Re: [mailop] Spamhaus contact?

2024-01-18 Thread hg user via mailop
Sorry, just to add that since Monday we have also had some problems with
Checkpoint (the firewall) categorization filters. One of our public IPs has
been flagged as adult only... then also IPs from HPE (to download firmware),
from X and OneDrive.

Since most RBLs exchange data, if one screws up, the others will also
publish that wrong data. My doubt is: did someone make an error, or is it a
poisoning attack?


On Tue, Jan 16, 2024 at 1:19 AM Randolf Richardson, Postmaster via mailop
<mailop@mailop.org> wrote:

> > On Mon, Jan 15, 2024 at 11:00AM Udeme wrote:
> >
> > > Mark: looks like as of seconds ago the SBL's been resolved & removed
> > > from the SBL?
> >
> > Yes! That's great, but unfortunately and confusingly, it's switched to a
> > different listing instead:
> > https://www.spamhaus.org/query/ip/66.175.222.108
>
> You'll likely be interested in the reputation score, which is
> presently showing as "Poor" for that IP address (66.175.222.108):
>
> Reputation Lookup || Cisco Talos Intelligence Group
>
> https://www.talosintelligence.com/reputation_center/lookup?search=66.175.222.108
>
> If any of your lists don't satisfy the "confirmed opt-in"
> requirement, then correcting that will help over time.  (If you need
> any assistance with this, feel free to contact me off-list.)
>
> --
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, British Columbia, Canada
> https://www.inter-corporate.com/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Spamhaus contact?

2024-01-18 Thread hg user via mailop
These are business emails received by a tour operator from workers of
airlines and hotels, not from customers.

I will send some IP samples later


Re: [mailop] Spamhaus contact?

2024-01-18 Thread Jay Hennigan via mailop

On 1/18/24 13:33, hg user via mailop wrote:
> I also saw a spike in IPs reported as malicious by Spamhaus: IPs that
> have been sending emails for years: standard, business emails from
> personal accounts of people in airlines and hotels are now triggering
> the Spamhaus IP RBL... those IPs are NOT from big email providers.


Airline and hotel IPs probably should be characterized similarly to 
dynamic or residential IPs. It's unlikely that legitimate mail will 
originate there as SMTP. Users of these facilities typically use port 
587 to relay mail through an authenticated smarthost.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV



Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-18 Thread Randolf Richardson, Postmaster via mailop
I'm seeing in today's logs plenty of blocking of hosts ending with 
".onmicrosoft.com" but also plenty of SMTP connections not being 
blocked.

Those MS-Miscreants seem to have moved on from mixing names of farm 
animals and car brands to names that seem like they could be for 
professional firms like "jlrlawcorp.onmicrosoft.com" ... and none of 
the names like that - but in the form of "jlrlawcpro.com" - are even 
registered, so they might just be figments of some spammer's 
imagination, or made up by an algorithm (AI would be overkill, but 
someone's probably wasting resources on that too).

So far, the spot checks I've done include quite a bit of legitimate 
eMail -- some from schools, health/medical service providers, various 
government agencies, and a smattering of different businesses that 
are providing professional services and which I don't believe are 
using spam to do marketing.

The common thing I'm noticing with all of these senders is that 
they're sending from their own domain names, even though the 
HELO/EHLO string ends with .onmicrosoft.com.

The blacklists seem to be blocking mostly the ones that send 
directly from @.onmicrosoft.com addresses, which 
should make filtering easy if we can confirm for certain that no 
legitimate eMail has these as the sender -- that is, not in the 
"Return-Path:" header and not in the "From:" header.

> I see in today's logs that Spamhaus is now blocking (for us) hundreds of 
> these onmicrosoft.com subdomains.
> 
> Regards, 
> Mark 
> _ 
> L. Mark Stone, Founder 
> North America's Leading Zimbra VAR/BSP/Training Partner 
> For Companies With Mission-Critical Email Needs
> 
> - Original Message -
> From: "Hans-Martin Mosner via mailop" 
> To: "mailop" 
> Sent: Thursday, January 18, 2024 5:13:30 PM
> Subject: Re: [mailop] Anyone else noticing an increase in spam from Office365 
> distribution lists?
> 
> On 17.01.24 at 15:35, Hans-Martin Mosner via mailop wrote:
> 
> > On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
> > 
> > > With this in mind, did somebody compile a block list yet? Or should I just
> > > create a whitelist?
> > 
> > A block list does not make sense, as new domains are added continuously. It's
> > just too simple.
> 
> 
> Maybe it's still a possible approach, I've noticed a number of domains which 
> were used multiple times yesterday and today, so that could be a start. 
> 
> Cheers, 
> Hans-Martin 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-18 Thread Michael Rathbun via mailop
On Wed, 17 Jan 2024 15:35:42 +0100, Hans-Martin Mosner via mailop
 wrote:

>On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
>> With this in mind, did somebody compile a block list yet? Or should I just 
>> create a whitelist? 
>
>A block list does not make sense, as new domains are added continuously. It's 
>just too simple.

I have noticed the predominance of "x.onmicrosoft.com" domains in the spam
sump here.  In many cases, the envelope from and the "friendly" from contain
different x- domains, and these rotate rapidly.  They are either created
algorithmically, or by persons diddling their fingers on a keyboard.

Twelve years back, when I was on the team that theoretically combated
electronic used food both entering and exiting the Office 365 system, we saw
the same evolving set of tricks that some of us had encountered back in the
Dialup Epoch.  I wrote the front end for a lights-out dialup account creation
and provisioning system, and before long the volume of code designed to
prevent new accounts far exceeded that devoted to establishing new accounts.
After the Company changed hands, this focus was removed from the system that
replaced mine.

All of this is to say, you must have an active rather than reactive response
to hostile usage of your system, whether there is definite and immediate
revenue loss, or not.  

My diagnosis of MSFT's problem in doing anything effective is that the
fundamental model of the service does not entertain the notion of a strong
focus on being a constructive member of the net.community.  I don't know the
current situation, but our quest to discover who actually reads and acts upon
messages to postmas...@microsoft.com or ab...@microsoft.com eventually
returned the answer "nobody, really".  

mdr
-- 
  Ad finem pugnabo.
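Randolf's post above (legitimate tenants keep their own domain in Return-Path and From while only the HELO ends in .onmicrosoft.com) and Michael's (envelope and "friendly" From carrying different, rapidly rotating x- subdomains) together suggest a triage rule that judges the sender domains rather than the HELO. The Python below is an added example, not code from the list or from any poster; the HELO names, addresses and sample messages are constructed, with the .onmicrosoft.com labels taken from the thread.

```python
from email.utils import parseaddr

ONMICROSOFT = "onmicrosoft.com"


def domain_of(address):
    """Lower-cased domain of an RFC 5322 address ('' for the null sender <>)."""
    _display, addr = parseaddr(address or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_onmicrosoft(name):
    """True only for onmicrosoft.com or a label-aligned subdomain of it, so a
    look-alike such as onmicrosoft.com.example does not match."""
    name = (name or "").strip().lower().rstrip(".")
    return name == ONMICROSOFT or name.endswith("." + ONMICROSOFT)


def classify(helo, return_path, header_from):
    """Verdict for one message, based on sender domains, not on the HELO:
    reject-rotating: both senders under onmicrosoft.com but different subdomains
    reject-direct:   at least one sender is a bare onmicrosoft.com address
    accept-tenant:   only the HELO is onmicrosoft.com; tenant uses its own domain
    accept:          no onmicrosoft.com involvement at all
    """
    env_dom = domain_of(return_path)
    hdr_dom = domain_of(header_from)
    env_ms, hdr_ms = is_onmicrosoft(env_dom), is_onmicrosoft(hdr_dom)
    if env_ms and hdr_ms and env_dom != hdr_dom:
        return "reject-rotating"
    if env_ms or hdr_ms:
        return "reject-direct"
    if is_onmicrosoft(helo):
        return "accept-tenant"
    return "accept"


# Constructed samples: (HELO, Return-Path, From). The onmicrosoft.com labels
# come from the thread; every other name is invented for the example.
SAMPLES = [
    ("mail.jlrlawcorp.onmicrosoft.com", "<billing@example.org>", "Billing <billing@example.org>"),
    ("mail.akwvsldz.onmicrosoft.com", "<news@akwvsldz.onmicrosoft.com>", "Offers <news@akwvsldz.onmicrosoft.com>"),
    ("mail.btowk.onmicrosoft.com", "<a1@btowk.onmicrosoft.com>", "Support <a1@calmaa.onmicrosoft.com>"),
    ("mx.example.net", "<>", "Mail Delivery System <mailer-daemon@example.net>"),
]


def classify_samples(samples=SAMPLES):
    """Run the rule over the sample messages and return the verdicts in order."""
    return [classify(*sample) for sample in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:16} helo={sample[0]} rp={sample[1]} from={sample[2]}")
```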



Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-18 Thread L. Mark Stone via mailop
I see in today's logs that Spamhaus is now blocking (for us) hundreds of these 
onmicrosoft.com subdomains.

Regards, 
Mark 
_ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Hans-Martin Mosner via mailop" 
To: "mailop" 
Sent: Thursday, January 18, 2024 5:13:30 PM
Subject: Re: [mailop] Anyone else noticing an increase in spam from Office365 
distribution lists?

On 17.01.24 at 15:35, Hans-Martin Mosner via mailop wrote:

> On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
> 
> > With this in mind, did somebody compile a block list yet? Or should I just
> > create a whitelist?
> 
> A block list does not make sense, as new domains are added continuously. It's
> just too simple.


Maybe it's still a possible approach, I've noticed a number of domains which 
were used multiple times yesterday and today, so that could be a start. 

Cheers, 
Hans-Martin 


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-18 Thread Hans-Martin Mosner via mailop

On 17.01.24 at 15:35, Hans-Martin Mosner via mailop wrote:
> On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
> > With this in mind, did somebody compile a block list yet? Or should I just create a whitelist?
>
> A block list does not make sense, as new domains are added continuously. It's
> just too simple.

Maybe it's still a possible approach, I've noticed a number of domains which were used multiple times yesterday and 
today, so that could be a start.


Cheers,
Hans-Martin



Re: [mailop] Spamhaus contact?

2024-01-18 Thread Michael Peddemors via mailop

Examples?

On 2024-01-18 13:33, hg user via mailop wrote:
> I also saw a spike in IPs reported as malicious by Spamhaus: IPs that
> have been sending emails for years: standard, business emails from
> personal accounts of people in airlines and hotels are now triggering
> the Spamhaus IP RBL... those IPs are NOT from big email providers.
>
> On Tue, Jan 16, 2024 at 10:43 PM Gellner, Oliver via mailop
> <mailop@mailop.org> wrote:
>
> > > On 16.01.2024 at 22:16 Atro Tossavainen via mailop wrote:
> > >
> > > >>> https://www.talosintelligence.com/reputation_center/lookup?search=66.175.222.108
> > > >
> > > >> Thanks for this; I wasn't familiar with Talos Intelligence. Do
> > > >> they publish a blocklist?
> > > >
> > > > Paying users only. Paying users include the Finnish government's
> > > > internal outsourcing center (Valtori) and Telia (our largest telco).
> > > > Their error messages are shit, you don't even know where to look:
> > > >
> > > > /var/log/old/maillog-20220410.gz
> > > >
> > > > Apr  7 12:47:44 mail postfix/smtp[11896]: 52E23100EBBCA:
> > > > to=<postmas...@teliacompany.com>, relay=mail.cm.telia.net[80.74.207.118]:25,
> > > > delay=0.54, delays=0.09/0/0.14/0.31, dsn=5.0.0, status=bounced (host
> > > > mail.cm.telia.net[80.74.207.118] said: 554 Your access to this mail
> > > > system has been rejected due to poor reputation of a domain used in
> > > > message transfer (in reply to end of DATA command))
> >
> > As a side note because our replies overlapped: This specific error
> > message at the end of DATA is not about a low Senderbase Reputation
> > Score, which I mentioned in my other reply. It refers to a domain
> > which Talos considers not trustworthy, usually located in the From
> > or Reply-To header. So it's not about the MTA IP address, which the
> > thread starter's problem originally was about.
> >
> > —
> > BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de > * www.dmTECH.de
>
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum
in Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung
stehen oder sich bei uns bewerben, verarbeiten wir personenbezogene
Daten. Informationen unter anderem zu den konkreten
Datenverarbeitungen, Löschfristen, Ihren Rechten sowie die
Kontaktdaten unserer Datenschutzbeauftragten finden Sie
hier>.
___
mailop mailing list
mailop@mailop.org 
https://list.mailop.org/listinfo/mailop



___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop



--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



Re: [mailop] Spamhaus contact?

2024-01-18 Thread hg user via mailop
I also saw a spike in IPs reported as malicious by Spamhaus: IPs that have
been sending emails for years: standard, business emails from personal
accounts of people in airlines and hotels are now triggering the Spamhaus IP
RBL... those IPs are NOT from big email providers.

On Tue, Jan 16, 2024 at 10:43 PM Gellner, Oliver via mailop
<mailop@mailop.org> wrote:

>
> > On 16.01.2024 at 22:16 Atro Tossavainen via mailop wrote:
> >
> > >>> https://www.talosintelligence.com/reputation_center/lookup?search=66.175.222.108
> > >
> > >> Thanks for this; I wasn't familiar with Talos Intelligence. Do they
> > >> publish a blocklist?
> > >
> > > Paying users only. Paying users include the Finnish government's
> > > internal outsourcing center (Valtori) and Telia (our largest telco).
> > > Their error messages are shit, you don't even know where to look:
> > >
> > > /var/log/old/maillog-20220410.gz
> > >
> > > Apr  7 12:47:44 mail postfix/smtp[11896]: 52E23100EBBCA:
> > > to=<postmas...@teliacompany.com>, relay=mail.cm.telia.net[80.74.207.118]:25,
> > > delay=0.54, delays=0.09/0/0.14/0.31, dsn=5.0.0, status=bounced (host
> > > mail.cm.telia.net[80.74.207.118] said: 554 Your access to this mail
> > > system has been rejected due to poor reputation of a domain used in message
> > > transfer (in reply to end of DATA command))
>
> As a side note because our replies overlapped: This specific error message
> at the end of DATA is not about a low Senderbase Reputation Score, which I
> mentioned in my other reply. It refers to a domain which Talos considers
> not trustworthy, usually located in the From or Reply-To header. So it's
> not about the MTA IP address, which the thread starter's problem originally
> was about.
>
> —
> BR Oliver
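Oliver's side note above turns on where in the SMTP dialogue the rejection came: a 554 answered after end of DATA can be based on header domains (From, Reply-To), whereas an IP-reputation listing of the kind discussed earlier in the thread is normally enforced before DATA, when the remote has seen nothing but the client IP, HELO and envelope. The following Python parser is an added example, not code from any poster; it splits a Postfix smtp(8) bounce line into relay, reply code and the rejected SMTP stage, and records which inputs the remote could have evaluated. The first sample line reuses the values quoted above with a placeholder recipient; the second is constructed.

```python
import re

# Postfix smtp(8) delivery-status line, as in the bounce quoted in the thread.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-Fa-f]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) "
    r"\((?P<detail>.*)\)\s*$"
)
# The remote server's reply and the SMTP command it was answering.
REPLY_RE = re.compile(
    r"said: (?P<code>\d{3})[ -](?P<text>.*?) \(in reply to (?P<stage>.+?) command\)$"
)

# What the receiving MTA had in hand at each stage, hence what a rejection
# there can be based on. Only after DATA has it seen From:/Reply-To:/body.
STAGE_INPUTS = {
    "CONNECT": "client IP",
    "HELO": "client IP, HELO name",
    "EHLO": "client IP, HELO name",
    "MAIL FROM": "client IP, HELO name, envelope sender",
    "RCPT TO": "client IP, HELO name, envelope sender, recipient",
    "end of DATA": "all of the above plus the full message (headers and body)",
}


def parse_bounce(line):
    """Return a dict describing a bounced delivery, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    reply = REPLY_RE.search(rec["detail"])
    if reply:
        rec.update(reply.groupdict())
        rec["evaluated"] = STAGE_INPUTS.get(rec["stage"], "unknown stage")
        # A rejection before DATA cannot have looked at header domains; one at
        # end of DATA may have, even when the reply text does not say so.
        rec["message_seen"] = rec["stage"] == "end of DATA"
    return rec


# Constructed samples. TELIA_LINE mirrors the bounce quoted in the thread with a
# placeholder recipient; RBL_LINE is an invented pre-DATA IP-listing rejection.
TELIA_LINE = (
    "Apr  7 12:47:44 mail postfix/smtp[11896]: 52E23100EBBCA: "
    "to=<postmaster@example.net>, relay=mail.cm.telia.net[80.74.207.118]:25, "
    "delay=0.54, delays=0.09/0/0.14/0.31, dsn=5.0.0, status=bounced (host "
    "mail.cm.telia.net[80.74.207.118] said: 554 Your access to this mail "
    "system has been rejected due to poor reputation of a domain used in "
    "message transfer (in reply to end of DATA command))"
)
RBL_LINE = (
    "Apr  7 12:50:01 mail postfix/smtp[11900]: 7A1B2C3D4E: to=<user@example.com>, "
    "relay=mx.example.com[192.0.2.10]:25, delay=0.3, delays=0.1/0/0.1/0.1, "
    "dsn=5.7.1, status=bounced (host mx.example.com[192.0.2.10] said: 550 5.7.1 "
    "Service unavailable; client [198.51.100.7] blocked using zen.spamhaus.org "
    "(in reply to RCPT TO command))"
)

if __name__ == "__main__":
    for rec in (parse_bounce(TELIA_LINE), parse_bounce(RBL_LINE)):
        print(rec["relay"], rec["code"], rec["stage"], "->", rec["evaluated"])
```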