Re: [mailop] Any URI whitelists out there?

2019-07-11 Thread Simon Forster via mailop


> On 11 Jul 2019, at 05:47, Benoit Panizzon via mailop wrote:
> 
> We operate the SWNIOG Blacklists and Spamtraps.
> 
> We fairly often find URI which make it onto the blacklist, which should
> clearly be whitelisted. Like 'apple.com' just this week.
> 
> We do maintain a whitelist, but I start wondering, if there are
> DNS based URI whitelists which we could query to prevent listing
> domains which shouldn't get listed.
> 
> All google dit spit out on my searches were IP whitelists.

Have you taken a look at white.uribl.com:

• white.uribl.com
- This list contains legit domain names that we do not want to show up on any 
other URIBL lists. This list is pretty static, with only a handful of changes 
per day. URIBL white is not currently bitmasked into multi.uribl.com. If you 
want to query it, you have to send a separate query. This zone rebuilds as 
needed.



I know next to nothing about the list and certainly not in a production 
environment. Nor do I know about licence terms. However, it may match your 
needs.

HTH

Simon





___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Invalument SIP/24

2019-06-27 Thread Simon Forster via mailop

> On 27 Jun 2019, at 09:17, Dave Holmes via mailop  wrote:
> 
> All email is GDPR EU compliant



What the heck does that mean?

And why should any provider of realtime blocklists care whether the spam being 
sent out by a network is compliant with some legislation — or not?

Providers of “threat intelligence data” (of which realtime blocklists is a 
subset) are providing insight into internet properties — typically IP addresses 
and/or domains. Subscribers to that data use it to make decisions which are 
best for them / their network.

Them. Their network.

The fact that the sender (remote network) can point to some tick boxes doesn’t 
make anti-social behaviour any better as far as the recipient is concerned.

It’s akin to being pulled over for driving down the motorway at 120 miles per 
hour and then, when pulled over, explaining patiently to the officer that your 
car is fully road legal and has an up to date MOT test[1]. The latter doesn’t 
excuse the former’s behaviour.

Independent facts. No causality.



As someone who gets to see a lot of “explanations” to justify questionable 
behaviour, all a complainant is doing when they explain that they’re GDPR / 
CANSPAM / CASL  compliant is to indicate that they really don’t 
understand the problem. As such, you’re more likely to get a boilerplate reply 
— or perhaps even no reply at all.

Do yourself a favour. Stick to pertinent facts — and acknowledge / own the 
problem. Just trying to explain it away does no one any favours at all.

Simon


[1] Ministry of transport (MOT) test. During an MOT test, important parts on a 
vehicle will be checked to make sure they meet minimum legal standards. 
Required for a car in the UK after three years (from new). An annual test. 
Interestingly, the government department after which the test is named no 
longer exists.


Re: [mailop] Anybody from spamhaus i can reach off list

2019-04-05 Thread Simon Forster
Use the normal channel. Go to >, look up property and follow instructions.

All the best

Simon

> On 5 Apr 2019, at 11:01, Jan Schapmans  wrote:
> 
> Dear,
>  
> we experienced problems with one of our PTR domains on our CSA ips and we had 
> to change it to a new one.
>  
> We got them approved at CSA but now we are running into SBLCSS Spamhaus 
> listings, most likely related to hitting some kind of snowshoe filter on 
> their end.
> If possible, can we talk off list to get this sorted out as we don’t want to 
> start the weekend like this :-)
>  
>  
> Kind regards,
>  
>  
> JAN SCHAPMANS
> DIRECTOR DELIVERABILITY SERVICES
>  
> mobile +32 498 932 965
> email jan.schapm...@selligent.com 
>  
> SELLIGENT MARKETING CLOUD
> MAXIMIZE EVERY MOMENT
> https://www.selligent.com 
>  
> The information contained in this communication is confidential and is only 
> for the use of the intended addressee. If you have received this 
> communication in error, please destroy it immediately, including all 
> attachments.
>  
>  
>  
> 


Re: [mailop] SpamHaus blocking our DNS queries

2018-10-18 Thread Simon Forster

> On 19 Oct 2018, at 03:41, gustavo wrote:
> 
> Hi
> We have a low-traffic email server, receiving around 800 emails/day and
> sending about the same number of emails/day.
> Since some time ago SpamHaus blocks our dns requests, if I check spamhaus'
> website, the limits for the free service are well above our usage. Any clue
> what may be happening?
> if i run this query for example
> 
> dig +short TXT 35.191.45.200.zen.spamhaus.org it will timeout
> 
> I can perform queries to the ns servers serving spamhaus.org (dig ns
> spamhaus.org) but not to any of the *.gns.spamhaus.org
> 
> more information about the server
> - dns queries time out over ipv4 and/or ipv6
> - vps hosted in hetzner (AS24940)
> - the server is not blacklisted by spamhaus or any other rbl
> - server runs unbound to cache dns queries
> - server hosts mailman for private lists and a bot that bounces emails you
>   sent back to you

As you are aware, your queries are coming from Hetzner’s IP ranges. After many 
discussions with Hetzner, queries coming from Hetzner IP ranges are ignored by 
the Spamhaus public mirror infrastructure. This move was made by Spamhaus due 
to concerns with respect to misuse of the free public mirror service through 
Hetzner’s recursive DNS resolvers. This is not a problem unique to Hetzner nor 
is it Hetzner’s fault. Put simply, a minority of users funnel large volumes of 
queries through an ISP’s DNS resolvers thus anonymising queries to the free 
service. This abuse of a free service is not sustainable.

To work around this, you may sign up for the Data Query Service using the form 
found at >. We are providing the Datafeed Query 
Service (DQS) free of charge to Hetzner customers under the same conditions as 
for the public mirror service which you were using previously. Please note the 
criteria for using the DQS service for free: 
https://www.spamhaus.org/organization/dnsblusage/.

Once you have applied for DQS you will receive an email from Spamhaus’ 
automated systems which gives you login details to the Spamhaus portal. The 
portal includes details with respect to minor modifications you need to make to 
your MTA configurations to use DQS.

Once a year you will need to renew the subscription — but simply replying to 
the automated email should result in trouble free renewal.

For information, the DQS is somewhat better than the service available through 
the Spamhaus public mirror service as updates are pushed to the service in real 
time. Also, the DQS gives you access to the Zero Reputation Domain (ZRD) 
dataset. More on ZRD can be found at 
https://www.spamhaustech.com/download-centre/files/ZRD-factsheet-001.pdf 

HTH

Simon
[Disclosure: I work for Spamhaus Technology]
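An added example (not code from Spamhaus, URIBL or anyone on this list) of the lookup mechanics behind both the white.uribl.com query discussed earlier and the zen.spamhaus.org timeouts in this thread: it builds the query name, then classifies the answer so that a timeout or one of Spamhaus' documented 127.255.255.x error answers is reported as "unknown" rather than as a listing. The resolver is injected so it runs offline; the 192.0.2.x addresses and their answers are constructed.

```python
"""Added example (not Spamhaus' or URIBL's code): build DNSBL query names and
classify answers so that a refused or ignored query is never taken as a listing."""
import ipaddress
from typing import Callable, Optional

# Return codes Spamhaus documents for zen.spamhaus.org ...
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL (DROP/EDROP)", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# ... and the 127.255.255.x answers it uses to signal that a query was refused.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver, not answered",
    "127.255.255.255": "excessive number of queries, not answered",
}

def dnsbl_query_name(target: str, zone: str) -> str:
    """IP targets are reversed per RFC 5782 (octets for v4, nibbles for v6);
    a domain name is appended as-is, which is how white.uribl.com is queried."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return f"{target.rstrip('.')}.{zone}"
    if ip.version == 4:
        labels = reversed(ip.exploded.split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

# The resolver is injected so the example runs offline. It returns the A records,
# [] for NXDOMAIN, or None for a timeout (what gustavo saw from Hetzner space).
Resolver = Callable[[str], Optional[list]]

def classify(target: str, zone: str, resolve: Resolver) -> dict:
    qname = dnsbl_query_name(target, zone)
    answers = resolve(qname)
    if answers is None:
        # No answer carries no reputation information: the list may simply be
        # ignoring this resolver. Fail open and alert rather than block.
        return {"qname": qname, "verdict": "unknown", "reason": "timeout"}
    if not answers:
        return {"qname": qname, "verdict": "not_listed", "reason": "NXDOMAIN"}
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if errors:
        return {"qname": qname, "verdict": "unknown", "reason": errors[0]}
    hits = sorted({ZEN_CODES.get(a, f"unknown code {a}") for a in answers})
    return {"qname": qname, "verdict": "listed", "reason": ", ".join(hits)}

# Constructed offline stand-in for DNS (TEST-NET addresses, not real data).
_FAKE_ZONE = {
    "1.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],  # XBL + PBL
    "2.2.0.192.zen.spamhaus.org": ["127.255.255.254"],          # refused
    "3.2.0.192.zen.spamhaus.org": [],                            # NXDOMAIN
    "4.2.0.192.zen.spamhaus.org": None,                          # timeout
}

def fake_resolve(qname: str) -> Optional[list]:
    return _FAKE_ZONE.get(qname, [])

if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"):
        print(classify(ip, "zen.spamhaus.org", fake_resolve))
```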


Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Simon Forster
> On 17 Jul 2017, at 16:59, Stefano Bagnara  wrote:
> 
> On 17 July 2017 at 16:57, Simon Forster  <mailto:simon-li...@ldml.com>> wrote:
>> 
>> On 17 Jul 2017, at 13:28, Stefano Bagnara  wrote:
>> 
>> Senderscore,
>> senderbase, uce-protect, spamhaus, spamcop and other sources are not
>> publishing information that declares OVH worse than other direct
>> competitors in the EU.
>> 
>> 
>> <https://www.spamhaus.org/statistics/networks/>
>> 
>> ovh.net at #9. Some of their listings are fairly obnoxious stuff which
>> should be dealt with quickly.
>> 
>> Summary: Spamhaus seems to be saying they’re quite bad.
> 
> That page is a moving target and I rarely see OVH there, BTW, now that
> I look it I see
> #1 Microsoft
> #4 Amazon
> #9 Google
> #10 OVH
> 
> So, it is clear to me that this is also about volume, so big
> legitimate senders ARE ALSO on the big spam sender list, or Google is
> a worse option than OVH. Is there anyone blocking Google or Microsoft
> network at all? ;-)
> Remember that OVH is one of the largest senders around, so it is
> expected to be there: that report is just "largest" not "worst". OVH
> is big, like Google and Microsoft and Amazon are big senders... If you
> see "non-big senders" in that list, then THEY are the worst spammers, IMO.
> 
> So, IMHO that report is not a report that lets us say OVH is worse than
> "Put your other ISP here", unless you think that "big == bad" and in
> that case OVH is in company with Microsoft and Google.
> 
>> PS #1 on the same page is Microsoft — but that looks more like someone
>> finding a way to game their signup process to get snowshoe spamming set up
>> on Microsoft's networks. IIRC, there’s a gang rotating around big providers
>> doing this — so different… quality of problem.
> 
> You don't "convince" me on the "poor microsoft is on that list by
> mistake because someone is tricking them... " either: if the report
> is good then Microsoft is the worst provider and Amazon and Google are
> worse than OVH, too. Otherwise that report is not to be used for this
> reason.
> Do you have a "quality excuse" for Google and Amazon, too, so that
> they are not to be considered "worse than quite bad"?


So there’s a misalignment of perspective here. Probably my fault ‘cause I was 
picking you up on one point in your original email.

Let’s draw a distinction between “corporate” outbounds, where “corporate” 
outbounds are MTAs managed by the entity concerned, and hosting space. Think 
Gmail and Hotmail outbounds for “corporate” outbounds.

OVH generally has a poor reputation as evinced by others — whether from 
corporate outbounds or just their (hosting) space, others will have to confirm.

Microsoft, Google and Amazon are working hard to get bad reputations for their 
hosting space but I think it’s generally agreed that they do quite a good job 
managing spam from their corporate outbounds. Thing is though, Microsoft and 
Amazon display some indications that they care about abuse of their 
infrastructure — abuse on the hosting side. There seems to be some desire to 
fix the problems.

The reality is that the conversation increasingly is moving away from a pure 
“spam” discussion to broader “badness” indicators — which is why we talk about 
IP and domain reputation rather than simple spam metrics.

But I digress. To an extent your point is fair enough. Big hosters are more 
likely to end up on the “worst” lists. However, there’s a qualitative element 
which is not so readily apparent. You can extrapolate it from some of the 
datasources if you want to but it’s not quite so easy as looking at a top 10 
list.

Also, there’s a number of big hosting outfits failing to make the list. Yeah, 
so maybe you do need to be a big hoster to get on some of these lists but 
comparatively, some of them do a poor job of managing abuse.

And some do a poor job and give every indication of not really caring that 
they’re doing a bad job.

Simon


Re: [mailop] btinternet.com blacklist

2017-07-17 Thread Simon Forster

> On 17 Jul 2017, at 14:44, Hetzner Blacklist  wrote:
> 
> I’ve been in contact with a number of people this past year and many of
> them have acknowledged that our network no longer deserves a bad
> reputation. However, I can fully understand that not everybody will
> agree, and I believe there are 3 main reasons for that.
> 
> 1) Historical. I will be the first to admit that in the past we were too
> lenient with spam-handling, and there was more spam leaving our network
> than there should have been. This can mean that if somebody gets spam
> from our network today, they think "great, Hetzner hosting another
> spammer", even though the message was due to a compromised account (see
> point 2), and the overall amount of spam is much lower than it was
> historically.

We talk about IP reputation.

We talk about domain reputation.

Marketing talks about brand reputation.

You’ve got to work at it to get a good reputation. And on the flip side, it’s 
darned difficult to get rid of a bad one.

Bastiaan, another year or two of good work and you may overcome people’s 
perceptions.

Point here being that it’s hard (expensive) to reposition a brand. So for all 
the guys doing it right, keep at it as the commercial side will not like it if 
you end up with a bad reputation. Short term benefit may be good but longer 
term, not so much so.

Simon


Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Simon Forster

> On 17 Jul 2017, at 13:28, Stefano Bagnara  wrote:
> 
> Senderscore,
> senderbase, uce-protect, spamhaus, spamcop and other sources are not
> publishing information that declares OVH worse than other direct
> competitors in the EU.

>

ovh.net at #9. Some of their listings are fairly obnoxious stuff which should 
be dealt with quickly.

Summary: Spamhaus seems to be saying they’re quite bad.

Simon


PS #1 on the same page is Microsoft — but that looks more like someone finding 
a way to game their signup process to get snowshoe spamming set up on 
Microsoft's networks. IIRC, there’s a gang rotating around big providers doing 
this — so different… quality of problem.


Re: [mailop] CBL & c_sludge

2017-07-07 Thread Simon Forster
My understanding is that this may have been a misfiring heuristic and that it’s 
been suppressed pending further investigation.

Thank you for asking your question.

All the best

Simon


> On 7 Jul 2017, at 14:37, Kirk MacDonald wrote:
> 
> Struggling a bit to understand a development this morning about MTAs being 
> listed on Spamhaus for a CBL listing for something called c_sludge. The 
> Googles has really nothing helpful about what c_sludge is.
> 
> Thoughts? Tips?
> 
> 
> Kirk MacDonald
> System Analyst II
> Internet
> Eastlink
> 




Re: [mailop] Malware hosted @ Mailchimp

2017-04-03 Thread Simon Forster
>

52.85.245.136/32 is listed on the Spamhaus Block List - SBL
2017-04-03 05:11:52 GMT | amazon.com
Malware distribution @52.85.245.136

A website at this IP address is currently being (ab)used by cybercriminals to 
spread malicious software (malware).

Host: gallery.mailchimp.com
URL: http://gallery.mailchimp.com/907970247e4b173c3d98f70d0/files/22295f1e-32a3-4206-9266-3363a9b1c932/PO_MA0402.zip



> On 3 Apr 2017, at 13:59, Joao Gouveia  wrote:
> 
> Hoping there's someone here from Mailchimp or that can reach them.
> 
> Copy / pasta from another mailing list follows:
> 
> HTML link in email body to hxxps://gallery.mailchimp[.]com/907970247e4b173c3d98f70d0/files/22295f1e-32a3-4206-9266-3363a9b1c932/PO_MA0402.zip
> 
> Zipfile "PO_MA0402.zip" (MD5: 587c2a1b674a4db221414ec35feba9d4)
> VT 8/59 https://virustotal.com/en/file/bef5083028f3ed4f3274639efb967c91df9f148e3ebe8aa37187a6aacf4d7761/analysis/
> 
> 
> Contains PE32 executable "PO-MA0402.exe" (MD5: 1d05d44d34834c6426328dd66f1bad60)
> VT 9/61 https://virustotal.com/en/file/32f25b3373b16d6ecbd28ee9ae4401d6e3ff2383a5615c9d117639763bde07d7/analysis/
> 
> Hybrid https://www.hybrid-analysis.com/sample/32f25b3373b16d6ecbd28ee9ae4401d6e3ff2383a5615c9d117639763bde07d7
> 
> Triggered Sandbox signatures for Nanocore
> Network traffic to sroom77.ddns[.]net:6060 (213.183.58.10 / AnMaXX RU)
> Network traffic to sroom0.ddns[.]net:1414 (154.16.220.26 / AnMaXX RU)
>  
> Malspam also beacons to wwl1526.daum[.]net:4280 (114.108.152.142, ibi.net 
>  / KIDC KR) with sender, recipient, & Message-ID.
>  
>  
> Relevant Headers:
> Received: from mail-smail-vm30.hanmail.net 
>  (HELO mail-smail-vm30.hanmail.net 
> ) (203.133.180.214); 2 Apr 2017 23:06:50 
> -
> Received: from mail-hmail-was8.s2.krane.9rum.cc 
>  ([10.197.10.50]) by 
> mail-smail-vm30.hanmail.net 
> (8.13.8/8.9.1) with SMTP id 
> v32N6Tnj016338; Mon, 3 Apr 2017 08:06:29 +0900
> Date: Mon, 3 Apr 2017 08:06:35 +0900 (KST)
> From: AL SUOMA TRADING  >
> To: alsoumatrading http://yahoo.com/>>
> Subject: PURCHASE ORDER
> Message-ID: <20170403080635.2lPyQhCZTAeMfh0UBMgECw @ 
> ringbell6180.hanmail.net >
>  
>  
> Body:
> ---
> Please find attached a purchase order.
>  
> Kindly send us your best price,  as per  the  below  specifications.
> We look forward to receiving your confirmation.
>  
> Also appreciate if you could reply to the following :
>Technical Drawings and Data Sheets 
>Confirm the weight & dimension of the shipment box 
>Delivery 
>Payment Terms   
>Warrantee Term 
> Kindly confirm receipt of the PO by return email.
>  
> Best Regards,
>  
> Samir
> Procurement Officer
> PURCHASE
>  ORDER pdf 1411 KB
> www.alsmoumatrading[.]com
>  
>  id="confirmMailBeacon">  &rcpt=redacted%40site.com 
> &msgid=%3C20170403080635.2lPyQhCZTAeMfh0UBMgECw%40ringbell6180.hanmail.net
>  %3E">
> ---
> TLP:Green
>  



Re: [mailop] Spamhaus and Spamcop Blacklisting

2016-09-13 Thread Simon Forster

> On 13 Sep 2016, at 11:56, Rupesh Gohil  wrote:
> 
> Hi 
> 
> What is the process of Spamhaus and Spamcop delisting?

For Spamhaus, it’s quite simple. Go to >, find the listed property and follow the 
instructions for removal. I cannot comment on Spamcop’s process.


> I have gone thorough both website with my accounts and ticket also created 
> for delisting, It's now more than 10 days now with no feedback. 
> 
> Is that any contact number to call Spamhaus and Spamcop team to explain whole 
> situation?
> 
> Just wondering if they have dedicated numbers?

Different news: I have something here that’s broken. How do I fix it? Who do I 
call?

Simon



Re: [mailop] How many more RBL's do we really need?

2016-08-29 Thread Simon Forster

> On 29 Aug 2016, at 14:45, Bryan Vest  wrote:
> 
> This may have been brought up before and if there is already a group please 
> point me to it, but we need a study group/governing body/RFC to at least put 
> out suggestions on RBL structure.

RFC 6471 - Overview of Best Email DNS-Based List (DNSBL) Operational Practices >.


Re: [mailop] automated looking mailchimp opt-ins (confused by)

2016-06-30 Thread Simon Forster

> On 30 Jun 2016, at 16:52, Vick Khera  wrote:
> 
> For some customers, enabling reCAPTCHA was the solution because of the volume 
> of bogus signups. For everyone else we opportunistically require reCAPTCHA if 
> the submitting IP is on either CBL or minFraud's proxy list. This latter 
> mechanism matches just shy of 75% of the fake signups exhibiting this pattern 
> historically. Some IP's we observe become "bad" after the fact, so I suspect 
> the actual block rate to be a bit lower.

Spamhaus has the AuthBL whose purpose is to mitigate SMTP Auth abuse. It would 
be interesting to see if it’s of any use combatting this latest maliciousness. 
If anyone would like to test, contact me off list  and 
we’ll get you free access for six months to give it a go.

Simon Forster

  Spamhaus Technology Ltd
  London, UK
  https://www.spamhaustech.com/
  skype: srforster
  m: +44 79 0528 8198


Re: [mailop] "Spammer TLDs" and IP addresses without a reverse?

2016-04-21 Thread Simon Forster
 
On 21 April 2016 at 09:43:53, Paul Smith (p...@pscs.co.uk) wrote:
> It would be great if limited information was available without rate  
> limiting - eg registration date and registrar ID and possibly a  
> data-quality indicator. That would help a lot with spam reduction.  


Spamhaus has an http API which’ll return the info you want as a JSON string.



  {
    "status": "ok",
    "score": "-106",
    "registrar": "Gandi SAS (R42-LROR)",
    "date_created": "1999-10-01",
    "first_seen": "2009-07-17 21:42:22",
    "last_seen": "2016-04-20 00:04:44",
    "spamtrap_hits": "yes",
    "anon_whois": "no",
    "ip": [
      {"ip": "38.229.70.29",   "last_seen": "2011-12-19 13:31:15"},
      {"ip": "72.52.14.56",    "last_seen": "2014-01-20 19:09:04"},
      {"ip": "104.20.24.40",   "last_seen": "2016-04-20 00:04:45"},
      {"ip": "104.20.25.40",   "last_seen": "2016-04-20 00:04:45"},
      {"ip": "141.101.123.93", "last_seen": "2015-03-19 10:33:41"},
      {"ip": "145.97.20.167",  "last_seen": "2014-01-08 16:15:59"},
      {"ip": "154.35.129.66",  "last_seen": "2011-12-28 15:30:15"},
      {"ip": "154.35.160.11",  "last_seen": "2013-03-18 22:43:25"},
      {"ip": "157.56.178.135", "last_seen": "2013-06-29 12:05:55"},
      {"ip": "190.93.240.93",  "last_seen": "2015-03-19 10:33:41"},
      {"ip": "190.93.241.93",  "last_seen": "2015-03-19 10:33:41"},
      {"ip": "190.93.242.93",  "last_seen": "2015-03-19 10:33:41"},
      {"ip": "190.93.243.93",  "last_seen": "2015-03-19 10:33:41"},
      {"ip": "190.93.248.56",  "last_seen": "2013-05-12 04:20:43"},
      {"ip": "190.93.248.140", "last_seen": "2013-04-03 00:03:32"},
      {"ip": "190.93.249.56",  "last_seen": "2013-05-12 04:20:43"},
      {"ip": "190.93.249.140", "last_seen": "2013-04-03 00:03:32"},
      {"ip": "190.93.250.15",  "last_seen": "2015-01-09 23:03:38"},
      {"ip": "190.93.250.83",  "last_seen": "2013-09-28 02:35:51"},
      {"ip": "190.93.251.15",  "last_seen": "2015-01-09 23:03:38"},
      {"ip": "190.93.251.83",  "last_seen": "2013-09-28 02:35:51"},
      {"ip": "190.93.252.13",  "last_seen": "2013-07-14 16:41:01"},
      {"ip": "190.93.252.86",  "last_seen": "2014-11-18 06:38:51"},
      {"ip": "190.93.253.13",  "last_seen": "2013-07-14 16:41:01"},
      {"ip": "190.93.253.86",  "last_seen": "2014-11-18 06:38:51"},
      {"ip": "192.42.118.103", "last_seen": "2014-06-26 01:00:57"},
      {"ip": "192.42.118.104", "last_seen": "2016-04-20 00:04:45"},
      {"ip": "192.150.94.202", "last_seen": "2012-06-20 09:32:19"},
      {"ip": "213.171.194.34", "last_seen": "2012-01-03 17:10:18"}
    ]
  }

Most fields should be self-explanatory. For “score”, the smaller the number the 
better. Positive numbers are bad and, if high enough, result in a listing in 
Spamhaus’ DBL. The “ip” array returns a list of IPs seen sending for the 
domain.

As a mail receiver, how you roll that into your environment is left as an 
exercise for you.

If you want more info, I’ve been a lurker here for a while or you can 
communicate with me directly at my work address . So yes, 
I work at Spamhaus Technology Ltd and am not a disinterested party.

HTH

Simon

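An added example (not Spamhaus' code and not from the post) of the "exercise" left to the receiver above: parse a response in the shape shown and map it to an accept / greylist / reject decision with logged reasons. The field names follow the post; the thresholds, the shortened constructed responses and the assumed sending IPs are this example's own.

```python
"""Added example (not Spamhaus' code): turn the domain-reputation JSON shown in
the post into a receiving-side decision. Thresholds are assumptions."""
import json
from datetime import date, datetime

# Constructed responses in the shape shown above (shortened; not real data).
SAMPLE_GOOD = json.dumps({
    "status": "ok", "score": "-106", "registrar": "Gandi SAS (R42-LROR)",
    "date_created": "1999-10-01", "first_seen": "2009-07-17 21:42:22",
    "last_seen": "2016-04-20 00:04:44", "spamtrap_hits": "yes", "anon_whois": "no",
    "ip": [{"ip": "104.20.24.40", "last_seen": "2016-04-20 00:04:45"},
           {"ip": "213.171.194.34", "last_seen": "2012-01-03 17:10:18"}],
})
SAMPLE_BAD = json.dumps({
    "status": "ok", "score": "80", "registrar": "Example Registrar",
    "date_created": "2016-04-10", "first_seen": "2016-04-12 00:00:00",
    "last_seen": "2016-04-20 00:00:00", "spamtrap_hits": "yes", "anon_whois": "yes",
    "ip": [],
})

def parse_response(raw: str) -> dict:
    """Check the envelope and coerce the string-typed fields."""
    data = json.loads(raw)
    if data.get("status") != "ok":
        raise ValueError(f"unusable response status: {data.get('status')!r}")
    return {
        "score": int(data["score"]),  # smaller is better; positive is bad
        "created": date.fromisoformat(data["date_created"]),
        "spamtrap_hits": data.get("spamtrap_hits") == "yes",
        "anon_whois": data.get("anon_whois") == "yes",
        # IPs seen sending for the domain, keyed for a quick membership test
        "ips": {e["ip"]: datetime.strptime(e["last_seen"], "%Y-%m-%d %H:%M:%S")
                for e in data.get("ip", [])},
    }

def assess(info: dict, sending_ip: str, today: date,
           reject_at: int = 50, young_days: int = 30) -> dict:
    """Map a parsed record onto accept / greylist / reject, with reasons logged.
    reject_at and young_days are illustrative assumptions, not Spamhaus guidance."""
    young = (today - info["created"]).days < young_days
    reasons = []
    if info["score"] > 0:
        reasons.append(f"positive score {info['score']}")
    if young:
        reasons.append(f"domain registered fewer than {young_days} days ago")
    if info["anon_whois"]:
        reasons.append("anonymised whois")
    if info["spamtrap_hits"]:
        reasons.append("spamtrap hits on record")
    if sending_ip not in info["ips"]:
        reasons.append(f"{sending_ip} never seen sending for this domain")
    if info["score"] >= reject_at:
        action = "reject"
    elif info["score"] > 0 or young:
        action = "greylist"
    else:
        action = "accept"  # a clearly negative score outweighs the soft signals
    return {"action": action, "reasons": reasons}

def decide(raw: str, sending_ip: str, today_iso: str) -> dict:
    """Convenience wrapper: raw JSON plus an ISO date in, decision out."""
    return assess(parse_response(raw), sending_ip, date.fromisoformat(today_iso))

if __name__ == "__main__":
    print(decide(SAMPLE_GOOD, "104.20.24.40", "2016-04-21"))
    print(decide(SAMPLE_BAD, "198.51.100.7", "2016-04-21"))
```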