael Fromm, Christoph Steger
Member of United Internet