Re: [mailop] Abusix Potentially Compromised Account Report
I got one of these the other day and I'm scratching my head about it as what's in the report cannot possibly be correct.

The report was for a domain we host the website for, but the domain has no email at all. The account referenced is also not a valid website login or anything else I can think of.

It's not terribly useful if I'm going to be getting red herrings like that.

On 22/3/20 3:34 pm, Udeme Ukutt via mailop wrote:
> I pinged someone there to take a look.
>
> Udeme
>
> On Sat, Mar 21, 2020 at 9:17 PM Ted Cooper via mailop <mailop@mailop.org> wrote:
>> Has anyone run into "Abusix" /potentially/ compromised account notification emails before?
>>
>> Their website "abusix.ai" looks to be about a week old based on the age of all of the articles. I would have guessed they'd have been around for longer and their name does ring a bell. Blog announcement on Abusix.com would indicate they launched Mar 2019.
>>
>> They've sent us a report from "nore...@abusix.org" to postmaster@ here in some kind of misguided attempt to help us because "Over the last 24 hour period our traps have detected 1 potentially compromised accounts on your domain."
>>
>> In the CSV they attached, apparently the IP address 185.234.219.89 (Poland) attempted to send an email at 2020-03-19T17:59:03.000Z using smtp auth credentials apparently from a domain hosted here. That IP address is not at all related to any networks or servers for the domain.
>>
>> They do provide the first 5 characters of the sha1 of the password that IP address used. I know it used the wrong password because the account in question does not have a password - it's an alias and not an account.
>>
>> Given the number of fraudulent auth attempts we all get every day with wild and whacky unrelated usernames (I get hotmail & others provided as username), why would anyone think it was a good idea to send out spam to stop spam when it was clearly a fraudulent email that didn't even go anywhere?
>>
>> If everyone sent out a spam notification when someone abused a domain we'd all be getting 10x fold increase in spam, all trying to be "helpful".
>>
>> They do ever so helpfully provide an "opt out" link. I am scratching my head as to think when I opted into such a service. /sarcasm.
>>
>> My initial thought was to route their domains and IPs to /dev/null, happy in the thought that I now get one less domain's spam.

--
Nick Stallman
Technical Director
Email: n...@agentpoint.com
Phone: 02 8039 6820
Website: www.agentpoint.com.au
67 Renwick St, Redfern NSW 2009

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Certain addresses from G Suite going straight to O365 spam
Just a quick update, Michael seems to have sorted my issue out by stirring the secret sauce a little.

On 12/3/19 5:04 am, Nick Stallman wrote:
> Nope this is 100% manual email sent to people who have specifically asked to be contacted (either via website form, phone or email). No templates, cold emails or other nonsense like that at all.
>
> The three main people affected were a sales person, someone who does a little bit of sales but not the majority (these two both had Hubspot) and a project manager who's never used any kind of tracking at any point.
>
> I'm with you, it would make perfect sense for Office 365 to block automated or semi-automated email like that. That's why it's so puzzling that regular human B2B email would be blocked like this.
>
> On 11/3/19 8:18 pm, Laura Atkins wrote:
>> What type of mail are they sending? These wouldn’t happen to be part of your sales team who are sending cold emails to addresses they’ve … acquired through different pathways, would it?
>>
>> Given they’re inserting tracking links from Hubspot, it seems there is some level of outbound cold email going out. And, frankly, good on Office365 for blocking it. I have yet to find a business person who enjoys getting dozens of “hey, we think our product is Just Right For YOU! Schedule a call today! Here’s the link.”
>>
>> If that’s what they’re sending, be happy that Office365 is carefully blocking just their mail, rather than all the mail from your domain.
>>
>> laura
>>
>> On 11 Mar 2019, at 04:35, Nick Stallman <n...@agentpoint.com> wrote:
>>> Thanks Richelo.
>>>
>>> I did examine some emails that were being blocked and yep two staff were using Hubspot's email tracking. So that very much is a possibility as being the culprit or a contributing factor. A few weeks ago I told them to disable that tracking however with no improvement.
>>>
>>> The odd thing is other affected staff haven't used link tracking at all, and there are a lot of staff not affected all on the same domain.
>>>
>>> On 11/3/19 3:21 pm, Richelo Killian wrote:
>>>> I have seen something similar for some of our clients, and it turned out to be a Gmail Chrome plugin they used for tracking.
>>>>
>>>> I can’t remember the exact plugin, but, it was changing all links in the email to the plugin tracking domain, and that domain was blacklisted at Microsoft.
>>>>
>>>> So, first thing is to check if those users have any kind of Chrome plugin for Gmail active and disable them and test again.
>>>>
>>>> Not saying this IS the problem, but, it’s a place to start looking ;-)
>>>>
>>>> Kind Regards,
>>>> Richelo Killian
>>>>
>>>> From: Nick Stallman <n...@agentpoint.com>
>>>> Reply: Nick Stallman <n...@agentpoint.com>
>>>> Date: March 11, 2019 at 01:16:19
>>>> To: mailop@mailop.org
>>>> Subject: [mailop] Certain addresses from G Suite going straight to O365 spam
>>>>
>>>>> Has anyone come across a strange issue with O365's spam filter, where some addresses on a domain go straight to spam but other addresses don't, when they are all G Suite addresses?
>>>>>
>>>>> We've noticed 3 of our staff have their emails reliably going straight to spam for O365 destinations, but everyone else can send emails just fine. The affected users are all using Gmail directly (no email clients), nothing fancy at all and I can't see any reason why they would have been affected.
>>>>>
>>>>> I'm at a bit of a loss as to where to go from here:
>>>>>
>>>>> - DKIM, DMARC and SPF are all set up correctly
>>>>> - G Suite support wasn't much help as the emails are being delivered correctly, and they verified DKIM, DMARC and SPF.
>>>>> - We've got SNDS for our mail server (for our servers) of course, but these emails are being delivered directly through GMail not our own servers.
>>>>> - I can't use the form to open a ticket for Outlook.com delivery issues as our servers aren't doing the sending, and there aren't any logged errors (the emails aren't being rejected).
>>>>> - No bulk marketing or anything has been sent from the affected users, so I can't imagine anyone would have manually marked emails as spam.
>>>>> - This issue occurs to all client O365 domains, I've looked at about a dozen different destination O365 domains.
>>>>>
>>>>> It's all a very weird scenario. Any suggestions would be appreciated.
>>>>>
>>>>> --
>>>>> Nick Stallman
>>>>> TECHNICAL DIRECTOR

Re: [mailop] Certain addresses from G Suite going straight to O365 spam
Nope this is 100% manual email sent to people who have specifically asked to be contacted (either via website form, phone or email). No templates, cold emails or other nonsense like that at all.

The three main people affected were a sales person, someone who does a little bit of sales but not the majority (these two both had Hubspot) and a project manager who's never used any kind of tracking at any point.

I'm with you, it would make perfect sense for Office 365 to block automated or semi-automated email like that. That's why it's so puzzling that regular human B2B email would be blocked like this.

On 11/3/19 8:18 pm, Laura Atkins wrote:
> What type of mail are they sending? These wouldn’t happen to be part of your sales team who are sending cold emails to addresses they’ve … acquired through different pathways, would it?
>
> Given they’re inserting tracking links from Hubspot, it seems there is some level of outbound cold email going out. And, frankly, good on Office365 for blocking it. I have yet to find a business person who enjoys getting dozens of “hey, we think our product is Just Right For YOU! Schedule a call today! Here’s the link.”
>
> If that’s what they’re sending, be happy that Office365 is carefully blocking just their mail, rather than all the mail from your domain.
>
> laura
>
> On 11 Mar 2019, at 04:35, Nick Stallman <n...@agentpoint.com> wrote:
>> Thanks Richelo.
>>
>> I did examine some emails that were being blocked and yep two staff were using Hubspot's email tracking. So that very much is a possibility as being the culprit or a contributing factor. A few weeks ago I told them to disable that tracking however with no improvement.
>>
>> The odd thing is other affected staff haven't used link tracking at all, and there are a lot of staff not affected all on the same domain.
>>
>> On 11/3/19 3:21 pm, Richelo Killian wrote:
>>> I have seen something similar for some of our clients, and it turned out to be a Gmail Chrome plugin they used for tracking.
>>>
>>> I can’t remember the exact plugin, but, it was changing all links in the email to the plugin tracking domain, and that domain was blacklisted at Microsoft.
>>>
>>> So, first thing is to check if those users have any kind of Chrome plugin for Gmail active and disable them and test again.
>>>
>>> Not saying this IS the problem, but, it’s a place to start looking ;-)
>>>
>>> Kind Regards,
>>> Richelo Killian
>>>
>>> From: Nick Stallman <n...@agentpoint.com>
>>> Reply: Nick Stallman <n...@agentpoint.com>
>>> Date: March 11, 2019 at 01:16:19
>>> To: mailop@mailop.org
>>> Subject: [mailop] Certain addresses from G Suite going straight to O365 spam
>>>
>>>> Has anyone come across a strange issue with O365's spam filter, where some addresses on a domain go straight to spam but other addresses don't, when they are all G Suite addresses?
>>>>
>>>> We've noticed 3 of our staff have their emails reliably going straight to spam for O365 destinations, but everyone else can send emails just fine. The affected users are all using Gmail directly (no email clients), nothing fancy at all and I can't see any reason why they would have been affected.
>>>>
>>>> I'm at a bit of a loss as to where to go from here:
>>>>
>>>> - DKIM, DMARC and SPF are all set up correctly
>>>> - G Suite support wasn't much help as the emails are being delivered correctly, and they verified DKIM, DMARC and SPF.
>>>> - We've got SNDS for our mail server (for our servers) of course, but these emails are being delivered directly through GMail not our own servers.
>>>> - I can't use the form to open a ticket for Outlook.com delivery issues as our servers aren't doing the sending, and there aren't any logged errors (the emails aren't being rejected).
>>>> - No bulk marketing or anything has been sent from the affected users, so I can't imagine anyone would have manually marked emails as spam.
>>>> - This issue occurs to all client O365 domains, I've looked at about a dozen different destination O365 domains.
>>>>
>>>> It's all a very weird scenario. Any suggestions would be appreciated.
>>>>
>>>> --
>>>> Nick Stallman
>>>> TECHNICAL DIRECTOR

Re: [mailop] Certain addresses from G Suite going straight to O365 spam
Thanks Richelo.

I did examine some emails that were being blocked and yep two staff were using Hubspot's email tracking. So that very much is a possibility as being the culprit or a contributing factor. A few weeks ago I told them to disable that tracking however with no improvement.

The odd thing is other affected staff haven't used link tracking at all, and there are a lot of staff not affected all on the same domain.

On 11/3/19 3:21 pm, Richelo Killian wrote:
> I have seen something similar for some of our clients, and it turned out to be a Gmail Chrome plugin they used for tracking.
>
> I can’t remember the exact plugin, but, it was changing all links in the email to the plugin tracking domain, and that domain was blacklisted at Microsoft.
>
> So, first thing is to check if those users have any kind of Chrome plugin for Gmail active and disable them and test again.
>
> Not saying this IS the problem, but, it’s a place to start looking ;-)
>
> Kind Regards,
> Richelo Killian
>
> From: Nick Stallman <n...@agentpoint.com>
> Reply: Nick Stallman <n...@agentpoint.com>
> Date: March 11, 2019 at 01:16:19
> To: mailop@mailop.org
> Subject: [mailop] Certain addresses from G Suite going straight to O365 spam
>
>> Has anyone come across a strange issue with O365's spam filter, where some addresses on a domain go straight to spam but other addresses don't, when they are all G Suite addresses?
>>
>> We've noticed 3 of our staff have their emails reliably going straight to spam for O365 destinations, but everyone else can send emails just fine. The affected users are all using Gmail directly (no email clients), nothing fancy at all and I can't see any reason why they would have been affected.
>>
>> I'm at a bit of a loss as to where to go from here:
>>
>> - DKIM, DMARC and SPF are all set up correctly
>> - G Suite support wasn't much help as the emails are being delivered correctly, and they verified DKIM, DMARC and SPF.
>> - We've got SNDS for our mail server (for our servers) of course, but these emails are being delivered directly through GMail not our own servers.
>> - I can't use the form to open a ticket for Outlook.com delivery issues as our servers aren't doing the sending, and there aren't any logged errors (the emails aren't being rejected).
>> - No bulk marketing or anything has been sent from the affected users, so I can't imagine anyone would have manually marked emails as spam.
>> - This issue occurs to all client O365 domains, I've looked at about a dozen different destination O365 domains.
>>
>> It's all a very weird scenario. Any suggestions would be appreciated.
>>
>> --
>> Nick Stallman
>> Technical Director

--
Nick Stallman
Technical Director
Email: n...@agentpoint.com
Phone: 02 8039 6820
Website: www.agentpoint.com.au
Level 3, 100 Harris Street, Pyrmont NSW 2009

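One way to run the check suggested in this thread (whether links or images in the affected senders' mail point at a third-party tracking domain), as an added example that is not part of the original posts. The two messages and the example.com and tracker.example.net names are constructed placeholders; in practice the input would be raw copies of sent mail from affected and unaffected senders.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample messages (not from the thread).
AFFECTED = """\
From: Sales Person <sales@example.com>
Subject: Quote
Content-Type: text/html; charset="utf-8"

<p>The quote is <a href="https://click.tracker.example.net/r?u=https%3A%2F%2Fwww.example.com%2Fquote">here</a>.</p>
<img src="https://open.tracker.example.net/p.gif" width="1" height="1">
"""
UNAFFECTED = """\
From: Other Staff <staff@example.com>
Subject: Quote
Content-Type: text/html; charset="utf-8"

<p>The quote is <a href="https://www.example.com/quote">here</a>.</p>
"""

class _UrlCollector(HTMLParser):
    """Collect (kind, url) pairs for anchors and images in an HTML body."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.found.append(("link", attrs["href"]))
        elif tag == "img" and attrs.get("src"):
            self.found.append(("image", attrs["src"]))

def third_party_hosts(raw_message):
    """Map each host outside the sender's own domain to how it is used."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None:          # plain-text only: nothing to rewrite
        return {}
    collector = _UrlCollector()
    collector.feed(body.get_content())
    hosts = {}
    for kind, url in collector.found:
        host = (urlsplit(url).hostname or "").lower()
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            hosts.setdefault(host, set()).add(kind)
    return hosts

def hosts_only_in_affected(affected, unaffected):
    """Third-party hosts seen in affected senders' mail but never in unaffected mail."""
    clean = set().union(*(third_party_hosts(m) for m in unaffected))
    return {h: k for m in affected for h, k in third_party_hosts(m).items() if h not in clean}
```

An empty result for an affected sender means link rewriting does not explain that sender's filtering, which matches the report above that some affected staff never used tracking.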
[mailop] Certain addresses from G Suite going straight to O365 spam
Has anyone come across a strange issue with O365's spam filter, where some addresses on a domain go straight to spam but other addresses don't, when they are all G Suite addresses?

We've noticed 3 of our staff have their emails reliably going straight to spam for O365 destinations, but everyone else can send emails just fine. The affected users are all using Gmail directly (no email clients), nothing fancy at all and I can't see any reason why they would have been affected.

I'm at a bit of a loss as to where to go from here:

- DKIM, DMARC and SPF are all set up correctly
- G Suite support wasn't much help as the emails are being delivered correctly, and they verified DKIM, DMARC and SPF.
- We've got SNDS for our mail server (for our servers) of course, but these emails are being delivered directly through GMail not our own servers.
- I can't use the form to open a ticket for Outlook.com delivery issues as our servers aren't doing the sending, and there aren't any logged errors (the emails aren't being rejected).
- No bulk marketing or anything has been sent from the affected users, so I can't imagine anyone would have manually marked emails as spam.
- This issue occurs to all client O365 domains, I've looked at about a dozen different destination O365 domains.

It's all a very weird scenario. Any suggestions would be appreciated.

--
Nick Stallman
Technical Director
Email: n...@agentpoint.com
Phone: 02 8039 6820
Website: www.agentpoint.com.au
Level 3, 100 Harris Street, Pyrmont NSW 2009