Re: [mailop] Any Proofpoint contacts here?

2016-04-14 Thread Jim Cheetham
Excerpts from Jim Cheetham's message of 2016-04-15 09:12:37 +1200:
> Yes, we had had a compromised account, and we had addressed it before the
> block became obvious.

May as well let you all know ... a newbie mistake by me. We don't have a
totally automated way to close down all the various systems through which
a user sends email, and while running through the manual steps I neglected
to dequeue the outbound spam submissions.

Proofpoint had already picked up on the initial outbound, and were dsn=421
for the remaining items. I prevented new spam from being submitted, and
when we got dsn=500 from Proofpoint we noticed the issue, and requested
delisting.

This went through, then our queued items got delivered, triggering a
repeat listing, and confusion at my end.

-- 
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheet...@otago.ac.nz ☏ +64 3 470 4670 ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
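
The failure described in the message above (delisting requested while spam from the closed account was still queued) can be caught with a queue check before the delisting request. This is an added example, not part of the original thread: it assumes a Postfix MTA (the thread does not name one) and that the queued spam carries the compromised account as envelope sender; the queue entries and addresses are constructed.

```python
import json

# Constructed sample in the JSON-lines shape printed by Postfix `postqueue -j`.
SAMPLE_QUEUE = "\n".join(json.dumps(m) for m in [
    {"queue_name": "deferred", "queue_id": "4A1B2C3D4E",
     "sender": "Student1@example.ac.nz",
     "recipients": [{"address": "a@customer.example",
                     "delay_reason": "421 try again later (constructed)"}]},
    {"queue_name": "active", "queue_id": "5F6A7B8C9D",
     "sender": "staff@example.ac.nz",
     "recipients": [{"address": "b@partner.example"}]},
    {"queue_name": "deferred", "queue_id": "6E7F8A9B0C",
     "sender": "student1@example.ac.nz",
     "recipients": [{"address": "c@customer.example",
                     "delay_reason": "421 try again later (constructed)"}]},
])


def pending_from(queue_text, compromised):
    """Queue entries whose envelope sender is one of the compromised accounts."""
    wanted = {addr.lower() for addr in compromised}
    hits = []
    for line in queue_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in a saved queue dump
        entry = json.loads(line)
        if entry.get("sender", "").lower() in wanted:
            hits.append(entry)
    return hits


def purge_commands(entries):
    """One `postsuper -d` per queue ID, for an operator to review and run."""
    return ["postsuper -d " + e["queue_id"] for e in entries]


def safe_to_request_delisting(queue_text, compromised):
    """True only when nothing from the compromised accounts is still queued."""
    return not pending_from(queue_text, compromised)


if __name__ == "__main__":
    accounts = ["student1@example.ac.nz"]  # hypothetical compromised account
    print("\n".join(purge_commands(pending_from(SAMPLE_QUEUE, accounts))))
    print("safe to delist:", safe_to_request_delisting(SAMPLE_QUEUE, accounts))
```

Deferred entries are the ones that matter here: they are retried later, which is how mail queued before the account was closed can still go out after a delisting.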


Re: [mailop] Any Proofpoint contacts here?

2016-04-14 Thread Jim Cheetham
Excerpts from Jaren Angerbauer's message of 2016-04-15 04:33:42 +1200:
> Jim -- I'll reply offline with details (looks like you have a compromised
> user sending phish)

Thanks Jaren, just ack-ing to the list that our problem is sorted.
Thanks everyone for their comments, too.
Yes, we had had a compromised account, and we had addressed it before the
block became obvious.
The feedback loop to the sending IPs is the problem, common to so many
other reputation providers.

-- 
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheet...@otago.ac.nz ☏ +64 3 470 4670 ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605




Re: [mailop] Any Proofpoint contacts here?

2016-04-14 Thread Michelle Sullivan

Word from the persons who deal with PDR systems is:

The "most recently seen" dates are not accurate.  I really wish they 
didn't include that data as it's next to worthless.


Most likely they get delisted 1x, more 'bad' stuff comes in and the IP 
gets re-shot.


Delisting is not permanent.

So unfortunately, when it comes to 'Last Seen' information on the
Proofpoint Dynamic Reputation lookup page, it is a case of 'your mileage may
vary'.


Regards,

Michelle

John Possidente wrote:
> I've been seeing this, too, for more than one client/mailer over the
> last few weeks. The listing disappears shortly after the active
> mailing is done (so requesting delisting is a matter of timing it just
> right), the data in the lookup record is usually quite old, and the
> listing pops up again next day when another mailing begins. Delisting
> seems to have a 2-3 day effect, then it's back to the odd behavior.
>
> I imagine the folks at Proofpoint would like to know if their system
> is working not-as-intended.
>
> John
>
> On Wed, Apr 13, 2016 at 10:07 PM, Jim Cheetham
> <jim.cheet...@otago.ac.nz> wrote:
>
> > I'm suffering from a strange recurrent blocking ...
> >
> > https://support.proofpoint.com/rbl-lookup.cgi?ip=139.80.64.247
> >
> > As of right now, it says "Most Recently Seen as Spam 10/04/2014
> > 23:44:25 GMT " and customers are rejecting our email.
> >
> > I delisted this yesterday, but it's back, and I can't attempt another
> > delist within 24h. Also, there's no information about what might really
> > have happened (like all networks we do occasionally emit spam, and we'd
> > love to know about it). And that 2014 date worries me.
> >
> > But as I'm not a Proofpoint customer myself, I can't see any way to raise
> > this issue. So a contact from Proofpoint would be welcome ... :-)
> >
> > --
> > Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
> > ✉ jim.cheet...@otago.ac.nz ☏ +64 3 470 4670 ☏ m +64 21 279 4670
> > ⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605

--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] Any Proofpoint contacts here?

2016-04-14 Thread Jaren Angerbauer
On Thu, Apr 14, 2016 at 8:46 AM, Laura Atkins wrote:

> On Apr 14, 2016, at 5:50 AM, John Possidente wrote:
>
> > I've been seeing this, too, for more than one client/mailer over the last
> > few weeks. The listing disappears shortly after the active mailing is done
> > (so requesting delisting is a matter of timing it just right), the data in
> > the lookup record is usually quite old, and the listing pops up again next
> > day when another mailing begins. Delisting seems to have a 2-3 day effect,
> > then it's back to the odd behavior.
> >
> > I imagine the folks at Proofpoint would like to know if their system is
> > working not-as-intended.
>
> There is a human behind postmaster@ who actively replies to email.

Hi,

Jim -- I'll reply offline with details (looks like you have a compromised
user sending phish)

John --  The system is working as intended :)  If you (also) want to hit me
up offline, I'm happy to hopefully provide the needed visibility /
assistance.

Thanks,

--Jaren


Re: [mailop] Any Proofpoint contacts here?

2016-04-14 Thread Laura Atkins

> On Apr 14, 2016, at 5:50 AM, John Possidente wrote:
>
> I've been seeing this, too, for more than one client/mailer over the last few
> weeks. The listing disappears shortly after the active mailing is done (so
> requesting delisting is a matter of timing it just right), the data in the
> lookup record is usually quite old, and the listing pops up again next day
> when another mailing begins. Delisting seems to have a 2-3 day effect, then
> it's back to the odd behavior.
>
> I imagine the folks at Proofpoint would like to know if their system is
> working not-as-intended.

There is a human behind postmaster@ who actively replies to email.

laura

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  







Re: [mailop] Any Proofpoint contacts here?

2016-04-14 Thread Michelle Sullivan

John Possidente wrote:
> I've been seeing this, too, for more than one client/mailer over the
> last few weeks. The listing disappears shortly after the active
> mailing is done (so requesting delisting is a matter of timing it just
> right), the data in the lookup record is usually quite old, and the
> listing pops up again next day when another mailing begins. Delisting
> seems to have a 2-3 day effect, then it's back to the odd behavior.
>
> I imagine the folks at Proofpoint would like to know if their system
> is working not-as-intended.


Anyone can 'click delist' a listing, but indications in your message 
would seem to indicate that not listed stuff is coming back randomly...  
If so then I'll get someone to look at it ... do you have any concrete 
examples?


Michelle


> John
>
> On Wed, Apr 13, 2016 at 10:07 PM, Jim Cheetham
> <jim.cheet...@otago.ac.nz> wrote:
>
> > I'm suffering from a strange recurrent blocking ...
> >
> > https://support.proofpoint.com/rbl-lookup.cgi?ip=139.80.64.247
> >
> > As of right now, it says "Most Recently Seen as Spam 10/04/2014
> > 23:44:25 GMT " and customers are rejecting our email.
> >
> > I delisted this yesterday, but it's back, and I can't attempt another
> > delist within 24h. Also, there's no information about what might really
> > have happened (like all networks we do occasionally emit spam, and we'd
> > love to know about it). And that 2014 date worries me.
> >
> > But as I'm not a Proofpoint customer myself, I can't see any way to raise
> > this issue. So a contact from Proofpoint would be welcome ... :-)
> >
> > --
> > Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
> > ✉ jim.cheet...@otago.ac.nz ☏ +64 3 470 4670 ☏ m +64 21 279 4670
> > ⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605

--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] Any Proofpoint contacts here?

2016-04-14 Thread John Possidente
I've been seeing this, too, for more than one client/mailer over the last
few weeks. The listing disappears shortly after the active mailing is done
(so requesting delisting is a matter of timing it just right), the data in
the lookup record is usually quite old, and the listing pops up again next
day when another mailing begins. Delisting seems to have a 2-3 day effect,
then it's back to the odd behavior.

I imagine the folks at Proofpoint would like to know if their system is
working not-as-intended.

John


On Wed, Apr 13, 2016 at 10:07 PM, Jim Cheetham wrote:

> I'm suffering from a strange recurrent blocking ...
>
> https://support.proofpoint.com/rbl-lookup.cgi?ip=139.80.64.247
>
> As of right now, it says "Most Recently Seen as Spam 10/04/2014
> 23:44:25 GMT " and customers are rejecting our email.
>
> I delisted this yesterday, but it's back, and I can't attempt another
> delist within 24h. Also, there's no information about what might really
> have happened (like all networks we do occasionally emit spam, and we'd
> love to know about it). And that 2014 date worries me.
>
> But as I'm not a Proofpoint customer myself, I can't see any way to raise
> this issue. So a contact from Proofpoint would be welcome ... :-)
>
> --
> Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
> ✉ jim.cheet...@otago.ac.nz ☏ +64 3 470 4670 ☏ m +64 21 279 4670
> ⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605


Re: [mailop] Any Proofpoint contacts here?

2016-04-14 Thread Michelle Sullivan

Jim Cheetham wrote:

> I'm suffering from a strange recurrent blocking ...
>
> https://support.proofpoint.com/rbl-lookup.cgi?ip=139.80.64.247


/me waves hand... however also takes note of the other reply, and this:


Your IP address is not currently being blocked: 139.80.64.247

Regards,

--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] Any Proofpoint contacts here?

2016-04-14 Thread ops . lists
Did you try that URL lately, mate?  Says here -

IP Address

Your IP address is not currently being blocked: 139.80.64.247 

IP Lookup Information
IP Address  139.80.64.247
Reverse Lookup  mailhub2.otago.ac.nz
Query Time  04/14/2016 10:34:14 GMT


> On 14-Apr-2016, at 7:37 AM, Jim Cheetham wrote:
> 
> I'm suffering from a strange recurrent blocking ...
> 
> https://support.proofpoint.com/rbl-lookup.cgi?ip=139.80.64.247
> 
> As of right now, it says "Most Recently Seen as Spam 10/04/2014
> 23:44:25 GMT " and customers are rejecting our email.
> 
> I delisted this yesterday, but it's back, and I can't attempt another
> delist within 24h. Also, there's no information about what might really
> have happened (like all networks we do occasionally emit spam, and we'd
> love to know about it). And that 2014 date worries me.
> 
> But as I'm not a Proofpoint customer myself, I can't see any way to raise
> this issue. So a contact from Proofpoint would be welcome ... :-)
> 
> -- 
> Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
> ✉ jim.cheet...@otago.ac.nz ☏ +64 3 470 4670 ☏ m +64 21 279 4670
> ⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605