Re: [mailop] SMTP noise from *.bouncer.cloud

2022-08-31 Thread John Levine via mailop
It appears that Michael Peddemors via mailop said:
>But I do of course understand the temptation to simply block them, if 
>you don't know what they are doing.

I do know what they are doing, and I have no interest in helping them do it.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] SMTP noise from *.bouncer.cloud

2022-08-31 Thread WIlliam Fisher via mailop

For those of us out of the loop... what is this?




Re: [mailop] SMTP noise from *.bouncer.cloud

2022-08-31 Thread Bill Cole via mailop

On 2022-08-31 at 15:22:33 UTC-0400 (Wed, 31 Aug 2022 12:22:33 -0700)
Michael Peddemors via mailop is rumored to have said:

> For the record, I should note in this thread, that in this case it is
> an actual company behind this (was reached out offlist by a principal)
> and many on the list are aware of this person.

I fail to comprehend how being an "actual company" makes the slightest 
difference. They exist for the purpose of abusive behaviors.

> https://www.linkedin.com/company/usebouncer/

Not accessible.

I assume it's also .com?

Not a legitimate business. Hope they go broke and their principals and 
investors all starve in the street.

> Who/what/where their clients are, and for what purpose of course, is
> not likely something we will find out unless they like to share more,
> but we can continue discussing this in terms of all the operators out
> there, and what constitutes the good vs the ugly.

Their intended service is the problem.

3rd-party address verification services are inherently bad for email. 
They are selling an intrinsically shoddy product that should not be 
available in any quality to anyone. No one who could find their 
'service' useful should be mailing anyone anything.

> But I do of course understand the temptation to simply block them, if
> you don't know what they are doing.


I understand what they are doing and will thwart/misinform/block them 
when and where I can. They are a net negative contributor to existence. 
A company with negative value, providing a service of negative value, to 
customers of negative value.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] SMTP noise from *.bouncer.cloud

2022-08-31 Thread Michael Peddemors via mailop
For the record, I should note in this thread, that in this case it is an 
actual company behind this (was reached out offlist by a principal) and 
many on the list are aware of this person.


https://www.linkedin.com/company/usebouncer/

Who/what/where their clients are, and for what purpose of course, is not 
likely something we will find out unless they like to share more, but we 
can continue discussing this in terms of all the operators out there, 
and what constitutes the good vs the ugly.


But I do of course understand the temptation to simply block them, if 
you don't know what they are doing.


But of course recommended that they be more transparent, both in the use 
of IP space clearly indicating they are the operator (rwhois or SWIP) 
and the domain used should have an associated URL where contact 
information can be found.  Those recommendations would apply to all the 
AWS ones, and other companies equally.


-- Michael --




Re: [mailop] SMTP noise from *.bouncer.cloud

2022-08-31 Thread Jarland Donnell via mailop
Nice find. Here's the IP list I pulled for them as well: 
https://clbin.com/Fr1IH


Probably not worth blocking by IP but some blacklistings might alert 
hosts to abusive behavior more than "yet another ignored abuse 
complaint."



Re: [mailop] SMTP noise from *.bouncer.cloud

2022-08-31 Thread John Levine via mailop
It appears that Michael Peddemors via mailop said:
>Not just OVH, on LeaseWeb as well..

They're obviously doing listwashing.  Nice of them to give us a reliable signal 
to block them.

2022-06-10 12:51:20.947844500 tcpserver: ok 4064 mail1.iecc.com:64.57.183.56:25 de1-mail-178.bouncer.cloud:135.125.140.170::45197
2022-06-10 12:51:21.301446500 mailfront[4064]: ESMTP HELO de1-mail-178.bouncer.cloud
2022-06-10 12:51:21.461134500 mailfront[4064]: MAIL FROM:
2022-06-10 12:51:21.475629500 mailfront[4064]: assigned seq 697586005
2022-06-10 12:51:21.633353500 mailfront[4064]: RCPT TO:
2022-06-10 12:51:21.634123500 mailfront[4064]: 550 5.1.1 Sorry, that recipient does not exist.
2022-06-10 12:51:21.743825500 mailfront[4064]: bytes in: 132 bytes out: 330
2022-06-10 12:51:21.744883500 tcpserver: end 4064 status 0

2022-06-10 12:51:21.175035500 tcpserver: pid 4066 from 51.89.127.166
2022-06-10 12:51:21.630905500 tcpserver: ok 4066 mail1.iecc.com:64.57.183.56:25 de1-mail-99.bouncer.cloud:51.89.127.166::52355
2022-06-10 12:51:21.883588500 mailfront[4066]: ESMTP HELO de1-mail-99.bouncer.cloud
2022-06-10 12:51:21.978857500 mailfront[4066]: MAIL FROM:
2022-06-10 12:51:21.987864500 mailfront[4066]: assigned seq 697586006
2022-06-10 12:51:22.170280500 mailfront[4066]: RCPT TO:
2022-06-10 12:51:22.276703500 mailfront[4066]: bytes in: 125 bytes out: 316
2022-06-10 12:51:22.277810500 tcpserver: end 4066 status 0

2022-06-10 12:51:21.388017500 tcpserver: pid 4068 from 5.196.98.237
2022-06-10 12:51:21.760790500 tcpserver: ok 4068 mail1.iecc.com:64.57.183.56:25 sbg5-mail-44.bouncer.cloud:5.196.98.237::49129
2022-06-10 12:51:22.044963500 mailfront[4068]: ESMTP HELO sbg5-mail-44.bouncer.cloud
2022-06-10 12:51:22.140702500 mailfront[4068]: MAIL FROM:
2022-06-10 12:51:22.150948500 mailfront[4068]: assigned seq 697586007
2022-06-10 12:51:22.283755500 mailfront[4068]: RCPT TO:
2022-06-10 12:51:22.390697500 mailfront[4068]: bytes in: 127 bytes out: 316
2022-06-10 12:51:22.391747500 tcpserver: end 4068 status 0
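
An added example, not part of any message in this thread: the sessions logged above stop after RCPT TO and never reach DATA, and they arrive from many IPs whose PTR names share one domain. The Python below counts such sessions per PTR domain in a log modelled on the msd format quoted in the thread; the sample lines, hostnames, IPs, the "DATA command received" line and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the msd lines quoted in the thread.
# Hostnames, IPs and the "DATA command received" line are assumptions.
SAMPLE_LOG = """\
Aug 31 04:38:13 be msd[1001]: CONN: 192.0.2.14 -> 25 GeoIP = [NL] PTR = lw-mail-14.validator.example OS = Linux
Aug 31 04:38:13 be msd[1001]: MAIL command received, args: FROM:<hello@lw-mail-14.validator.example>
Aug 31 04:38:13 be msd[1001]: RCPT command received (192.0.2.14), args: TO:<alice@rcpt.example>
Aug 31 04:38:14 be msd[1001]: QUIT command received, args:
Aug 31 04:38:14 be msd[1001]: Exiting (bytes in: 118 out: 177)
Aug 31 04:39:02 be msd[1002]: CONN: 192.0.2.15 -> 25 GeoIP = [FR] PTR = de1-mail-5.validator.example OS = Linux
Aug 31 04:39:02 be msd[1002]: RCPT command received (192.0.2.15), args: TO:<bob@rcpt.example>
Aug 31 04:39:03 be msd[1002]: Exiting (bytes in: 120 out: 177)
Aug 31 04:40:10 be msd[1003]: CONN: 203.0.113.9 -> 25 GeoIP = [US] PTR = out1.sender.example OS = Linux
Aug 31 04:40:10 be msd[1003]: RCPT command received (203.0.113.9), args: TO:<alice@rcpt.example>
Aug 31 04:40:11 be msd[1003]: DATA command received, args:
Aug 31 04:40:12 be msd[1003]: Exiting (bytes in: 4096 out: 210)
Aug 31 04:41:00 be msd[1001]: CONN: 198.51.100.7 -> 25 GeoIP = [FR] PTR = sbg5-mail-44.validator.example OS = Linux
Aug 31 04:41:00 be msd[1001]: RCPT command received (198.51.100.7), args: TO:<carol@rcpt.example>
Aug 31 04:41:01 be msd[1001]: Exiting (bytes in: 119 out: 177)
Aug 31 04:42:00 be msd[1004]: CONN: 203.0.113.50 -> 25 GeoIP = [US] PTR = mx.other.example OS = Linux
Aug 31 04:42:00 be msd[1004]: RCPT command received (203.0.113.50), args: TO:<nobody@rcpt.example>
Aug 31 04:42:01 be msd[1004]: Exiting (bytes in: 110 out: 150)
"""

LINE = re.compile(r"msd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN = re.compile(r"CONN: (?P<ip>\S+) -> \d+ .*?PTR = (?P<ptr>\S+)")
CMD = re.compile(r"(?P<verb>[A-Z]+) command received")


def org_domain(host):
    """Naive registrable domain: last two labels (assumption, no PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_sessions(log_text):
    """Return one dict per finished SMTP session: ip, ptr and verb counts."""
    open_sessions, finished = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        conn = CONN.match(msg)
        if conn:
            # A CONN line starts a session; the daemon may reuse the pid later.
            open_sessions[pid] = {"ip": conn["ip"], "ptr": conn["ptr"],
                                  "verbs": defaultdict(int)}
        elif pid in open_sessions:
            cmd = CMD.match(msg)
            if cmd:
                open_sessions[pid]["verbs"][cmd["verb"]] += 1
            elif msg.startswith("Exiting"):
                finished.append(open_sessions.pop(pid))
    return finished


def is_rcpt_probe(session):
    """RCPT was issued but the client never sent DATA: nothing was delivered."""
    verbs = session["verbs"]
    return verbs["RCPT"] >= 1 and verbs["DATA"] == 0


def probing_domains(sessions, min_sessions=3, min_ips=2):
    """Group probe sessions by PTR domain; report those spread over several IPs."""
    by_domain = defaultdict(list)
    for s in sessions:
        if is_rcpt_probe(s):
            by_domain[org_domain(s["ptr"])].append(s)
    report = {}
    for domain, hits in by_domain.items():
        ips = sorted({s["ip"] for s in hits})
        if len(hits) >= min_sessions and len(ips) >= min_ips:
            report[domain] = {"sessions": len(hits), "ips": ips}
    return report
```

A legitimate sender whose recipient is rejected at RCPT time also stops before DATA, which is why a single session is not reported and the grouping requires several sessions from several IPs.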


Re: [mailop] SMTP noise from *.bouncer.cloud

2022-08-31 Thread Michael Peddemors via mailop

Not just OVH, on LeaseWeb as well..

Script at least is sane, even though it simply does a RCPT TO, then 
QUIT.  Suggest it is another email validator, or list washer.. without 
transparency.


Aug 31 04:38:13 be msd[603032]: Linux Magic SMTPD started: connection from 212.7.193.14 (192.168.0.118:25) Linux 2.2.x-3.x
Aug 31 04:38:13 be msd[603032]: Created UUID 65a11bb8-2921-11ed-a12c-272390e3399e for message
Aug 31 04:38:13 be msd[603032]: CONN: 212.7.193.14 -> 25 GeoIP = [NL] PTR = lw-mail-14.bouncer.cloud OS = Linux 2.2.x-3.x
Aug 31 04:38:13 be msd[603032]: EHLO command received, args: lw-mail-14.bouncer.cloud
Aug 31 04:38:13 be msd[603032]: MAIL command received, args: FROM:
Aug 31 04:38:13 be msd[603032]: MAIL FROM address: [hello@lw-mail-14.bouncer.cloud]
Aug 31 04:38:13 be msd[603032]: Doing server-wide checks
Aug 31 04:38:13 be msd[603032]: rfc_mail_from(hello@lw-mail-14.bouncer.cloud)
Aug 31 04:38:13 be msd[603032]: Done server-wide checks
Aug 31 04:38:13 be msd[603032]: RCPT command received (212.7.193.14), args: TO:
Aug 31 04:38:13 be msd[603032]: from domain country code[lw-mail-14.bouncer.cloud] = "**"
Aug 31 04:38:13 be msd[603032]: helo domain country code[lw-mail-14.bouncer.cloud] = "**"
Aug 31 04:38:13 be msd[603032]: Doing server-wide checks
Aug 31 04:38:13 be msd[603032]: Looking up domain lw-mail-14.bouncer.cloud (this may take a while)
Aug 31 04:38:14 be msd[603032]: Done server-wide checks
Aug 31 04:38:14 be msd[603032]: RCPT address [SNIPPED] is local
Aug 31 04:38:14 be msd[603032]: User spam rules loaded successfully
Aug 31 04:38:14 be msd[603032]: Doing domain-wide checks
Aug 31 04:38:14 be msd[603032]: Done domain-wide checks
Aug 31 04:38:14 be msd[603032]: User spam checking enabled
Aug 31 04:38:14 be msd[603032]: SPAM HIT: block_lists: 41
Aug 31 04:38:14 be msd[603032]: Adding flag for quarantine.
Aug 31 04:38:14 be msd[603032]: QUIT command received, args:
Aug 31 04:38:14 be msd[603032]: Session ending: Client issued QUIT
Aug 31 04:38:14 be msd[603032]: Exiting (bytes in: 118 out: 177)







--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


[mailop] X-MS-Exchange-CrossTenant-* headers gone?

2022-08-31 Thread Matthias Leisi via mailop
Apparently ExchangeOnline is not adding the X-MS-Exchange-CrossTenant-* headers 
any more. Lots of fun if you have tools in your outbound mail flow that 
interact with multiple MS365 tenants and separate them based on the 
X-MS-Exchange-CrossTenant-id header (amongst other use cases). 

So far we’ve seen it with customers hosted in the German MS365 cloud, but not 
with customers in the Swiss cloud. Any other observations?

— Matthias

-- 
Matthias Leisi
Katzenrütistrasse 68, 8153 Rümlang
Mobile +41 79 377 04 43
matth...@leisi.net





[mailop] SMTP noise from *.bouncer.cloud

2022-08-31 Thread Andreas S. Kerber via mailop
Noticing lots of noise from OVH address ranges with "bouncer.cloud" PTR and 
HELO. Often they are trying only one recipient and seem to move on then.
Can anyone shed some light on what these people are trying to accomplish? Could 
there be any kind of legitimacy, or are they just plain bad guys? Seems like a lot 
of effort to push spam this way and that's what's holding me back from blocking 
them..

SPF pass: ip=135.125.128.56, fqdn=de1-mail-173.bouncer.cloud, 
helo=de1-mail-173.bouncer.cloud, from=
SPF pass: ip=91.121.50.199, fqdn=sbg5-mail-160.bouncer.cloud, 
helo=sbg5-mail-160.bouncer.cloud, from=
SPF pass: ip=51.89.19.107, fqdn=de1-mail-35.bouncer.cloud, 
helo=de1-mail-35.bouncer.cloud, from=
SPF pass: ip=51.68.178.58, fqdn=de1-mail-5.bouncer.cloud, 
helo=de1-mail-5.bouncer.cloud, from=
SPF pass: ip=46.105.33.125, fqdn=sbg5-mail-141.bouncer.cloud, 
helo=sbg5-mail-141.bouncer.cloud, from=
SPF pass: ip=37.59.67.40, fqdn=sbg5-mail-37.bouncer.cloud, 
helo=sbg5-mail-37.bouncer.cloud, from=
SPF pass: ip=178.32.167.75, fqdn=sbg5-mail-150.bouncer.cloud, 
helo=sbg5-mail-150.bouncer.cloud, from=
SPF pass: ip=54.36.212.178, fqdn=sbg5-mail-147.bouncer.cloud, 
helo=sbg5-mail-147.bouncer.cloud, from=
SPF pass: ip=135.125.224.91, fqdn=de1-mail-233.bouncer.cloud, 
helo=de1-mail-233.bouncer.cloud, from=
SPF pass: ip=135.125.145.35, fqdn=de1-mail-185.bouncer.cloud, 
helo=de1-mail-185.bouncer.cloud, from=
SPF pass: ip=188.165.49.25, fqdn=sbg5-mail-27.bouncer.cloud, 
helo=sbg5-mail-27.bouncer.cloud, from=
SPF pass: ip=51.38.116.69, fqdn=de1-mail-1.bouncer.cloud, 
helo=de1-mail-1.bouncer.cloud, from=
SPF pass: ip=178.33.42.186, fqdn=sbg5-mail-25.bouncer.cloud, 
helo=sbg5-mail-25.bouncer.cloud, from=
SPF pass: ip=51.89.47.230, fqdn=de1-mail-108.bouncer.cloud, 
helo=de1-mail-108.bouncer.cloud, from=



[mailop] Anyone at Freemail.hu?

2022-08-31 Thread Daniel Baqueiro via mailop
Hello folks,

If there’s anyone from freemail.hu on this list, could you please contact me 
regarding a delivery issue? Or if anyone can share any contacts it will be very 
much appreciated.

Thank you!

Daniel Baqueiro  |  DELIVERABILITY CONSULTANT  |  Adobe



Re: [mailop] State of the Union - Update due to activity..

2022-08-31 Thread Larry M. Smith via mailop

On 8/30/2022, Michael Peddemors via mailop wrote:
> Normally, we could simply post this on a blog, but the traffic is
> significant enough that other mail operators might be interested..
>
> Last couple of days a LOT of new IP Address abuse from the same actors
> using throwaway domains, on the typical suspect hosting providers, but
> the sheer volume should be noticeable.
>
> Of course, this actor is pretty spammy in nature, and decent filtering
> should be catching it anyways, but it is worth noting his methods given
> the sheer volume.
>
> Sampling of Activity (Sorry for the long scroll)



I've only glanced at this, but it smells like PredictLabs to me.


SgtChains
