Re: [mailop] $GOOG
Hi, Dňa Thu, 14 Apr 2022 12:43:12 -0400 Bill Cole via mailop napísal: > Basic robustness demands that after a 250-at-EoD, the receiving > system should not simply drop a message but either deliver it or > bounce it. Failures should not be silent. Delivery to somewhere other > than the INBOX is not a silent failure. Yes, that is what i wrote, but you was more quick to send ;-) regards -- Slavko https://www.slavino.sk pgp0WEQ8_d1F3.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] After years of accepting messages, yahoo suddenly stops
Dňa 27. marca 2022 4:48:06 UTC používateľ Mike via mailop napísal: >The question would be, in my mind, why would not yahoo not seem to care >if mail is not delivered to its customers? IMO, it is really simple. First ask yourself, who is interested in email delivery? Sender or recipient? While it can depends, in most cases (email marketing, etc) it is a sender. But sender is not Yahoo's customer, your brother is, but until you will notice he by another channel, he have no chance to know, that he didn't get that email, then he cannot complain. Yahoo didn't received complain, its customer do not know about missing email, all seems OK. The only not satisfied are you, but (again) you aren't yahoo's customer, thus still all is OK (from their point of view)... The only way which i can imagine is, that your brother (its customer) will complain, but i can guess the response which he will get (if any), especially if he is free service user... regards -- Slavko https://www.slavino.sk pgpKfMmKLY0vU.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
Ahoj, Dňa Sat, 12 Mar 2022 10:09:43 +1000 Noel Butler via mailop napísal: > Secondly, like most DNSBL's they probably use rbldnsd, this does not > support TCP, only UDP Sure, that is true for their rbldnsX.sorbs.net (they even responds to version chaos), but not true for their nsX.sorbs.net (at least for those which responds). regards -- Slavko https://www.slavino.sk pgpo4WY_nYC5h.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
Ahoj, Dňa Fri, 11 Mar 2022 20:20:23 -0500 Luis E. Muñoz via mailop napísal: > Just wrapping up a trial with them for a traffic sample. We saw no > issues in processing north of 300 million messages. Care to share > what issues did you see? The sorbs.net provides 15 NS records, from which at least 4 does not respond at all, thus recursive server has problem to get responses. The unbound (as caching recursive DNS), after it reaches certain count of errors, disables that domain for some time. When it is lucky to select working NS, then it gets response for dnsbl.sorbs.net, which yields another 18 NS, from which 10 doesn't responds. And the disabling repeats. When it is lucky to get that response, then unbound caches it and then it works for some time, until TTL expires. Then it start lottery again from start. This persist for long time, while i did not try to collect exact counts before. > We configured a private secondary for this and experienced exactly > zero issues. We are talking about their public DNS, your private mirror is, ehm, your private mirror. regards -- Slavko https://www.slavino.sk pgpHaS6EK9ae7.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
Ahoj, Dňa Fri, 11 Mar 2022 11:20:24 -0800 Dan Mahoney via mailop napísal: > Why are you instead not doing a dig against these ips? It's clear > you understand that ICMP may be blocked, so why not use a check > method that actually uses the protocol you'd use to query them? (send only to Dan accidentally, resend to ML) I did it manually previous, without results collected, i tried to tcptraceroute too (expecting that they responds to TCP requests), etc. I used ping output to demonstrate the problem. I do not know what dig's return code 9 means: ns0.sorbs.net. 113.52.8.11 dig fail 9 ns2.sorbs.net. 87.106.246.125 dig fail 9 ns4.sorbs.net. 78.153.202.24 dig OK ns5.sorbs.net. 72.12.198.241 dig OK ns1175.dns.dyn.com. 108.59.166.201 dig OK ns2174.dns.dyn.com. 108.59.168.201 dig OK ns3179.dns.dyn.com. 108.59.170.201 dig OK ns4151.dns.dyn.com. 108.59.172.201 dig OK ns9.sorbs.net. 169.48.121.207 dig OK rbldns10.sorbs.net. 185.87.186.55 dig OK rbldns7.sorbs.net. 88.208.216.85 dig OK rbldns0.sorbs.net. 113.52.8.50 dig fail 9 rbldns17.sorbs.net. 210.50.3.173 dig fail 9 rbldns3.sorbs.net. 74.208.146.124 dig fail 9 rbldns16.sorbs.net. 74.53.186.252 dig fail 9 rbldns8.sorbs.net. 89.150.195.2 dig fail 9 rbldns4.sorbs.net. 78.153.202.22 dig OK rbldns15.sorbs.net. 87.106.246.154 dig fail 9 rbldns2.sorbs.net. 72.12.198.247 dig OK rbldns18.sorbs.net. 72.12.198.248 dig OK rbldns14.sorbs.net. 194.134.35.168 dig fail 9 rbldns12.sorbs.net. 74.208.146.124 dig fail 9 rbldns13.sorbs.net. 113.52.8.157 dig fail 9 rbldns6.sorbs.net. 194.134.35.204 dig fail 9 rbldns1.sorbs.net. 78.153.202.21 dig OK rbldns11.sorbs.net. 216.12.212.155 dig fail 9 rbldns9.sorbs.net. 169.48.121.206 dig OK While i didn't compare it side by side with ping, it +- corresponds with ping results, at least in mean, that some responds and some not. Here is one example of result with code 9: ; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> @113.52.8.11 163.44.213.129.safe.dnsbl.sorbs.net ; (1 server found) ;; global options: +cmd ;; connection timed out; no servers could be reached regards -- Slavko https://www.slavino.sk pgpZ2a9arNbcW.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
Ahoj, Dňa Fri, 11 Mar 2022 13:41:27 -0600 Michael Rathbun via mailop napísal: > They frequently fail the timeout setting on a DNSBL checker tool I > use. Running the tool again pulls the records in cache that arrived > after the timeout. The resolver is a local instance of bind. I use local unbound, and yes i see responses later, but they are mostly response about timeout from my unbound, which comes after my script's DNS timeout, which is shorted. The collected results was done via another forwarding DNS, which forwards to ISP's DNS at my job's server (not mail). But, as i stated, they corresponds with results from my unbound. regards -- Slavko https://www.slavino.sk pgpx0CRKTqWbh.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
[mailop] sorbs DNS problems
Hi, for relative long time (some weeks) i have troubles with SORBS RBL. I do not use it at MTA nor rspamd level, but only in my script, which i run only manually when i need to inspect some IP status in depth, thus i cannot exceed any limits. But queries to SORBS (concrete to safe.dnsbl.sorbs.net) are sometime success (in mean no timeout), but mostly fails with timeout (message from my script): safe.dnsbl.sorbs.net: The DNS operation timed out after 5.105137348175049 seconds I collect related NS records and try to ping them from another IP (different ISP), to be sure that they are not blocked by me nor by my ISP, and results corresponds with my experiences: ns0.sorbs.net. 113.52.8.11 ping fail ns2.sorbs.net. 87.106.246.125 ping fail ns4.sorbs.net. 78.153.202.24 ping OK ns5.sorbs.net. 72.12.198.241 ping fail ns1175.dns.dyn.com. 108.59.166.201 ping fail ns2174.dns.dyn.com. 108.59.168.201 ping fail ns3179.dns.dyn.com. 108.59.170.201 ping fail ns4151.dns.dyn.com. 108.59.172.201 ping fail ns9.sorbs.net. 169.48.121.207 ping OK rbldns10.sorbs.net. 185.87.186.55 ping OK rbldns7.sorbs.net. 88.208.216.85 ping fail rbldns0.sorbs.net. 113.52.8.50 ping fail rbldns17.sorbs.net. 210.50.3.173 ping fail rbldns3.sorbs.net. 74.208.146.124 ping fail rbldns16.sorbs.net. 74.53.186.252 ping fail rbldns8.sorbs.net. 89.150.195.2 ping fail rbldns4.sorbs.net. 78.153.202.22 ping OK rbldns15.sorbs.net. 87.106.246.154 ping fail rbldns2.sorbs.net. 72.12.198.247 ping OK rbldns18.sorbs.net. 72.12.198.248 ping OK rbldns14.sorbs.net. 194.134.35.168 ping fail rbldns12.sorbs.net. 74.208.146.124 ping fail rbldns13.sorbs.net. 113.52.8.157 ping fail rbldns6.sorbs.net. 194.134.35.204 ping fail rbldns1.sorbs.net. 78.153.202.21 ping OK rbldns11.sorbs.net. 216.12.212.155 ping fail rbldns9.sorbs.net. 169.48.121.206 ping OK As any can see, some responds, and some not... I do not know, if they are not accessible or have ICMP blocked, but i will expect, that if they block ICMP, they will block all not only some hosts. Please, encounter someone else this? Are here some problems on their side? thanks -- Slavko https://www.slavino.sk pgpkXHhusWEoI.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Best email server for home use...
Ahoj, Dňa Wed, 23 Feb 2022 13:10:56 + "Sinclair, John via mailop" napísal: > to rolling and hosting my own email server for the family. What's I use own mail server for some years (5 or so), using exim (+ rspamd now) and dovecot (+ xapian FTS & roundcube) on Debian Linux, which starts for one user only, but then some friends and family members want account too and now are satisfied, without any issues with deliverability of emails, even to big providers, which are know to be restrictive (Microsoft & Google in my case). Having own server gives more privacy, as one don't need to share info with email providers and proves great possibilities to customize SPAM filter, as here is only small number of users. But, on other side, one have to have some knowledge in nowadays email's word, as properly deal with PTR, SPF, DKIM, DMARC, TLS, etc. And requires some knowledge. And one must be prepared to attacks - i deal with ongoing distributed login attack for more than 8 months, and today i am under some SPAM bomb attack, with about 2000 (yet) attempts to send the same scam email to (existing & not existing) users from "their" address. Another tasks, which one have to do includes monitoring, backups, regular security upgrades and other standard admin things. If you have not enough enthusiasm and/or knowledge to play with it, stay with some provider... But when you are brave (and IMO one have to) to do it itself, do not worry, it is not as hard (while it is not setup and forget) as it is described by some email providers in its PR articles and one cat get great experience and privacy, with full customization to own needs. When you abandon ClamAV idea, you do not need to worry about server power and for small amount of users (emails) can be managed even on very cheap hardware (i even starts it on Raspberry Pi 2, but that was bad idea). regards -- Slavko https://www.slavino.sk pgpZqMnphj1rr.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] What a drag it is sending DMARC reports
Ahoj, Dňa Fri, 7 Jan 2022 11:18:21 -0800 Brandon Long via mailop napísal: > Google is providing a service to users at a price with a set of > limits. There are many > limits to the system, as there are limits to the mail systems other > companies provide. I had two simple questions and you respond with tons of words with explaining basic or generally known things, from which i understand: google's users cannot expect, that legitimate mails will be delivered (at all, not delayed), if it come in burst even with other's mailboxes To concretize it to this topic: goggle's mailbox is not reliable for receiving DMARC reports, even for low traffic individuals/SMBs. regards -- Slavko https://www.slavino.sk pgpKjcAV2a7jo.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] What a drag it is sending DMARC reports
Ahoj, Dňa Thu, 6 Jan 2022 11:02:48 -0800 Brandon Long via mailop napísal: > On Thu, Jan 6, 2022 at 5:55 AM Alessandro Vesely > wrote: > > > For a different question, if google has proper methods and checks to > > receive DMARC reports, why doesn't it deploy them for hosted domains > > too? There could be a dmarc-rua check box, for example. > > > > I don't think accepting reports is all that useful by itself, it's > the UI for displaying > them and the intelligence you can bring to bear about the particular > rejects. perhaps i am too stupid to get it, but please, how report data can appear in any UI, when report itself is rejected, thus not delivered? Yes, i remember, that you suggested to use external service for DMARC reports, but that is user choice, right? And it doesn't matter, if user choose gmail mailbox for receiving reports because he/she don't know what is doing or have some (good) reason for it. Or google knows better what is best for particular user? regards -- Slavko https://www.slavino.sk pgpPjKHfig9VH.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] What a drag it is sending DMARC reports
Hi, Dňa Tue, 4 Jan 2022 15:32:57 -0800 Brandon Long via mailop napísal: > For anyone who cares about their dmarc reports, I'd highly recommend > using a third party service for analyzing them, they will be better > set up to handle the load. please, is this suggestion meant universally, or it is mainly targeted for google's (or similar rate limited) users/mailboxes? I have no problem to receive DMARC reports on my low traffic mail server... regards -- Slavko https://www.slavino.sk pgpq_lzhupiWO.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Roundcube client IPs → dovecot, postfix
Ahoj, Dňa Thu, 30 Dec 2021 17:00:57 +0100 Nicolas JEAN via mailop napísal: > So I really want dovecot to know the originating IP for the _first_ > login attempt. I tried the proposed patch and it works, that mean the remote ip is set from first (login) request. That is indeed best solution. > Brute-force protection can also be achieved by fail2ban, as mentioned > by others. Bruteforcing from ONE host only, for distributed and/or slow attempts it is useless. But stopping password guess attempts is only part of defense, as password can be obtained by other ways too. > In such cases of fail2ban bypassing, having a second banning > mechanism can bring additional security, or peace of mind -- at least > it does for me. Moving protection from end apps to central auth service has many advantages. They includes two most important things: + one can define rules at one place and do not care what end apps supports or do not supports + one can count attempts to different service at one place That is exact job for dovecot's auth policy daemon, which can do a lot of things, not only IP based, but it can also work with user/password (hash) and distinguish between success, policy rejected and failed logins. The only part, which is missing for me, is that current dovecot's implementation cannot distinguish between not existent user and failed password, but it is not big problem. My policy daemon can not only block login for bad hosts, but it can eg. blacklist user, when success logins come from many different IP, which can indicate leaked password and thus minimize damage. regards -- Slavko https://www.slavino.sk pgpeocGbz0gfj.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Roundcube client IPs → dovecot, postfix
Ahoj, Dňa Tue, 28 Dec 2021 18:08:24 +0100 Nicolas JEAN via mailop napísal: > Did you encounter the issue of the first IMAP connection not > forwarding the actual client IP to dovecot? OK, i try it, and i see it: imap-login: Login: user=, method=PLAIN, rip=::1, ... imap-login: Login: user=, method=PLAIN, rip=2001:...::1:1, ... I removed timestamps (to short them), but these two lines appears immediately one after other. And now i refresh my memory, that i saw this when i installed (and test) that plugin. I am not sure if that matters. IMO , when dovecot's auth policy will reject the later (with real RIP), the roundcube's content will be empty (at least i hope), and client's IP will be blocked by fail2ban soon or latter. Or i am wrong? regards -- Slavko https://www.slavino.sk pgp0OCwrHe87f.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Roundcube client IPs → dovecot, postfix
Dňa 28. decembra 2021 17:08:24 UTC používateľ Nicolas JEAN via mailop napísal: >Did you encounter the issue of the first IMAP connection not forwarding >the actual client IP to dovecot? (the one sent from roundcube's login page) Terrible to tell now, as i didn't care before and i am not at PC to see server's log now. If i will not forget, i will try tomorrow. In really nobody uses my roundcube, only as fallback or to edit sieve rules from time to time... Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Roundcube client IPs → dovecot, postfix
Dňa 28. decembra 2021 15:55:57 UTC používateľ Nicolas JEAN via mailop napísal: >Still, even if I'm going to have all legalities cleared and my terms of >service updated... >My conclusion is that today, there's no technical way to forward client >IPs from roundcube to dovecot/postfix. At least with dovecot you can use https://gitlab.com/takerukoushirou/roundcube-dovecot_client_ip which can add client's IP to login information (via IMAP's ID command). I use it with my dovecot's auth policy daemon. regards Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Gmail rejects multiple From:'s. Who else?
Hi, Dňa Mon, 13 Dec 2021 09:51:48 -0800 Brandon Long napísal: > Basically, yes, DMARC doesn't handle multiple from addresses, > otherwise one could do From: m...@whatever.com, accou...@google.com and > which domain would this > be considered from? I guess one could evaluate DMARC for both. > Sure, one can evaluate both, but which policy have to be followed, if one will be eg. reject and other success? Especially, if the failing will be bank.com and success will be attacker.com? IMO, this will negate DMARC's purpose. regards -- Slavko https://www.slavino.sk pgpF0kSkdIK4j.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Gmail rejects multiple From:'s. Who else?
Hi, Dňa Mon, 13 Dec 2021 18:19:07 +0100 Alessandro Vesely via mailop napísal: > Is it customary to reject messages with multiple addresses in From:? > Why? AFAIK, DMARC works with only one From: address, thus sites which are verifying DMARC tends to reject multiple addresses in it. regards -- Slavko https://www.slavino.sk pgpxlHNecMD6g.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] postmaster: envelope vs header
Hi, Dňa Sun, 5 Dec 2021 19:51:15 + ml+mailop--- via mailop napísal: > "What's the problem you are trying to solve?" Basically no problem here. I never seen message with unqualified postmaster (RCPT). To be honest, i miss this part of RFC before. I only try to understand, how to deal with unqualified postmaster in To: header, when it is required to accept in RCPT command. If it is OK to reject that message due wrong To: header syntax, or it is needed to manage it in different (special) way as exception in qualification requirements to satisfy this simple way to contact postmaster. regards -- Slavko https://www.slavino.sk pgpjvDz5og80Y.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] postmaster: envelope vs header
Hi, Dňa Sun, 5 Dec 2021 11:24:04 + ml+mailop--- via mailop napísal: > Anyway, my mail was only about a clear violation of the (SMTP) RFC > by comcast. Yes, i understand that, and my question was not to you only (sorry, if it was not clean). I think a little about it, but i cannot find other way than do not use To: header at all, which will be penalized in my anti-spam SW latter. My understanding the To: header syntax is, that it must be qualified, but then there is no reason to not use that address in RCPT command too. Or i miss something? I really do not know... -- Slavko https://www.slavino.sk pgpdtWLUM8O75.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] [EXTERNAL] comcast.net MX
Hi, Dňa Sun, 5 Dec 2021 10:12:24 + ml+mailop--- via mailop napísal: > RFC 5321 SMTP October > 2008 > >o The reserved mailbox name "postmaster" may be used in a RCPT > command without domain qualification (see Section 4.1.1.3) and > MUST be accepted if so used. > But, please, what about header: To: postmaster When i enable verify = header_syntax in exim, it is rejected: ... rejected after DATA: header syntax: unqualified address not permitted: failing address in "To:" header is: postmaster But i found nothing about postmaster in RFC 5322... -- Slavko https://www.slavino.sk pgpWHrixpjcQr.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Postfix / DNSblog Query Problems with various RBLs running in timeouts
Hi, Dňa Fri, 3 Dec 2021 11:55:21 + Glowfish Domainadministrator via mailop napísal: > nslookup 96.63.189.196.spam.spamrats.com > Server: 127.0.0.53 > Address:127.0.0.53#53 I use systemd's resolver as cache too (on one machine) and i meet DNSSEC problems with it too. I didn't investigate it too deeply (as i consider it as wasting of time), i simple disabled DNSSEC at all in it, as i have own validating recursive DNS, thus invalid DNS replies will not reach it. regards -- Slavko https://www.slavino.sk pgp1Tm4UejAv4.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Google DNS Quad 8 Outage tonight (Grant Taylor)
Hi, Dňa Mon, 22 Nov 2021 22:43:49 +0100 Jaroslaw Rafa via mailop napísal: > In some countries (for example in my country) ISPs are legally > required to block domains that are on government's "block list" in > their resolvers. These domains are resolved to an IP address of a > website with generic "this domain has been blocked" message. In my > country this governmental block list contains domains of > gambling-related services that don't have local license to operate in > Poland Some question comes in my minds: a) is your MTA gambler? (or how it is related to mailop?) b) are not these open resolvers contributing to illegal activities? c) are you promoting illegal activities? regards -- Slavko https://www.slavino.sk pgp2RGkF5AM05.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Is there any analysis on root causes of mail account break-ins?
Hi, Dňa Wed, 17 Nov 2021 13:31:50 -0600 Scott Mutter via mailop napísal: > Unless you are sending an encrypted password to your mail server (in > which case, the compromiser still has the necessary to log into your > email account) then this has to be decrypted some how by the email > application. Again, if you're not entering anything to decrypt this > then that means the necessary information to decrypt the encrypted > stored password is on the system in some manner. I agree in principle, but it becomes real problem if that software is used by 60 % of Internet users (hi Chrome), if it is used by 0,00x % users, it must be really targeted attack, otherwise its success will be very very low. Question remains, how valuable will be success targeted attack against **regular** users -- IMO more theoretical than real (and some people still consider me as paranoid ;-) ). regards -- Slavko https://www.slavino.sk pgpRSuoWg7Eyj.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Is there any analysis on root causes of mail account break-ins?
Ahoj,
Dňa Wed, 17 Nov 2021 11:51:46 -0600 Scott Mutter via mailop
napísal:
> Don't forget local compromises - keyloggers, spyware, and other
> malware - running on an end-user's system.
If one use good email client/browser, locally stored passwords are not a
problem as they are encrypted:
{AES-256-CBC,5}nzTZHRh...snip...2sbjH9/O/XoG
If you have passwords stored in plaintext, no malware is needed, as
some OS are posting all personal files to its vendor, often hidden as
telemetry, and often cannot be fully disabled... But when you cannot
believe your OS, then no "telemetry" is needed, as OS can see all your
typing anyway...
No, i do not want to tell, that these OS's vendors are participating on
passwords leaks, but these files can be stolen from them by attackers
or employees (they are people too).
And if someone provides, in these days, still plain access (110/tcp,
143/tcp, 25/tcp with or without STARTTLS) for you (do not matter if
as primary or as fallback only), nobody have to care about files in your
PC.
regards
--
Slavko
https://www.slavino.sk
pgpIO_s_4qkzG.pgp
Description: Digitálny podpis OpenPGP
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] 0spam.org DNSBL SERVFAIL
Ahoj, Dňa Sun, 14 Nov 2021 10:02:31 + Simon Arlott via mailop napísal: > In this case, the signature is for the SOA with serial 2021110401 but > the current SOA serial is 2021110501: > https://gist.github.com/nomis/239c16f5f2321600e9397933b193d955 Please, i am curious, how did you get the original (validating) SOA serial? -- Slavko https://www.slavino.sk pgpg_vj5lBLzL.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] 0spam.org DNSBL SERVFAIL
Ahoj, Dňa Sun, 14 Nov 2021 10:40:01 +1000 Noel Butler via mailop napísal: > On 13/11/2021 21:58, Renaud Allard via mailop wrote: > > > It fails here too > > > > # time dig 2.0.0.127.bl.0spam.org > > > > ; <<>> dig 9.10.8-P1 <<>> 2.0.0.127.bl.0spam.org > > ;; global options: +cmd > > ;; connection timed out; no servers could be reached > > 0m15.04s real 0m00.01s user 0m00.01s system > > ~# dig 2.0.0.127.bl.0spam.org > > ; <<>> DiG 9.16.22 <<>> 2.0.0.127.bl.0spam.org > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58252 > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: dig 2.0.0.127.bl.0spam.org ; <<>> DiG 9.17.19-1-Debian <<>> 2.0.0.127.bl.0spam.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37343 ^^^ ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;2.0.0.127.bl.0spam.org.IN A ;; ANSWER SECTION: 2.0.0.127.bl.0spam.org. 900 IN A 127.0.0.2 ;; Query time: 0 msec ;; SERVER: 192.168.10.13#53(192.168.10.13) (UDP) ;; WHEN: Sun Nov 14 09:29:41 CET 2021 ;; MSG SIZE rcvd: 67 dig 1.0.0.127.bl.0spam.org ; <<>> DiG 9.17.19-1-Debian <<>> 1.0.0.127.bl.0spam.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48097 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;1.0.0.127.bl.0spam.org.IN A ;; Query time: 1740 msec ;; SERVER: 192.168.10.13#53(192.168.10.13) (UDP) ;; WHEN: Sun Nov 14 09:29:50 CET 2021 ;; MSG SIZE rcvd: 51 regards -- Slavko https://www.slavino.sk pgpEhk21TyjUO.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Large volume of script spam related to liberachat false-flag
Dňa 14. novembra 2021 8:00:26 UTC používateľ "Dan Mahoney (Gushi) via mailop" napísal: >It didn't look very sophisticated -- basic port 25 blast with no response >parsing. Missing message-ids. I reject remote mails without Message-ID header, but here they are rare. Most of scripts do not respecting SMTP 5xx responses are later rejected by other reason, even with connection drop and/or fail2ban block for repeating offenders. -- Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] 0spam.org DNSBL SERVFAIL
Hi, Dňa Fri, 12 Nov 2021 16:15:34 -0600 Jarland Donnell via mailop napísal: > This is who runs it: https://area51services.com/ I tried to report problem to them via contact form, but they require phone number, which i am not willing to provide them and form doesn't accept the fake one (or i do not know how to properly fake it). I will just ignore their errors and perhaps whole RBL after some time, it is not crucial for me. regards -- Slavko https://www.slavino.sk pgpwRJfwhNY7c.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] 0spam.org DNSBL SERVFAIL
Hi, Dňa 12 Nov 2021 19:59:11 -0500 John Levine via mailop napísal: > When I do an A lookup on bl.0spam.org or 2.0.0.127.bl.0spam.org it > works fine, valid DNSSEC. Yes, this works for me too with positive answer, but fails for NXDOMAIN answers, see below. > Where are you looking for an SOA, any why? when i ask not listed IP (real example IP here), it returns SOA in AUTHORITY section in case NXDOMAIN (without validating): dig 62.82.187.80.bl.0spam.org +cdflag ; <<>> DiG 9.17.19-1-Debian <<>> 62.82.187.80.bl.0spam.org +cdflag ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36826 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;62.82.187.80.bl.0spam.org. IN A ;; AUTHORITY SECTION: 0spam.org. 900 IN SOA ns1.0spam.org. sa.0spam.org. 2021110501 10800 3600 1209600 3600 ;; Query time: 0 msec ;; SERVER: 192.168.10.13#53(192.168.10.13) (UDP) ;; WHEN: Sat Nov 13 11:11:29 CET 2021 ;; MSG SIZE rcvd: 97 The same with validation: dig 62.82.187.80.bl.0spam.org ; <<>> DiG 9.17.19-1-Debian <<>> 62.82.187.80.bl.0spam.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53811 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;62.82.187.80.bl.0spam.org. IN A ;; Query time: 0 msec ;; SERVER: 192.168.10.13#53(192.168.10.13) (UDP) ;; WHEN: Sat Nov 13 11:14:27 CET 2021 ;; MSG SIZE rcvd: 54 And unbound logs: info: validation failure <80.bl.0spam.org. A IN>: signature crypto failed from 208.92.158.10 for <0spam.org. SOA IN> info: validation failure <187.80.bl.0spam.org. A IN>: signature crypto failed from 208.92.158.10 for <0spam.org. SOA IN> info: validation failure <62.82.187.80.bl.0spam.org. A IN>: signature crypto failed from 208.92.158.10 for <0spam.org. SOA IN> info: validation failure <82.187.80.bl.0spam.org. A IN>: signature crypto failed from 208.92.158.10 for <0spam.org. SOA IN> regards -- Slavko https://www.slavino.sk pgpySgaOfk04e.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] 0spam.org DNSBL SERVFAIL
Dňa 12. novembra 2021 22:15:34 UTC používateľ Jarland Donnell via mailop napísal: >This is who runs it: https://area51services.com/ Thanks Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] 0spam.org DNSBL SERVFAIL
Dňa 12. novembra 2021 20:30:25 UTC používateľ Michael Peddemors via mailop napísal: >If you check mxtoolbox or hetrixtools, and see an IP listed, but you >don't see it listed in your queries, or blocked/flagged by the chosen >RBL, it is most likely a DNS problem. > >Many open resolvers are blocked by many RBL's.. Your crystal ball is broken, consider to get new one ;-) >(IT's DNS, it's always DNS) More specific, MY recursive & validating DNS server reports that it is DNSSEC problem with their SOA signature. I cannot find contact address on their site, thus i ask here... Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
[mailop] 0spam.org DNSBL SERVFAIL
Hi, I am using bl.0spam.org and nbl.0spam.org RBLs in my custom RBL check script, but in more days their DNS server returns SERVFAIL. Please, are these RBL gone or it is only mistake in its configuration? regards -- Slavko https://www.slavino.sk pgpPxqibrEsKY.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Failing ed25519-sha256 verfication (was: Re: DKIM signing with ed25519 keys - leap of faith)
Dňa 5. 11. o 9:31 Patrick Ben Koetter via mailop napísal(a): > rspamd, which has been used in the example avove, seems to handle > ed25519-sha256 verification quite well. Anyone using other DKIM verifiers > which have problems with ed25519-sha256 verification and take it badly i.e. do > anything else but note "unsupported algo" and go on happily verifying the > second rsa-sha256 sigs? I use dual sign with ed25519 keys and i have enabled rua reports. While my domain is very low traffic, i have only small amount of reports. But i see that e.g. google verifies RSA keys as success and ED25519 keys are failed, but this does not affects DMARC success verification. E.g. reports from amazon-ses are lacking ed25519 keys at all, but again DMARC was success. When i start to use de25519 keys, i tried multiple online verifiers and most of RSA only reports message as failed DKIM at all when they meet ED25519 key. Then yes one can meet implementation which will fail DKIM, if it meet unknown algorihtm, but IMO it is pure its problem, which have to be solved from their side, as it is broken behavior. regards slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] cloudapp.azure.com spamming again
Ahoj, Dňa Tue, 2 Nov 2021 07:21:31 -0700 Michael Peddemors via mailop napísal: > SpamRats has nothing to do with Microsoft, but it does have two lists > that can help with Spammers on Azure. I am sorry, it was my misunderstanding what it is linked. I initially think that you point me to mentioned AZURE-RATS and that URL surprised me. regards -- Slavko https://www.slavino.sk pgpGtcqqk_eJ_.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] cloudapp.azure.com spamming again
Dňa 1. novembra 2021 23:09:56 UTC používateľ Michael Peddemors via mailop napísal: >The 'current' link.. (it does change) is.. > >https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653 Please, what have Microsoft with SpamRats? Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] cloudapp.azure.com spamming again
Dňa 1. novembra 2021 21:40:50 UTC používateľ Michael Peddemors via mailop napísal: >RATS-AZURE might be your friend, but we combine that with other checks >to auto detect spammers from Azure.. Please, is it described somewhere? I cannot see it in https://spamrats.com/ regards Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Fighting spam
Dňa 15. 10. o 0:04 Hans-Martin Mosner via mailop napísal(a): > 1. Rspamd (embedded in a Mailu installation) for low-maintenance operation. > That packages includes several mechanisms > to score messages and handle them according to score intervals. This does > a relatively good job but isn't really > able to detect persistent spammers using their own IP ranges. Are you aware of its reputation module? In conjuction with selector system you can build reputation on wide range of params without touching Lua. Beside its IP reputation i use sender's eSLD, IPnet & ASN reputation with score limited to not be enough for rejection. If spamer uses not related IP, ASN and/or senders (snowshoe), you still can use its bayes and/or fuzzy checks. But basically the reputation module with RBL scoring does good job and in last year i do not remmeber any false negative mail and small amount of false positives, especially from gmail, these false positives are mostly not due reputation, but due SPF/DKIM/DMARC ignorance of our eshop systems. I have small python script, which gets reputation data from rspam's redis DB and fill dynamic blocklist for exim, to block persistent spammers at MTA level (RCPT stage). regards ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DKIM signing with ed25519 keys - leap of faith
Hi, Dňa 12 Oct 2021 12:12:27 -0400 John Levine via mailop napísal: > The perl and python DKIM modules still don't support ed25519 keys. > They're on my list of things to do, but pretty far down the list. python's dkimpy (and its CLI tool) is able to check ed25519, but by default it checks only first signature. I do not know in which version it was added. regards -- Slavko http://slavino.sk pgp_ymkAvtbht.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DKIM signing with ed25519 keys - leap of faith
Ahoj, Dňa Tue, 12 Oct 2021 19:52:38 +0100 Vsevolod Stakhov via mailop napísal: > You can do it with Rspamd as well: > > > rspamadm dkim_keygen -d example.com -s dkim -t ed25519 > vYJfhPrDPls0CBf4Y5H1usrJu6OxDaYubEAldoyza9X4PwjpomnSnMJyf0tNLfDj5KvVAVGMI+DF3sPSDj3USA== > dkim._domainkey IN TXT ( "v=DKIM1; k=ed25519; " > "p=+D8I6aJp0pzCcn9LTS3w4+Sr1QFRjCPgxd7D0g491Eg=" ) ; And it is usable in exim? (i cannot to test it right now) AFAIK it expects: -BEGIN PRIVATE KEY- key-base64 -END PRIVATE KEY- regards -- Slavko http://slavino.sk pgpXpN0nNkZC5.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DKIM signing with ed25519 keys - leap of faith
Dňa 12. 10. o 11:02 Sidsel Jensen via mailop napísal(a): > My question to you: What are your thoughts on starting to sign with ed25519 > keys and what is currently holdning you back? I am using dual sign with ed25519 keys for some months already (i do not remember exactly without checking config, sorry), because i think, that it is way to go in future. Recently i enabled DMARC rua eports to see results, but i am not sending a lot of emails. Most of reports simple miss ed25519 DKIM in its reports, thus i guess, that they applied to ignore unknown signature algo. The only reports with included ed25519 is from google, but it always failed, eg.: slavino.sk pass r2021 slavino.sk fail e2021 slavino.sk pass Or failed without mention selector: slavino.sk pass r2021 slavino.sk fail slavino.sk pass Both examples are from my IP and i am not sure how to interpret them. > One thing I did find was that a number of the DKIM checker tools does not yet > support the new keys. I’ve reached out to EasyDMARC and I know their > developers are currently looking at it, but I could use the help of the mail > community to reach out to some of the other DKIM checker tools to get them up > to date as well, if you have any contacts there. The rspamd is able to verify/sign ed25519 keys, thus if you can send email to site which is using it and will add results headers, you can verify it. The biggest troubles with ed25519 key is lack of tools to generate ed25519 keys tends to use different formats for private keys, thus they cannot be used universally (generate in one and use in another). Recently i did own tool to generate (both RSA & ED) keys in form for exim MTA and for DNS, but it not finished yet... Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Google not sending DMARC reports since 10/3
Hi, Dňa Fri, 08 Oct 2021 16:33:12 + Faisal Misle via mailop napísal: > It seems Google has not been sending any DMARC reports since 10/3. > Our internal data shows Google has not been sending us reports to our > RUAs Reports are send now, but twice a day, and today even thrice (report ID 5465279129776). regards -- Slavko http://slavino.sk pgpD6oLsqgnGY.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
Hi, Dňa 4 Oct 2021 23:06:53 -0400 John Levine via mailop napísal: > I think you will find that rejecting on SPF -all (other than the > special case of a bare -all meaning we send no mail) will make you > reject a lot of perfectly good mail. So don't do that. I check log for last month (30 days), i found 52 rejected messages due SPF fail, only one has valid reverse DNS and only 12 of them was trough TLS. Some IP was duplicated (44 unique). All of them are on some RBL (except one) and most of them is on more than 4 RBLs (including multiple results in composite RBLs), thus most of them will be anyway rejected later due RBLs scoring. After i switch SPF to rspamd i got only one SPF fail, which was rejected later due too many RBLs. This doesn't seem as a lot nor as legitimate mails (perhaps because my users do not use forwarders, they are not very popular in our country)... regards -- Slavko http://slavino.sk pgpncpgyuoDtM.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
Hi, Dňa Mon, 4 Oct 2021 21:15:25 +0200 Alessandro Vesely via mailop napísal: > That's if exim can lookup dnswl and accept spf=fail for whitelisted > IPs. Ah, i understand now, thanks. I think about it too awkwardly ;-) regards -- Slavko http://slavino.sk pgpF0bsgW4OUX.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
Hi, thanks for all answers, all was useful. Note: I am talking (asking) about incoming emails, not about my domain. Dňa Mon, 4 Oct 2021 14:15:03 +0200 Alessandro Vesely via mailop napísal: > You can consider either the union or the intersection. OK, i read suggested 6.7 and 10.1 sections of RFC7489 and my understanding of them is, that i can implement what i want :-P But joking apart, basically the 6.7 section gives answer to my question, that SPF -all is typically ignored for p= other than none. Until recently my MTA was rejecting mails based on SPF fail (eg. -all) at RCPT stage, thus before any DMARC checking. The DMARC checking is done in rspamd (with exim) and recently i decided to enable its DMARC module (including rua reports) and forcing reject/mark based on DMARC results. And i removed SPF rejecting at RCPT stage, but then i start to think about p=none. > Honoring SPF -all is too harsh anyway. It is very efficient because > you can reject before DATA, but needs to be softened. IME, using a > whitelist such as dnswl.org is enough to get rid of clowns pretending > to be your domain (if you publish spf-all), while letting almost all > legitimate forwarders pass. Yes, clowns :-P but i do not understand how dnswl.org can help with them. Can you please elaborate more on it? > DMARC filtering has to be done after DATA. At that point you can > consider the SPF result recorded in header and add them to the mix. > It also depends on what options your software offers. Courier-MTA > has a -allow option and an "allowok" SPF setting to ease such usage, > so it is convenient. Rejecting message after DATA based on rule available on RCPT seems as not very effective for me, as the DATA are transferred uselessly. And my experience shows, that some sites (not all, no most, only some) better understand rejection at RCPT stage, than at DATA stage and in second case persistently continues to sends their garbage. But anyway i am considering to do it as you suggests, as it is only one way to check the value of p= while i consider, that when domain owner wnts to fail if -something is defined, i will follow it. Finally i want to do it as this: + check SPF in exim, but do not decide on it, only fill the Authentication-Results header + leave rspamd to make decision based on DMARC quarantine|reject policy + leave rspamd to make decision based on SPF fail|softfail, if no DMARC or p=none + leave rspamd to use DKIM only for scoring message, if no DMARC Please, is it good plan? -- Slavko http://slavino.sk pgpIuZtCcB5HT.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
[mailop] DMARC and pure SPF
Hi, please i want to ask how to deal with pure SPF when DMARC is in use. I understand how to deal with SPF within DMARC checks and i do not want to diskuss this. But what if domain owner specify eg. -all (or ~all) and SPF check against SMTP.From (or EHLO) fails (or softfails) with this rule? Have i (my MTA) follow this rule (respect domain owner) and reject (mark) mail without taking DMARC policy into account. Or have i make decision only based on DMARC result AND policy and ignore pure SPF checks at all? AFAIK, even when SPF in DMARC fails, there still can be DMARC success with DKIM and this can leads to ignore SPF -/~all. I am confused... regards -- Slavko signature.asc Description: OpenPGP digital signature ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] rua report rejected by microsoft
Hi, Dňa Tue, 28 Sep 2021 17:27:48 + Faisal Misle via mailop napísal: > That usually means the address does not exist in Office 365. > Thanks to both (i got one offlist response too). Reading here about problems with mail delivery to microsoft, i was not sure if it is not my mistake, and SMTP message was not clear in this (at least for me). regards -- Slavko http://slavino.sk pgpedbdcsHrgr.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
[mailop] rua report rejected by microsoft
Hi, my rua report was rejected at RCPT stage with: SMTP error from remote mail server after RCPT TO:: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [DB5EUR01FT030.eop-EUR01.prod.protection.outlook.com] I search the Internet, but i found multiple similar posts, but no clean description what is cause, as most of them talk about something in exchange, which i am not familiar with. Please, can someone explain me, what this rejection means? What is (can be) real reason? thanks -- Slavko http://slavino.sk pgp3tJ3XiP_Uh.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Whoisand GDPR - was Re: Got any users in Texas? Better turn off your spam filters by Dec 2
Ahoj, Dňa Mon, 27 Sep 2021 08:04:18 -0700 Michael Peddemors via mailop napísal: > Yes, an individual probably SHOULD be able to opt out from whois IF > THEY WANT, however if if they expect people to allow traffic from > their domain, they should understand that transparency is important, > especially so that people can notify them if 'things go wrong'. In this case i will expect, that you will block traffic from gmail.com, yahoo.com or even mailop.org, as there is no one person name behind these domains in WHOIS... Yes, i know that you will tell, that there is organization info, but that is the same anonymity as no name when there is not organization behind it. As i am all persons behind my domain, i then will want to publish all people who profits from these organizations in WHOIS. When transparency, then total transparency, not selective one! regards -- Slavko http://slavino.sk pgpXy9_F2Hmug.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Got any users in Texas? Better turn off your spam filters by Dec 2
Ahoj, Dňa Sat, 25 Sep 2021 12:11:19 +0200 Alessandro Vesely via mailop napísal: > On Fri 24/Sep/2021 19:55:51 +0200 Slavko Via Mailop wrote: > > Good analogy, as street is as public as the Internet is. You do not > > answer if are you publishing your identity on the street. > > Yes, you have to publish your identity if you open a shop or even a > stall on the street. > Yes, when you want provide (payed) services for others. But not when you want to buy in it, nor when someone want to sell something to you (i mean your identity, not seller one). Nor when you want to invite friend in your home (they walk on the street too). regards -- Slavko http://slavino.sk pgpujlfGjC5YK.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Got any users in Texas? Better turn off your spam filters by Dec 2
Ahoj, Dňa Fri, 24 Sep 2021 12:36:23 -0400 Bill Cole via mailop napísal: > On 2021-09-24 at 11:50:24 UTC-0400 (Fri, 24 Sep 2021 17:50:24 +0200) > Slavko via mailop > is rumored to have said: > > > While i cannot comment mentioned OVH domain, i will ask, why anyone > > have to know from WHOIS of my domain my name, or my address or > > anything > > about me as private person? Yes, if someone has archive of WHOIS > > response, it was there and i was not happy from that. Are you having > > label with these info at top of face when you are walking on the > > street? > > Bad analogy. Good analogy, as street is as public as the Internet is. You do not answer if are you publishing your identity on the street. > Owning an operational domain name makes you a public person. A domain > name is a claim on a specific piece of the public commons of the DNS. > In many places (including the US and at least some European > countries) you can only own land if your 'title' to that land is > registered with the government in an open public record. In the US, > that title includes the record of past ownership and even sales > prices. A domain name is intrinsically connected to public > interaction. And that is what GDPR exactly prevents. That anyone want/require that others have to publish, what they don't want, only because they want to know it. The RFC defines ways how to contact domain's services maintainers (postmaster, hostmaster, abuse, etc). What more you need to know? What will be better with my services, when i publish my name? Do you know me? What will prevent me to publish fictive name or use someone else to register domain for me? You do not need know me, you only need to know, if my servers abuse you or not. Nothing more, nothing less, exactly as on the street. Or do you care about identity of all people on the street, which want something from you? I doubt... When you look at RFC, you will found, that it say about server's identity (HELO/EHLO) nothing more, nothing less. And even tells, that no one have to reject emails based on that identity checks... I do not know how in USA, but in our country the government has tools to know my identity, if there is legal reason (and court approve it). How legal is your reason, beside that you want to know it? In our country's neighbor, here is one saying (i will no try to translate it): "jména hloupých na všech sloupích", see https://cs.wiktionary.org/wiki/jm%C3%A9na_hloup%C3%BDch_na_v%C5%A1ech_sloup%C3%ADch regards -- Slavko http://slavino.sk pgpEB_iIiMh3c.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Got any users in Texas? Better turn off your spam filters by Dec 2
Ahoj, Dňa Fri, 24 Sep 2021 14:45:08 + Steven Champeon via mailop napísal: > Looking up the domain in Google gives you the parent organization, as > well as a link to a French Wikipedia page containing their address, > leadership, history, URL, etc. so the net effect is that GDPR > destroying WHOIS has provided absolutely no "privacy protection", and > the illusory belief that blocking one of thousands of potential > sources of information will protect anyone's privacy (not that > corporations are people, despite whatever laws may state the > contrary) is asinine and delusional. While i cannot comment mentioned OVH domain, i will ask, why anyone have to know from WHOIS of my domain my name, or my address or anything about me as private person? Yes, if someone has archive of WHOIS response, it was there and i was not happy from that. Are you having label with these info at top of face when you are walking on the street? That some companies are misusing GDPR to hide own identity? That doesn't mean, that GDPR is bad, it only shows that some companies are (at least) suspicious. While it still can be private domain... As someone already mention, GDPR is step in good direction. Not perfect nor without problems, but good step and good direction. -- Slavko http://slavino.sk pgpBaYUJ6qChJ.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Got any users in Texas? Better turn off your spam filters by Dec 2
Hi, Dňa 24. 9. o 11:40 Jaroslaw Rafa via mailop napísal(a): > This *is* a law that "helps protect the innocent victims". Yes, it is > sometimes poorly (or intentionally wrongly) implemented, such an abusing the > "legitimate interest" concept included in the GDPR by many advertisers to > still flood you with advertising. It may also have unwanted consequences as > anonymizing the data of domain holders in registries, if these holders are > private persons. But in fact in my opinion GDPR is overall a good step in > protecting the rights of the individual. I absolutely agree, GDPR is intended to protect individual's privacy. And most of caomplains come from these semi-spammers, who think, that people have email addresses to get their advertisements. > Maybe Americans have a different experience, as GDPR only imposes some > obligations on them without returning any benefits (as US does not have a > similar data protection law, as far as I know), but we Europeans view GDPR > differently, as provides some *actual benefits* to us. Sure, USA has different laws and different point of view on users privacy, than here in EU. regards Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] How to detect fraud login in POP IMAP or SMTP?
Hi, Dňa Tue, 21 Sep 2021 17:08:54 +0200 Alessio Cecchi via mailop napísal: > For "do something" I means: > > - too many logins from different country > - too many fast login You do not tell what IMAP/POP3 server are you using, but eg. with dovecot you can use/apply these (and more) policies by its auth_policy facility and dedicated policy daemon. The policy daemon is here https://github.com/PowerDNS/weakforced and it can be used as standalone (without dovecot) by its HTTP API. regards -- Slavko http://slavino.sk pgpfnBcGHZYQc.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] what is the PSL, was Gmail putting messages to spam
Hi, Dňa Tue, 21 Sep 2021 18:30:46 +0200 Alexey Shpakovsky via mailop napísal: > On Tue, September 21, 2021 17:39, Slavko via mailop wrote: > > > I am curious, do you block whole gmail.com? > > No, but at one time I was pretty close to blocking yahoo, having 0 > friend using it. > > But I have only a single-user personal server, so have more freedom > than majority of members of this list. You simple cannot apply single user MTA/SPAM filtering rules to multi user environment. And that multi user environment is not necessary big email provider, even with my small number of users i cannot reliably decide, on what domains their friends/contacts are. Some time ago i applied (time based) blocking whole TLD based on their SPAM reputation (from rspamd). I abandon it shortly, it was bad approach which catch a lot false positives and there are better ways to distinguish usual SPAM messages, while bad reputation is still counted (and the gmail has the worst one here and i need to WL some of its senders). Anyway, i do not understand one thing. As i read here, the gmail is blocking a lot of regular messages (or mark them as SPAM). But i (my MTA) daily got "million dollars" offers (or similar) from gmail. Which one having millions dollars will use freemail? What their AI is doing? Is it blocking SPAM or it only blocks concurrence? Or they decided, that there is not enough data transferred in network and thus adding more useless traffic is needed? regards -- Slavko http://slavino.sk pgpZh0h3lqYU0.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] what is the PSL, was Gmail putting messages to spam
Hi, Dňa Tue, 21 Sep 2021 15:02:37 +0200 Alexey Shpakovsky via mailop napísal: > However, we live in an imperfect world, and if some email provider > would declare themselves "big" but offer unlimited number of free > email addresses for spammers - then everyone else will likely just > block the whole domain. I am curious, do you block whole gmail.com? regards -- Slavko http://slavino.sk pgplkry7kTSYe.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Google and IPv6
Ahoj, Dňa Mon, 13 Sep 2021 22:46:47 +0100 Chris Malton via mailop napísal: > Last I looked, HE tunnels block TCP port 25 unless explicitly > requested to be unblocked. > > Looks to still be the case from their FAQ - > https://ipv6.he.net/certification/faq.php > Once again thanks, it is enabled now. It took some time, but finally i got email, that i have "unblock" button in my tunnel settings, where i enabled it by self and now i can reach the remote 25 port via IPv6: nmap -6p 25 2a00:1450:400c:c07::1b Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-14 18:43 CEST Nmap scan report for wo-in-x1b.1e100.net (2a00:1450:400c:c07::1b) Host is up (0.035s latency). PORT STATE SERVICE 25/tcp open smtp Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds regards -- Slavko http://slavino.sk pgpLSdYi41lH1.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Google and IPv6
Hi, Dňa Mon, 13 Sep 2021 14:41:34 -0700 Brandon Long via mailop napísal: > I did get the IP offlist, and my initial investigation didn't find it > on any block lists. Thanks for investigation, it was not google fail. I am sorry for wasting your time. regards -- Slavko http://slavino.sk pgp0aumm_aKPr.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Google and IPv6, was Recommendation for inbox provider?
Dňa 13. septembra 2021 21:46:47 UTC používateľ Chris Malton napísal: > >Last I looked, HE tunnels block TCP port 25 unless explicitly requested >to be unblocked. Oh, many thanks for it. I miss or forgot this. I am sorry that i blame google ;-) I didn't care about this for long time, as i had not PTRs for IPv6, thus i disabled it for outgoing mails, but recently i setup it correctly and enabled it. I will contact them. regards Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Google and IPv6, was Recommendation for inbox provider?
Dňa 9. septembra 2021 17:44:14 UTC používateľ Brandon Long via mailop napísal: > >I can't do any investigation without knowing your IP address or net. > Hi, I send you IPs offlist, did you got it? regards Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Google and IPv6, was Recommendation for inbox provider?
Hi, Dňa 8. 9. o 22:44 Brandon Long via mailop napísal(a): > Hmm, blocking connections is highly unusual for us, as it doesn't provide > any feedback, usually we respond with a 5xx banner or to HELO. I would > check to see if you can reach www.google.com on IPv6 from the same box, and > if you can, then go ahead and send me your IPv6 address and I can escalate > that. I can ping it from that box: ping -ac2 2a00:1450:400c:c07::1b PING 2a00:1450:400c:c07::1b(2a00:1450:400c:c07::1b) 56 data bytes 64 bytes from 2a00:1450:400c:c07::1b: icmp_seq=1 ttl=107 time=32.9 ms 64 bytes from 2a00:1450:400c:c07::1b: icmp_seq=2 ttl=107 time=31.7 ms --- 2a00:1450:400c:c07::1b ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 31.702/32.297/32.892/0.595 ms It is a LXC container with limited software, but here is nmap output from its physical host: nmap -6p 25 2a00:1450:400c:c07::1b Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-09 10:44 CEST Nmap scan report for wo-in-f27.1e100.net (2a00:1450:400c:c07::1b) Host is up (0.029s latency). PORT STATESERVICE 25/tcp filtered smtp Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds > Unusual means it's almost always a manual step taken in response to a spam > or other bad acting campaign of extremely large magnitude... but sometimes > those types of blocks can linger. Here is wery low traffic out from my MTA, and only small amount of this outbound mails are going to gmail (<10/week), thus it cannot be massive in any mean ;-) I use HE IPv6 tunnel, with /48 net, from which i use only one /64 block yet, thus even all neighbors are under my control. I have even working PTR for IPv6. I didn't noticed any unusual outbound traffic from my net. Delivery via IPv4 works without any problems, thus for now i enabled ipv4_prefer in my MTA. If you need more info, be free to contact me off list. regards Slavko ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Google and IPv6, was Recommendation for inbox provider?
Dňa 7. 9. o 20:20 John Levine via mailop napísal(a): > It appears that John Capo via mailop said: >> The only IPv6 issues I have seen, other than transit only via HE, is >> delivering to Google. Google seems to assume that mail via IPv6 is spam. >> The same mail flow via IPv4 is OK with Google. Proper DNS and all that >> stuff, of course. > > Google has clearly said that IPv6 mail has to be authenticated. Add DKIM > signatures and you'll have a lot more success. When they try to check DKIM signature when IPv6 connection was refused at all (redacted): 2021-09-03 11:10:19 1mM5DF-0005en-PL <= u...@domain.tld H=servac.skk [192.168.10.11] S=1899 id=some...@domain.tld 2021-09-03 11:10:19 1mM5DF-0005en-PL H=gmail-smtp-in.l.google.com [2a00:1450:400c:c07::1b] Connection refused 2021-09-03 11:10:21 1mM5DF-0005en-PL => 026...@gmail.com R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [74.125.133.27] C="250 2.0.0 OK h13si4784520wrs.127 - gsmtp" QT=3s DT=1s 2021-09-03 11:10:21 1mM5DF-0005en-PL Completed QT=3s regards ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] So uh... Zoom/Sendgrid... How's that webinar spam investigation coming?
Hi, Dňa Sat, 07 Aug 2021 19:15:57 +1000 Noel Butler via mailop napísal: > So you think it's better to have the potential to inconvenience > > over the likelihood of a dozen or so people who may have loss of a > legit mail? > > I'm not one to bow to the tiny minorities, also, T&C's are most clear. > Your server, your rules, no doubts. I only hope, that your users are aware of this and you have it in this clean (not lawyer, which not many understand) form in your policy... regards -- Slavko http://slavino.sk pgpEUQuaPBDWU.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] SMTP AUTH harassment
Hi, Dňa Sun, 18 Jul 2021 13:56:18 -0400 Bill Cole via mailop napísal: > > The only usable way seems to be GoiIP blocking countries, but i > > afraid that it is wrong way. > > Why? Hard to describe it in English for me, but i will try. I consider blocking access by country as discriminating all honest people in particular country. One can be surprised, but my long term country stat shows, that worst countries are USA and Germany, and no, China is even not in top 10. Yes, my stats are screwed by blocking from blocklist.de, which seems to catch about 50 % of abusive access and those never reach the server, thus are missing in that stats, but anyway... And yes, i have in my stats my own country too, while far away from top. Second, blocking by country breaks the main Internet purpose -- connect together the whole world. Finally, blocking by country seems as simplest solution. But many of (if not all) simplest solutions are not good solutions too. They are simple only simplest. Do one remember one of simplest solution in past -- cut off burglar's hands? It solved nothing... > If you have no users who need to authenticate from a particular > network, there's no need to allow access from that network. If > knowing where a network is based helps you make an accurate > estimation of whether access from that network is needed, what's > wrong with that? It is 2021 year here, people are not slaves nor vassals, they are free to travel, they use VPSs, VPNs, proxies, etc for good purpose, not only to hide their abusive behaviour. I do not want to limit nor to spy them, especially when they are family or friends. They must be free to use services from anywhere and does not matter, if they need this or not. > On one small mail server I manage, I have 346 IPv4 networks blocked > from all ports that expose any password-based authentication, with > some of those being /6 networks. I do not afraid to block whole network blocks (even countries), but it must have good reason AND must be short term solution. Once again, in most of network blocks are honest people, even clouds (VPS) are using honest people too. Consider, why are RBLs, which block whole network blocks (and people which use them), as often criticised not only in this list history. Why people complains (again not only in this list) about mail providers, which rejects mails only due bad neighbours, etc, etc... Yes, one can tell that even behind one IP can be honest people too, and will be right. In ideal world we will able to distinguish them, unfortunately we are living in real world, not in ideal. In ideal world they all will have unique IP (no IPv6 will not solve it), until this we have to live with this limitation, but we must do not do things even worse... That is why we have SPAM checks software, brute forcing guards and similar solutions. Their purpose is distinguish honest access from abusive on per case base, not by its origination. One again one no, simplest solutions are only rarely good solutions at once. (I hope, that i wrote this properly in English...) regards -- Slavko http://slavino.sk pgp__X6twfbuz.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] SMTP AUTH harassment
Hi, Dňa Mon, 19 Jul 2021 00:34:40 +0100 Tim Bray via mailop napísal: > I didn't really get on with fail2ban. I do have it running, but it > pulls very little for exim. > > I did write my own script to follow the exim mainlog with a bunch of > regexp and drop IP addresses into ipset. (task for future is to > make it work nft natively) i have a lot custom rules in it, to catch even my own log messages (exim's logwrite, log_message and/or message stuff). It works well for my config and offending IP, of course fails in this case as IP doesn't repeats. I do block for relative short time (1 hour) to quick reveal of false positives, and i use f2b's recidive jail to add long block on repeating hosts. If you want, be free to contact me off list, i can help you with it. There is not need to do own parsing, when f2b can do it for you. > acl_connect: > accept hosts = * > delay = 6s I have RBL & PTR checks in connect ACL. It works well, as it ads timeout too (even bigger on some failing PTR checks). But i have separate exim for MX & MSA, thus i can simple distinguish AUTH access (and abuse) from incoming mails in this ACL. The problem with rejecting connection is, that many clients consider it as network failure and repeats constantly, even when they got own timeout (disconnects before got answer). But thanks to f2b, they are blocked shortly and thus it is effective. > - this confuses some botnets. Some are confused by multiline banner too, they are then caught as out of sync by exim ;-) But, eg. rspamd's reporting is confused too... I noticed that recent exim adds connect pipelining, but i use older version yet. > obviously somebody might write a better botnet email client or they abuse real MTA for delivery... > I'm also lucky that our usernames follow a bit of a format which > isn't the email address. Seems quite common for bots to have a few > guesses about what the username might be - again, easy to block. I agree. While it is not about security, one can simply distinguish login attempts on harvested email addresses. I use this approach for years, and where it is (was) not possible, i never do use email address which is login name, but its aliases. But nowadays gmail's generation doesn't know about aliases... > My main motivation for getting the blocking right is to avoid having > 1000s of connections from scanners, and so real mail not getting > through. Sure, blocking them is mostly not due security (but it counts too), but about saving own resources. Most of the (one shot) abusers then move away, to find more simpler target. But some have "long cable" and try to "break wall by head" (in quotes raw translation of our idioms). For now it seems, that this SMTP attack is gone, and i can to enjoy on the next one... regards -- Slavko http://slavino.sk pgpPZHrdA2cyh.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] SMTP AUTH harassment
Hi, Dňa Sun, 18 Jul 2021 06:54:07 +0200 Slavko via mailop napísal: > To see from where they come i did simple Python(3) script, which reads > list of IP from stdin and prints some stats based on GeoLite2 DBs. > When i feed it with IPs parsed from today dovecot's fail2ban log i > can see: Seems to be finished for now. fail2ban will not help with it at all, as no one IP was used more than twice and even very little amount of networks was repeated (little improved script's output): Top 5 of 50 countries: 241 South Korea (KR) 104 Japan (JP) 75 Hong Kong (HK) 40 United States (US) 40 Taiwan (TW) Top 5 of 546 networks: 12 223.16.0.0/14 (9304, HK) 10 219.100.37.0/24 (36599, JP) 8 117.146.0.0/16 (9808, CN) 7 113.252.0.0/14 (9304, HK) 7 221.124.0.0/14 (9304, HK) Top 5 of 697 (total 713) IPs: 2 179.35.122.18 (BR) 2 112.164.147.228 (KR) 2 191.177.186.129 (BR) 2 88.215.95.21 (DE) 2 219.73.72.159 (HK) The only usable way seems to be GoiIP blocking countries, but i afraid that it is wrong way. The whole attack took about 5-6 hours. I will continue to investigate weakforced for future as i feel, that it is not real end, only pause... Anyway, despite of all words about Kerckhoffs's principle, using the same email address as login name seems to be wrong approach (as someone pointed already), because without valid username no password will match and thus knowing username saves 50 % of the attacker work. Thus while username is not secret, not revealing it can help... Of course, to hide username is not (enough) security method. regards -- Slavko http://slavino.sk pgp7byj4jwJIH.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] SMTP AUTH harassment
Hi,
Dňa 17 Jul 2021 20:41:14 -0400 John Levine via mailop
napísal:
> It appears that Thomas Hochstein via mailop said:
> About 12,000 here. It's a botnet, it's not targeting you any more
> than any other random server it can find, and I don't know of any way
> to block it. You can use something like fail2ban to block individual
> IPs but it's a very large botnet.
Thanks a lot for all answers, it helped me to understand that it is not
by some of my mistake, as i always care about own mistakes first...
> The logins are pretty random:
Now the IMAP (dovecot) attack starts again, where i see full failed
logins log. While it seems as different botnet (different IP
sources/countries) i see, that only one account is targeting with
passwords (and its variations) which looks know to me, but i cannot
bring in mid from where ;-) But this current attack seems to be more
massive than previous, as my F2B log shows twice IP blocked yet (and it
grows).
Ad blocklist.de: i update IP list (ipset with timeout) hourly with
adding only new (recent) IPs from this list and count of added IP is
loged. There was times, when script adds hourly about 2500 IP, now it
is adding only about 500 - 600. It doesn't help - i watch on
incoming SYN packets on router and i see very little amount without
SYN+ACK, thus only very little IP are blocked...
Ad fail2ban: it helps, not a lot, but helps. I did some research before
i go to to sleep yesterday, and i found why i do not know how to block
subnets in fail2ban, as it was introduced in its 0.10.5 version, but in
debian stable there is only 0.10.2, but anyway blocking subnets will
help only little more (see stats below).
To see from where they come i did simple Python(3) script, which reads
list of IP from stdin and prints some stats based on GeoLite2 DBs. When
i feed it with IPs parsed from today dovecot's fail2ban log i can see:
Top 5 countries of 33:
75 South Korea (KR)
36 Japan (JP)
25 Hong Kong (HK)
20 China (CN)
18 Taiwan (TW)
Top 5 networks of 220:
7 117.146.0.0/16
4 113.252.0.0/14
4 111.240.0.0/12
3 77.53.0.0/16
3 219.100.37.0/24
Top 5 IPs of 257:
2 191.177.186.129
2 88.215.95.21
2 219.73.72.159
1 37.57.200.229
1 59.8.115.197
I do not know if attachments are allowed here, thus i add it here, if
someone is interested:
import sys
from collections import Counter
import geoip2.database
icnt = Counter()
ccnt = Counter()
ncnt = Counter()
total = 0
maxi = 5
with geoip2.database.Reader('/var/lib/GeoIP/GeoLite2-Country.mmdb') as creader,
\
geoip2.database.Reader('/var/lib/GeoIP/GeoLite2-ASN.mmdb') as areader:
for ip in sys.stdin:
ip = ip.strip()
ctr = creader.country(ip)
asn = areader.asn(ip)
isoc = f"{ctr.country.name} ({ctr.country.iso_code})"
netw = str(asn.network)
icnt[ip] += 1
ccnt[isoc] += 1
ncnt[netw] += 1
total += 1
print(f"\nTop {maxi} countries of {len(ccnt)}:")
for k, v in ccnt.most_common(maxi):
print(" %-3s %s" % (v, k))
print(f"\nTop {maxi} networks of {len(ncnt)}:")
for k, v in ncnt.most_common(maxi):
print(" %-3s %s" % (v, k))
print(f"\nTop {maxi} IPs of {len(icnt)}:")
for k, v in icnt.most_common(maxi):
print(" %-3s %s" % (v, k))
One can tweak the maxi value, if want to see more top items...
regards
--
Slavko
http://slavino.sk
pgpIIQsP66Zyf.pgp
Description: Digitálny podpis OpenPGP
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
[mailop] SMTP AUTH harassment
Hi all! I registered here only in recent time and this is my first post here (i am sorry, my English is not best)... In recent days i bother with many login attempt to my personal mail server, which i use for some years. I meet distributed dictionary attack to IMAP server which was partially blocked by my fail2ban with some manual intervention. But attempts to login into SMTP server are less often, thus more difficult to catch. I will shortly describe current situation: They all connects to port 465 (as i do not provide other for logins) and repeats one attempt about every hour (30 - 90 min) any from different IPs. Most of them are known to SpamHaus CSS/XBL, which i use to deny AUTH for them. They waits max. about 10 s to every response (connect, EHLO, AUTH), and then disconnects without QUIT. They disconnect without QUIT to 5xx response to AUTH too. I do not know what accounts/passwords they are trying, as real AUTH doesn't happen. Two or three days ago i decided to extend AUTH response delay to they disconnect before they get reply and to see what happens. This results in burst 8 - 12 attempts every time, again all from different IPs. They are logged and counted by exim's notQUIT ACL, here is excerpt (wrapped manually): 2021-07-17 20:18:02 H=[186.190.163.50] NotQ connection-lost (AS:27953 10.5, N:186.190.163.0/24 1.0, C:AR 40.1) EHLO,AUTH 2021-07-17 20:18:24 H=[202.52.230.206] NotQ connection-lost (AS:4613 2.6, N:202.52.230.0/24 1.0, C:NP 4.3) EHLO,AUTH 2021-07-17 20:18:46 H=[187.62.177.90] NotQ connection-lost (AS:262662 1.0, N:187.62.176.0/21 1.0, C:BR 301.1) EHLO,AUTH 2021-07-17 20:19:14 H=[103.63.29.72] NotQ connection-lost (AS:134888 2.0, N:103.63.29.0/24 2.0, C:IN 46.7) EHLO,AUTH 2021-07-17 20:19:49 H=[45.188.61.3] NotQ connection-lost (AS:269585 1.0, N:45.188.61.0/24 1.0, C:BR 302.1) EHLO,AUTH 2021-07-17 20:20:16 H=[188.112.7.125] NotQ connection-lost (AS:42739 6.9, N:188.112.0.0/18 3.4, C:PL 65.7) EHLO,AUTH 2021-07-17 20:20:47 H=[45.168.31.121] NotQ connection-lost (AS:268052 1.9, N:45.168.31.0/24 1.0, C:BR 303.0) EHLO,AUTH I count ASN (AS:), IP network (N:) and country (C:) by exim's ratelimit facility for 1 week, to get some quick look. Most of them come from Brasil, other top includes India, Poland, Argentina and others. The IP is only rarely used more than once, and as one can see, the IP networks and AS numbers doesn't get high counts too (with some exceptions which i blocked manually). Please, i want ask others if are these (mostly) Brasil attempts know to others too or am i "special" target? Some other questions, which comes to my minds without answers, while perhaps nobody here will/can know right answer, i will ask: - i use blocklist.de IP list to block access on router for years, but i feeling in recent time as it is not as effective as before, can it be related, that i do not see similar attempts before? - have someone similar feeling about blocklist.de effectivity or am i wrong? - some days ago i decide to register my IP with dnswl.org, can it be related? (in really i am not sure, if they start closely before i register or after) And finally, please can someone help me to create fail2ban rule, which will catch network IP from these logs? While i am able to do own f2b rules and actions, i do not know how to catch (and use) network address in them and i cannot find any resource for it. thanks -- Slavko http://slavino.sk pgpC9pMowkv2z.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
