Re: [mailop] [E] Re: IP based reporting for Yahoo feedback loop gone?

2020-12-31 Thread Hans-Martin Mosner via mailop
On 31.12.20 at 22:07 Hal Murray via mailop wrote:
> Scott Mutter said:
>> If spam is sent from one of our servers - the IP address of one of our
>> servers - it's me you ultimately want to contact, not the owner of the IP
>> address.  If you contact the owner of the IP address - they don't have root
>> access to the server - they will have to filter that report down to me, for
>> me to take action. And whether that happens, or whether it happens in a
>> timely manner, is anybody's guess.
> That's correct if you are white-hat.  If you are black-hat, I want to contact 
> the owner in hopes that you will become an ex-customer.
>
>
This pretty much nails it - if you're the bad guy I don't want to talk to you, 
if not, I want to talk to a competent entity.

Simplified, these are the possible cases:

  * Blackhat provider (owner), any customer: reject, possibly with an SMTP error message indicating that you will have to move to a different provider if you want to reach us.
  * Greyhat provider, whitehat customer: I might whitelist you.
  * Greyhat provider, blackhat customer: I will blacklist you or the IP range, depending on the perceived unwillingness of the provider to handle spam problems at all.
  * Greyhat provider, compromised customer: I will send a spamcop report and block the IP range. If the info gets to you, and you fix the problem, and you or the provider gets back with that info to me, then I will unblock. Fat chance, sorry.
  * Whitehat provider, whitehat customer: no problem except a possible data entry error which I'll fix as soon as I get notified.
  * Whitehat provider, blackhat customer: Of course I contact the provider hoping to get you booted. If that does not happen, provider has apparently turned greyhat.
  * Whitehat provider, compromised customer: That's the only case where it would make any sense to talk to the customer. However, if your services are compromised, you're probably not very competent or you have an organizational problem, and getting this resolved might take some time and energy. You're not my customer, why should I spend my time and energy helping you fix that problem? I'll notify the owner of the IP so they work with you (their paying customer) to fix your problem.

Given the additional hurdles of identifying the responsible entity beyond the IP space owner (domain whois? mostly unusable), why should I jump through the hoops of identifying the customer whose service was used to send spam? The owner of the IP space is much better equipped to do that.

In very isolated situations, I may decide to do something different. But in general, the IP space owner is the right person for me to talk to.

Cheers,
Hans-Martin

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] [E] Re: IP based reporting for Yahoo feedback loop gone?

2020-12-31 Thread Hal Murray via mailop

Scott Mutter said:
> If spam is sent from one of our servers - the IP address of one of our
> servers - it's me you ultimately want to contact, not the owner of the IP
> address.  If you contact the owner of the IP address - they don't have root
> access to the server - they will have to filter that report down to me, for
> me to take action. And whether that happens, or whether it happens in a
> timely manner, is anybody's guess.

That's correct if you are white-hat.  If you are black-hat, I want to contact 
the owner in hopes that you will become an ex-customer.


-- 
These are my opinions.  I hate spam.





Re: [mailop] [E] Re: IP based reporting for Yahoo feedback loop gone?

2020-12-31 Thread Marcel Becker via mailop
On Thu, Dec 31, 2020 at 11:00 Scott Mutter via mailop wrote:

>
> Back in the day, AOL had a great feedback loop system.  This system was
> immensely helpful for us, because it allowed us to find spammers on our
> servers very quickly.  But either that feedback loop system died off or AOL
> diminished in use (I suspect the latter).
>

Well:
https://blog.postmaster.verizonmedia.com/post/175121113628/oath-mail-migration-update

(And ignore that oath branding piece...)



Re: [mailop] [E] Re: IP based reporting for Yahoo feedback loop gone?

2020-12-31 Thread Scott Mutter via mailop
> I don't think so. I'm primarily a datacenter operator and
> commercial-only ISP and my AUP says no spamming. As the proactive type
> that prefers to prevent spamming instead of ignoring it for profit, I do
> like to know if anyone is emitting spam from any of our IP space.
> Feedback loops based on our IP ranges help with that goal, and provide
> effective evidence of AUP violations.

> I can't do that with DKIM. Feedback loops are also faster than waiting
> for someone to email abuse@ after looking in whois, if anyone bothers to
> go that far. If my abuse@ is already in whois, then why should I not be
> allowed to request automated reporting of the same?


I think there is a subset of people that don't really understand how
widespread IP space is being shared.  That subset seems to believe that 1
IP address means 1 domain name and 1 individual.  But that's just simply
not the case.

1 IP address may be sending out mail for 500 or more domain names - each
that may have 10 to 20 email accounts.  And that means there's a lot of
mail being sent out from a single IP address that doesn't necessarily
relate to each other.  The majority of these email account owners and
domain name owners care nothing about DKIM, DMARC reports, or any feedback
loop reports.  The people that do care?  They're the ones that serve as
server administrators (i.e. have root access) to those servers.  That is
who these reports need to be aimed at.  It then becomes the server
administrator's responsibility to keep those 500 domain names or 10,000
email accounts in line when it comes to spamming or abuse.

There also needs to be a distinction made between the "owner" of an IP
address and the "administrator" responsible for the server using that IP
address.  I don't own any of the IP addresses that are used to send out
mail from our servers, but I administer all the servers we use.  If spam is
sent from one of our servers - the IP address of one of our servers - it's
me you ultimately want to contact, not the owner of the IP address.  If you
contact the owner of the IP address - they don't have root access to the
server - they will have to filter that report down to me, for me to take
action. And whether that happens, or whether it happens in a timely
manner, is anybody's guess.

Now, it's entirely possible that I'm the one that has tunnel vision with
this... but this is how I see things.  Maybe there are a lot of folks that
host one domain name on one IP address.  Or maybe everyone on this list
owns the IP address space that they send out mail from.  I don't know.  But
I think it's at least worth an open mind in looking at how IP address space
is used and dispersed amongst people that can actually take actionable
changes from that IP address space.

My advice would be to have a centralized database of IP addresses that
lists 1) a human contact email address (or probably a form to disguise the
actual email address) and 2) a feedback loop address (which again would be
disguised).  Force server administrators of these IP addresses to verify
these email addresses (or I suppose you could do a callback URL) once a
month to ensure that the information remains up to date.  Then when spam is
identified as being sent from an IP address it is sent to the FBL address
listed in this central database.

Back in the day, AOL had a great feedback loop system.  This system was
immensely helpful for us, because it allowed us to find spammers on our
servers very quickly.  But either that feedback loop system died off or AOL
diminished in use (I suspect the latter).  Microsoft is supposed to have the
JMRP that was supposed to be similar, but I never found it useful - I very,
very rarely ever got anything from those reports, yet our servers would get
blocked by Microsoft - and it was a hassle to sign up for (again the
distinction between OWNER of the IP address and ADMINISTRATOR of the server
using the IP address).  Google also allegedly has a feedback loop system -
but I've never, ever received anything in that system; I'm guessing maybe
we don't have the volume of mail to gmail to register for this?

The bottom line is that the IP address is the only thing that is common
throughout the whole email infrastructure when it comes to identifying
abuse.  Every email message received, every spam message received, was sent
to the recipient's server by another server with an IP address.  So that's
the structure that makes sense for identifying where abuse is coming from.


Re: [mailop] [E] Re: IP based reporting for Yahoo feedback loop gone?

2020-12-31 Thread Seth Mattinen via mailop

On 12/28/20 1:22 PM, Marcel Becker via mailop wrote:

> Your example is in fact addressing part of the “sense” question: Why
> should you be getting all abuse reports for an IP when it’s shared and
> all you really should be getting is the stuff for your own domain you
> are responsible for.

I don't think so. I'm primarily a datacenter operator and
commercial-only ISP and my AUP says no spamming. As the proactive type
that prefers to prevent spamming instead of ignoring it for profit, I do
like to know if anyone is emitting spam from any of our IP space.
Feedback loops based on our IP ranges help with that goal, and provide
effective evidence of AUP violations.

I can't do that with DKIM. Feedback loops are also faster than waiting
for someone to email abuse@ after looking in whois, if anyone bothers to
go that far. If my abuse@ is already in whois, then why should I not be
allowed to request automated reporting of the same?

> BTW: Some ESPs solve the “not practical” problem by double signing their mail with their own DKIM domain.

I can't double sign emails that are coming from IP space reassigned to
customers. (And before someone says filter port 25 this is not
residential or dynamic IP.)

But I also understand that other mail operators don't want to maintain a
system that can work with IP-based reporting. My only point is that it's
helpful to those of us that want to help prevent spam.



[mailop] microsoft rejects mail to live.de but accepts for hosted exchange - 116.203.31.6 - part of their network is on our block list (S3140)

2020-12-31 Thread Stefan Bauer via mailop
Hi,

anyone aware of a bigger block at the moment?

We're having a single IP 116.203.31.6 but Microsoft's reject message looks like
there is a bigger block ongoing. Network is from hetzner (DE).

737675DD1E: to=,
relay=eur.olc.protection.outlook.com[104.47.14.33]:25, delay=3.4,
delays=0.01/3/0.37/0.02, dsn=5.7.1, status=bounced (host
eur.olc.protection.outlook.com[104.47.14.33] said: 550 5.7.1 Unfortunately,
messages from [116.203.31.6] weren't sent. Please contact your Internet service
provider since part of their network is on our block list (S3140). You can also
refer your provider tohttp://mail.live.com/mail/troubleshooting.aspx#errors.
[VI1EUR04FT034.eop-eur04.prod.protection.outlook.com] (in reply to MAIL FROM
command))

Mails to domains, hosted at exchange online however are accepted:

relay=mbccgroup-com01b.mail.protection.outlook.com[104.47.5.36]:25, delay=81,
delays=75/3/0.65/2.4, dsn=2.6.0, status=sent (250 2.6.0
 [InternalId=39771397163184,
Hostname=VI1PR08MB4336.eurprd08.prod.outlook.com] 16779310 bytes in 1.202,
13631.165 KB/sec Queued mail for delivery)

Dec 31 16:02:50 mx3
relay=customer2-eu.mail.protection.outlook.com[104.47.1.36]:25, delay=5.1,
delays=0.03/3/0.33/1.7, dsn=2.6.0, status=sent (250 2.6.0
<20201231150245.CB90B5DD1C@mail> [InternalId=15504831938757,
Hostname=AM6PR07MB5303.eurprd07.prod.outlook.com] 8446 bytes in 0.115, 71.226
KB/sec Queued mail for delivery)

SNDS still shows IP as blocked.

Any ideas?

Stefan
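A small parser for the kind of Postfix delivery log lines quoted in the post above, added here as an example (not the poster's or the list's code). It pulls out queue id, relay, DSN and status, and flags bounces whose reject text carries Microsoft's "on our block list (Sxxxx)" code so a sending operator can alert on a block like S3140 the moment it appears rather than noticing it in SNDS a day later. The log lines are constructed from the ones in the post; recipient addresses and process ids are placeholders.

```python
import re
from typing import Optional

# Constructed Postfix smtp log lines modelled on those quoted in the post;
# recipients and pids are placeholders, the IPs and the S3140 code are the
# page's own values.
SAMPLE_LOG = """\
Dec 31 15:02:49 mx3 postfix/smtp[4711]: 737675DD1E: to=<someone@live.de>, relay=eur.olc.protection.outlook.com[104.47.14.33]:25, delay=3.4, delays=0.01/3/0.37/0.02, dsn=5.7.1, status=bounced (host eur.olc.protection.outlook.com[104.47.14.33] said: 550 5.7.1 Unfortunately, messages from [116.203.31.6] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). (in reply to MAIL FROM command))
Dec 31 16:02:50 mx3 postfix/smtp[4712]: CB90B5DD1C: to=<someone@example.com>, relay=customer2-eu.mail.protection.outlook.com[104.47.1.36]:25, delay=5.1, delays=0.03/3/0.33/1.7, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

# One delivery attempt as logged by postfix/smtp: queue id, recipient, relay,
# DSN code, status and the free-text detail in parentheses.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"relay=(?P<relay>[^\[ ]+)\[(?P<relay_ip>[^\]]+)\]:\d+, .*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
# Microsoft's "part of their network is on our block list (S3140)" wording;
# the S-code identifies which block rule fired.
MS_BLOCK_RE = re.compile(r"on our block list \((?P<code>S\d+)\)")


def parse_delivery(line: str) -> Optional[dict]:
    """Return the delivery fields of one log line, or None if it is not one."""
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    block = MS_BLOCK_RE.search(rec["detail"])
    rec["ms_block_code"] = block.group("code") if block else None
    # The sending IP the reject names, if any.
    src = re.search(r"messages from \[(\d+\.\d+\.\d+\.\d+)\]", rec["detail"])
    rec["blocked_ip"] = src.group(1) if src else None
    return rec


def microsoft_block_events(log_text: str) -> list:
    """Bounced deliveries whose reject text carries an S-code block message."""
    events = []
    for line in log_text.splitlines():
        rec = parse_delivery(line)
        if rec and rec["status"] == "bounced" and rec["ms_block_code"]:
            events.append((rec["queue"], rec["relay"], rec["blocked_ip"], rec["ms_block_code"]))
    return events


if __name__ == "__main__":
    for ev in microsoft_block_events(SAMPLE_LOG):
        print("queue %s via %s: source %s hit block rule %s" % ev)
```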


Re: [mailop] observation - *OLC.PROTECTION.outlook.com does not offer STARTTLS when IP is blocked

2020-12-31 Thread André Peters via mailop
Yes, I have seen this. Quite annoying when you enforce TLS outbound. :)

> On 31.12.2020 at 10:48 Stefan Bauer via mailop wrote:
> 
> 
> Hi,
> 
> one of our pub-ip seems to be blocked by MS. Side effect is that
> olc.protection... is not offering starttls in this case.
> Anyone else seen that?
> 
> # telnet eur.olc.protection.outlook.com. 25
> Trying 104.47.18.161...
> Connected to eur.olc.protection.outlook.com.
> Escape character is '^]'.
> 220 AM7EUR06FT011.mail.protection.outlook.com Microsoft ESMTP MAIL Service 
> ready at Thu, 31 Dec 2020 09:21:40 +
> ehlo mydomain.com
> 250-AM7EUR06FT011.mail.protection.outlook.com Hello [116.203.31.6]
> 250-SIZE 49283072
> 250-PIPELINING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250-BINARYMIME
> 250-CHUNKING
> 250 SMTPUTF8
> 
> SNDS reports:
> 
> 116.203.31.6,116.203.31.6,Yes,Blocked due to user complaints or other 
> evidence of spamming
> 
> However the real data is only available the next day on 
> https://sendersupport.olc.protection.outlook.com/snds/data.aspx
> . How does one deal with that situation?
> 
> We monitor our outgoing mails but did not catch/see any malicious/spammy mail 
> recently from this node/host.
> 
> Stefan


[mailop] observation - *OLC.PROTECTION.outlook.com does not offer STARTTLS when IP is blocked

2020-12-31 Thread Stefan Bauer via mailop
Hi,

one of our pub-ip seems to be blocked by MS. Side effect is that
olc.protection... is not offering starttls in this case.

Anyone else seen that?

# telnet eur.olc.protection.outlook.com. 25
Trying 104.47.18.161...
Connected to eur.olc.protection.outlook.com.
Escape character is '^]'.
220 AM7EUR06FT011.mail.protection.outlook.com Microsoft ESMTP MAIL Service
ready at Thu, 31 Dec 2020 09:21:40 +
ehlo mydomain.com
250-AM7EUR06FT011.mail.protection.outlook.com Hello [116.203.31.6]
250-SIZE 49283072
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

SNDS reports:

116.203.31.6,116.203.31.6,Yes,Blocked due to user complaints or other evidence
of spamming

However the real data is only available the next day on
https://sendersupport.olc.protection.outlook.com/snds/data.aspx.
How does one deal with that situation?

We monitor our outgoing mails but did not catch/see any malicious/spammy mail
recently from this node/host.

Stefan
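The observation in this thread (a blocked sender sees an EHLO reply from *.olc.protection.outlook.com without STARTTLS, which then breaks an outbound TLS-enforcing relay) is easy to turn into a monitoring check. The example below is added here and is not the poster's or the list's code: it parses the EHLO reply quoted above into a capability map and reports which required extensions are missing; `probe_starttls` is an assumed helper for doing the same against a live MX with the standard library's smtplib.

```python
import smtplib
from typing import Dict, List

# The 250 reply lines of the EHLO exchange quoted in the post (banner and the
# "ehlo" command line left out); STARTTLS is absent from this list.
SAMPLE_EHLO_REPLY = """\
250-AM7EUR06FT011.mail.protection.outlook.com Hello [116.203.31.6]
250-SIZE 49283072
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8"""


def parse_ehlo_reply(reply: str) -> Dict[str, str]:
    """Map each advertised EHLO keyword (upper-cased) to its parameter string.

    The first 250 line is the server greeting, not a keyword, and is skipped;
    "250-" marks a continuation line and "250 " the final line (RFC 5321).
    """
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected reply line: %r" % line)
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params
    return caps


def missing_capabilities(caps: Dict[str, str], required=("STARTTLS",)) -> List[str]:
    """Which of the required extensions the server did not advertise."""
    return [k for k in required if k not in caps]


def probe_starttls(host: str, helo_name: str, timeout: float = 10) -> bool:
    """Live check (needs network; assumed helper): does the MX offer STARTTLS to us?"""
    with smtplib.SMTP(host, 25, timeout=timeout) as conn:
        conn.ehlo(helo_name)
        return conn.has_extn("starttls")


if __name__ == "__main__":
    caps = parse_ehlo_reply(SAMPLE_EHLO_REPLY)
    print("missing:", missing_capabilities(caps))   # ['STARTTLS']
```

Run from the sending host itself, since the reply depends on the connecting IP: a STARTTLS-less answer from an MX that normally offers it is a cheap early signal that the IP has landed on a block list.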