Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update
On 29/04/2021 20:05, Jaroslaw Rafa via mailop wrote:

> On 29.04.2021 at 13:04:55, Noel Butler via mailop wrote:
>
>> nobody, but nobody, is too big to block to protect my users.
>
> And what if your users because of being unable to communicate with Google users (which is roughly equal to "almost everyone" for an average user) will switch to Google and move their email there?
>
> And BTW. in my opinion that's exactly what Google wants - that everyone uses their services and nobody else's. So just in order to stop people moving to Google we should be able to communicate with Google :)

I have no doubt they rather people use their service so they can scan and scam them, but I don't and won't play their games, if the rest of you are too gutless to stand up the bullies that's more work for you, answering irate clients who want the spam to stop, how does that go down you telling them google is too big to block in your eyes - that, would be a faster way to lose clients.

Think what we will about Microsoft, even I give them credit in this area, they do a pretty good job when it comes to dealing with abusers on their network, no reason google can't.

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update
On 29.04.2021 at 13:04:55, Noel Butler via mailop wrote:

> nobody, but nobody, is too big to block to protect my users.

And what if your users because of being unable to communicate with Google users (which is roughly equal to "almost everyone" for an average user) will switch to Google and move their email there?

And BTW. in my opinion that's exactly what Google wants - that everyone uses their services and nobody else's. So just in order to stop people moving to Google we should be able to communicate with Google :)

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update
On 28/04/2021 17:05, Jaroslaw Rafa via mailop wrote:

> On 28.04.2021 at 10:19:17, Noel Butler via mailop wrote:
>
>> What's so hard about 1 ?
>>
>> What do we do with any S.P. that emits tonnes of crap, we block them, often outright, nothing hard about that.
>>
>> It shouldn't matter how big a company is, it certainly didn't 20 years ago when most people here who were around at the time would have blocked AOL for the exact same thing, yet people are scared to block the freemailers these days, why, it's those actions that force said companies to pull their finger out of their arse and clean up their network, if they don't, well, like i said, AOL, they become irrelevant.
>
> From "normal" people (ie. not email-related professionals like on this list) that I correspond with, about 70% have email addresses on Gmail. There are also numerous companies that use Gsuite for their work email (and among them are really big corporations, like my employer). The popularity of smartphones and mobile applications has a big impact on this.
>
> So blocking Google is like blocking 70% or more of your possible correspondents. If you can afford this, then good luck, but most people cannot. Google just grew too big and for a small email operator (and almost everyone is small compared to Google) blocking Google will hurt themselves more than it will hurt Google.

you see, this is EXACTLY what I am talking about it is EXACTLY what google counts on and google does S F A about it.

I've blocked them in the past yes, I have no hesitation in doing so again.

nobody, but nobody, is too big to block to protect my users.

--
Regards,
Noel Butler
Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update
On 28.04.2021 at 10:19:17, Noel Butler via mailop wrote:

> What's so hard about 1 ?
>
> What do we do with any S.P. that emits tonnes of crap, we block them, often outright, nothing hard about that.
>
> It shouldn't matter how big a company is, it certainly didn't 20 years ago when most people here who were around at the time would have blocked AOL for the exact same thing, yet people are scared to block the freemailers these days, why, it's those actions that force said companies to pull their finger out of their arse and clean up their network, if they don't, well, like i said, AOL, they become irrelevant.

From "normal" people (ie. not email-related professionals like on this list) that I correspond with, about 70% have email addresses on Gmail. There are also numerous companies that use Gsuite for their work email (and among them are really big corporations, like my employer). The popularity of smartphones and mobile applications has a big impact on this.

So blocking Google is like blocking 70% or more of your possible correspondents. If you can afford this, then good luck, but most people cannot. Google just grew too big and for a small email operator (and almost everyone is small compared to Google) blocking Google will hurt themselves more than it will hurt Google.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update
On 28/04/2021 01:31, Rob McEwen via mailop wrote:

> (1) sent from legit Google mail servers
> (2) the spammer's "payload URL" in the body of the message - is content is hosted at storage[.]googleapis[.]com servers
> (3) Those links are staying "live" for many days (possibly weeks/months?)
>
> This combination (1 & 2) makes them difficult to block - especially for small and medium sized hosters who don't have as much expertise and resources to deal with this.

What's so hard about 1 ?

What do we do with any S.P. that emits tonnes of crap, we block them, often outright, nothing hard about that.

It shouldn't matter how big a company is, it certainly didn't 20 years ago when most people here who were around at the time would have blocked AOL for the exact same thing, yet people are scared to block the freemailers these days, why, it's those actions that force said companies to pull their finger out of their arse and clean up their network, if they don't, well, like i said, AOL, they become irrelevant.

As for 2, blocking them is easy in even the most basic of systems like milter-regex, or even spamassassin et al

Lastly for 3, that makes 1 even more justifiable.

--
Regards,
Noel Butler
Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update
On 2021-04-27 8:32 a.m., Hans-Martin Mosner via mailop wrote:

> On 27.04.21 at 17:00, Michael Peddemors via mailop wrote:
>
>> Well, in better news, I get my vaccine shot tomorrow ;)
>
> Great!
>
>> Haven't posted one of these in a while, but last couple of weeks has spam auditors very busy..
>>
>> * Huge amounts of reports from Azure IP(s), Hit and Run
>>
>> (If you are seeing the same, and frustrated, reach out, we can post one days report, but hundreds of IP(s) every day triggering invalid rate limiter reports, we call it hit and run, as the PTR's are usually gone shortly after the attacks, or not present at all. Really surprised that with the amount of IP(s) involved, this doesn't set off a lot of bells at MS. Combination of RATS-AZURE and rDNS naming patterns catch this pretty easily though. However, they volume enough to really fill someone's logs and use valuable resources)
>
> MS seems to be actively ignoring the problem. They have gotten a couple hundred reports from me (mostly automated, I must admit). No reaction, not even a complaint that I'm flooding them with abuse reports. The only plausible explanation is that they're employing Dave Null as their sole abuse desk worker.
>
> To mitigate the log problem, I've resorted to putting the containing /21 for every cloudapp.azure.com spam into the iptables list. Works like a charm.
>
> Cheers,
> Hans-Martin

If you wish to do the same, with less pain, they do post all the AZURE IP(s) online, put them all into an 'ipset' ;)

But actually, (albeit I have heard from 'those in the know' that accepting email from any IP in the Azure space is probably risky) there COULD be a legitimate operator standing up an email server on that IP Space.

I know, you can of course 'whitelist' when it happens, but as per my original post and suggestion.. better to at least do 'If on Azure IP space AND it has a generic or missing PTR record, reject it as early as possible'

Course that might not last long..

Anyone see the noise from..
--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
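
The rule suggested in the message above ("If on Azure IP space AND it has a generic or missing PTR record, reject it as early as possible"), together with the containing-/21 aggregation quoted in it, as an added Python example that is not from the thread or from any poster's system. The network list uses documentation prefixes as a constructed stand-in for the published Azure ranges, and the "generic PTR" heuristics and all function names are assumptions.

```python
import ipaddress
import re

# Constructed stand-in for the provider's published ranges (these are
# documentation prefixes, not real Azure space).
SAMPLE_CLOUD_NETS = [ipaddress.ip_network(n)
                     for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Assumption: names under these suffixes count as provider-assigned (generic).
GENERIC_SUFFIXES = (".cloudapp.azure.com",)


def in_cloud_space(ip, nets=SAMPLE_CLOUD_NETS):
    """True if the connecting IPv4 address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def ptr_is_generic(ip, ptr):
    """Heuristic: no PTR, a provider suffix, or the IP's octets in the name."""
    if not ptr:
        return True
    name = ptr.rstrip(".").lower()
    if name.endswith(GENERIC_SUFFIXES):
        return True
    octets = ip.split(".")
    for order in (octets, octets[::-1]):  # forward and in-addr.arpa order
        pattern = r"(?<!\d)" + r"[.\-_]".join(order) + r"(?!\d)"
        if re.search(pattern, name):
            return True
    return False


def smtp_decision(ip, ptr, nets=SAMPLE_CLOUD_NETS):
    """Reject at connect time only when BOTH conditions of the rule hold."""
    if in_cloud_space(ip, nets) and ptr_is_generic(ip, ptr):
        return "reject"
    return "continue"


def containing_21(ip):
    """The /21 that contains ip, ready for an ipset or firewall list."""
    return str(ipaddress.ip_network(f"{ip}/21", strict=False))
```

A host inside the listed space that publishes its own PTR name passes through to normal filtering, which is the case the message raises about a legitimate operator on that IP space.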
Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update
On 2021-04-27 8:31 a.m., Rob McEwen via mailop wrote:

> On 4/27/2021 11:00 AM, Michael Peddemors via mailop wrote:
>
>> New Google Groups style spam outbreak..
>
> Many of them (or all of them?) are doing the following:
>
> (1) sent from legit Google mail servers
> (2) the spammer's "payload URL" in the body of the message - is content is hosted at *storage[.]googleapis[.]com* servers
> (3) Those links are staying "live" for many days (possibly weeks/months?)
>
> This combination (1 & 2) makes them difficult to block - especially for small and medium sized hosters who don't have as much expertise and resources to deal with this. Not to make excuses for such organizations' lack of abilities or resources/time - but they shouldn't be forced to expend such resources on dealing with "friendly fire" from google's network. If Google were a small startup doing this right now, their IPs and domains would all get onto anti-spam lists, they'd be put out of business, and we'd "call it a day"!
>
> And then I also can't help but wonder - how many of those smaller email hosters just lost business email hosting customers this month to Google G-Suite - due to the customers' frustration over these SAME spams getting to the inbox? See the problem here?
>
> Also, this storage[.]googleapis[.]com spam has been happening for a long time - but they were sent from the spammers' own IP space (or other irrelevant IP space) - now they suddenly figured out a way to get these spams to be sent from Google MTAs.
>
> --
> Rob McEwen, invaluement

Yes, while in general it has been happening for a while (for a period we even started blocking all Google Groups mail as a shot over their bow, however we went back to 'filtering' it as likely spam, there were legit users affected) this looks to be a new way to send Google list spam, and not the traditional groups spamming methods we have seen over the last year.

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update
On 4/27/2021 11:00 AM, Michael Peddemors via mailop wrote:

> New Google Groups style spam outbreak..

Many of them (or all of them?) are doing the following:

(1) sent from legit Google mail servers
(2) the spammer's "payload URL" in the body of the message - is content is hosted at *storage[.]googleapis[.]com* servers
(3) Those links are staying "live" for many days (possibly weeks/months?)

This combination (1 & 2) makes them difficult to block - especially for small and medium sized hosters who don't have as much expertise and resources to deal with this. Not to make excuses for such organizations' lack of abilities or resources/time - but they shouldn't be forced to expend such resources on dealing with "friendly fire" from google's network. If Google were a small startup doing this right now, their IPs and domains would all get onto anti-spam lists, they'd be put out of business, and we'd "call it a day"!

And then I also can't help but wonder - how many of those smaller email hosters just lost business email hosting customers this month to Google G-Suite - due to the customers' frustration over these SAME spams getting to the inbox? See the problem here?

Also, this storage[.]googleapis[.]com spam has been happening for a long time - but they were sent from the spammers' own IP space (or other irrelevant IP space) - now they suddenly figured out a way to get these spams to be sent from Google MTAs.

--
Rob McEwen, invaluement
Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update
On 27.04.21 at 17:00, Michael Peddemors via mailop wrote:

> Well, in better news, I get my vaccine shot tomorrow ;)

Great!

> Haven't posted one of these in a while, but last couple of weeks has spam auditors very busy..
>
> * Huge amounts of reports from Azure IP(s), Hit and Run
>
> (If you are seeing the same, and frustrated, reach out, we can post one days report, but hundreds of IP(s) every day triggering invalid rate limiter reports, we call it hit and run, as the PTR's are usually gone shortly after the attacks, or not present at all. Really surprised that with the amount of IP(s) involved, this doesn't set off a lot of bells at MS. Combination of RATS-AZURE and rDNS naming patterns catch this pretty easily though. However, they volume enough to really fill someone's logs and use valuable resources)

MS seems to be actively ignoring the problem. They have gotten a couple hundred reports from me (mostly automated, I must admit). No reaction, not even a complaint that I'm flooding them with abuse reports. The only plausible explanation is that they're employing Dave Null as their sole abuse desk worker.

To mitigate the log problem, I've resorted to putting the containing /21 for every cloudapp.azure.com spam into the iptables list. Works like a charm.

Cheers,
Hans-Martin