Re: [mailop] Malware waves from hotmail.com

2021-06-05 Thread joemailop--- via mailop
Hello Scott,

Azure's IP space, updated once a week with one week lead before they go live - 
https://www.microsoft.com/en-us/download/details.aspx?id=56519

From the looks of the json filename, it is changed after each release, so I 
wouldn't recommend re-downloading the below json file for new updates -
https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20210531.json

AWS - https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html  - If 
the download URL doesn't change (doesn't seem to me that it does), you can go 
straight to https://ip-ranges.amazonaws.com/ip-ranges.json. If you have an AWS 
account, you can sign up for notifications when new subnets are added. (It 
requires using their SNS service.) 

GCP - https://cloud.google.com/compute/docs/faq#find_ip_range - If the download 
URL doesn't change (doesn't seem to me that it does), you can go straight to 
https://www.gstatic.com/ipranges/cloud.json

-joe


On 6/5/2021 at 7:22 AM, "Michael Peddemors via mailop" wrote:
>
> Sorry, bit laid up and typing with one hand, but luckily all the top three
> publicly list their IP(s), unfortunately they do it via web URLs that you
> need to parse instead of via say a rwhois entry.
>
> (some are listed at various services you can query in RBL format such as
> RATS-AZURE)
>
> Some you can check via PTR naming conventions, and others you can do an
> ASN lookup.
>
> don't have the URLs handy, but welcome to reach out off list.
>
> On 2021-06-04 4:08 p.m., Scott Mutter via mailop wrote:
>> On Fri, Jun 4, 2021 at 1:24 PM Michael Peddemors via mailop
>> <mailop@mailop.org> wrote:
>>
>>> With apache, you can use modsecurity quite easily, and you can block all
>>> azure (and other cloud providers ranges) from certain services like
>>> wordpress, or contact forms etc.. (you can even do dns based checks or
>>> rbldnsd) ..
>>
>> Are there any links for this? AFAIK mod_security is just a module - to
>> actually do anything it requires a ruleset. Further from that, how does it
>> determine what is Azure and what is not? Is it just blocking IP addresses?
>> Seems you'd need a list of all of the Azure IP address space. And from what
>> I have seen the offending IPs are all over the place:
>>
>> 157.55.39.138
>> 207.46.13.5
>> 20.83.33.136
>> 20.94.247.9
>> 40.124.141.27
>> 40.124.141.27
>> 40.124.193.244
>> 40.76.220.206
>>
>> Are just a few.
>>
>> But if there's a way to block Azure and other cloud based services, I'd be
>> interested in that. But I'd suspect you'd need a list of all of their IP
>> address spaces - is that information available somewhere?
>>

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
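The three feeds joe lists above each use a different JSON shape (Azure's ServiceTags file, AWS's ip-ranges.json, GCP's cloud.json). As an added example that is not from anyone in this thread, the script below parses each shape into one prefix table and answers Scott's question of whether a given address sits in a cloud provider's range. The feed contents are constructed miniature samples embedded inline, not real downloads, and the labels and function names are my own choices.

```python
import ipaddress
import json

# Constructed miniature samples that mimic each feed's JSON shape (not real downloads).
AZURE_SAMPLE = json.dumps({"cloud": "Public", "values": [
    {"name": "AzureCloud.eastus", "properties": {"addressPrefixes": ["20.83.0.0/16", "40.76.0.0/14"]}}]})
AWS_SAMPLE = json.dumps({
    "prefixes": [{"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON"}],
    "ipv6_prefixes": [{"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON"}]})
GCP_SAMPLE = json.dumps({"prefixes": [
    {"ipv4Prefix": "34.80.0.0/15", "service": "Google Cloud", "scope": "asia-east1"},
    {"ipv6Prefix": "2600:1900:4030::/44", "service": "Google Cloud", "scope": "us-central1"}]})

def parse_azure(text):
    """ServiceTags_Public_*.json: values[].properties.addressPrefixes holds v4 and v6 CIDRs mixed."""
    return [(cidr, "azure:" + tag["name"]) for tag in json.loads(text)["values"]
            for cidr in tag["properties"]["addressPrefixes"]]

def parse_aws(text):
    """ip-ranges.json: v4 under prefixes[].ip_prefix, v6 under ipv6_prefixes[].ipv6_prefix."""
    feed = json.loads(text)
    return ([(p["ip_prefix"], "aws:" + p["service"]) for p in feed["prefixes"]]
            + [(p["ipv6_prefix"], "aws:" + p["service"]) for p in feed["ipv6_prefixes"]])

def parse_gcp(text):
    """cloud.json: every prefixes[] entry carries either ipv4Prefix or ipv6Prefix."""
    return [(p.get("ipv4Prefix") or p["ipv6Prefix"], "gcp:" + p.get("scope", ""))
            for p in json.loads(text)["prefixes"]]

def build_table(*feeds):
    """Convert (cidr, label) pairs into (ip_network, label); one bad entry must not drop the whole list."""
    table = []
    for pairs in feeds:
        for cidr, label in pairs:
            try:
                table.append((ipaddress.ip_network(cidr, strict=False), label))
            except ValueError:
                continue
    return table

def lookup(table, ip):
    """Label of the most specific prefix containing ip, or None if no feed claims it."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, label) for net, label in table if addr in net]  # v4/v6 mismatch is simply False
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

TABLE = build_table(parse_azure(AZURE_SAMPLE), parse_aws(AWS_SAMPLE), parse_gcp(GCP_SAMPLE))
if __name__ == "__main__":
    for ip in ("20.83.33.136", "40.76.220.206", "34.81.1.1", "157.55.39.138"):
        print(ip, "->", lookup(TABLE, ip))  # last one is None only because the sample feed is tiny
```

Against the real feeds the same table, written out one CIDR per line, is what a ModSecurity rule using `@ipMatchFromFile` would consume to know which requests are "Azure", which is the missing piece Scott asked about.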


Re: [mailop] Malware waves from hotmail.com

2021-06-05 Thread Michael Peddemors via mailop
Sorry, bit laid up and typing with one hand, but luckily all the top 
three publicly list their IP(s), unfortunately they do it via web URLs 
that you need to parse instead of via say a rwhois entry.


(some are listed at various services you can query in RBL format such as 
RATS-AZURE)


Some you can check via PTR naming conventions, and others you can do an 
ASN lookup.


don't have the URLs handy, but welcome to reach out off list.



On 2021-06-04 4:08 p.m., Scott Mutter via mailop wrote:
> On Fri, Jun 4, 2021 at 1:24 PM Michael Peddemors via mailop 
> <mailop@mailop.org> wrote:
> 
>> With apache, you can use modsecurity quite easily, and you can block all
>> azure (and other cloud providers ranges) from certain services like
>> wordpress, or contact forms etc.. (you can even do dns based checks or
>> rbldnsd) ..
> 
> Are there any links for this? AFAIK mod_security is just a module - to 
> actually do anything it requires a ruleset.  Further from that, how does 
> it determine what is Azure and what is not?  Is it just blocking IP 
> addresses?  Seems you'd need a list of all of the Azure IP address 
> space.  And from what I have seen the offending IPs are all over the place:
> 
> 157.55.39.138
> 207.46.13.5
> 20.83.33.136
> 20.94.247.9
> 40.124.141.27
> 40.124.141.27
> 40.124.193.244
> 40.76.220.206
> 
> Are just a few.
> 
> But if there's a way to block Azure and other cloud based services, I'd 
> be interested in that.  But I'd suspect you'd need a list of all of 
> their IP address spaces - is that information available somewhere?





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


Re: [mailop] Feedback Loop in Gmail Postmaster tools does not show anything

2021-06-05 Thread Brandon Long via mailop
On Fri, Jun 4, 2021 at 6:31 AM Tim Düsterhus, WoltLab GmbH via mailop <mailop@mailop.org> wrote:

> Hi Jaroslaw
>
> On 6/3/21 10:47 PM, Jaroslaw Rafa via mailop wrote:
> >> Does anyone of you have practical experience with Google's feedback
> >> loop mechanism and might be able to identify if we are doing
> >> anything wrong or if it's just the low volume?
> >
> > What I can recommend from my own experience:
> > 1) create some actual test account on Gmail
> > 2) make your customer send an email to this account using your process
> > 3) access the Gmail account and see if message actually went to Spam
> > folder. If yes:
> > 4) check if Gmail indicates all three SPF, DKIM and DMARC on the message
> > as PASS. If not, you need to fix the one that is failing on your side and
> > re-try.
> > 5) If yes, send the headers of the message that was incorrectly classified
> > as spam (the headers as received on that Gmail account) to Google using
> > this form: https://support.google.com/mail/contact/bulk_send_new . They
> > explicitly say in the form that they won't reply to you, but it often
> > really helps and your messages no longer go to Spam (at least that was
> > the case for me).
>
> Thank you, this is useful. I was not aware of that form. I'll add it to
> my bookmarks.
>
> We checked your suggestions back when setting up the system, but I just
> rechecked registering an account with my personal Gmail in a sandbox
> instance we use to test this type of stuff. The double opt-in
> confirmation mail was delivered just fine directly into the inbox.
>
> Checking the email shows a PASS for both SPF and DKIM for
> bounce.woltlab.cloud. We don't do DMARC, as explained in my sibling
> reply. Gmail shows "Sender Name  via
> bounce.woltlab.cloud" as the sender which is expected for our set-up and
> nothing unusual, I have seen this for other newsletters I subscribed to
> as well.
>
> However unfortunately this does not answer my specific question
> regarding the 'Feedback-ID' header / Feedback Loop (i.e.
> https://support.google.com/mail/answer/6254652/feedback-loop). The "Spam
> Rate" dashboard in Google Postmaster Tools specifically explains:
>
> > This dashboard shows the percentage of emails reported as spam by active
> users compared to the emails delivered to the inbox. [...] Emails delivered
> directly to the spam folder are not counted.
>
> This translates as:
>
> "This dashboard shows the percentage of emails reported as spam compared
> to all emails delivered into the INBOX. [...] Emails delivered directly
> into the spam folder will not be counted here."
>
> So one (or more) recipients *actively* hit the "This is Spam" button on
> ~27% of mails we delivered that one day. I wanted to use the Feedback
> Loop mechanism *to find out* which of our customers sent those emails to
> investigate in more detail. This is the entire purpose of the Feedback
> Loop as implemented by Gmail, but it does not work for us due to reasons
> that are unclear to me.
>

Generally speaking, when the dashboard shows you no data, there isn't
enough data to show you. There are minimum levels of data required before
it shows you anything, in order not to be gamed or make it easy to find out
specific accounts that are involved. I don't remember off the top of my
head, but I think it's either 100 or 500 different accounts in the bucket
you're looking at before there is data to be shown to you.

I.e., the answer is never "one recipient".

Brandon
(it's been years since I've looked at the code and it's possible things
have changed, so take it with a grain of salt)