Re: [mailop] Anyone from Mandrill/Mailchimp here?
Hello,

May I suggest reporting the phishing using the Signal Spam plugin as well? Also, if Mailchimp wants to, they can put their manually qualified phishing in the Signal Spam blacklist for instant protection of Signal Spam users against the phishing.

Kind regards,

Thomas FONTVIELLE
Secretary General
+33 (0)7 72 18 33 60
@signalspam | @tfontvielle

On 28 Feb 2019 at 10:19 +0100, Paul Smith wrote:
> On 27/02/2019 20:56, Matt Gilbert via mailop wrote:
> > I understand how frustrating this can be for you who have received one
> > of these emails, and I personally thank you for keeping those tinfoil
> > hats on tight.
>
> It wasn't that frustrating for me - it's phishing, I see them all the
> time, but I thought it was clever to use an email platform to perform a
> phishing attack against itself.
>
> This meant that it passed basic 'is this forged' checks because of that
> (eg it was DKIM signed by Mailchimp). Thankfully, (a) I've learned to be
> ultra-suspicious, and (b) I'm fairly sure I just have a free Mailchimp
> account, so why I'd be asked to check my billing details was suspicious.
>
> I didn't know it was already known about, so I reported it :-) Normally
> I don't bother because I know there's nothing that the phishee can
> reasonably do about it, but in this case there was.
>
> --
> Paul Smith Computer Services

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Anyone from Mandrill/Mailchimp here?
On 27/02/2019 20:56, Matt Gilbert via mailop wrote:
> I understand how frustrating this can be for you who have received one of these emails, and I personally thank you for keeping those tinfoil hats on tight.

It wasn't that frustrating for me - it's phishing, I see them all the time, but I thought it was clever to use an email platform to perform a phishing attack against itself.

This meant that it passed basic 'is this forged' checks because of that (eg it was DKIM signed by Mailchimp). Thankfully, (a) I've learned to be ultra-suspicious, and (b) I'm fairly sure I just have a free Mailchimp account, so why I'd be asked to check my billing details was suspicious.

I didn't know it was already known about, so I reported it :-) Normally I don't bother because I know there's nothing that the phishee can reasonably do about it, but in this case there was.

--
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
Re: [mailop] Anyone from Mandrill/Mailchimp here?
Hi Mark,

My main intent with my response was simply to let y’all know that we are aware of and acting on the phishing. But, I’ll take a moment to address your response as well since you took the time to offer some tips.

We offer many or most of (or at least similar) features to what you’ve mentioned on a per-account basis within Mandrill. We’ve recommended MFA for user logins in both Mandrill and Mailchimp for years. There are also other anti-abuse mechanisms that sit above user accounts that are being tweaked to help address this as well. Obviously when we identify a compromised Mandrill account, in addition to disabling the API key, we strongly advise that they enable as many of the additional security features as practical to prevent future abuse.

Rest assured that we have some of the best security and anti-abuse people around working on this. We take any abuse of our systems and users very seriously.

Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com

> On Feb 27, 2019, at 4:07 PM, Mark Foster wrote:
>
> Forgive my ignorance, but for anything user-interactive, can you mandate
> MFA and/or comment on the viability and/or success in doing so?
>
> For API interaction, can you mix both keys and credentials or use some
> other method for achieving similar ends?
>
> What about other sorts of controls, (for example perhaps) geo-locking of
> user accounts and/or API interfaces so that their sudden use from another
> country is at least logged/flagged, if not blocked outright?
>
> Obviously, generating spam via a compromised account is extremely common
> and makes mail systems accessible from anywhere very attractive; in the
> userspace we recommend MFA as a significant control for compromised
> credentials, I'll admit to being less familiar with the applicability of
> this approach for anything API driven. But for a commercial mail-sending
> operation these sorts of controls would seem to be becoming more and more
> relevant, as the impact of a reputation hit on your IP ranges, etc, is
> much more far-reaching than a private system?
>
> Cheers
> Mark.
Re: [mailop] Anyone from Mandrill/Mailchimp here?
> I realized I sent this to Paul, but forgot to CC the list. So I'm
> sending this again.
> *snip*
> Unfortunately, some mail is still able to slip through the net. We are
> also unable to identify these compromised accounts before the malicious
> mail is sent, because the Mandrill account credentials are being harvested
> from sources outside of our systems, so we have no insight into vulnerable
> accounts until there is abuse. Generally speaking we advise all users to
> secure their passwords and API keys, but sometimes mistakes are made, like
> posting an API key on a publicly shared GitHub repo.
>
> I understand how frustrating this can be for you who have received one of
> these emails, and I personally thank you for keeping those tinfoil hats on
> tight.

Forgive my ignorance, but for anything user-interactive, can you mandate MFA and/or comment on the viability and/or success in doing so?

For API interaction, can you mix both keys and credentials or use some other method for achieving similar ends?

What about other sorts of controls, (for example perhaps) geo-locking of user accounts and/or API interfaces so that their sudden use from another country is at least logged/flagged, if not blocked outright?

Obviously, generating spam via a compromised account is extremely common and makes mail systems accessible from anywhere very attractive; in the userspace we recommend MFA as a significant control for compromised credentials, I'll admit to being less familiar with the applicability of this approach for anything API driven. But for a commercial mail-sending operation these sorts of controls would seem to be becoming more and more relevant, as the impact of a reputation hit on your IP ranges, etc, is much more far-reaching than a private system?

Cheers
Mark.
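Mark's geo-locking and flagging suggestion above, worked through as an added example. This is not code from the thread and not Mandrill's actual implementation; the log lines, key ids, IP-to-country table and the LOCKED policy are all constructed placeholders. It shows the two tiers Mark distinguishes: keys whose owner opted into a hard country lock are blocked outside the allow-list, and every other key learns a per-key baseline so that a request from a never-seen country is flagged for review rather than blocked.

```python
from collections import defaultdict

# Constructed stand-in for a GeoIP lookup (a real deployment queries a GeoIP database).
IP_COUNTRY = {"198.51.100.7": "GB", "198.51.100.9": "GB", "203.0.113.5": "BR"}

# Constructed API access log: timestamp, API key id, source IP, action.
SAMPLE_LOG = """\
2019-02-27T09:01:10Z key_1 198.51.100.7 messages.send
2019-02-27T09:05:42Z key_1 198.51.100.9 messages.send
2019-02-27T16:58:03Z key_1 203.0.113.5 messages.send
2019-02-27T17:04:30Z key_1 203.0.113.5 messages.send
2019-02-27T17:10:00Z key_2 203.0.113.5 messages.send
"""

# Constructed policy: keys whose owner opted into a hard geo-lock.
# Anything outside the allowed set is blocked outright.
LOCKED = {"key_2": {"GB"}}


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, key, ip, action = line.split()
    return ts, key, ip, action


def evaluate(log_text, ip_country, locked, baseline_events=2):
    """Walk the log in order and return (timestamp, key, country, decision) tuples.

    Geo-locked keys get 'block' for any country outside their allow-list.
    All other keys build a per-key baseline from their first `baseline_events`
    requests; a later request from a country not in that baseline gets 'flag'
    (logged for review, not blocked), and the new country then joins the baseline.
    """
    seen = defaultdict(set)    # key -> countries observed so far
    count = defaultdict(int)   # key -> number of requests that fed the baseline
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, key, ip, action = parse_line(line)
        country = ip_country.get(ip, "??")  # unknown geolocation counts as a new country
        if key in locked:
            if country not in locked[key]:
                decisions.append((ts, key, country, "block"))
                continue  # blocked requests never feed the baseline
        elif count[key] >= baseline_events and country not in seen[key]:
            decisions.append((ts, key, country, "flag"))
        seen[key].add(country)
        count[key] += 1
    return decisions


if __name__ == "__main__":
    for decision in evaluate(SAMPLE_LOG, IP_COUNTRY, LOCKED):
        print(*decision)
```

On the sample log, key_1 is flagged the first time it is used from BR after two GB requests and is not flagged again for BR, while key_2, which is locked to GB, is blocked. The baseline length and the choice between flag and block are the operator's tuning knobs; a baseline of two events is only for the sake of the constructed sample.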
Re: [mailop] Anyone from Mandrill/Mailchimp here?
I realized I sent this to Paul, but forgot to CC the list. So I’m sending this again.

Hi Paul (et al),

Thank you for mentioning this. In the interest of being transparent, and because the folks here are more savvy to these types of issues, our anti-abuse team has been tracking a group of malicious actors who are using Mandrill user account credentials that were collected from outside of our systems to send the phishing mail you saw. The current batch of compromised accounts have been suspended until credentials are changed and secured, and we are monitoring for further cases. We are also proactively forcing password resets on any targeted Mailchimp users to ensure that these bad actors can’t gain access to the targeted victims. So don’t be surprised if you will need to reset your password for your Mailchimp account, Paul.

For the emails that had used our click tracking, we are breaking the 302 redirects on our end, so that if a link is clicked it will error. But there are many that were sent that aren’t using our click tracking, and so we don’t have control over the links. For the cases where the phishing domain is using a cousin domain to Mailchimp, our legal team is also issuing takedowns with the web hosts.

Unfortunately, some mail is still able to slip through the net. We are also unable to identify these compromised accounts before the malicious mail is sent, because the Mandrill account credentials are being harvested from sources outside of our systems, so we have no insight into vulnerable accounts until there is abuse. Generally speaking we advise all users to secure their passwords and API keys, but sometimes mistakes are made, like posting an API key on a publicly shared GitHub repo.

I understand how frustrating this can be for you who have received one of these emails, and I personally thank you for keeping those tinfoil hats on tight.

Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com
Re: [mailop] Anyone from Mandrill/Mailchimp here?
Paul, please pass the info to us offlist and we'll get it in front of the right person ASAP.

Anne

*Typed with 1.5 eyes as I'm recuperating from a torn retina, so apologies for any typos.

> On Feb 27, 2019, at 10:47 AM, Paul Smith wrote:
>
> We've just received what I'm 99% sure is a phishing email - sent through the
> Mandrill/Mailchimp infrastructure, claiming there's a problem with our
> Mailchimp account. The links go to landing pages on MailChimp, and it's
> clever.
>
> So, it needs sorting, ASAP, because it's quite likely to catch people out,
> given that it's claiming to be from Mailchimp, the links go to Mailchimp
> pages (which look like Mailchimp login pages, but aren't quite), etc.
>
> I've reported it to ab...@mandrillapp.com as well, but that may take a while
> to get through, so thought I'd try a different channel as well...
>
> Headers:
> [snipped; quoted in full in Paul's original message below]
[mailop] Anyone from Mandrill/Mailchimp here?
We've just received what I'm 99% sure is a phishing email - sent through the Mandrill/Mailchimp infrastructure, claiming there's a problem with our Mailchimp account. The links go to landing pages on MailChimp, and it's clever.

So, it needs sorting, ASAP, because it's quite likely to catch people out, given that it's claiming to be from Mailchimp, the links go to Mailchimp pages (which look like Mailchimp login pages, but aren't quite), etc.

I've reported it to ab...@mandrillapp.com as well, but that may take a while to get through, so thought I'd try a different channel as well...

Headers:

Return-Path:
DomainKey-Status: non-participant from=nore...@drsha.net; domainkeys=fail
Authentication-Results: lmail.pscs.co.uk; spf=Pass
  smtp.mailfrom=bounce-md_30903452.5c76c31e.v1-cef683aebe194acebd48d0ee66249...@mandrillapp.com
  smtp.helo=mail136-28.atl41.mandrillapp.com; dkim=pass (signature verified)
  header.i=nore...@drsha.net; dkim=pass (signature verified)
  header.i=@mandrillapp.com; auth=none
Received-SPF: Pass client-ip=198.2.136.28;
  envelope-from=bounce-md_30903452.5c76c31e.v1-cef683aebe194acebd48d0ee66249...@mandrillapp.com;
  helo=mail136-28.atl41.mandrillapp.com; identity=mailfrom
Received: from mail136-28.atl41.mandrillapp.com ([198.2.136.28] (mail136-28.atl41.mandrillapp.com))
  by lmail.pscs.co.uk ([192.168.66.70] running VPOP3)
  with ESMTPS (TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384) for ; Wed, 27 Feb 2019 17:04:37 -
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mandrill; d=drsha.net;
  h=From:Subject:Message-Id:To:Date:MIME-Version:Content-Type;
  i=nore...@drsha.net;
  bh=bjT9fpLnOr3an+CY799OLe4k3utaSPU5laFCWT8pwCg=;
  b=gQinse9xWTicS6IrV9weXt2IV1IcoZfAU7bSiuz+iVUqUs4FbEwORfiYx3xatb1VPmjHq2PSeYbR
  bEYOgo/YmI87WzJMOgCIdBFQoNMzYmRg8pmJiQKAWzaTv8kT14AJzChsZbnsT0/H9tiQ/N5rqjU3
  x2G+/fYQ/zkjhbW95JM=
Received: from pmta04.mandrill.prod.atl01.rsglab.com (127.0.0.1)
  by mail136-28.atl41.mandrillapp.com id her1ia1sb1ku for ;
  Wed, 27 Feb 2019 17:04:30 + (envelope-from )
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
  i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1551287070;
  h=From : Subject : Message-Id : To : Date : MIME-Version : Content-Type : From : Subject : Date : X-Mandrill-User : List-Unsubscribe;
  bh=bjT9fpLnOr3an+CY799OLe4k3utaSPU5laFCWT8pwCg=;
  b=Ftc1ffes3M9osTYrxu23+LeE++UDNvFpKZMEUjD1F6FuYJIQ2gp0rUgiLqQy4TUM9VI9Qr
  1jL/nIskU8jImnlHy6jyv//1mlU2W+FoJ5KJTTr09SkWzdQ03EFexi2Gv3zIK0MerQxED/rR
  SPhuTsNtFXI2kBhK7OsbgWra44C5M=
From: MailChimp Billing
Subject: MailChimp Billing Dispute In Progress
Return-Path:
Received: from [138.68.74.240] by mandrillapp.com id cef683aebe194acebd48d0ee662499fe;
  Wed, 27 Feb 2019 17:04:30 +
X-Mailer: Apple Mail (2.2104)
Message-Id: <2b2604b9-8adc-e769-5633-d2471df00...@drsha.net>
To:
X-Report-Abuse: Please forward a copy of this message, including all headers, to ab...@mandrill.com
X-Report-Abuse: You can also report abuse here:
  http://mandrillapp.com/contact/abuse?id=30903452.cef683aebe194acebd48d0ee662499fe
X-Mandrill-User: md_30903452
Date: Wed, 27 Feb 2019 17:04:30 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_av-tmIbwtKaFByrlcctRqVPTg"

--
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
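The headers above carry two passing DKIM signatures (one for the sending account's domain, one for mandrillapp.com) and a passing SPF check for the mandrillapp.com bounce address, which is why, as Paul says later in the thread, the message sails through basic "is this forged" checks. What those results establish is only which domains sent the message; they say nothing about the "MailChimp Billing" display name. The following is an added example, not code from the thread and not anything Mailchimp or Mandrill ships: it parses an Authentication-Results header, works out which organizational domains actually authenticated, checks whether the From domain is among them, and separately flags a display name that names a brand whose known domains do not include the authenticated sender. The sample headers are constructed in the shape of the ones above with placeholder domains; the brand table, the `org_domain` shortcut (last two labels instead of the Public Suffix List) and the simplified RFC 8601 parsing are assumptions.

```python
import re
from email.utils import parseaddr


def org_domain(domain):
    """Reduce a host name to a rough organizational domain (last two labels).
    Real DMARC evaluation uses the Public Suffix List; this shortcut is an
    assumption that is good enough for the constructed samples below."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv_id, [(method, result, props)]).
    Handles the subset of RFC 8601 syntax seen in ordinary headers: ';'-separated
    method stanzas, '(comments)', and 'ptype.prop=value' tokens."""
    authserv_id, _, rest = value.partition(";")
    stanzas = []
    for stanza in rest.split(";"):
        stanza = re.sub(r"\([^)]*\)", "", stanza).strip()  # drop "(signature verified)" etc.
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:] if "=" in tok)
        stanzas.append((method.lower(), result.lower(), props))
    return authserv_id.strip(), stanzas


def authenticated_domains(stanzas):
    """Organizational domains vouched for by a passing DKIM signature (header.d, or
    the domain part of header.i) or by a passing SPF check (smtp.mailfrom)."""
    domains = set()
    for method, result, props in stanzas:
        if result != "pass":
            continue
        if method == "dkim":
            d = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
        elif method == "spf":
            d = props.get("smtp.mailfrom", "").rpartition("@")[2]
        else:
            continue
        if d:
            domains.add(org_domain(d))
    return domains


def assess(from_header, auth_results, brand_domains, trusted_authserv):
    """Return alignment status and findings for one message.
    brand_domains maps a lowercase brand keyword to the org domains it legitimately
    mails from. trusted_authserv is the authserv-id of our own MX: an
    Authentication-Results header stamped by anyone else may have been forged
    upstream, so its results are ignored."""
    display, addr = parseaddr(from_header)
    from_dom = org_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    authserv_id, stanzas = parse_auth_results(auth_results)
    authed = authenticated_domains(stanzas) if authserv_id == trusted_authserv else set()
    aligned = bool(from_dom) and from_dom in authed
    findings = []
    if not aligned:
        findings.append("From domain %r is not backed by a DKIM/SPF pass (authenticated: %s)"
                        % (from_dom, sorted(authed) or "none"))
    for brand, legit in brand_domains.items():
        # DKIM/SPF prove who sent the message; they say nothing about the display name.
        if brand in display.lower() and from_dom not in legit:
            findings.append("display name %r claims %s but the authenticated sender domain is %r"
                            % (display, brand, from_dom))
    return {"from_domain": from_dom, "authenticated": sorted(authed),
            "aligned": aligned, "findings": findings}


# Constructed samples shaped like the thread's headers; all domains are placeholders.
PHISH_FROM = '"MailChimp Billing" <noreply@sender.example>'
PHISH_AUTH = ("mx.example.net; spf=Pass smtp.mailfrom=bounce-md_1.abc@esp.example "
              "smtp.helo=mail1.esp.example; dkim=pass (signature verified) "
              "header.i=noreply@sender.example; dkim=pass (signature verified) "
              "header.i=@esp.example; auth=none")
LEGIT_FROM = '"Mailchimp" <billing@mailchimp.com>'
LEGIT_AUTH = "mx.example.net; dkim=pass header.d=mailchimp.com header.i=@mailchimp.com"
# Assumed brand table: keyword -> org domains that brand is known to mail from.
BRANDS = {"mailchimp": {"mailchimp.com", "mandrillapp.com"}}

if __name__ == "__main__":
    for label, f, a in (("phish", PHISH_FROM, PHISH_AUTH), ("legit", LEGIT_FROM, LEGIT_AUTH)):
        print(label, assess(f, a, BRANDS, trusted_authserv="mx.example.net"))
```

The constructed phishing sample is fully aligned (the From domain has its own passing DKIM signature, exactly as drsha.net does in the headers above), so a DMARC-style check alone would accept it; the only signal is the mismatch between the brand in the display name and the domain that actually authenticated. The `trusted_authserv` check matters in practice because any upstream hop can add an Authentication-Results header of its own.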