Re: [mailop] Massive Spam Incident @ Outlook.com?

2022-10-16 Thread Carl Byington via mailop
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Wed, 2022-10-12 at 13:01 +, Slavko via mailop wrote:
> I did some experiments with that (not mail related) in the past, and most
> often the user's response was something like "They are big, they are doing
> things right!" Most of us know that "big" and "right" are independent
> cases...

Google for "MS365 ECB" and point them to any of the many articles about
the issue. Yes, MS is big, but it does not prevent them from doing
brain-dead things.


-----BEGIN PGP SIGNATURE-----

iHMEAREKADMWIQSuFMepaSkjWnTxQ5QvqPuaKVMWwQUCY0yYWRUcY2FybEBmaXZl
LXRlbi1zZy5jb20ACgkQL6j7milTFsENpwCfY+yRebsjwh5ggT0k+2P9oz102SMA
nA9Snc6IGi8UmOXQQYJ7iTWE+2FH
=I/o5
-----END PGP SIGNATURE-----



___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] SMTP noise from *.bouncer.cloud

2022-09-04 Thread Carl Byington via mailop

On Sun, 2022-09-04 at 19:49 +, Radek Kaczynski via mailop wrote:
> Regarding the list of IPs - I'd prefer to send it to the interested
> people directly.
> I'd like to have a track of record to whom I have exposed it and


You realize of course that when you connect to a mail server, we can see
the ip address you are using, and the dns naming convention that you
use. From that it is a simple script to generate the list below of
almost 1000 ip addresses.


> how they plan to act on it.

Feed the firewall, of course.

5.39.122.67 sbg5-mail-144.bouncer.cloud.
5.135.32.66 sbg5-mail-40.bouncer.cloud.
5.135.80.107 sbg5-mail-41.bouncer.cloud.
5.135.120.254 sbg5-mail-39.bouncer.cloud.
5.196.58.154 sbg5-mail-42.bouncer.cloud.
5.196.58.239 sbg5-mail-43.bouncer.cloud.
5.196.98.237 sbg5-mail-44.bouncer.cloud.
37.59.67.40 sbg5-mail-37.bouncer.cloud.
37.59.88.176 sbg5-mail-38.bouncer.cloud.
37.59.219.241 sbg5-mail-36.bouncer.cloud.
37.187.190.8 sbg5-mail-35.bouncer.cloud.
37.187.190.123 sbg5-mail-32.bouncer.cloud.
37.187.190.125 sbg5-mail-33.bouncer.cloud.
37.187.190.127 sbg5-mail-34.bouncer.cloud.
46.105.33.125 sbg5-mail-141.bouncer.cloud.
46.105.36.159 sbg5-mail-142.bouncer.cloud.
46.105.164.19 sbg5-mail-153.bouncer.cloud.
46.105.234.21 sbg5-mail-143.bouncer.cloud.
51.38.103.170 de1-mail-189.bouncer.cloud.
51.38.103.179 de1-mail-190.bouncer.cloud.
51.38.103.250 de1-mail-73.bouncer.cloud.
51.38.105.9 de1-mail-193.bouncer.cloud.
51.38.105.10 de1-mail-191.bouncer.cloud.
51.38.105.11 de1-mail-192.bouncer.cloud.
51.38.105.52 de1-mail-274.bouncer.cloud.
51.38.107.29 de1-mail-136.bouncer.cloud.
51.38.107.30 de1-mail-137.bouncer.cloud.
51.38.107.31 de1-mail-138.bouncer.cloud.
51.38.107.32 de1-mail-139.bouncer.cloud.
51.38.107.52 de1-mail-142.bouncer.cloud.
51.38.107.54 de1-mail-143.bouncer.cloud.
51.38.107.57 de1-mail-275.bouncer.cloud.
51.38.116.69 de1-mail-1.bouncer.cloud.
51.38.116.70 de1-mail-2.bouncer.cloud.
51.38.116.79 de1-mail-276.bouncer.cloud.
51.38.117.3 de1-mail-29.bouncer.cloud.
51.38.117.50 de1-mail-30.bouncer.cloud.
51.38.118.38 de1-mail-246.bouncer.cloud.
51.38.119.171 de1-mail-194.bouncer.cloud.
51.38.119.172 de1-mail-195.bouncer.cloud.
51.38.119.173 de1-mail-196.bouncer.cloud.
51.38.120.201 de1-mail-3.bouncer.cloud.
51.38.120.216 de1-mail-4.bouncer.cloud.
51.38.120.249 de1-mail-141.bouncer.cloud.
51.38.121.166 de1-mail-197.bouncer.cloud.
51.68.160.36 de1-mail-33.bouncer.cloud.
51.68.160.181 de1-mail-277.bouncer.cloud.
51.68.162.245 de1-mail-222.bouncer.cloud.
51.68.163.58 de1-mail-75.bouncer.cloud.
51.68.178.9 de1-mail-199.bouncer.cloud.
51.68.178.58 de1-mail-5.bouncer.cloud.
51.68.178.63 de1-mail-198.bouncer.cloud.
51.68.187.159 de1-mail-74.bouncer.cloud.
51.75.82.12 de1-mail-8.bouncer.cloud.
51.75.82.27 de1-mail-93.bouncer.cloud.
51.75.82.49 de1-mail-280.bouncer.cloud.
51.75.84.157 de1-mail-223.bouncer.cloud.
51.75.84.158 de1-mail-254.bouncer.cloud.
51.75.84.161 de1-mail-281.bouncer.cloud.
51.75.101.182 sbg5-mail-2.bouncer.cloud.
51.75.101.183 sbg5-mail-3.bouncer.cloud.
51.75.101.187 sbg5-mail-4.bouncer.cloud.
51.75.101.188 sbg5-mail-1.bouncer.cloud.
51.75.101.240 sbg5-mail-5.bouncer.cloud.
51.75.101.242 sbg5-mail-6.bouncer.cloud.
51.75.101.244 sbg5-mail-7.bouncer.cloud.
51.75.101.247 sbg5-mail-8.bouncer.cloud.
51.75.101.248 sbg5-mail-9.bouncer.cloud.
51.75.101.249 sbg5-mail-10.bouncer.cloud.
51.75.101.252 sbg5-mail-11.bouncer.cloud.
51.75.101.253 sbg5-mail-12.bouncer.cloud.
51.75.104.8 sbg5-mail-15.bouncer.cloud.
51.75.104.56 sbg5-mail-13.bouncer.cloud.
51.75.104.57 sbg5-mail-14.bouncer.cloud.
51.75.153.68 de1-mail-6.bouncer.cloud.
51.75.153.69 de1-mail-7.bouncer.cloud.
51.75.154.78 de1-mail-251.bouncer.cloud.
51.75.154.88 de1-mail-252.bouncer.cloud.
51.75.154.91 de1-mail-253.bouncer.cloud.
51.75.154.92 de1-mail-278.bouncer.cloud.
51.75.154.104 de1-mail-247.bouncer.cloud.
51.75.154.105 de1-mail-248.bouncer.cloud.
51.75.154.106 de1-mail-249.bouncer.cloud.
51.75.154.114 de1-mail-250.bouncer.cloud.
51.75.155.157 de1-mail-79.bouncer.cloud.
51.75.155.158 de1-mail-80.bouncer.cloud.
51.75.155.167 de1-mail-81.bouncer.cloud.
51.75.155.168 de1-mail-82.bouncer.cloud.
51.75.155.169 de1-mail-83.bouncer.cloud.
51.75.155.170 de1-mail-84.bouncer.cloud.
51.75.155.171 de1-mail-85.bouncer.cloud.
51.75.155.172 de1-mail-86.bouncer.cloud.
51.75.155.173 de1-mail-87.bouncer.cloud.
51.75.155.174 de1-mail-88.bouncer.cloud.
51.77.77.185 de1-mail-37.bouncer.cloud.
51.77.77.186 de1-mail-38.bouncer.cloud.
51.77.77.187 de1-mail-39.bouncer.cloud.
51.77.77.188 de1-mail-40.bouncer.cloud.
51.77.77.189 de1-mail-41.bouncer.cloud.
51.77.77.190 de1-mail-42.bouncer.cloud.
51.77.77.191 de1-mail-43.bouncer.cloud.
51.77.77.192 de1-mail-44.bouncer.cloud.
51.77.77.193 de1-mail-45.bouncer.cloud.
51.77.77.194 de1-mail-46.bouncer.cloud.
51.77.77.195 de1-mail-47.bouncer.cloud.
51.77.77.196 de1-mail-48.bouncer.cloud.
51.77.77.197 de1-mail-49.bouncer.cloud.
51.77.77.198 de1-mail-50.bouncer.cloud.

Re: [mailop] SMTP noise from *.bouncer.cloud

2022-09-03 Thread Carl Byington via mailop

On Sun, 2022-09-04 at 00:43 +0200, Radek Kaczynski via mailop wrote:
> If any of you would like to get a full list of our IP addresses and
> domains so that you can block Bouncer's requests - please feel free to
> email me at ra...@usebouncer.com.

Probably easier just to post it here.




Re: [mailop] smtp dane/tlsa

2022-09-03 Thread Carl Byington via mailop

On Sat, 2022-09-03 at 17:41 +, ml+mailop--- via mailop wrote:
> How did you notice that "something is now broken"?

A former client was trying to set up Fedora 36 sendmail with dane
validation. F36 comes with sendmail 8.17.1 which is supposed to support
dane, but they get verify=fail talking to my mail servers. So I googled
for some dane test site, and found

https://www.huque.com/bin/danecheck-smtp

which also claims fail - so I assumed something in my config was broken.

> "works for me" - I just tried it with an MTA that supports DANE:

Thanks for that test! Perhaps both F36 sendmail and the gotls tool have
the same bug with respect to the expired CA.

https://dane.sys4.de/smtp/five-ten-sg.com says everything is ok.




Re: [mailop] smtp dane/tlsa

2022-09-02 Thread Carl Byington via mailop

On Fri, 2022-09-02 at 18:42 +, ml+mailop--- via mailop wrote:
> Are you sure you want 3 0 1 and not 3 1 1?

Yes. We are publishing the hash of the full certificate. Note there are
two tlsa records, one corresponding to the previous LE certificate, and
one corresponding to the current LE certificate. That handles the TTL
issues associated with updating the certificate.






[mailop] smtp dane/tlsa

2022-09-02 Thread Carl Byington via mailop

Years ago I set up automation for tlsa records to support smtp dane here.
However, something is now broken, and I am not sure what is wrong.

_25._tcp.mail3.five-ten-sg.com. IN TLSA 3 0 1 (
  834d710b2feb790cc9b2c6d251c65b1fedc24c51a4149bdfeae4d40e0be11892
)

https://www.huque.com/bin/danecheck-smtp shows DANE TLSA 3 0 1
[834d710b..]: not checked and a failed result.

https://www.huque.com/bin/gen_tlsa generates the same tlsa record as
above.


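The record above and the reply earlier in the thread (usage 3, selector 0, matching type 1: SHA-256 over the full certificate, with two records published so the old and the new Let's Encrypt certificate both validate while caches expire) can be checked end to end with a few lines of code. The following is an added example, not the list's or the poster's automation; the two "certificates" are constructed byte strings standing in for DER-encoded certificates, the owner name is the one from the post, and `spki_der` is a hypothetical parameter through which a caller supplies an already-extracted SubjectPublicKeyInfo, since this example does not parse DER.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates. A real implementation
# would base64-decode the PEM body of the leaf certificate to get these bytes.
OLD_CERT_DER = b"\x30\x82\x01\x00" + b"old-le-cert-" * 8
NEW_CERT_DER = b"\x30\x82\x01\x00" + b"new-le-cert-" * 8

OWNER = "_25._tcp.mail3.five-ten-sg.com."

MATCHING_HASHES = {1: hashlib.sha256, 2: hashlib.sha512}


def association_data(cert_der, selector, mtype, spki_der=None):
    """Certificate association data per RFC 6698 section 2.1.
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo (caller supplies
    the extracted SPKI bytes; this example does not parse DER).
    mtype 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        data = spki_der
    else:
        raise ValueError("unknown selector %r" % selector)
    if mtype == 0:
        return data.hex()
    return MATCHING_HASHES[mtype](data).hexdigest()


def tlsa_record(owner, cert_der, usage=3, selector=0, mtype=1, spki_der=None):
    """Render a TLSA record in zone-file form, e.g. '... IN TLSA 3 0 1 <hex>'."""
    data = association_data(cert_der, selector, mtype, spki_der)
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, data)


def parse_tlsa(rr):
    """Split 'owner IN TLSA usage selector mtype hex' into its fields."""
    fields = rr.split()
    idx = fields.index("TLSA")
    return (int(fields[idx + 1]), int(fields[idx + 2]),
            int(fields[idx + 3]), fields[idx + 4].lower())


def dane_ee_match(cert_der, records, spki_der=None):
    """True if the presented leaf certificate matches any usage-3 (DANE-EE)
    record. With DANE-EE the certificate is trusted directly, so no CA chain
    is validated (RFC 7672 section 3.1.1); a verifier that still insists on a
    valid chain is applying a check the records do not ask for."""
    for rr in records:
        usage, selector, mtype, data = parse_tlsa(rr)
        if usage != 3:
            continue
        try:
            if association_data(cert_der, selector, mtype, spki_der) == data:
                return True
        except ValueError:
            continue
    return False


# Two records published at once, as in the post: one for the certificate
# that is being retired and one for the certificate now being served.
PUBLISHED = [tlsa_record(OWNER, OLD_CERT_DER), tlsa_record(OWNER, NEW_CERT_DER)]

if __name__ == "__main__":
    for rr in PUBLISHED:
        print(rr)
    print("new cert matches:", dane_ee_match(NEW_CERT_DER, PUBLISHED))
    print("old cert matches:", dane_ee_match(OLD_CERT_DER, PUBLISHED))
```

Publishing both records before switching the served certificate, and dropping the old record only after the TLSA TTL has elapsed, is what keeps `dane_ee_match` true on every client throughout the rotation.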


Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

2022-07-22 Thread Carl Byington via mailop

On Wed, 2022-07-20 at 12:41 -0600, Brie via mailop wrote:
> It's still going on even though it was 'being looked into'.

Fixed here by blacklisting the DKIM signature from zoom.us




Re: [mailop] Google's Request to the FEC about Allowing Political Email to Bypass Spam Filtering

2022-07-09 Thread Carl Byington via mailop

On Sat, 2022-07-09 at 17:22 -0600, Anne Mitchell via mailop wrote:
> "It shall be unlawful for an operator of an email service to use a
> filtering algorithm to apply a label to an email sent to an email
> account from a political campaign unless the owner or user of the
> account took action to apply such a label."

Do you have an opinion on the meaning of "apply a label"? We don't apply
labels - we either accept or reject incoming mail. Does the smtp
response "550 5.7.1 ESAD" count as applying a label?




Re: [mailop] AT blocking IP addresses

2022-03-30 Thread Carl Byington via mailop

On Wed, 2022-03-30 at 10:55 -0700, Michael Peddemors via mailop wrote:
> Imagine the day where you can't use email unless you use Gmail or
> o356.

If that happens, there will be two mail systems (gmail/o365) and
(everyone else). If the (gmail/o365) folks will only accept mail from
each other, then there is no reason for (everyone else) to accept mail
from them.

So folks that want to apply to a college won't be able to do it from a
gmail account. So everyone will have at least two addresses, one in each
side of the partition.





Re: [mailop] Can someone from google/gmail contact me offlist?

2022-03-30 Thread Carl Byington via mailop

On Wed, 2022-03-30 at 09:56 -0500, Al Iverson via mailop wrote:
> Since this specifically refers to domain reputation I'd make sure all
> mail is properly signing with DKIM. Domain rep can also fall back to
> the return-path domain, so if that's different from your visible from
> domain, that could be the domain with a poor rep. And domain in this
> context can also mean subdomain.

The bind-users list arriving here via lists.isc.org is similar to this
list (mailop), in that outgoing list mail is not DKIM signed by
respectively isc.org or mailop.org.

Both lists have the dmarc workaround. Perhaps it has nothing to do with
the list email.




Re: [mailop] So uh... Zoom/Sendgrid... How's that webinar spam investigation coming?

2021-08-04 Thread Carl Byington via mailop

On Wed, 2021-08-04 at 16:40 -0700, Luke via mailop wrote:
> Bounces and spam report percentages dropped.

I am probably not the only one that has SA blocking all mail from some
of those senders.

header SENDGRID4 X-Entity-ID =~ /7mxhBNMkQ9yfwz0A5\+NG7Q==/

So are you tracking rejects where the recipient mail server replies with
something like

550 5.7.1 Mail rejected - spam assassin score 19

as a response to the smtp DATA command?




Re: [mailop] Contact for Zoom webinar spam sent via Sendgrid (ugh)

2021-07-11 Thread Carl Byington via mailop

On Thu, 2021-07-08 at 09:14 -0700, Luke via mailop wrote:
> Both of the accounts reported by Michael have been suspended.

DATE: 07/11/21 07:00:22 PDT
IP: o5.sg.zoom.us :::149.72.199.144
env_From: bounces+21079884-d4de-..
X-Entity-ID: 7mxhBNMkQ9yfwz0A5+NG7Q==

That one is still active. Google translate says the subject is

OPPORTUNITIES FOR INTELLIGENT BUYERS WHEN THE POLICY OF SUPPORTING 100%
LOANING APARTMENTS STRONGLY DEVELOPES IN THE REAL EST MARKET.




Re: [mailop] Contact for Zoom webinar spam sent via Sendgrid (ugh)

2021-07-08 Thread Carl Byington via mailop

On Thu, 2021-07-08 at 09:31 +0300, Atro Tossavainen via mailop wrote:
> That one is Zoom.us itself.

> Received: from o5.sg.zoom.us (o5.sg.zoom.us [149.72.199.144])

> Received: from o12.ptr3622.sg.zoom.us (o12.ptr3622.sg.zoom.us
> [167.89.93.232])

Yes, the mail arrives from systems with rdns of *.sg.zoom.us, but my
understanding is that the X-Entity-ID points to a sendgrid user. And the
headers include stuff like:

Received: by filter1889p1las1.sendgrid.net with SMTP id
filter1889p1las1-10585-60DE6FD0-E
2021-07-02 01:45:52.506187482 + UTC m=+23969.518969155
Received: from MjEwNzk4ODQ (unknown)
by geopod-ismtpd-3-2 (SG) with HTTP id W8YVLKQPT6CK1S2NPi9CbA

Which looks like the original submission was via a sendgrid web
interface. A reply-to address in .vn, and a subject line (google
translate from Vietnamese) of "Why real estate can make you rich?".

Just more crap that sendgrid is leaking, this time sending their
outbound spam via zoom.us servers.





Re: [mailop] Contact for Zoom webinar spam sent via Sendgrid (ugh)

2021-07-07 Thread Carl Byington via mailop

On Tue, 2021-07-06 at 23:59 +0300, Atro Tossavainen via mailop wrote:
> X-Entity-ID: 7mxhBNMkQ9yfwz0A5+NG7Q==

>   Return-Path: https://list.mailop.org/listinfo/mailop


Re: [mailop] protection.outlook.com refusing to accept mail with misleading temp error message

2021-06-02 Thread Carl Byington via mailop

On Tue, 2021-06-01 at 21:46 -0400, yuv via mailop wrote:
> but I do like the fact that if someone puts a letter with my address in
> a post office box anywhere in the world, it makes its way to my snail
> box within a reliable service standard.

Your mileage may vary. Around here several clients and vendors moved to
Zelle or other electronic payment mechanisms due to persistent problems
with snail mailed checks never arriving. Some parts of the US Post
Office seem to be dropping some of the mail on the floor.




Re: [mailop] Microsoft antispam

2021-02-07 Thread Carl Byington via mailop

On Fri, 2021-02-05 at 10:04 -0600, Lyle Giese via mailop wrote:
> I just looked at the dns entries for foddi.net. The A and 
> records for mx1.mail.foddi.net have a TTL of 120 seconds. For many mail
> providers that indicates a dynamic IP address. It's been my
> experience that 12 hrs is the minimum (some prefer 24 hrs) TTL on these
> records.

dig microsoft.com mx
microsoft.com. 3600 IN  MX  10 microsoft-com.mail.protection.outlook.com.

dig microsoft-com.mail.protection.outlook.com.
microsoft-com.mail.protection.outlook.com. 10 IN A 104.47.54.36



dig gmail.com mx
gmail.com.  3600IN  MX  5 gmail-smtp-in.l.google.com.

dig gmail-smtp-in.l.google.com.
gmail-smtp-in.l.google.com. 300 IN  A   74.125.137.26



dig yahoo.com mx
yahoo.com.  1800IN  MX  1 mta5.am0.yahoodns.net.


dig mta5.am0.yahoodns.net.
mta5.am0.yahoodns.net.  60  IN  A   67.195.204.72
...





Re: [mailop] cloudapp.azure.com?

2020-12-17 Thread Carl Byington via mailop

On Thu, 2020-12-17 at 07:28 -0800, Michael Peddemors via mailop wrote:
> But yeah, it's ugly on Azure right now..

41.201.224.52.list.dnswl.org. 10800 IN  TXT "cloudapp.azure.com
https://dnswl.org/s/?s=53622;
41.201.224.52.list.dnswl.org. 10800 IN  A   127.0.5.0

You might reach out to dnswl.org and see if they will pull that
whitelisting entry.




Re: [mailop] Just how does SendGrid fail this badly?

2020-08-18 Thread Carl Byington via mailop

On Tue, 2020-08-18 at 12:03 +, Andy Smith via mailop wrote:
> From: "chiark.greenend.org.uk" 

So sendgrid account 15204622 was sending mail as:

Received: from dhl.com (unknown)
by ismtpd0005p1lon1.sendgrid.net (SG)
with ESMTP id 0c6xV8agQF6yK8GOsXvJLw
for <$munged>;
Tue, 18 Aug 2020 05:18:02.219 + (UTC)
From: DHL 
Subject: Shipment for $munged

They allow outbound mail with a from: header in dhl.com, even though:

dig _dmarc.dhl.com txt +short
reject.valimail.dmarc.dhl.com.
"v=DMARC1; p=reject; fo=0; rua=mailto:dmarc-
repo...@dhl.com,mailto:dmarc_agg@vali.email;;

dhl is asking folks to reject that mail, but sendgrid tries to send it
anyway.






___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Just how does SendGrid fail this badly?

2020-08-18 Thread Carl Byington via mailop

On Tue, 2020-08-18 at 15:23 +0300, Atro Tossavainen via mailop wrote:
> The SendGrid account sending these yesterday is 13999362.

Where do you find that account number in the headers? I see some from
today with "Upgrade (FINAL WARNING)" in the subject, but no indication
of any sendgrid account number.




Re: [mailop] Google and Spam detection

2020-07-24 Thread Carl Byington via mailop

On Fri, 2020-07-24 at 22:08 -0400, John Levine via mailop wrote:
> Depends whether you consider Comcast to be big. They sure have a lot
> of customers.

If five-ten-sg.com wants to deliver to comcast.net, my publishing tlsa
records for _25._tcp.mail3.five-ten-sg.com probably won't affect whether
comcast accepts my mail.

I can look at their _25._tcp.mx1.comcast.net tlsa record when deciding
whether the TLS connection to their mail server meets my outgoing
standards.

They can look at my _25._tcp.mail3.five-ten-sg.com tlsa record when
sending mail to me, but again, that won't affect my deliverability to
them.




Re: [mailop] Is there a contact for ono.com

2020-07-15 Thread Carl Byington via mailop

On Thu, 2020-07-16 at 00:07 +0300, Atro Tossavainen via mailop wrote:
> Since https://www.ono.com/ is equally inaccessible from my domestic
> Internet connection (also in Finland), I'd say #1 sounds more likely
> to me.

I can ping www.ono.com == 62.42.230.18, but traceroute to it dies after
de-cix.mad.vodafone.es and four 10/8 addresses. So it does not look like
routing to me.

But 62.42.230.18 won't answer on port 80, and 62.42.230.22 won't answer
on port 25.




Re: [mailop] SPF strict / DMARC interaction / "big" provider behavior...

2020-06-17 Thread Carl Byington via mailop

On Wed, 2020-06-17 at 16:45 -0400, Bill Cole via mailop wrote:
> > This problem is part of why DMARC was developed. Very few people are
> adequately confident of their understanding of DMARC and of its
> reliability to make it the root cause of mail rejections that they do
> not intend.

Someone in the US State Department is apparently very confident, but
mistaken.

dig _dmarc.state.gov txt +short
"v=DMARC1; p=reject; rua=mailto:dmarcrepor...@state.gov,
mailto:repo...@dmarc.cyber.dhs.gov;

Yet they send mail out via Mailchimp, with a from: header of
From: =?utf-8?Q?The=20Office=20of=20Foreign=20Missions?=


and only a single DKIM signature from d=mailchimpapp.net.




Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Carl Byington via mailop

On Wed, 2020-06-17 at 08:55 -0500, Michael Rathbun via mailop wrote:
> > Pointing out to users reporting these that blocking Sendgrid
> entirely
> (the temptation arises) would take out the SG traffic that is highly
> desired (at least 70%).

Two months ago we started treating mail arriving with a DKIM signature
from sendgrid.net as a moderated mailing list, with a few exceptions for
known senders. The resulting mail volume is low enough, combined with
the high value phishing targets, that we can do manual moderation. In
the last 24 hours:

2 recipients Failure Account Verification Message***Secure Immediately**
4 recipients Remove Your Criminal Convictions
1 recipient  Up To $2,000,000 In Capital
4 recipients Immediate Email Update
4 recipients Account Verification
1 recipient  Important Email Verification
1 recipient  Important Security Notice




Re: [mailop] SendGrid Abuse unresponsive

2020-05-10 Thread Carl Byington via mailop

On Tue, 2020-05-05 at 15:06 -0700, Jay Hennigan via mailop wrote:
> On 5/5/20 14:30, Blake Hudson via mailop wrote:
> > Been getting a variety of Amex scams for several weeks via SendGrid.
> > Wish they had a better reporting mechanism.

> The reporting mechanism is fine. There just isn't anyone who cares on
> the other end of it.

It also seems that there is NO outbound spam filtering at all. Consider
this one, a standard lottery commission spam:

Subject: Claim Winning Now!
From: Elizabeth 
Date: Sun, 10 May 2020 18:42:30 + (UTC)
Reply-To: mallettte...@yahoo.com

Really sendgrid - you allow a From: header of xx@yy ??




Re: [mailop] [OFF TOPIC] Any WindStream abuse team members on here?

2020-05-07 Thread Carl Byington via mailop

On Wed, 2020-05-06 at 23:39 -0500, Michael Rathbun via mailop wrote:

> > The one we see from that group is 183.136.225.44, currently knocking
> at the
> door but being halted by the "all 183.128.0.0/11 refuse" rule.

183.136.225.45 and 183.136.225.46 are currently port scanning here.




Re: [mailop] SendGrid Abuse unresponsive

2020-05-05 Thread Carl Byington via mailop

On Tue, 2020-05-05 at 07:48 -0700, Michael Peddemors via mailop wrote:
> This is a little too obvious, and while historically SendGrid ran a
> tight ship, and got a little leeway from spam auditors.. it's getting
> very bad, and going on for too long.. risking losing any preferential
> treatment..

It is bad enough that our local spamassassin rules add 5 points if the
message is dkim signed by sendgrid.net.




Re: [mailop] Weekly Update on SpamAuditor reports

2020-04-19 Thread Carl Byington via mailop

On Fri, 2020-04-17 at 09:28 -0700, Michael Peddemors via mailop wrote:
> * SendGrid compromised accounts sending phishing

> Seeing a lot more cases of this occurring again, mostly phishing
> attacks.

Yup.

IP: wrqvbqzd.outbound-mail.sendgrid.net :::149.72.180.237
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
From: "Wells Fargo Online" <$probablyfor...@stmartinsepiscopal.org>

Really sendgrid - you cannot detect that on your outbound servers??

It has gotten bad enough that we have some accounts here that are
blacklisting the d=sendgrid.net dkim signature. Anything you sign gets
rejected by those accounts during the smtp transaction.




Re: [mailop] list bombing

2019-11-25 Thread Carl Byington via mailop

On Mon, 2019-11-25 at 10:32 -0800, Kurt Andersen (b) via mailop wrote:
> Are you seeing any significant portion of these messages bearing the
> Form-Sub header? (documented in https://tools.ietf.org/html/draft-
> levine-mailbomb-header-01)

On a low volume mail server, the only messages I see with that header
are also dkim signed by mail*.mcsignup.com. MailChimp are using

h=From:Reply-To:To:Date:Message-ID:Sender:Subject:MIME-Version: Content-
Type;

So their signature does not include the Form-Sub: header, contrary to
the recommendation in that draft.


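Two posts on this page act on the DKIM-Signature header rather than on the message body: the one above, which reads MailChimp's h= tag to see whether Form-Sub is among the signed headers, and the earlier SendGrid posts, which add SpamAssassin points or reject outright when the d= tag is sendgrid.net. The following is an added example, not the list's or the poster's code, showing the small tag-list parser both need. The two header values are constructed (the h= list for the MailChimp one is copied from the post; selector, bh= and b= values are placeholders), and the point values and blacklist are assumptions standing in for local policy.

```python
import re

# Constructed DKIM-Signature header values. Not captured mail: the d= values
# are the signing domains the posts name, the rest are placeholders.
SENDGRID_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net; s=smtpapi;"
                " h=from:to:subject:mime-version; bh=ZmFrZQ==; b=ZmFrZQ==")
MAILCHIMP_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail123.mcsignup.com;"
                 " s=k1; h=From:Reply-To:To:Date:Message-ID:Sender:Subject:"
                 "MIME-Version: Content-Type; bh=ZmFrZQ==; b=ZmFrZQ==")


def parse_tags(header_value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict.
    Whitespace inside values is removed, which is what RFC 6376 allows
    around the colons of the h= list and inside the base64 of b=."""
    tags = {}
    for field in header_value.split(";"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signing_domain(header_value):
    """The d= tag, lowercased: the domain whose key signed the message."""
    return parse_tags(header_value).get("d", "").lower()


def signed_headers(header_value):
    """Header names listed in h=, lowercased; only these are covered."""
    return [h.lower() for h in parse_tags(header_value).get("h", "").split(":") if h]


def missing_from_signature(header_value, wanted):
    """Which of the wanted header names the signature does not cover.
    A header not in h= can be added, removed or altered in transit without
    invalidating the signature."""
    covered = set(signed_headers(header_value))
    return [name.lower() for name in wanted if name.lower() not in covered]


# Assumed local policy, in the spirit of the SpamAssassin rule described in
# the SendGrid posts: points added per signing domain.
SIGNER_POINTS = {"sendgrid.net": 5.0}


def spam_points(header_value):
    return SIGNER_POINTS.get(signing_domain(header_value), 0.0)


def disposition(header_value, blacklisted_signers):
    """Per-account SMTP-time decision: reject when the signing domain is on
    that account's blacklist, otherwise accept and leave it to scoring."""
    if signing_domain(header_value) in blacklisted_signers:
        return "reject"
    return "accept"


if __name__ == "__main__":
    print(signing_domain(MAILCHIMP_SIG), signed_headers(MAILCHIMP_SIG))
    print("not covered:", missing_from_signature(MAILCHIMP_SIG, ["From", "Form-Sub"]))
    print(disposition(SENDGRID_SIG, {"sendgrid.net"}), spam_points(SENDGRID_SIG))
```

The parser only reads the tag list; it does not verify the signature, so in a real filter `disposition` and `spam_points` should be applied to the d= of a signature that has already passed verification, otherwise a forged DKIM-Signature header could trigger the penalty against an uninvolved signer.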


Re: [mailop] delivery problems from mimecast.com

2019-11-21 Thread Carl Byington via mailop

On Thu, 2019-11-21 at 17:09 +0100, Claus Assmann via mailop wrote:
> I wasted several hours to set up one host to get a Let's Encrypt cert,
> configured my server to use that for connections from mimecast, and
> ... still get the same error.

My servers have Let's Encrypt certs for sendmail, and receive a fair bit
of mail from mimecast.




Re: [mailop] Gmail marking email from me as spam

2019-10-11 Thread Carl Byington via mailop

On Thu, 2019-10-10 at 22:06 -0400, John Levine via mailop wrote:
> In article <1570757713.1030.53.ca...@16bits.net> you write:
> >Count me too as someone with a tiny server that Gmail automatically
> >files in spam with apparently no reason.
> >There are so few mails sent there (at most, 7 mails *per month*,
> often

> I took a look at the logs to see what mail comes to my mail server
> from the network at Frantech where your server is.  Surprise, it's
> 100% spam.  Lie down with dogs and all that.

199.195.249.54 chinanetregistry.net.dbl.spamhaus.org listed
199.195.249.96 Arunaputiie2Roijmans.top.dbl.spamhaus.org listed
199.195.249.217 naktolk.win.multi.surbl.org listed




Re: [mailop] booking.com dmarc

2019-06-04 Thread Carl Byington via mailop
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Mon, 2019-06-03 at 16:10 -0700, Alan Hodgson via mailop wrote:
> You can sign with a sub-domain or parent domain as long as they share
> the same organizational domain.

My understanding was incorrect. Page 10 of RFC7489 says "In relaxed
mode, the Organizational Domains of both ... must be equal", so

from=a...@sub.sub.example.com can be signed by example.com, or any
subdomain thereof including joe.example.com.

from=a...@example.com can also be signed by example.com, or any subdomain
thereof including joe.example.com.

Thank you for the correction.




Re: [mailop] What is the story with QQ.COM?

2019-06-03 Thread Carl Byington via mailop
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Sun, 2019-06-02 at 20:12 +, Benjamin BILLON via mailop wrote:
> If those emails seem to be sent from botnets, I believe they're not
> sent from QQ.com. They have a SPF -all policy, a p=none DMARC policy,
> and I can't check if they have DKIM but it's quite possible.

We get a little legit email from qq.com, but it is all DKIM signed. We
don't directly check dmarc policy records, but the milter(1) here has
the ability to essentially enforce a dmarc-like requirement. The end
result is that we reject any mail claiming to be from qq.com that is not
signed by qq.com, essentially changing their p=none to p=reject.

(1) https://www.five-ten-sg.com/dnsbl/

We can (manually) compensate for errors in dmarc records. For example,
booking.com has a p=reject, but we see mail "From:.*@booking.com" dkim
signed by sg.booking.com. Strict dmarc would reject that. We enforce a
requirement that mail from booking.com be signed by either booking.com
or sg.booking.com. There are other domains with similar errors.



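The relaxed-alignment rule from the booking.com thread and the local signer policy from the qq.com reply, as an added Python example (not the author's milter code). The tiny public-suffix table and the local policy entries are constructed assumptions; real code needs the full Public Suffix List.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1) plus a local signer
policy. Added example, not the milter's own code."""

# Constructed stand-in for the Public Suffix List; the organizational-domain
# rule (RFC 7489 section 3.2) depends on it, so real code must load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """Public suffix plus one label, e.g. sub.sub.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(from_domain, signing_domain, adkim="r"):
    """True if the DKIM d= domain aligns with the RFC5322.From domain.
    adkim='r' (relaxed, the default) needs equal organizational domains;
    adkim='s' (strict) needs an exact match."""
    f = from_domain.lower().rstrip(".")
    d = signing_domain.lower().rstrip(".")
    if adkim == "s":
        return f == d
    return organizational_domain(f) == organizational_domain(d)


# Constructed local policy: From: organizational domain -> override of the
# published p= value (qq.com's p=none becomes p=reject here) and extra
# signer domains accepted even when they would not align.
LOCAL_POLICY = {
    "qq.com": {"p": "reject", "signers": set()},
    "booking.com": {"p": "reject", "signers": {"sg.booking.com"}},
}


def dmarc_disposition(from_domain, signatures, published_p, adkim="r"):
    """signatures: list of (d= domain, verified) pairs found on the message.
    Returns 'pass' when a verified signature aligns or is locally allowed,
    otherwise the effective policy action: 'none', 'quarantine' or 'reject'."""
    org = organizational_domain(from_domain)
    local = LOCAL_POLICY.get(org, {})
    for d, verified in signatures:
        if not verified:
            continue
        if aligned(from_domain, d, adkim) or d.lower() in local.get("signers", set()):
            return "pass"
    return local.get("p", published_p)


if __name__ == "__main__":
    print(dmarc_disposition("qq.com", [], "none"))                      # reject
    print(dmarc_disposition("booking.com", [("sg.booking.com", True)], "reject"))  # pass
```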

Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)

2019-04-29 Thread Carl Byington via mailop
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Mon, 2019-04-29 at 16:49 -0700, Michael Peddemors via mailop wrote:
> PPS, You know the IP(s) can change at any time ;)

That is what cron is for. So far, synapp.io has been very good about
listing *only* their own address validators in their spf records. Daily
spf resolution of the known domains, combined with automated greps of
the mail logs for "ehlo mta-wk-[0-9].mk[0-9]" to discover new domains as
they are added, and feeding that into firewall scripts.




Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)

2019-04-29 Thread Carl Byington via mailop
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Mon, 2019-04-29 at 09:12 -0700, Michael Peddemors via mailop wrote:

> Speaking of.. anyone have any insight into these guys?
> They keep popping up on various CDN's eg, DO, AZURE, etc..

> 45.32.138.192   (M)   1   mta-wk-3.mk3.ipruz.com
> 45.76.246.69(M)   2   mta-wk-3.mk1.uulio.com
> 45.76.246.127(M)   1   mta-wk-5.mk3.uulio.com
> 45.77.5.86   1   mta-wk-0.mk1.ipruz.com

http://www.synapp.io

resolve spf records for all those domain names and merge the results,
followed by firewall rules of your choice.




Re: [mailop] The (not so) Good Guys

2018-12-30 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Fri, 2018-12-28 at 19:31 -0500, John Levine wrote:
> For people who would like more search keys, the spam all came from
> 38.107.108.240, envelope return address i...@email.thegoodguys.com.au.

One delivery attempt here to a non-existent address,
Dec 25 16:25:37 ... 553 5.3.0 ... No such user here




Re: [mailop] Pet Peeve of the day, Bulk Notice Mailers from Do Not Reply.

2018-11-28 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Wed, 2018-11-28 at 10:26 -0800, Michael Peddemors wrote:
> (Seems that they must have some automated system adding a line break
> in the middle, breaking the one entry..)

No, that is normal. RHS of a TXT record is a sequence of strings, each
of which can be up to 255 bytes long. The client that interprets TXT
records needs to concatenate them.

See _spf3.yahoo.com and many others.




[mailop] including dkim private key as a header?

2018-10-24 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

That does not seem to be wise.

IP: drone154.ral.icpbounce.com :::207.254.213.211
HELO: drone154.ral.icpbounce.com
env_From: bounces+1035701.49998965.544...@icpbounce.com
mail_host=icpbounce.com



DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default;
d=icontactmail3.com; .

Date: Wed, 24 Oct 2018 19:31:04 -0400

X-DKIM-Key: -BEGIN RSA PRIVATE KEY-
MIICXAIBAAKBgQC//RGTYFDm7IkGi3fCXW87OPq1Hiy/5Llcb4+vq5D33Qn1zvzP
XNJOUglEyLhDP/uBWVUSIkz/IngcrjEgLYfNYIfv8tYyAvknqeTbMuF1ogoRKWMH
..






Re: [mailop] Monumetric - unabated spamming through Google / GTT

2018-09-26 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Fri, 2018-09-21 at 10:24 -0700, Michael Peddemors wrote:
> Return-Path: 
> Return-Path: 
> Return-Path: 
> A lot of 'selling Databases of email address' spam..
> Obviously randomly constructed email addresses, all pushing the same
> thing

I have not seen that one, but the following DKIM signers have all sent
spam trying to sell email address lists:



Re: [mailop] anyone from psu.edu ?

2018-08-08 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


> which is interesting, since that name has a cname, but no A record.
> Anyone know what list they are actually checking against?

I should have mentioned that the address 69.167.152.152 is not listed on
the public lookup at https://www.ers.trendmicro.com/reputations




[mailop] anyone from psu.edu ?

2018-08-08 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

The psu.edu mail servers are returning an error message:

reason: 551 5.7.1 $IP blacklisted due to listing on www.mail-abuse.org

which is interesting, since that name has a cname, but no A record.
Anyone know what list they are actually checking against?




Re: [mailop] Gmail change DMARC Policy?

2018-08-03 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Thu, 2018-08-02 at 14:49 -0400, Bill Cole wrote:
> The 'd=' domains don't use DNSSEC. This means that the immediate
> validity of the signature at delivery time is dependent on trusting a
> key which may be spoofed. The DKIM TXT record has a TTL of one day, so
> it is hard to be certain whether the signer today is the same entity
> as the signer tomorrow.

If you only trust DKIM signatures from DNSSEC domains, then you can only
enforce DMARC p=reject for a trivially small number of domains. The
largest providers that I have seen with DMARC p=reject are aol.* and
yahoo.*, none of which use DNSSEC. We reject a lot of spam based on
their p=reject setting.




Re: [mailop] DKIM headers - which do you sign and why?

2018-07-28 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Mon, 2018-07-23 at 15:28 -0700, Kurt Andersen (b) wrote:

> On Mon, Jul 23, 2018 at 3:04 PM, Laura Atkins
>  wrote:

>> Spammers poisoned that particular well a while ago. +all listings
>> are treated as heavily suspicious by ISPs.

> Deeply suspicious or egregiously stupid. Overly broad SPF ranges are
> definitely an indicator of badness of some sort - even /16 is
> considered outrageous.../0 would be more so.

Anyone that uses include:spf.protection.outlook.com will have imported
ip4:52.100.0.0/14 and ip4:40.92.0.0/14




[mailop] Comcast contact? bounce.care.comcast.com

2018-06-25 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

bounce.care.comcast.com has

"v=spf1 include:cust-spf.exacttarget.com ip4:76.96.68.101
ip4:76.96.68.102 ip4:76.96.68.103 ip4:69.252.76.7 ip4:69.252.76.8
ip4:69.252.76.9 -all"

Note the -all, but at least some mail is arriving here via
resqmta-po-04v.sys.comcast.net == 96.114.154.163 not listed in the above spf
record. You might want to fix that.

Also, the DKIM signature from mdp.comcast.net is broken -
reason="signature verification failed".




Re: [mailop] Yahoo DKIM Signing, not folding the header..

2018-05-24 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Thu, 2018-05-24 at 18:02 -0400, John Levine wrote:
> By the way, I sent myself a message from my AOL account, and it
> showed up with a DKIM signature all tidily folded.

Signatures with d=mx.aol.com seem to be wrapped.

Signatures with d=aol.com seem to be one long line.




[mailop] spf and mx: tokens

2018-04-11 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

While checking dmarc, we check for dkim signatures. If that fails, we
look for spf records. A very small number of those contain mx: tokens.
While chasing a bug in my code, it became obvious that almost everyone
misuses those, and they really meant to use a:some.name

So we could (do what they want) interpret mx:mail.example.com as if it
were a:mail.example.com - we won't be rejecting mail that the sending
domain intended for us to accept. But that just hides their error and
possibly increases the chances of yet more folks making the same
mistake.

What does your code do when it sees mx:mail.example.com, where there is
no mx record, but there is an a record?



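An added example (not the author's code or the milter's) covering three points from the posts above: TXT strings must be concatenated before parsing (the _spf3.yahoo.com reply), include:/redirect= chains resolve to one merged set of networks (the synapp.io replies), and an mx:host term whose host has an A record but no MX record never matches. The DNS table, names and addresses are constructed from documentation ranges.

```python
"""SPF record expansion over a constructed DNS table. Added example,
not the author's milter code."""
import ipaddress

# Constructed DNS data (documentation names and reserved address ranges).
# TXT RDATA is a list of strings of at most 255 octets each; the client must
# concatenate them before parsing, which is why the split below is harmless.
DNS = {
    ("example.com", "TXT"): [
        ["v=spf1 ip4:192.0.2.0/25 ", "mx:mail.example.com include:_spf.example.net -all"],
    ],
    ("mail.example.com", "A"): ["192.0.2.200"],   # has an A record but no MX record
    ("_spf.example.net", "TXT"): [["v=spf1 redirect=p140.example.net"]],
    ("p140.example.net", "TXT"): [["v=spf1 ip4:198.51.100.0/24 -all"]],
    ("example.org", "TXT"): [["v=spf1 mx -all"]],
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["203.0.113.1"],
}

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: limit on DNS-querying terms


def lookup(name, rtype):
    """Resolver stand-in over the constructed table."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain):
    """Concatenate each TXT record's strings and return the v=spf1 one, or None."""
    for strings in lookup(domain, "TXT"):
        txt = "".join(strings)
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def expand(domain, warnings, lookups=None):
    """Return the ip_network objects a domain's SPF record permits ('+' terms),
    following include: and redirect=. Diagnostics are appended to `warnings`."""
    lookups = [0] if lookups is None else lookups
    nets = []
    record = spf_record(domain)
    if record is None:
        warnings.append(f"{domain}: no SPF record")
        return nets
    redirect, has_all = None, False
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:            # other modifiers (exp=, unknown) carry no addresses
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            has_all = True
            continue
        if qualifier != "+":
            continue               # only '+' terms describe permitted senders
        if name in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(arg, strict=False))
            continue
        if name not in ("a", "mx", "include"):
            continue               # ptr/exists are not modelled here
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            warnings.append(f"{domain}: over {MAX_LOOKUPS} DNS lookups (permerror)")
            break
        target = arg or domain
        if name == "include":
            nets.extend(expand(target, warnings, lookups))
        elif name == "a":
            nets.extend(ipaddress.ip_network(a) for a in lookup(target, "A"))
        else:
            hosts = lookup(target, "MX")
            if not hosts:
                # RFC 7208: an mx term whose target has no MX records never matches.
                hint = " (it has an A record; was a: intended?)" if lookup(target, "A") else ""
                warnings.append(f"{domain}: mx:{target} has no MX records{hint}")
            for host in hosts:
                nets.extend(ipaddress.ip_network(a) for a in lookup(host, "A"))
    if redirect is not None and not has_all:   # redirect= is ignored when all is present
        lookups[0] += 1
        nets.extend(expand(redirect, warnings, lookups))
    return nets


def spf_permits(domain, ip):
    """True if `ip` falls inside a network permitted by `domain`'s SPF record."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expand(domain, []))


if __name__ == "__main__":
    notes = []
    for net in expand("example.com", notes):
        print(net)
    for note in notes:
        print("warning:", note)
```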

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-13 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Fri, 2018-02-09 at 22:22 +, Michael Wise via mailop wrote:
> It's being ... investigated.

4 days later - still probing an account here every 3 seconds.
40.97.0.0/16 is currently firewalled. In the last month I have not seen
any actual mail delivery from that block. Has anyone else seen real mail
delivery from that /16?




Re: [mailop] Issues With the way Google Groups unsubscribe is used in headers..

2018-02-07 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Thu, 2018-02-08 at 01:32 +, Brandon Long via mailop wrote:
> And this is a direct message from the list to the one attempting to
> unsubscribe?

Not sure about that one, but I have a very similar sample, DKIM signed
by work-web-press.20150623.gappssmtp.com


X-Spam-Checked-In-Group: emailss0@work-web.press
X-Google-Group-Id: 1064089360714
List-Post: , 
List-Help: ,
 
List-Archive: 
List-Unsubscribe: ,
 


That was sent to someone who has no google accounts of any sort, but the
URL redirects to a google login page.




Re: [mailop] Spam originating from Office 365

2018-02-06 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Mon, 2018-02-05 at 03:00 +, Shane Clay via mailop wrote:
> For our customers, the bulk majority of spam they actually receive
> (over 90% of what's delivered and more than 40% of what's blocked)
> nowadays comes from Office 365. Do others see these same trends?

The percentage is not that high here, but are you using something to
reject mail containing SFV:SPM ?  For example, spamassassin:

header OPOC X-Forefront-Antispam-Report =~ /SFV\:SPM/
score  OPOC 10




Re: [mailop] Anyone from Fasthosts.co.uk on here?

2018-01-25 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Wed, 2018-01-24 at 09:30 -0500, Al Iverson wrote:
> Smells like a Fasthosts misconfiguration from here.

If they are doing ip queries against the DBL for all connections, they
will be refusing all incoming email. One might think that would be
quickly noticed and corrected. Perhaps they only do those queries for
some subset of the inbound mail.




[mailop] anyone from emaildl.att-mail.com ?

2017-09-29 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=emaildl.att-mail.com;


From:  "AT&T"
Subject:  AT&T Customer Awareness: Equifax Breach


You might want to change that DKIM signature to use relaxed/relaxed. We
are seeing dkim=fail reason="signature verification failed" on those
messages.




Re: [mailop] amusing dns failure, pgsurveying.com

2017-08-31 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Thu, 2017-08-31 at 12:00 +0200, David Hofstee wrote:
> Interesting setup. What do you mean by 'clever'? Because I am not sure
> what this setup will gain them.

Sorry, that was a bit of snark. This setup gains them nothing - but it
does randomly break their spf record. I doubt that is what they want.




Re: [mailop] Google NS servers listed in Spamhaus

2017-08-18 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Thu, 2017-08-17 at 14:11 +, Andrew Wingle wrote:
> Anyone else encountering this mess? It came to light due to a
> SpamAssassin rule "Contains an URL's NS IP listed in the SBL blocklist
> [URIs: googleapis.com]." Any message using "googleapis.com" (used for
> fonts) is showing up as a proxy listing.

Yes. I removed those listings with a local bind rpz zone.

*.32.239.216.zen.spamhaus.org   CNAME   .
*.34.239.216.zen.spamhaus.org   CNAME   .
*.36.239.216.zen.spamhaus.org   CNAME   .
*.38.239.216.zen.spamhaus.org   CNAME   .

My sendmail dnsbl milter also looks for URL hostnames with NS ip
addresses on the SBL (actually zen).




[mailop] exacttarget vs amazon.com dmarc/dkim

2017-07-31 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Amazon.com asks that mail with header from: of amazon.com that fails
dkim should be quarantined.

dig _dmarc.amazon.com txt +short
"v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-
repo...@bounces.amazon.com; ruf=mailto:dmarc-repo...@bounces.amazon.com;


ExactTarget is sending such mail with a dkim key that is not published
in DNS.

dig 200608._domainkey.amazon.com txt +short




Re: [mailop] hetzner and the btinternet.com blacklist

2017-07-11 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Tue, 2017-07-11 at 19:50 +, John Levine wrote:

> Doesn't matter -- the "transparent" filters force all of the
> connections to the provider's filtering host, so if there's a TLS
> connection, it terminates at the filtering host.

That sort of proxy will break some of your outbound mail if your mail
server checks for DNSSEC/TLSA records, and the recipient domain has
published those. Try sending mail to comcast.net from such a connection.
Of course, using mail software that uses the TLSA records.


dig comcast.net mx +short
5 mx2.comcast.net.
5 mx1.comcast.net.

dig _25._tcp.mx1.comcast.net tlsa +short
3 1 1 90E2F742B459860C0BBF1343B5A36BC5842A3F45056D30BF25DBB475 A62ECA47


But the provider can still count the number of outbound TCP SYN packets
to port 25.




[mailop] AOL temp failing (some?) .pdf attachments

2017-07-05 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

We are getting one of:

421 4.2.1 Dragnet Timeout
421 4.2.1 "Service unavailable. Please try again later."

sending a .pdf attachment to a verizon.net user. Other mail to that
address is being accepted by the AOL servers.




Re: [mailop] dkim signature failures sendmail/opendkim

2017-06-11 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Fri, 2017-05-26 at 18:38 +0300, Vladimir Dubrovin wrote:
> In most cases, DKIM check fails because message was improperly
> formatted and was normalized by MTA before sending after DKIM
> signature is applied.

We changed the mail flow so the path looks like:

MUA -> sendmail with SMTP AUTH for outbound relaying
-> sendmail w/ opendkim signing
-> outbound targets

The dkim failures shown on aggregate reports have almost completely
disappeared. One or more of the common mail user agents is clearly
sending slightly malformed mail, which sendmail is fixing after signing.

It would be nice if sendmail had an option to override *all* the fixups,
but that could easily cause more problems. In particular, receiving
8BITMIME over ESMTP, but relaying to a mail server that only supports
SMTP which needs 8->7 conversion.





Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Fri, 2017-05-26 at 17:09 -0400, valdis.kletni...@vt.edu wrote:
> How many of the user agents are running on non-servers that don't have
> NTP?

Does that matter? The dkim signature (with t=) is generated on the mail
server, which has the proper time.




Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Fri, 2017-05-26 at 18:38 +0300, Vladimir Dubrovin via mailop wrote:
> - Lines longer than 998 octets (unicode character takes few octets)
> - Missed Date:, Message-ID: or another required header
> - Unencoded 8-bit character in the header
> - Malformed From: header (with missed domain e.g. From: mailer-daemon
> or with unescaped special characters)
> - Invalid line termination (e.g. LF instead of CRLF)
> - Missed CRLF at the end of the message
> Last 2 are important if you have "simple" canonization for message
> body (use relaxed).

> DKIM can also fail due to clock skew, if you have t= in DKIM-
> Signature.

Yes, we have t= in the signature, but all the servers have clocks
corrected by NTP. We are using relaxed/relaxed canonization.

I should have mentioned that all this mail is generated by a wide
variety of user agents (Outlook, Thunderbird, various iThings, etc). It
is all normal corporate 1-1 individual mail - not transactional stuff
generated by some web form.

I doubt anyone but me is using Evolution, but I have not been able to
reproduce any of the dkim failures using that.


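A pre-signing lint for the malformations listed in the quoted reply above (over-long lines, missing Date:/Message-ID:, raw 8-bit octets in headers, a domainless From:, bare LF and a missing final CRLF), as an added example that is neither the author's nor opendkim's code; the two sample messages are constructed.

```python
"""Lint a message for defects that make an MTA normalize it after DKIM signing.
Added example, not the author's or opendkim's code; sample messages are constructed."""
import re

REQUIRED_HEADERS = {"from": "From", "date": "Date", "message-id": "Message-ID"}
MAX_LINE_OCTETS = 998          # RFC 5322 section 2.1.1, excluding the CRLF


def lint_message(raw):
    """Return a list of problems found in `raw` (the message as bytes)."""
    problems = []
    bare_lf = len(re.findall(rb"(?<!\r)\n", raw))
    if bare_lf:
        problems.append(f"{bare_lf} line(s) end in bare LF instead of CRLF")
    if not raw.endswith(b"\r\n"):
        problems.append("message does not end with CRLF")
    lines = re.split(rb"\r?\n", raw)
    for number, line in enumerate(lines, 1):
        if len(line) > MAX_LINE_OCTETS:
            problems.append(f"line {number} is {len(line)} octets (limit {MAX_LINE_OCTETS})")
    # The header block ends at the first empty line.
    try:
        header_end = lines.index(b"")
    except ValueError:
        header_end = len(lines)
    header_lines = lines[:header_end]
    for number, line in enumerate(header_lines, 1):
        if any(octet > 127 for octet in line):
            problems.append(f"header line {number} contains unencoded 8-bit octets")
    # Unfold continuation lines so each header is one entry.
    headers = []
    for line in header_lines:
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1] += b" " + line.strip()
        else:
            headers.append(line)
    names = {h.split(b":", 1)[0].strip().lower() for h in headers if b":" in h}
    for key, label in REQUIRED_HEADERS.items():
        if key.encode() not in names:
            problems.append(f"missing {label}: header")
    for h in headers:
        if h.lower().startswith(b"from:"):
            value = h.split(b":", 1)[1].decode("ascii", "replace").strip()
            match = re.search(r"<([^>]*)>", value)
            addr = match.group(1) if match else value
            if "@" not in addr:
                problems.append(f"From: address {addr!r} has no domain")
    return problems


# Constructed well-formed message.
GOOD_MESSAGE = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: bob@example.net\r\n"
    b"Date: Fri, 26 May 2017 10:00:00 +0000\r\n"
    b"Message-ID: <20170526100000.1@example.com>\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"hello\r\n"
)

# Constructed message showing every defect in the list at once: bare LF,
# domainless From:, raw UTF-8 in a header, missing Date: and Message-ID:,
# an over-long body line and no final line ending.
BAD_MESSAGE = (
    b"From: mailer-daemon\n"
    b"Subject: caf\xc3\xa9\n"
    b"\n"
    + b"x" * 1000 + b"\n"
    + b"no trailing newline"
)


if __name__ == "__main__":
    for problem in lint_message(BAD_MESSAGE):
        print(problem)
```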

[mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Using sendmail with opendkim for signing mostly works, but I have a few
domains with dmarc p=reject, and looking at the aggregate reports, I am
seeing some dkim=fail, spf=pass on a small amount of mail going to
google, comcast, etc. The aggregate reports show that mail is signed
with the right selector (default._domainkey.lynchexhibits.com).

lynchexhibits.com mail leaving ns27.routerdog2.com.

I have been unable to reproduce this by sending test messages to my
google test account. It may not be specific to sendmail/opendkim, since
I also see the same infrequent errors with another domain:

mbmg-media.com mail leaving *.outbound.protection.outlook.com.

Of course, that mail was never touched by sendmail/opendkim.

Any ideas for debugging this?




Re: [mailop] SPF record

2017-05-21 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Sun, 2017-05-21 at 12:02 -0500, frnk...@iname.com wrote:
> Same here -- many of my customers, for example those who go to O365,
> aren't aware of the implications when they add Microsoft's suggested SPF
> record, and then wonder why some emails (originated from a non-O365
> system) aren't being received.  Fortunately our helpdesk is very attuned
> to these issues and can suggest tweaks to their SPF record to resolve
> the issue.

https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

MS apparently thinks the SPF failures caused by forwarding are less
important than the human failures caused by receiving forged mail.

The cynic might think their commercial interests are advanced by such
forwarding failures, adding pressure to move more clients into O365.




Re: [mailop] Many SPF failures lately

2017-05-19 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Fri, 2017-05-19 at 03:49 -0500, frnk...@iname.com wrote:
> Most well-known culprit is Travelocity and their flight change
> notifications.

The only travelocity mail I see here is from
traveloc...@ac.travelocity.com via 192.161.140.0/24. Are the flight
change notifications from some other system?

ac.travelocity.com CNAME -> travelocity.neolane.net
travelocity.neolane.net TXT -> redirect p140.neolane.net
p140.neolane.net TXT "v=spf1 ip4:192.161.140.0/24 -all"

Even if spf fails, we would accept those based on the DKIM signature by
ac.travelocity.com which is listed in our local policy database.




Re: [mailop] Speaking of too many SPF, Many SPF failures lately

2017-05-18 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Thu, 2017-05-18 at 08:53 -0700, Luis E. Munoz wrote:
> > It looks not bad, successive lookups to 3 parts.. and they all look
> > good. Don't like this part of course.. include:sharepointonline.com
> >
> > ip4:52.104.0.0/14

> Right there!

Anyone hosting mail on office 365 will probably have an spf that
includes spf.protection.outlook.com which lists 40.92.0.0/14




Re: [mailop] Come on protection.outlook.com, don't send me messages even you think are SPAM

2017-05-01 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Sat, 2017-04-29 at 00:01 -0700, Mark Milhollan wrote:
> But some have an X-Forefront-Antispam-Report header with SFV:SPM which
> has been said is their indicator of a message they consider to be
> SPAM.

Yes, and we take MS at their word, and via SA flatly reject such
messages (at least for users that have spam filtering contexts that
include our standard SA setup).

/etc/mail/spamassassin/local.cf

header OPOC_LEAKING X-Forefront-Antispam-Report =~ /SFV\:SPM/
score  OPOC_LEAKING 10.0


Zero complaints so far about missing messages.




[mailop] dmarc failure reports

2017-04-17 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

We are receiving aggregate reports, and I am trying to diagnose some
intermittent failures. So I added ruf=, but we have not received any
failure reports. Do any of the large providers (aol, yahoo, gmail, etc)
send failure reports? Perhaps I have something misconfigured.

_dmarc.lynchexhibits.com




Re: [mailop] Spammers mining SPF records (of all things)

2017-03-13 Thread Carl Byington

On Sat, 2017-03-11 at 19:19 -0500, Rich Kulawiec wrote:
> I'm not saying they're not doing it: of course they are.  I've done
> some manipulation of WHOIS and DNS records in order to track it, so
> I've got proof in hand.  I'm sure others do as well.  I'm just saying
> that it's not one of the more productive approaches.

But selling the list is probably productive. Spam sample from sparkpost:


IP: mta589b.sparkpostmail.com :::52.37.207.53
HELO: mta589b.sparkpostmail.com

From: DownloadWhois.com 
Subject: WHOIS DataBase Special For 72 Hours

Whois Database Special for the Months of January & February 2017

Get the entire whois database for the Month of January or February
2017 for ONLY $25.00 each

Regular Price - $99.95 each

Did you know that the big registrars and hosting companies
sends millions of emails every day to customers of other
registrars and hosting companies to switch over.

This is the best kept secret on how these Big Registrars get bigger.

Download newly registered domain names and whois for the
entire Month of January or February for ONLY $25.00 each






[mailop] some pphosted (proofpoint) outbound mail failing dkim validation

2017-01-21 Thread Carl Byington

About 10% of the mail from invista.com is failing validation. That mail
has two signatures, from invista.com and kochind.onmicrosoft.com.
Either both signatures validate, or they both fail. It seems there is
something in the pphosted mail flow that is breaking some of those
signatures.

The same error is there for other *.onmicrosoft.com signatures,
including Fox news FNN.onmicrosoft.com, although that one is failing
about 30% of the time.

Are other folks seeing the same validation failures?




Re: [mailop] Many spams from *.outbound.protection.outlook.com

2016-12-04 Thread Carl Byington

On Thu, 2016-12-01 at 18:40 -0500, Matt Vernhout wrote:
> Also seeing a ton from this Mail From Domain:
> workexact.onmicrosoft.com

In November 2013, this was discussed here. At that time, I put in an
rpz/bind override such that (locally) *.onmicrosoft.com simply does not
exist. Of course that totally stopped that spam flow here. In the last
three years, we added 6 exceptions to that for various clients.

The logs for the last month don't show any mail here from
*.onmicrosoft.com. It looks like MS managed to stop that leak.




Re: [mailop] Anyone from Yahoo - icmpv6 filtering breaks login.yahoo.com MTU detection

2016-11-19 Thread Carl Byington

On Fri, 2016-11-18 at 16:52 -0500, valdis.kletni...@vt.edu wrote:
> And you identified that the problem was at Yahoo, and not one or more
> of the hops between the far end of your tunnel and Yahoo, how,
> exactly?

Taking the top 1000 sites from Alexa, for those domain names $n where
www.$n has at least one AAAA record $ip, and where "nmap -6 -Pn -p 443
$ip" shows that something seems to be running https there, we try

echo -e 'GET / HTTP/1.0\n' | \
openssl s_client -servername www.$n -ign_eof -connect "[$ip]:443"


In general, even if the TLS certificate is small enough to fit into
about 1500 bytes, the home page is almost always larger than that. So
something in that request would result in the server trying to send a
large packet, getting an icmpv6 "too big", and resending with a smaller
MSS.

Of the 220 sites identified above, 218 of them manage to see the icmpv6
packet and respond by resending with a packet that makes it thru the
tunnel. I suspect that packets from at least one of those 218 sites goes
thru many of the same systems as the packets from login.yahoo.com.

https://www.mega.nz and https://www.1fichier.com seem to have the same
icmpv6 filtering issue.




Re: [mailop] Anyone from Yahoo - icmpv6 filtering breaks login.yahoo.com MTU detection

2016-11-18 Thread Carl Byington

On Fri, 2016-11-18 at 15:41 -0500, valdis.kletni...@vt.edu wrote:

> Did you do anything to specifically identify Yahoo's routers as the
> offenders?

> Hint: If there's a tunnel in the path, it will be *your* end of the
> tunnel
> that sends back the "can't frag" ICMP.  So the filtering is happening
> somewhere
> between your end of the tunnel and you.

This happens very early in the TLS handshake. The tcp (syn,syn-ack,ack)
handshake works; my system sends a 286 byte TLS client hello, and the
response to that will be a bunch of full size packets from Yahoo with
the certificate, etc. The *far* end of my tunnel will be sending the
icmpv6 "packet too big" back to Yahoo.




[mailop] Anyone from Yahoo - icmpv6 filtering breaks login.yahoo.com MTU detection

2016-11-18 Thread Carl Byington

https://login.yahoo.com

If you have IPv6 connectivity thru a tunnel, with a smaller MTU, that
will fail. With a 1500 byte MTU, it works. The TCP handshake works - it
then hangs during the TLS handshake which sends full size packets.

echo -e 'GET / HTTP/1.0\n' | \
openssl s_client -servername login.yahoo.com -ign_eof -connect \
'[2001:4998:c:e33::50]:443'

Please stop filtering icmpv6 packets going to your servers.




[mailop] Anyone from cableone.net here?

2016-07-12 Thread Carl Byington

I am trying to resolve

550 5.7.1 [C10] RBL restriction: Blacklisted by Internal Reputation
Service - 208.88.52.226




Re: [mailop] deprecating rc4 & ssl3

2016-05-16 Thread Carl Byington

On Mon, 2016-05-16 at 16:07 -0700, Brandon Long via mailop wrote:

> The numbers are small enough that we're not doing any mitigation,
> there is no fall back on ssl negotiation failure, there is no
> whitelist of hosts we will allow these protocols from.

Thank you! It makes it much easier for us to do the same - when folks
complain we can say - well, you cannot deliver mail to google either -
fix your system.

On a related topic, are you doing any fallback to plain text on DH key
length? What is the minimum DH key length you require for mail? Our
systems currently require 1024 bit keys, but will fallback to plain text
after 8 hours. The delay encourages folks to upgrade their DH keys, but
I have not seen such a fallback in the last few weeks.




[mailop] amazon vs starttls

2016-05-05 Thread Carl Byington

relay=amazon-smtp.amazon.com. [207.171.189.228], dsn=4.0.0,
stat=Deferred: 421 #4.4.5 Too many TLS sessions at this time

So amazon accepts the inbound port 25 connection, advertises starttls in
response to ehlo, and then complains when we try to use tls. What, you
don't have enough cpu power to run tls on all your inbound connections,
even with your amazon cloud?




Re: [mailop] DNS Errors for Microsoft Hostnames

2016-05-02 Thread Carl Byington


> For it to be blocked as spam, the system must have seen many copies...
> I guess enough people are sending out DCC hashes that enough of them
> added up and the direct email was blocked?

Apparently so; unless some recipient is marking the list as spam. I
think the following is correct:

The dcc clients report fuzzy hashes and a recipient count to the dcc
servers. If the recipient count is 'many', that effectively marks that
message as bulk for all other users of the dcc.

That message was marked as 'many', rather than some smaller recipient
count in the thousands.




Re: [mailop] DNS Errors for Microsoft Hostnames

2016-05-02 Thread Carl Byington

On Thu, 2016-04-28 at 21:56 +, Michael Wise wrote:
> So is the FORMERR ... just the resolver noting that EDNS is not
> supported?

Yes.

> If so, I'm uncertain of the issue.

> We don't use EDNS here, so that's what the "our" servers should be
> doing, yes?

Yes. I don't think the MS dns servers are doing anything wrong. I rather
suspect it is something in the dns client that is sometimes getting
tripped up on the combination of short TTLs on a server that does not
support edns.


> Traffic to a mailinglist is scored with DCC?

That would be me. The mailing list servers are whitelisted here for this
list, but the MS servers are not. So the direct copy went thru the DCC
filtering.




Re: [mailop] DNS Errors for Microsoft Hostnames

2016-04-28 Thread Carl Byington

On Thu, 2016-04-28 at 20:57 +, Michael Wise wrote:
> If the "Aware" flag expired, would best practice not be to check that
> first rather than presuppose that the facility does exist?

The check for "edns aware" involves sending the query with edns
extensions. If the reply is formerr (or possibly others?), then you can
remember that this server does not understand edns, and repeat the query
without it.

If you just do the first query without edns, there is no mechanism to
then learn that that server does indeed understand edns.




Re: [mailop] DNS Errors for Microsoft Hostnames

2016-04-28 Thread Carl Byington

On Thu, 2016-04-28 at 20:01 +, Michael Wise wrote:
> " All this is stating is that DNS++ does not support RFC 2671 EDNS
> protocol extensions.
> " DNS++ is responding per the RFC by sending the FORMERR back to the
> requestor.  I believe this is OK.  Maybe we don't understand the
> issue?

> DNS++ is apparently what we're using on our end.
> Is this behavior not according to the RFC?

;; ANSWER SECTION:
pitt-edu.mail.protection.outlook.com. 10 IN A   207.46.163.247
pitt-edu.mail.protection.outlook.com. 10 IN A   207.46.163.215
pitt-edu.mail.protection.outlook.com. 10 IN A   207.46.163.138

;; ANSWER SECTION:
ns1-proddns.glbdns.o365filtering.com. 30 IN A   65.55.169.42
ns1-proddns.glbdns.o365filtering.com. 30 IN A   207.46.100.42
ns1-proddns.glbdns.o365filtering.com. 30 IN A   207.46.163.143


Many dns servers cache the "edns aware" state of authoritative server,
but that cache entry might expire with the 30 second ttl above. And the
pitt-edu A record would also have expired then. So on the next lookup,
the recursive resolver might try talking edns, and need to repeat the
query without edns. Combined with the short TTL, that might be enough to
cause operational problems.

However, it looks like all your customers *.mail.protection.outlook.com
are setup the same way, with the same short TTLs. So if this is really a
DNS compatibility issue (possibly between DNS++ and Bind), I would
expect a LOT more failures.

Of the folks having problems delivering to (for example) pitt-edu, it
would be interesting to know the exact version of the recursive dns
resolver used by their outbound mail server.


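Added example, not code from the thread and not from BIND, Unbound or DNS++: the EDNS probing described in the two posts above (send the query with an OPT record, treat FORMERR as "this server does not speak EDNS", remember that for a while, repeat the query plain, and re-probe once the memory expires) as a small simulation with a wire-format query builder, a fake non-EDNS authority and a resolver. The 30 second lifetime of the "no EDNS" mark, the names ns1.example and mx.example and the 203.0.113.7 answer are constructed; real resolvers use their own timers.

```python
"""How a recursive resolver probes EDNS and falls back on FORMERR.

Added example: a minimal DNS query builder, a fake authoritative server
that answers any query carrying an OPT record with FORMERR, and a resolver
that marks the server "no EDNS" for a while, retries without EDNS, and
re-probes after the mark expires.  The 30 s lifetime, the names and the
answer address are constructed for the example.
"""
import struct
import time

TYPE_A, TYPE_OPT = 1, 41
RCODE_FORMERR = 1
NO_EDNS_MARK_TTL = 30   # constructed lifetime of the "server lacks EDNS" mark


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, edns=True, txid=0x1234):
    """Standard recursive query; with edns, an OPT pseudo-RR (RFC 6891) is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0) if edns else b""
    return header + question + opt


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer
            return off + 2
        off += 1 + length


def legacy_server(query):
    """Authority that predates EDNS: FORMERR on any packet carrying an OPT RR."""
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", query[:12])
    question = query[12:skip_name(query, 12) + 4]
    if arcount:
        return struct.pack("!HHHHHH", txid, 0x8180 | RCODE_FORMERR, 1, 0, 0, 0) + question
    # constructed A record with a 10 second TTL, like the dig output in the thread
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, 10, 4) + bytes([203, 0, 113, 7])
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_response(resp):
    """Return (rcode, [A record addresses])."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4
    addrs = []
    for _ in range(ancount):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            addrs.append(".".join(str(b) for b in resp[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, addrs


class Resolver:
    """Keeps a per-server 'no EDNS until <time>' mark, as recursive resolvers do."""

    def __init__(self, send, clock=time.monotonic):
        self.send, self.clock, self.no_edns_until = send, clock, {}

    def lookup(self, name, server):
        now = self.clock()
        use_edns = self.no_edns_until.get(server, 0.0) <= now
        sent = [use_edns]
        rcode, addrs = parse_response(self.send(server, build_query(name, edns=use_edns)))
        if use_edns and rcode == RCODE_FORMERR:
            # Remember that this server rejects EDNS, then repeat the query plain.
            self.no_edns_until[server] = now + NO_EDNS_MARK_TTL
            sent.append(False)
            rcode, addrs = parse_response(self.send(server, build_query(name, edns=False)))
        return rcode, addrs, sent


def simulate():
    """Three lookups: probe+retry, then one plain query, then a fresh probe after expiry."""
    clock = [0.0]
    servers = {"ns1.example": legacy_server}
    resolver = Resolver(lambda srv, q: servers[srv](q), clock=lambda: clock[0])
    first = resolver.lookup("mx.example", "ns1.example")    # [EDNS -> FORMERR, plain]
    clock[0] += 10
    second = resolver.lookup("mx.example", "ns1.example")   # mark still valid: [plain]
    clock[0] += 25                                          # t = 35 s, mark has expired
    third = resolver.lookup("mx.example", "ns1.example")    # [EDNS -> FORMERR, plain] again
    return first, second, third


if __name__ == "__main__":
    for rcode, addrs, sent in simulate():
        print("rcode", rcode, addrs, "queries:", ["edns" if e else "plain" for e in sent])
```

The third lookup is the point of the simulation: once the "no EDNS" mark and the short A record TTL have both expired, every cold lookup costs two round trips again, which is the extra latency and the extra failure opportunity the thread is worried about.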


Re: [mailop] DNS Errors for Microsoft Hostnames

2016-04-28 Thread Carl Byington

On Thu, 2016-04-28 at 11:41 -0700, Steve Atkins wrote:
> Looks like (some of) the Microsoft authoritative servers are confused
> by dnssec.

> ~ ? dig +dnssec @ns1-proddns.glbdns.o365filtering.com pitt-
> edu.mail.protection.outlook.com

confused by edns:

dig pitt-edu.mail.protection.outlook.com +edns
@ns1-proddns.glbdns.o365filtering.com

;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'



See https://ednscomp.isc.org/compliance/summary.html




Re: [mailop] Should I be disappointed with Reflexion?

2016-04-14 Thread Carl Byington

On Tue, 2016-04-12 at 13:48 -0700, Steve Atkins wrote:
> It's also possible that Reflexion is just sending terribly structured
> mail that "looks like" spam - not unusual amongst companies who build
> their own mail software - but I'd need to see the mail they're sending
> before judging that.

I just asked reflexion to send me an encrypted mail to test some of
this.

They indeed send an email with an embedded link asking the user to go to
a web site to retrieve the actual content. But they don't send any
password in the email. I needed to "register" with them by picking my
own password, and could then read the mail. So anyone that can intercept
that first message owns that mail address as far as reflexion is
concerned. Also anyone that can guess what password the user picked.

This particular message expires in two weeks, so presumably anyone that
grabs an entire mailbox won't be able to see very old messages, even if
they know the key.

It was dkim signed, but dkim=fail reason="key not found in DNS". It was
signed with s=default d=securemail.reflexion.net, so that should be

dig default._domainkey.securemail.reflexion.net txt +short

if I have done that correctly.


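Added example, not code from the post or from any DKIM library: the step the post does by hand, parsing the DKIM-Signature tags, building the <s>._domainkey.<d> name a verifier queries, and classifying what the TXT lookup returned, which is where a dkim=fail reason="key not found in DNS" comes from. d=securemail.reflexion.net and s=default are quoted from the post; the rest of the signature and the key records in the lookup tables are constructed.

```python
"""From a DKIM-Signature header to the DNS name a verifier must fetch.

Added example: parses the tag=value list of a DKIM-Signature (RFC 6376),
derives <selector>._domainkey.<domain>, and classifies a TXT answer.
Only d= and s= are quoted from the post; everything else is constructed.
"""
from typing import Dict, Optional


def parse_tags(value: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value'.  Whitespace inside values (folded b=) is dropped."""
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def selector_name(sig_tags: Dict[str, str]) -> str:
    """The TXT record name for a signature: <selector>._domainkey.<signing domain>."""
    missing = [t for t in ("s", "d") if not sig_tags.get(t)]
    if missing:
        raise ValueError(f"DKIM-Signature lacks required tag(s): {', '.join(missing)}")
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def key_status(txt: Optional[str]) -> str:
    """Classify a selector TXT answer the way a verifier reports it."""
    if txt is None:
        return "key not found in DNS"
    key = parse_tags(txt)
    if key.get("v", "DKIM1") != "DKIM1":          # v= is optional, but must be DKIM1 if present
        return "unsupported key record version"
    if not key.get("p"):                           # an empty p= means the key was revoked
        return "key revoked"
    return "ok"


def check_signature_key(header_value: str, dns_txt: Dict[str, Optional[str]]):
    """Return (queried name, status) for a signature against a lookup table."""
    name = selector_name(parse_tags(header_value))
    return name, key_status(dns_txt.get(name))


# Constructed signature; only d= and s= match the post.  bh= and b= are not real digests.
SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=securemail.reflexion.net; s=default;\n"
    "\th=from:to:subject:date:message-id; bh=SGVsbG8gd29ybGQ=;\n"
    "\tb=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "\t MDEyMzQ1Njc4OQ=="
)
# Constructed DNS tables: no record at all, a usable record, and a revoked one.
SELECTOR = "default._domainkey.securemail.reflexion.net"
DNS_MISSING: Dict[str, Optional[str]] = {}
DNS_PRESENT = {SELECTOR: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholder"}
DNS_REVOKED = {SELECTOR: "v=DKIM1; k=rsa; p="}

if __name__ == "__main__":
    for table in (DNS_MISSING, DNS_PRESENT, DNS_REVOKED):
        print(check_signature_key(SIG, table))
```

The b= value is folded across two header lines in the sample on purpose: the tag parser has to strip that folding whitespace or the signature bytes will not decode, and the same strip is harmless for d= and s=, which is what makes the derived selector name reliable.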


Re: [mailop] Should I be disappointed with Reflexion?

2016-04-14 Thread Carl Byington

On Thu, 2016-04-14 at 12:56 -0400, Henry Yen wrote:
> >   6. If the information is of particularly high value, look at what
> the more competent end of banks and other financial institutions do to
> add trust

> Both Chase bank (jpmchase) and Barclays bank send me emails with
> direct links in them, from a bigfootinteractive mailserver. Does that
> violate these three suggestions?

Yes. I have never seen a bank that did otherwise, so per Steve Atkins I
have never seen a competent (wrt email) bank. Every bank for which I
have email samples does the same - they are training their users to be
phished. And that training seems to be working.




Re: [mailop] Gmail red open padlock composing message

2016-04-02 Thread Carl Byington

On Sat, 2016-04-02 at 11:42 -0500, frnk...@iname.com wrote:
> Anyone aware of email servers that take the approach that CloudFlare
> has, which is not allow the lowest common denominator or cleartext to
> be used if there's a better/more-secure cipher, but still support the
> old stuff (in CloudFlare's case, SHA-1) if that's all it can do?

> https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/

I think that is "server preference" for the cipher ordering.

https://github.com/jvehent/cipherscan

For example, gmail (on incoming mail) supports RC4-MD5 over ssl3, and
they also have the server control the cipher ordering. But please, why
do they prefer RC4-MD5/TLS1.2 over ECDHE-RSA-AES256-GCM-SHA384/TLSv1.2
?? I don't understand that. Google might know that the only clients that
ask for rc4-md5 don't support anything better.

My notes say that Outlook 2011 on Mac OSx needs sslv3/rc4-sha.

Sendmail with a modern openssl:

LOCAL_CONFIG
dnl enable sslv3 on the server side for RC4-SHA
O CipherList=...whatever you want
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

We support sslv3 on incoming connections, but not on outgoing
connections.



> I think most would agree it's better to accept receiving email from
> Exchange servers using RC4 than clear text, but that we should be
> aiming for TLSv1.1 or greater.


I agree.



Re: [mailop] Gmail rate limit

2016-04-01 Thread Carl Byington

On Sat, 2016-04-02 at 09:58 +1000, Ted Cooper wrote:
> Is this another one of those fun DNSSEC issues? I'm not particularly
> good at reading these, but it looks like the PTR lookup is denied
> existence at 136.in-addr.arpa.

> http://dnsviz.net/d/250.119.243.136.in-addr.arpa/dnssec/

I don't think so.

136.in-addr.arpa is signed. The nsec stuff is proving that
119.243.136.in-addr.arpa does NOT have a DS record, so that part of the
arpa tree is unsigned/insecure.

Google 8.8.8.8 (a resolver that does dnssec validation) agrees:

dig 250.119.243.136.in-addr.arpa ptr @8.8.8.8 +short
web11.kk-software.de.




[mailop] yahoo feedback loop signup?

2016-03-28 Thread Carl Byington

I am trying to help a very small isp with a yahoo.com delivery issue.
They are getting "421 4.7.0 [TS02] Messages from 208.88.52.225
temporarily deferred - 4.16.56.1; see
http://postmaster.yahoo.com/errors/421-ts02.html" errors.

Volume is less than 50 total messages per day going to yahoo.com
addresses. Clients use their own domain names.

https://help.yahoo.com/kb/account/yahoo-complaint-feedback-loop-service-faq-sln26007.html
says "For bulk commercial senders or senders
of transactional mail, DomainKeys or DKIM is the best option. ISPs
should contact Yahoo for other options.", but gives no contact address
for an ISP. Is that a mistake? Is the Yahoo feedback loop only available
for folks that DKIM sign outbound mail?





Re: [mailop] Google DNS Servers not returning results for Hotmail today?

2016-03-07 Thread Carl Byington

On Mon, 2016-03-07 at 22:44 +, Tony Bunce wrote:
> I'm far from a DNSSEC expert but I think the issue is with the entire
> 65.in-addr.arpa zone.  I can reproduce the issue on any PTR record
> inside of 65.0.0.0/8.

Yes, arin.net failed to renew the dnssec signatures on 65.in-addr.arpa.
They have expired, and anyone behind a dnssec enforcing resolver can no
longer see ptr records in that tree.




Re: [mailop] New method of blocking spam

2016-01-22 Thread Carl Byington

On Fri, 2016-01-22 at 09:01 -0700, Brielle Bruns wrote:
> I'm trying to find that checklist that the spam fighting regulars used
> to post whenever someone is all excited about their end-game to spam
> filtering...   Anyone remember a URL for it?

Possibly http://www.rhyolite.com/anti-spam/you-might-be.html




Re: [mailop] IBM SPF vs smtp.notes.na.collabserv.com

2016-01-08 Thread Carl Byington

On Fri, 2016-01-08 at 16:39 +, John Levine wrote:
> They publish -all and it makes sense.

dig paypal.com txt +short | grep spf

"v=spf1 include:pp._spf.paypal.com include:3ph1._spf.paypal.com
include:3ph2._spf.paypal.com include:3ph3._spf.paypal.com
include:3ph4._spf.paypal.com include:c._spf.ebay.com ~all"


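Added example, not code from this post, from the Office 365 SPF post near the top of the page, or from any SPF library: a small SPF evaluator over a constructed inline DNS table, with no network access. It follows include: chains the way the paypal.com record above does, counts the DNS-querying mechanisms that RFC 7208 caps at ten, reports the qualifier on the final all (the -all vs ~all point of this post), and says whether a sender IP passes, which makes the earlier point visible: anyone whose record includes spf.protection.outlook.com authorises every sender in 40.92.0.0/14. spf.protection.outlook.com and 40.92.0.0/14 are quoted from that post; all other domains and records are constructed, and the outlook record here is a one-line stand-in for the real one.

```python
"""Expand an SPF record and see which networks it really authorises.

Added example: include: chains are followed through a constructed DNS
table, DNS-querying mechanisms are counted against the RFC 7208 limit,
and a sender IP is checked.  Only spf.protection.outlook.com and
40.92.0.0/14 are quoted from the thread; the rest is constructed.
"""
import ipaddress

MAX_DNS_LOOKUPS = 10
RESULT_OF = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def flatten(domain, dns, lookups=None):
    """Return (networks, all_qualifier, lookup_count) for domain's record.

    networks is a list of (qualifier, ip_network).  Only the pass ('+')
    networks of an included record are carried up, because include:
    matches only when the included record returns pass; the included
    record's own 'all' qualifier does not propagate.  a/mx/ptr/exists are
    counted toward the lookup limit but not resolved in this example.
    """
    lookups = [0] if lookups is None else lookups
    nets, all_qualifier = [], None
    for term in parse_spf(dns[domain]):
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            all_qualifier = qualifier
            break                       # terms after all are never evaluated
        if mech in ("ip4", "ip6"):
            nets.append((qualifier, ipaddress.ip_network(arg, strict=False)))
        elif mech in ("include", "a", "mx", "ptr", "exists"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                raise ValueError("permerror: more than 10 DNS-querying mechanisms")
            if mech == "include":
                inner, _, _ = flatten(arg, dns, lookups)
                nets.extend((qualifier, net) for q, net in inner if q == "+")
        # modifiers such as exp= and unknown mechanisms are ignored here
    return nets, all_qualifier, lookups[0]


def check_sender(ip, domain, dns):
    """SPF result for a sender IP: pass, fail, softfail or neutral."""
    addr = ipaddress.ip_address(ip)
    nets, all_qualifier, _ = flatten(domain, dns)
    for qualifier, net in nets:
        if addr.version == net.version and addr in net:
            return RESULT_OF[qualifier]
    return RESULT_OF.get(all_qualifier, "neutral")   # a record with no 'all' yields neutral


# Constructed lookup table.
DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.hoster.example -all",
    "lax.example": "v=spf1 include:_spf.hoster.example ~all",
    "_spf.hoster.example": "v=spf1 ip4:198.51.100.0/24 include:spf.protection.outlook.com ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/14 -all",   # stand-in, not the real record
}

if __name__ == "__main__":
    nets, all_q, count = flatten("example.com", DNS)
    print(f"{count} DNS lookups, all={all_q}, networks={[str(n) for _, n in nets]}")
    for ip in ("192.0.2.9", "40.93.1.1", "203.0.113.5"):
        print(ip, check_sender(ip, "example.com", DNS), check_sender(ip, "lax.example", DNS))
```

Running it shows the two things the thread is about: 40.93.1.1 passes for example.com purely through the include chain, and the same unlisted sender gets fail from example.com but only softfail from lax.example, because the hoster's ~all never propagates upward; only the domain's own final all decides.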


[mailop] android 5.0.2, sendmail, starttls, custom CA

2015-10-13 Thread Carl Byington

Does anyone have Android 5.0.2 clients talking to sendmail with
starttls, using a mail server certificate signed by a custom CA? Our
custom CA certificate is installed in the device, and the inbound imap
side (dovecot) trusts the server certificate. The outbound smtp side
(sendmail) fails with:

STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0

Is there some cipher order that is needed for Android 5.0.2?

Other Android versions, in particular 5.1, work properly.

mail3.mbmg-media.com
http://www.five-ten-sg.com/util/ca510.cert.pem




Re: [mailop] Apple, iPhone setup, attempts SSL on port 587

2015-07-31 Thread Carl Byington

Robert Mueller wrote:
> Are you absolutely sure this is happening on port 587?

Yes.

> Is there anything else logged before or after this from the same IP
> (maybe get a tcpdump)? Does it actually attempt plaintext + STARTTLS
> upgrade after the direct TLS/SSL connection fails?

Yes. This is an iPhone 5 MD658LL/A running iOS 8.4 12H143. Full details
at:

http://www.five-ten-sg.com/mapper/blog/iphone
http://www.five-ten-sg.com/mapper/blog/

tl;dr - During setup, the phone will attempt a raw SSL connection to
port 587 on the mail server. That probe may trigger adaptive firewalls
and result in the phone losing all connectivity to the mail server.

My guess is that Apple simply changed their probe of port 465 to a probe
of port 587 without realizing those two ports run different protocols.
465 (obsolete) starts with a raw binary SSL handshake; 587 starts in
ascii text mode with an optional (via STARTTLS) transition to binary.

Note that the phone never probed port 465, which is good.



Dave Warren da...@hireahit.com wrote:

> What domain? It's possible that there was some autodiscovery DNS
> records (or hard-coded server names in Apple's database) that is
> misconfigured.

The client is a user on tesley.org - the mail server used in the test
above was mail4.five-ten-sg.com. The phone never made any autodiscovery
or SRV or TLSA queries.




Re: [mailop] Blog: Logjam, Openssl and Email Deliverability

2015-06-24 Thread Carl Byington

On Thu, 2015-06-25 at 00:09 +0100, Brandon Long wrote:
> Not in front of a computer to check if we see failures like this, but
> we (google) stopped falling back to unencrypted connections 2y ago.

> This had an impact on a small number of misconfigured sites.

Does google have strength limits on the DH key size like openssl? In
particular, will gmail deliver to a server with a 512 bit DH key? I no
longer have access to such a machine for testing since we upgraded all
the DH keys.

