[mailop] [INFORMATIONAL] State of the Union from the spam auditor desk.
Not enough time in the day anymore.. Haven't posted one of these in a little while, so a rare midweek post.

Patterns we are seeing this week:

* High Gmail spam leakage numbers (couple new techniques)
* SendGrid very bad still, eg Canada Post phishing et al
  - MailGun? "My name is Alexei Navalny from Russia"
  - MailChimp, lots of stripped email addresses
* Router BotNet Auth Attacks on increase again
* High number of Amazon AWS IP(s) in spam and other attacks
* High number of GoogleContent IP(s) in spam attacks
* Digital Ocean IPs still trying (cloudwayapps.com)
* Large reduction in Brazilian router attacks (stopped or takedown?)
* Snowshoe spammers finding new IP space
* Register.it and Aruba.it, still can't get it together, high compromised account spammers

Now, again of course, all this can be prevented, but still surprising how little is being done at the source. Most of it is really obvious, and so easy to detect at the sending side. And of course, the compromised accounts we see worldwide could really benefit from simple little things: authentication checks should be improved, and of course not allowing authentication from known hack bots, if you aren't checking safe RBLs which list attack sources (eg SpamRats RATS-AUTH) or do-not-route lists such as RATS-NULL (there are others that are freely available, I think SpamHaus also has an authentication RBL). They're free to use, why not use them.. Multiple ways to do lookups.

Oh, and while this might make the 'privacy' advocates shudder, if you DO present the authenticating IP(s) in your headers, those companies in the threat detection and mitigation space can find new attackers in play. Share the IP(s) authenticating; in today's world of NAT and shared IP(s) there is very little risk of exposing 'new' PII, and it quickly helps everyone from being the next victim of known offenders.
  Authentication-Results: h2847185.stratoserver.net; spf=pass (sender IP is 193.56.29.194)
  Received: from asianlife.com.np (ec2-3-38-252-15.ap-northeast-2.compute.amazonaws.com [3.38.252.15])
          by mail1.asianlife.com.np (Postfix) with ESMTPSA

At least have good trace headers.. But better yet, the user@ip format enables threat mitigation specialists to notify you when you have compromised accounts sending spam, with more precise details to address the problem.

-- 
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] Our experience on Gmail blacklisting our IPs range
Thank you everyone for your response.

I don't mind the false positives, it's part of the game and shows that it's not perfect. But not having a way to interact with it and not having a way to reach out, explain the situation and know more about what is happening/what will happen is a pita.

We sometimes get our emails listed at Sorbs, and no matter what, they always respond, and even in time.

I believe that email is one of the last remaining protocols that was built in the beginning to be open and impartial, and many big players are trying to rig the game in their favor. Running an MTA today requires a lot of knowledge and ideally a big team with investment to support all the tricks. It shouldn't be the case.

@Todd, thank you for that link! It seems that it was exactly the issue we were facing. I'll seek to implement ways to mitigate these in the future (but already, banning the free domains helped a lot).

On Wed, 6 Apr 2022 at 08:40, Todd Herr via mailop wrote:

> On Tue, Apr 5, 2022 at 6:35 AM Cyril - ImprovMX via mailop <mailop@mailop.org> wrote:
>
>> After a discussion with OVH about this potential issue, I discovered that the problem was worse than that. By comparing all the emails from Spamcop.net reports, I discovered that they were from a few emails, but then, they had new headers added on top. This included a new "To", "Subject" and "Date" header. An email sent 4 days ago was sent again, with an updated date. The initial "Subject" was basic things like "hello" and the new Subject added at the top was more spammy (the typical horny stuff).
>>
>> Clearly, someone used the reputation of ImprovMX.com to deliver emails by forging them before delivery.
>
> What you're describing sounds exactly like a DKIM replay attack.
>
> Socketlabs, among others, have some ideas on how to mitigate such things. Perhaps you might find those ideas useful -
> https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/
>
> --
> *Todd Herr* | Technical Director, Standards and Ecosystem
> *e:* todd.h...@valimail.com
> *m:* 703.220.4153
Re: [mailop] Our experience on Gmail blacklisting our IPs range
On Tue, Apr 5, 2022 at 6:35 AM Cyril - ImprovMX via mailop <mailop@mailop.org> wrote:

> After a discussion with OVH about this potential issue, I discovered that the problem was worse than that. By comparing all the emails from Spamcop.net reports, I discovered that they were from a few emails, but then, they had new headers added on top. This included a new "To", "Subject" and "Date" header. An email sent 4 days ago was sent again, with an updated date. The initial "Subject" was basic things like "hello" and the new Subject added at the top was more spammy (the typical horny stuff).
>
> Clearly, someone used the reputation of ImprovMX.com to deliver emails by forging them before delivery.

What you're describing sounds exactly like a DKIM replay attack.

Socketlabs, among others, have some ideas on how to mitigate such things. Perhaps you might find those ideas useful -
https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/

-- 
*Todd Herr* | Technical Director, Standards and Ecosystem
*e:* todd.h...@valimail.com
*m:* 703.220.4153

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
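An added example, not code from this thread or from SocketLabs, showing why the "oversigning" mitigation for the pattern Cyril describes works: in a simplified model of RFC 6376 header hashing, listing To, Subject and Date in the h= tag once more than they occur means any copy of those headers prepended later changes the hashed input, so the original signature no longer verifies. The headers, addresses and function names below are constructed for illustration; only the header-hash input is modelled, not the body hash or the RSA step.

```python
# Why DKIM "oversigning" defeats the prepended-header replay the thread
# describes. Simplified model of RFC 6376 header hashing only (relaxed
# canonicalisation, bottom-up field selection); no body hash, no RSA.
import hashlib
import re

def relaxed_header(name: str, value: str) -> str:
    # RFC 6376 s3.4.2: lowercase name, unfold, collapse whitespace, strip.
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}"

def select_headers(headers, h_tags):
    # RFC 6376 s5.4.2: for each name in h=, take the lowest not-yet-used
    # instance (headers are listed top to bottom). A name listed more often
    # than it occurs is the null string (s5.4) and contributes nothing, so
    # that slot only becomes non-empty if such a header is later prepended.
    pool = list(headers)
    chosen = []
    for name in h_tags:
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == name.lower():
                chosen.append(relaxed_header(*pool.pop(i)))
                break
    return chosen

def header_hash(headers, h_tags) -> str:
    data = "".join(h + "\r\n" for h in select_headers(headers, h_tags))
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample: the signed original, top of the header block first.
ORIGINAL = [
    ("From", "alice@example.com"),
    ("To", "bob@example.net"),
    ("Subject", "hello"),
    ("Date", "Fri, 1 Apr 2022 10:00:00 +0000"),
]
# The same message re-sent with fresh To/Subject/Date prepended on top,
# as the thread describes; the signed fields underneath are untouched.
REPLAYED = [
    ("To", "someone-else@example.org"),
    ("Subject", "a subject the signer never saw"),
    ("Date", "Tue, 5 Apr 2022 10:00:00 +0000"),
] + ORIGINAL
H_PLAIN = ["from", "to", "subject", "date"]
# Oversigned: each protected field listed once more than it occurs.
H_OVERSIGNED = H_PLAIN + ["to", "subject", "date"]

def replay_keeps_signature(h_tags) -> bool:
    # True if the prepended copy still hashes to the originally signed value.
    return header_hash(ORIGINAL, h_tags) == header_hash(REPLAYED, h_tags)
```

Verifiers pick header instances from the bottom of the block upward, so the plain h= list never sees the prepended copies and the replay still verifies; the oversigned list does see them and the verification fails.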