Re: [mailop] The oligopoly has won.

2022-09-17 Thread Steven Champeon via mailop
on Mon, Sep 12, 2022 at 04:54:30PM -0700, Brandon Long via mailop wrote:
> These numbers are also worse than when I worked on Gmail years ago, but
> it's always possible things got worse.

I know I am a tiny speck, but as just another data point, I'm looking
at a folder full of spam with 731 messages in it, received here since
May 15, 367 (almost exactly 50%) of which originated at GMail, 45 via
outlook.com, 25 via salesforce.com and 16 via sendgrid.net. Of those
367 sent via GMail, 57 are bogus billing notices for "Windows
Defender", which I've since had to write custom sendmail filtering
rules to block. They were coming in at a rate that made it such that I
could test the rules in the half hour I spent writing them because,
lo, there's another one.

Most of the rest are either blindingly obvious 419 scams or offers to
help us estimate our construction projects, give us a better web site
or improve our SEO. The latter I can deal with, they're just cold call
campaigns, and hey, everybody has to eat, but the Defender phishes are
just stupid and someone should have stopped them months ago. How hard
is it to flag a campaign whose sender is "Windows Defender Order" and
Subject is "Order Confirmation" or "Billing Team" without variation?

Aside from a few whitelisted addresses, we quarantine everything sent
via GMail here, to save our users the hassle of having to forward them
to me and file them away for reference in posts like this.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
Internet security and antispam hostname intelligence: http://enemieslist.com/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Steven Champeon via mailop
on Tue, Dec 28, 2021 at 07:17:43AM -0800, Michael Peddemors via mailop wrote:
> The problem isn't 'technical', but rather political.  There are
> those out there that believe by including the originating IP
> Address, you are exposing PPI (Private Personal Information) by
> including the IP Address.
> 
> Of course, I personally think this is baloney, as the email operator
> can simply tell customers that this information will be disclosed,
> as part of the terms of service.  By including the IP Address, you
> add transparency, security and safety to the communication.

I hope to die before that logic extends to hiding what channel you are
tuned into on a TV or radio for "privacy reasons". Infrastructure is
infrastructure, it's not like every packet you send has a social security
number or bank account routing number in it. Ridiculous.



Re: [mailop] WhatCounts/Costco silliness

2021-10-25 Thread Steven Champeon via mailop
on Sun, Oct 24, 2021 at 09:33:15PM -0400, John R Levine via mailop wrote:
> >>>List-Unsubscribe: 
> >>>List-Unsubscribe-Post: List-Unsubscribe=One-Click
> >>>
> >>>I don't know which fools to blame; The client Costco, or their ESP
> >>>WhatCounts.  Perhaps both.
> >>
> >>Definitely both.
> >
> >I don't work for or with WhatCounts, but I know who does, so I nudged them.
> 
> Considering that every message sent without working unsubscribe is a
> CAN SPAM violation, I'd think some tooling to check that the link at
> least connects to a server would be in order.

example.com seems to be a favorite of folks needing a placeholder for a PTR:

103.193.36.20:dns2.example.com.
104.248.162.121:109.248.10.0:subnet.example.com.
107.181.187.148:vds4274.example.com.
109.248.10.10:free.example.com.
109.248.10.16:free.example.com.
109.248.10.1:gw.example.com.
109.248.10.255:broadcast.example.com.
109.248.200.124:free.example.com.
109.248.202.101:free.example.com.
146.185.220.10:fgcp.au.example.com.
147.255.227.0:147-255-227-0.w.example.com.
147.78.64.134:korkin.v.d.example.com.
147.78.65.189:xdarker87.example.com.
147.78.65.250:mcdonaldsrestaurant72.example.com.
147.78.66.22:erinbaxtere8.example.com.
154.59.112.203:www.example.com.
185.104.249.100:yuriybiit0.example.com.
185.104.249.241:mail16.example.com.
185.127.24.107:free.example.com.
185.127.24.149:free.example.com.
185.127.24.169:free.example.com.
185.127.25.100:free.example.com.
185.127.25.204:free.example.com.
185.139.69.163:trushinskiys.example.com.
185.139.69.222:ilvalil26.example.com.
185.142.98.138:mgnhost.example.com.
185.17.120.165:ya1.danilovvs.example.com.
185.188.182.186:hasper8367.example.com.
185.242.84.10:gaev7.ilya.s.example.com.
185.246.153.137:katruk.example.com.
185.31.160.143:zakalyor28.example.com.
185.62.57.110:tempbackup.example.com.
185.63.190.142:ddic.sudarev.example.com.
192.83.197.0:82.202.165.178:kakallibi121.example.com.
193.0.178.110:mgnhost.example.com.
193.233.149.198:mgnhost.ru.example.com.
193.9.60.102:dominik1.muratov.example.com.
195.140.144.101:bet5.centr.example.com.
228.0.0.101:103.193.36.10:dns1.example.com.
37.9.33.11:platform-admin58.example.com.
45.87.128.0:sub0.example.com.
5.188.148.10:gcore5.example.com.
5.188.71.100:roberto77.example.com.
5.188.71.32:ovqtitdenis1.example.com.
5.8.24.53:viktor.example.com.
62.173.138.226:bigwashing87.example.com.
62.173.150.114:bigwashing87.051.example.com.
69.48.130.253.colo.example.com.
89.108.104.112:testudo1871891.example.com.
92.223.67.10:mahjong9.example.com.
92.38.135.127:aisles2.webmaster.example.com.
92.38.135.141:m881.8isles.example.com.
92.38.148.107:support108.example.com.

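
The list above is the kind of input a receiving MTA sees on every connection, so here is a hygiene pass over it as an added example (this is not code from the thread or from the Enemieslist project). It parses the post's "ip:ptr" lines, including the ones where the PTR target carries a second address or the separator is missing, flags RFC 2606/6761 placeholder names, rejects targets that are not even syntactically hostnames, and flags source addresses that cannot be an SMTP client at all. The sample is a subset of the posted list plus one constructed line (an RFC 5737 documentation address with the hypothetical name constructed-isp.net) so the "plausible" outcome is exercised; everything runs offline.

```python
"""Hygiene checks for the ip:ptr list posted above.

Added example; not code from the mailop thread or from Enemieslist. The sample
lines are a subset of the list in the post, plus one constructed line (RFC 5737
documentation address, hypothetical domain) so that the "plausible" outcome is
exercised too. Everything runs offline.
"""
import ipaddress
import re
from collections import Counter

# Names reserved by RFC 2606 / RFC 6761; no real host legitimately carries
# one of these as its PTR target.
RESERVED_SUFFIXES = (
    "example.com", "example.net", "example.org",
    "example", "invalid", "localhost", "test",
)

# One hostname label: letters, digits, hyphen, no leading/trailing hyphen,
# at most 63 octets (RFC 1123 section 2.1).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# The post prints each record as "<dotted quad>:<ptr target>".
_RECORD = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(.*))?$")


def is_valid_hostname(name: str) -> bool:
    """Syntactic check: every label LDH, total length within 253 octets."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_line(line: str):
    """Return (ip, ptr). The IP is the leading dotted quad; everything after
    the first colon is the PTR target, even when that target itself carries a
    second address and colon (several posted lines do). A line with no
    separator at all, like the one for 69.48.130.253, yields (None, line)."""
    m = _RECORD.match(line.strip())
    if not m:
        return None, line.strip()
    return m.group(1), m.group(2)


def address_problem(ip: str):
    """Flag addresses that cannot be an SMTP client at all."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid-ip"
    if (addr.is_multicast or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved):
        return "unroutable-ip"      # 228.0.0.101 is multicast space
    return None


def is_reserved_name(host: str) -> bool:
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in RESERVED_SUFFIXES)


def classify(line: str) -> str:
    ip, ptr = parse_line(line)
    if ip is None:
        return "unparseable"
    problem = address_problem(ip)
    if problem:
        return problem
    if not ptr:
        return "no-ptr"
    if not is_valid_hostname(ptr):
        return "malformed-ptr"      # colons, embedded addresses, empty labels
    if is_reserved_name(ptr):
        return "placeholder"
    return "plausible"              # passes syntax; FCrDNS etc. still apply


def summarize(lines):
    """Verdict counts for a batch of records."""
    return dict(Counter(classify(line) for line in lines))


# Subset of the list in the post above.
POSTED_LINES = [
    "103.193.36.20:dns2.example.com.",
    "104.248.162.121:109.248.10.0:subnet.example.com.",
    "109.248.10.255:broadcast.example.com.",
    "147.255.227.0:147-255-227-0.w.example.com.",
    "154.59.112.203:www.example.com.",
    "185.127.24.107:free.example.com.",
    "192.83.197.0:82.202.165.178:kakallibi121.example.com.",
    "228.0.0.101:103.193.36.10:dns1.example.com.",
    "62.173.150.114:bigwashing87.051.example.com.",
    "69.48.130.253.colo.example.com.",
]

# Constructed line, not from the post: documentation address, hypothetical name.
CONSTRUCTED_LINE = "192.0.2.10:mx1.constructed-isp.net."

if __name__ == "__main__":
    for line in POSTED_LINES + [CONSTRUCTED_LINE]:
        print(f"{classify(line):14s} {line}")
    print(summarize(POSTED_LINES))
```

The verdict order matters: an unroutable source address is reported before the name is looked at, and a name with a colon in it is reported as malformed rather than as a placeholder, since it is not a hostname in the first place. "plausible" only means the record survived the cheap checks; forward confirmation and the naming-convention classification come after that.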


Re: [mailop] AOL and Message-ID headers?

2021-10-13 Thread Steven Champeon via mailop
on Wed, Oct 13, 2021 at 07:40:00PM +0200, Bastian Blank via mailop wrote:
> On Wed, Oct 13, 2021 at 03:34:48PM +0000, Steven Champeon via mailop wrote:
> > Seems it was sent from a US Cellular phone. She just sent me another via
> > the phone and it also lacks a Message-ID header. So, USC's phone mail
> > client is the culprit. 
> 
> And that's where it is up to you to stop ranting and providing proof.
> Aka provide enough e-mail headers (aka all with only identifying
> information removed) so people can identify what you see.

As Marcel has mentioned, I provided such offlist, though I find it hard
to understand how I can show you a Message-Id header that wasn't there.



Re: [mailop] AOL and Message-ID headers?

2021-10-13 Thread Steven Champeon via mailop
on Tue, Oct 12, 2021 at 09:31:08PM -0400, John Levine via mailop wrote:
> How does she send her mail?  Webmail?  Ancient AOL PC client?
> Phone?

Via Samsung/Android on a US Cellular link; I've verified that it is indeed
not issuing a proper Message-Id header and the Yahoo! transit isn't adding
one, either. Marcel is looking into it.



Re: [mailop] AOL and Message-ID headers?

2021-10-13 Thread Steven Champeon via mailop
on Tue, Oct 12, 2021 at 09:31:08PM -0400, John Levine wrote:
> It appears that Steven Champeon via mailop  said:
> >My mom has been an AOL user for decades, and still has and uses her AOL
> >address as her primary address. Lately, none of her messages have
> >contained a Message-ID header, which we treat as brokenness here,
> 
> I just sent myself a message from my AOL account, using their webmail,
> and it arrived with a normal message-ID:
> 
> Message-ID: <490596937.2432168.1634088397...@mail.yahoo.com>
> 
> How does she send her mail?  Webmail?  Ancient AOL PC client?
> Phone?

Seems it was sent from a US Cellular phone. She just sent me another via
the phone and it also lacks a Message-ID header. So, USC's phone mail
client is the culprit. 



[mailop] AOL and Message-ID headers?

2021-10-12 Thread Steven Champeon via mailop

My mom has been an AOL user for decades, and still has and uses her AOL
address as her primary address. Lately, none of her messages have
contained a Message-ID header, which we treat as brokenness here,
because it's wrong and stupid and broken, so she's been having trouble
emailing us. I know it's a SHOULD even in RFC5322 but come on, people,
it's expected. I don't know why anyone would remove support for it in
any MUA, and it's been there for years and years. And as recently as
today, but suddenly it's gone.

Is this a deliberate act of stupidity or just some form of random
failure to comply with longstanding tradition? I've whitelisted her here
but wonder if anyone else is seeing this idiocy and has some insight
into why and how it just suddenly started showing up?

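
Two of the header checks described on this page, as added example code rather than the author's sendmail rulesets: the "Windows Defender Order" billing-scam signature from the first post (fixed display name plus one of two fixed subjects) and the missing-Message-ID rule from the AOL post, with a whitelist bypass for a trusted sender. The Message-ID syntax check follows RFC 5322 section 3.6.4 without the obsolete or comment syntax. All messages and the whitelist entry are constructed.

```python
"""Two header checks from the posts above, as added example code; it is not
the author's sendmail rulesets. The campaign signature ("Windows Defender
Order" sender with an "Order Confirmation" or "Billing Team" subject) is
quoted from the first post; the Message-ID rule is the AOL post's policy. The
whitelist entry and all messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# RFC 5322 section 3.6.4: msg-id = "<" id-left "@" id-right ">", both sides
# dot-atom text (id-right may be a domain literal). Obsolete syntax and
# comments are deliberately not accepted. The field is a SHOULD in the RFC,
# which is exactly why its absence is a local policy decision.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATEXT}(?:\.{_ATEXT})*"
_MSG_ID = re.compile(rf"^<{_DOT_ATOM}@(?:{_DOT_ATOM}|\[[^\]\\]*\])>$")

# Senders exempt from the Message-ID rule (constructed placeholder entry).
WHITELIST = {"mom@example.com"}

# Campaign signature quoted from the first post, compared case-insensitively.
CAMPAIGN_FROM_NAME = "windows defender order"
CAMPAIGN_SUBJECTS = {"order confirmation", "billing team"}


def _flat(value) -> str:
    """Unfold and collapse whitespace in a header value; None becomes ''."""
    return " ".join(str(value or "").split())


def message_id_status(msg: Message) -> str:
    """'ok', 'missing', 'duplicate' or 'malformed'."""
    ids = msg.get_all("Message-ID") or []
    if not ids:
        return "missing"
    if len(ids) > 1:
        return "duplicate"
    return "ok" if _MSG_ID.match(_flat(ids[0])) else "malformed"


def is_campaign(msg: Message) -> bool:
    """Display name and subject both match the scam campaign exactly."""
    name, _ = parseaddr(_flat(msg.get("From")))
    return (_flat(name).lower() == CAMPAIGN_FROM_NAME
            and _flat(msg.get("Subject")).lower() in CAMPAIGN_SUBJECTS)


def policy(raw: str) -> str:
    """Action for one message: reject, quarantine or accept."""
    msg = message_from_string(raw)
    if is_campaign(msg):
        return "reject"
    _, sender = parseaddr(_flat(msg.get("From")))
    if message_id_status(msg) != "ok" and sender.lower() not in WHITELIST:
        return "quarantine"
    return "accept"


# Constructed messages (RFC 2606 domains), not real mail.
SCAM = (
    'From: "Windows Defender Order" <billing@example.com>\n'
    "To: role@example.com\n"
    "Subject: Order Confirmation\n"
    "Message-ID: <20220601.1@example.com>\n"
    "\n"
    "Your subscription has been renewed.\n"
)
FROM_MOM = (
    "From: Mom <mom@example.com>\n"
    "To: steve@example.com\n"
    "Subject: hello\n"
    "\n"
    "sent from my phone\n"
)
FROM_STRANGER = FROM_MOM.replace("mom@example.com", "someone@example.com")
NORMAL = (
    "From: Someone <someone@example.com>\n"
    "Subject: hello\n"
    "Message-ID: <490596937.2432168.1634088397@mail.example.com>\n"
    "\n"
    "body\n"
)
MALFORMED = NORMAL.replace("<490596937.2432168.1634088397@mail.example.com>", "nonsense")

if __name__ == "__main__":
    cases = [("scam", SCAM), ("mom", FROM_MOM), ("stranger", FROM_STRANGER),
             ("normal", NORMAL), ("malformed", MALFORMED)]
    for label, raw in cases:
        print(f"{label:10s} {policy(raw)}")
```

The campaign rule runs first so that a scam carrying a perfectly good Message-ID is still rejected, and the whitelist only exempts a sender from the Message-ID rule, not from the campaign match. A duplicated Message-ID header is treated the same as a malformed one.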


Re: [mailop] Got any users in Texas? Better turn off your spam filters by Dec 2

2021-09-24 Thread Steven Champeon via mailop
on Fri, Sep 24, 2021 at 12:36:23PM -0400, Bill Cole via mailop wrote:
> Owning an operational domain name makes you a public person. A
> domain name is a claim on a specific piece of the public commons of
> the DNS. In many places (including the US and at least some European
> countries) you can only own land if your 'title' to that land is
> registered with the government in an open public record. In the US,
> that title includes the record of past ownership and even sales
> prices. A domain name is intrinsically connected to public
> interaction.

This. 

If you want to operate a private LAN with RFC1918 addressing that isn't
connected to the public Internet, by all means, register domains to use
on that LAN (or even WAN) with cloaked bullshit, whatever the excuse you
want to use - or don't bother, because nobody else will ever need to
know why you're using those domains, because they're not public. Once
you decide you want to participate in the public Internet, you have a
basic responsibility to be accountable for abuse emanating from that
participation, and part of that is being able to demonstrate who you are
and who to contact to report such abuse. The GDPR is pointless, as I've
said upthread, because massive interconnectedness ALREADY makes all of
the information that might have shown up in a WHOIS lookup public
information. Does anyone really think that cloaked WHOIS is anything
more than a way for registrars to make more money? I'm still pissed that
I once renewed a domain registration and they cloaked my information
(and charged me for it) because I missed a checkbox. Lunacy and vile
idiocy combined with profit motive is all this amounts to, and making
futile arguments about "personal privacy" is so much dross. Want to be
a private person? Stay out of the public sphere. 



Re: [mailop] Got any users in Texas? Better turn off your spam filters by Dec 2

2021-09-24 Thread Steven Champeon via mailop
on Fri, Sep 24, 2021 at 11:40:22AM +0200, Jaroslaw Rafa via mailop wrote:
> This *is* a law that "helps protect the innocent victims". Yes, it is
> sometimes poorly (or intentionally wrongly) implemented, such as abusing the
> "legitimate interest" concept included in the GDPR by many advertisers to
> still flood you with advertising. It may also have unwanted consequences as
> anonymizing the data of domain holders in registries, if these holders are
> private persons. But in fact in my opinion GDPR is overall a good step in
> protecting the rights of the individual.

This is the output of a whois lookup of a domain hosted by OVH:

Registry Registrant ID:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: LOCARCHIVES
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: 
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: FR
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY. Send message to contact by visiting 
https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Registry Admin ID:
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY. Send message to contact by visiting 
https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Registry Tech ID:
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY. Send message to contact by visiting 
https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Name Server: dns105.ovh.net
Name Server: ns105.ovh.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database: 2021-07-01T17:56:10.0Z <<<

I count two useful data points. What a ridiculous waste of time,
resources, energy, and effort. And that's followed by some 60+ lines of
explanatory language in both French and English, which is a pack of lies
on the face of it ("The data in this Whois is at your disposal with the
aim of supplying you the information only, that is helping you in the
obtaining of the information about or related to a domain name
registration record."). Three if you count the name servers, but I don't
generally regard an NS record as PII, especially when it's one from one
of the largest Web hosting conglomerates in the world.

Visiting the domain in a browser redirects to a OVH webmail login screen.

Looking up the domain in Google gives you the parent organization, as
well as a link to a French Wikipedia page containing their address,
leadership, history, URL, etc. so the net effect is that GDPR destroying
WHOIS has provided absolutely no "privacy protection", and the illusory
belief that blocking one of thousands of potential sources of
information will protect anyone's privacy (not that corporations are
people, despite whatever laws may state the contrary) is asinine and
delusional.



Re: [mailop] Old subject, awareness, given recent Microsoft disclosure.. blocking port 25 from dynamic/DUL networks

2021-07-09 Thread Steven Champeon via mailop
on Fri, Jul 09, 2021 at 09:25:57AM +0200, Hans-Martin Mosner via mailop wrote:
> IMHO that's the wrong approach. The question isn't whether IP
> addresses are dynamically or statically assigned, but whether it is
> possible with reasonable effort to find an entity that is responsible
> for SMTP traffic coming from an IP address. It doesn't matter whether
> the IP address has no pointer, has "dynamicip" or "staticip" or one of
> the various anonymous cloud hosting domain names in it.

I can assure you that the approach is valid. I don't know of anyone who
still accepts mail from hosts without a PTR, period. And I do know for
certain that many find distinguishing between generic, static, and
dynamic (as well as several other classifications, such as shared or
dedicated webhosts, residential university networks, NATs, etc.) extremely
useful in the context of not just inbound SMTP but also a variety of other
contexts where the nature of the source matters. Correlations are useful.

Now, you're right in thinking that reaching a responsible party is an
important aspect of making manual decisions as to who to block; with
the devastation that is WHOIS and the GDPR that has become well-nigh
impossible in many, if not most, cases, and the proliferation of idiocy
that is the failure to provide a working abuse@ address for every domain
and replacing them with alternates or even jump-through-hoops Web forms
for reporting abuse isn't helping. It's a lot easier to set policy based
on your tolerance for static/dynamic/generic/etc. and let the MTA or
filter make the decisions for you using a dataset based on classified
naming conventions. Why should that be any different than how you might
use SPF or DKIM/DMARC?

YMMV, your server, your rules. But I wouldn't have been able to collect
and classify almost 275K naming patterns over the past 18 years, with a
coverage of ~97% of the IPv4 PTR namespace, if someone didn't find the
dataset valuable...

Steve



Re: [mailop] Old subject, awareness, given recent Microsoft disclosure.. blocking port 25 from dynamic/DUL networks

2021-07-08 Thread Steven Champeon via mailop
on Thu, Jul 08, 2021 at 02:28:13PM -0700, Michael Peddemors via mailop wrote:
> Ex. 1.186.104.104 x1  1.186.104.104.dvois.com

Even better still dvois.com uses the same naming for dynamics and
statics. At least they only have the couple - though they also use
static.dvois.com right anchored PTR naming, they don't ALWAYS, so it's a
risk to just assume. I've dealt with Indian ISPs with hundreds, if not
thousands of naming "conventions". The old vsnl and bsnl were awful.

> Time to brush off M3AAWG best practices.. listing what ports do not
> need to be open on dynamic IP home style networks..

That's just it - you can't assume dynamic with dvois.com, and many more.
I have at least 136 patterns that I had to throw my hands up and call
"mixed" because they either lie, don't distinguish, or are so
incompetent they can't be bothered to not hand out statics with 'dyn'
token labels, and vice versa (e.g., rima-tde). Much of Brazil is simply
generic, stuff like 1-2-3-4.example.net.br. We tend to assume generic ==
dynamic, especially when they've got tiny allocations, but shrug.

Steve



Re: [mailop] Haraka status? Exim the only choice? (v Postfix)

2021-05-07 Thread Steven Champeon via mailop
on Sat, May 01, 2021 at 03:18:49AM +, MRob via mailop wrote:
> Can I ask what are mailop's opinions about Exim? Thanks you!

I'm a dinosaur who at one point had 15K lines of custom m4 code in my
sendmail setup (I removed a few thousand a few years back for various
reasons), and am still running it because it Just Works, so take any of
this with a massive grain of salt, but I've also looked at some 97%+ of
IPv4 and can tell you that AFAICT the only people actually running Exim
are on cPanel shared webhosting servers, and the folks who wrote it in
the first place at Cambridge. This despite claims that it's the most
popular MTA on the Internet with a 60% market share[1]. This is not to
denigrate Exim, just to suggest that its userbase probably isn't even
really aware that they're running Exim and configures what they need to
configure via some Web hosting management console.

Postfix in my experience is solid, and has lots of knobs to tweak, but
if you need something special, such as say, blocking mail from the idiot
with infinite Gmail accounts having common Vietnamese surnames in them
who keeps trying to sell t-shirts to your role accounts, you're out of
luck. I know, you can write a policy daemon, but I haven't had much luck
with that, for various performance-based reasons which may no longer be
applicable many years on. (I ran Postfix for a year as a trial and had
a lukewarm response to it.)

For context, I run a project called Enemieslist which has reduced the
PTR naming conventions for much of IPv4 down to regular expressions with
classifications of assignment type (static, dynamic) and other special
subclasses like NATs, resnets, shared and dedicated webhosts, etc. The
idea being that you ought to be able to set policy regarding where
you're blocking or accepting and/or quarantining mail from based on such
factors, though it's been applied in a wider variety of ways than we
first imagined; it's the darling of big data scientists.

We made the dataset queryable via a patch to rbldnsd over fifteen years
ago, and our original users wanted to include checks against the mirrors
in their MTAs, which included Exim, Postfix, qpsmtpd, ecelerity, and
obviously sendmail, as well as SpamAssassin. Vincent wrote some custom
code to integrate into Cloudmark as well. So we have some old contrib
policy daemons for postfix, config info for Exim, an SA plugin, and
various other forms of custom integration. The common aspect to all was
that they could query our DNSBL with the PTR of the connecting host and
then implement some policy based on the result (e.g., block dynamic,
quarantine generic static, etc.) Exim could do this via configuration;
Postfix required a policy daemon, the others required custom plugins or
modules or as with sendmail, custom rulesets.

Of the 149424 patterns we have for known outbound mail servers and
server farms, only 4003 are known to run Exim. Of the 68266 shared
webhost patterns, 21260 run cPanel and therefore are also running Exim
by default. Postfix is on at least 17395 of those surveyed, by
comparison. These are based on banner scans, which you can obviously
configure to obscure the software make and model but that's a baseline
for you. I'd say go with whatever MTA has the most active development
and support community, if you don't already have a lot invested in
customization and configuration of your current MTA.

We did a banner survey of the edu space some fifteen years ago and found
that a ridiculous proportion of them were running Barracuda boxes, like
80% or so, but this was back when you couldn't walk through an airport
without seeing a Barracuda advertisement on the wall; I suspect things
have changed since then. Proofpoint seems to have surged ahead.

I know that sendmail rulesets have been compared to modem line noise and
Mr. Dithers' cursing, and can attest to the fact that writing them is
far more satisfying than reading them, but you have almost infinite
customization capacity if you can stand it. I once mentioned to a friend
(who used to write for sendmail.net when that was a thing) that you
could probably fit all of the people with as much experience writing
sendmail rulesets as I had into a Volvo station wagon, and his reply was
"you could fit more if you pulped them first", so don't take this as a
recommendation for sendmail; I'll eventually have to give up on it and
surrender to whatever the vox populi says I need to use. 

As for Haraka, I haven't followed it closely but know Matt to be a solid
coder; the impression I got when he was writing it was that it was on a
lark to see if he could write an RFC-compliant SMTP server in
JavaScript. I think the quote was "that's why there are weekends".
Having written a lot of JS code over the years, including an entire
library and book on how to use it to produce Web-based GUIs, I was
amazed that it actually worked. I've only ever seen 11 hosts that were
actually running it.

HTH,
Steve

[1] 
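
The dvois.com post above (same dotted-quad naming for statics and dynamics, "mixed" patterns, Brazilian generics like 1-2-3-4.example.net.br) and the Enemieslist description in this post (PTR naming conventions reduced to regular expressions with assignment-type classes, policy set per class) describe one mechanism, so here is a single added example of it. This is not Enemieslist code or data: the pattern table is a small constructed stand-in for a classified dataset, the domains in it are either quoted from the posts (dvois.com, example.net.br) or hypothetical (constructed-isp.net, webhost.example), and the per-class actions are one set of assumed thresholds. The octet-consistency check at the end is an extra sanity check of my own, not something the posts describe.

```python
"""Policy by PTR naming convention, as the dvois.com post and the Enemieslist
description above outline it. Added example, not Enemieslist code or data:
the pattern table is a constructed stand-in for a classified dataset, and the
policy mapping is one set of assumed thresholds.
"""
import re
from typing import Optional

# (pattern, classification), most specific first. Domains are either quoted
# from the posts (dvois.com, example.net.br) or hypothetical
# (constructed-isp.net, webhost.example) and exist only to exercise a class.
PATTERNS = [
    # dvois.com sometimes right-anchors statics with a "static" token...
    (re.compile(r"^(\d{1,3}\.){3}\d{1,3}\.static\.dvois\.com$"), "static"),
    # ...but hands out the bare dotted-quad form for both statics and
    # dynamics, so that form is "mixed": the name alone cannot decide.
    (re.compile(r"^(\d{1,3}\.){3}\d{1,3}\.dvois\.com$"), "mixed"),
    # Hypothetical ISP with honest dyn/static tokens (constructed names).
    (re.compile(r"^dyn-(\d{1,3}-){3}\d{1,3}\.constructed-isp\.net$"), "dynamic"),
    (re.compile(r"^static-(\d{1,3}-){3}\d{1,3}\.constructed-isp\.net$"), "static"),
    # cPanel-style shared webhost (constructed name).
    (re.compile(r"^server\d+\.webhost\.example$"), "webhost-shared"),
    # Generic catch-all: the address spelled out with dashes or dots and
    # nothing else meaningful, e.g. 1-2-3-4.example.net.br from the post.
    (re.compile(r"^(\d{1,3}[-.]){3}\d{1,3}\.[a-z0-9.-]+\.[a-z]{2,}$"), "generic"),
]

# Action per class (assumed thresholds): reject dynamics outright; quarantine
# generic, mixed and shared-webhost sources, where the name cannot settle it;
# a host with no PTR at all is rejected before any of this applies.
POLICY = {
    "dynamic": "reject",
    "mixed": "quarantine",
    "generic": "quarantine",
    "webhost-shared": "quarantine",
    "static": "accept",
    "unknown": "accept",          # no convention known; other checks decide
}

# Four numbers separated by dashes or dots, bounded by non-digits.
_SPELLED = re.compile(
    r"(?:^|[^\d])(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?:[^\d]|$)")


def classify(ptr: Optional[str]) -> Optional[str]:
    """Classification for a PTR target; None means the host has no PTR."""
    if ptr is None:
        return None
    host = ptr.rstrip(".").lower()
    for pattern, cls in PATTERNS:
        if pattern.match(host):
            return cls
    return "unknown"


def embedded_address(host: str) -> Optional[str]:
    """The address spelled out inside the name, if any, as a dotted quad."""
    m = _SPELLED.search(host)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def decide(client_ip: str, ptr: Optional[str]) -> str:
    """Action for one SMTP client given its address and PTR target."""
    cls = classify(ptr)
    if cls is None:
        return "reject"
    action = POLICY[cls]
    # Added sanity check: a name that spells out an address should spell out
    # this one, in either octet order (some providers reverse it).
    spelled = embedded_address(ptr.rstrip(".").lower())
    if action == "accept" and spelled is not None:
        reversed_ip = ".".join(reversed(client_ip.split(".")))
        if spelled not in (client_ip, reversed_ip):
            action = "quarantine"
    return action


# Constructed sessions: the dvois.com pair and 1-2-3-4.example.net.br are the
# forms quoted in the posts; the rest use documentation space and
# hypothetical names.
SESSIONS = [
    ("1.186.104.104", "1.186.104.104.dvois.com"),
    ("1.2.3.4", "1-2-3-4.example.net.br"),
    ("198.51.100.9", "dyn-198-51-100-9.constructed-isp.net"),
    ("198.51.100.10", "static-10-100-51-198.constructed-isp.net"),
    ("198.51.100.11", "static-198-51-100-10.constructed-isp.net"),
    ("192.0.2.44", "server12.webhost.example"),
    ("203.0.113.5", None),
]


def run(sessions=SESSIONS):
    return [(ip, ptr, classify(ptr), decide(ip, ptr)) for ip, ptr in sessions]


if __name__ == "__main__":
    for ip, ptr, cls, action in run():
        print(f"{ip:15s} {str(ptr):45s} {str(cls):15s} {action}")
```

In a real deployment the PATTERNS table is what the DNSBL lookup replaces: the MTA queries the zone with the PTR target and gets the class back, and only the POLICY mapping stays local. Pattern order is the important detail, since the most specific convention for a provider has to be tried before the generic catch-all, or every dotted-quad name collapses into "generic".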

Re: [mailop] [External] sendgrid.net

2020-09-27 Thread Steven Champeon via mailop
on Fri, Sep 25, 2020 at 12:22:43PM -0700, Michael Peddemors via mailop wrote:
> But does anyone know these guys? Looks like they have bought or used
> a bad mailing list, or they have a sign process being abused
> heavily..

I don't know anyone there that I know of, but whoever they are they are
capable of advertising on many of the TV channels we watch fairly
regularly. So, maybe bad signup process, hard to say without knowing more.
When you visit their Web site to check it out you're forced to sign up
or login, so that's probably the human factors issue that's driving that.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Gmail IMAP xyzzy ?

2020-08-02 Thread Steven Champeon via mailop
on Sun, Aug 02, 2020 at 06:43:02PM -0400, John Levine via mailop wrote:
> When I connect to Gmail's IMAP server, one of the capabilities it
> advertises is "xyzzy". Anyone know what that is?
> 
> I know the etymology (same place as plugh) but what's it supposed to do?

Back in the mid-90s I ran Eudora Mac as an email client, and one of the
first things I figured out how to do was configure it to add stupid X
headers, so if you were among my correspondents during that time you
know that my email contained an X header like so:

 X-Because-I-Can: because I can

I wonder if that's the same dorky joke in a different form. 

The other thing I figured out was how to make it such that when I got a
new message it played the "message for you, sir" sound from Monty
Python's Holy Grail with the squire getting killed by an arrow. :-) That
was insanely amusing for the first few days, anyway.

Also, for a time around the same era, my .sig on certain lists was

> Steven Champeon  | It is very dark. You are
> http://www.hesketh.com/schampeo/ | likely to be eaten by a grue.
> http://www.jaundicedeye.com  |   - Zork

I remember how thrilled I was that they made a version of Zork you could
play on the Palm Pilot. Never mind drug wars.

West of House,
Steve



Re: [mailop] [WEEKLY UPDATE] Happy Holidays Everyone!

2020-06-30 Thread Steven Champeon via mailop
on Tue, Jun 30, 2020 at 04:46:43PM -0700, Michael Peddemors via mailop wrote:
> * Brazil, for all the talk from CERT about pushing compliance,
> Brazilian ISP's have one of the highest rates of infected PC's and
> Personal computers, you need better PTR naming conventions, and more
> blocking of Port 25 on Egress.

Perhaps the fact that the president thinks viruses are fake news is to
blame for some of that. Certainly, the fact that there's a telco or ISP
in Brazil for every few dozen people is also a factor. But yeah, in any
case, it's far more common for rDNS in Brazil to be nothing more than
the IP address separated by dashes followed by a domain name; useful
subdomains and other meaningful tokens are vanishingly rare for most of
it. It's the bane of my existence. It's almost like the same two people
set up rDNS for most of Brazil. 



Re: [mailop] t-online.de refuses to remove an ip from their blacklist

2020-06-18 Thread Steven Champeon via mailop
on Thu, Jun 18, 2020 at 09:57:58AM -0700, Michael Peddemors via mailop wrote:
> WHO do I contact when I have problems related to a domain..

I've been creating patterns based on PTR records and associating
classifications with them as an anti-spam and anti-abuse mechanism for
almost eighteen years, and now have around 96.7% of IPv4 (and some IPv6
but those are mostly multi-homed mail servers with the same name as the
IPv4) classified. This means that I've done easily three hundred
thousand WHOIS lookups, probably far more, over the years. The GDPR is
my nemesis. One of the data points I collect is the entity responsible
for a given domain. 

I also think it makes sense that if you have $domain you ought to be
able to visit $domain in a browser, but my expectations are pretty much
constantly disappointed. 

What makes matters worse is that many TLDs don't have a functional WHOIS
service, and many others have such useless information that it is often
impossible to find out the name of the entity that owns the domain.
Brazil usually has an "owner" but not a corporate description; Argentina
usually just has a registration number as the owner; many other Latin
American countries' domains just have a network engineer as the sole
contact information in WHOIS.

Much of Eastern Europe is similar, and for some reason Poland often has
records where the name of the org is followed by the name of some other
network engineer (e.g., Foo Bar Baz s.p. z o.o Stanislaw Wojciehowicz).
That's if there is any information at all other than a confirmation that
the domain has been registered.

Germany is a nightmare because of the GDPR; probably the only useful
and reliable WHOIS service is Canada's, where they often also tell you
what sort of organization owns the domain, which I find very helpful. 

What's most annoying about the whole situation is that I can often find
out what I need to know about an IP by doing an rwhois lookup, so the
GDPR masking domain WHOIS is essentially useless as a form of information
privacy. Total policy fail. 

Oh, also, there is apparently an ISP or telco for every fourteen people
in Brazil, which just compounds the frustration. So many lookups. 



Re: [mailop] SendGrid Abuse unresponsive

2020-05-12 Thread Steven Champeon via mailop
on Mon, May 11, 2020 at 01:45:42PM -0400, Matt V via mailop wrote:
> On 2020-05-05 11:09 p.m., Andy Smith via mailop wrote:
> 
> I've been told by at least one Sendgrid person that they have
> requested membership to the list and are awaiting administrator
> approvals...

Yep, apparently the folks who run the list don't actually read mail
to -owner@. Len is a good guy and has been waiting for days to get a
response. WTF, people? 



Re: [mailop] contact at google

2020-04-17 Thread Steven Champeon via mailop

I sent this to John offlist but here is a list of the IPs that are doing
stupid and useless queries against one of our mirrors (couple of days stale
but still potentially useful to someone):

   count IP
 122 172.253.12.1
 119 172.253.14.3
 117 172.253.12.2
 117 172.253.11.3
 116 172.253.14.2
 115 172.253.14.1
 114 172.253.11.1
 112 172.253.12.4
 110 172.253.14.5
 110 172.253.12.3
 109 172.253.12.5
 105 172.253.11.5
 104 172.253.11.4
 101 172.253.14.4
  98 172.253.11.2

There are more, but those are the high-count Google IPs. Apparently, there
are idiots at Linode, too. But the vast majority of these things are coming
from Google netspace.

# egrep "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.g" query.log|wc -l
2099

# egrep "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.g" query.log|grep ' 172.253'|wc -l
1681

Please, make it stop already. You do not understand what you're doing.



Re: [mailop] contact at google

2020-04-13 Thread Steven Champeon via mailop
on Mon, Apr 13, 2020 at 11:54:17AM -0700, Brandon Long wrote:
> Are you sure this isn't just the Google Public DNS servers?

Why would a DNS server be querying our mirrors?
 
> I can guarantee that Gmail/Google doesn't do external rbl queries for live
> traffic[1].  There might be some dashboard around that someone uses to see
> if any of our addresses are on various rbls, though I haven't seen those
> used in a long time and I don't see that hostname at all in our configs.
> Doesn't rule out someone having their own script, I guess.

That's kind of what I figure, but it's still epically stupid to do
reverse octet style queries against a server that is customized to
handle a completely different style of lookup. None of them will ever
return a useful result, period, because that's not what those zones
are for. I'd really like it if they would knock it off.



[mailop] contact at google

2020-04-11 Thread Steven Champeon via mailop

Are there any Google folks here? 

We have a few rbldnsd mirrors, hosting a custom DNSBL for Enemieslist
which is not your standard reverse-octet IP-based lookup (instead, you
pre-pend a PTR record or HELO to the zones before you query, and get a
reply that lets you know how we've classified that naming convention).
An A query gets you the class and TXT gets you the "tech" (eg, "dsl",
"dialup" "cable", etc.) 

And yet, for years, Google has been doing reverse-octet lookups against
it. I'd rather they don't, but don't know who at Google is doing it.
It's dumb, because they will never receive a useful response, and it's
just adding to the load on our mirrors. And we actually have people who 
want to use it for the proper purpose.

eg:

1586629389 172.253.12.1 198.211.246.23.g.enemieslist.com A IN: NOERROR/0/50

So, if anyone at Google can figure out who controls whatever experiment
is epically failing and has been for a long time, I'd appreciate a hand in
making it stop.

Thanks, and stay safe,
Steve

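An added example, not code from the list, from Enemieslist or from the poster, covering both the zone description in this message and the per-IP counts and egrep tallies in the 2020-04-17 follow-up above. It builds a query name the way the zone expects (hostname prepended to the zone, no octet reversal) and scans query log lines in the layout of the line quoted above for reverse-octet lookups, which can never match such a zone, counting them per client. The zone name and the first log line come from the post; the other log lines, client addresses and hostnames are constructed.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Zone name as it appears in the query log line quoted in the post.
ZONE = "g.enemieslist.com"

# Constructed sample log in the layout of the quoted line:
#   <epoch> <client-ip> <qname> <qtype> IN: <rcode>/<answer-count>/<bytes>
# The first line is the one quoted in the post; the rest are made up.
SAMPLE_LOG = """\
1586629389 172.253.12.1 198.211.246.23.g.enemieslist.com A IN: NOERROR/0/50
1586629390 172.253.14.3 10.0.0.5.g.enemieslist.com A IN: NOERROR/0/50
1586629391 192.0.2.10 cpe-203-0-113-7.example.net.g.enemieslist.com A IN: NOERROR/1/66
1586629392 192.0.2.10 cpe-203-0-113-7.example.net.g.enemieslist.com TXT IN: NOERROR/1/80
1586629393 172.253.12.1 203.0.113.9.g.enemieslist.com A IN: NOERROR/0/50
# a junk line that must be skipped rather than crash the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z]+) IN: "
    r"(?P<rcode>[A-Z]+)/(?P<answers>\d+)/(?P<bytes>\d+)$"
)
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def query_name(hostname: str, zone: str = ZONE) -> str:
    """Build the lookup name this zone expects: the PTR or HELO name
    prepended to the zone, with no octet reversal (unlike an IP DNSBL)."""
    return f"{hostname.strip().rstrip('.').lower()}.{zone}"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields; None for lines of another shape."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_reverse_octet_query(qname: str, zone: str = ZONE) -> bool:
    """True when the part in front of the zone is a bare dotted quad, i.e.
    a reverse-octet style lookup that cannot match a hostname-keyed zone."""
    suffix = "." + zone.lower()
    q = qname.rstrip(".").lower()
    if not q.endswith(suffix):
        return False
    prefix = q[: -len(suffix)]
    return DOTTED_QUAD_RE.match(prefix) is not None


def reverse_octet_clients(log_text: str, zone: str = ZONE) -> Counter:
    """Count reverse-octet lookups per client IP (the per-IP table in the
    follow-up post is this figure, sorted)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_reverse_octet_query(rec["qname"], zone):
            counts[rec["client"]] += 1
    return counts


def summarize(log_text: str, zone: str = ZONE) -> Dict[str, int]:
    """Totals comparable to the two 'egrep ... | wc -l' counts in the post."""
    total = reverse_octet = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        total += 1
        if is_reverse_octet_query(rec["qname"], zone):
            reverse_octet += 1
    return {"queries": total, "reverse_octet": reverse_octet}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for client, n in reverse_octet_clients(SAMPLE_LOG).most_common():
        print(f"{n:6d} {client}")
```

A real hostname prefix contains letters or hyphens, so a prefix that is nothing but four numeric labels is the only thing flagged; the TXT lookup for the tech class is counted as a normal query, as it should be.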


Re: [mailop] Who runs the mailspike BL and why are they blocking Yahoo?

2020-03-19 Thread Steven Champeon via mailop
on Thu, Mar 19, 2020 at 04:02:11PM -0400, John Levine via mailop wrote:
> In article <20200319185924.gb20...@dm7.infinitemho.fi> you write:
> >On Thu, Mar 19, 2020 at 02:40:23PM -0400, John Levine via mailop wrote:
> >> One of my users reported that I was rejecting mail from Yahoo, and I found
> >> it was because at least one of Yahoo's outbound addresses 74.6.128.32 is
> >> listed at bl.mailspike.net.
> >
> >If you google "mailspike", the first hit has "AnubisNetworks" on it.
> 
> I see they're also blocking Gofundme and Constant Contact.  Again, not
> pristine but vast numbers of false positives.
> 
> Nothing personal but I won't be using their BL again any time soon.

It's been a while since I talked with Joao but back then it was purely
trap-driven; it was my understanding that it was intended to be used in
a scoring context rather than binary black/white blocking. They've since
been purchased by Bitsight, perhaps Stephen Boyer can explain better.

 https://www.linkedin.com/in/stephenwboyer/

HTH,
Steve



Re: [mailop] [FEEDBACK] Approach to dealing with List Washing services, industry feedback..

2020-01-22 Thread Steven Champeon via mailop
on Wed, Jan 22, 2020 at 09:53:24AM -0800, Brandon Long via mailop wrote:
> You can treat these all as spam, and as misdirected mail, they are.  The
> problem is, they aren't usually of a volume that matters and using them to
> block the source is likely to have more false positives than not.  

We are good friends with the nice folks over at gamila, who made stuff
like the tea stick (they eventually sold the rights to the folks who
also make Bobbles, water bottles with built-in filters). They are known
as gamila now because their original name, gamil.com, was practically
impossible to use because, well, obvious reasons. 

I have champeon.com and regularly have to deal with presumably
intoxicated Latin Americans who think they are the champeon of the world
and sign up for facebook or twitter with an account in my domain. Shrug.
I reset their password and try to shut the accounts down when I can.



[mailop] bell.ca?

2020-01-16 Thread Steven Champeon via mailop

Is anyone from bell.ca here who has any way to fix their DNS? They seem
to have several blocks that have spaces (\032) in their PTRs, which is
sort of weird.

eg:

74.15.212.103:bras-base-sjerpq0524w-grc-12  -74-15-212-103.dsl.bell.ca

I mean, your network your rules, but this just seems like an accident.

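An added example, not the poster's or Bell's code: a small receiver-side checker that decodes the \DDD escapes DNS tools use for bytes such as the space in the PTR quoted above (RFC 1035 section 5.1) and reports which labels break the RFC 1123 letter-digit-hyphen rule, so a filter keyed on rDNS can flag such records instead of silently mishandling them. The sample PTR is constructed after the quoted one; the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed PTR, modelled on the record quoted in the post: the label
# contains two spaces, which DNS tools show in presentation format as \032.
SAMPLE_PTR = r"bras-base-sjerpq0524w-grc-12\032\032-74-15-212-103.dsl.bell.ca"

# RFC 1123 "LDH" hostname label: letters, digits, hyphens; no leading or
# trailing hyphen; 1..63 octets.
LDH_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def decode_labels(name: str) -> List[str]:
    """Split a name in master-file presentation format into raw labels,
    decoding the \\DDD (decimal) and \\c escapes of RFC 1035 section 5.1.
    A trailing dot is tolerated."""
    labels: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            digits = name[i + 1 : i + 4]
            if len(digits) == 3 and digits.isdigit() and int(digits) < 256:
                cur.append(chr(int(digits)))
                i += 4
                continue
            if i + 1 < len(name):          # \c : the next character literally
                cur.append(name[i + 1])
                i += 2
                continue
            cur.append(c)                   # lone trailing backslash, kept as-is
        elif c == ".":
            labels.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur or not labels:
        labels.append("".join(cur))
    return labels


def hostname_problems(name: str) -> List[Tuple[str, str]]:
    """Return (label, reason) pairs for every label that is not a valid
    hostname label. An empty list means the name is a usable hostname."""
    problems: List[Tuple[str, str]] = []
    for label in decode_labels(name):
        if label == "":
            problems.append((label, "empty label"))
        elif len(label) > 63:
            problems.append((label, "label longer than 63 octets"))
        elif not LDH_LABEL_RE.match(label.lower()):
            bad = sorted({ch for ch in label if not re.match(r"[A-Za-z0-9-]", ch)})
            if bad:
                problems.append((label, f"non-LDH characters: {bad!r}"))
            else:
                problems.append((label, "hyphen at start or end of label"))
    return problems


def is_valid_hostname(name: str) -> bool:
    """True when no label has a problem and the whole name fits in 253 octets."""
    return not hostname_problems(name) and len(".".join(decode_labels(name))) <= 253


if __name__ == "__main__":
    for ptr in (SAMPLE_PTR, "74-15-212-103.dsl.bell.ca", "bad_label.example.net"):
        print(ptr, "->", hostname_problems(ptr) or "ok")
```

The decode step matters: a filter that compares the raw presentation string will see a backslash and digits, not a space, and may pass the name as clean.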


Re: [mailop] Reasons to add plain text alternative to email?

2019-12-10 Thread Steven Champeon via mailop
on Tue, Dec 10, 2019 at 01:18:23PM -0500, Rich Kulawiec via mailop wrote:
> If you (generic you) can't communicate in plain text, then you can't
> communicate.  Nothing you have to say is worthy of an audience.

https://giphy.com/media/5hHOBKJ8lw9OM/200.webp



Re: [mailop] Reasons to add plain text alternative to email?

2019-12-09 Thread Steven Champeon via mailop
on Mon, Dec 09, 2019 at 06:23:41AM -0800, Ned Freed via mailop wrote:
> (c) Plain text parts that are just a copy of the HTML.

And, lo, just now from sharefile (copy/paste directly from mutt in 'v'):

---Attachment: text/plain (21%) 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">

[...]



Re: [mailop] Reasons to add plain text alternative to email?

2019-12-09 Thread Steven Champeon via mailop
on Mon, Dec 09, 2019 at 12:00:17PM -0500, Allen Kitchen via mailop wrote:
> 
> I have considered writing something to munge the HTML portions out of
> my saved emails, but considering the effort it would take and also
> considering that doing this would render them less defensible as true
> copies should the need ever arise, that’s a deferred project.

It's too bad disk space is so expensive these days, or you could keep
both copies :-)

cf. perl:

 
 https://stackoverflow.com/questions/371153/how-can-i-strip-html-and-attachments-from-emails

or just use MimeDefang:

 https://en.wikipedia.org/wiki/MIMEDefang

HTH,
Steve

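An added example, not from the post, the thread or MIMEDefang: Python using the standard email package to audit a multipart/alternative message for the two failure modes in this thread, a text/plain part that is just the HTML source (the sharefile case quoted in the other 2019-12-09 message above) and a missing plain alternative, and to produce the plain-text-only copy the quoted reply is weighing. The HTML is constructed after the XHTML doctype in that quote; addresses and bodies are made up.

```python
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, Optional

TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")

# Constructed HTML body, modelled on the sharefile example (XHTML doctype).
SAMPLE_HTML = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'
    '<html xmlns="http://www.w3.org/1999/xhtml"><body>'
    '<p>Your file is ready. <a href="https://files.example.com/x">Download</a></p>'
    '</body></html>'
)
SAMPLE_PLAIN = "Your file is ready. Download: https://files.example.com/x\n"


def make_message(plain: str, html: Optional[str] = None) -> EmailMessage:
    """Build a message with a text/plain part and, optionally, a text/html
    alternative (the message becomes multipart/alternative)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "files@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Your file"
    msg.set_content(plain)
    if html is not None:
        msg.add_alternative(html, subtype="html")
    return msg


def looks_like_html(text: str) -> bool:
    """Heuristic: a text/plain body that opens with a doctype or <html>, or
    carries several tags, is HTML source rather than a plain-text rendering."""
    head = text.lstrip().lower()
    if head.startswith(("<!doctype", "<html")):
        return True
    return len(TAG_RE.findall(text)) >= 3


def audit(msg: EmailMessage) -> Dict[str, object]:
    """Report what a plain-text reader will actually get from this message."""
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    plain_text = plain.get_content() if plain is not None else ""
    html_text = html.get_content() if html is not None else ""
    return {
        "has_plain": plain is not None,
        "has_html": html is not None,
        "plain_looks_like_html": looks_like_html(plain_text),
        # roughly the "(21%)" mutt shows beside the text/plain attachment
        "plain_to_html_ratio": round(len(plain_text) / len(html_text), 2) if html_text else None,
    }


def strip_html_parts(msg: EmailMessage) -> EmailMessage:
    """Return a new single-part text/plain copy carrying the original's main
    headers and only its text/plain body (HTML and attachments dropped)."""
    out = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[name] is not None:
            out[name] = str(msg[name])
    plain = msg.get_body(preferencelist=("plain",))
    out.set_content(plain.get_content() if plain is not None else "")
    return out


if __name__ == "__main__":
    print(audit(make_message(SAMPLE_HTML, SAMPLE_HTML)))   # plain part is a copy of the HTML
    print(audit(make_message(SAMPLE_PLAIN, SAMPLE_HTML)))  # proper alternative
    print(strip_html_parts(make_message(SAMPLE_PLAIN, SAMPLE_HTML)).as_string())
```

If the audit says the plain part looks like HTML, the stripped copy is no better than the original; that case needs a rendering step (w3m or lynx -dump, as the thread notes) rather than part selection.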


Re: [mailop] Reasons to add plain text alternative to email?

2019-12-09 Thread Steven Champeon via mailop
on Mon, Dec 09, 2019 at 02:26:08PM +0100, Jaroslaw Rafa via mailop wrote:
> Dnia  9.12.2019 o godz. 12:52:31 Steven Champeon via mailop pisze:
> > That's all I can see in mutt. Not even a "your mail client sucks" or
> > "click on the URL to view this message in a web browser" disclaimer.
> 
> As you are using mutt, you definitely know how to use the "v" key on the
> message :). Then you can press Enter on the HTML part and your locally
> installed text-mode browser like w3m, lynx or links kicks in and displays
> the HTML for you. However, it still sucks to have to do this :)

Yeah, of course, I know that, but it's an even more idiotic sign on
behalf of the sender that they don't care enough to make it so I don't
have to do that. Also, I suspect whenever I'm going to have to do that
I am just going to get a lynx -dump that consists of a blurb followed
by forty-leven ~1K hash redirect "Visible link" lines and perhaps a
clicktracker "Hidden link" line. Respect!

And I also note that there is no account preference for either special
notice mail^W^W^Wmarketing like this or for their newsletter to let
them know I'd rather get plain text. Shrug. I don't make good cheap
eyeglasses, they don't know how to properly manage their broadcast mail.
 


Re: [mailop] Reasons to add plain text alternative to email?

2019-12-09 Thread Steven Champeon via mailop
on Mon, Dec 09, 2019 at 09:50:14AM +0100, Maarten Oelering via mailop wrote:
> Multipart messages with html and text alternatives are generally
> considered best practice. Senders with html templates should add a
> text version is the common belief.

Well, the common belief is more like "what's multipart"? :-)
 
> But it's almost 2020, and we were wondering if there's still a good
> reason for adding plain text to a html message. Is there a significant
> audience reading in plain text?

I'm reading this in mutt, but I'm probably not a significant audience
unless your audience is defined as people who still like plain text,
such as, oh, hey, maybe mailop or nanog or anywhere else filled with
grizzled old hangers-on to decades-old technology biases.

Caveat: back in the Day I helped argue for the foundation of what is
now known as "responsive design" in Web design, so I have a standpoint.

> Is plain text important for accessibility?

Again, that's a whole 'nother can of worms. I started out in SGML and
taught myself the HTML of the day in a few minutes, and so believe that
it is certainly /possible/ to write HTML that is readable by the tools
that make such accessible, but as to whether anyone (or any tools) know
how or care to know how to do that anymore? Shrug. So, provide a plain
text alternative, preferably one you've actually tried to read in a
client like mutt. A significant number of those clients and tools I've
seen people using to send multipart mail don't understand why stripping
ALL of the newlines and mashing down spaces makesithardertoread.YMMV.

An example of this (created by yahoo mail, IIUIC) from a post to a local
neighborhood mailing list, sent by someone describing a house on our
upcoming historic district tour, cut and pasted from mutt and reformatted
only to indent for legibility and wrap to ~76c:

   703N. East St. Nowell-Forbes house 1923Naudain MachenThisNeoclassical
   Revival house was built for developer Virginia Nowell. From 1941to
   1989 it was the home of Harry Forbes, an engineer with the Seaboard
   Air LineRailway, and his family. The house was restored and expanded
   for the currentowner in 2005. The interior is beautifully lit by
   large windows, surrounded bystained-wood trim. The retaining wall at
   the front of the property is built ofBelgian block stones. Behind the
   house is a 5,000-gallon pool wherein reside 21koi.

Each item is also jammed together so the next line starts immediately:

  609 Polk St. Forrest-Crew House 1897Lyric Thompson& Lee LilleyThisand
  five other houses on this block were originally identical four-room
  QueenAnne-style

I dunno, seems like we'd have figured the basics out by now.

> Because SpamAssassin says so?

Doesn't hurt. 

How about "because the following makes you look really stupid":

Actual example from this month, and I'm a past customer and in the
market for a fresh prescription update:

   Date: Fri, 29 Nov 2019 04:27:15 +0000 (UTC)
   From: "Eyeglasses.com" 
   To: scham...@hesketh.com
   Subject: It's Black Friday, FREE LENSES

That's all I can see in mutt. Not even a "your mail client sucks" or
"click on the URL to view this message in a web browser" disclaimer.

I know, I should get a different account for all the vendors who send
me stuff with ~1K char click-tracker redirects and just read and manage
them in an HTML-capable client, but I'd rather know what I'm actually
looking at, not just what the rendering engine decided to show me.

JADP,
Steve



Re: [mailop] Can someone write me a prescription for a sane MTA? I'm allergic to Postfix.

2019-12-09 Thread Steven Champeon via mailop
on Fri, Dec 06, 2019 at 12:10:54AM +0000, Steve Holdoway via mailop wrote:
> Still on sendmail... not wasting those 10's of thousands of hours!

At the risk of adding to a not-even-close-to-ops-related thread,

Sing it, brother!

I'm still running most of the 14K lines of custom m4 sendmail rulesets I
wrote back before I knew any better, mostly to deal with specific
ratware signatures.

In short, though, I've found if you want complete customizability and
are not afraid to get your hands dirty sendmail is hard to beat. Postfix
is crazy flexible in terms of knobs you can turn, as is exim, and I hear
it is possible to make the latter two do more than I could ever figure
out how to do, but I always found them more rigid than sendmail, which
is a clear sign of confirmation bias on my part, but hey. Where else do
you get to do a fifty-four member set of defs to deal with an insanely
particular set of From: header checks like this, AND get to do it in m4?

# f.last_
# e.g. "First M. Last" 
# e.g. "First Last" 
KEL_FirstMLastZZ05 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*\.*\ *[A-Z]([a-z\-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]\2_[a-z]{2}@

In over fifteen years of running this set (dealt with randomized stuff
like "Steven J. Champeon" ) I had one FP
on someone whose email address ended in _md, because, doctor.

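The same check in Python, as an added example that is not part of the post or its sendmail configuration: the regex is a transcription of the KEL_FirstMLastZZ05 map above into Python syntax, run over constructed From: values, including the "_md" case the post describes as its one false positive. The exempt_suffixes parameter is an addition of mine, not something the sendmail rule has.

```python
import re
from typing import Iterable, List, Tuple

# Python transcription of the sendmail regex map quoted above (POSIX ERE in
# the original). Group 1 is the first name minus its initial, group 2 the
# last name minus its initial; the \2 backreference ties the display name
# to the local part, which is what makes the signature specific.
# The unescaped '.' between the two initials is kept from the original:
# it accepts any single character there, not only a dot.
RATWARE_FROM_RE = re.compile(
    r'[A-Z]([a-z]+) [A-Z]*\.* *[A-Z]([a-z\-]+[A-Z]*[a-z]*)" <[a-z].[a-z]\2_[a-z]{2}@'
)

# Constructed From: header values (documentation domains only).
SAMPLE_FROM_HEADERS = [
    '"Steven J. Champeon" <s.champeon_xx@example.com>',   # ratware-style, should match
    '"First Last" <f.last_ab@example.org>',               # ratware-style, should match
    '"Jane Doe" <jane.doe@example.com>',                  # ordinary, should not match
    '"Jane Doe" <j.doe_md@example.net>',                  # the doctor: the FP the post mentions
    'no-display-name@example.com',                        # nothing to match against
]


def ratware_from_match(from_value: str, exempt_suffixes: Iterable[str] = ()) -> bool:
    """True when the From: value matches the signature. exempt_suffixes
    (my addition, not in the sendmail rule) lists local-part suffixes such
    as "_md" that must never count as a hit."""
    m = RATWARE_FROM_RE.search(from_value)
    if not m:
        return False
    suffix = m.group(0)[-4:-1]          # the "_xx" just before the "@"
    return suffix not in set(exempt_suffixes)


def scan_from_headers(values: Iterable[str],
                      exempt_suffixes: Iterable[str] = ()) -> List[Tuple[str, bool]]:
    """Apply the check to a batch of From: values; returns (value, hit) pairs."""
    return [(v, ratware_from_match(v, exempt_suffixes)) for v in values]


if __name__ == "__main__":
    for value, hit in scan_from_headers(SAMPLE_FROM_HEADERS, exempt_suffixes=("_md",)):
        print("HIT " if hit else "ok  ", value)
```

Running the scan with and without the exemption shows why the rule survived fifteen years with one false positive: the backreference requires the local part to be derived from the display name, so an ordinary first.last@ address never matches.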


Re: [mailop] Suggestions for VPS providers in Europe?

2019-12-03 Thread Steven Champeon via mailop
on Tue, Dec 03, 2019 at 03:27:04PM +0000, Chris Woods via mailop wrote:
> I'd avoid Linode, Hetzner and particularly OVH. OVH in particular appears
> to be a wretched hive of scum and villainy. Tempting as they may be on
> price, you'll never solve deliverability issues hosting on there. Same for
> EC2 and AWS.

One of the longest running threads on Usenet, IIRC, was people on
triangle.food talking about^W^Warguing about who had the best North
Carolina BBQ (and for the record, if you hear anyone say that's what
they're trying to sell you who isn't actually IN North Carolina, ask
"which kind", because it comes in Eastern (vinegar and hot pepper,
usually whole hog) and Western (tomato, usually smoked shoulder)
styles). It's ALWAYS pork. Sorry for the nested parens. If they try to
just sell you "Carolina BBQ" they obviously don't know what they're
talking about because in South Carolina they use mustard in their sauce,
which is an unconscionable crime and which really ought to be punishable
by making them eat it. My wife is from down east NC and she prefers
eastern style. I, on the other hand, am a Yankee carpetbagger from down
east Maine and like both kinds. As far as I can tell the matter was
never actually settled, but I will put my hand in and say that Skylight
Inn in Ayden may be the best, even if their hoecake style cornbread is a
bit weird, and my wife doesn't like how they do their coleslaw (too
sweet, apparently). The best pie is at a place in Oxford, though, but
their fried chicken is strange. Opinions vary widely. And we're
suffering through a spate of some of the oldest places shutting down -
we've lost Allen and Son in Pittsboro and several other vaunted joints
recently, which is just horrible and a true sign that the end times may
well be coming after all...

This thread risks running the same fate. ALL large colo/hosting
providers have enormous problems, some so bad I've taken to blocking
mail from them by ASN instead of bothering to keep up with who they let
robo-host last and blocking by the /28 or whatever. If I know your
networks' AS# you're probably failing at managing abuse. All I can say
is that the recommendation of at the very least having proper rDNS set
up is a good one, as many people and orgs block generic webhost/colo
rDNS by default, because if you're in such a hurry to firehose spam out
of a new block that you can't even wait for the DNS to propagate, you're
probably not sending anything anyone wants. But if all you're trying to
do is send mail reliably, I'd suggest you just go with a reputable ESP,
or several, and keep a close eye on how they're doing at managing abuse,
and whether or not they've just sold out to some other company because
that seems to be a harbinger of cost-cutting and abuse desks are
basically viewed as a cost center.



Re: [mailop] delivery problems from mimecast.com

2019-11-21 Thread Steven Champeon via mailop
on Wed, Nov 20, 2019 at 10:15:20AM +0100, Claus Assmann via mailop wrote:
> seemingly because it does not like my (self-signed) cert.

We recently ran into this as well, via a longtime list member whose
company decided to switch to mimecast. I just grudgingly disabled TLS
altogether until I can investigate what ridiculous hoops I need to jump
through these days to get a "trusted" CA to issue me a cert (this after
oh, ten years or so of using a self-signed cert) that others will trust
as well.

The only other place I'd run into this is with a server at prolocation
in the Netherlands, which is ironic because they actually host an rbldns
server mirror for enemieslist and have for years. :-/

Of course, the idea that self-signed certs are somehow less valid is
absolutely idiotic on the face of it; encryption doesn't guarantee a
person or entity on the other end is "valid" in any way, regardless of
whether you've filled out some paperwork, and should not be treated as
anything but a way to shill paid services. But there we are.

As for free CAs, they suffer from the same problem as self-signed, maybe
because that's what all certs are at the bottom. I'm not sure if there
are any who would actually work with mimecast, or how a mail server is
supposed to dynamically import a root cert exactly. I'd love to know how
this is resolved, however, if it can be done without paying and renewing
a completely unnecessary cert over and over again for no good reason.

Steve



Re: [mailop] Junk filtering as a tool for unfair competition

2019-10-22 Thread Steven Champeon via mailop

I would just like to ask where I can apply to become an official
Microsoft X-header analyst and/or creator. Reading these reminds me of
the old days when I had Eudora and set it up so that it added an
X-Because-I-Can: header well, because I could. But I do question the
wisdom of adding some 5K worth of idiotic X-headers to a message whose
body content is one line of abused URL shortener trying to sell me
make-penis-fast pills. YMMV.

I mean, what could the possible value be of a header like

 X-MS-Exchange-CrossTenant-FromEntityHeader: Internet

? Or

 X-MS-PublicTrafficType: Email

? Of COURSE it's email. And I love this:

 X-IncomingHeaderCount: 21

and yet there are at least 36 headers in the first example Daniele sent.

And despite the fact that Daniele sent message #2 from kernel-panic.it,
you still have

 X-OriginatorOrg: outlook.com

which is, frankly, incorrect. Unless I misunderstand the meaning of
"originator".

We recently refused mail from a potential licensee because their own
Forefront server labeled it as spam. Authenticated, outbound, and so on,
and they still thought it was worthy of rejecting, so we rejected it (I
still don't quite understand why once a message has been determined to
be spam it is still relayed - but I don't have that many X-headers to
draw on). Is there anything at all about these headers that has value?



Re: [mailop] Do we need Spam folders?

2019-10-15 Thread Steven Champeon via mailop
on Mon, Oct 14, 2019 at 12:58:51PM -0700, Brandon Long via mailop wrote:
> I used to think, when I ran my own server, that five or so spam messages a
> day, what's the big deal... until I just got tired of it.  It was often
> more than the actual useful messages in my mailbox every time I checked.

I've had the same email address since oh, 1996 or so? I've run my own
email services since 1997, and have invested a great deal of time into
making sure my filters are good, at one point for our company and its
hosting clients and nowadays for a very small userbase (think in terms
of single-digits).

We block according to a wide variety of criteria, and quarantine/flag on
some others. We eat our own dog food and don't rely on anyone else's
filters, though we do query a few for stats purposes and the very
occasional quarantine exception.

Yesterday (FSVO "yesterday") we blocked 12 messages for being sent from
known-bad ASNs alone (after a couple of months in which said ASNs sent
288 that we let in and tried to send another thousand or so). That's out
of a total of 310 rejections today. And that doesn't count the 6 419s we
got from random sources, the several offers of sales lead lists and
contact lists, SEO offers, loan/financing offers and other garbage, that
we quarantined and blacklisted. This out of a total mail load of 649
messages - not bad compared to the bad old days when spam accounted for
over 95% of all inbound, but bear in mind I've also got about a full
quarter of IPv4 blocked at the packet level, so I should also include in
that number another 59 unique IPs that made port 25 connections,
bringing us up to 708, or around 60% spam/ham if you don't account for
any filtering at all. And the vast majority of the ham was from lists,
such as this one. So for practical purposes, non-list mail was probably
still in that 95% neighborhood.

Dealing with the stuff I had to quarantine ate up at least half an hour,
in various chunks, while I'm in Montreal at M3AAWG to talk to other
people who are either trying to send or block or manage and should be
down on the floor talking to them instead of sitting in a hotel room.

And that's NOW. Imagine what a waste of time it's been over the past 23
years, given that we have already invested in filtering (14+K lines of
sendmail m4 code, a dataset of classifications for ~96.3% of IPv4's PTR
space for filtering and quarantining, a set of ~90K blacklisted domains,
etc., etc.) and for the most part ONLY have to handle the edge cases
(419s, cold calls, and new idiots) and imagine how tired I am of it. And
I've never had a userbase more than a few hundred or several thousand if
you include the various mailing lists we hosted over the years, which we
still had to provide filtering for.

Everyone has different spam loads and tolerances, as you mentioned. To
extrapolate from an obviously VERY light load to anyone else's actual
experience is misguided. It just smacks of "JHD" and comes off as the
sort of dismissive and disrespectful attitudes we've been trying for
decades to rid ourselves and our various communities of. 

As for whether we still need spam folders, I can see all sides - you
do risk missing FPs, and senders need feedback (or not, depending on
if you think the sender is legit), and users deal with their own spam
tolerances in wildly different ways. We still have a quarantine folder,
mostly because I would rather waste my own time than both mine and that
of the other users I serve. Without quarantine, they have to forward
the stuff they think is spam to me AND I have to deal with it. YMMV. I
make no claim to understand what a Yahoo! or GMail have to deal with.



Re: [mailop] Weird blocking by outlook.com (S3150)

2019-08-29 Thread Steven Champeon via mailop
on Fri, Aug 23, 2019 at 08:31:24AM -0700, Michael Peddemors via mailop wrote:
> On 2019-08-23 12:45 a.m., Benoit Panizzon via mailop wrote:
> >So for privacy reasons we have decided not to register our customers
> >using this ranges @ RIPE. Anyway we mostly have businesses customers in
> >this range.
> 
> You should allow your customers to make the choice on whether they
> wish to advertise their operational control over the IP(s) they have
> been delegated.

*claps*

I can't be the only person who believes the whole "privacy" claim for
failing to provide accurate information about who is using the Internet
to be complete and utter nonsensical bullshit, right?

I make a living classifying PTR naming conventions, so I spend much of
my day (and the past 13 years) looking at WHOIS and rwhois lookups. In
the past few years it has become more or less the default for companies
and organizations and ISPs and telcos to hide their information, even
though you can go to their Web site and find out who they are and how to
contact them and where their locations are and so forth. Some ccTLDs
don't even bother to run a WHOIS server at all. Most ISPs don't offer
delegation records, or if they did, the rwhois server the lookups try to
redirect to was shut down long ago. 

I dread living in a world where the best way to find out who and where
the responsible party behind a given IP address is traceroute. But it's
becoming more and more the case. 

Steve



Re: [mailop] Return Path / Sender Score

2019-08-29 Thread Steven Champeon via mailop
on Thu, Aug 22, 2019 at 06:39:07AM -0400, Rob McEwen via mailop wrote:
> This "no-javascript" loophole is HUGE!

We have a contact form and an evaluation request form that happen to use
mostly the same markup and CGI perl script to process them. I'd say
around 99% of the submissions we get from them are spam, from around 70
different ASNs (mostly Russian/Eastern European, but also M247 for some
reason) so I have implemented a way to refuse such submissions from
entire ASNs. This on top of the CAPTCHA we already added when things
started getting silly.



Re: [mailop] How to identify source of email sent via Google?

2019-07-18 Thread Steven Champeon via mailop
on Thu, Jul 18, 2019 at 06:27:37PM +0000, Michael Wise via mailop wrote:
> The doctrine seems to be that they're sufficiently on the ball that
> they can handle all abuse issues internally, and thus, they hide that
> information, since it could be used to, for instance, launch a DDOS
> attach against the user's "Home" IP infrastructure.

Bwahahahahahahahahahahaha.

Yeah, whatever. I've had rulesets that block webmail-injected 419/AFF
scams for over a decade and Google is among the few who I still get them
from because I can't tell if the IP is in West Africa thanks to this
idiotic "policy". It's just stupid.



Re: [mailop] Digital Ocean Sextortion Spammers..

2019-04-10 Thread Steven Champeon
on Mon, Apr 08, 2019 at 03:48:24PM -0600, Grant Taylor via mailop wrote:
> If I were to do something like that, I'd likely find out the IP
> space that $HostingCompany is using and wholesale block them.  I'm
> confident there are ways to do this based on the Global Internet
> Default Free Zone BGP feeds.  I.e. null route any IPs associated
> with their ASN(s).

Blocking by ASN is easier.

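Blocking by ASN, as an added example that is not the poster's own code; it serves this reply, the VPS thread above ("blocking mail from them by ASN") and the contact-form post ("refuse such submissions from entire ASNs"). It does longest-prefix matching against a prefix-to-origin-AS table and turns a deny set of ASNs into a per-connection decision. The table uses documentation prefixes and ASNs and is constructed; where the real prefix-to-AS data comes from (a BGP feed or a published prefix-to-AS dump) is an assumption left to the operator.

```python
import ipaddress
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed prefix -> origin-ASN table using documentation prefixes
# (RFC 5737 / RFC 3849) and documentation ASNs (RFC 5398). In practice the
# table is loaded from a BGP feed or a prefix-to-AS dump.
PREFIX_TABLE = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.128/25", 64497),    # more specific, announced by another AS
    ("198.51.100.0/24", 64498),
    ("203.0.113.0/24", 64496),
    ("2001:db8::/32", 64499),
]

# ASNs the operator has decided to refuse outright (constructed).
DENIED_ASNS = {64496}


def build_table(entries: Iterable[Tuple[str, int]]) -> List[Tuple[Any, int]]:
    """Parse prefixes and order them longest-prefix first so the first hit wins."""
    table = [(ipaddress.ip_network(p, strict=True), asn) for p, asn in entries]
    return sorted(table, key=lambda t: t[0].prefixlen, reverse=True)


TABLE = build_table(PREFIX_TABLE)


def asn_for_ip(ip: str, table: List[Tuple[Any, int]] = TABLE) -> Optional[int]:
    """Longest-prefix match; None for unparseable or unrouted addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, asn in table:
        if addr.version == net.version and addr in net:
            return asn
    return None


def should_reject(ip: str, denied=DENIED_ASNS,
                  table: List[Tuple[Any, int]] = TABLE) -> Tuple[bool, Optional[int]]:
    """Decision for one client: (reject?, origin ASN). An unknown origin is
    not rejected here; that is a policy choice worth making explicit."""
    asn = asn_for_ip(ip, table)
    return (asn in denied, asn)


def triage(client_ips: Iterable[str], denied=DENIED_ASNS,
           table: List[Tuple[Any, int]] = TABLE) -> Dict[str, List[str]]:
    """Split a batch of client IPs (SMTP peers, form submitters) into
    accepted and rejected, for review before the rule goes live."""
    out: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for ip in client_ips:
        reject, _ = should_reject(ip, denied, table)
        out["rejected" if reject else "accepted"].append(ip)
    return out


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.1", "192.0.2.200", "10.1.1.1"):
        print(ip, should_reject(ip))
```

The more-specific /25 inside the denied /24 is the case to test before deploying such a rule: a customer of another AS sitting inside a larger block should not be caught by a match on the covering prefix, which is why the table is ordered longest-prefix first.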


Re: [mailop] abuse.net

2018-11-12 Thread Steven Champeon
on Mon, Nov 12, 2018 at 11:02:28AM -0500, Al Iverson wrote:
> Hey, senders or receivers or spam filterers. Do you use abuse.net?

Every domain for which I have patterns in Enemieslist has an associated
abuse addy fetched from abuse.net, but frankly I don't do anything with
them - IIRC the "nobody has registered an address" default is just to
prepend abuse@ to the domain. Shrug. RFC 2148!
