Re: [mailop] AT&T Blocklist

2024-06-18 Thread Jeff Peng via mailop

On 2024-06-19 10:11, Scott Mutter via mailop wrote:
> On Tue, Jun 18, 2024 at 8:31 PM Jeff Peng via mailop wrote:
>
> > Mike is right.
> >
> > mx1.amscomputer.com has an A RR 107.181.229.51 which points back its
> > PTR to zephyr.wznoc.com.
> >
> > the two domains are not matched, hence messages sent from this server
> > will be rejected by postfix's such configuration:
> >
> > smtpd_sender_restrictions = reject_unknown_client_hostname
> >
> > I believe many postmasters (including me) are using this setup in their
> > postfix.
>
> Not sure why this has shifted focus to amscomputer.com.

sorry my mistake.  your IP seems right for me.

$ dig -x 107.181.229.51 +short
zephyr.wznoc.com.

$ dig zephyr.wznoc.com +short
107.181.229.51

regards.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
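
A model of the check discussed in this thread, added here as an example (not Postfix source and not code from any poster): reject_unknown_client_hostname fails a client when its IP has no PTR, when the PTR name does not resolve, or when it resolves to a different address; the MX name is not part of the test. Records marked "from the thread" come from the dig output above; the 192.0.2.x and 198.51.100.x entries and all function names are constructed for illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with a pluggable resolver."""
import ipaddress
import socket

# Stub zone data. "from the thread" = values quoted in the messages above;
# everything on documentation address space is constructed sample data.
PTR = {
    "107.181.229.51": ["zephyr.wznoc.com."],    # from the thread
    "192.0.2.10": ["host10.example.net."],      # constructed: PTR name has no A
    "192.0.2.20": ["shared.example.net."],      # constructed: A points elsewhere
    # 192.0.2.30 deliberately has no PTR (constructed)
}
A = {
    "zephyr.wznoc.com": ["107.181.229.51"],     # from the thread
    "mx1.amscomputer.com": ["107.181.229.51"],  # from the thread
    "shared.example.net": ["198.51.100.7"],     # constructed
}


def normalise(name):
    """DNS names compare case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def stub_ptr(ip):
    return PTR.get(ip, [])


def stub_a(name):
    return A.get(normalise(name), [])


def live_ptr(ip):
    """Real lookup via the system resolver (may also consult /etc/hosts)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [host, *aliases]


def live_a(name):
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def check_fcrdns(client_ip, ptr_lookup=stub_ptr, a_lookup=stub_a):
    """Return (ok, reason, hostname) for the connecting client IP.

    Only the client IP is examined. The name in the MX record or the HELO
    argument plays no part, which is why mx1.amscomputer.com and
    zephyr.wznoc.com can differ without failing this check.
    """
    ip = ipaddress.ip_address(client_ip)
    names = [normalise(n) for n in ptr_lookup(str(ip))]
    if not names:
        return (False, "no PTR record", None)
    resolved_any = False
    for name in names:
        addrs = a_lookup(name)
        if not addrs:
            continue
        resolved_any = True
        if any(ipaddress.ip_address(a) == ip for a in addrs):
            return (True, "forward-confirmed", name)
    if not resolved_any:
        return (False, "PTR name does not resolve", names[0])
    return (False, "PTR name resolves to a different address", names[0])


if __name__ == "__main__":
    for addr in ("107.181.229.51", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(addr, check_fcrdns(addr))
```

Pass `live_ptr` and `live_a` as the two lookup arguments to run the same logic against real DNS.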


Re: [mailop] AT&T Blocklist

2024-06-18 Thread Scott Mutter via mailop
On Tue, Jun 18, 2024 at 8:31 PM Jeff Peng via mailop 
wrote:

> Mike is right.
>
>   mx1.amscomputer.com has an A RR 107.181.229.51 which points back its
> PTR to zephyr.wznoc.com.
>
> the two domains are not matched, hence messages sent from this server
> will be rejected by postfix's such configuration:
>
> smtpd_sender_restrictions = reject_unknown_client_hostname
>
> I believe many postmasters (including me) are using this setup in their
> postfix.
>
>
Not sure why this has shifted focus to amscomputer.com.

But the MX record for tls-mail.com points to mail.tls-mail.com.
mail.tls-mail.com resolves to 20.120.225.36.  20.120.225.36 reverses to
tls-mail.westus2.cloudapp.azure.com.

I'd very much like to learn why it's wrong for me, but right for you.


Re: [mailop] AT&T Blocklist

2024-06-18 Thread Jeff Peng via mailop

On 2024-06-19 07:18, Michael Peddemors via mailop wrote:
> https://wznoc.com/
>
> With an obscure page like that, you are asking for trouble..
> Just like the pages many of the bullet proof hosters throw up..
>
> Why not use amscomputer.com in the PTR records, if these are your
> servers?
>
> https://www.amscomputer.com/

Mike is right.

mx1.amscomputer.com has an A RR 107.181.229.51 which points back its
PTR to zephyr.wznoc.com.

the two domains are not matched, hence messages sent from this server
will be rejected by postfix's such configuration:

smtpd_sender_restrictions = reject_unknown_client_hostname

I believe many postmasters (including me) are using this setup in their
postfix.


Thanks.


Re: [mailop] AT&T Blocklist

2024-06-18 Thread Scott Mutter via mailop
On Tue, Jun 18, 2024 at 6:18 PM Michael Peddemors via mailop <
mailop@mailop.org> wrote:

> https://wznoc.com/
>
> With an obscure page like that, you are asking for trouble..
> Just like the pages many of the bullet proof hosters throw up..
>
> Why not use amscomputer.com in the PTR records, if these are your servers?
>

I work in the shared web hosting industry, which may be foreign to a lot of
people on this list.

With shared hosting, 1 physical server and 1 IP address hosts 100s of other
websites and email accounts.  And some of those accounts are resold
accounts that don't need to be aware of the amscomputer.com brand.  That's
why we use the generic wznoc.com domain.

I can assure you that we're not the only ones that operate this way.  Take
a stroll down the shared hosting industry and you'll find that this is the
way it operates.  I understand that for the majority of people that are on
this Mailops list, they still tend to gravitate towards "one IP address
means one domain means one email server."  That's not how shared hosting
works.  The days of one IP address being tied to one domain name being tied
to one physical or pseudo-physical server are way in the past.

I also would very much like to understand how what a domain's website shows
has any bearing at all towards the reputation of a mail sending IP.  I'll
pose the question to Mailops... do you build your reputation list by
visiting the website of the hostname of the reverse DNS of a mailing
sending IP and gauge its well-being on the look and feel of that website?

Might be a fun exercise, take a look at some of the domains people are
writing from on this mailing list.  Do an IP address lookup of those domain
names.  Then do a reverse DNS lookup of those IP addresses - do they always
return the same domain name the individual is writing from?  What happens
if you add an http:// before those IP addresses and try to visit the
website of the IP address - does it always show the website for the domain
that the individual is writing from?

My experience has shown that almost ALL of the blacklisting, blockings, and
outright rejection of emails has to do solely with the IP address.
Obviously you have to have proper FCrDNS - if you don't have that then that
would be grounds for email rejection.  Proper SPF, DKIM, and DMARC for the
sending domains are also needed.  But none of that means a hill of beans if
one of the big email service providers want to block or blacklist your
sending IP address.

One of the things I absolutely hate is the fact that none of the major
email service providers (AT&T in this case, Outlook, Yahoo, Gmail) provide
no way of checking to see if an IP address is on their blacklist.  You only
find out that the IP is on their blacklist when a customer tries to send an
email to an email address at one of these providers.  The first thing I do
with any new server or IP address is check it for blacklists at
https://multirbl.valli.org - now these IPs may be listed on a couple of
blacklists - rbl.rbldns.ru and SPFBL.net RBL - but every IP in existence is
on these blacklists.  Nothing stands out to me from the reports from
multirbl.valli.org that indicates widespread problems.

If these IPs were on a bunch of blacklists as reported at multirbl.valli.org
then I wouldn't be so upset with the IPs being listed at AT&T (or Microsoft
or Yahoo whenever those cases may be).  But when an IP address is seemingly
only listed at one email service provider, that provides no way to check
this - AND THEN proceeds to include an email address for assistance that
never gets checked.  Yea.. I get upset.  Every single person on this
mailing list would get upset if they were in those same shoes.


Re: [mailop] AT&T Blocklist

2024-06-18 Thread Michael Peddemors via mailop

https://wznoc.com/

With an obscure page like that, you are asking for trouble..
Just like the pages many of the bullet proof hosters throw up..

Why not use amscomputer.com in the PTR records, if these are your servers?

https://www.amscomputer.com/

Inquiring minds would like to know.

CIDR:       173.209.54.176/29
NetName:    GLOBOTECH-173-209-54-176
NetHandle:  NET-173-209-54-176-1
Parent:     GTCOMM (NET-173-209-32-0-1)
NetType:    Reassigned
OriginAS:
Customer:   AMS Computer Service, Inc (C10862387)
RegDate:    2024-06-03
Updated:    2024-06-03

I see that you just recently started using these IPs, correct?

There is a history of some bad customers using your provider's IP
space, so it could be historical triggers that make AT&T more suspicious.


Don't know what email domain you are mailing from, but double check your 
SPF records, especially when using new IPs.


On 2024-06-18 13:25, Scott Mutter via mailop wrote:
> What's going on with AT&T?
>
> They're blocking our mail servers left and right (IPs aren't on any
> other blacklist mind you) and not hearing a peep from
> abuse_...@abuse-att.net.
>
> What's the point of having your blocked message state to send an email
> to abuse_...@abuse-att.net if nobody is going to monitor
> abuse_...@abuse-att.net?
>
> IPs in question are:
> 173.209.54.179
> 67.222.148.107
> 173.225.104.91
>
> All have the same error message
>
> 553 5.3.0 flph832 DNSBL:RBL 521< 173.209.54.179 >_is_blocked.For
> assistance forward this error to abuse_...@abuse-att.net
> 553 5.3.0 flpd591 DNSBL:RBL 521< 67.222.148.107 >_is_blocked.For
> assistance forward this error to abuse_...@abuse-att.net
> 553 5.3.0 alph767 DNSBL:RBL 521< 173.225.104.91 >_is_blocked.For
> assistance forward this error to abuse_...@abuse-att.net
>
> Emails were sent (to abuse_...@abuse-att.net) on June 14th and June 17th
> - I've not heard so much as a confirmation that they got those messages.
>
> This isn't the first time I've had issues with AT&T's blacklist.  It's
> just frustrating, if you're going to block IPs for no apparent reason,
> at least have someone check the email address you give for assistance or
> find some other way to provide assistance.

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



Re: [mailop] [E] Re: AT&T Blocklist

2024-06-18 Thread Lili Crowley via mailop
Yep thanks!


*Lili Crowley*
she/her
Postmaster

On Tue, Jun 18, 2024 at 5:25 PM Faisal Misle via mailop 
wrote:

> In the past few weeks Lili has replied to *various* threads about ATT
> blockings. Have you tried reaching out off list to her?
> On 6/18/24 9:25 PM, Scott Mutter via mailop wrote:
>
> What's going on with AT&T?
>
> They're blocking our mail servers left and right (IPs aren't on any other
> blacklist mind you) and not hearing a peep from abuse_...@abuse-att.net.
>
> What's the point of having your blocked message state to send an email to
> abuse_...@abuse-att.net if nobody is going to monitor
> abuse_...@abuse-att.net?
>
> IPs in question are:
> 173.209.54.179
> 67.222.148.107
> 173.225.104.91
>
> All have the same error message
>
> 553 5.3.0 flph832 DNSBL:RBL 521< 173.209.54.179 >_is_blocked.For
> assistance forward this error to abuse_...@abuse-att.net
> 553 5.3.0 flpd591 DNSBL:RBL 521< 67.222.148.107 >_is_blocked.For
> assistance forward this error to abuse_...@abuse-att.net
> 553 5.3.0 alph767 DNSBL:RBL 521< 173.225.104.91 >_is_blocked.For
> assistance forward this error to abuse_...@abuse-att.net
>
> Emails were sent (to abuse_...@abuse-att.net) on June 14th and June 17th
> - I've not heard so much as a confirmation that they got those messages.
>
> This isn't the first time I've had issues with AT&T's blacklist.  It's
> just frustrating, if you're going to block IPs for no apparent reason, at
> least have someone check the email address you give for assistance or find
> some other way to provide assistance.
>


Re: [mailop] AT&T Blocklist

2024-06-18 Thread Faisal Misle via mailop
In the past few weeks Lili has replied to *various* threads about ATT 
blockings. Have you tried reaching out off list to her?


On 6/18/24 9:25 PM, Scott Mutter via mailop wrote:
> What's going on with AT&T?
>
> They're blocking our mail servers left and right (IPs aren't on any
> other blacklist mind you) and not hearing a peep from
> abuse_...@abuse-att.net.
>
> What's the point of having your blocked message state to send an email
> to abuse_...@abuse-att.net if nobody is going to monitor
> abuse_...@abuse-att.net?
>
> IPs in question are:
> 173.209.54.179
> 67.222.148.107
> 173.225.104.91
>
> All have the same error message
>
> 553 5.3.0 flph832 DNSBL:RBL 521< 173.209.54.179 >_is_blocked.For
> assistance forward this error to abuse_...@abuse-att.net
> 553 5.3.0 flpd591 DNSBL:RBL 521< 67.222.148.107 >_is_blocked.For
> assistance forward this error to abuse_...@abuse-att.net
> 553 5.3.0 alph767 DNSBL:RBL 521< 173.225.104.91 >_is_blocked.For
> assistance forward this error to abuse_...@abuse-att.net
>
> Emails were sent (to abuse_...@abuse-att.net) on June 14th and June
> 17th - I've not heard so much as a confirmation that they got those
> messages.
>
> This isn't the first time I've had issues with AT&T's blacklist.  It's
> just frustrating, if you're going to block IPs for no apparent reason,
> at least have someone check the email address you give for assistance
> or find some other way to provide assistance.


[mailop] AT&T Blocklist

2024-06-18 Thread Scott Mutter via mailop
What's going on with AT&T?

They're blocking our mail servers left and right (IPs aren't on any other
blacklist mind you) and not hearing a peep from abuse_...@abuse-att.net.

What's the point of having your blocked message state to send an email to
abuse_...@abuse-att.net if nobody is going to monitor
abuse_...@abuse-att.net?

IPs in question are:
173.209.54.179
67.222.148.107
173.225.104.91

All have the same error message

553 5.3.0 flph832 DNSBL:RBL 521< 173.209.54.179 >_is_blocked.For assistance
forward this error to abuse_...@abuse-att.net
553 5.3.0 flpd591 DNSBL:RBL 521< 67.222.148.107 >_is_blocked.For assistance
forward this error to abuse_...@abuse-att.net
553 5.3.0 alph767 DNSBL:RBL 521< 173.225.104.91 >_is_blocked.For assistance
forward this error to abuse_...@abuse-att.net

Emails were sent (to abuse_...@abuse-att.net) on June 14th and June 17th -
I've not heard so much as a confirmation that they got those messages.

This isn't the first time I've had issues with AT&T's blacklist.  It's just
frustrating, if you're going to block IPs for no apparent reason, at least
have someone check the email address you give for assistance or find some
other way to provide assistance.


Re: [mailop] t-online.de spam

2024-06-18 Thread Michael Rathbun via mailop
On Tue, 18 Jun 2024 11:33:48 -0700, Michael Peddemors via mailop
 wrote:

>Just an FYI, the list admins prefer NOT to have the list used for 
>reporting spam.. It's okay to report generic trends, or 
>misconfigurations, or visibility into something new.. (And of course, 
>you are welcome to provide evidence of that.. ) but the list can quickly 
>get consumed if every spam was reported..

Aye.  I don't need more copies of spam I've already received (or which my
users have reported).  Perhaps a Public Shaming is intended, but public
shaming doesn't appear to be one of the published purposes of the list.

I, by myself, could multiply the volume on this list by at least ten if I only
reported a fraction of the hostile attempts to use the mail service I provide.
Lemme tell you about that new spam gang that is infesting Salesforce, for
instance.  They have forge-subscribed me to over sixty of their "brands" in
the past two months, and I now get around sixty pieces per day, and climbing.

mdr
-- 
   Those who can make you believe absurdities 
   can make you commit atrocities.
-- Voltaire



Re: [mailop] t-online.de spam

2024-06-18 Thread Michael Peddemors via mailop

Hey Benny,

Just an FYI, the list admins prefer NOT to have the list used for 
reporting spam.. It's okay to report generic trends, or 
misconfigurations, or visibility into something new.. (And of course, 
you are welcome to provide evidence of that.. ) but the list can quickly 
get consumed if every spam was reported..


To add context to your email?

* Is this something new?
* Who is the audience you are appealing to?
* Appears to be an African IP abusing their Webmail service?
* How prevalent is this type of spam?

Always thought a more public list specifically for spam reports and 
trends might be in order; I know our team is looking at public email 
parsers and reporting tools.


Do you have any suggestions on how you would like cases like this 
handled? (Don't get me started on the Too Big to Block issues)


-- Michael --

PS, if you DO feel the need to share spam, add a little color and 
perspective ;) We all do get frustrated though sometimes..




On 2024-06-18 10:49, Benny Pedersen via mailop wrote:
> Received: from mailout11.t-online.de (mailout11.t-online.de [194.25.134.85])
>  by mx.junc.eu (Postfix) with ESMTPS id 22CFA83FCF
>  for ; Tue, 18 Jun 2024 00:45:39 +0200 (CEST)
> Received: from fwd80.aul.t-online.de (fwd80.aul.t-online.de [10.223.144.106])
>  by mailout11.t-online.de (Postfix) with SMTP id B96C29426;
>  Tue, 18 Jun 2024 00:45:26 +0200 (CEST)
> Received: from spica32.mgt.mul.t-online.de ([172.20.102.122]) by fwd80.aul.t-online.de
>  with esmtp id 1sJL6C-2EQTRo0; Tue, 18 Jun 2024 00:45:17 +0200
> Received: from 102.67.201.50:12681 by cmpweb12.aul.t-online.de with
>  HTTP/1.1 (Lisa V7-8-5-4.0 on API V5-53-6-0); Tue, 18 Jun 24 00:45:16 +0200
> Received: from 172.20.102.136:30512 by spica32.mgt.mul.t-online.de:8080;
>  Tue, 18 Jun 2024 00:45:16 +0200 (CEST)
> Date: Tue, 18 Jun 2024 00:45:16 +0200 (CEST)
> From: Rigspolitiets
> Sender: Rigspolitiets
> Reply-To: "politi...@cyber-wizard.com"
> To: "politi...@cyber-wizard.com"
> Message-ID:
>  <1718664316391.525677.c03fd6aa2986756a88d5bb34e59af094d26c3...@spica.telekom.de>
> Subject: Politiets Indkaldelsesbrev
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>  boundary="=_Part_870331_1440770260.1718664316628"
> X-UMS: email
> X-TOI-EXPURGATEID: 150726::1718664317-45395322-ADDCC750/19/8112569519
>  SUSPECT MAIL-COUNT
> X-TOI-MSGID: 05600d8f-8a47-4159-8da7-8acc7cf9db12

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



[mailop] t-online.de spam

2024-06-18 Thread Benny Pedersen via mailop
Received: from mailout11.t-online.de (mailout11.t-online.de [194.25.134.85])
 by mx.junc.eu (Postfix) with ESMTPS id 22CFA83FCF
 for ; Tue, 18 Jun 2024 00:45:39 +0200 (CEST)
Received: from fwd80.aul.t-online.de (fwd80.aul.t-online.de [10.223.144.106])
 by mailout11.t-online.de (Postfix) with SMTP id B96C29426;
 Tue, 18 Jun 2024 00:45:26 +0200 (CEST)
Received: from spica32.mgt.mul.t-online.de ([172.20.102.122]) by fwd80.aul.t-online.de
 with esmtp id 1sJL6C-2EQTRo0; Tue, 18 Jun 2024 00:45:17 +0200
Received: from 102.67.201.50:12681 by cmpweb12.aul.t-online.de with
 HTTP/1.1 (Lisa V7-8-5-4.0 on API V5-53-6-0); Tue, 18 Jun 24 00:45:16 +0200
Received: from 172.20.102.136:30512 by spica32.mgt.mul.t-online.de:8080;
 Tue, 18 Jun 2024 00:45:16 +0200 (CEST)
Date: Tue, 18 Jun 2024 00:45:16 +0200 (CEST)
From: Rigspolitiets
Sender: Rigspolitiets
Reply-To: "politi...@cyber-wizard.com"
To: "politi...@cyber-wizard.com"
Message-ID:
 <1718664316391.525677.c03fd6aa2986756a88d5bb34e59af094d26c3...@spica.telekom.de>
Subject: Politiets Indkaldelsesbrev
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="=_Part_870331_1440770260.1718664316628"
X-UMS: email
X-TOI-EXPURGATEID: 150726::1718664317-45395322-ADDCC750/19/8112569519
 SUSPECT MAIL-COUNT
X-TOI-MSGID: 05600d8f-8a47-4159-8da7-8acc7cf9db12


Re: [mailop] Another 'Verified Email' service on AWS EC2

2024-06-18 Thread L. Mark Stone via mailop
FWIW, we use Fail2Ban to block all AWS EC2 IPs that have an 
"ec2-xxx.compute...amazonaws.com" PTR record, and another Fail2Ban rule to 
block hosts that HELO with "127.0.0.1".

We ourselves host on AWS successfully (for more than six years now) and have 
filed a number of complaints with their security team for similar bad behavior, 
most of which have resulted in a "behavior mitigated" notice.

I think they know they have a problem; two other customers I've recently 
endeavored to migrate to AWS were put through the wringer to get their port 25 
outbound restriction lifted.  One was successful; the other was told they could 
relay out through SES only; given their history (despite big and necessary 
changes in IT...), no port 25 restriction lifting was possible -- even after a 
re-review.

Regards, 
Mark 
_ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

- Original Message -
| From: "Michael Peddemors via mailop" 
| To: "mailop" 
| Sent: Tuesday, June 18, 2024 1:12:18 PM
| Subject: [mailop] Another 'Verified Email' service on AWS EC2

| Jun 18 09:58:03 be msd[1959712]: CONN: 34.229.185.73 -> 25 GeoIP = [US]
| PTR = ec2-34-229-185-73.compute-1.amazonaws.com OS = Linux 2.2.x-3.x
| Jun 18 09:58:04 be msd[1959712]: HELO command received, args: [127.0.0.1]
| Jun 18 09:58:04 be msd[1959712]: RSET command received, args:
| Jun 18 09:58:04 be msd[1959712]: MAIL command received, args:
| FROM:
| 
| * No custom PTR record
| * HELO is obviously bad..
| 
| Love the link on their website, trusted by professionals at Amazon,
| Cisco, Adobe..
| 
| Fortunately our spam auditing team's DRE (Dynamic Rule Engine) and DFS
| (Distributed Feedback Systems) find these IPs, so they can be shared
| with the community at large.. Of course, our systems don't actually let
| those systems do any email scraping or verification ..
| 
| Just another trend on Amazon's EC2 that is getting really old really fast.
| 
| 
| 
| On another note, not putting up a full state of the union this week, but
| of course Google/o365 fake procurement is still high on the lists..
| 
| Digital Ocean IP Space continues to see more types of attacks, from
| spammers, phishing, #BEC attacks, WordPress attacks etc.. The line to
| 'Bullet Proof' hoster is getting very blurry, and our threat teams are
| getting more aggressive.
| 
| If you have no customers using Digital Ocean, we strongly recommend
| blocking all authentications from their IP space..
| 
| For the record, stay tuned.. our teams are looking to make more of our
| threat data publicly available.. to the general public. Stay tuned.
| 
| 
| --
| "Catch the Magic of Linux..."
| 
| Michael Peddemors, President/CEO LinuxMagic Inc.
| Visit us at http://www.linuxmagic.com @linuxmagic
| A Wizard IT Company - For More Info http://www.wizard.ca
| "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
| 
| 604-682-0300 Beautiful British Columbia, Canada


[mailop] Another 'Verified Email' service on AWS EC2

2024-06-18 Thread Michael Peddemors via mailop
Jun 18 09:58:03 be msd[1959712]: CONN: 34.229.185.73 -> 25 GeoIP = [US] PTR = ec2-34-229-185-73.compute-1.amazonaws.com OS = Linux 2.2.x-3.x
Jun 18 09:58:04 be msd[1959712]: HELO command received, args: [127.0.0.1]
Jun 18 09:58:04 be msd[1959712]: RSET command received, args:
Jun 18 09:58:04 be msd[1959712]: MAIL command received, args: FROM:


* No custom PTR record
* HELO is obviously bad..

Love the link on their website, trusted by professionals at Amazon, 
Cisco, Adobe..


Fortunately our spam auditing team's DRE (Dynamic Rule Engine) and DFS 
(Distributed Feedback Systems) find these IPs, so they can be shared 
with the community at large.. Of course, our systems don't actually let 
those systems do any email scraping or verification ..


Just another trend on Amazon's EC2 that is getting really old really fast.



On another note, not putting up a full state of the union this week, but 
of course Google/o365 fake procurement is still high on the lists..


Digital Ocean IP Space continues to see more types of attacks, from 
spammers, phishing, #BEC attacks, WordPress attacks etc.. The line to 
'Bullet Proof' hoster is getting very blurry, and our threat teams are 
getting more aggressive.


If you have no customers using Digital Ocean, we strongly recommend 
blocking all authentications from their IP space..


For the record, stay tuned.. our teams are looking to make more of our 
threat data publicly available.. to the general public. Stay tuned.



--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada
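
The two signals called out in the log excerpt above (default EC2 PTR, loopback HELO), turned into a small log classifier; this is an added example, not the DRE/DFS tooling or the Fail2Ban rules mentioned in this thread. It assumes the msd line layout shown in the excerpt, that the number in `msd[...]` identifies one session, and that an EHLO line would be worded like the HELO line; the second session in the sample is constructed.

```python
"""Flag SMTP sessions with a default EC2 PTR or an IP-literal HELO."""
import ipaddress
import re

LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\smsd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
CONN = re.compile(r"^CONN: (?P<ip>\S+) -> \d+\b.*?\bPTR = (?P<ptr>\S+)")
# Assumption: EHLO is logged with the same wording as HELO.
HELO = re.compile(r"^(?:HELO|EHLO) command received, args: (?P<arg>\S*)")
# Default EC2 reverse names embed the address: ec2-a-b-c-d.compute-1... in
# us-east-1, ec2-a-b-c-d.<region>.compute... elsewhere.
EC2_PTR = re.compile(
    r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\."
    r"(?:compute-1|[a-z0-9-]+\.compute)\.amazonaws\.com\.?$", re.I)

SAMPLE_LOG = """\
Jun 18 09:58:03 be msd[1959712]: CONN: 34.229.185.73 -> 25 GeoIP = [US] PTR = ec2-34-229-185-73.compute-1.amazonaws.com OS = Linux 2.2.x-3.x
Jun 18 09:58:04 be msd[1959712]: HELO command received, args: [127.0.0.1]
Jun 18 09:58:04 be msd[1959712]: RSET command received, args:
Jun 18 10:02:11 be msd[1959800]: CONN: 198.51.100.25 -> 25 GeoIP = [US] PTR = mail.example.org OS = Linux 2.2.x-3.x
Jun 18 10:02:11 be msd[1959800]: HELO command received, args: mail.example.org
""".splitlines()  # first session from the post, second one constructed


def generic_ec2_ptr(ip, ptr):
    """True when the PTR is the provider default derived from the IP."""
    m = EC2_PTR.match(ptr)
    return bool(m) and ".".join(m.groups()) == ip


def helo_findings(arg, client_ip):
    """Classify a HELO argument given as a bare or bracketed IP literal."""
    try:
        addr = ipaddress.ip_address(arg.strip("[]"))
    except ValueError:
        return []  # a hostname; not judged here
    if addr.is_loopback:
        return ["helo-loopback-literal"]
    if str(addr) != client_ip:
        return ["helo-foreign-ip-literal"]
    return []


def flag_sessions(lines):
    """Return {client_ip: [flags]} for sessions with at least one flag."""
    sessions = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        conn = CONN.match(msg)
        if conn:
            flags = []
            if generic_ec2_ptr(conn["ip"], conn["ptr"]):
                flags.append("generic-ec2-ptr")
            sessions[pid] = {"ip": conn["ip"], "flags": flags}
            continue
        helo = HELO.match(msg)
        if helo and pid in sessions:
            sessions[pid]["flags"] += helo_findings(
                helo["arg"], sessions[pid]["ip"])
    return {s["ip"]: s["flags"] for s in sessions.values() if s["flags"]}


if __name__ == "__main__":
    for ip, flags in flag_sessions(SAMPLE_LOG).items():
        print(ip, ",".join(flags))
```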


Re: [mailop] salesforce phishing emails

2024-06-18 Thread Jarland Donnell via mailop
My experience is similar. My observation has been that Salesforce does 
not care about abuse, that almost all of the mail coming from their 
platform is unsolicited marketing email, and that they're a trash spam 
company worth blocking.


On 2024-06-13 12:09, Michael Peddemors via mailop wrote:
> On 2024-06-13 08:28, Anne P. Mitchell, Esq. via mailop wrote:
> > On Jun 12, 2024, at 11:40 PM, Hans-Martin Mosner via mailop wrote:
> > > On 12.06.24 at 18:04, Anne P. Mitchell, Esq. via mailop wrote:
> > > > I've also always found abuse@ to be responsive there, and it's
> > > > peopled by a real person, who gives real responses (at least that
> > > > was the case as recently as 12/21/23.
> > >
> > > That's interesting, I've been sending lots of abuse reports to that
> > > address before and never received a response (or noticed a change in
> > > the pattern). But then I'm not a lawyer ;-þ
> >
> > That's interesting - it _could_ be in part that I'm a lawyer (and
> > perhaps more relevantly a known anti-spam lawyer), however I also
> > wonder if it has to do with volume - I report to SF quite sparingly
> > (simply because the amount of spam we get here, while copious, is
> > rarely from SF).  If you are sending a lot of complaints, I wonder if
> > that's a factor (granted it *shouldn't* be a factor, but I wonder
> > if...).
> >
> > Anne
> >
> > ---
> > Anne P. Mitchell, Esq.
>
> It's you ;) Everyone answers YOUR emails ... hehehe
>
> But seriously, yes we are seeing too many cases of emails of obviously
> 'harvested' email databases from SalesForce..
>
> And no, we aren't going to report every case that we see.  Thing is,
> anyone using harvested databases should be triggering all kinds of
> alarm bells at the ESP, e.g. high bounce rates etc..
>
> If their teams aren't reacting to those internal checks and balances,
> it is unlikely that an abuse report will carry much weight (Unless it
> is from Anne)
>
> Unfortunately, history has taught us the only real way to get attention
> is when they end up on rejection lists.. All the way back to the SPEWS
> days..
>
> And in some cases *cough* (SendGrid) even that is not enough to make
> change happen.
>
> Speaking of what Business Drivers are required to enact change..
> Curious.. what business drivers would be needed to have Cox and Verizon
> and Comcast to action compromised CPE equipment on their networks?
>
> Not that hard to detect, (heck, I am sure others like us might even
> share that data) and I am sure that aside from the fact that it is
> stealing customer data, and slowing their connections to a crawl, there
> must be a business driver for ISP's to let customers know about threats
> on their networks, or actually remove/replace those devices.
>
> Comments?


Re: [mailop] Microsoft SNDS website not working

2024-06-18 Thread Bjoern Franke via mailop

Hi,



> Keep hitting refresh, it will eventually load (at least it does for
> me).  But I believe this is indicative of some problems on the backend
> of this website and maybe of the entire Microsoft
> postmaster/SNDS/JMRPP system.  It's been quite literally months since
> I've received anything from Microsoft's JMRPP.




Hitting refresh "fixed" it and I got even the verification mail - which 
showed no problems with an IP from which mails got sorted as junk.


So I tried to use https://olcsupport.office.com/ which does not on 
submission, but btw, what's the correct URL for O365 customers?


Regards
Bjoern
