Re: [mailop] Strange mail delivery from microsoft

2023-06-19 Thread Klaus Ethgen via mailop
On Tue, 20 Jun 2023 at 3:21, Ángel via mailop wrote:
> > I blame them by using a big amount of IPs to deliver mails even for
> > the same mail and for giving a host for malicious hosts that try to
> > get spam out. I blame them also for doing connections that are
> > absolutely not needed and a waste of bandwidth.
> 
> Microsoft spreading their connection attempts through a large amount of
> IP addresses seems precisely suited for someone limiting the number of
> connections/mails by IP, as you are doing.

Well, it is for a reason. Microsoft is one of the most prominent spam
senders. I don't want that they try to deliver mar...@ethgen.ch or
k...@ethgen.ch, they do not exist as well as all that other spammers.

Unfortunately there are few people who still have their main mail on
hotmail. Otherwise I would block them completely as I do with
digitalocean.

> > Moreover, the mail server is a low traffic server so 10/hour should be
> > ok for the most delivery systems.
> 
> I get 2-4 mails from 40.92.*  **per day**

I get even less. But I have major connections from them trying to deliver
spam.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


signature.asc
Description: PGP signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] [EXTERNAL] Re: Strange mail delivery from microsoft

2023-06-19 Thread Klaus Ethgen via mailop
On Mon, 19 Jun 2023 at 21:55, Michael Wise via mailop wrote:
> If you're using GreyListing, know that a given email will not be coming from 
> the same IP address twice.
> 
> The outgoing IP address is randomized for ... reasons.

I substitute "no".

That is absolutely ignorant to tell the people that you do mail in a
broken way and tell them it is for a reason, you don't want to tell.

At the same time being one of the biggest spam providers.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C




Re: [mailop] Strange mail delivery from microsoft

2023-06-18 Thread Klaus Ethgen via mailop
On Mon, 19 Jun 2023 at 6:33, Hans-Martin Mosner via mailop wrote:
> I'm inclined to repeat what I said before: If your setup breaks mail
> consistently, it's likely your setup that's to blame. Others seem to be able
> to receive Outlook mail just fine. Microsoft didn't ask you to implement an
> arbitrary connection rate limit,

Well, they do some kind. They host attacking hosts.

Moreover, the mail server is a low traffic server so 10/hour should be ok
for the most delivery systems.

> blaming them for your inability to receive
> mails from their customers isn't really appropriate. There are enough actual
> faults Microsoft can be blamed for :-)

I blame them by using a big amount of IPs to deliver mails even for the
same mail and for giving a host for malicious hosts that try to get spam
out. I blame them also for doing connections that are absolutely not
needed and a waste of bandwidth.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C




Re: [mailop] Strange mail delivery from microsoft

2023-06-18 Thread Klaus Ethgen via mailop
I have an update.

Greylisting was not the problem I had/have with microsoft. Due to
ongoing attacks (especially also from big clouds like microsoft) I have
a limit of 10 connections per IP and hour. That seems not enough for
microsoft to deliver 1 or 2 mails per day reliably.

What a shitty provider!

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C




[mailop] Strange mail delivery from microsoft

2023-06-18 Thread Klaus Ethgen via mailop
Hi,

I have tightened my firewall a bit and seen many attacks from Microsoft
(40.92.0.0/16). They contact once from an IP and then never again. If I
greylist them, they will try to deliver from a different address which
gets greylisted again and so on.

Could you please tell me how to handle that broken mail delivery? It
triggers all, my mailserver attack filter as well as greylisting.

Unfortunately I have some contacts on hotmail. Otherwise I would not
care about it.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
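
The retry pattern described in this message, replayed against a small greylist keyed on the exact client IP, on its /24 and on its /16. This is an added example, not part of the original post; the class, the addresses inside 40.92.0.0/16, the mail addresses and the 300-second delay are constructed assumptions.

```python
import ipaddress


class Greylist:
    """Minimal greylist: defer the first attempt for a key, accept a retry
    for the same key once `delay` seconds have passed."""

    def __init__(self, prefix_len=32, delay=300):
        self.prefix_len = prefix_len   # 32 = key on the exact IPv4 address
        self.delay = delay
        self.first_seen = {}           # key -> timestamp of the first attempt

    def _key(self, client_ip, sender, recipient):
        # Collapse the client address to its covering network before keying.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        key = self._key(client_ip, sender, recipient)
        first = self.first_seen.setdefault(key, now)
        return "accept" if now - first >= self.delay else "defer"


# Constructed sample: one message retried every 10 minutes, each attempt
# arriving from a different (made-up) address inside 40.92.0.0/16.
ATTEMPTS = [
    (0,    "40.92.18.31"),
    (600,  "40.92.74.102"),
    (1200, "40.92.255.9"),
    (1800, "40.92.41.77"),
]
SENDER, RCPT = "friend@hotmail.example", "user@example.org"


def replay(prefix_len):
    """Run all attempts through a fresh greylist and return the verdicts."""
    gl = Greylist(prefix_len=prefix_len)
    return [gl.check(ip, SENDER, RCPT, t) for t, ip in ATTEMPTS]


if __name__ == "__main__":
    for plen in (32, 24, 16):
        print(f"/{plen}:", replay(plen))
```

With exact-IP or /24 keys every attempt looks like a first contact and is deferred; only a key as wide as the sending pool lets the retry through.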




Re: [mailop] Microsoft/O365 SPF failures

2022-01-20 Thread Klaus Ethgen via mailop
Hi,

thanks for the info.

On Thu, 20 Jan 2022 at 19:52, joemai...@nym.hush.com wrote:
> That is intentional/by design.
>
> The source is inside 40.95.0.0/16 which is their "relay pool". It is 
> documented here - 
> https://docs.microsoft.com/microsoft-365/security/office-365-security/high-risk-delivery-pool-for-outbound-messages.
> Scroll down to the relay pool subheader and read up more about it.

That means, Microsoft is intentionally breaking mail.

> Hope this helps.

Well, as I am not the sender but the recipient, no, it does not.

When it is not part of SPF pool and they have '-all' in SPF record, then
the mail could not be delivered.

Only Microsoft is blamable for breaking it and only they can fix it.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C




[mailop] Microsoft/O365 SPF failures

2022-01-20 Thread Klaus Ethgen via mailop
Hi,

For several weeks now I have seen more and more SPF errors for mails coming
from O365. It seems that when mails get relayed, they use outbound mail
servers that are not valid for sending from the (relaying, not origin)
mail address.

My O365 account where I have relaying active is an academic account.

The last failure comes from IP 40.95.92.45 and is trying to deliver
mails from klaus_eth...@stud.phzh.ch (my academic account).

   > spfquery -ip 40.95.92.45 -sender klaus_eth...@stud.phzh.ch
   fail
   Please see http://www.openspf.org/Why?id=klaus_ethgen%40stud.phzh.ch&ip=40.95.92.45&receiver=spfquery : Reason: mechanism
   spfquery: domain of stud.phzh.ch does not designate 40.95.92.45 as permitted sender
   Received-SPF: fail (spfquery: domain of stud.phzh.ch does not designate 40.95.92.45 as permitted sender) client-ip=40.95.92.45; envelope-from=klaus_eth...@stud.phzh.ch;

It is pretty impudent of microsoft to write in the delivery failure:
   It's likely that only the recipient's email admin can fix the
   problem. Unfortunately, it's unlikely Office 365 Support will be able
   to help with these kinds of externally reported errors.

No, it IS solely the fault of Microsoft not being able to manage SMTP
correctly.

Any ways to get them to correct their SMTP setup?

Regards
   Klaus

Ps. Could it be, that http://www.openspf.org/Why is broken? I get
connection refused.
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C




Re: [mailop] Digital Ocean spoofing activity

2021-08-11 Thread Klaus Ethgen via mailop
Hi,

I used to block OVH and DO, not only because of mail abuse but because of
a bad reputation of hosting many botnets.

Unfortunately I always find other networks of theirs that are not in my
blocklist.

Does anybody have a complete list of IP ranges relating to OVH and DO?

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C




Re: [mailop] DMARC reports - was Re: New server email being treated as spam by Google

2020-11-22 Thread Klaus Ethgen via mailop
On Sun, 22 Nov 2020 at 13:56, Andrew C Aitchison wrote:
> 1 That isn't what a DMARC report tells you.
> The report tells you:
>  a) that Google are receiving messages claiming to be from you,
>  b) when others are mailing google user and faking that you sent it, and
>  c) if genuine mail from you fails the DMARC checks.

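Ok, here is the last:

   <feedback>
     <report_metadata>
       <org_name>google.com</org_name>
       <email>noreply-dmarc-supp...@google.com</email>
       <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
       <report_id>12460447340488768949</report_id>
       <date_range>
         <begin>1605916800</begin>
         <end>1606003199</end>
       </date_range>
     </report_metadata>
     <policy_published>
       <domain>ethgen.ch</domain>
       <adkim>s</adkim>
       <aspf>s</aspf>
       <p>quarantine</p>
       <sp>quarantine</sp>
       <pct>100</pct>
     </policy_published>
     <record>
       <row>
         <source_ip>5.9.7.51</source_ip>
         <count>2</count>
         <policy_evaluated>
           <disposition>none</disposition>
           <dkim>pass</dkim>
           <spf>pass</spf>
         </policy_evaluated>
       </row>
       <identifiers>
         <header_from>ethgen.ch</header_from>
       </identifiers>
       <auth_results>
         <dkim>
           <domain>ethgen.ch</domain>
           <result>pass</result>
           <selector>mail</selector>
         </dkim>
         <spf>
           <domain>ethgen.ch</domain>
           <result>pass</result>
         </spf>
       </auth_results>
     </record>
   </feedback>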

Everything passes and is ok. But the mail was in spam.

(I can only guess whether it refers to the mail I sent as they don't give
any reference to the mail.)

> 2 Google are not spamming you; you asked for those reports, and can stop
> asking for them by removing your address from your DMARC DNS records.

I only ask for mails going to quarantine but from the report, the mail
is normally delivered.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
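
Reading the fields of an aggregate report like the one quoted in this message, as an added example that is not part of the original post. The metadata and the first record reuse the values shown above (contact fields left out); the second record, from 192.0.2.10, is constructed for contrast, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Metadata and the first <record> carry the values quoted in the message
# above; the second <record> (192.0.2.10) is constructed for contrast.
REPORT = """\
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>12460447340488768949</report_id>
    <date_range><begin>1605916800</begin><end>1606003199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>ethgen.ch</domain><adkim>s</adkim><aspf>s</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>5.9.7.51</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>ethgen.ch</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><disposition>quarantine</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>ethgen.ch</header_from></identifiers>
  </record>
</feedback>"""


def _utc(ts):
    """Epoch seconds (as text) to an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()


def summarise(xml_text):
    """Return the reporting period, published policy and one dict per record."""
    root = ET.fromstring(xml_text)
    rng = root.find("report_metadata/date_range")
    rows = []
    for rec in root.findall("record"):
        ev = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # Action taken under the DMARC policy: none / quarantine / reject.
            "disposition": ev.findtext("disposition"),
            # DMARC passes if at least one aligned mechanism passed.
            "dmarc_pass": "pass" in (ev.findtext("dkim"), ev.findtext("spf")),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "begin": _utc(rng.findtext("begin")),
        "end": _utc(rng.findtext("end")),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


if __name__ == "__main__":
    s = summarise(REPORT)
    print(s["reporter"], s["begin"], "to", s["end"], "p=" + s["policy"])
    for r in s["rows"]:
        print(r)
```

The report covers one UTC day and counts messages per source IP; `disposition` is the only field describing what was done with them, and it records the DMARC policy action.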




Re: [mailop] New server email being treated as spam by Google

2020-11-22 Thread Klaus Ethgen via mailop
Hi Paul,

I have had the same problem for years. Even more, I get dmarc messages from
google that everything passes but the mails are delivered to the spam box.

I resigned. There is nothing one can do to get mails delivered not to
spam. Maybe you have to bribe google or such. I don't know.

When I send mail to people who are on google, I usually send an SMS at
the same moment for them to look into the spam folder.

Google is a very bad competitor in e-mail business. Even microsoft is
not that bad.

I have had these problems for a long time now. I implemented dmarc and dkim
to get the problem solved. But it didn't help. Moreover, it broke some
mailing lists I am subscribed to.

In the beginning, Google was delivering my mail to spam for no reason. Now
the mails are delivered to spam AND google is spamming me with dmarc
reports that everything is fine.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C




Re: [mailop] Google and Spam detection

2020-07-25 Thread Klaus Ethgen via mailop
Hi Phil,

many thanks for your very helpful explanation.

Just a few comments...

On Fri, 24 Jul 2020 at 20:40, Phil Pennock via mailop wrote:
> With a poor IP-based reputation, you need to see if you can score a
> better domain-based reputation.  This is where DKIM comes into play:
> once you can provably link a message to really be from a given domain,
> then even if you don't send much mail you can benefit from stuff like
> "not on day-old-bread domain-lists".  But having DKIM and then a DMARC
> record does help (and I'm no fan of DMARC).

I will give it a try. Even though I am no fan either. ;-)

> For the mail-server's TLS: for that to count in your favor instead of
> being a wash, I strongly suspect that it needs to be a certificate which
> senders can verify.  For those people scoring up for "better TLS", those
> senders using DANE will be happy with a TLSA record in DNSSEC for your
> CACert anchor.

I already implemented that. At least for my .ch domains; the .de domain
is registered with hetzner and even though my DNS is configured to add
DNSSEC to it, I am unable to configure the glue in the hetzner GUI.

Unfortunately the Lookaside Validation is not in use anymore so I have
no way to use DNSSEC with my .de domain.

> At that point, CACert is not going to cut it.  You'd need to
> try Let's Encrypt instead.

I will never, never ever use Let's Encrypt! They did destroy every left
over of trust you could ever have in the whole CA system.

The fact that Let's Encrypt certificates are only valid for 3 months
makes it impossible to check the cert manually every time you use that
site. And I would not trust any CA, not Let's Encrypt, nor others.
CACert was the only one that has earned SOME trust but given the nature
of the CA system that any rotten CA out there can issue a certificate
for your domain, I cannot trust the CA system at all.

DNSSEC is and was the answer that could ever solve the misery but it is
actively denied by the big players, first and foremost mozilla with firefox
making it even impossible for the tlsa check addon to still work. It
would in fact help a lot if browsers would start using DNSSEC but I
think mozilla (and the others) have a high interest that this secure
solution will die. It would be the death of all those rotten CAs out
there.

By the way, you find TLSA records not only for my mail server but also
for my web addresses.

Finally, yea, I could install that tool to issue a new cert every month
with Let's Encrypt. But I don't like to give that company the control
over my working system.

So, no, I will never, never ever use Let's Encrypt at all!

>+ avoid `-all` at the end because with the sole exception of "this
>  domain never sends email" records, it tends to be a sign of
>  over-enthusiasm and counts slightly against you;

That is something that I do not understand. This is the only
legitimisation of SPF to have a -all at the end. Otherwise SPF has no
use at all.

>+ remember to have an SPF record for your HELO hostname, because when
>  you send a "bounce" rejection, this is the thing which will be
>  looked up (since there's no domain in `<>`).

A good measure is to never send bounces out of your system. If you
would need to send bounces, don't accept the mail in the first place.

Every bounce could be misused for backscatter. And I have seen a lot of
that shit.

>  * Seeing if you can get your IP onto one of the open DNS-based
>allow-lists (also called "whitelists" but some folks are moving away
>from that term), such as  or Spamhaus's SWL.

Side note, I use the marketing tags there on the whitelist as blacklist.
I will never accept marketing mails so it is a pretty good measure.
   header     RCVD_IN_DNSWL_SPAM  eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.15\.\d+')
   describe   RCVD_IN_DNSWL_SPAM  Selftagged Marketing mailer
   score      RCVD_IN_DNSWL_SPAM  10.00

>  * If your communications base includes people using OpenPGP with email,
>then set up WKD to publish PGP keys for your domain too.  This is
>just a fixed schema for laying out keys for HTTPS retrieval.

There is a different system to have the cert in DNS (secured with
DNSSEC):
   host -t cert 4iwmtum663r8xnewtn7ugkdixws1d1n8._pka.ethgen.ch

>  * The moment you start specifying "must be TLS-secured" it's worth
>adding CAA records into DNS, so that CAs which are broadly trusted
>will refuse to issue for your domain unless you list them.

That CAA record is broken from the beginning and an idiotic measure altogether.
If you don't implement DNSSEC, you cannot trust it and if you DO
implement DNSSEC, there is no need for it, just use TLSA.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Re: [mailop] Google and Spam detection

2020-07-24 Thread Klaus Ethgen via mailop
On Fri, 24 Jul 2020 at 15:51, Michael Peddemors via mailop wrote:
> We have found that the FIRST thing you need to do is put a sane SPF record
> in place for IPv4 traffic.. This has resolved the issue for most of the
> cases we have seen for clients.

Not the issue. The SPF is fully correct.

I debugged with Bjørn Bürger (thanks for helping) and found out that the
error is "weist große Ähnlichkeit zu früheren Spam Nachrichten auf". As
I never sent spam at all, it seems that this google crap is a
self-fulfilling oracle.

I think it might have happened that in the past hetzner (my hosting provider)
was in some blacklist. That might have been a reason for past mails to end
in the spam folder. Now, given how stupid most gmail users are (present
excluded), I think that they just read the mail in the spam folder and
deleted it or just kept it there. As a result, now all new
mails end in spam too.

And I am afraid that there is nothing I can do to solve that. :-(

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


signature.asc
Description: PGP signature
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Google and Spam detection

2020-07-24 Thread Klaus Ethgen via mailop
Hi,

On Fri, 24 Jul 2020 at 14:20, Faisal Misle via mailop wrote:
> I also strongly recommend you start signing with DKIM. You may not have had a 
> use for it, but now you do.

I did it now and fell into all the mistakes one could make.
- First I tried out an ed25519 key. That worked very fast but it seems to
  be not that widely supported.
- Well fine, let's create an RSA 4096. But why the hell is my Bind
  stopping to resolve the zone!? It seems that it is not possible to
  create lines longer than 255 bytes. You have to concatenate them with
  spaces in between. Well, how good that bind does write such good log
  messages. (NONE!!!)

GRML

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
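
The 255-byte limit this message ran into applies to each character-string inside a TXT record, so a long DKIM key is published as several quoted strings that verifiers join with nothing in between. The following is an added example, not part of the original post; the owner name under example.org, the TTL and the placeholder key are constructed assumptions.

```python
import re

LIMIT = 255  # maximum length of one character-string inside a TXT record


def split_txt(value, limit=LIMIT):
    """Split an ASCII TXT value into character-strings of at most `limit` bytes."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def zone_record(owner, value, ttl=3600):
    """Render a multi-string TXT record in zone-file syntax."""
    if '"' in value or "\\" in value:
        # Neither character belongs in a DKIM key record; refuse rather than escape.
        raise ValueError("unexpected quote or backslash in TXT value")
    strings = "\n".join(f'        "{s}"' for s in split_txt(value))
    return f"{owner} {ttl} IN TXT (\n{strings} )"


def as_seen_by_verifier(record):
    """Join the quoted strings with no separator, as a DKIM verifier does."""
    return "".join(re.findall(r'"([^"]*)"', record))


# Constructed placeholder with the length of a base64-encoded RSA-4096
# public key (736 characters); it is not a real key.
FAKE_P = "QUJD" * 184
VALUE = "v=DKIM1; k=rsa; p=" + FAKE_P
RECORD = zone_record("mail._domainkey.example.org.", VALUE)

if __name__ == "__main__":
    print(RECORD)
    print([len(s) for s in split_txt(VALUE)])
```

The whitespace between the quoted strings exists only in the zone file; the value a verifier reassembles is byte-for-byte the unsplit one.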




Re: [mailop] Google and Spam detection

2020-07-24 Thread Klaus Ethgen via mailop
On Fri, 24 Jul 2020 at 15:34, Thomas Hochstein via mailop wrote:
> In my experience, most problems concerning mail delivery
> to Google disappear as soon as you deliver mail over ipv4
> (instead of ipv6).

I knew about that issue. But my mail server is still IPv4 only so no
issue for me.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C




[mailop] Google and Spam detection

2020-07-24 Thread Klaus Ethgen via mailop
Hi folks,

Recently, I heard often that my mails to friends on gmail ended up in
spam.

As my mails are always plain text, signed by PGP and coming from a mail
server that I can assure is never sending spam or even a high amount of
mails, that is not in any blacklist, I wonder, what makes google
believe that my mails should be in spam? (On the other hand, they leave
clear spam sent by amavis, mailchimp or others in the inbox.)

Is there anything I can do to prevent google from hiding the mails from my
friends?

Ah yes, before you ask, I have a strong SPF record, my mailserver forces
encryption (with a cacert certificate) but I didn't implement DKIM as I
see no use for it.

I have been doing mail for a long time now but it is a mystery to me what
google is doing wrong here. As a private person with a low traffic mail
server I also do not have the power to negotiate this with google.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C

