Re: [mailop] Echospoofing

2024-08-01 Thread Michael via mailop
45.137.126.85, known spam source.. But yeah, Cloudmark is no longer the 
same quality as it used to be..


On 8/1/24 14:36, Mark Alley via mailop wrote:

On 8/1/2024 4:18 PM, Scott Q. via mailop wrote:

CloudFilter is Proofpoint, right ?

We still get tons of spam from them. Not sure if this is related to 
this echospoofing, but we just got a pretty big wave:


Received: from omta040.useast.a.cloudfilter.net 
(omta040.useast.a.cloudfilter.net [44.202.169.39])
by mx.emailarray.com (Haraka/2.8.21) with ESMTPS id 
6075B447-619F-4FE2-94FB-B6B586F92374.3
envelope-from
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 verify=FAIL);
Thu, 01 Aug 2024 16:19:30 -0400
Received: from eig-obgw-6009a.ext.cloudfilter.net ([10.0.30.184])
by cmsmtp with ESMTPS
id ZYIHspqDRnNFGZcGnsTR6p; Thu, 01 Aug 2024 20:19:29 +
Received: from cp-in-14.webhostbox.net ([103.50.162.147])
by cmsmtp with ESMTPS
id ZcGksNXf0oaMiZcGlsDN9r; Thu, 01 Aug 2024 20:19:28 +
X-Authority-Analysis: v=2.4 cv=deKG32Xe c=1 sm=1 tr=0 ts=66abedd0
  a=+OZ35jC+7F35rNibgVyYDA==:117 a=jZ5zol7y3lBdV6rxEGevAg==:17
  a=MKtGQD3n3ToA:10 a=yoJbH4e0A30A:10 a=5KLPUuaC_9wA:10 a=M51BFTxLslgA:10
  a=A4EqBspgoKYA:10 a=n9Fe_nV6:8 a=x8JhEuIrCajjPMggPtkA:9
  a=PEF53iIozS7NwpkX:21 a=_W_S_7VecoQA:10 a=lqcHg5cX4UMA:10
  a=xOl7BDxbbtdmDN2MprIA:9 a=HXjIzolwW10A:10 a=T6a71-JsGAwA:10
  a=wlHTxKAh8-WCeF7hZiUK:22 a=WVAGjVSKdBBTa5aWMILr:22 a=WIq2oDtJ_6PiUi2x2ys3:22
Received: from [45.137.126.85] (port=62285 helo=[185.198.243.176])
by cp-in-14.webhostbox.net with esmtpsa  (TLS1.2) tls 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.96.2)
(envelope-from)
id 1sZcGi-002goN-2w



Technically yes, that's Cloudmark (owned by Proofpoint) - but no, 
"Echospoofing" has nothing to do with Cloudmark at all.


To my knowledge, .pphosted.com (hosted Proofpoint enterprise mail 
clusters) were the primary affected targets.


- Mark Alley


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada


Re: [mailop] Best practices for VPS providers?

2024-07-15 Thread Michael via mailop

The best way is to address that in the egress router.
Most routers nowadays can raise alerts and triggers based on traffic, so 
simply create a router policy that sends an alert when too many TCP SYN 
packets from one IP attempt to connect to remote IPs on port 25.


You can do this for many different ports of course, including port 
465/587 etc.. to detect auth attacks from your VPS servers.


On 7/12/24 12:36, Mark E. Jeftovic via mailop wrote:


On 2024-07-12 2:21 PM, Marco Moock wrote:

Am 12.07.2024 um 10:57:15 Uhr schrieb Mark E Jeftovic via mailop:

Implement a policy that if big amounts of spam are going out you can
immediately block outgoing port 25.
Is there anything commonly used for monitoring the level of outbound 
SMTP? Or are vendors forcing all outbound through an egress server to 
scan everything, or home-rolling wireshark, tcpdump, web flo scripts?


You'd need to be able to break down which unit is generating the spam.

- mark

-
Mark E. Jeftovic 
Co-founder & CEO easyDNS Technologies Inc.
+1-(416)-535-8672 ext 225

/"Never expect a thing you do not want,
and never desire a thing you do not expect."
-- Bob Proctor /



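The egress-side trigger described above (too many outbound TCP SYNs to port 25, or to 465/587 for AUTH attacks, from one source within a window), written out as an added example that is not code from the thread or from any router vendor. It assumes flow records in a constructed one-line-per-flow text format of the kind a router trigger or NetFlow collector would hand over; the thresholds and the sample traffic are illustrative.

```python
"""Alert on bursts of outbound TCP SYNs to mail ports, per source IP.

Added example, not from the mailop thread. It assumes flow records in a
constructed text format, one flow per line:
    <epoch-seconds> <src-ip> <dst-ip> <dst-port> <tcp-flags>
roughly what a router trigger or a NetFlow collector would hand you.
Thresholds and sample traffic are illustrative.
"""
from collections import defaultdict

# Ports worth watching: 25 for outbound spam runs, 465/587 for AUTH attacks.
WATCHED_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

# Default per-window SYN thresholds; real values depend on what the VPS
# population legitimately does.
DEFAULT_THRESHOLDS = {25: 50, 465: 20, 587: 20}

# Constructed sample flows: 10.0.0.5 opens 120 port-25 connections in two
# minutes, 10.0.0.7 hammers the submission port, 10.0.0.9 is an ordinary host.
SAMPLE_FLOWS = "\n".join(
    [f"{1720000000 + i} 10.0.0.5 203.0.113.{i % 50} 25 S" for i in range(120)]
    + [f"{1720000000 + i} 10.0.0.7 198.51.100.{i % 20} 587 S" for i in range(80)]
    + [
        "1720000010 10.0.0.9 203.0.113.8 25 S",
        "1720000011 10.0.0.9 203.0.113.8 25 A",    # ACK only: not a new connection
        "1720000012 10.0.0.9 198.51.100.3 443 S",  # not a mail port
        "garbage line that a parser must survive",
    ]
)


def parse_flow(line):
    """Parse one flow line into (ts, src, dst, port, flags), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, flags = parts
    try:
        return int(ts), src, dst, int(port), flags
    except ValueError:
        return None


def count_syns(flow_text, window=60):
    """Return {(src, port): peak SYN count in any single window-second bucket}.

    Only flows carrying the SYN flag count, so an established connection's
    later packets do not inflate the number. Buckets are fixed (ts // window),
    which is the coarse counting a router policy does.
    """
    buckets = defaultdict(int)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, _dst, port, flags = rec
        if port not in WATCHED_PORTS or "S" not in flags:
            continue
        buckets[(src, port, ts // window)] += 1
    peaks = defaultdict(int)
    for (src, port, _bucket), n in buckets.items():
        peaks[(src, port)] = max(peaks[(src, port)], n)
    return dict(peaks)


def alerts(flow_text, thresholds=None, window=60):
    """Return sorted (src, service, peak_syns) for sources over threshold."""
    thresholds = thresholds or DEFAULT_THRESHOLDS
    hits = []
    for (src, port), n in count_syns(flow_text, window).items():
        if n > thresholds[port]:
            hits.append((src, WATCHED_PORTS[port], n))
    return sorted(hits)


if __name__ == "__main__":
    for src, service, n in alerts(SAMPLE_FLOWS):
        print(f"ALERT {src}: {n} outbound {service} SYNs within 60s")
```

Counting SYNs rather than packets is what keeps a single long-lived delivery from looking like a spam run; the per-bucket peak is what a router threshold trigger effectively measures, so a host that spreads its connections evenly stays under the line while a burst trips it.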


Re: [mailop] Another 'Verified Email' service on AWS EC2

2024-06-26 Thread Michael via mailop



On 6/26/24 04:24, Jeff Peng via mailop wrote:

On 2024-06-26 15:11, Gellner, Oliver via mailop wrote:

On 26.06.2024 at 00:24  Jeff Pang via mailop wrote:

since aws ses was blocked, other esp such as mailchannel, mailgun, 
sendgrid can be blocked also?



That's a good idea, except when you have to deal with companies like
Everbridge Inc or Tencent QQ, which apparently think it's a good 
idea to rent VMs at various cloud providers and run them with their 
default config.


Amazon SES does not use email servers with PTR records that end with 
compute-1.amazonaws.com, so it is not affected. 
ec2-.compute-1.amazonaws.com is the default name of AWS instances 
and only used where the owner did not specify his own domain. This is 
akin to people sending emails from @...onmicrosoft.com or 
@...azurewebsites.net or @...vps.ovh.




My mail server for domain simplemail.co.in has a ptr with the azure 
domain as value:


$ dig mx.simplemail.co.in +short
20.120.225.36

$ dig -x 20.120.225.36 +short
tls-mail.westus2.cloudapp.azure.com.

do you think if I should change the ptr value to something other like my 
own domain?


Yes, the domain in the PTR record should reflect the responsible party..
There are M3AAWG Best Practices articles that can go into more details..

But, for example.. this is your responsibility, not Azure's, when you 
have a spam leakage.  If you want ordinary people to notify you, they 
will go to your website as reflected in the domain in the PTR, to look 
for contact information.


This is even more important than FCrDNS



Thanks.


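The two points made in this thread (a PTR that is a provider default name such as compute-1.amazonaws.com or cloudapp.azure.com tells a recipient nothing about who is responsible, and that matters even more than FCrDNS) can be turned into a check. The following is an added example, not code from the thread or from M3AAWG; DNS is replaced by constructed lookup tables so it runs offline, the 20.120.225.36 entry mirrors the dig output above, and the generic-suffix list is an illustrative subset rather than a full catalogue of provider defaults.

```python
"""Judge whether an IP's PTR record names the responsible party.

Added example, not from the thread or from M3AAWG. DNS is replaced by
constructed lookup tables so it runs offline; the generic-suffix list is an
illustrative subset of the provider default names mentioned in the thread.
"""
import ipaddress

# Default hostnames providers assign when the owner sets no PTR of their own.
GENERIC_SUFFIXES = (
    ".compute-1.amazonaws.com",
    ".cloudapp.azure.com",
    ".vps.ovh",
)

# Constructed DNS tables: reverse (IP -> PTR) and forward (name -> A).
PTR_TABLE = {
    "20.120.225.36": "tls-mail.westus2.cloudapp.azure.com.",  # from the thread
    "192.0.2.10": "mx.example.net.",
    "192.0.2.11": "mail.example.org.",
    "192.0.2.12": "mail.hoster.example.",
}
A_TABLE = {
    "tls-mail.westus2.cloudapp.azure.com": "20.120.225.36",
    "mx.example.net": "192.0.2.10",
    "mail.example.org": "192.0.2.99",     # forward disagrees: FCrDNS fails
    "mail.hoster.example": "192.0.2.12",
}


def lookup_ptr(ip):
    """Stub for a reverse lookup; returns the PTR target or None."""
    return PTR_TABLE.get(ip)


def lookup_a(name):
    """Stub for a forward lookup; returns the A record or None."""
    return A_TABLE.get(name)


def is_generic(name):
    """True if the PTR is a provider default hostname."""
    return any(name.endswith(s) for s in GENERIC_SUFFIXES)


def assess(ip, responsible_domain):
    """Return {"ptr", "fcrdns", "generic", "matches_owner", "verdict"} for ip.

    Verdict ordering follows the thread: who the PTR names is judged before
    whether the forward lookup confirms it.
    """
    ipaddress.ip_address(ip)  # raise early on a malformed address
    domain = responsible_domain.lower().rstrip(".")
    raw = lookup_ptr(ip)
    if raw is None:
        return {"ptr": None, "fcrdns": False, "generic": False,
                "matches_owner": False, "verdict": "no PTR at all"}
    ptr = raw.lower().rstrip(".")
    fcrdns = lookup_a(ptr) == ip
    generic = is_generic(ptr)
    matches_owner = ptr == domain or ptr.endswith("." + domain)
    if generic:
        verdict = "generic provider hostname; PTR does not identify the sender"
    elif not matches_owner:
        verdict = "PTR names a third party, not the responsible domain"
    elif not fcrdns:
        verdict = "PTR names the owner but forward lookup does not confirm it"
    else:
        verdict = "ok"
    return {"ptr": ptr, "fcrdns": fcrdns, "generic": generic,
            "matches_owner": matches_owner, "verdict": verdict}


if __name__ == "__main__":
    for ip, owner in [("20.120.225.36", "simplemail.co.in"),
                      ("192.0.2.10", "example.net"),
                      ("192.0.2.11", "example.org")]:
        print(ip, assess(ip, owner)["verdict"])
```

Note that the Azure example passes FCrDNS (forward and reverse agree) and still gets the generic verdict: that is exactly the ordering the thread argues for. Replacing the two stub lookups with real resolver calls is the only change needed to run it against live DNS.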


Re: [mailop] Delivery issues with libero.it / virgilio.it (IOL)

2024-04-03 Thread Michael via mailop

You do realize you forgot to provide your IP Address ;)

On 4/3/24 15:56, Claudio Faoro via mailop wrote:

Hi everyone,

a couple of weeks ago I configured a new Postfix server, it's used 
exclusively by a newsletter service with 2 subscribers.
The newsletter service has been active for more than 10 years on a very 
old server running qmail.
Unfortunately, I had to decommission the old qmail server in a few days, 
replacing it with the new one. It was not possible to keep the same IP 
address.
I've correctly configured the SPF, DKIM, DMARC and PTR records 
(mail-tester.com gives me 10/10).
The first few days, I had problems delivering mail to several providers 
due to the amount of messages. I guess it's partly due to the new IP.

For example:

Mar 30 15:37:00 mx1 postfix/smtp[2021]: 6940F7FF09: to=, 
relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=3473, 
delays=0.47/3472/0.71/0.04, dsn=4.7.0, status=deferred (host 
mx-eu.mail.am0.yahoodns.net[188.125.72.74] said: 421 4.7.0 [TSS04] 
Messages from REDACTED temporarily deferred due to unexpected volume or 
user complaints - 4.16.55.1; see 
https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))


After a few mailings, the situation seems to have stabilized, Yahoo no 
longer gave me problems.
Unfortunately, a good percentage of our subscribers use an email address 
from Italiaonline/IOL (libero.it, virgilio.it, iol.it, inwind.it, etc...).

Most of the emails to IOL get bounced:

Mar 30 00:15:40 mx1 postfix/smtp[51700]: 509762617D: to=, 
relay=smtp-in.libero.it[213.209.1.129]:25, delay=116950, 
delays=116848/101/0.09/1.1, dsn=4.0.0, status=deferred (host 
smtp-in.libero.it[213.209.1.129] said: 451 too many messages, slow down. 
[smtp-22.iol.local; LIB_650] (in reply to end of DATA command))


The limit is triggered very quickly and it's removed after several hours.
I tried to throttle the sending to IOL addresses on Postfix 
(destination_concurrency_limit = 2 and destination_rate_delay = 300s), 
but I keep getting capped after a while.
I don't have much information regarding the old qmail server, but it 
seems that there were not all these problems (there wasn't even DKIM and 
DMARC configured!).


I don't understand how to resolve these problems with the libero.it 
mailboxes (and more generally, with all Italiaonline mailboxes). Do you 
have a contact in Italiaonline who can help me?

Any info would help me, thanks in advance.

Regards,
Claudio



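Claudio's log excerpts show the two things worth measuring before tuning: which relay is deferring, and whether its replies are rate-limit codes (421/451) rather than content rejections. The following is an added example, not code from the thread or from the Postfix project: it parses postfix/smtp log lines of the shape quoted above, summarises them per relay, and drafts the transport_maps / per-transport throttle that destination_concurrency_limit and destination_rate_delay are applied through. The sample log lines are constructed (modelled on the two in the post, with placeholder recipient addresses), and the throttle values are the ones Claudio mentions, not a recommendation.

```python
"""Summarise Postfix smtp delivery log lines per relay and draft a throttle.

Added example, not from the thread or from Postfix. The sample log lines
are constructed, modelled on the two deferrals quoted in the post; the
recipient addresses in them are placeholders.
"""
import re
from collections import Counter, defaultdict

# One postfix/smtp delivery line: queue id, recipient, relay, dsn, status, detail.
LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"relay=(?P<relay>[^\[,\s]+)\[(?P<ip>[^\]]+)\]:\d+, "
    r"delay=[\d.]+, delays=[\d./]+, dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+)(?: \((?P<detail>.*)\))?$"
)
# The remote server's SMTP reply code inside "said: NNN ...".
REPLY_RE = re.compile(r"said: (?P<code>\d{3}) ")

SAMPLE_LOG = """\
Mar 30 00:15:40 mx1 postfix/smtp[51700]: 509762617D: to=<a@libero.it>, relay=smtp-in.libero.it[213.209.1.129]:25, delay=116950, delays=116848/101/0.09/1.1, dsn=4.0.0, status=deferred (host smtp-in.libero.it[213.209.1.129] said: 451 too many messages, slow down. [smtp-22.iol.local; LIB_650] (in reply to end of DATA command))
Mar 30 00:15:41 mx1 postfix/smtp[51701]: 5A9762617E: to=<b@virgilio.it>, relay=smtp-in.libero.it[213.209.1.129]:25, delay=3, delays=0.1/0.2/0.3/2.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Mar 30 00:15:42 mx1 postfix/smtp[51702]: 5B9762617F: to=<c@iol.it>, relay=smtp-in.libero.it[213.209.1.129]:25, delay=4, delays=0.1/0.2/0.3/3.4, dsn=4.0.0, status=deferred (host smtp-in.libero.it[213.209.1.129] said: 451 too many messages, slow down. [smtp-22.iol.local; LIB_650] (in reply to end of DATA command))
Mar 30 15:37:00 mx1 postfix/smtp[2021]: 6940F7FF09: to=<d@yahoo.com>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=3473, delays=0.47/3472/0.71/0.04, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.74] said: 421 4.7.0 [TSS04] Messages from REDACTED temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Mar 30 15:38:00 mx1 postfix/smtp[2022]: 6A40F7FF0A: to=<e@yahoo.com>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=2, delays=0.1/0.2/0.3/1.4, dsn=2.0.0, status=sent (250 ok)
"""


def parse_line(line):
    """Return a dict for a postfix/smtp delivery line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    reply = REPLY_RE.search(rec["detail"] or "")
    rec["code"] = reply.group("code") if reply else None
    rec["domain"] = rec["to"].rsplit("@", 1)[-1].lower()
    return rec


def summarize(log_text):
    """Per relay: status counts, remote reply codes, and recipient domains seen."""
    summary = defaultdict(lambda: {"status": Counter(), "codes": Counter(), "domains": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[rec["relay"]]
        s["status"][rec["status"]] += 1
        if rec["code"]:
            s["codes"][rec["code"]] += 1
        s["domains"].add(rec["domain"])
    return dict(summary)


def rate_limited(summary, min_ratio=0.5):
    """Relays whose deferral share is high and whose replies are 421/451 throttles."""
    out = []
    for relay, s in summary.items():
        total = sum(s["status"].values())
        deferred = s["status"]["deferred"]
        throttles = s["codes"]["421"] + s["codes"]["451"]
        if total and deferred / total >= min_ratio and throttles >= 1:
            out.append(relay)
    return sorted(out)


def throttle_snippet(summary, relays, concurrency=2, rate_delay="300s"):
    """Draft the Postfix config routing those relays' recipient domains through
    a dedicated 'slow' smtp transport that carries its own per-destination limits."""
    lines = [
        "# main.cf",
        "transport_maps = hash:/etc/postfix/transport",
        f"slow_destination_concurrency_limit = {concurrency}",
        f"slow_destination_rate_delay = {rate_delay}",
        "# master.cf (a second smtp client, named 'slow')",
        "slow      unix  -       -       n       -       -       smtp",
        "# /etc/postfix/transport (run postmap on it afterwards)",
    ]
    for relay in relays:
        for domain in sorted(summary[relay]["domains"]):
            lines.append(f"{domain:<20} slow:")
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(throttle_snippet(s, rate_limited(s)))
```

The reason to route by recipient domain rather than by relay is visible in the summary: libero.it, virgilio.it and iol.it all land on the same smtp-in.libero.it MX, so a throttle that only names libero.it leaves the other two domains on the fast transport and the shared limit still trips.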


Re: [mailop] Meta outgoing servers in black list (SORBS, 0SPAM...)

2024-02-01 Thread Michael via mailop
It would be helpful if Meta used a better PTR naming convention for 
these servers.. ;)


host 66.220.155.136
136.155.220.66.in-addr.arpa domain name pointer 
66-220-155-136.mail-mail.facebook.com.


Not sure who dreamed up that one..

On 2/1/24 02:18, Philip Paeps via mailop wrote:

On 2024-02-01 17:32:14 (+0800), Eduardo Díaz Comellas via mailop wrote:
I've got a customer complaining that they don't receive emails from 
Meta for password reset. We have tracked this down to see that a lot 
of these servers are blacklisted in popular blacklists.


[...]

I usually don't care when the sender is blacklisted, as our policy is 
that the sender has to deal with their own problems, but this 
particular customer has a point.


I think "don't care: it's the sender's problem" is a sound policy.

I temper any denylists I use with allowlists.  DNSWL is a popular one. 
Abusix has a good one too.  There are others.


Check https://multirbl.valli.org


Btw, how do you deal with this big players' blacklist problems?


The same way I deal with other players.

Philip





Re: [mailop] Spamcop from a forwarding standpoint

2024-01-25 Thread Michael via mailop
Interesting note in passing: some customers who also had spamcop in 
their RBL listing have noted that even some Microsoft outgoing IPs are 
appearing on that RBL.. (cannot confirm)


Not that they don't deserve it, but rejecting based on that RBL might 
cause some grief, better to use it as a scoring flag..


Still, love what SpamCop does.. our cluster has even had the odd report 
over the last couple years, and though maybe not timely, it was usually 
an accurate report of a compromised user we had already actioned 
automatically.


On 1/25/24 01:30, Andy Smith via mailop wrote:

Hi,

On Thu, Jan 25, 2024 at 09:58:17AM +0100, Cyril - ImprovMX via mailop wrote:

Unfortunately for us, Spamcop believes we are the ones sending spam when they
trace back the Received headers, because we are the last hop before landing
in that user's inbox.

Is there a way to tell in the headers that we are merely forwarding emails
(we do have spam protection in place, but some of them always manage to get
through) ?


There's no way for you to do this, because SpamCop has no way to
know that you are "part of" the recipient's infrastructure.

SpamCop instructs its users not to ever report forwarded email. If
you like, I should think you could continue marking every report as
resolved or not applicable due to the fact that it's forwarded, and
SpamCop would side with you (I've no special knowledge on this).

Something that a SpamCop user CAN do is register (with them) the
forwarding path, and then SpamCop will know about that. Here's the
help for that:

 
https://forum.spamcop.net/forum/7-mailhost-configuration-of-your-reporting-account/

That's something only the SpamCop user can do though, and if they're
not understanding the issue and blindly hitting "report" then that
won't help you.

The exact same problem happens when people report spam that they
received through a mailing list. The SpamCop user needs to be a bit
careful.

Thanks,
Andy





Re: [mailop] SMTP dictionary attacks from 20.42.100.251 (one of Microsoft's IP addresses)

2024-01-02 Thread Michael via mailop
For the record, it's all of the Azure, Google, AWS Cloud, Tencent and 
many other cloud providers that are now abused for BEC (Business Email 
Compromise) and dictionary attacks.


Since very few 'servers' are used for email authentication/clients it is 
quite effective to block email auth from those providers by default.


MagicMail servers allow blocking AUTH from those ranges by default, 
except for allowed exemptions, for the last couple years as it has got 
that bad.


There is a difference between an email client, and other devices, so 
various fingerprinting and identification tricks in the SMTP and IMAP 
servers can help.


But there are edge cases to consider, e.g. desktop in the cloud and IMAP 
monitoring SaaS tools, but in general.. blocking AUTH from cloud 
providers that don't quickly respond to abuse complaints is the way to 
go ;)


Happy New Year All..



On 1/1/24 02:05, Marco Moock via mailop wrote:

Am 01.01.2024 um 01:46:44 Uhr schrieb Randolf Richardson, Postmaster
via mailop:


Is anyone seeing large numbers of dictionary attacks from
20.42.100.251 (which is owned by Microsoft)?  I'm curious if they're
engaging in large-scale targeting.


Doesn't have a PTR, so no regular mail server.
I assume it is one of their Azure customers' servers that has been
hacked or is rented by an abuser.


P.S.:  I don't bother reporting abuse directly to Microsoft anymore
because in the past they just bounced every message sent to their
postmaster@ and abuse@ accounts.


For what reason did they bounce those messages?


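The policy sketched in this message (deny SMTP/IMAP AUTH from cloud-provider ranges by default, carve out the edge cases such as a customer's cloud desktop or an IMAP monitoring service, and keep a count per provider for abuse reporting) as an added example. It is not MagicMail's code or any product's. 52.0.0.0/11 is the Amazon allocation quoted in the whois output later on this page; 203.0.113.0/24 is an RFC 5737 documentation prefix standing in for a second provider's range, since the real range lists are something an operator loads from their own feed. The exemption and the sample log lines are constructed.

```python
"""Default-deny SMTP/IMAP AUTH from cloud-provider ranges, with exemptions.

Added example, not MagicMail's or any product's code. 52.0.0.0/11 is the
Amazon allocation quoted elsewhere on this page; 203.0.113.0/24 is an
RFC 5737 documentation prefix standing in for a second provider's range.
The exemption and the sample log lines are constructed.
"""
import ipaddress
from collections import Counter

# (network, provider label). Operators would load this from their own feed.
CLOUD_RANGES = [
    (ipaddress.ip_network("52.0.0.0/11"), "Amazon (AT-88-Z)"),
    (ipaddress.ip_network("203.0.113.0/24"), "placeholder-cloud"),
]

# Known-good clients that live inside cloud space, e.g. a customer's hosted
# desktop or an IMAP monitoring SaaS. Constructed entry.
EXEMPTIONS = [
    (ipaddress.ip_network("203.0.113.40/32"), "customer cloud desktop"),
]


def cloud_provider(addr):
    """Return the provider label if addr lies in a watched range, else None."""
    for net, label in CLOUD_RANGES:
        if addr in net:
            return label
    return None


def auth_policy(ip, exemptions=EXEMPTIONS):
    """Return ("allow" | "deny", reason) for an AUTH attempt from ip.

    Exemptions win over cloud ranges. Anything outside cloud space is allowed
    here and left to the usual rate limiting and credential checks; a
    malformed address is denied rather than falling through to "allow".
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "deny", "unparseable client address"
    for net, label in exemptions:
        if addr in net:
            return "allow", f"exempt: {label}"
    provider = cloud_provider(addr)
    if provider:
        return "deny", f"cloud range: {provider}"
    return "allow", "not cloud space"


# Constructed auth-attempt log lines in the form "<client-ip> user=<login>".
SAMPLE_AUTH_LOG = """\
52.10.9.48 user=alice
52.10.9.48 user=bob
203.0.113.5 user=alice
203.0.113.40 user=carol
192.0.2.9 user=alice
not-an-ip user=mallory
"""


def denied_per_reason(log_text):
    """Count denied AUTH attempts per deny reason: the per-provider figure an
    abuse report to that provider would need."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        verdict, reason = auth_policy(fields[0])
        if verdict == "deny":
            counts[reason] += 1
    return counts


if __name__ == "__main__":
    for reason, n in denied_per_reason(SAMPLE_AUTH_LOG).most_common():
        print(f"{n:5d}  {reason}")
```

The exemption list is checked first so a /32 inside a denied /11 still works, which is the shape the edge cases in the message take. The per-reason counter is the cheap part that makes the later complaint about provider responsiveness concrete: it is the volume figure to attach to a report.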


Re: [mailop] Bounces

2023-11-16 Thread Michael via mailop
Always terrible when big ESP's simply say 'Remove Us' and think it will 
happen because they are big, instead of 'asking' why you are being 
flagged, and what can you do to improve your reputation..


Especially as a 'Financial Services' related business, the onus is on 
you to ensure that you are at the top of your game, and have clear 
transparency..


And on this list, you better be willing to share exactly what 
email/domain/ip is having the problem, if you want the community to help 
you out..


On 11/16/23 03:46, Polath, Kiran via mailop wrote:

Hello Team,

We at Broadridge Financial Solutions send millions of emails as 
financial customer communication on behalf of our clients. We see our 
emails are frequently getting blocked by charter.net & rr.com; this is 
impacting our reputation. Can you take it as high priority and 
remediate this, as it is very important to our customers to have this 
resolved. Please find the reasons below:


Time (EST)            Domain       Response
2023-11-15 02:52:11   charter.net  550 5.1.0 ...@ ... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310
2023-11-15 02:52:11   wi.rr.com    550 5.1.0 ...@ ... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310
2023-11-15 02:52:11   charter.net  550 5.1.0 ...@ ... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310
2023-11-15 02:52:10   wi.rr.com    550 5.1.0 ...@ ... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310
2023-11-15 02:52:10   wi.rr.com    550 5.1.0 ...@ ... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310

Regards,

*Kiran Kumar Polath*| ICS-Email Operations | Broadridge Financial 
Solutions (India) Private Limited
Adjacent to Cyber Towers, Hi-Tech City, Madhapur | Hyderabad 500081 
Telangana | India | m +91 8008297767| m +91 9154044691




broadridge.com __

This message and any attachments are intended only for the use of the 
addressee and may contain information that is privileged and 
confidential. If the reader of the message is not the intended recipient 
or an authorized representative of the intended recipient, you are 
hereby notified that any dissemination of this communication is strictly 
prohibited. If you have received this communication in error, please 
notify us immediately by e-mail and delete the message and any 
attachments from your system.






Re: [mailop] suggested max received headers/hop limit

2022-03-09 Thread Michael via mailop
Remember, those limits were set in a 286/1200 baud world, but a sane limit 
should still be observed; 30-50 hops is plenty.

On Wed, 9 Mar 2022 17:05:38 -0800
Brandon Long via mailop  wrote:
> Ours was set to 50 years ago, and we renamed our internal hops to
> X-Received to avoid issues with external receivers with stricter limits.
> 
> The number of hops for most consumer mail isn't high, but enterprise
> messages can have some really extended hops if it goes through nested
> mailing lists and multiple third party relays for various services.
> 
> Brandon
> 
> On Wed, Mar 9, 2022 at 4:00 PM Kelsey Cummings via mailop 
> wrote:
> 
>> Greetings, we've been seeing some issues in our mail infrastructure with
>> regular users hitting >25 hops on messages and I'm wondering if there's
>> a general consensus that the old default of 25 is too low given modern
>> mail flows.
>>
>> Have any of you had to increase it?  Any one know what major ESP's have
>> it limited to?
>>
>> --
>> kelsey.cummi...@sonic.com sonic.net, inc.
>> System Architect  2260 Apollo Way
>> 707.522.1000   Santa Rosa,
>> CA


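The hop-limit mechanics discussed in this thread, as an added example that is not code from any MTA or from the posters: count the Received headers on a message, apply a limit (Postfix's hopcount_limit defaults to 50, Sendmail's MaxHopCount to 25), and rename internal hops to X-Received the way Brandon describes, so that only external hops count against stricter receivers. The message builder, the .corp.internal domain, and the hostnames are all constructed.

```python
"""Count Received hops, apply a hop limit, and rename internal hops.

Added example, not from any MTA. The message builder and all hostnames
are constructed; .corp.internal stands for an operator's own relay domain.
"""
import re
from email import message_from_string

# The "by <host>" clause of a Received header, used to recognise our own relays.
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)


def build_message(external=3, internal=0, x_received=0, body="hello"):
    """Construct a raw message with folded Received headers, top-most hop first,
    the way each MTA prepends its own header on the way in."""
    headers = []
    for i in range(internal):
        headers.append(
            f"Received: from app{i}.corp.internal (10.0.0.{i + 1})\n"
            f"\tby mx{i}.corp.internal with ESMTP id I{i}; Wed, 9 Mar 2022 17:05:38 -0800")
    for i in range(external):
        headers.append(
            f"Received: from relay{i}.example.net (relay{i}.example.net [192.0.2.{i % 250 + 1}])\n"
            f"\tby mx.example.org with ESMTP id E{i}; Wed, 9 Mar 2022 17:05:38 -0800")
    for i in range(x_received):
        headers.append(f"X-Received: by list{i}.example.net; Wed, 9 Mar 2022 17:05:38 -0800")
    headers += ["From: sender@example.net", "To: user@example.org", "Subject: hop test"]
    return "\n".join(headers) + "\n\n" + body + "\n"


def hop_counts(raw):
    """Return (received, x_received); a folded header counts once."""
    msg = message_from_string(raw)
    return len(msg.get_all("Received") or []), len(msg.get_all("X-Received") or [])


def hop_check(raw, limit=50):
    """"accept" or "reject" by the Received count alone, as a receiving MTA does."""
    received, _ = hop_counts(raw)
    return "reject" if received > limit else "accept"


def rename_internal_hops(raw, internal_suffix):
    """Return raw with Received headers whose 'by' host ends in internal_suffix
    renamed to X-Received, so external receivers do not count our own relays."""
    msg = message_from_string(raw)
    pairs = msg.items()                  # list copy, original order preserved
    for name in {k for k, _ in pairs}:
        del msg[name]                    # removes every occurrence of that name
    for name, value in pairs:
        if name.lower() == "received":
            m = BY_RE.search(value)
            if m and m.group(1).lower().endswith(internal_suffix.lower()):
                name = "X-Received"
        msg[name] = value
    return msg.as_string()


if __name__ == "__main__":
    raw = build_message(external=4, internal=2)
    print("before:", hop_counts(raw), hop_check(raw, limit=5))
    fixed = rename_internal_hops(raw, ".corp.internal")
    print("after: ", hop_counts(fixed), hop_check(fixed, limit=5))
```

Renaming on the outbound side only hides hops from receivers whose limit is lower than the real chain length; it does not make a genuine routing loop shorter, which is the failure the limit exists to catch, so the renamed headers should still be kept on the message rather than dropped.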


Re: [mailop] Anyone else notice that MS Hotmail/o365 might not be following RFC?

2021-11-24 Thread Michael via mailop
Umm.. not helpful, and if you are going to make inflammatory remarks, please 
sign it with your name..

Really isn't fair to call out Qmail, Dan Bernstein did an incredible amount of 
good in his day, and what version of Qmail are you using?  Tell me if you see 
this happening in your logs, and if you do, go ahead and fix Qmail, it's open 
source... But in all honesty, comparing Qmail of 20 years ago, and a Multi 
billion dollar company.. 

Anyways, rest my case.. otherwise this turns into a flame war.. 

Just a really unproductive comment.. and completely out of line.

On Thu, 25 Nov 2021 04:51:05 +
ml+mailop--- via mailop  wrote:
> On Wed, Nov 24, 2021, Michael Peddemors via mailop wrote:
> 
>> And then it terminates the connection, SSL collapses, without waiting for
>> the remote mail server to acknowledge the QUIT.
> 
> Just like qmail?
> 
> Maybe it's time to change the RFC?




Re: [mailop] IMAP and SMTP in the same or separated IPs?

2021-10-15 Thread Michael via mailop
It's a little different running a hobby mail server vs. being responsible for 
say an ISP with 100,000's of end users.

And while technically there aren't many old computers that don't support Let's 
Encrypt any more, nothing is free.. e.g. I heard it's estimated that Gmail makes 
between $2 and $3 for each 'free' gmail account.  I prefer to think 
that the company I pay $$ to for a cert makes enough that they don't have to sell 
our data.  Remember, each lookup against Let's Encrypt shares information that 
can be resold. 

How does that saying go, about free?

Some companies worry about sharing customer behavior patterns. 



On 16 Oct 2021 02:41:37 -
John Levine via mailop  wrote:
> According to Michael Peddemors via mailop :
>>Put everything under mail.yourdomain.com
>>
>>Unless you have some strange firewall rule requirements, there is no 
>>real technical advantage, and some real technical disadvantages.. 
>>(including paying for multiple certs)
> 
> Who pays for certs these days?  I have over 100 for my MTA, all free
> from Let's Encrypt.
> 
> R's,
> John
> 
> 
> -- 
> Regards,
> John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for 
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
> 




Re: [mailop] [FEEDBACK] Azure Spammer Activity

2021-01-14 Thread Michael via mailop
Opening up another pet peeve I see.. 

Yes, (and absolutely no reflection on the MS lurkers on this list) this is a 
pain point, of our team as well.

A lot of attention was given to Microsoft's role in takedowns of miscreants 
that are attacking them, but when the attacker is on Azure, the story is quite 
different.  But this is not just about Microsoft, but about several big cloud 
providers. Not only is it very difficult to get a response, but when you do it 
is usually "We have notified the customer", or even worse, "We have notified 
the reseller" and that's where it ends.  Hackers are turning more often to 
these providers simply because of the slow takedowns.

Now, with spammers it is pretty simple, block the source IP, but when the 
spammer is sending malicious materials, like viruses and ransomware, there need 
to be better takedowns, otherwise the bad actor simply continues on.  We see 
there is also a big trend towards AUTH attacks, using Azure IP Space to hack 
email accounts, BEC (Business Email Attacks), and other activity that is 
dangerous and illegal.

These threats as a community we should NOT tolerate.  IF the server was hacked, 
and the owner is not  at fault, it should STILL be taken down, it is dangerous 
every second it is up, and the hacker is making money every second, and the 
longer he can do that, the more he will try again.

Now, don't get me wrong, I think I understand WHY takedown practices are so 
bad.  Aside from the very low budget given to abuse teams, when you have 
management telling you that all you can do is 'let the customer know', as an 
abuse person you would get pretty jaded.. hard to respond to a complaint, when 
you know your hands are tied. This isn't a new phenomenon, the problem is over 
20 years old, "Don't do anything that could possibly affect a paying customer". 
We still have ISP's that aren't blocking port 25 outbound from dynamic IP 
space. 

But I boldly predict that this is the year that things will change.  Attitudes 
are changing.  (The removal of Trump from Twitter is a good example) The last 
few years too much emphasis has been placed on 'privacy' protection and user 
rights, and the bad guys are benefiting from those practices.  

It isn't hard to stop, many of us in the infosec field could be giving data 
feeds to the big players, if they can't see it themselves, (sure maybe these 
large providers should contribute more to these infosec players), but I am sure 
many would offer it for free, IF they knew it would have an impact.  I know our 
team has probably not bothered to even report these to Azure anymore, because 
it is a waste of time, and that's sad.  I mean, with the volume we see every day it's 
simply impossible to go through the standard 'reporting channels'. I know many 
others who have given up.  And this means more 'last resort' activity instead, 
and by that I mean 'blacklisting' or blocking traffic of those that don't 
respond to takedown requests.

Speaking to the cyber crimes people in my circle, I hear it more and more. They 
are simply fed up.  They are going to get more aggressive and simply start with 
takedown orders, when a provider doesn't seem to co-operate.  You can expect a 
lot more.. how best to describe it.. heavy handed approaches.

You can help, you can lobby your politicians to allow more to be done, and you 
can expect that "this is the year where providers will start becoming 
responsible for the activity on their networks", legally...

Sure, the ISP's and Hosting companies are fighting that, but it's on their own 
heads.  If they would have done more on their own, it would not have reached 
this point.

There is too much damage being done, the criminals are too successful.. This is 
the year when people are going to get fed up I predict, and are going to demand 
change.  We already are seeing faster takedowns of dark web sites, more 
networks getting shut down, and more domain names being shut down.. but the next 
step is coming.. 

2021 is going to be a great year everyone! Let's all do what we can to make the 
world a safer place.





On Thu, 14 Jan 2021 12:34:27 +0100
Peter Nicolai Mathias Hansteen via mailop  wrote:
> 
> 
>> 14. jan. 2021 kl. 12:20 skrev Hans-Martin Mosner via mailop :
>> 
>> Am 09.12.20 um 08:43 schrieb Hans-Martin Mosner via mailop:
>>> Today we got a response to our abuse reports requesting that we report 
>>> these to j...@office365.microsoft.com - I
>>> would've thought that within one corporation, forwarding of abuse tickets 
>>> should work somehow.
>> 
>> Well it looks like reporting to j...@office365.microsoft.com is completely 
>> useless. No response, no reaction, no
>> reduction in spam.
>> 
>> Is there a reporting address for azure that is read and acted upon?
> 
> I tend to include abuse at the parent domains (hotmail.com , outlook.com  and 
> Microsoft.com) as cc:. You probably will not get any response other than the 
> automated one from «The Outlook team», but the flow has de

[mailop] sendgrid.net

2020-09-25 Thread Michael via mailop
What's the consensus on sendgrid.net? I don't know anything about them, 
but I had the impression that they were a reputable company. Lately, 
I've noticed a lot of phishing emails coming from them. Does anyone just 
block them completely?




Re: [mailop] Hotmail blacklist

2020-04-21 Thread Michael via mailop
Thank you all for the feedback. Yes, it's an AWS server I've had for 
several years. I don't think any actual spam has been sent from the 
server. I don't watch everything my users do, but they just communicate 
with other people they know. We don't send any marketing emails or 
anything unsolicited. My first assumption was that Hotmail had just 
blocked a block of IPs and I got caught up in it, so maybe that's it. 
I'll keep replying to that ticket and see if I can get anywhere.


Interestingly, I'm set up for the Hotmail junk reporting emails for my 
work organization as well, and I notice that a lot of clearly legitimate 
email gets marked as spam. I don't know why recipients do that, maybe 
there's something about Hotmail's UI that leads people to it.




On 2020-04-21 11:05 am, Michael Peddemors via mailop wrote:

I notice that you are using an AWS address..

NetRange:   52.0.0.0 - 52.31.255.255
CIDR:   52.0.0.0/11
NetName:AT-88-Z
NetHandle:  NET-52-0-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType:Direct Allocation
OriginAS:
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:1991-12-19
Updated:2015-03-20
Ref:https://rdap.arin.net/registry/ip/52.0.0.0

Amazon has been REALLY bad lately, and more companies are blocking
larger parts of the AWS space.

Insist that Amazon provide you with 'rwhois' or that they address this
issue for you?  If you are 100% certain you aren't sending suspicious
email activity from that IP Address.

On 2020-04-21 8:52 a.m., Norbert Bollow via mailop wrote:

Maybe it's not specifically your server's IP that's on the blacklist,
but an IP range belonging to your ISP (which includes your server)?

Greetings,
Norbert


On Tue, 21 Apr 2020 10:35:38 -0500
Michael via mailop  wrote:


My server's IP is on the hotmail blacklist. I can't find any details
as to why. I only have four users and we don't send any bulk mail.
Mostly just a small law firm communicating with clients. I'm set up
with SNDS but I don't see any details there that let me track down
the source of the blacklisting. I just set up the junk mail
reporting. I thought I had already done that but I don't remember
ever getting any reports.

Is there any way to get off this list?


I filled out a support request and received this response:

We have completed reviewing the IP(s) you submitted. The following
table contains the results of our investigation.

Not qualified for mitigation
52.10.9.48
Our investigation has determined that the above IP(s) do not qualify
for mitigation.




--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and 
intended
solely for the use of the individual or entity to which they are 
addressed.
Please note that any views or opinions presented in this email are 
solely
those of the author and are not intended to represent those of the 
company.




[mailop] Hotmail blacklist

2020-04-21 Thread Michael via mailop
My server's IP is on the hotmail blacklist. I can't find any details as 
to why. I only have four users and we don't send any bulk mail. Mostly 
just a small law firm communicating with clients. I'm set up with SNDS 
but I don't see any details there that let me track down the source of 
the blacklisting. I just set up the junk mail reporting. I thought I had 
already done that but I don't remember ever getting any reports.


Is there any way to get off this list?


I filled out a support request and received this response:

We have completed reviewing the IP(s) you submitted. The following table 
contains the results of our investigation.


Not qualified for mitigation
52.10.9.48
Our investigation has determined that the above IP(s) do not qualify for 
mitigation.




Re: [mailop] AWS IPs and SNDS Frustration

2020-04-10 Thread Michael via mailop
Frankly, AWS abuse has to step up their game.  Long take down cycles, not 
sharing information, no SWIP/rwhois for customers, all of these things have 
contributed to more and more reputation problems.

Not that Azure or others are completely better, but this will have to be 
something AWS customers start demanding, or their customers will vote with 
their pocket books.

This is not just spamming activity, but many other forms of abuse.

But getting a PTR, and adding it to your SPF, will slowly enable you to use the 
IP; however, speak loudly and demand 'rwhois' so that it is clear and 
transparent who the responsible party is.


On Fri, 10 Apr 2020 13:17:33 -0700
Luke via mailop wrote:
> If the sender has established reputation on previous IP address(es), you
> might be able to ask for the "preemptive accommodation" form. I've never
> tried it under these specific circumstances, but it could be a workaround.
> 
> Luke
> 
> On Fri, Apr 10, 2020 at 1:02 PM Brad Slavin via mailop 
> wrote:
> 
>> Happy Quarantine Friday to all...
>>
>> I have spent almost two weeks in groundhogs day with SNDS and AWS IPs
>> trying to get 10 clean IPs in the Frankfurt and Oregon regions.
>>
>> My conclusion is that AWS IPs are almost impossible to provision that are
>> clean on SNDS. And even if you request removal from the SNDS blocked list
>> the response from MS is that the IPs cannot be mitigated.
>>
>> It's painful, time consuming and nearly fruitless. I have tried over 300
>> IPs, a lot of these are blacklisted on other lists so I did not even bother
>> but of the 180 that were submitted to SNDS... I got four that were clean.
>>
>> You have to request rdns, which takes a day.
>> Then monitor against all publishing blacklists - this takes a few hours
>> Add to SNDS - wait 24-36 hours for a result.
>> Find the blocked IP's
>> Request removal of the rdns from AWS or you can't release the IPs from your
>> account.
>> Remove from SNDS
>>
>> I get that people recycle AWS IPs and burn their reputations, but is there
>> any way to work with Microsoft and let them know that this address is
>> associated with a completely new customer?  (Yes I know that spammers can
>> set up multiple accounts) ... is this Microsoft just being anti-competitive
>> with AWS/Azure or is there a timeline that IPs can be placed on so that if
>> there has not been email sent that MS will reconsider?
>>
>> Other than BYOIP or moving from AWS what is the way forward?
>>
>> Brad
>>
>>
>>
>>
> 





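The pre-flight checks the thread above keeps coming back to (is the IP on a DNSBL, and does its PTR forward-confirm to the IP) can be scripted before an address is put into service. This is an added example, not code from the list or from any poster; the DNSBL zone names and the resolver data are constructed so it runs offline, and a real deployment would plug in an actual DNS resolver in place of `fake_resolve`.

```python
"""Pre-flight reputation checks for a sending IP: DNSBL lookups and
forward-confirmed reverse DNS (FCrDNS).  Added example; the resolver is
injectable so the checks run offline against constructed data."""
import ipaddress
from typing import Callable, Dict, List, Optional

# Resolver callable: (name, rrtype) -> list of record strings, [] if NXDOMAIN.
Resolver = Callable[[str, str], List[str]]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_check(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, Optional[str]]:
    """Return {zone: return-code or None}; any 127.0.0.0/8 A record means listed."""
    result: Dict[str, Optional[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone), "A")
        listed = [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK]
        result[zone] = listed[0] if listed else None
    return result


def fcrdns(ip: str, resolve: Resolver) -> Optional[str]:
    """Return the PTR name if it resolves back to ip (forward-confirmed), else None."""
    for name in resolve(ipaddress.IPv4Address(ip).reverse_pointer, "PTR"):
        name = name.rstrip(".")
        if ip in resolve(name, "A"):
            return name
    return None


# Constructed stand-in for DNS (zone names and answers are hypothetical).
FAKE_DNS = {
    ("48.9.10.52.dnsbl.example", "A"): ["127.0.0.2"],          # listed
    ("48.9.10.52.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["52.10.9.48"],                 # confirms
    ("5.100.51.198.in-addr.arpa", "PTR"): ["vm-1.cloud.example."],
    ("vm-1.cloud.example", "A"): ["203.0.113.9"],              # does not confirm
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    return FAKE_DNS.get((name, rrtype), [])


if __name__ == "__main__":
    ip = "52.10.9.48"  # the address from the thread
    print(dnsbl_check(ip, ["dnsbl.example", "other.example"], fake_resolve))
    print(fcrdns(ip, fake_resolve), fcrdns("198.51.100.5", fake_resolve))
```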

Re: [mailop] UCEPROTECT - AWS Block

2019-12-20 Thread Michael via mailop
Based on all the activity our team has seen of late, not surprising; make sure 
you get a dedicated IP for sending, with a correct PTR record reflecting your 
company.

Merry Xmas all the great peeps on this list from the beaches of Mexico!

On Fri, 20 Dec 2019 16:51:35 -0800
Brad Slavin via mailop wrote:
> It seems that AWS has found their way onto the UCEPROTECT Level 3 list.
> 
> Affected messages are being rejected with this banner:
> 
> 550 Your ISP AMAZON-02 - Amazon.com
> , Inc.,
> US/AS16509 is UCEPROTECT-Level3 listed for hosting a total of 10163 abusers.
> 
> Thankfully over the past few days we have had only 7 messages rejected
> list, but our RBL monitors are going crazy.
> 
> What are the appropriate escalation steps to resolve this issue? It's my
> belief that this is collateral damage.
> 
> Thank you,
> 
> Brad
> 






Re: [mailop] Gmail marking email from me as spam

2019-10-14 Thread Michael via mailop
As much as I would like this thread to die, had to point out..  yes, probably 
gmail does a great job of inbound spam protection, had an ESP recently tell me 
40% of all addresses they engaged with were gmail addresses, so it behooves 
them to do well, wish as much attention was paid to outbound, including 
business class spammers and marketers using gmail, and of course the recent 
spike in hacking/brute force attacks from google cloud instances, the original 
problem of hosting on a provider that doesn’t do well at keeping net blocks 
clean, will not, and should not disappear. 

Yes, the poor person who signed up without knowing that the whole world has 
already made up their mind about the reputation of traffic from the network he 
finds his IP on might seem unfair, the only way these hosting companies will 
clean up their act, is when customers talk with their wallet, and go elsewhere. 
But in reality when any IPv4 address is worth $100 bucks a year, and climbing 
some companies won’t care, as long as they keep them “in use” until someone 
buys them will be a problem. 

So don’t kill the messengers, or expect things to change, simply google for 
providers which care about their reputation and use them for email services 
people want, but don’t try to change people’s minds when you send 
communications people don’t want, and let’s move on to more important things in 
the world...

-sip- one more bowl of hot saki, and plane trip at 7am to Vegas to help deal 
with much bigger problems so cheers all, don’t bother responding to comments on 
list as “thread is dead” to me ;)

On Mon, 14 Oct 2019 18:29:02 -0700
Brandon Long via mailop wrote:
> On Mon, Oct 14, 2019 at 3:54 PM Michael Orlitzky via mailop <
> mailop@mailop.org> wrote:
> [snip]
> 
>> They don't care if you or anyone else can send/receive mail, because
>> that's not how they make money. You're not going to convince them to
>> care, and so long as they don't, your problems are only going to get
>> worse. No one's going to tell you how to fix *this* issue because there
>> is no solution -- that's why you're getting the next best thing, namely
>> advice to switch providers and pray that Google doesn't feel like
>> blocking your new host, too.
>>
> 
> It seems like Gmail wouldn't last long as an email provider if no one could
> send/receive email
> to it.
> 
> Instead, many folks seem to think that we do a really good job with
> handling spam and delivery.
> Which isn't to say there isn't room for improvement, of course, and we need
> to stay on top of
> it, we can't just rest on our laurels.
> 
> The other option is to complain to your hosting provider.  The reputation
> of your netblock is still
> getting worse, though it's not a high volume problem.  Your provider
> probably has a mail relay you
> can use that they can de-spam, and so keep a better reputation... a quick
> look shows OVH's relays
> have higher reputation than the IP discussed here.
> 
> Brandon
> 



