Re: [mailop] Liking our research guys tools.. just sharing an interesting spammer method.. (att. MailChimp as well)

2022-07-29 Thread Matt Gilbert via mailop 
Hi Michael,

We're taking a look at this regarding the signup form. I've found a couple 
accounts related to that "blankventures" subdomain which we'll investigate, but 
if you could share the full form URL with me off-list that would help our 
investigation efforts.

Thanks,
Matt Gilbert
Deliverability Engineer
matthew.gilb...@mailchimp.com

> On Jul 26, 2022, at 5:21 PM, Michael Peddemors via mailop  
> wrote:
> 
> Interesting spammer technique.. One of our researcher's tools tends to find 
> this guy every time he fires up.. In general, this guy comes and goes in 
> spurts..
> 
> (ask off list for sample domains, or more details than provided)
> 
> Generally, all his domains are registered about 15-20 days before his spam 
> run using NAMECHEAP, and he likes using various hosting companies, known for 
> more liberal policies.
> 
> He/They start off with a simple spam run, that looks like an affiliate 
> spammer, eg.. (paraphrase) you win something from a big brand retailer, which 
> sends the lure link.. That lure link uses a 'dynserv.org' URL, which 
> translates to a GoDaddy registered domain..
> 
> That gets translated to a domain that points to a OVH customer (one which has 
> a known history of spamming, share offlist), and the file that is retrieved 
> is a simple JS file link..
> 
> That link is hosted on a GoDaddy server..
> 
> host 68.178.244.182
> 182.244.178.68.in-addr.arpa domain name pointer 
> ip-68-178-244-182.ip.secureserver.net
> 
> Interesting, they use blank.com for this.. hits a 301, assume it redirects 
> based on the GEO of the victim, or other metric, to finally load a page, 
> which is simply a MAILCHIMP sign-up form..
> 
> Interesting way to gather 'opt-in' email addresses ;)
> 
> \
>\ action="https://blankventures.us14.list-manage.com/subscribe/... .
> 
> 
> I leave it to the reader to judge what is going on here..
> 
> Of course, without access to the actual servers involved, a little hard to 
> DOX the operator of this, or whether the 'blankventures' is really involved, 
> or simply a victim of a 'we get you subscribers' service, or whether the 
> redirect sends them over here just to hide their real intentions if you were 
> their target..
> 
> But of course, he burns IP space reputation really quickly.. note, the 
> hosting companies SHOULD be able to see this type of customer for what they 
> are, if they cared.. but giving them /29's all the time, doesn't take long 
> before all your IPs are dirty..
> 
> Hope you enjoyed the read..
> 
> -- 
> "Catch the Magic of Linux..."
> 
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> 
> 604-682-0300 Beautiful British Columbia, Canada
> 
> This email and any electronic data contained are confidential and intended
> solely for the use of the individual or entity to which they are addressed.
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company.
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Interesting question from a team member, MX chaining, list-manage.com

2022-07-01 Thread Matt Gilbert via mailop 
Hi y’all,

Thanks for bringing this up! It looks like this is an oversight from an old 
setup that hadn't been updated rather than being intentional. We’ll get that 
updated so that there’s a proper MX record host for list-manage.

--
Matt Gilbert
Deliverability Engineer
matthew.gilb...@mailchimp.com

> On Jul 1, 2022, at 9:44 AM, Bill Cole via mailop  wrote:
> 
> On 2022-07-01 at 04:52:32 UTC-0400 (Fri, 1 Jul 2022 09:52:32 +0100)
> Laura Atkins via mailop 
> is rumored to have said:
> 
>>> On 30 Jun 2022, at 22:00, Michael Peddemors via mailop  
>>> wrote:
>>> 
>>> I know this doesn't look professional, but the question from the team 
>>> member does this contravene any rules or best practices.
>>> 
>>> list-manage.com
>>> 
>>> This domain does not have any A records.
>> 
>> If there’s no website it doesn’t need an A record. Given how that particular 
>> domain is used there isn’t a lot of reason to host a website there.
> 
> Absolutely.
> 
>> 
>>> It has a single MX record pointed at:
>>> 
>>> mail.admin.mailchimp.com
>>> 
>>> That hostname exists, but it doesn't have an A RECORD.
>> 
>> Again, what’s the problem? Not every mailserver needs to have a 
>> corresponding website.
> 
> No, but every name that is used as a RHS in a MX record MUST have an A record 
> so sending SMTP clients know where to connect. The defining RFC for the MX 
> record (974) makes that explicitly clear, even before the days of formally 
> defined 'MUST' et al.
> 
> 
>>> It in turn has just a single MX Record.
>>> 
>>> inbound-mx1.mailchimpapp.net
>>> 
>>> Kind of a strange MX delegation.. I assume to avoid CNAME's
>>> 
>>> But it does seem very strange.  Comments anyone? I didn't have an answer 
>>> for him..
>> 
>> What’s so strange about it?
> 
> It won't generally work. It is specifically called out as wrong in a relevant 
> RFC.
> 
> RFC974 sayeth:
> 
> 
>   Implementors should understand that the query and interpretation of
>   the query is only performed for REMOTE.  It is not repeated for the
>   MX RRs listed for REMOTE.  You cannot try to support more extravagant
>   mail routing by building a chain of MXs.  (E.g. UNIX.BBN.COM is an MX
>   for RELAY.CS.NET and RELAY.CS.NET is an MX for all the hosts in .IL,
>   but this does not mean that UNIX.BBN.COM accepts any responsibility
>   for mail for .IL).
> 
> 
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] is caniuseapurchasedemaillist.com down?

2022-04-28 Thread Matt Gilbert via mailop 
Hi y'all!

My team has been happy to see that you have enjoyed the site. The old DO 
droplet had been decommissioned as part of other work, but we should have the 
replacement for caniuseapurchasedlist up soon.

Also, thank you for the alternate site Al, your version is very nice.


Thanks,
Matt Gilbert
Deliverability Engineer - Mailchimp

> On Apr 28, 2022, at 2:01 PM, John Levine via mailop  wrote:
> 
> It appears that Andrew C Aitchison via mailop  said:
>> On Wed, 27 Apr 2022, Simon Luger via mailop wrote:
>> 
>>> Hi
>>> 
>>> i need this page from time to time.
>>> 
>>> caniuseapurchasedemaillist.com
> 
> The http version returns 404, and the https version fails in any normal
> browser because it still is doing SSLv3.
> 
> This tells us that nobody has maintained that site in a very long time.
> 
> WHOIS says it belongs to Mailchimp, so perhaps someone could pass the word.
> 
> R's,
> John
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Interesting fallout from the FaceBook outage?

2021-10-08 Thread Matt Gilbert via mailop 
I wonder if the jump in DNS traffic was due to all the websites out there that 
have Facebook analytics tracking or other Facebook widgets installed. Then 
add-in all the mobile devices that have the Facebook app and other apps that 
include Facebook tracking. All that combined would be a lot of clients trying 
to resolve Facebook.com.


Regards,

Matt Gilbert
Deliverability Engineer - Mailchimp
matthew.gilb...@mailchimp.com


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-04-08 Thread Matt Gilbert via mailop 
Hi Florian,

Do you have this information posted anywhere online such as in a blog post or 
support article?

The information shared in this mailing list is a little disjointed and 
difficult to follow, so having an article that we can reference that includes 
the precise requirements you're establishing, and examples would be very 
helpful. Also, do you have a date for when you are going to begin enforcing 
this new policy?


Thanks,

Matt Gilbert
- Deliverability Engineer
- Mailchimp

> On Apr 6, 2021, at 5:36 AM, Florian.Kunkel--- via mailop  
> wrote:
> 
> !
> * to all those sending email without their very own static IP-Address,
> * and all newly set up MTA infrastructure
> ... especially ESPs using IP pools professionally for their numerous 
> customers' mail.
> !
> 
> As you might already have observed we are evaluating DKIM signatures 
> @t-online.de for a while now.
> We are starting to expect aforementioned IP infrastructure to have all 
> messages DKIM signed conforming DMARC, so header from and mail from must be 
> aligned.
> unsigned messages, unaligned or messages failing validation otherwise, will 
> be rejected while in SMTP session.
> 
> worst come first
> Expect this procedure to hit you the earlier, the more traffic we are already 
> used to reject from your infrastructure.
> 
> Do not expect DMARC reports anytime soon.
> Equally we won't check for DMARC policies at the moment; ... but p=reject 
> could become an option.
> 
> 
> Cheers
> 
> Florian
> E-Mail Engineering
> 
> Deutsche Telekom AG
> Deutsche-Telekom-Allee 9, 64295 Darmstadt, Germany
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Anyone else noticing comcast.net backing up....

2020-10-21 Thread Matt Gilbert via mailop 
We're seeing issues as well for both mx1 and mx2:

delivery temporarily suspended: lost connection with 
mx2.comcast.net[68.87.20.5] while receiving the initial server greeting
delivery temporarily suspended: connect to mx1.comcast.net[96.114.157.80]:25: 
Connection timed out


Thanks,

Matt Gilbert
Deliverability Engineer III, Mailchimp

> On Oct 21, 2020, at 2:07 PM, Russell Clemings via mailop  
> wrote:
> 
> Seeing a lot of this:
> 
> Connecting to mx1.comcast.net  [96.114.157.80]:25 
> ...  failed: Connection timed out (timeout=5m)
> Connecting to mx2.comcast.net  [68.87.20.5]:25 ...  
> connected
> H=mx2.comcast.net  [68.87.20.5]: Remote host closed 
> connection in response to initial connection
> 
> My guess is that mx1 is down and mx2 is struggling to pick up the extra load. 
> Mail does seem to get through after a couple of tries. I think there's a 
> Comcast person on the list so maybe we will hear something more definitive 
> soon.
> 
> 
> 
> 
> 
> On Wed, Oct 21, 2020 at 10:39 AM David Landers via mailop  > wrote:
> Yes, seeing a lot of timeouts and delayed mail for Comcast traffic in the 
> last few hours.
> 
> On Wed, Oct 21, 2020 at 12:34 PM Eric Tykwinski via mailop  > wrote:
> Seems like they are having some smtp issues, lots of timeouts on a few 
> servers I’ve checked.
> 
> Philadelphia, Montreal, and Paris so doesn’t seem regional.
> 
>  
> 
> Sincerely,
> 
>  
> 
> Eric Tykwinski
> 
> TrueNet, Inc.
> 
> P: 610-429-8300
> 
>  
> 
> ___
> mailop mailing list
> mailop@mailop.org 
> https://list.mailop.org/listinfo/mailop 
> 
> 
> 
> -- 
> David Landers
> Deliverability Operations Specialist | GROUPON
> dland...@groupon.com 
> ___
> mailop mailing list
> mailop@mailop.org 
> https://list.mailop.org/listinfo/mailop 
> 
> 
> 
> -- 
> ===
> Russell Clemings
> mailto:russ...@clemings.com>>
> ===
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] list bombing

2019-11-26 Thread Matt Gilbert via mailop 
I discussed this briefly with our Abuse Prevention team, but I’d love it if I 
could get some more info. Is Mailchimp signup email included in the spike you 
are seeing? If so would you mind sending me some examples so that I can share 
those with the Abuse Prevention team to make sure nothing is slipping through 
the cracks on our end?


Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com


> On Nov 25, 2019, at 1:07 PM, rps462 via mailop  wrote:
> 
> We've seen a big spike in list bombing in the last few weeks. Individual 
> mailboxes receiving 10k+ "confirm your subscription" emails, all from 
> legitimate ESPs. So we heavily rate limited them  thinking/hoping that ESPs 
> would see their queues build up, prompting them to look and see what wasn't 
> getting delivered, perhaps even detect the abuse and stop it!! (I know, I'm 
> dreaming.) 
> 
> List bombing isn't anything new. I figured most would have had something in 
> place to detect this by now. Perhaps a new technique is being used by the 
> abuser? These attacks are spread across hundreds of ESPs, but each individual 
> one is sending anywhere from 30 to 150 unique confirmation messages per hour 
> .. to the SAME rcpt. That should be pretty detectable.
> 
> Anyway, if you're an ESP and you find yourself being heavily rate limited by 
> one or more US/CA/EU ISPs then you might want to check for some list bombing 
> abuse.
> 
> Thanks,
> -R. Smith
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] list bombing

2019-11-26 Thread Matt Gilbert via mailop 
Hey Carl,

Thanks for noticing that. We’re going to get that header included in the 
signature shortly.


Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com


> On Nov 25, 2019, at 9:50 PM, Carl Byington via mailop  
> wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On Mon, 2019-11-25 at 10:32 -0800, Kurt Andersen (b) via mailop wrote:
>> Are you seeing any significant portion of these messages bearing the
>> Form-Sub header? (documented in https://tools.ietf.org/html/draft-
>> levine-mailbomb-header-01)
> 
> On a low volume mail server, the only messages I see with that header
> are also dkim signed by mail*.mcsignup.com. MailChimp are using
> 
> h=From:Reply-To:To:Date:Message-ID:Sender:Subject:MIME-Version: Content-
> Type;
> 
> So their signature does not include the Form-Sub: header, contrary to
> the recommendation in that draft.
> 
> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.14 (GNU/Linux)
> 
> iEYEAREKAAYFAl3cksAACgkQL6j7milTFsG9zQCdE6YkaHRj+a4I+79b/quTXZrc
> CsoAn1kB22Ss/Q34UIsR4zg7SIlheRC8
> =LF9o
> -END PGP SIGNATURE-
> 
> 
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Anyone from Mandrill/Mailchimp here?

2019-02-27 Thread Matt Gilbert via mailop 
Hi Mark,

My main intent with my response was simply to let y’all know that we are aware 
of and acting on the phishing. But, I’ll take a moment to address your response 
as well since you took the time to offer some tips.

We offer many or most of (or at least similar) features to what you’ve 
mentioned on a per-account basis within Mandrill. We’ve recommended MFA for 
user logins in both Mandrill and Mailchimp for years. There are also other 
anti-abuse mechanisms that sit above user accounts that are being tweaked to 
help address this as well. Obviously when we identify a compromised Mandrill 
account, in addition to disabling the API key, we strongly advise that they 
enable as many of the additional security features as practical to prevent 
future abuse.

Rest assured that we have some of the best security and anti-abuse people 
around working on this. We take any abuse of our systems and users very 
seriously.

Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com


> On Feb 27, 2019, at 4:07 PM, Mark Foster  wrote:
> 
> Forgive my ignorance, but for anything user-interactive, can you mandate
> MFA and/or comment on the viability and/or success in doing so?
> 
> For API interaction, can you mix both keys and credentials or use some
> other method for achieving similar ends?
> 
> What about other sorts of controls, (for example perhaps) geo-locking of
> user accounts and/or API interfaces so that their sudden use from another
> country is at least logged/flagged, if not blocked outright?
> 
> Obviously, generating spam via a compromised account is extremely common
> and makes mail systems accessible from anywhere very attractive; in the
> userspace we recommend MFA as a significant control for compromised
> credentials, i'll admit to being less familiar with the applicability of
> this approach for anything API driven.  But for a commercial mail-sending
> operation these sorts of controls would seem to becoming more and more
> relevant, as the impact of a reputation hit on your IP ranges, etc, is
> much more far-reaching than a private system?
> 
> Cheers
> Mark.
> 

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Anyone from Mandrill/Mailchimp here?

2019-02-27 Thread Matt Gilbert via mailop 
I realized I sent this to Paul, but forgot to CC the list. So I’m sending this 
again.

Hi Paul (et al),

Thank you for mentioning this. In the interest of being transparent, and 
because the folks here are more savvy to these types of issues, our anti-abuse 
team has been tracking a group of malicious actors who are using Mandrill user 
account credentials that were collected from outside of our systems to send the 
phishing mail you saw. The current batch of compromised accounts have been 
suspended until credentials are changed and secured, and we are monitoring for 
further cases. We are also proactively forcing password resets on any targeted 
Mailchimp users to ensure that these bad actors can’t gain access to the 
targeted victims. So don’t be surprised if you will need to reset your password 
for your Mailchimp account, Paul.

For the emails that had used our click tracking, we are breaking the 302 
redirects on our end, so that if a link is clicked it will error. But there are 
many that were sent that aren’t using our click tracking, and so we don’t have 
control over the links. For the cases where the phishing domain is using a 
cousin domain to Mailchimp, our legal team is also issuing takedowns with the 
web hosts.

Unfortunately, some mail is still able to slip through the net. We are also 
unable to identify these compromised accounts before the malicious mail is 
sent, because the Mandrill account credentials are being harvested from sources 
outside of our systems, so we have no insight into vulnerable accounts until 
there is abuse. Generally speaking we advise all users to secure their 
passwords and API keys, but sometimes mistakes are made, like posting an API 
key on a publicly shared GitHub repo.

I understand how frustrating this can be for you who have received one of these 
emails, and I personally thank you for keeping those tinfoil hats on tight.



Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Questions about Interia.pl deferrals

2019-01-08 Thread Matt Gilbert via mailop 
Yes, we are aware of the policy with many of the .pl ISPs. Without getting into 
too much detail here, I had questions/concerns that the current deferrals my be 
unrelated to those policies. Luckily, someone here (thank you) was able to 
forward my question to a contact at Interia, so hopefully I’ll hear something 
soon.


Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com


> On Jan 8, 2019, at 4:05 AM, Benjamin BILLON  wrote:
> 
> Hi Matt, 
>  
> I'm afraid this isn't a good news.
> This and other Polish ISPs are deferring emails on purpose, to encourage 
> senders to pay for delivery.
>  
> --
> Benjamin
> 
>  
> From: mailop  On Behalf Of Matt Gilbert via mailop
> Sent: lundi 7 janvier 2019 18:14
> To: mailop@mailop.org
> Subject: [mailop] Questions about Interia.pl deferrals
>  
> Hi Mailop!
>  
> I was hoping there was someone from Interia.pl here that could reach out to 
> me off list about an elevated deferral rate we’ve been seeing for a couple of 
> weeks.
>  
>  
> Thanks,
> Matt Gilbert
> --
> Deliverability Engineer | Mailchimp
> delivery.mailchimp.com <http://delivery.mailchimp.com/>
>  
> ___
> mailop mailing list
> mailop@mailop.org <mailto:mailop@mailop.org>
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop 
> <https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop>
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Questions about Interia.pl deferrals

2019-01-07 Thread Matt Gilbert via mailop 
Hi Mailop!

I was hoping there was someone from Interia.pl here that could reach out to me 
off list about an elevated deferral rate we’ve been seeing for a couple of 
weeks.


Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Just Make It Stop

2018-12-13 Thread Matt Gilbert via mailop 
Hi John,

I’m sorry to hear about your father. Feel free to send me his address off-list 
and I’ll get him taken care of.


Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com


> On Dec 13, 2018, at 1:19 PM, John Levine  wrote:
> 
> My elderly father is no longer able to handle his own e-mail, so I'm
> doing it.  He gets a mountain of junk mail, from every organization
> with which he has ever done business, from the local community theater
> to auto parts.
> 
> I don't want to close his mailbox because he gets useful mail such as
> the water bill and notices about doctors' appointments, and mail from
> actual human friends.  (We read him those.)  But he will never respond
> to e-mailed solicitations because he will never see them.  They're a
> pure waste of electrons, and of my time.  I've wasted a lot of time
> clicking a lot of opt-out links, and would prefer not to waste much
> more.
> 
> I can tell that the majority of the junk is from Mailchimp and
> Constant Contact, with a lot also from Sendgrid and Exact Target.
> Anyone I can contact there to Just Make It Stop?
> 
> R's,
> John
> 
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Expires SSL cert for mailop

2018-09-12 Thread Matt Gilbert via mailop 
Hey gang,

I was showing mailop to a new member of my team, and when I went to show them 
where to request signup to the list, I noticed that the SSL certificate has 
expired, which causes most (all?) current browsers to block the page loading. I 
figured you’d want to know.

> chilli.nosignal.org uses an invalid security certificate.
> The certificate expired on July 25, 2018, 7:59:59 PM GMT-4. The current time 
> is September 12, 2018, 9:21 AM.
> Error code: SEC_ERROR_EXPIRED_CERTIFICATE


Thanks,
Matt Gilbert
--
Deliverability Engineer | MailChimp
delivery.mailchimp.com


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop