Re: [mailop] Just how does SendGrid fail this badly?
Hello,

At 05:23 AM 18-08-2020, Atro Tossavainen via mailop wrote:
> The SendGrid account sending these yesterday is 13999362.

I am receiving emails from Sendgrid about "Nedbank Credit Card monthly Charges eStatement". The account is 17343945. It looks like a phishing attempt. Those emails originate from 149.72.32.249.

Regards,
S. Moonesamy

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Just how does SendGrid fail this badly?
Most ESPs allow forging of arbitrary domains (usually requiring just an email loop verification *to* any address in the domain). It's good for business. Their customers don't understand SPF/DKIM/DMARC, in their defense.

Plus, it's technically a misdeployment for any domain to publish DMARC if it houses users, so all bets are off. But that's a topic for another list.

Jesse

On Aug 20, 2020 9:57 PM, Philip Paeps via mailop wrote:
> On 2020-08-21 00:26:37 (+0800), Brielle via mailop wrote:
>> Oops, hit the send keybind by accident while trying to paste... Let's
>> try this again.
>>
>> On 8/19/2020 11:06 PM, Philip Paeps via mailop wrote:
>>> On 2020-08-18 20:23:37 (+0800), Atro Tossavainen via mailop wrote:
>>>> The SendGrid account sending these yesterday is 13999362.
>>>
>>> The one I've seen most often is 12340469 with 9789821 a close second
>>> and 8512936 in third place.
>>
>> I just started seeing 2019535 this morning. Luckily ClamAV's extra
>> rules seem to be snagging it.
>
> This is clearly a structural problem rather than one rogue customer...
>
> Philip
>
> -- 
> Philip Paeps
> Senior Reality Engineer
> Alternative Enterprises
Re: [mailop] Just how does SendGrid fail this badly?
On 2020-08-21 00:26:37 (+0800), Brielle via mailop wrote:
> Oops, hit the send keybind by accident while trying to paste... Let's
> try this again.
>
> On 8/19/2020 11:06 PM, Philip Paeps via mailop wrote:
>> On 2020-08-18 20:23:37 (+0800), Atro Tossavainen via mailop wrote:
>>> The SendGrid account sending these yesterday is 13999362.
>>
>> The one I've seen most often is 12340469 with 9789821 a close second
>> and 8512936 in third place.
>
> I just started seeing 2019535 this morning. Luckily ClamAV's extra
> rules seem to be snagging it.

This is clearly a structural problem rather than one rogue customer...

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
Re: [mailop] Just how does SendGrid fail this badly?
On 2020-08-20 at 09:35 +0200, Hans-Martin Mosner via mailop wrote:
> On 20.08.20 at 09:10, Benoit Panizzon via mailop wrote:
>>
>> Return-Path:
>>
>> Does the c581 part also belong to the account id?
> No, it's a short hash to verify that bounces were indeed caused by
> mails actually sent from sendgrid. For example,
> and +6019856-0d96-@sg.e.doodle.com> are doodle notifications
> sent to two different mail addresses. I don't know whether the time
> also takes part in the hash computation (as in SRS).

I see the same later part when the destination is the same recipient, hours and even months later, so the time isn't computed there.

I thought that it might be an index of the "subscriber" into the customer list. The same account, spammed by different sendgrid accounts, has different suffixes, but that's not surprising.

I don't get much sendgrid spam when compared with other people, but today it was quite prolific:

17045745 - "you have been gifted $5 MILLION USD From Mr. Bill Gates" + "CONGRATULATION TO YOU" (20 Italian billionaires donating money)
9364509 - "To prevent your email from closing, please verify your account details below"
13001617 - This is a plain-spam account. Today it was for recharge-mobile.co spam, which mixes with a shop of earrings, bracelets, etc.

Best regards
Re: [mailop] Just how does SendGrid fail this badly?
On Tue, 2020-08-18 at 14:34 -0700, Carl Byington via mailop wrote:
>
> dhl is asking folks to reject that mail, but sendgrid tries to send it
> anyway.
>

Sendgrid doesn't seem to do any From: address authentication. They're sending email pretending to be from all kinds of random domains. I know they probably have customers that depend on being able to forge addresses, but come on guys, it's 2020, you can't do that anymore.
Re: [mailop] Just how does SendGrid fail this badly?
Oops, hit the send keybind by accident while trying to paste... Let's try this again.

On 8/19/2020 11:06 PM, Philip Paeps via mailop wrote:
> On 2020-08-18 20:23:37 (+0800), Atro Tossavainen via mailop wrote:
>> The SendGrid account sending these yesterday is 13999362.
>
> The one I've seen most often is 12340469 with 9789821 a close second
> and 8512936 in third place.

I just started seeing 2019535 this morning. Luckily ClamAV's extra rules seem to be snagging it.

2020-08-20 10:18:57 1k8nHE-000881-PC H=wrqvprhc.outbound-mail.sendgrid.net [149.72.53.12] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F= rejected after DATA: This message contains a virus, trojan, phish, or banned attachment (Sanesecurity.Phishing.Fake.27094.UNOFFICIAL).

-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/    http://www.ahbl.org
Re: [mailop] Just how does SendGrid fail this badly?
On 8/19/2020 11:06 PM, Philip Paeps via mailop wrote:
> On 2020-08-18 20:23:37 (+0800), Atro Tossavainen via mailop wrote:
>> The SendGrid account sending these yesterday is 13999362.
>
> The one I've seen most often is 12340469 with 9789821 a close second
> and 8512936 in third place.

I just started seeing

-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/    http://www.ahbl.org
Re: [mailop] Just how does SendGrid fail this badly?
> Does the c581 part also belong to the account id?

I think it does.

> I might consider trying to extract this on my spamtrap and collect them
> to see if there are accounts that keep sending phishing emails for long
> times.

Top senders in Koli-Lõks traps yesterday (n>7000):

8512936 (5%) - multiple types of phishing
9711754 (3%) - multiple types of phishing
4468541 (3%) - Uber
8807282 (2%) - multiple types of phishing
1365613 (2%) - Jockey Comfort

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
Re: [mailop] Just how does SendGrid fail this badly?
On 20.08.20 at 09:10, Benoit Panizzon via mailop wrote:
>
> Return-Path:
>
> Does the c581 part also belong to the account id?

No, it's a short hash to verify that bounces were indeed caused by mails actually sent from sendgrid. For example, and are doodle notifications sent to two different mail addresses. I don't know whether the time also takes part in the hash computation (as in SRS).

>
> I might consider trying to extract this on my spamtrap and collect them
> to see if there are accounts that keep sending phishing emails for long
> times.

Probably not. Most that I've seen lately seem to be web form submission auto-responses, and it looks like customers get a notice to fix that and maybe even do it.

Cheers,
Hans-Martin
Re: [mailop] Just how does SendGrid fail this badly?
On Tue, 18 Aug 2020 11:01:19 -0700, Luke via mailop wrote:
> In the Return-Path. "bounces+1234567" the number following bounces+ is the
> SendGrid account ID.

Return-Path:

Does the c581 part also belong to the account id?

I might consider trying to extract this on my spamtrap and collect them to see if there are accounts that keep sending phishing emails for long times.

What I also wonder: How is a customer required to identify himself @sendgrid before he can start sending emails? Did they start providing 'testing' accounts which don't require any kind of identification and which can be automatically mass-created via an API or similar? (Yes, they could just go on and run an open smtp relay then :-) )

I know Mailchimp ran into a similar issue some time ago, but it looks like they managed to solve that problem.

Kind regards
-Benoît Panizzon-

-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________
Re: [mailop] Just how does SendGrid fail this badly?
On 2020-08-18 20:23:37 (+0800), Atro Tossavainen via mailop wrote:
> The SendGrid account sending these yesterday is 13999362.

The one I've seen most often is 12340469 with 9789821 a close second and 8512936 in third place.

Given that these are so blatant, I don't believe there's any point in reporting them to Sendgrid. We've simply started blocking Sendgrid and whitelisting obvious false positives.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
Re: [mailop] Just how does SendGrid fail this badly?
On Tue, 2020-08-18 at 12:03 +, Andy Smith via mailop wrote:
> From: "chiark.greenend.org.uk"

So sendgrid account 15204622 was sending mail as:

Received: from dhl.com (unknown) by ismtpd0005p1lon1.sendgrid.net (SG)
        with ESMTP id 0c6xV8agQF6yK8GOsXvJLw for <$munged>;
        Tue, 18 Aug 2020 05:18:02.219 + (UTC)
From: DHL
Subject: Shipment for $munged

They allow outbound mail with a from: header in dhl.com, even though:

dig _dmarc.dhl.com txt +short
reject.valimail.dmarc.dhl.com.
"v=DMARC1; p=reject; fo=0; rua=mailto:dmarc-repo...@dhl.com,mailto:dmarc_agg@vali.email;"

dhl is asking folks to reject that mail, but sendgrid tries to send it anyway.
Re: [mailop] Just how does SendGrid fail this badly?
Checking my Proofpoint PPS cluster, a bunch of Sendgrid phishing emails are being rejected by PDR, meaning they're already blocked at the IP level.

mxa-0058bc01.gslb.pphosted.com:[205.220.165.245] : 554 Blocked - see https://ipcheck.proofpoint.com/?ip=192.254.123.97

Best,
Faisal

PGP Key: C8FD029B

‐‐‐ Original Message ‐‐‐
On Tuesday, August 18, 2020 7:03 AM, Andy Smith via mailop wrote:

> Received: from wrqvhkqq.outbound-mail.sendgrid.net ([149.72.1.68])
>         by chiark.greenend.org.uk (SAUCE v0.9.0)
>         with esmtp id sauce-2544-1597663-1; 17 Aug 2020 11:32:54 + (GMT)
> Message-ID: 20200817203728.96117de88be30...@chilitato.com
> From: "chiark.greenend.org.uk" i...@chilitato.com
> Subject: chiark.greenend.org.uk quota full: (98% full)
>
> Cheers,
> Andy
Re: [mailop] Just how does SendGrid fail this badly?
Huh, I'm not seeing that Sendgrid account ID in my traps at all in the last few days. Different traps for different folks, I guess?

Cheers,
Al

On Tue, Aug 18, 2020 at 1:06 PM Luke via mailop wrote:
>
> In the Return-Path. "bounces+1234567" the number following bounces+ is the
> SendGrid account ID.
>
> On Tue, Aug 18, 2020 at 10:57 AM Carl Byington via mailop wrote:
>>
>> On Tue, 2020-08-18 at 15:23 +0300, Atro Tossavainen via mailop wrote:
>>> The SendGrid account sending these yesterday is 13999362.
>>
>> Where do you find that account number in the headers? I see some from
>> today with "Upgrade (FINAL WARNING)" in the subject, but no indication
>> of any sendgrid account number.

-- 
Al Iverson // Wombatmail // Chicago
Song a day! https://www.wombatmail.com
Deliverability! https://spamresource.com
And DNS Tools too! https://xnnd.com
Re: [mailop] Just how does SendGrid fail this badly?
It's in the envelope sender, which your mail system probably doesn't preserve when it stores mail. Traditional mbox format has it in the 'From ' line.

Cheers,
Hans-Martin

On 18 August 2020 20:03:46, Carl Byington via mailop wrote:
> On Tue, 2020-08-18 at 15:23 +0300, Atro Tossavainen via mailop wrote:
>> The SendGrid account sending these yesterday is 13999362.
>
> Where do you find that account number in the headers? I see some from
> today with "Upgrade (FINAL WARNING)" in the subject, but no indication
> of any sendgrid account number.
Re: [mailop] Just how does SendGrid fail this badly?
In the Return-Path. "bounces+1234567" the number following bounces+ is the SendGrid account ID.

On Tue, Aug 18, 2020 at 10:57 AM Carl Byington via mailop wrote:
> On Tue, 2020-08-18 at 15:23 +0300, Atro Tossavainen via mailop wrote:
>> The SendGrid account sending these yesterday is 13999362.
>
> Where do you find that account number in the headers? I see some from
> today with "Upgrade (FINAL WARNING)" in the subject, but no indication
> of any sendgrid account number.
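As an added illustration, not code from anyone on the list: a Python sketch of the extraction Luke describes (account id from the "bounces+" Return-Path), the per-account tally Benoit and Atro talk about, and the check Carl made against dhl.com's DMARC record, flagging trap mail whose From: domain publishes p=reject. DNS is replaced by a constructed lookup table and the sample messages are constructed; only account id 15204622 and dhl.com's p=reject come from the thread.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# SendGrid envelope senders: bounces+<account>-<hash>-<recipient>@<domain>.  The
# number after "bounces+" is the account id; the short hash is the "c581" part.
SENDGRID_RP = re.compile(r"^bounces\+(?P<account>\d+)-(?P<suffix>[0-9a-f]+)-", re.I)

# Constructed stand-in for DNS lookups of _dmarc.<domain> TXT records, so this runs
# offline.  dhl.com's p=reject matches the dig output quoted in the thread.
DMARC_RECORDS = {"dhl.com": "v=DMARC1; p=reject; fo=0", "example.net": "v=DMARC1; p=none"}


def sendgrid_account(return_path):
    """(account_id, hash) from a SendGrid Return-Path, or None if it is not one."""
    local_part = parseaddr(return_path)[1].rpartition("@")[0]
    m = SENDGRID_RP.match(local_part)
    return (m["account"], m["suffix"]) if m else None


def dmarc_policy(domain, records=DMARC_RECORDS):
    """Requested policy ('none', 'quarantine', 'reject') from the DMARC record."""
    record = records.get(domain.lower())
    if not record:
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p")


def triage(raw_messages, records=DMARC_RECORDS):
    """Tally SendGrid account ids seen in a trap and flag messages whose From:
    domain publishes p=reject, i.e. mail the domain owner asked receivers to drop."""
    per_account, flagged = Counter(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        # Delivering MTAs record the envelope sender in Return-Path (mbox: "From " line).
        acct = sendgrid_account(msg.get("Return-Path", ""))
        if acct is None:
            continue  # not in SendGrid bounce-address format
        per_account[acct[0]] += 1
        from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
        if dmarc_policy(from_domain, records) == "reject":
            flagged.append((acct[0], from_domain, msg.get("Subject", "")))
    return per_account, flagged


# Constructed sample trap mail; account id 15204622 and the hash shape follow the thread.
SAMPLES = [
    "Return-Path: <bounces+15204622-c581-victim=trap.example@sendgrid.net>\n"
    "From: DHL <noreply@dhl.com>\nSubject: Shipment for victim\n\nbody\n",
    "Return-Path: <bounces+15204622-0d96-other=trap.example@sendgrid.net>\n"
    "From: DHL <noreply@dhl.com>\nSubject: Shipment for other\n\nbody\n",
    "Return-Path: <bounces+4468541-1a2b-rider=trap.example@em.example.net>\n"
    "From: Rides <news@example.net>\nSubject: Your receipt\n\nbody\n",
    "Return-Path: <list-bounces@other.example>\nFrom: a@other.example\nSubject: hi\n\nbody\n",
]
```

`triage(SAMPLES)` counts two messages for 15204622 and one for 4468541, and flags both dhl.com messages; the example.net one passes because its record says p=none.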
Re: [mailop] Just how does SendGrid fail this badly?
On Tue, 2020-08-18 at 15:23 +0300, Atro Tossavainen via mailop wrote:
> The SendGrid account sending these yesterday is 13999362.

Where do you find that account number in the headers? I see some from today with "Upgrade (FINAL WARNING)" in the subject, but no indication of any sendgrid account number.
Re: [mailop] Just how does SendGrid fail this badly?
The SendGrid account sending these yesterday is 13999362.

Method: get all SendGrid mail from yesterday and today, restrict to anything that says "quota full" in the subject, look at accounts sending. Sample size is measured in the dozens, across about ten recipient domains. They were all sent by the same SendGrid account.

On Tue, Aug 18, 2020 at 12:03:55PM +, Andy Smith via mailop wrote:
>
> Received: from wrqvhkqq.outbound-mail.sendgrid.net ([149.72.1.68])
>         by chiark.greenend.org.uk (SAUCE v0.9.0)
>         with esmtp id sauce-2544-1597663-1; 17 Aug 2020 11:32:54 + (GMT)
> Message-ID: <20200817203728.96117de88be30...@chilitato.com>
> From: "chiark.greenend.org.uk"
> Subject: chiark.greenend.org.uk quota full: (98% full)
>
> Cheers,
> Andy

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
[mailop] Just how does SendGrid fail this badly?
Received: from wrqvhkqq.outbound-mail.sendgrid.net ([149.72.1.68])
        by chiark.greenend.org.uk (SAUCE v0.9.0)
        with esmtp id sauce-2544-1597663-1; 17 Aug 2020 11:32:54 + (GMT)
Message-ID: <20200817203728.96117de88be30...@chilitato.com>
From: "chiark.greenend.org.uk"
Subject: chiark.greenend.org.uk quota full: (98% full)

Cheers,
Andy