Re: [mailop] Increase in virus activity this week @ MXroute (perhaps others?)

2022-04-23 Thread Byung-Hee HWANG via mailop
(... sorry for top-posting ...)

Dear Jarland,

In the whole story, I feel that you are a NICE guy!
NICE (= faithful + technical + reasonable)

Thanks ^^^

Sincerely, Linux fan Byung-Hee

Jarland Donnell via mailop  writes:

> It's a good topic, and one I'm fairly passionate about. Obviously at
> small scale it's super easy to tell when anything is off from normal, 
> but as you grow it's more difficult to rely on eyes and ears. But that
> was kind of my dream: I want to be as present as though I'm one admin, 
> logged into one machine, merely watching it function and asking "Why?"
> when something unusual happens (CPU spike, queue higher than it's been 
> this year to date, a flood of connections from X IP, etc). I want to
> scale that, I want to scale me.
>
> So that's really what I do. I just scale me. If you were sitting in an
> SSH session tailing a log and just watching for anything that sets off
> a mental alarm, what would the things be that would trigger that
> mental alarm? I take the answer to that and have automated checks
> which then do one of two things:
>
> 1. Alert me for human review.
> 2. Perform the reaction that I would have performed if I were sitting
> there watching at the time.
>
> It can be kind of a mess but right now I'm at over 14,000 clients
> (exponentially more if counting customers of my customers) and growing 
> rapidly. Thus far I've been able to grow myself by way of coding
> checks and balances that operate like I think. That's pretty vague so
> I'll give an example.
>
> In rspamd I have this map configured:
>
> COMPD_RCPT {
>   type = "rcpt";
>   header = "subject";
>   filter = "email";
>   map = "${LOCAL_CONFDIR}/local.d/compd_rcpt.map";
>   symbol = "COMPD_RCPT";
>   prefilter = true;
>   action = "reject";
>   regexp = true;
> }
>
> Then I have this running on cron:
>
> https://paste.mxrouteapps.com/?6603394e7d823164#4r5qkNXATJTko55DWmwxjrrbTLCvJ9t5ry61cf5zfHE5
>
> Every morning I get up and I check /root/ALERT_RCPT.log and then open
> a ticket with the customer. This is where the next automation will be
> as the scale continues to grow, automatically targeting the user and 
> opening a ticket with them.
>
> Now what that map does, it lists the recipient emails used by specific
> spammers who send "test" emails to verify SMTP credentials before they 
> start a campaign. Most of them use the same recipient email every
> time, so all I have to do is look for it and know "That user's
> password is compromised."
>
> For even more fun, I have a basic HTML page hidden behind
> authentication which lists two columns. On one side, the top 15
> senders of this hour. On the other side, the top 15 senders of the
> last hour. Forcing yourself to be familiar with the top users of your
> platform by observing how much of your infrastructure they are
> utilizing creates a mental place where you can immediately recognize
> when something is off. Toss it on a monitor, have the entire abuse
> team just stare at it every time they glance away from their
> work. While you might think that would outgrow its usefulness with
> scale, I've worked at large enough scale that I simply don't think it
> to be so. The top resource users on your platform will change over
> time, but the vast majority will always be too low utilization to be
> noteworthy.
>
> Even still, if it were to be outgrown, a good database system could
> keep track of senders enough to say "This person who only sent 1 email
> a day for the last year just sent 600, might be worth checking the
> logs to see if they're alright."
>
> And that's really where it all comes back to: What do I want to know?
> What would concern me to see? What would I do if I saw it? Then, quite 
> simply, turn that logic into code and make it work for you.
>
> Hope that wasn't too vague to be useful!
>
> Jarland

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Increase in virus activity this week @ MXroute (perhaps others?)

2022-04-23 Thread Jarland Donnell via mailop
It's a good topic, and one I'm fairly passionate about. Obviously at 
small scale it's super easy to tell when anything is off from normal, 
but as you grow it's more difficult to rely on eyes and ears. But that 
was kind of my dream: I want to be as present as though I'm one admin, 
logged into one machine, merely watching it function and asking "Why?" 
when something unusual happens (CPU spike, queue higher than it's been 
this year to date, a flood of connections from X IP, etc). I want to 
scale that, I want to scale me.


So that's really what I do. I just scale me. If you were sitting in an 
SSH session tailing a log and just watching for anything that sets off a 
mental alarm, what would the things be that would trigger that mental 
alarm? I take the answer to that and have automated checks which then do 
one of two things:


1. Alert me for human review.
2. Perform the reaction that I would have performed if I were sitting 
there watching at the time.


It can be kind of a mess but right now I'm at over 14,000 clients 
(exponentially more if counting customers of my customers) and growing 
rapidly. Thus far I've been able to grow myself by way of coding checks 
and balances that operate like I think. That's pretty vague so I'll give 
an example.


In rspamd I have this map configured:

COMPD_RCPT {
  type = "rcpt";
  header = "subject";
  filter = "email";
  map = "${LOCAL_CONFDIR}/local.d/compd_rcpt.map";
  symbol = "COMPD_RCPT";
  prefilter = true;
  action = "reject";
  regexp = true;
}

Then I have this running on cron:

https://paste.mxrouteapps.com/?6603394e7d823164#4r5qkNXATJTko55DWmwxjrrbTLCvJ9t5ry61cf5zfHE5

Every morning I get up and I check /root/ALERT_RCPT.log and then open a 
ticket with the customer. This is where the next automation will be as 
the scale continues to grow, automatically targeting the user and 
opening a ticket with them.


Now what that map does, it lists the recipient emails used by specific 
spammers who send "test" emails to verify SMTP credentials before they 
start a campaign. Most of them use the same recipient email every time, 
so all I have to do is look for it and know "That user's password is 
compromised."


For even more fun, I have a basic HTML page hidden behind authentication 
which lists two columns. On one side, the top 15 senders of this hour. 
On the other side, the top 15 senders of the last hour. Forcing yourself 
to be familiar with the top users of your platform by observing how much 
of your infrastructure they are utilizing creates a mental place where 
you can immediately recognize when something is off. Toss it on a 
monitor, have the entire abuse team just stare at it every time they 
glance away from their work. While you might think that would outgrow 
its usefulness with scale, I've worked at large enough scale that I 
simply don't think it to be so. The top resource users on your platform 
will change over time, but the vast majority will always be too low 
utilization to be noteworthy.


Even still, if it were to be outgrown, a good database system could keep 
track of senders enough to say "This person who only sent 1 email a day 
for the last year just sent 600, might be worth checking the logs to see 
if they're alright."


And that's really where it all comes back to: What do I want to know? 
What would concern me to see? What would I do if I saw it? Then, quite 
simply, turn that logic into code and make it work for you.


Hope that wasn't too vague to be useful!

Jarland
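The three checks described in the post above, as an added example that is not Jarland's cron script (which sits behind the paste link and is not reproduced on this page) and not MXroute's code: a lookup of recipients against a known credential-test list (the compd_rcpt.map idea), a top-N senders view for this hour and the previous hour, and a "sent one a day for ages, just sent hundreds" volume check. The log line format, the account names, the test recipient address and the clock time are all constructed for the example; adapt the regular expression to whatever your MTA or rspamd actually logs.

```python
"""Added example: the three defender-side checks from the post, run over a
constructed log so the whole thing executes offline.
  1. recipients that match a list of known credential-test addresses
  2. top-N authenticated senders for this hour and for the previous hour
  3. a sender whose current-hour volume dwarfs their own previous peak
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<iso-timestamp> user=<auth user> rcpt=<recipient>".
# This is NOT rspamd's real log format; adjust LINE_RE to what your MTA emits.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) rcpt=(?P<rcpt>\S+)$")

# Constructed stand-in for the contents of the poster's compd_rcpt.map.
KNOWN_TEST_RCPTS = {"smtp-test@example.invalid"}

# Constructed "current time" used both to build and to evaluate the sample log.
SAMPLE_NOW = datetime(2022, 4, 20, 12, 0, 0)


def build_sample_log(now=SAMPLE_NOW):
    """Constructed sample log: three accounts with different behaviour."""
    lines = []
    # alice: one message a day for five days, then 40 messages in the current hour
    for d in range(5, 0, -1):
        lines.append(f"{(now - timedelta(days=d)).isoformat()} "
                     f"user=alice@example.net rcpt=friend@example.org")
    for i in range(40):
        lines.append(f"{(now + timedelta(minutes=i)).isoformat()} "
                     f"user=alice@example.net rcpt=rcpt{i}@example.org")
    # bob: a steady 12 messages per hour in both the previous and the current hour
    for h in (1, 0):
        for i in range(12):
            ts = now - timedelta(hours=h) + timedelta(minutes=5 * i)
            lines.append(f"{ts.isoformat()} user=bob@example.net rcpt=list@example.org")
    # carol: a single message to a recipient on the known credential-test list
    lines.append(f"{(now + timedelta(minutes=3)).isoformat()} "
                 f"user=carol@example.net rcpt=smtp-test@example.invalid")
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, user, rcpt) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]),
                           m["user"].lower(), m["rcpt"].lower()))
    return events


def compromised_recipient_hits(events, known_rcpts=KNOWN_TEST_RCPTS):
    """Check 1: users that sent to a known credential-test recipient."""
    return sorted({user for _, user, rcpt in events if rcpt in known_rcpts})


def top_senders(events, hour_start, n=15):
    """Check 2: top-n authenticated senders within [hour_start, hour_start + 1h)."""
    hour_end = hour_start + timedelta(hours=1)
    counts = Counter(user for ts, user, _ in events if hour_start <= ts < hour_end)
    return counts.most_common(n)


def volume_anomalies(events, now, baseline_days=7, min_count=20, factor=10):
    """Check 3: users whose current-hour count exceeds factor x their busiest
    hour in the baseline window; min_count keeps tiny counts from alerting."""
    hour_start = now.replace(minute=0, second=0, microsecond=0)
    hour_end = hour_start + timedelta(hours=1)
    baseline_start = hour_start - timedelta(days=baseline_days)
    current = Counter()
    per_hour = defaultdict(Counter)  # user -> Counter(hour bucket -> count)
    for ts, user, _ in events:
        if hour_start <= ts < hour_end:
            current[user] += 1
        elif baseline_start <= ts < hour_start:
            per_hour[user][ts.replace(minute=0, second=0, microsecond=0)] += 1
    flagged = []
    for user, count in sorted(current.items()):
        peak = max(per_hour[user].values(), default=0)
        if count >= min_count and count > factor * max(peak, 1):
            flagged.append((user, count, peak))
    return flagged


def run_checks(now=SAMPLE_NOW):
    """Run all three checks over the constructed log; returns a dict of results."""
    events = parse_log(build_sample_log(now))
    return {
        "compromised": compromised_recipient_hits(events),
        "top_this_hour": top_senders(events, now),
        "top_last_hour": top_senders(events, now - timedelta(hours=1)),
        "volume": volume_anomalies(events, now),
    }


if __name__ == "__main__":
    # In a cron job the results would be appended to an alert log for human review.
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The volume check compares against each user's own busiest previous hour rather than a global threshold, which is what makes "one a day for a year, then 600" stand out while a mailing-list account that always sends a dozen an hour stays quiet; the min_count floor stops a brand-new account with no history from paging anyone over its first two messages. The hits from the first check are the ones the post treats as a compromised password, so they are the natural candidates for the automatic ticket the post mentions wanting to build next.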

On 2022-04-22 15:28, Cyril - ImprovMX via mailop wrote:

Hi Jarland,

that was very interesting, thank you for sharing these details.

I'm curious to know how you caught this in the first place. It would
be interesting to know some techniques on how to catch bad behaviors
before they get out of hand and many of us here might be interested in
the how-tos and might also learn a lot from this (me first).

thank you in advance :)

Best,
Cyril

On Fri 22 Apr 2022 at 00:57, Jarland Donnell via mailop wrote:


Hey friends,

This week at MXroute we saw an increase in compromised email accounts.
Apologies if you saw virus spam coming from our network. Typically,
these events are caught instantly. In cases that use new patterns and
techniques, under 1 hour. This time, it went on intermittently for
about half a day on 4/20 (I wish it was for THAT reason), and it
happened a few times in the days prior. What we found was that every
one of these outbound emails contained this virus:

https://www.virustotal.com/gui/file/707d507f138a450fb4c7b5c906f280259f23f5aac808b8dfcd23b66d0d679441/detection

It's not difficult to assume that the users received the same virus
beforehand, whether by email or otherwise. The virus appears to use
each infected computer as part of a botnet, and each computer is
involved in authenticating over SMTP and sending out copies of the
virus. The only thing I never saw was our infected users connecting to
our servers to send the spam, it was 

Re: [mailop] Interesting passage from the new EU Digital Services Act

2022-04-23 Thread Jarland Donnell via mailop
I'm prone to reading things like that as meaning "if you happen across 
something" rather than "please go digging and if there's something to 
find and you don't find it, you're dead."


On 2022-04-23 17:55, Jean-François Bachelet via mailop wrote:

Hello ^^)


Haven't read the full EU stuff yet, but question :


How can we possibly become aware of such possible threats without
SPYING -read it all- the email passing by our mail servers ???

only a jackass wana be terrst will put dangerous/alarm trigger
stuff in the Subject of his emails.

so does the EU want us to play as NSA for free ? and pursue us if we 
don't...


...


On 24/04/2022 at 00:17, Jarland Donnell via mailop wrote:
Admittedly I do like the phrase "becomes aware of" as it should in 
theory place the burden on a third party to prove awareness. Though I 
can't imagine a lot of people become aware of a serious threat against 
someone's life and then turn the other way, at least not anyone who 
wouldn't now simply claim "I wasn't aware of it."


On 2022-04-23 15:36, Anne Mitchell via mailop wrote:
"Where an online platform becomes aware of any information giving rise
to a suspicion that a serious criminal offence involving a threat to
the life or safety of persons has taken place, is taking place or is
likely to take place, it shall promptly inform the law enforcement or
judicial authorities of the Member State or Member States concerned of
its suspicion and provide all relevant information available."

Hrrrm... I wonder whether the online platforms of which we are aware
who know full well that phishing is happening on their platform have
promptly informed law enforcement.

Note that the DSA explicitly states that it applies to entities
outside of the EU as well as within the EU.

(Our write-up of our first impressions of how we see the DSA being
applied to email is here, and includes the full text of the DSA:
https://www.isipp.com/what-the-eus-new-digital-services-act-means-for-email-marketing/) 
Anne


---
Anne P. Mitchell,  Esq.
CEO Get to the Inbox by SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email 
marketing law)

Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, MAPS: Mail Abuse Prevention System (now the
anti-spam division of TrendMicro)



Re: [mailop] Interesting passage from the new EU Digital Services Act

2022-04-23 Thread Anne Mitchell via mailop

> How can we possibly become aware of such possible threats without SPYING 
> -read it all- the email passing by our mail servers ??? only a jackass wana 
> be terrst will put dangerous/alarm trigger stuff in the Subject of his 
> emails. so does the EU want us to play as NSA for free ? and pursue us if we 
> don't...

I'm not sure about the EU (although I'm guessing it's the same) there is often 
a "knew or should have known" standard (in fact that's the standard in the 
section of CAN-SPAM that I wrote).  So if that is the same in the EU, then 
people reporting to the provider about the threat would trigger it...remember 
I'm saying *IF* because I don't know.  That said, there are full swaths of text 
in the DSA that talk about complaints lodged with providers.

For anyone wanting the full text, you can find it down at the bottom of the 
article 
(https://www.isipp.com/what-the-eus-new-digital-services-act-means-for-email-marketing/)

Anne

--
Anne P. Mitchell, Attorney at Law
CEO ISIPP SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus: Mail Abuse Prevention System (MAPS) (now the anti-spam arm of 
TrendMicro)




Re: [mailop] Interesting passage from the new EU Digital Services Act

2022-04-23 Thread Jean-François Bachelet via mailop

Hello ^^)


Haven't read the full EU stuff yet, but question :


How can we possibly become aware of such possible threats without 
SPYING -read it all- the email passing by our mail servers ???


only a jackass wana be terrst will put dangerous/alarm trigger stuff 
in the Subject of his emails.


so does the EU want us to play as NSA for free ? and pursue us if we don't...

...


On 24/04/2022 at 00:17, Jarland Donnell via mailop wrote:
Admittedly I do like the phrase "becomes aware of" as it should in 
theory place the burden on a third party to prove awareness. Though I 
can't imagine a lot of people become aware of a serious threat against 
someone's life and then turn the other way, at least not anyone who 
wouldn't now simply claim "I wasn't aware of it."


On 2022-04-23 15:36, Anne Mitchell via mailop wrote:

"Where an online platform becomes aware of any information giving rise
to a suspicion that a serious criminal offence involving a threat to
the life or safety of persons has taken place, is taking place or is
likely to take place, it shall promptly inform the law enforcement or
judicial authorities of the Member State or Member States concerned of
its suspicion and provide all relevant information available."

Hrrrm... I wonder whether the online platforms of which we are aware
who know full well that phishing is happening on their platform have
promptly informed law enforcement.

Note that the DSA explicitly states that it applies to entities
outside of the EU as well as within the EU.

(Our write-up of our first impressions of how we see the DSA being
applied to email is here, and includes the full text of the DSA:
https://www.isipp.com/what-the-eus-new-digital-services-act-means-for-email-marketing/) 



Anne

---
Anne P. Mitchell,  Esq.
CEO Get to the Inbox by SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email 
marketing law)

Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, MAPS: Mail Abuse Prevention System (now the
anti-spam division of TrendMicro)



Re: [mailop] [E] $GOOG

2022-04-23 Thread Jaroslaw Rafa via mailop
On 23.04.2022 at 14:48:05 Dan Mahoney via mailop writes:
> 
> I would LOVE there to be legal structure to say “Gee, Equifax, you failed
> to demonstrate the basic opsec of paying some junior admin to type `yum
> upgrade apache-struts`, so you don’t get to keep my PII anymore.” I would
> love if there was an option to simply put a flag on my SSN that says
> “gather/sell no data” to any of the dozens of agencies that harvest this
> (radaris et al) and package it up neatly.

Isn't European GDPR something that is supposed to achieve exactly this?

Yes, it doesn't work perfectly, and there are multiple companies that try to
go around it in multiple ways, but it's a step in a good direction IMHO.

At least at the moment when GDPR came into effect I observed a BIG drop in
the amount of spam coming to my server. And still, after several years, it
hasn't returned to pre-GDPR quantities yet...

Of course YMMV, especially outside Europe...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Interesting passage from the new EU Digital Services Act

2022-04-23 Thread Jarland Donnell via mailop
Admittedly I do like the phrase "becomes aware of" as it should in 
theory place the burden on a third party to prove awareness. Though I 
can't imagine a lot of people become aware of a serious threat against 
someone's life and then turn the other way, at least not anyone who 
wouldn't now simply claim "I wasn't aware of it."


On 2022-04-23 15:36, Anne Mitchell via mailop wrote:

"Where an online platform becomes aware of any information giving rise
to a suspicion that a serious criminal offence involving a threat to
the life or safety of persons has taken place, is taking place or is
likely to take place, it shall promptly inform the law enforcement or
judicial authorities of the Member State or Member States concerned of
its suspicion and provide all relevant information available."

Hrrrm... I wonder whether the online platforms of which we are aware
who know full well that phishing is happening on their platform have
promptly informed law enforcement.

Note that the DSA explicitly states that it applies to entities
outside of the EU as well as within the EU.

(Our write-up of our first impressions of how we see the DSA being
applied to email is here, and includes the full text of the DSA:
https://www.isipp.com/what-the-eus-new-digital-services-act-means-for-email-marketing/)

Anne

---
Anne P. Mitchell,  Esq.
CEO Get to the Inbox by SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email 
marketing law)

Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, MAPS: Mail Abuse Prevention System (now the
anti-spam division of TrendMicro)



Re: [mailop] Interesting passage from the new EU Digital Services Act

2022-04-23 Thread Sebastian Nielsen via mailop
It doesn't apply to phishing. It's very clear it's about emergencies, ergo 
threats about violence, bombs and such.
Phishing is definitely not a "threat to the life or safety of persons" as it 
only poses a threat to property, ergo money.

-Original Message-
From: Anne Mitchell via mailop  
Sent: 23 April 2022 22:38
To: Michael Orlitzky via mailop 
Subject: [mailop] Interesting passage from the new EU Digital Services Act

"Where an online platform becomes aware of any information giving rise to a 
suspicion that a serious criminal offence involving a threat to the life or 
safety of persons has taken place, is taking place or is likely to take place, 
it shall promptly inform the law enforcement or judicial authorities of the 
Member State or Member States concerned of its suspicion and provide all 
relevant information available."

Hrrrm... I wonder whether the online platforms of which we are aware who know 
full well that phishing is happening on their platform have promptly informed 
law enforcement.

Note that the DSA explicitly states that it applies to entities outside of the 
EU as well as within the EU.

(Our write-up of our first impressions of how we see the DSA being applied to 
email is here, and includes the full text of the DSA: 
https://www.isipp.com/what-the-eus-new-digital-services-act-means-for-email-marketing/)

Anne

---
Anne P. Mitchell,  Esq.
CEO Get to the Inbox by SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, MAPS: Mail Abuse Prevention System (now the anti-spam 
division of TrendMicro)



Re: [mailop] [E] $GOOG

2022-04-23 Thread Dan Mahoney via mailop
> 
>> I am not
>> familiar with the lawsuits, but the general solution to all reputation
>> services, whether IP-reputation, consumer credit, or any other business
>> that collects information about other subjects (the building block of
>> surveillance capitalism!) is consent:  if the subject does not consent,
>> do not collect/report.  No reporting, no cause for legal action.
>> Provide reputation certificates for subjects that opt into the service
>> and let recipients decide how to deal with the absence of such
>> reputation certificate(s).
> 
> your unfamiliarity extends demonstrably beyond the lawsuits. if you choose to 
> do some research and ask some informed questions, i'd love to hear them and 
> try to engage further.

This will be off-topic for mailop, but…I remember Vixie giving a talk at 
MeetBSD, at the same moment that I found out that the latest-at-the-time 
equifax breach had exposed my information a few years back.

I would LOVE there to be legal structure to say “Gee, Equifax, you failed to 
demonstrate the basic opsec of paying some junior admin to type `yum upgrade 
apache-struts`, so you don’t get to keep my PII anymore.”  I would love if 
there was an option to simply put a flag on my SSN that says “gather/sell no 
data” to any of the dozens of agencies that harvest this (radaris et al) and 
package it up neatly.  

This is not the place to get into what dystopias being able to fully “opt out”  
would lead to, except that in either case (IP or PII), a lack of fingerprint 
would surely also be regarded as suspicious and approached with gated, minimal 
trust, if any at all.  

More on topic, however:

Consent or no, for all the intelligence sources you know about (on mxtoolbox’s 
multi-rbl checker, etc), there are dozens, possibly hundreds more, private 
ones.  Some in a manually maintained DB, some in a Bayesian statistical DB 
based on how likely your domain is to spam based on email volume and SPF/DKIM 
records, and some that model way more data than you can imagine, that only 
exist in the mind of an AI that’s completely opaque, even to the people that 
coded it.

I strongly believe one such black box exists inside G, and that it's not the 
only place.

The best thing you can do is learn the correct inputs to the black box, at the 
time.  Build your own statistics of what your netblock is doing, and actually 
read and report on them before someone else does.  Email is no longer “set it 
and forget it” and hasn’t been for decades or more.

-Dan


[mailop] Interesting passage from the new EU Digital Services Act

2022-04-23 Thread Anne Mitchell via mailop
"Where an online platform becomes aware of any information giving rise to a 
suspicion that a serious criminal offence involving a threat to the life or 
safety of persons has taken place, is taking place or is likely to take place, 
it shall promptly inform the law enforcement or judicial authorities of the 
Member State or Member States concerned of its suspicion and provide all 
relevant information available."

Hrrrm... I wonder whether the online platforms of which we are aware who know 
full well that phishing is happening on their platform have promptly informed 
law enforcement.

Note that the DSA explicitly states that it applies to entities outside of the 
EU as well as within the EU.

(Our write-up of our first impressions of how we see the DSA being applied to 
email is here, and includes the full text of the DSA: 
https://www.isipp.com/what-the-eus-new-digital-services-act-means-for-email-marketing/)

Anne

---
Anne P. Mitchell,  Esq.
CEO Get to the Inbox by SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, MAPS: Mail Abuse Prevention System (now the anti-spam 
division of TrendMicro)
