Re: [mailop] strange sender
On Sat, 29 Jun 2024, Jeff Pang wrote:

> Jun 30 06:20:51 mx postfix/smtpd[1081379]: NOQUEUE: reject: RCPT from unknown[193.37.41.106]: 550 5.7.25 Client host rejected: cannot find your hostname, [193.37.41.106]; from= to= proto=ESMTP helo=<[193.37.41.106]>
>
> do you know what is the sender "t...@sxyprn.com" and what's the purpose of him?

Seems like a simple open relay test, though whether white, grey, or black hat is unknown, but a To of img03 suggests a compromised web site is possible.

There is currently a PTR for that address, of logpeach-tell.maximumglitter.com, though whether it appeared recently or your resolver failed isn't certain.

/mark

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] strange sender
It depends on your configuration and if you're installing it in Postfix or down the line in a milter like rspamd. I added their query zones in postfix's main.cf in the `smtpd_recipient_restrictions` parameter. Generates this bounce (domain and IP have been redacted):

NOQUEUE: reject: RCPT from example.com[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using Abusix Mail Intelligence; https://lookup.abusix.com/search?q=127.0.0.2; from= to= proto=ESMTP helo=

You can read their docs here: https://docs.abusix.com/abusix-mail-intelligence/gbG8EcJ3x3fSUv8cMZLiwA

On 6/30/24 1:06 AM, Jeff Pang via mailop wrote:
> does that list reject submission requests as well?
>
> This list is generated by monitoring the behavior of hosts that connect to our traps and our partner's mail services. It includes any IP address that exhibits behavior specific to compromised hosts, botnet/virus infections, proxies, VPNs, TOR exit nodes, or IPs that are NAT'ing for these hosts. These behaviors are not expected from a genuine SMTP client.
Re: [mailop] strange sender
does that list reject submission requests as well?

> This list is generated by monitoring the behavior of hosts that connect to our traps and our partner's mail services. It includes any IP address that exhibits behavior specific to compromised hosts, botnet/virus infections, proxies, VPNs, TOR exit nodes, or IPs that are NAT'ing for these hosts. These behaviors are not expected from a genuine SMTP client.

--
Jeff Pang
jeffp...@aol.com
Re: [mailop] strange sender
It appears that Jeff Pang via mailop said:
> I have two different mailservers.
> both them continue to get the requests from a sender as the following.
>
> Jun 30 06:20:51 mx postfix/smtpd[1081379]: NOQUEUE: reject: RCPT from unknown[193.37.41.106]: 550 5.7.25 Client host rejected: cannot find your hostname, [193.37.41.106]; from= to= proto=ESMTP helo=<[193.37.41.106]>
>
> do you know what is the sender "t...@sxyprn.com" and what's the purpose of him?

Sure looks like a lame attempt to find open relays. I still get a fair number of them.

You might write to ab...@secureanalitics.com which is the RIPE abuse contact for that IP and ask why they keep probing your mail servers.

R's,
John
Re: [mailop] strange sender
Probably random botnets trying to deliver spam. I see a bunch of connections from that IP, but they're all getting dropped as soon as they connect because they're listed by Abusix Mail Intelligence as 'exploit'. You will see a lot of that when managing a mail server.

Per Abusix:

> This list is generated by monitoring the behavior of hosts that connect to our traps and our partner's mail services. It includes any IP address that exhibits behavior specific to compromised hosts, botnet/virus infections, proxies, VPNs, TOR exit nodes, or IPs that are NAT'ing for these hosts. These behaviors are not expected from a genuine SMTP client.

On 6/30/24 12:24 AM, Jeff Pang via mailop wrote:
> I have two different mailservers.
> both them continue to get the requests from a sender as the following.
>
> Jun 30 06:20:51 mx postfix/smtpd[1081379]: NOQUEUE: reject: RCPT from unknown[193.37.41.106]: 550 5.7.25 Client host rejected: cannot find your hostname, [193.37.41.106]; from= to= proto=ESMTP helo=<[193.37.41.106]>
>
> do you know what is the sender "t...@sxyprn.com" and what's the purpose of him?
>
> Thanks.
Re: [mailop] strange sender
They're also on the Spamhaus DROP list (the worst of the worst)
https://check.spamhaus.org/results/?query=SBL642455

On 6/30/24 12:24 AM, Jeff Pang via mailop wrote:
> I have two different mailservers.
> both them continue to get the requests from a sender as the following.
>
> Jun 30 06:20:51 mx postfix/smtpd[1081379]: NOQUEUE: reject: RCPT from unknown[193.37.41.106]: 550 5.7.25 Client host rejected: cannot find your hostname, [193.37.41.106]; from= to= proto=ESMTP helo=<[193.37.41.106]>
>
> do you know what is the sender "t...@sxyprn.com" and what's the purpose of him?
>
> Thanks.
Re: [mailop] strange sender
$ sudo tail -1 /var/log/mail.log|grep t...@sxyprn.com|wc -l
608

this guy did send a lot of requests to us, though they are all rejected by DNS policy.

> both them continue to get the requests from a sender as the following.

--
Jeff Pang
jeffp...@aol.com
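As an added example, not code posted in the thread: a small Python parser for the Postfix reject lines quoted above that groups rejects by client IP and flags clients that tried several distinct recipients, the relay-probing pattern Mark and John describe. The log lines are constructed, with placeholder envelope addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the rejects quoted in the thread;
# envelope addresses are placeholders, not the real ones.
SAMPLE_LOG = """\
Jun 30 06:20:51 mx postfix/smtpd[1081379]: NOQUEUE: reject: RCPT from unknown[193.37.41.106]: 550 5.7.25 Client host rejected: cannot find your hostname, [193.37.41.106]; from=<probe@sender.example> to=<img03@mail.example> proto=ESMTP helo=<[193.37.41.106]>
Jun 30 06:20:53 mx postfix/smtpd[1081379]: NOQUEUE: reject: RCPT from unknown[193.37.41.106]: 550 5.7.25 Client host rejected: cannot find your hostname, [193.37.41.106]; from=<probe@sender.example> to=<img04@mail.example> proto=ESMTP helo=<[193.37.41.106]>
Jun 30 06:21:10 mx postfix/smtpd[1081402]: NOQUEUE: reject: RCPT from example.com[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using Abusix Mail Intelligence; https://lookup.abusix.com/search?q=127.0.0.2; from=<other@sender.example> to=<postmaster@mail.example> proto=ESMTP helo=<example.com>
Jun 30 06:21:12 mx postfix/smtpd[1081402]: connect from mail.partner.example[198.51.100.7]
"""

# One Postfix smtpd reject line: client, SMTP code, enhanced status (DSN),
# free-text reason, then the envelope sender/recipient and HELO name.
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d+) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)

def parse_reject(line):
    """Fields of one 'NOQUEUE: reject: RCPT' line, or None for other lines."""
    m = REJECT.search(line)
    return m.groupdict() if m else None

def summarize_rejects(log_text):
    """Group rejects by client IP: count, DSN codes, senders and distinct recipients."""
    by_ip = defaultdict(lambda: {"count": 0, "dsn": set(), "senders": set(), "rcpts": set()})
    for line in log_text.splitlines():
        r = parse_reject(line)
        if r is None:
            continue
        e = by_ip[r["ip"]]
        e["count"] += 1
        e["dsn"].add(r["dsn"])
        e["senders"].add(r["sender"])
        e["rcpts"].add(r["rcpt"])
    return dict(by_ip)

def probe_candidates(summary, min_rcpts=2):
    """Client IPs whose rejected RCPTs spread over at least min_rcpts distinct
    recipients: one sender walking through many local parts is the open-relay
    probing pattern described in the thread."""
    return sorted(ip for ip, e in summary.items() if len(e["rcpts"]) >= min_rcpts)

if __name__ == "__main__":
    summary = summarize_rejects(SAMPLE_LOG)
    for ip, e in summary.items():
        print(ip, e["count"], sorted(e["dsn"]), sorted(e["rcpts"]))
    print("probe candidates:", probe_candidates(summary))
```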
[mailop] strange sender
I have two different mailservers.
both them continue to get the requests from a sender as the following.

Jun 30 06:20:51 mx postfix/smtpd[1081379]: NOQUEUE: reject: RCPT from unknown[193.37.41.106]: 550 5.7.25 Client host rejected: cannot find your hostname, [193.37.41.106]; from= to= proto=ESMTP helo=<[193.37.41.106]>

do you know what is the sender "t...@sxyprn.com" and what's the purpose of him?

Thanks.

--
Jeff Pang
jeffp...@aol.com
Re: [mailop] Request: UTF-8 email address?
It appears that Benny Pedersen via mailop said:
> Christine Borgia via mailop wrote on 2024-06-27 21:55:
>> Does anyone here have a UTF-8 email address you'd let me send some
>> test messages to?
>
> so you know any dns servers that support utf-8 ?

No, but since IDNA doesn't put UTF-8 into the DNS records, that's not surprising.

> dns servers that set the glue record must support utf-8, not just idn,

That is, as they say, not even wrong. Sheesh.

R's,
John

PS: before you tell me I don't know what I'm talking about, you might take a look at this:
https://uasg.tech/download/uasg-030-evaluation-of-eai-support-in-email-software-and-services-report-en/
Re: [mailop] Amazon SES senders
Hi,

On 29 June 2024 17:08:33 UTC, Al Iverson via mailop wrote:
> I'm currently testing using Amazon SES for my outbound list mail.

Thanks for reply

> Maybe the first nine digits are some sort of client identifier? I am not

I checked your theory right now, and I am afraid that it is not as simple, as I see growth in the first 9 hex numbers, e.g. (unique values):

0100018fe...
0100018ff...
010001900...
010001901...
010001902...

Seems to be some sort of counter...

> Also, it's very, very easy to set a custom return-path subdomain in SES.

I am afraid that a real spammer will not want to use as easy an identifier ;-)

> Mine is customized, as you can see above. Thus you could take the stance
> that you'll block @amazonses.com and anybody who wants to get past that can

I don't want to be as aggressive on return-path, it is (can be) shared and not all people are aware of two "From" in email, but yes, I already assign high score if that domain appears in MIME From:, but I didn't remember/notice any yet :-)

regards

--
Slavko
https://www.slavino.sk/
Re: [mailop] Amazon SES senders
I'm currently testing using Amazon SES for my outbound list mail. Here's a few different return-path addresses from posts to a mailing list I host.

010f019064d51828-cebd1304-0d90-4bc4-9681-6c3133c15f62-000...@email.xnnd.com
010f0190649e24fd-3c217ff4-5c4b-4087-b2ec-4069ce5833da-000...@email.xnnd.com
010f01906482b197-52d7232d-a79d-496c-8c3f-888e873db34f-000...@email.xnnd.com
010f019060f84e64-8db83eef-8c80-4f0f-8b90-9560f9491cf9-000...@email.xnnd.com

Maybe the first nine digits are some sort of client identifier? I am not sure if it's just a counter, or an encoded client ID, or encoded recipient ID.

Also, it's very, very easy to set a custom return-path subdomain in SES. Mine is customized, as you can see above. Thus you could take the stance that you'll block @amazonses.com and anybody who wants to get past that can configure their custom return-path domain. Is that wise or kind, I'm not prepared to judge. Just saying that it is something somebody could potentially choose to do, just like when people block *.exacttarget.com to reject mail from any Salesforce Marketing Cloud client that doesn't have a custom domain implemented.

Cheers,
Al Iverson

On Sat, Jun 29, 2024 at 11:59 AM Slavko via mailop wrote:
> Hi all,
>
> please, is there some logic in AmazonSES sender?
>
> I (my user) recently start to get spams with envelope sender in form
> (last item):
>
> 01000190647ae455-a250a7c4-5c6b-4b0d-82a5-94f06382aa1f-000...@amazonses.com
>
> Mails has valid "amazonses.com" & "ionixdev.com" DKIM, they has
> "@ionixdev.com" in MIME From, which has not SPF nor DMARC records.
> I found near to zero public info about ionixdev.com domain...
>
> I don't expect to know who is sender, i want to know if their customers
> has attached some form of ID, which can be used to identify, that it is
> the same and reject it at RCPT stage. Is it possible?
>
> I checked multiple these senders and i fail to see pattern in it. I see the
> same Feedback-ID: header value, but that is too late...
>
> thanks
>
> --
> Slavko
> https://www.slavino.sk/

--
Al Iverson // 312-725-0130 // Chicago
http://www.spamresource.com // Deliverability
http://www.aliverson.com // All about me
https://xnnd.com/calendar // Book my calendar
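As an added example, not from Al's or Slavko's posts: decoding the first field of the return-path addresses quoted above (the ones Al listed and the one in Slavko's question). It assumes, as a working hypothesis that the thread does not state, that the 12 hex digits after the 4-digit prefix are a millisecond Unix timestamp; the decoded values fall on 28 and 29 June 2024, which would explain the growing "counter" Slavko saw.

```python
import re
from datetime import datetime, timezone

# Envelope senders exactly as quoted in the thread (the tail after "-000" is
# elided there; only the fields before it are parsed).
SAMPLE_SENDERS = [
    "010f019064d51828-cebd1304-0d90-4bc4-9681-6c3133c15f62-000...@email.xnnd.com",
    "010f019060f84e64-8db83eef-8c80-4f0f-8b90-9560f9491cf9-000...@email.xnnd.com",
    "01000190647ae455-a250a7c4-5c6b-4b0d-82a5-94f06382aa1f-000...@amazonses.com",
]

# 4 hex digits of prefix, 12 hex digits, then a 36-character UUID, each
# separated by "-".
SES_LOCALPART = re.compile(
    r"^([0-9a-f]{4})([0-9a-f]{12})-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})-"
)

SHARED_DOMAIN = "amazonses.com"

def decode_ses_sender(address):
    """Split an SES-style envelope sender into its visible components.

    Working assumption (not documented on this page): the 12 hex digits after
    the 4-digit prefix are a millisecond Unix timestamp. Decoding the thread's
    values gives 28/29 June 2024, the days this thread was written, so the
    "counter" that grows in the leading digits is most likely the clock.
    """
    local, _, domain = address.partition("@")
    m = SES_LOCALPART.match(local)
    if not m:
        return None
    prefix, ts_hex, uuid = m.groups()
    millis = int(ts_hex, 16)
    when = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
    return {
        "prefix": prefix,
        "millis": millis,
        "iso": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "uuid": uuid,
        "domain": domain,
        # Only the domain is under the customer's control: a custom return-path
        # domain identifies the customer, the shared amazonses.com does not.
        "customer_domain": None if domain == SHARED_DOMAIN else domain,
    }

if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        print(decode_ses_sender(addr))
```

If the hypothesis holds, neither the first field nor the UUID carries a per-customer ID, so the only customer-specific signal available at RCPT time is a custom return-path domain.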
[mailop] Amazon SES senders
Hi all,

please, is there some logic in AmazonSES sender?

I (my user) recently start to get spams with envelope sender in form (last item):

01000190647ae455-a250a7c4-5c6b-4b0d-82a5-94f06382aa1f-000...@amazonses.com

Mails has valid "amazonses.com" & "ionixdev.com" DKIM, they has "@ionixdev.com" in MIME From, which has not SPF nor DMARC records. I found near to zero public info about ionixdev.com domain...

I don't expect to know who is sender, i want to know if their customers has attached some form of ID, which can be used to identify, that it is the same and reject it at RCPT stage. Is it possible?

I checked multiple these senders and i fail to see pattern in it. I see the same Feedback-ID: header value, but that is too late...

thanks

--
Slavko
https://www.slavino.sk/